The Linux Kernel and the Forensic Acquisition of Hard Disks with an Odd Number of Sectors
J. Kornblum
International Journal of Digital Evidence
2004

Paper (pdf)     Bibtex

No official version of the Linux kernel, up through and including version 2.4, allowed a user land process to access the last sector of a hard disk or hard disk partition with an odd number of sectors. Although the inability to access this last sector did not affect normal operation of the system, it did prevent the complete forensic acquisition of such a disk. The author repeats an earlier experiment to verify the issue in version 2.4 of the kernel and then shows that the issue has been resolved in version 2.6. Systems using version 2.6 of the Linux kernel can completely forensically acquire disks or partitions with an odd number of sectors.


Home     Publications     Presentations     Utilities     Tools     Blog