Case Study 1 — The Drive That Hid Eighty Gigabytes
A departing engineer was suspected of copying proprietary source code before resigning. The case did not turn on clever analysis — it turned on an acquisition done so carefully that the defense's motion to suppress collapsed, and on a hidden region the examiner almost trusted the drive's own report enough to miss.
Background
A mid-size robotics firm noticed that a senior controls engineer had, in his final two weeks, accessed an unusual number of files in the firmware repository. He resigned on a Friday and started at a direct competitor the following Monday. Legal authorized a forensic examination of the company-owned laptop he had returned. This is the second anchor case of the book — the employee who covered their tracks — and it begins, as every investigation does, at acquisition.
The laptop, a Dell Latitude with a 256 GB internal SATA SSD, arrived at the examiner's bench in a sealed, signed evidence bag, case number 2026-0291, evidence item 01. Because the firm anticipated litigation — and because the engineer's new employer would certainly retain its own expert — the examiner treated the acquisition as if it were already in front of a judge. That assumption, made before a single byte was read, is what later saved the case.
The acquisition
The examiner photographed the sealed bag, the seal number, and the labels before opening anything. She recorded the laptop's make, model, and service tag, then opened the bag under seal discipline, logging the existing tamper-evident seal number. She removed the SSD, photographed it with its serial number visible, and connected it through a Tableau T356789iu forensic bridge — a SATA hardware write-blocker she had validated that same morning against a scratch disk (hash before, a deliberate failed dd write, hash after, identical). The blocker's model, firmware, and serial went into her notes.
Then came the step that made the case. Before imaging, she queried the drive for hidden regions:
$ sudo hdparm -N /dev/sdb
/dev/sdb:
max sectors = 333447016/500118192, HPA is enabled
The drive was reporting itself as roughly 170 GB (333,447,016 sectors) while its native capacity was 256 GB (500,118,192 sectors). A Host Protected Area of about 80 GB sat hidden behind the figure the operating system would normally trust. Had she imaged the reported size, eighty gigabytes of the drive — and whatever lived there — would never have been examined. Instead she configured the acquisition to capture the full native capacity and documented the discovery.
She imaged to a compressed E01 with Guymager, entering the case metadata into the container header, and computed both MD5 and SHA-256. The tool re-read source and image and verified both:
Format : Expert Witness Format, sub-format Guymager, compressed
Device : /dev/sdb (HPA removed for acquisition: 500,118,192 sectors)
MD5 : c4f0a91e7b8d2356ae10f9b6d4a72e8c
SHA-256 : 8b1d4e9a6c0f23e7d5a1b4c8f02e96d3a7b5c1e0f8d2a4b6c9e3f1a07d5b2c8e
MD5 verified : yes (source image matches acquired image)
SHA-256 verified : yes (source image matches acquired image)
State : Finished successfully
She recorded both digests on the chain-of-custody form and the evidence label, resealed the original drive with a new numbered seal, logged it, returned it to the locked evidence room, and made a working copy whose hash she verified against the acquisition value. Only then did analysis begin — on the copy, never the original. The hidden 80 GB region turned out to contain a compressed archive of the firmware repository and a deleted batch script that had copied it there. The $FILE_NAME MFT timestamps (which the engineer's timestomping had not reached) and the USB device history in the registry would later complete the picture — but those are Chapters 16 and 21. This chapter's contribution was simply that the evidence existed, complete, and provably unaltered.
The suppression hearing
The competitor's expert filed a motion to suppress, arguing the image was unreliable. The examiner's acquisition notes answered every point before it was fully asked:
DEFENSE: "How do you know the laptop wasn't modified when you examined it?"
EXAMINER: "The source was connected through a Tableau T356789iu hardware
write-blocker, NIST CFTT-tested, which I validated that morning.
No write command could reach the drive."
DEFENSE: "How do you know your copy matches the original?"
EXAMINER: "I computed MD5 and SHA-256 of the source during acquisition and
of the image afterward. Both matched. I recorded both values; the
SHA-256 is 8b1d4e9a...d5b2c8e."
DEFENSE: "Couldn't there be data you simply didn't capture?"
EXAMINER: "The drive reported a reduced size due to a Host Protected Area.
I detected it with hdparm, captured the full native capacity, and
documented it. The acquisition covers all 500,118,192 sectors."
The motion was denied. The matter settled within the month.
The analysis
-
Acquisition is where admissibility is won or lost. The examiner did no exotic analysis at this stage — she made a verified copy and documented it. But the rigor of that copy is what survived a hostile expert and a suppression motion. A flawless analysis on a flawed acquisition would have been worthless; the reverse was nearly unassailable.
-
Never trust the drive's reported size. The most consequential decision in the whole case was a single
hdparm -Nquery. An HPA (or a DCO) lets a drive lie about its capacity. Checking for hidden regions and capturing native capacity is not optional diligence — here it was the case, eighty gigabytes of it. -
Validate the write-blocker, and record what you used. "I used a write-blocker" invites twenty questions. "I used a NIST-tested Tableau T356789iu, validated that morning, serial X" ends the line of questioning. The make, model, firmware, serial, and validation are evidence about your evidence.
-
Two hashes, recorded everywhere, are a mathematical guarantee. Computing MD5 and SHA-256, capturing them during the single source read, verifying the image against them, and writing them onto the form, the label, and the report converted "I copied it" into "I can prove it is identical." That sentence on the stand is often what makes digital evidence admissible.
-
Treat every acquisition as if a judge is already watching. The examiner did not know at the outset that there would be a suppression hearing. She prepared for one anyway — photographs, serials, seal numbers, a gap-free chain. The defensibility was built before anyone challenged it, because by the time you are challenged it is too late to add it.
Discussion questions
-
The examiner detected the HPA with
hdparm -N. What is the other hidden-region mechanism she should also have queried for, and what command reveals it? What would have happened to the case if she had imaged the reported 170 GB instead of the native 256 GB? -
The defense attacked the reliability of the image, not its contents. Why is attacking acquisition often a more powerful defense strategy than disputing the analysis itself? How does meticulous acquisition documentation neutralize it?
-
⭐ Suppose the SSD had been failing, returning different bytes on re-read, so that no two images hashed identically. How would the examiner have had to change her integrity story for the suppression hearing — and could the case still have survived? Tie your answer to piecewise hashing and the honest statement of limitations.
-
The examiner recorded the write-blocker's firmware version and serial number, not just "a write-blocker." Draft the two-sentence answer she gives on the stand using those specifics, and explain why each detail closes a door the defense would otherwise open.
-
Everything downstream — the deleted batch script, the timestomped files, the USB history — was analyzed on the working copy. Explain how the integrity established at acquisition flows forward to make each of those later findings defensible, and what would have happened to all of them if the original had been booted "just to look."