1
QUESTION : Can the apparently "random"-ish data written to a full drive (not just a partition) during a random "wipe" or encryption be somehow interpreted by the computer as having a "valid" MBR Partition table? (Since the random data is written to the first 512 bytes of the drive when you choose a full drive --- I think).
Note: I'm using Truecrypt, however I think the same issue can logically occur whether random wiping or encrypting. I've thought more about my previous wall-o-text post (here: https://superuser.com/questions/523951/why-is-truecrypt-creating-random-phantom-partitions-when-encryption-a-full-dri ) and I realized I could probably ask this in a much simpler and refined way above regardless of the operating system or program used.
BACKGROUND : Each time I re-encrypt the same drive (full drive), I keep getting these partitions of various sizes showing up (expanded description in the posted wall-o-text link above if you would like to see more).
MY GUESS: I think maybe the proper location of bytes of the MBR are getting filled with seemingly valid data to make it appear as though it's defining a partition table (even though the partitions are totally wacky, and are impossible sizes). It only happens with one particular hard drive, I can't seem to make it happen with another drive (flash drive this time instead of an external backup drive).
The flash drive doesn't seem to have the fake partitions be generated on it despite numerous attempts, but the external backup drive does consistently.
Or does it likely seem to be a hardware related issue with my external hard drive do you think?
OTHER MISC INFO: Note: I can mount the "device" perfectly fine (if I choose the physical "drive", and not one of the weird partitions), I just can't figure out why there are these fake and wildly random partitions showing up when I connect the external drive. I just would have thought there's some sort of standard signature check of the MBR partition table to prevent weird partitions from being registered when you connect the external hard drive.
A partition manager software (GParted) doesn't register and display the random fake partitions, but the Operating system (Linux in this case) does register them, and so does Truecrypt itself (probably due to querying the operating system).
Do you think this is normal to have happen? I don't remember it happening initially when I first encrypted the drive; but it seems to happen consistently upon every attempt to re-encrypt the drive to see if it finally stops doing it.
Mikeweb49
Posted 2012-12-27T03:11:28.853
Reputation: 255
Question currently closed. Currently I can't add this as an answer. But the answer is: yes. The MBR's info on partitions is just 64 bytes (16 per partition), with no sig check. The main sig check in the MBR are the 511th and 512th bytes (bytes 510-511 if using 0-based count); if they are 0x55AA then the drive is bootable by the BIOS. Well, the first 446 byte vary based on which OS, so there could be more sig checks, e.g. a disk ID at byte 441. But I know of no standard sig check for partitions. "Blank" partition data is typically signified by a byte of 0 for that partition's s "type" ID. – TOOGAM – 2017-07-02T12:04:36.343
@Thomas: Maybe GPT has more protections, but for MBR? Partition type IDs are at bytes 451 and 467 and 483 and 499. To NOT have partitions would basically require all of those to be zero. Any non-zero value would specify that there is a partition; I find it most probable (by an extraordinarily high likelihood) that there will be invalid partition data (most likely 4 partitions, each starting at a random spot on the disk, and each of a random size, and a random partition type). What checks are you expecting for "a valid partition header"? – TOOGAM – 2017-07-02T12:13:52.847
Since that is clearly not the intention it could only be because of buggy s/w. Maybe best post to the TrueCrypt support forum? (http://forums.truecrypt.org/) I can only say that I have used TC for years in the manner which you describe and have never once seen a new partition appearing ... sounds curios, best ask the TC guys
– Mawg says reinstate Monica – 2012-12-27T03:21:13.940I've also used Truecrypt for quite a long time, but encrypted partitions, and not a full drive. Only recently did I decide to encrypt the full device (no partitions at all). It just seems plausible in my mind that random data might be interpreted as a partition table --- but, if so, I would imagine every drive would have an equally likely chance of this occurring. Likewise, I would imagine everyone that wipes a drive would notice this odd occurrence as well.. – Mikeweb49 – 2012-12-27T03:31:49.930
Statistically, it is possible for random data to just happen to describe a valid partition header, but such an event is inconceivably unlikely. For all intents and purposes, the probability of this occurring is zero. – Thomas – 2012-12-27T03:45:38.473
Thomas, that's what I was thinking too... statistically unlikely --- except in my case it's happening quite consistently (at least 5 times in a row with different partitions arrangements showing up using certain tools). However, that seems to only be recognized by Linux (while watching /var/log/syslog) and Truecrypt. Other software such as partition management software doesn't seem to show the partitions, nor does the linux command "fdisk -l". Thanks for your input. – Mikeweb49 – 2012-12-27T05:10:58.763