How do I determine the sectors that are occupying a drive track?
I am interested in locating “the last 512 bytes of the first logical drive track” in order to determine if a drive is encrypted with TrueCrypt according to their provided specification. I would only be running this check when the drive was decrypted, as I would be executing it as an audit remotely for our systems.
Any assistance is appreciated.
Modern hard drives have tracks of varying length (tracks closer to the center have fewer sectors), and, more importantly, the physical geometry of a non-removable disk (number of heads, tracks, etc.) is not exposed to the outside world as it was in the 1980s.
The TrueCrypt manual refers to the “logical drive track”, or “logical geometry”. This is a completely different thing. As I said before, all modern HDDs and SSDs expose only sectors to the outside world (no tracks or whatever). Sectors are addressed linearly: #0, #1, #2, …
This is called LBA (Logical Block Addressing).
But there was a time when the LBA standard was new and young (mid-1990s), and people used to access their hard disks via an older interface (CHS), invented by IBM for the first IBM PCs in 1980. CHS allows reading and writing sectors on the disk by specifying Cylinder, Head and Sector. Due to the limitations of the IBM PC BIOS, Cylinder must be in range 0..1023, Head must be in range 0..255 and Sector must be in range 1..63 (even today). Sectors are grouped in tracks (each track is addressed by C and H). All of this has nothing to do with physical disk geometry; it’s just an alternative way to access an LBA disk, which is why it’s called “logical geometry”.
Not that much data can be addressed via CHS: 512 bytes per sector * 63 sectors * 256 heads * 1024 cylinders < 8 Gbytes. So CHS was just a compatibility hack and quickly fell into disuse when larger hard disks arrived on the market. Windows 98 used to access the HDD via LBA, that’s for sure. DOS 6.22 and Windows 3.11 used CHS. I’m not sure about Windows 95.
So, these days ALL hard drives have the maximum number of logical heads (256) and sectors per track (63). Thus, the first “logical track” is just a group of HDD sectors #0 .. #62. All operating systems from DOS to Windows XP used to create the first partition just after this “first logical track”, at sector #63, thus causing misalignment and slow operation on 4Kb-sector HDDs. That crap was completely removed in Vista/Win7/Win8: all partitions created by modern FDISK are 1Mb-aligned.
So, the TrueCrypt manual just refers to LBA sector #62 (or the 512-byte block starting at offset 31744). But on some fancy BIOS with a CHS sectors-per-track value less than 63 (extremely unlikely), this can be any sector from #1 to #62 (sector #0 is the MBR). I’ve seen some mid-2000s BIOSes which used to assign 32 sectors-per-track to USB thumb drives (not fixed HDDs).
Mikhail’s answer is very good at describing the sectors, but he never goes over how to actually read them. Many modern hex editors will let you see a RAW view of hard drives, and you can look directly at the sectors.
For example, Hex Workshop is the editor I use, and it has an option to open the hard drive directly. I don’t think it can open system drives directly, but if you put the disk in another computer you can read it fine.
So per Mikhail’s instructions you would just need to keep hitting Next Sector until you find the sector the data is stored in (likely sector 62, but it could be a sector before it, as he said in his answer).
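For a scripted audit instead of a hex editor, the following added example (not part of either answer) maps the logical CHS address of the last sector on track C=0, H=0 to its LBA and reads those 512 bytes read-only. The function names are hypothetical, the sample image is constructed for the demonstration, and `path` is assumed to be a disk image or a raw device node you have permission to read.

```python
import os
import tempfile

SECTOR_SIZE = 512  # bytes per sector, as in the answer above

def chs_to_lba(cyl, head, sector, heads=256, spt=63):
    """Map a logical CHS address to LBA (sector is 1-based, cyl/head 0-based)."""
    if cyl < 0 or not 0 <= head < heads or not 1 <= sector <= spt:
        raise ValueError("CHS address outside the logical geometry")
    return (cyl * heads + head) * spt + (sector - 1)

def last_sector_of_first_track(spt=63):
    """LBA of the last sector on logical track C=0, H=0."""
    return chs_to_lba(0, 0, spt, spt=spt)

def read_sector(path, lba):
    """Read one sector, read-only, from a disk image or raw device node."""
    with open(path, "rb") as disk:
        disk.seek(lba * SECTOR_SIZE)
        data = disk.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise OSError(f"short read at LBA {lba}: got {len(data)} bytes")
    return data

def inspect_first_track_tail(path, spt=63):
    """Return the LBA, byte offset and content of the track's last sector."""
    lba = last_sector_of_first_track(spt)
    data = read_sector(path, lba)
    return {"lba": lba, "offset": lba * SECTOR_SIZE,
            "blank": data == bytes(SECTOR_SIZE), "data": data}

def make_sample_image(marker_lba=62, sectors=64):
    """Constructed test image: all zeros except one patterned sector."""
    pattern = bytes((i * 7 + 3) % 256 for i in range(SECTOR_SIZE))
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        img.write(bytes(marker_lba * SECTOR_SIZE))
        img.write(pattern)
        img.write(bytes((sectors - marker_lba - 1) * SECTOR_SIZE))
    return path, pattern

if __name__ == "__main__":
    path, _ = make_sample_image()
    try:
        for spt in (63, 32):  # 63 is the usual value; 32 is the thumb-drive case
            r = inspect_first_track_tail(path, spt)
            print(f"spt={spt}: LBA {r['lba']}, offset {r['offset']}, blank={r['blank']}")
    finally:
        os.remove(path)
```

If the sector at the default geometry comes back blank, rerun with the sectors-per-track value the BIOS actually reports before concluding anything.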