Detect hidden volumes (not TC)

Hi guys,
is there any way for "Power Users" (not Computer Forensic Technicians) to detect any hidden volumes as described below ? For sure it's not possible within the compromised OS, but what about Boot CDs ?


"The developers who created ZeroAccess were "very smart," in that they used various "creative" low-level methods that made it almost impossible to remove the malware without somehow damaging the host operating system, said Koziol. The rootkit uses device drivers to create hidden volumes on the hard drive that are virtually impossible to detect using normal techniques. The hidden partition is still there even if data is deleted or if the volume is formatted. "

cheers,
gam

 

I know that you can see hidden Windows Restore volumes (Dell, HP, etc.) using a Linux Live CD and GParted. I do not know about the ZeroAccess hidden volumes.

I do not have enough experience with the Partition Wizard bootable CD. I would guess that it would show hidden volumes. I know that it has options for destroying data ("zero" write, "one" write + "zero" write, etc.). I am not sure if you can destroy data on just one volume or if it only destroys data on the whole hard drive.

http://www.partitionwizard.com/partition-wizard-bootable-cd.html

 

The hidden volume is used for storage and works with the driver and although an interesting approach isn't to important in the removal of the infection - to see the virtual volume use forensic tools . For damage, I haven't looked at recent Zeroacess/Max++ samples but in x64 version there BSOD on reboot if the autorun was deleted without repairing the registry key.