•  
  •  
 

Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

The hard disk drive is probably the predominant form of storage media and is a primary data source in a forensic investigation. The majority of available software tools and literature relating to the investigation of the structure and content contained within a hard disk drive concerns the extraction and analysis of evidence from the various file systems which can reside in the user accessible area of the disk. It is known that there are other areas of the hard disk drive which could be used to conceal information, such as the Host Protected Area and the Device Configuration Overlay. There are recommended methods for the detection and forensic analysis of these areas using appropriate tools and techniques. However, there are additional areas of a disk that have currently been overlooked. The Service Area or Platter Resident Firmware Area is used to store code and control structures responsible for the functionality of the drive and for logging failing or failed sectors. This paper provides an introduction into initial research into the investigation and identification of issues relating to the analysis of the Platter Resident Firmware Area. In particular, the possibility that the Platter Resident Firmware Area could be manipulated and exploited to facilitate a form of steganography, enabling information to be concealed by a user and potentially from a digital forensic investigator.

References

[1] Vidström A., (2005) Computer Forensics and the ATA Interface, Technical report Swedish Defence Research Agency, FOI-R--1638—SE, February 2005, 1650-1942

[2] Carrier B, (2005) Forensic File System Analysis, Addison Wesley.

[3] Gupta M.R., Hoeschele, M.D., Marcus K. Rogers M.K., (2006) Hidden Disk Areas: HPA and DCO. International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1

[4] Blyth A.J.C., Sutherland I, Pringle N., (2008) Tools and Techniques for Steganography and Data Insertion onto Computer Hard-Drives, 8th Annual Program Manager’s Anti-Tamper Workshop, Sponsored by US DoD AntiTamper Executive Agent SAF/AQL and Department of the Army, Redstone Arsenal, Huntsville, AL, USA.

[5] Badtrk (ADM) Documentation (Accessed 11/3/09) http://docsrv.caldera.com:507/en/man/html.ADM/badtrk.ADM.html

[6] HDD Firmware Serial Number Source Code 1.01 Free Download (Accessed 11/3/09) http://www.softlow.com/windows/developmenttools/debugging/shareware/hdd-firmware-serial-number-source-code.html

[7] Davies G. & Sutherland I. (2009), Forensic Implications of the modification of Hard Disk Firmware, Proceedings of the Fourth Research Student Workshop, University of Glamorgan, 12th March 2009.

[8] Gutmann .p (1996) Secure Deletion of Data from Magnetic and Solid-State Memory. Proceedings of The Sixth USENIX Security Symposium, July 22–25, 1996, San Jose, California, USA

[9] Jones A., Valli C., Sutherland I. (2006) An Analysis of Information Remaining on Disks offered for sale on the second hand market. Journal of Digital Security, Forensics & Law. Volume 1, Issue 3.

[10] Jones A., Dardick G., Sutherland I, Valli C., (2009) The 2007 Analysis of Information Remaining on Disks offered for sale on the second hand market. Int. J. Liability and Scientific Enquiry. Vol.2 (1), pp.53–68

[11] Sutherland I, & Mee V. (2006) Data Disposal: How educated are your Schools?, 6th European Conference on Information Warfare and Security, June 2006.

DOI

https://doi.org/10.15394/jdfsl.2009.1059

 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.