Proposal / Submission Type
Peer Reviewed Paper
Location
St. Paul, Minnesota
Start Date
19-5-2010 1:00 PM
Abstract
The most common form of storage media utilized in both commercial and domestic systems is the hard disk drive; consequently, these devices feature heavily in digital investigations. Hard disk drives are a collection of complex components. These components include hardware and firmware elements that are essential for the effective operation of the drive. There are now a number of devices available, intended for data recovery, which can be used to manipulate the firmware components contained within the drive. It has been previously shown that it is possible to alter firmware for malicious purposes, either to conceal information or to prevent the drive’s correct operation. We review the general construction of a hard disk drive. In particular, we examine the error handling process present within hard disk drives for dealing with failed or failing sectors and detail how this can be manipulated. The potential forensic impact on an investigation of manipulating firmware is then explored. We propose best practice considerations when analyzing a hard drive where firmware manipulation is suspected and detail a possible method to detect this form of modification.
Keywords: Hard Disk, Steganography, Data Recovery, Firmware.
Scholarly Commons Citation
Davies, Gareth and Sutherland, Iain, "Hard Disk Storage: Firmware Manipulation and Forensic Impact and Current Best Practice" (2010). Annual ADFSL Conference on Digital Forensics, Security and Law. 4.
https://commons.erau.edu/adfsl/2010/wednesday/4
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
Hard Disk Storage: Firmware Manipulation and Forensic Impact and Current Best Practice