We know many ways of hiding information on a hard disk. That is nothing new: among the best known we can list encrypted files or volumes; steganography in images, audio and video (and even text and other media); host protected areas (HPAs) and Device Configuration Overlays (DCOs) on the drive itself; and we should not forget the plain "mark as hidden" attribute, used to keep some files or directories away from the unaware.
I’m pretty sure you already know about that, so, what brings us to this recurring issue this time?
First, let's pave the way a little for those interested in the topic. We will start by talking (briefly) about forensic computer analysis; we will continue with some aspects of the inner workings of a traditional hard drive; we will discuss hard disk duplicating devices and the widespread myth about how they operate; then we will talk about our research on ways of concealing data on hard disks; and we will finally close the article with a small proof of concept in which we hide and retrieve data from a hard drive using the proposed technique.
On the forensic computer analysis
Every good investigator knows that altering the evidence is the most serious mistake an investigator can make. This is no different when the investigation concerns the contents of a computer hard disk: just as a forensic surgeon uses gloves (along with other mechanisms to avoid contamination) to collect and study the evidence, a computer forensic investigator must ensure that no changes happen at all when accessing the hard disk.
However, as we know, there is a problem. Accessing a hard drive looks a bit like quantum mechanics: the mere act of observing the subject modifies it. In a normal setup this happens because, when the unit is mounted in order to browse its contents, the system will change (among other things) the last-access dates of every file it needs to read in order to boot up. Other changes that are completely beyond our control will take place at boot or mount time. Therefore, forensic investigations are rarely performed on the original hard drive; instead, they are performed on a copy (which can be in various formats), leaving the original securely sealed and preserving the chain of custody. When for some reason there is no time to obtain a copy, or it is simply impossible, you can work through a write blocker, which guarantees that any attempt to write to the disk will be thwarted or diverted.
The point to emphasize is that almost all forensic examinations work either on the copy or on the original through conventional read methods.
About the inner workings of a conventional hard drive
Many IT people have a fairly good idea of how a hard drive works. However, IT people (like me) sometimes take a lot of things for granted.
So, what may you not know about a hard disk? A hard drive is a far more intelligent machine than most people think. It is a small computer, with almost all the features of a traditional computer. Apart from its well-known physical structure (electronic board or PCB, magnetic platters, read/write heads mounted on mechanical arms, etc.), a hard drive has its own operating system, its own little file system, its own RAM and ROM, its own startup sequence, and even a UART (serial) terminal through which many tasks, mainly testing and maintenance, are performed.
We will focus on two key elements in the operation of a hard drive of particular relevance to this article: the ROM chip and the Service Area.
- The ROM. It contains the firmware code or microcode that dictates the hard drive's operation. In some models from most manufacturers it also stores certain information known as adaptive parameters: a list of parameters that are unique to each individual disk drive. It is stored, as its name states, in a ROM or Flash memory chip, which can be a separate chip on the board (usually an 8-pin package) or, in newer models, embedded in the same package as the main microcontroller.
- The Service Area or SA. It contains information that is essential to the operation of the hard drive. Part of it is again a list of adaptive parameters, like some of those stored in ROM; the rest consists mainly of tables of bad sectors found at the factory (usually known as the P-List or Primary List), tables of bad sectors found after low-level formatting the drive (depending on the manufacturer, it may appear as the G-List or A-List, for Growing List and Adaptive or Reassigned List respectively, among other names), and the translation code or Translator, which translates the LBA shown to the outside world into the CHS addressing format (Cylinder, Head, Sector), taking into account all the sectors marked in the P-List and G-List tables, and the spare sectors. It lives on the magnetic platters themselves, in what are known as negative cylinders, usually in the first zone, and, depending on the manufacturer, replicated across the rest of the surfaces.
With these two pieces of information of a hard disk’s inner working, we can better understand what comes next.
The hard drive duplicators
These devices widely used in forensic investigations are designed to make copies of a hard drive at a decent speed while preserving the original drive’s integrity.
Beyond the tremendous speeds they promise (up to 12 GB per minute), which I have never seen with conventional hard drives (although I have heard of copies between SSDs reaching up to 19 GBpm, with B for byte), many of them promise complete and absolute copies ("clones"), performed bit by bit and with total and absolute write protection. Well, let me say that this is not really so.
First, because the copies are made sector by sector or, more correctly, LBA by LBA. You cannot command the disk to read a single bit; you must command it to read one LBA, or a group of LBAs, at a time. Besides the efficiency this mechanism provides, it should be noted that the error checking and correction codes (CRC, ECC) work at the sector level, so a sector has to be read completely to know whether what was read is valid or not.
Second, the copies are not absolute. The copying process covers only the disk's user area, and it is performed at the LBA level. What does this mean? Let's go deeper. We have already mentioned the Translator. Recall that the hard disk geometry consists of cylinders, tracks and sectors. Each track has a number of spare sectors, which are brought into use when a sector currently in use fails one of the drive's quality self-checks. So, what happens when sector K is marked as defective and another sector, geometrically located somewhere else, is brought into use in its place? If this were not handled carefully, sector K would simply disappear, leaving a hole (sticking K-1 and K+1 together) and causing a complete loss of consistency in any file system built on top of that structure. The hard drive solves this problem by filling the gap with a spare sector, almost transparently to the outside world. "Almost", because disk performance drops as sectors are relocated, since the heads have to travel to different geographical areas to fetch the data. The Translator is responsible for making this relocation transparent, acting as an intermediate stage between physical sectors (P-CHS and L-CHS) and the virtual sectors, known as LBAs, which are presented to the host. Depending on the case (sectors that fail the quality test at manufacturing time, or later during normal operation), if sector K-1 has been assigned LBA 560 and sector K is defective, the Translator can either promote a spare sector to take LBA 561, or it can pull every following LBA back by one place, as shown in the picture below. Which of the two happens depends on when the defective sector was flagged.
Returning to the HDD duplicating devices: all of this happens at the LBA level, so the duplicator only copies the sectors that are assigned an LBA at that moment. The hard drive itself takes care of hiding the other sectors from the outside world, because they are either spare sectors or sectors marked as bad. Here the pitfall arises.
On the other hand, there are two things that are not copied at all: the ROM and the service area. This naturally makes sense: they contain data that is specific to each individual drive, and data that is only meaningful for a given manufacturer and model (cloning between different devices still works as long as the LBA count is the same, doesn't it?). Anyone who tried to overwrite the service area of a target hard disk with the one from the original drive would end up with a brick in his or her hands. Keep in mind that the magnetic surfaces of hard disks are not an exact science; they suffer from irregularities, defects and impurities that make them completely unique, so each platter must be individually paved (servo tracks, gain bursts, etc.), low-level formatted and properly tested for areas with irregularities, which are recorded in the P-List table at manufacturing time.
And thirdly, the write protection is not what it seems. It does apply to the user data area, but not to the service area or the ROM: logs are still written, sectors are still being remapped, and any information the hard drive handles internally is free to be modified or deleted at any time and without notice.
Yet this does not mean a cloning device is not useful; they are convenient and fast, but they give us the same data visibility that our operating system gives us (sometimes adding HPAs and DCOs). They certainly protect what they have to protect, and they copy data while preserving the file system's integrity, which is not the same thing as getting every sector back. That is what they are made for.
Hiding data on the hard disk
Now comes the interesting part. Let's talk about two techniques that allow us to store data on a hard drive in such a way that it is not copied by a hard drive duplicator (or a raw dd), thus leaving it completely out of sight of the forensic investigator who will be working on those duplicates at investigation time. Let's get serious for a moment: this is not gutter press. Doing so requires advanced knowledge, specific and specialized tools, and/or knowledge of the terminal commands of each manufacturer and hard drive family, and it is not practical at all. As a result, the use of this technique is in practice limited to a very small set of cases, such as hiding the recipe for Coca-Cola or the access codes to Zion. Not for regular use.
The two proposed techniques are:
- Save a file on the hard disk using a specialized data recovery tool with built-in commands that let us write to the service area, and mark the occupied sectors as defective in the P-List or the G-List. Then check the results with a raw hard disk (hex) viewer.
- Write directly to the service area, in one of the modules that are not critical for the disk to work. Telling the critical modules from the non-critical ones is a completely different story, so don't try this at home if you don't want to turn your HDD into a 50-buck brick. The same technique can be used to overwrite non-critical modules of the ROM.
For our proof of concept, we have chosen the first method.
MARKING SECTORS AS DEFECTIVE
Before we begin, I want to clarify that there are bad sectors as seen by the file system (and therefore by the host; these are sectors that have an LBA assigned), and bad sectors that are only known to the disk itself. The first kind is recorded in a table whose name depends on the file system (in NTFS it is the file $BadClus, with each bit representing the state of one cluster in the partition); the second kind is recorded in the Service Area tables already mentioned, the P-List and the G/A/S-List.
Materials that we use:
- A specialized data recovery board with an ATA interface, which connects to the hard disk via ATA and the serial port. As we have said, it is not strictly necessary, but it makes the work much easier, since there are almost no references for HDD terminal commands. Surprisingly, an HDD's serial terminal will often have a help command, which varies from one manufacturer and drive family to another, but again, information about its usage is very scarce. To connect a hard drive to the serial port, you can take a look at a previous post of this blog: http://hard2bit.com/blog/?p=33 (Spanish at the moment).
- A hard disk. We’ll use a rather old Samsung device, model SV2001H.
- A computer with a serial port and a hyperterminal program.
- A hexadecimal viewer and editor.
To start, we need access to the service area. That is not easy. For some drives there is no information anywhere on the vast Internet about how to access the service area. Moreover, each HDD family from each manufacturer responds to a different command set, so a lot of research is needed before even trying this on any hard disk drive. The Samsung we use will display the commands it supports when typing HE at the ENG> prompt. You can enter debug mode by pressing Escape, which changes the prompt to DBG>. However, as I said, we will use a specialized tool that saves us a lot of work here.
So, here is what we will do:
- We labelled sector K with its current LBA number and the word PREVIO (Spanish for "previous"), using a hexadecimal editor with raw access to the disk.
- We wrote important and secret information in LBA K+1.
- We labelled sector K+2 with its LBA number and the word POSTERIOR (Spanish for "subsequent" or "following").
We have used the value K = 50, so we have used sectors not usually partitioned since the first partition usually starts at LBA 63 or 2048.
This is how our disk looks like now:
Sectors (LBA) 50, 51 and 52 of our hard drive.
Now, using the tool, we retrieve the defective sector tables. The following screenshot shows part of the content of the S-List, indicating the zone (a group of consecutive read/write areas), head, cylinder and sector that have been marked as faulty and excluded from the set of sectors that are given an LBA:
Next, using the utility, we add a new record to the S-List. We have a problem here: the record must specify the location in PCHS, and we do not know which PCHS location corresponds to LBA 51. The calculation can be somewhat complicated, because you have to consider all the defects present on the disk, and how its Translator is handling them, to find out which head, cylinder and physical sector have been given a specific LBA.
In this case, we used the utility (again, a terminal command) to find out the size of the SA, which is 8 cylinders. Therefore, trusting our luck, we forced a new bad sector at 8:0:52, which is our sector 0:0:52 in LCHS format and, since CHS sector numbering starts at 1, should be the sector given LBA 51.
If we are lucky and there are no other relocations or defects, we may have just hidden LBA 51. And indeed, after powering the disk off and on again (a power cycle is needed for the changes to take effect) and viewing it with a hex editor, we can see:
We have hidden the sector! Just to be clear, we repeat that there is no way to see this sector again through the ATA interface without re-enabling it in the service area. Any attempt to see it from a PC will be frustrated, as the disk itself has hidden it from existence: the next sector has taken its place, and all following LBAs have moved exactly one position backwards.
To finish the proof of concept, we removed the defective sector from the table, to see whether we could recover it from the hard drive. Please don't think I'm cheating with the next screenshot; the sector has safely returned:
There it is! It is true that with a little more time we could have hidden a bigger file, but for the PoC this is good enough.
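The Translator behaviour described earlier (a defective sector either slips out of the LBA sequence, pulling every later LBA back by one, or keeps its LBA and is remapped to a spare) and the proof of concept just shown can both be replayed in a toy model. The following Python is an added example written for this post, not code from Hard2bit or from any drive's firmware: the geometry (a single head, 63 sectors per track, an 8-cylinder service area, one spare cylinder), the list names and the two policies are simplifying assumptions, chosen so that LBA 51 lands on physical 8:0:52 exactly as in the Samsung test.

```python
"""Toy model of an HDD Translator: how LBAs are laid over physical CHS sectors
and what the host sees when a sector is entered in a defect list.
Geometry and policies are assumptions for illustration, not any real firmware."""

from dataclasses import dataclass


@dataclass
class Geometry:
    cylinders: int = 40       # physical cylinders, service area included (assumed)
    heads: int = 1            # one surface keeps the arithmetic readable (assumed)
    spt: int = 63             # sectors per track; CHS sector numbers start at 1
    sa_cylinders: int = 8     # "negative" cylinders holding the service area (as in the post)
    spare_cylinders: int = 1  # spare pool at the end of the disk, never given an LBA (assumed)


class Translator:
    """Builds the LBA -> physical CHS table from the geometry and the defect lists."""

    def __init__(self, geo: Geometry):
        self.geo = geo
        self.slipped = set()   # PCHS entries removed from the sequence (P-List / S-List style)
        self.remapped = {}     # PCHS -> spare PCHS, LBA kept in place (G-List style)
        self.table = []
        self.rebuild()

    def rebuild(self):
        """Equivalent of the power cycle in the post: recompute the whole translation."""
        g, table = self.geo, []
        for cyl in range(g.sa_cylinders, g.cylinders - g.spare_cylinders):
            for head in range(g.heads):
                for sec in range(1, g.spt + 1):
                    p = (cyl, head, sec)
                    if p in self.slipped:
                        continue  # slip: the sector vanishes, every later LBA moves back by one
                    table.append(self.remapped.get(p, p))  # remap: LBA stays, data lives on the spare
        self.table = table

    def lba_to_pchs(self, lba):
        return self.table[lba]

    def lchs_to_pchs(self, cyl, head, sec):
        """Logical CHS -> physical CHS is just the service-area offset (0:0:52 -> 8:0:52)."""
        return (cyl + self.geo.sa_cylinders, head, sec)

    def lba_count(self):
        return len(self.table)


class Disk:
    """Platters as a dict keyed by PCHS; the host (and an imager) only sees LBAs."""

    def __init__(self, geo: Geometry):
        self.translator = Translator(geo)
        self.platters = {}

    def write_lba(self, lba, data):
        self.platters[self.translator.lba_to_pchs(lba)] = data

    def read_lba(self, lba):
        return self.platters.get(self.translator.lba_to_pchs(lba), b"")

    def visible(self):
        """What an LBA-level copy (duplicator or dd) would collect: non-empty LBAs only."""
        return {lba: self.read_lba(lba)
                for lba in range(self.translator.lba_count()) if self.read_lba(lba)}


def run_poc(geo=Geometry()):
    """Replay the post: label LBA 50 and 52, hide LBA 51 with a slip entry, then undo it."""
    disk, t = Disk(geo), None
    t = disk.translator
    disk.write_lba(50, b"50 PREVIO")
    disk.write_lba(51, b"SECRET")          # constructed stand-in for the hidden data
    disk.write_lba(52, b"52 POSTERIOR")
    target = t.lba_to_pchs(51)             # (8, 0, 52) with the default geometry
    t.slipped.add(target)
    t.rebuild()                            # power cycle
    hidden_view = dict(disk.visible())     # LBA 51 now answers with POSTERIOR; SECRET has no LBA
    t.slipped.discard(target)
    t.rebuild()
    return target, hidden_view, disk.read_lba(51)


def remap_demo(geo=Geometry()):
    """G-List style: LBA 51 keeps its number but now points at a spare; the old sector is orphaned."""
    disk, t = Disk(geo), None
    t = disk.translator
    disk.write_lba(51, b"SECRET")
    old = t.lba_to_pchs(51)
    spare = (geo.cylinders - 1, 0, 1)      # first sector of the spare cylinder (assumed layout)
    t.remapped[old] = spare
    t.rebuild()
    return t.lba_count(), disk.read_lba(51), disk.platters[old]


if __name__ == "__main__":
    print(run_poc())
    print(remap_demo())
```

`run_poc` shows why the duplicator misses the data: after the slip, the LBA space is one sector shorter and LBA 51 serves the old LBA 52, while the platter sector still holding the secret is reachable only by its physical address. `remap_demo` shows the other policy from the Translator discussion, where the LBA count does not change and the orphaned sector is just as invisible.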
It may also be of interest …
We have seen that the duplicating process of a hard drive, and also the way the hard disk is presented to the system, operates at the LBA level. It is interesting to note that during the normal operation of the disk it is common for some sectors to become defective, so they are entered in the G-List and, where still possible, relocated. Any further operation performed on the hard disk, including a secure [logical] erasure at any level (DoD 5220.22-M, Schneier, Gutmann, etc.), is still done at the LBA level, so it is still possible to recover some information from them. It is true that, once marked as bad, they are not going to be easy to extract anything from, but with the appropriate read command you can ignore the CRC and visually inspect the retrieved information. We will discuss this in our next post.
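The practical consequence of the duplicator discussion above and of this closing note is that an LBA-level image or wipe never reaches relocated sectors, HPAs or DCOs, so an examiner should at least record how many such sectors exist before acquiring the drive. The following Python is an added example written for this post, not Hard2bit's code: it parses the text that `smartctl -A` (attributes 5 and 197) and `hdparm -N` print, and both outputs embedded below are constructed samples in that format, not captures from the Samsung used in the proof of concept.

```python
"""Note what an LBA-level image will not contain before acquisition:
drive-reallocated sectors (SMART attribute 5, pending ones in 197) and any HPA.
The two text samples are constructed in the format of smartctl -A / hdparm -N."""

import re

# Constructed sample of `smartctl -A /dev/sdX` output (not a real drive).
SMART_SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       3
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1234
194 Temperature_Celsius     0x0022   035   045   000    Old_age   Always       -       35 (Min/Max 20/45)
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       3
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       1
"""

# Constructed samples of `hdparm -N /dev/sdX` output: no HPA, and an HPA hiding the tail.
HDPARM_NO_HPA = "max sectors   = 39102336/39102336, HPA is disabled\n"
HDPARM_WITH_HPA = "max sectors   = 39000000/39102336, HPA is enabled\n"

ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)")


def parse_smart_attributes(text):
    """Return {attribute id: (name, raw value)}; non-attribute lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return attrs


def parse_hpa(text):
    """Return current and native sector counts from hdparm -N, or None if absent."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        return None
    current, native = int(m.group(1)), int(m.group(2))
    return {"current": current, "native": native, "hidden_sectors": native - current}


def acquisition_notes(smart_text, hdparm_text):
    """Summarize, for the evidence log, what lies outside the LBA range an imager reads."""
    attrs = parse_smart_attributes(smart_text)
    hpa = parse_hpa(hdparm_text)
    reallocated = attrs.get(5, ("", 0))[1]
    pending = attrs.get(197, ("", 0))[1]
    notes = []
    if reallocated:
        notes.append(f"{reallocated} sector(s) reallocated by the drive: their original "
                     "platter locations have no LBA and will not appear in the image")
    if pending:
        notes.append(f"{pending} sector(s) pending reallocation: may be remapped during imaging")
    if hpa and hpa["hidden_sectors"]:
        notes.append(f"HPA hides {hpa['hidden_sectors']} sector(s) beyond LBA {hpa['current'] - 1}; "
                     "image the native size or document the gap")
    return {"reallocated": reallocated, "pending": pending,
            "hpa_hidden": hpa["hidden_sectors"] if hpa else None, "notes": notes}


if __name__ == "__main__":
    for line in acquisition_notes(SMART_SAMPLE, HDPARM_WITH_HPA)["notes"]:
        print("-", line)
```

None of these counters can say where the relocated sectors were or what they held; that, as the post explains, needs the drive's own defect tables. They do tell the examiner that the image is incomplete by a known number of sectors, which is the honest thing to write in the acquisition notes.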
Any comments, please, without hesitation.
Hard2bit Data Forensics