Protected disk areas can defeat disk imaging software

From: Paul Sanderson (paulat_private)
Date: Mon Feb 04 2002 - 09:41:57 PST

Next message: Dmitry Tsurlik: "Help: Disk signature"

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

How sure are you that your forensic imaging software is actually taking a
full image of your suspect hard disk drive?

I have been concerned over the last year or so about the accuracy of various
imaging tools with regard to the number of sectors imaged with both BIOS and
Direct access (as used by Safeback). So I took to performing a bit of R&D
and wrote a program to return the different sector counts in the different
modes. Whilst researching this I found the following:

A facility exists within the ATA specification that allows, with a standard
command, the user to limit the addressable range of sectors on a disk to an
arbitrary number? i.e. you can make, for example, an 80GB drive report (both
via the BIOS and if accessed directly) that it is a 16GB drive!

This command also supports a ‘volatile bit’ that when set means the drive
can be powered down and will retain the new settings when rebooted or
transferred to another machine.

This facility has been in the ATA specification since ATA4 (the first
revision of this specification was in 1996 and it was last revised in 1998).
I believe that both HP and IBM have already used this ‘protected area’ as a
recovery area for pre-installed software, possibly utilising an application
from StorageSoft. I have verified that Encase, Safeback (irrespective of the
access mode used) and the LogiCube Solitaire forensic imaging tools will
incorrectly image 16GB in the above example as opposed to the full 80GB.
Vogon, I am informed, can correctly image the full 80GB. I have yet to test
DD or any other imaging tools.

More information, including a tool to correctly resize the drive, is
available here: http://www.sandersonforensics.co.uk/html/bxdr.html

===================================
Paul Sanderson
T. #44 1869 325667
F. #44 1869 369001
M. #44 7808 773856
http://www.sandersonforensics.co.uk
===================================



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Dmitry Tsurlik: "Help: Disk signature"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 06:11:02 PST