Hard Disk Storage: Firmware Manipulation and Forensic Impact and Current Best Practice

Iain Sutherland, Gareth Davies

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

710 Downloads (Pure)

Abstract

The most common form of storage media utilized in both commercial and domestic systems is the hard disk drive, consequently these devices feature heavily in digital investigations. Hard disk drives are a collection of complex components. These components include hardware and
firmware elements that are essential for the effective operation of the drive. There are now a number of devices available, intended for data recovery, which can be used to manipulate the firmware components contained within the drive. It has been previously shown that it is possible to alter firmware for malicious purposes, either to conceal information or to prevent the drive’s correct operation. We review the general construction of a hard disk drive. In particular we examine the error handling process present within hard disk drives for dealing with failed or failing sectors and detail how this can be manipulated. The potential forensic
impact on an investigation of manipulating firmware is then explored. We propose best practice considerations when analyzing a hard drive where firmware manipulation is suspected and detail a possible method to detect this form of modification.
Original languageEnglish
Title of host publicationAnnual ADFSL Conference on Digital Forensics, Security and Law
Subtitle of host publicationSt. Paul, Minnesota, May 19-21, 2010
PublisherScholarly Comms
Publication statusPublished - 1 Jan 2010
Event The 2010 ADFSL Conference on Digital Forensics, Security and Law - USA
Duration: 19 May 201019 May 2010

Conference

Conference The 2010 ADFSL Conference on Digital Forensics, Security and Law
Period19/05/1019/05/10

Keywords

  • hard disk
  • steganography
  • data recovery

Fingerprint

Dive into the research topics of 'Hard Disk Storage: Firmware Manipulation and Forensic Impact and Current Best Practice'. Together they form a unique fingerprint.

Cite this