Abstract
The most common form of storage media utilized in both commercial and domestic systems is the hard disk drive; consequently, these devices feature heavily in digital investigations. Hard disk drives are a collection of complex components. These components include hardware and firmware elements that are essential for the effective operation of the drive. There are now a number of devices available, intended for data recovery, which can be used to manipulate the firmware components contained within the drive. It has been previously shown that it is possible to alter firmware for malicious purposes, either to conceal information or to prevent the drive’s correct operation. We review the general construction of a hard disk drive. In particular, we examine the error handling process present within hard disk drives for dealing with failed or failing sectors and detail how this can be manipulated. The potential forensic impact on an investigation of manipulating firmware is then explored. We propose best practice considerations when analyzing a hard drive where firmware manipulation is suspected and detail a possible method to detect this form of modification.
Original language | English |
---|---|
Title of host publication | Annual ADFSL Conference on Digital Forensics, Security and Law |
Subtitle of host publication | St. Paul, Minnesota, May 19-21, 2010 |
Publisher | Scholarly Comms |
Publication status | Published - 1 Jan 2010 |
Event | The 2010 ADFSL Conference on Digital Forensics, Security and Law - USA; Duration: 19 May 2010 → 19 May 2010 |
Conference
Conference | The 2010 ADFSL Conference on Digital Forensics, Security and Law |
---|---|
Period | 19/05/10 → 19/05/10 |
Keywords
- hard disk
- steganography
- data recovery