The Impact of Hard Disk Firmware Steganography on Computer Forensics

Andrew Blyth, Iain Sutherland, Gareth Davies, P. Pringle

Research output: Contribution to journalArticlepeer-review

22 Downloads (Pure)


The hard disk drive is probably the predominant form of storage media and is a primary data source in a forensic investigation. The majority of available software tools and literature relating to the investigation of the structure and content contained within a hard disk drive concerns the extraction and analysis of evidence from the various file systems which can reside in the user accessible area of the disk. It is known that there are other areas of the hard disk drive which could be used to conceal information, such as the Host Protected Area and the Device Configuration Overlay. There are recommended methods for the detection and forensic analysis of these areas using appropriate tools and techniques. However, there are additional areas of a disk that have currently been overlooked. The Service Area or Platter Resident Firmware Area is used to store code and control structures responsible for the functionality of the drive and for logging failing or failed sectors.?This paper provides an introduction into initial research into the investigation and identification of issues relating to the analysis of the Platter Resident Firmware Area. In particular, the possibility that the Platter Resident Firmware Area could be manipulated and exploited to facilitate a form of steganography, enabling information to be concealed by a user and potentially from a digital forensic investigator.
Original languageEnglish
JournalJournal of Digital Forensics, Security and Law
Issue number2
Publication statusPublished - 1 Jan 2009
Event The 2009 ADFSL Conference on Digital Forensics, Security and Law - USA
Duration: 20 May 200920 May 2009


  • digital forensics
  • firmware
  • steganography


Dive into the research topics of 'The Impact of Hard Disk Firmware Steganography on Computer Forensics'. Together they form a unique fingerprint.

Cite this