SlideShare a Scribd company logo

Hiding data in hard drive’s service areas

Yury Chemerkin
Yury Chemerkin
Technology
1 of 6
Download to read offline
Hiding Data in Hard-Drive’s Service Areas Ariel Berkman <ariel@recover.co.il> Recover Information Technologies LTD http://www.recover.co.il February 14, 2013 Contents 1 Introduction 1 2 Service Areas and Service Area Modules 2 3 Service Area Sizes 3 4 Other Reserved Areas 3 5 Data Hiding and Sanitation 4 6 Proof of Concept 4 7 Summary 6 1 Introduction In this paper we will demonstrate how spinning hard-drives’ service areas1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard-drive). These reserved areas are used by hard-drive vendors to store modules that in 1 Sometimes referred to as “Reserved area”, “System Area”, “Negative sectors”, “Firmware area”, “Microcode Area”, etc. 1
turn operate the drive, and in a sense, together with the ROM, serve as the hard-drive’s internal storage and OS. By sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these areas to read and write data that are otherwise inaccessible. This should not be confused with DCO2 or HPA3 which can be easily detected, removed and accessed via standard ATA commands. 2 Service Areas and Service Area Modules A service area is a logical area on the hard-drive (residing on the platters) set aside by hard-drive vendors for internally managing the drive. These ar- eas are outside the hard-drive’s Logical Block Address (LBA) space and as such are inaccessible via the standard ATA commands. As the complexity of hard-drives grow, so does the software and data required to manage that complexity, and correspondingly, the need for larger service areas. The ser- vice area contains both code and data modules such as defect management modules, SMART data modules, self-test modules and much more. Due to their importance, there are usually two copies of these modules, such that if one copy gets damaged or corrupted, the drive could continue to operate. Since these modules are responsible for the operability of the drive, cor- ruption of these modules could result in a drive failure. Professional data- recovery labs have been using, since the inception of the field, data-recovery tools (e.g., Ace Laboratory’s4 PC3000) to access these service areas and re- pair, when possible, the critically damaged modules. In order to access the service area, Programmable IO must be used to send VSCs directly to the hard-drive’s IO port. These commands are unique to the hard-drive vendor and are not publicly disclosed. Hard-drive vendors often release tools for manipulating hard-drive’s functionality; these tools use VSCs to modify certain elements of the drive. One such example is Western- Digital’s wdidle3.exe 5 (and its open source counterpart idle3-tools 6 ) which changes the way the hard-drive’s built-in activity timer operate. Another 2 http://en.wikipedia.org/wiki/Device configuration overlay 3 http://en.wikipedia.org/wiki/Host Protected Area 4 http://www.acelaboratory.com/ 5 http://support.wdc.com/product/download.asp?groupid=609&sid=113 6 http://idle3-tools.sourceforge.net/ 2
example is the hddhackr 7 tool which modifies the service area modules in charge of the hard-drive identification information. 3 Service Area Sizes Service area size and service area module sizes vary significantly across hard- drive vendors, families, capacities and firmware versions. For example, a WD2500KS-00MJB0 drive (Western-Digital, Hawk family, 250GB, Firmware version 02AEC) has two copies of its service area modules (on platter surfaces mapped to heads 0 and 1), each around 6MB in size. The reserved-area size on each surface is approximately 23MB (720 sectors-per-track x 64 tracks). Furthermore, since this drive has 6 surfaces (heads 0 through 5) and the service area modules copies are on surfaces mapped to heads 0 and 1, the corresponding areas on surfaces mapped to heads 2 through 5 are reserved, but not in use by the drive. As such the total reserved area size on such drives is approximately 141MB, of which 12MB is in use. In comparison, a WD10EACS-00ZJB0 drive (Western-Digital, Hulk fam- ily, 1TB) has two copies of its service area modules, each approximately 26MB. The reserved-area size on each surface is approximately 56MB (1280 sectors-per-track x 86 tracks). This drive has 8 surfaces (heads 0 through 7) and the service area modules copies are on surfaces mapped to heads 0 and 1. The rest of the reserved area is not in use. As such, the total reserved area sizes on such drives is approximately 450MB, of which 52MB is in use. 4 Other Reserved Areas In addition to areas reserved for service area modules, other forms of ATA- inaccessible locations that require VSCs might be available: • The hard-drive’s flash chip is used for boot-strapping the drive. While usually very small (around 1MB), could contain some available space. • Unused tracks past the hard-drive’s LBA. • Some hard-drives have disabled head(s) which map to a whole surface. By sending VSCs, one could theoretically enable that head, use that 7 http://www.google.com/search?q=hddhackr 3
entire unused surface to store data and then disable the head to render that data inaccessible. 5 Data Hiding and Sanitation The common notion in data sanitation is that data sanitation software tools, when properly used, will completely purge all data on the hard-drive. How- ever, this does not apply to the aforementioned reserved areas, regardless of the employed data destruction method (e.g. single pass, multiple passes with random data, nulls, etc.). It’s important to emphasize that the only way data can be written to reserved areas is by using the hard-drive’s VSCs. For that reason, it’s very unlikely that data would, for example, be accidentally copied or leaked8 to these areas. It is however possible, although non-trivial to accomplish, that a software designed for that purpose, would be able to copy data to reserved areas such that they would not be sanitized despite any software sanitation efforts. Furthermore, software designed to manipulate the reserved areas - via the drive’s VSCs - could use the reserved areas as a “hiding” place. Not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software, computer forensics tools, etc. 6 Proof of Concept In order to demonstrate the ability to hide data in the service area, we’ve developed a proof-of-concept designed to work on Western-Digital 250GB Hawk hard-drives (available for download at http://www.recover.co.il/SA- cover/SA-cover-poc.c). These drives have 6 surfaces, each with 64 tracks (with 720 sectors-per-track) reserved for service area. The first two surfaces contain copies of the service area modules and are therefore not used in the POC (despite the unallocated areas which can also be used). The POC can read and write a file of upto 94MB to the reserved area (4 x 64 x 720 x 512 8 An exception to this is when a hard-drive decides to re-allocate a suspected bad-sector, and re-maps that logical address to a new sector, leaving the original sector inaccessible to the user. However, the risk is minor due to the small amount of reserved sectors for this purpose and the inability to control when and where it will take place. 4
bytes). The code can result in data loss, or hard-drive failure, therefore use it at your own risk! In this example we demonstrate how the POC can be used to hide data that will not be sanitized (or accessible) using standard tools: • Generate a random file (94MB in size) and compute its MD5 hash value. • Write the file to the service area. • Sanitize the drive by dd-ing /dev/zero onto the “entire” drive (the block device of the relevant hard-drive). Our understanding is that a complete, successful single pass of nulls (or any other byte) would suffice for the data to be rendered unrecoverable. • Read the service area content and calculate its MD5 value to see the random data file is intact. root@Shafan1:~/SA# dd if=/dev/urandom count=184320 > random-file ; md5sum random-file 184320+0 records in 184320+0 records out 94371840 bytes (94 MB) copied, 12.8187 s, 7.4 MB/s 0baca7245e1efa160512a6217c13a7b0 random-file root@Shafan1:~/SA# ./SA-cover-poc -p 0x0170 -w ./random-file using port address: 0x0170 Model: WDC WD2500KS-00MJB0 S/N: WD-WCANK5391702 F/W Ver: 02.01C03 LBA24:268435455 LBA48:488397168 Service area sectors-per-track (720) Service area tracks (64) Num of heads(6) Unused reversed space (94371840 bytes) writing head(2) track(-1) writing head(2) track(-2) writing head(2) track(-3) .... writing head(5) track(-62) writing head(5) track(-63) writing head(5) track(-64) 5
root@Shafan1:~# dd if=/dev/zero of=/dev/sdb bs=1M dd: writing ‘/dev/sdb’: No space left on device 238476+0 records in 238475+0 records out 250059350016 bytes (250 GB) copied, 4732.86 s, 52.8 MB/s root@Shafan1:~/SA# ./SA-cover-poc -p 0x0170 -r after-dding-dev-zero using port address: 0x0170 Model: WDC WD2500KS-00MJB0 S/N: WD-WCANK5391702 F/W Ver: 02.01C03 LBA24:268435455 LBA48:488397168 Service area sectors-per-track (720) Service area tracks (64) Num of heads(6) Unused reversed space (94371840 bytes) reading head(2) track(-1) reading head(2) track(-2) .... reading head(5) track(-62) reading head(5) track(-63) reading head(5) track(-64) root@Shafan1:~/SA# md5sum after-dding-dev-zero 0baca7245e1efa160512a6217c13a7b0 after-dding-dev-zero 7 Summary Spinning hard-drives contain reserved areas with non-negligible sizes that are used by hard-drive vendors to store service area modules. These areas can only be accessed and manipulated via VSCs (Vendor Specific Commands). By using VSCs, one can store data in these areas such that it would be effectively hidden to the OS and other tools using standard ATA commands. 6

Recommended

Memory management
Memory managementMemory management
Memory managementRajni Sirohi
 
os
osos
oslavanya lalu
 
Flash-Specific Data Protection
Flash-Specific Data ProtectionFlash-Specific Data Protection
Flash-Specific Data ProtectionEMC
 
Mass storage structurefinal
Mass storage structurefinalMass storage structurefinal
Mass storage structurefinalmarangburu42
 
Designing Information Structures For Performance And Reliability
Designing Information Structures For Performance And ReliabilityDesigning Information Structures For Performance And Reliability
Designing Information Structures For Performance And Reliabilitybryanrandol
 
Mass storagestructure pre-final-formatting
Mass storagestructure pre-final-formattingMass storagestructure pre-final-formatting
Mass storagestructure pre-final-formattingmarangburu42
 
Exploiting Multi Core Architectures for Process Speed Up
Exploiting Multi Core Architectures for Process Speed UpExploiting Multi Core Architectures for Process Speed Up
Exploiting Multi Core Architectures for Process Speed UpIJERD Editor
 
10.1.1.48.4087
10.1.1.48.408710.1.1.48.4087
10.1.1.48.4087Aram Khalili
 

Recommended

Memory management
Memory managementMemory management
Memory managementRajni Sirohi
 
os
osos
oslavanya lalu
 
Flash-Specific Data Protection
Flash-Specific Data ProtectionFlash-Specific Data Protection
Flash-Specific Data ProtectionEMC
 
Mass storage structurefinal
Mass storage structurefinalMass storage structurefinal
Mass storage structurefinalmarangburu42
 
Designing Information Structures For Performance And Reliability
Designing Information Structures For Performance And ReliabilityDesigning Information Structures For Performance And Reliability
Designing Information Structures For Performance And Reliabilitybryanrandol
 
Mass storagestructure pre-final-formatting
Mass storagestructure pre-final-formattingMass storagestructure pre-final-formatting
Mass storagestructure pre-final-formattingmarangburu42
 
Exploiting Multi Core Architectures for Process Speed Up
Exploiting Multi Core Architectures for Process Speed UpExploiting Multi Core Architectures for Process Speed Up
Exploiting Multi Core Architectures for Process Speed UpIJERD Editor
 
10.1.1.48.4087
10.1.1.48.408710.1.1.48.4087
10.1.1.48.4087Aram Khalili
 
PowerAlluxio
PowerAlluxioPowerAlluxio
PowerAlluxioChi-fan Chu
 
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...Principled Technologies
 
Chapter 3
Chapter 3Chapter 3
Chapter 3Ali Broumandnia
 
OSCh14
OSCh14OSCh14
OSCh14Joe Christensen
 
I/O System and Case study
I/O System and Case studyI/O System and Case study
I/O System and Case studyLavanya G
 
12.mass stroage system
12.mass stroage system12.mass stroage system
12.mass stroage systemSenthil Kanth
 
Operation System
Operation SystemOperation System
Operation SystemROHINIPRIYA1997
 
Chapter 12 - Mass Storage Systems
Chapter 12 - Mass Storage SystemsChapter 12 - Mass Storage Systems
Chapter 12 - Mass Storage SystemsWayne Jones Jnr
 
Secondary storage devices
Secondary storage devicesSecondary storage devices
Secondary storage devicesDr. C.V. Suresh Babu
 
Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Ahmed Hashad
 
Ch10
Ch10Ch10
Ch10ushaindhu
 
Reliable Hydra SSD Architecture for General Purpose Controllers
Reliable Hydra SSD Architecture for General Purpose ControllersReliable Hydra SSD Architecture for General Purpose Controllers
Reliable Hydra SSD Architecture for General Purpose ControllersIJMER
 
3
33
3Dhiraj kumar
 
04.01 file organization
04.01 file organization04.01 file organization
04.01 file organizationBishal Ghimire
 
Disk Management
Disk ManagementDisk Management
Disk ManagementShipra Swati
 
Sheik Mohamed Shadik - BSc - Project Details
Sheik Mohamed Shadik - BSc - Project DetailsSheik Mohamed Shadik - BSc - Project Details
Sheik Mohamed Shadik - BSc - Project Detailsshadikbsc
 
DBMS Unit IV and V Material
DBMS Unit IV and V MaterialDBMS Unit IV and V Material
DBMS Unit IV and V MaterialArthyR3
 
I/O System and Case Study
I/O System and Case StudyI/O System and Case Study
I/O System and Case StudyGRamya Bharathi
 
Unit3 ppt3 hard drive
Unit3 ppt3 hard driveUnit3 ppt3 hard drive
Unit3 ppt3 hard driveFarhanMalik93
 
Storage Area Networks Unit 2 Notes
Storage Area Networks Unit 2 NotesStorage Area Networks Unit 2 Notes
Storage Area Networks Unit 2 NotesSudarshan Dhondaley
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionMarkus Michalewicz
 
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...The Linux Foundation
 

More Related Content

What's hot

Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...Principled Technologies
 
I/O System and Case study
I/O System and Case studyI/O System and Case study
I/O System and Case studyLavanya G
 
12.mass stroage system
12.mass stroage system12.mass stroage system
12.mass stroage systemSenthil Kanth
 
Chapter 12 - Mass Storage Systems
Chapter 12 - Mass Storage SystemsChapter 12 - Mass Storage Systems
Chapter 12 - Mass Storage SystemsWayne Jones Jnr
 
Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Ahmed Hashad
 
Reliable Hydra SSD Architecture for General Purpose Controllers
Reliable Hydra SSD Architecture for General Purpose ControllersReliable Hydra SSD Architecture for General Purpose Controllers
Reliable Hydra SSD Architecture for General Purpose ControllersIJMER
 
04.01 file organization
04.01 file organization04.01 file organization
04.01 file organizationBishal Ghimire
 
Sheik Mohamed Shadik - BSc - Project Details
Sheik Mohamed Shadik - BSc - Project DetailsSheik Mohamed Shadik - BSc - Project Details
Sheik Mohamed Shadik - BSc - Project Detailsshadikbsc
 
DBMS Unit IV and V Material
DBMS Unit IV and V MaterialDBMS Unit IV and V Material
DBMS Unit IV and V MaterialArthyR3
 
I/O System and Case Study
I/O System and Case StudyI/O System and Case Study
I/O System and Case StudyGRamya Bharathi
 
Unit3 ppt3 hard drive
Unit3 ppt3 hard driveUnit3 ppt3 hard drive
Unit3 ppt3 hard driveFarhanMalik93
 

What's hot (19)

PowerAlluxio
PowerAlluxioPowerAlluxio
PowerAlluxio
 
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
Consolidating older database servers onto Dell PowerEdge FX2 with FC830 serve...
 
Chapter 3
Chapter 3Chapter 3
Chapter 3
 
OSCh14
OSCh14OSCh14
OSCh14
 
I/O System and Case study
I/O System and Case studyI/O System and Case study
I/O System and Case study
 
12.mass stroage system
12.mass stroage system12.mass stroage system
12.mass stroage system
 
Operation System
Operation SystemOperation System
Operation System
 
Chapter 12 - Mass Storage Systems
Chapter 12 - Mass Storage SystemsChapter 12 - Mass Storage Systems
Chapter 12 - Mass Storage Systems
 
Secondary storage devices
Secondary storage devicesSecondary storage devices
Secondary storage devices
 
Data recovery with a view of digital forensics
Data recovery with a view of digital forensics Data recovery with a view of digital forensics
Data recovery with a view of digital forensics
 
Ch10
Ch10Ch10
Ch10
 
Reliable Hydra SSD Architecture for General Purpose Controllers
Reliable Hydra SSD Architecture for General Purpose ControllersReliable Hydra SSD Architecture for General Purpose Controllers
Reliable Hydra SSD Architecture for General Purpose Controllers
 
3
33
3
 
04.01 file organization
04.01 file organization04.01 file organization
04.01 file organization
 
Disk Management
Disk ManagementDisk Management
Disk Management
 
Sheik Mohamed Shadik - BSc - Project Details
Sheik Mohamed Shadik - BSc - Project DetailsSheik Mohamed Shadik - BSc - Project Details
Sheik Mohamed Shadik - BSc - Project Details
 
DBMS Unit IV and V Material
DBMS Unit IV and V MaterialDBMS Unit IV and V Material
DBMS Unit IV and V Material
 
I/O System and Case Study
I/O System and Case StudyI/O System and Case Study
I/O System and Case Study
 
Unit3 ppt3 hard drive
Unit3 ppt3 hard driveUnit3 ppt3 hard drive
Unit3 ppt3 hard drive
 

Similar to Hiding data in hard drive’s service areas

Storage Area Networks Unit 2 Notes
Storage Area Networks Unit 2 NotesStorage Area Networks Unit 2 Notes
Storage Area Networks Unit 2 NotesSudarshan Dhondaley
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionMarkus Michalewicz
 
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...The Linux Foundation
 
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software ReleaseIsabella789
 
EOUG95 - Client Server Very Large Databases - Paper
EOUG95 - Client Server Very Large Databases - PaperEOUG95 - Client Server Very Large Databases - Paper
EOUG95 - Client Server Very Large Databases - PaperDavid Walker
 
Ch14 OS
Ch14 OSCh14 OS
Ch14 OSC.U
 
Understanding the Windows Server Administration Fundamentals (Part-2)
Understanding the Windows Server Administration Fundamentals (Part-2)Understanding the Windows Server Administration Fundamentals (Part-2)
Understanding the Windows Server Administration Fundamentals (Part-2)Tuan Yang
 
Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)
Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)
Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)DataCore APAC
 
Operation System
Operation SystemOperation System
Operation SystemANANTHI1997
 
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]Markus Michalewicz
 
Virtual SAN- Deep Dive Into Converged Storage
Virtual SAN- Deep Dive Into Converged StorageVirtual SAN- Deep Dive Into Converged Storage
Virtual SAN- Deep Dive Into Converged StorageDataCore Software
 
TechDay - Toronto 2016 - Hyperconvergence and OpenNebula
TechDay - Toronto 2016 - Hyperconvergence and OpenNebulaTechDay - Toronto 2016 - Hyperconvergence and OpenNebula
TechDay - Toronto 2016 - Hyperconvergence and OpenNebulaOpenNebula Project
 
SHARE Virtual Flash Memory VFM VSM_04-17-19.pdf
SHARE Virtual Flash Memory VFM VSM_04-17-19.pdfSHARE Virtual Flash Memory VFM VSM_04-17-19.pdf
SHARE Virtual Flash Memory VFM VSM_04-17-19.pdfssuser9f7ea5
 

Similar to Hiding data in hard drive’s service areas (20)

Storage Area Networks Unit 2 Notes
Storage Area Networks Unit 2 NotesStorage Area Networks Unit 2 Notes
Storage Area Networks Unit 2 Notes
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion Edition
 
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
XPDS13: VIRTUAL DISK INTEGRITY IN REAL TIME JP BLAKE, ASSURED INFORMATION SE...
 
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
1Z0-027 Exam-Oracle Exadata Database Machine Administration, Software Release
 
Operating system ppt
Operating system pptOperating system ppt
Operating system ppt
 
Operating system ppt
Operating system pptOperating system ppt
Operating system ppt
 
Operating system ppt
Operating system pptOperating system ppt
Operating system ppt
 
Operating system ppt
Operating system pptOperating system ppt
Operating system ppt
 
EOUG95 - Client Server Very Large Databases - Paper
EOUG95 - Client Server Very Large Databases - PaperEOUG95 - Client Server Very Large Databases - Paper
EOUG95 - Client Server Very Large Databases - Paper
 
OS_Ch14
OS_Ch14OS_Ch14
OS_Ch14
 
Ch14 OS
Ch14 OSCh14 OS
Ch14 OS
 
Understanding the Windows Server Administration Fundamentals (Part-2)
Understanding the Windows Server Administration Fundamentals (Part-2)Understanding the Windows Server Administration Fundamentals (Part-2)
Understanding the Windows Server Administration Fundamentals (Part-2)
 
Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)
Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)
Virtual SAN - A Deep Dive into Converged Storage (technical whitepaper)
 
Azure Databases with IaaS
Azure Databases with IaaSAzure Databases with IaaS
Azure Databases with IaaS
 
Operation System
Operation SystemOperation System
Operation System
 
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
 
Virtual SAN- Deep Dive Into Converged Storage
Virtual SAN- Deep Dive Into Converged StorageVirtual SAN- Deep Dive Into Converged Storage
Virtual SAN- Deep Dive Into Converged Storage
 
TechDay - Toronto 2016 - Hyperconvergence and OpenNebula
TechDay - Toronto 2016 - Hyperconvergence and OpenNebulaTechDay - Toronto 2016 - Hyperconvergence and OpenNebula
TechDay - Toronto 2016 - Hyperconvergence and OpenNebula
 
SHARE Virtual Flash Memory VFM VSM_04-17-19.pdf
SHARE Virtual Flash Memory VFM VSM_04-17-19.pdfSHARE Virtual Flash Memory VFM VSM_04-17-19.pdf
SHARE Virtual Flash Memory VFM VSM_04-17-19.pdf
 
DAS RAID NAS SAN
DAS RAID NAS SANDAS RAID NAS SAN
DAS RAID NAS SAN
 

More from Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesYury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 

More from Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Hiding data in hard drive’s service areas

  • 1. Hiding Data in Hard-Drive’s Service Areas Ariel Berkman <ariel@recover.co.il> Recover Information Technologies LTD http://www.recover.co.il February 14, 2013 Contents 1 Introduction 1 2 Service Areas and Service Area Modules 2 3 Service Area Sizes 3 4 Other Reserved Areas 3 5 Data Hiding and Sanitation 4 6 Proof of Concept 4 7 Summary 6 1 Introduction In this paper we will demonstrate how spinning hard-drives’ service areas1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard-drive). These reserved areas are used by hard-drive vendors to store modules that in 1 Sometimes referred to as “Reserved area”, “System Area”, “Negative sectors”, “Firmware area”, “Microcode Area”, etc. 1
  • 2. turn operate the drive, and in a sense, together with the ROM, serve as the hard-drive’s internal storage and OS. By sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these areas to read and write data that are otherwise inaccessible. This should not be confused with DCO2 or HPA3 which can be easily detected, removed and accessed via standard ATA commands. 2 Service Areas and Service Area Modules A service area is a logical area on the hard-drive (residing on the platters) set aside by hard-drive vendors for internally managing the drive. These ar- eas are outside the hard-drive’s Logical Block Address (LBA) space and as such are inaccessible via the standard ATA commands. As the complexity of hard-drives grow, so does the software and data required to manage that complexity, and correspondingly, the need for larger service areas. The ser- vice area contains both code and data modules such as defect management modules, SMART data modules, self-test modules and much more. Due to their importance, there are usually two copies of these modules, such that if one copy gets damaged or corrupted, the drive could continue to operate. Since these modules are responsible for the operability of the drive, cor- ruption of these modules could result in a drive failure. Professional data- recovery labs have been using, since the inception of the field, data-recovery tools (e.g., Ace Laboratory’s4 PC3000) to access these service areas and re- pair, when possible, the critically damaged modules. In order to access the service area, Programmable IO must be used to send VSCs directly to the hard-drive’s IO port. These commands are unique to the hard-drive vendor and are not publicly disclosed. Hard-drive vendors often release tools for manipulating hard-drive’s functionality; these tools use VSCs to modify certain elements of the drive. One such example is Western- Digital’s wdidle3.exe 5 (and its open source counterpart idle3-tools 6 ) which changes the way the hard-drive’s built-in activity timer operate. Another 2 http://en.wikipedia.org/wiki/Device configuration overlay 3 http://en.wikipedia.org/wiki/Host Protected Area 4 http://www.acelaboratory.com/ 5 http://support.wdc.com/product/download.asp?groupid=609&sid=113 6 http://idle3-tools.sourceforge.net/ 2
  • 3. example is the hddhackr 7 tool which modifies the service area modules in charge of the hard-drive identification information. 3 Service Area Sizes Service area size and service area module sizes vary significantly across hard- drive vendors, families, capacities and firmware versions. For example, a WD2500KS-00MJB0 drive (Western-Digital, Hawk family, 250GB, Firmware version 02AEC) has two copies of its service area modules (on platter surfaces mapped to heads 0 and 1), each around 6MB in size. The reserved-area size on each surface is approximately 23MB (720 sectors-per-track x 64 tracks). Furthermore, since this drive has 6 surfaces (heads 0 through 5) and the service area modules copies are on surfaces mapped to heads 0 and 1, the corresponding areas on surfaces mapped to heads 2 through 5 are reserved, but not in use by the drive. As such the total reserved area size on such drives is approximately 141MB, of which 12MB is in use. In comparison, a WD10EACS-00ZJB0 drive (Western-Digital, Hulk fam- ily, 1TB) has two copies of its service area modules, each approximately 26MB. The reserved-area size on each surface is approximately 56MB (1280 sectors-per-track x 86 tracks). This drive has 8 surfaces (heads 0 through 7) and the service area modules copies are on surfaces mapped to heads 0 and 1. The rest of the reserved area is not in use. As such, the total reserved area sizes on such drives is approximately 450MB, of which 52MB is in use. 4 Other Reserved Areas In addition to areas reserved for service area modules, other forms of ATA- inaccessible locations that require VSCs might be available: • The hard-drive’s flash chip is used for boot-strapping the drive. While usually very small (around 1MB), could contain some available space. • Unused tracks past the hard-drive’s LBA. • Some hard-drives have disabled head(s) which map to a whole surface. By sending VSCs, one could theoretically enable that head, use that 7 http://www.google.com/search?q=hddhackr 3
  • 4. entire unused surface to store data and then disable the head to render that data inaccessible. 5 Data Hiding and Sanitation The common notion in data sanitation is that data sanitation software tools, when properly used, will completely purge all data on the hard-drive. How- ever, this does not apply to the aforementioned reserved areas, regardless of the employed data destruction method (e.g. single pass, multiple passes with random data, nulls, etc.). It’s important to emphasize that the only way data can be written to reserved areas is by using the hard-drive’s VSCs. For that reason, it’s very unlikely that data would, for example, be accidentally copied or leaked8 to these areas. It is however possible, although non-trivial to accomplish, that a software designed for that purpose, would be able to copy data to reserved areas such that they would not be sanitized despite any software sanitation efforts. Furthermore, software designed to manipulate the reserved areas - via the drive’s VSCs - could use the reserved areas as a “hiding” place. Not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software, computer forensics tools, etc. 6 Proof of Concept In order to demonstrate the ability to hide data in the service area, we’ve developed a proof-of-concept designed to work on Western-Digital 250GB Hawk hard-drives (available for download at http://www.recover.co.il/SA- cover/SA-cover-poc.c). These drives have 6 surfaces, each with 64 tracks (with 720 sectors-per-track) reserved for service area. The first two surfaces contain copies of the service area modules and are therefore not used in the POC (despite the unallocated areas which can also be used). The POC can read and write a file of upto 94MB to the reserved area (4 x 64 x 720 x 512 8 An exception to this is when a hard-drive decides to re-allocate a suspected bad-sector, and re-maps that logical address to a new sector, leaving the original sector inaccessible to the user. However, the risk is minor due to the small amount of reserved sectors for this purpose and the inability to control when and where it will take place. 4
  • 5. bytes). The code can result in data loss, or hard-drive failure, therefore use it at your own risk! In this example we demonstrate how the POC can be used to hide data that will not be sanitized (or accessible) using standard tools: • Generate a random file (94MB in size) and compute its MD5 hash value. • Write the file to the service area. • Sanitize the drive by dd-ing /dev/zero onto the “entire” drive (the block device of the relevant hard-drive). Our understanding is that a complete, successful single pass of nulls (or any other byte) would suffice for the data to be rendered unrecoverable. • Read the service area content and calculate its MD5 value to see the random data file is intact. root@Shafan1:~/SA# dd if=/dev/urandom count=184320 > random-file ; md5sum random-file 184320+0 records in 184320+0 records out 94371840 bytes (94 MB) copied, 12.8187 s, 7.4 MB/s 0baca7245e1efa160512a6217c13a7b0 random-file root@Shafan1:~/SA# ./SA-cover-poc -p 0x0170 -w ./random-file using port address: 0x0170 Model: WDC WD2500KS-00MJB0 S/N: WD-WCANK5391702 F/W Ver: 02.01C03 LBA24:268435455 LBA48:488397168 Service area sectors-per-track (720) Service area tracks (64) Num of heads(6) Unused reversed space (94371840 bytes) writing head(2) track(-1) writing head(2) track(-2) writing head(2) track(-3) .... writing head(5) track(-62) writing head(5) track(-63) writing head(5) track(-64) 5
  • 6. root@Shafan1:~# dd if=/dev/zero of=/dev/sdb bs=1M dd: writing ‘/dev/sdb’: No space left on device 238476+0 records in 238475+0 records out 250059350016 bytes (250 GB) copied, 4732.86 s, 52.8 MB/s root@Shafan1:~/SA# ./SA-cover-poc -p 0x0170 -r after-dding-dev-zero using port address: 0x0170 Model: WDC WD2500KS-00MJB0 S/N: WD-WCANK5391702 F/W Ver: 02.01C03 LBA24:268435455 LBA48:488397168 Service area sectors-per-track (720) Service area tracks (64) Num of heads(6) Unused reversed space (94371840 bytes) reading head(2) track(-1) reading head(2) track(-2) .... reading head(5) track(-62) reading head(5) track(-63) reading head(5) track(-64) root@Shafan1:~/SA# md5sum after-dding-dev-zero 0baca7245e1efa160512a6217c13a7b0 after-dding-dev-zero 7 Summary Spinning hard-drives contain reserved areas with non-negligible sizes that are used by hard-drive vendors to store service area modules. These areas can only be accessed and manipulated via VSCs (Vendor Specific Commands). By using VSCs, one can store data in these areas such that it would be effectively hidden to the OS and other tools using standard ATA commands. 6