
Applications of Data Recovery Tools to Digital Forensics:

Analyzing the Host Protected Area with the PC-3000

Richard Leickly and David Angell

Circle Hook Data Recovery

{Richard, David}@CircleHookDR.com


Abstract

In digital forensics, it is necessary to analyze the data in the Host Protected Area (HPA)—a potentially large hidden region of the hard drive. The removal of the HPA can either be temporary or permanent depending on whether the changes occur in non-volatile or volatile memory locations. Permanently removing the HPA alters information in the Service Area—nonvolatile storage regions on the platters; temporarily removing it alters the contents of the drive’s RAM—volatile storage on the drive’s circuit board. The implications of both procedures for forensic hard drive analysis are discussed. Typically, forensic tools are used to remove the HPA, but the PC-3000—a data recovery tool unfamiliar to many digital forensic examiners—can be used for either method, and offers some advantages over more commonly used forensic tools: the HPA can be removed in RAM, and files and folders in the HPA can be viewed and saved to disk, or the drive can be imaged to a destination drive.

Introduction

A Host Protected Area (HPA) is an area of a hard drive that is normally inaccessible to the user. Its existence is not reported to the BIOS or to the operating system of the host computer. In this sense, it is a hidden area of the hard drive that can contain data in many formats, ranging from raw code or files (possibly encrypted), to complete alternative system or data partitions, and even disk images of operating systems. It can range in size from less than a megabyte to many gigabytes.

Host Protected Areas were introduced in 2001 via the ATA-4 specification which saw the addition of two ATA commands: Read Native Max Address and Set Max Address [1]. When LBA-48 was introduced for drives larger than 137 GB, a revised standard (ATA-6) added two additional commands with the same purpose: Set Native Max Address Ext and Set Max Address Ext [2].

[1] Information Technology - AT Attachment with Packet Interface Extension (ATA/ATAPI-4). T13. 1153D. Rev. 18. Working Draft. 1998.

[2] Information Technology - AT Attachment with Packet Interface-6 (ATA/ATAPI-6). T13. 1410D. Rev. 3b. Working Draft. 2002.

Copyright 2012 – Richard C. Leickly and David K. Angell

The stated purpose of the HPA is to offer computer manufacturers a region of the hard drive for the storage of diagnostic utilities, recovery programs, and even copies of the host operating system, in a manner that would prevent their deletion or manipulation by the user. If the host operating system becomes damaged, a computer with a manufacturer-installed HPA-hidden system partition can be instructed to boot from that partition.

Our intention is to show the digital forensic community how a data recovery tool—the PC-3000—examines the HPA. We demonstrate how it can be used to temporarily or permanently remove an HPA, and how it can then either create a clone or image of the drive, or expose and render accessible the drive’s partitions and file system. We also show how and where the removal of an HPA alters the drive, and the implications this has on the forensic process. To appeal to a wider audience, we assume little prior knowledge of hard drive architecture or internal operations.

Forensic significance of the Host Protected Area

A Host Protected Area can be relatively large in size, encompassing many gigabytes of data. Because most files are too large to be stored in file slack or in the empty sectors following the MBR (Master Boot Record), the large hidden area of an HPA provides an appealing, albeit unsophisticated, way to conceal information or malware. Compromising the executable code stored in the HPA is also possible, but would require a more sophisticated attack.

Digital forensic examiners are well aware of the possibility that an HPA could be present on the hard drive they are examining. Many common digital forensics tools used for imaging or cloning can detect and remove a Host Protected Area, and many tools can detect and recover the data discovered in this region.

However, many forensic examiners may not be aware of the operations that occur on the hard drive when an HPA is created or removed, or be aware of the locations on the drive that are changed by those operations. They may also not be aware that removing an HPA is an alteration to the hard drive. In the final section of this article we will discuss the specific changes that are made to the hard drive and the implications this has for the forensic process.

–  –  –

be obtained from the ACE Laboratories website [4]. Through the use of the supplied adapters, drives of any storage capacity, of any physical size, or in any combination of SATA or PATA interfaces, can be connected to the data and power leads that extend from the PC-3000 cards.

Drives can be independently designated as source or destination drives. The drives are independently controlled, and it is possible to designate both drives as source drives, if desired, and to switch between them. Using the PC-3000 interface, drives can also be mounted and made accessible to the host operating system.

HPA Creation

Typically, computer manufacturers use proprietary software tools to create HPAs and to write diagnostic and recovery software to that area of the hard drive. The HPA becomes accessible during boot when permitted by the BIOS and the proprietary HPA-aware tools installed by the manufacturer. These tools make alterations to the MBR, and write an object containing configuration information, called the BEER (Boot Engineering Extension Record), to the last sector of the drive [5]. The specification for this is called PARTIES (Protected Area Run Time Interface Extension Services) [6].

In order to assess the ability of the PC-3000 to analyze the HPA, we first needed to create one, and put a partition with some data into it. Not having access to the tools used by the computer manufacturers, we used a manual process that did not insert any special instructions into the MBR or write a BEER to the last sector. Since those changes are only needed to make the HPA accessible during boot, they would have had no effect on our results. Here we briefly outline the process we used to create an HPA. The details have been posted on the Circle Hook Data Recovery website [7].

On a clean 2.5”, nominally 120 GB Samsung drive (Model: HM121H), we created two NTFS partitions, a normal data partition and a hidden data partition, in the following manner. Noting that the full capacity of the drive was 234,441,647 sectors (maximum LBA is 234,441,647), we used the PC-3000 to create an HPA that began at LBA 150,000,002. Using Windows XP, we created a normal partition in the space below LBA 150,000,002, and added a file there. We then used the PC-3000 to remove the HPA. Returning the drive to Windows XP, we put a partition in the formerly hidden area starting at LBA 150,000,001, and extended it to the end of the drive.

We copied a different file there. We then returned the drive to the PC-3000 and re-created the HPA at LBA 150,000,002. Using a hex editor, we removed the entry for the second partition from the MBR. This last step prevented Windows XP from seeing the partition—making it a hidden partition. Without that last step, the partition’s existence was reported to the operating system, but its size was 0 bytes. It was unusable, but it wasn’t hidden.

[4] http://www.acelaboratory.com/pc3000.udma.php

[5] Computer Evidence: Collection and Preservation. 2nd Edition. Christopher L. T. Brown. Course Technology PTR.

[6] Protected Area Run Time Interface Extension Services. T13/1367D Revision 3. American National Standard Information Systems. 2000.

[7] CircleHookDR.com

In summary, we prepared a drive with two partitions: one normal data partition and one hidden data partition. The normal partition extended from LBA 0 to LBA 150,000,001; the hidden partition was approximately 40 GB and extended from LBA 150,000,002 to the end of the drive—LBA 234,441,647. Each partition contained a single unique jpeg image file. This drive was used for all subsequent analyses. We then attached the drive to the PC-3000 to analyze the HPA we had created.

Results

The PC-3000 does not explicitly indicate the ATA commands that it uses. However, from the ATA specifications, we know which ATA commands are available and what they do. In the following paragraphs, we indicate the relevant ATA commands that are involved because it clarifies the actions performed by the PC-3000.

Preliminary Analysis of the Hard Drive

We used the PC-3000 to discover the physical locations of the Samsung drive’s firmware. The drive had firmware in both a ROM chip on the circuit board and in the Service Area on the platter. The amount of firmware on the platter was substantial: 64 cylinders were allocated to the Service Area, and 21 of these cylinders had firmware modules written to them.

Temporary removal of the HPA

To the Windows Disk Management utility, the Samsung drive appeared to have only a single partition: Disk 1, Mango-1; the partition in the HPA on Disk 1 (Mango-2) was not discovered by Windows Disk Management (Figure 1).

Figure 1. Samsung drive as seen in Windows Disk Management.

–  –  –

After invoking the ATA command—Identify Device—via the PC-3000’s Drive ID command, the drive was seen as having a useable capacity of 150,000,001 sectors (Figure 2).

Figure 2. PC-3000. Results from the Drive ID command with the HPA present on the drive.

As part of its drive-identification process, the PC-3000 had already discovered the drive’s true full capacity (234,441,647 sectors) by means of another ATA command—Read Native Max Address. We directed the PC-3000 to write this value to the drive’s RAM, which reset the drive’s capacity to that value (Figure 3).

–  –  –

This was done by issuing the ATA command—Set Max Address—with its volatility bit set to the value 0. (When the volatility bit is set to 0, the change to the drive is temporary, and will not persist after the drive is repowered.) After that, we again invoked the PC-3000’s Drive ID command and confirmed that the drive’s maximum LBA had been set to the value 234,441,648 (Figure 4)—its maximum possible value. The HPA had been removed.

Figure 4. PC-3000. Results of Drive ID command after the HPA was removed from the drive.

The PC-3000 includes a utility called the Data Extractor. After the Data Extractor is invoked, there are two choices: either make an image of the entire drive, or proceed to the File Explorer interface to view the file tree and copy selected files. When the drive was opened in the Data Extractor’s File Explorer interface (Figure 5), we saw one NTFS partition and two other NTFS partitions (indicated by blue accent marks).

–  –  –

Figure 5. PC-3000. File Explorer of Disk Extractor showing that the data in the HPA is exposed.

The PC-3000 refers to these as Virtual Boot Partitions. They are copies of the partitions on the drive. There is one virtual partition for each partition discovered on the drive. In the figure, the root of the lower virtual partition has been expanded, and is shown in the right panel. The entire directory of the hidden partition is exposed. From this screen, the files and folders in the right panel were opened and saved to a destination drive. Figure 6 shows analogous results for the partition that was never hidden.

Figure 6. PC-3000. File Explorer of Disk Extractor showing the data in the normal partition.

–  –  –

Cycling the power on the drive restarted the initialization process. This cleared the value 234,441,647 from RAM and the drive initialized to a capacity of 150,000,001 sectors, indicating that the HPA was restored. This confirmed that the removal of the HPA was temporary.

Permanent Removal of the HPA

A permanent change to a hard drive means that the changes are preserved after the drive is repowered or sent a hardware reset command. To implement the permanent removal of the HPA, we returned to the menu shown in Figure 7.

Figure 7. PC-3000. Settings for the permanent removal of the HPA.

This is the same menu shown in Figure 3, except that we elected to save the value of the maximum LBA returned by Identify Device to the Service Area—a non-volatile location. For this, the PC-3000 issued the ATA command—Set Max Address—and made the change permanent by changing the volatility bit for the command from 0 to 1. From this point on, the results were identical to those of the temporary HPA removal procedure: the drive was seen as having 234,441,647 sectors and the File Explorer interface of the Data Extractor showed the same information as in Figure 5. As before, we had the option of making an image or proceeding to open or save files to a destination drive.

The removal of the HPA was permanent. Cycling the power on the drive had no effect on the capacity of the drive as seen by Windows: 234,441,647 sectors.

–  –  –

For each drive manufacturer, the PC-3000 presents a customized interface. This is necessary because each manufacturer uses a unique set of firmware modules and commands. Sometimes these differences allow the operator to investigate one drive in ways not available on another.
