From: Paul Sanderson (paul sandersonforensics.co.uk)
Date: Mon Feb 04 2002 - 11:41:57 CST

How sure are you that your forensic imaging software is actually taking a
full image of your suspect hard disk drive?
I have been concerned over the last year or so about the accuracy of various
imaging tools with regard to the number of sectors imaged with both BIOS and
Direct access (as used by Safeback). So I took to performing a bit of R&D
and wrote a program to return the different sector counts in the different
modes. Whilst researching this I found the following:
A facility exists within the ATA specification that allows, with a standard
command, the user to limit the addressable range of sectors on a disk to an
arbitrary number - i.e. you can make, for example, an 80GB drive report (both
via the BIOS and if accessed directly) that it is a 16GB drive!
This command also supports a ‘volatile bit’ that when set means the drive
can be powered down and will retain the new settings when rebooted or
transferred to another machine.
This facility has been in the ATA specification since ATA4 (the first
revision of this specification was in 1996 and it was last revised in 1998).
I believe that both HP and IBM have already used this ‘protected area’ as a
recovery area for pre-installed software, possibly utilising an application
from StorageSoft. I have verified that Encase, Safeback (irrespective of the
access mode used) and the LogiCube Solitaire forensic imaging tools will
incorrectly image 16GB in the above example as opposed to the full 80GB.
Vogon, I am informed, can correctly image the full 80GB. I have yet to test
DD or any other imaging tools.
More information, including a tool to correctly resize the drive, is
available here: http://www.sandersonforensics.co.uk/html/bxdr.html
===================================
Paul Sanderson
T. #44 1869 325667
F. #44 1869 369001
M. #44 7808 773856
http://www.sandersonforensics.co.uk
===================================
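
Added example, not part of the original post and not the author's tool: a pre-imaging check that compares the sector count a drive reports in its IDENTIFY DEVICE data with the native maximum address, and confirms that an acquired image covers the whole drive. It assumes 512-byte sectors and that the native maximum LBA was obtained separately with the ATA READ NATIVE MAX ADDRESS command; the function names, the sample IDENTIFY block and the 16 GB / 80 GB sector counts are constructed to match the example in the post.

```python
import struct

HPA_BIT = 1 << 10      # bit 10 of words 82/85: HPA feature set supported/enabled
LBA48_BIT = 1 << 10    # bit 10 of word 83: 48-bit addressing supported

def parse_identify(block: bytes) -> dict:
    """Extract the size and HPA fields from a 512-byte IDENTIFY DEVICE response."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w = struct.unpack("<256H", block)              # 256 little-endian words
    lba28 = w[60] | (w[61] << 16)                  # words 60-61
    lba48 = sum(w[100 + i] << (16 * i) for i in range(4))   # words 100-103
    use48 = bool(w[83] & LBA48_BIT) and lba48 > 0
    return {
        "hpa_supported": bool(w[82] & HPA_BIT),
        "hpa_enabled": bool(w[85] & HPA_BIT),
        "reported_sectors": lba48 if use48 else lba28,
    }

def hidden_sectors(identify: bytes, native_max_lba: int) -> int:
    """Sectors beyond the reported limit. native_max_lba is the last addressable
    LBA as returned by READ NATIVE MAX ADDRESS, so the native count is +1."""
    reported = parse_identify(identify)["reported_sectors"]
    native = native_max_lba + 1
    if native < reported:
        raise ValueError("native maximum is below the reported size")
    return native - reported

def image_is_complete(image_bytes: int, native_max_lba: int, sector=512) -> bool:
    """True only if an acquired image covers every native sector."""
    return image_bytes == (native_max_lba + 1) * sector

def build_sample_identify(reported_sectors: int) -> bytes:
    """Constructed test data: an LBA28 drive with the HPA feature set enabled."""
    w = [0] * 256
    w[60], w[61] = reported_sectors & 0xFFFF, reported_sectors >> 16
    w[82] |= HPA_BIT
    w[85] |= HPA_BIT
    return struct.pack("<256H", *w)

# Constructed values matching the post's example: 80 GB drive clipped to 16 GB.
REPORTED = 16 * 10**9 // 512      # 31,250,000 sectors
NATIVE = 80 * 10**9 // 512        # 156,250,000 sectors

if __name__ == "__main__":
    ident = build_sample_identify(REPORTED)
    print(parse_identify(ident))
    print("hidden sectors:", hidden_sectors(ident, NATIVE - 1))
    print("16 GB image complete?", image_is_complete(REPORTED * 512, NATIVE - 1))
```

The sector comparison is the authoritative test; the enabled flag in word 85 is reported alongside it as supporting evidence only.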