Using ATA commands on hard disks ... why bother?

From SecuriWiki

This page is by Greg Murdoch.

There are many approaches a user can take to hide data on a hard disk. Often the simplest is to encrypt the data in question, but while this hides the content of the data it does not hide its existence. This leaves the user open to suspicion and to possible attempts at rubber-hose cryptanalysis. People with criminal intentions may go to extreme lengths to hide the fact that they are hiding incriminating data. One approach is to use steganography. Another is to use features of the way data is stored on the hard disk to hide it. One possibility is to store data in areas not listed in the partition table; this evades casual inspection but does not protect the data from being discovered in a captured disk image. Another approach, which I shall cover in more depth here, is to use features of the ATA specification to hide disk areas from the computer at the device level. Approaches like this are impossible to detect without an understanding of the ATA commands that control them. In addition, if a disk area is hidden in such a manner, programs designed to securely wipe data from a disk will not touch any of the hidden data.

ATA Disks

Advanced Technology Attachment (ATA) is a standard that was originally concerned only with hard drives but has since been extended to cover a number of other computer devices such as CD-ROM drives and tape drives. The original standard, ATA-1, also known as IDE, covered hard drives that are quite small by today's standard, with a maximum capacity of 504 MB. Later ATA-2 and ATA-3, also known as EIDE, extended this to 8.4 GB and 137 GB. The Host Protected Area, the first addition of potential use in hiding data, was added as an optional extension at about this point. The next standard, ATA/ATAPI-4, added support for CD-ROMs and other devices, and the naming convention was changed to reflect this. In further standards the maximum capacity was increased to 144 PB, and the maximum bus speed was also increased. These latter specifications, ATA/ATAPI-4 to ATA/ATAPI-7, are also known by their bus speed: ATA-33, ATA-66, ATA-100 and ATA-133. ATA/ATAPI-6, or ATA-100, introduced Device Configuration Overlays, which can also be used to hide data. Most hard drives in current use conform to one of these last specifications.

Host Protected Area

The Host Protected Area (HPA) is an area of a compatible hard disk that is typically used to store vendor-specific tools and support data. It is not accessible by the operating system, as it is kept logically distinct from the remainder of the hard disk; this makes it an ideal hiding place for someone hoping to evade a forensic investigator. HPA is an optional extension, but it is still included in all modern hard disks. Various sources put its introduction between ATA-3 and ATA-5. The HPA consists of sectors towards the end of the hard disk, directly after the user-accessible portion of the disk. The operating system uses the ATA command IDENTIFY DEVICE to find the length of the user-accessible portion of a compatible hard disk. HPA provides the SET MAX ADDRESS and READ NATIVE MAX ADDRESS commands to allow this value to be manipulated. With HPA support, SET MAX ADDRESS can be used to artificially lower the maximum address returned by the IDENTIFY DEVICE command, while READ NATIVE MAX ADDRESS returns the real maximum address, as IDENTIFY DEVICE would when HPA is not in use.

Standard ATA disk layout

When the value returned by IDENTIFY DEVICE is reduced in this manner, it appears to the operating system that the hard disk is smaller than it actually is. This allows a user to write to the final sectors of the disk and then use SET MAX ADDRESS to lower the reported disk size, effectively hiding that data. Luckily for a forensic investigator aware of this capability, it is easy to detect: if you run both ATA commands IDENTIFY DEVICE and READ NATIVE MAX ADDRESS and receive different results for the maximum disk size, then HPA is in use. Using SET MAX ADDRESS to set the max address to the value returned by READ NATIVE MAX ADDRESS will then regain access to this area of the disk.

ATA disk layout with a HPA area present

The Sleuth Kit provides the tools disk_stat and disk_sreset, which can be used to detect and remove HPA disk areas. disk_stat reports two values, Maximum Disk Sector and Maximum User Sector; these correspond to the values returned by the ATA commands READ NATIVE MAX ADDRESS and IDENTIFY DEVICE respectively. disk_sreset uses SET MAX ADDRESS to set the max address to the maximum disk sector, removing the HPA area. This change is made with the volatile bit set, which means that the change is only temporary: when the disk is next booted, the HPA area will be restored to its previous configuration.

Device Configuration Overlays

Device Configuration Overlays (DCOs) operate in a similar way to HPAs for the purposes of creating a hidden section on an ATA disk. A Device Configuration Overlay allows the data returned by the IDENTIFY DEVICE command to be downgraded, including the disk capacity. As this also fools the HPA commands, the two areas can be nested within each other.

DCO, like HPA, is an optional extension; it was introduced in ATA/ATAPI-6 (aka ATA-100). Like HPA, almost all ATA-100 compatible disks support this feature, but as there are still many ATA-66 and ATA-33 disks in use, DCO is less likely to be supported on older hard disks. HPA introduced two commands: READ NATIVE MAX ADDRESS reveals the true disk size, and SET MAX ADDRESS allows the value returned by IDENTIFY DEVICE to be reduced. Similarly, DCO adds two ATA commands, DEVICE CONFIGURATION SET and DEVICE CONFIGURATION IDENTIFY: DEVICE CONFIGURATION IDENTIFY reveals the true disk size, and DEVICE CONFIGURATION SET allows the value returned by READ NATIVE MAX ADDRESS to be reduced. Hard disks that support DCO also support HPA, allowing for two hidden areas to be included on a DCO-supporting disk. DCOs can be located and removed in a similar manner to HPAs, but when a disk contains both, the HPA must be removed before the DCO.
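
The HPA and DCO checks described above reduce to comparing three numbers: the user sector count from IDENTIFY DEVICE, the last LBA from READ NATIVE MAX ADDRESS, and the last LBA from DEVICE CONFIGURATION IDENTIFY. The following Python is an added worked example, not code from this page, from The Sleuth Kit or from any of the tools named below. It parses the size and feature-support words out of an IDENTIFY DEVICE buffer, works out which hidden areas exist and where they sit, and orders their removal HPA-first as the text requires. It assumes the ATA/ATAPI-6 layout of the IDENTIFY DEVICE data (words 60-61 and 100-103 for capacity, word 82 bit 10 for HPA support, word 83 bits 10 and 11 for 48-bit addressing and DCO support), that the two max-address commands report the last addressable LBA rather than a count, and that the caller obtains those two values with a tool of their choice; the IDENTIFY buffer used for the demonstration is constructed, not captured from a real disk.

```python
import struct

IDENTIFY_WORDS = 256  # IDENTIFY DEVICE returns 256 16-bit words (512 bytes)


def parse_identify(buf):
    """Pull the fields relevant to hidden areas out of IDENTIFY DEVICE data.

    Word offsets follow ATA/ATAPI-6 (assumption stated in the lead-in):
    words 60-61 hold the 28-bit user sector count, words 100-103 the 48-bit
    count, word 82 bit 10 flags HPA support, word 83 bit 10 flags 48-bit
    addressing and word 83 bit 11 flags DCO support.
    """
    if len(buf) != IDENTIFY_WORDS * 2:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w = struct.unpack("<256H", buf)  # words are little-endian 16-bit values
    lba48 = bool(w[83] & (1 << 10))
    if lba48:
        sectors = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    else:
        sectors = (w[60] | (w[61] << 16)) & 0x0FFFFFFF  # 28-bit addressing
    return {
        "user_sectors": sectors,
        "lba48": lba48,
        "hpa_supported": bool(w[82] & (1 << 10)),
        "dco_supported": bool(w[83] & (1 << 11)),
    }


def build_identify(user_sectors, hpa=True, dco=True, lba48=True):
    """Construct a minimal IDENTIFY DEVICE buffer for testing (constructed
    data, not a capture); only the words parse_identify() reads are filled."""
    w = [0] * IDENTIFY_WORDS
    cap28 = min(user_sectors, 0x0FFFFFFF)
    w[60], w[61] = cap28 & 0xFFFF, cap28 >> 16
    if hpa:
        w[82] |= 1 << 10
    w[83] |= 1 << 14  # bit 14 set, bit 15 clear: word 83 contents are valid
    if lba48:
        w[83] |= 1 << 10
        for i in range(4):
            w[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    if dco:
        w[83] |= 1 << 11
    return struct.pack("<256H", *w)


def hidden_areas(user_sectors, native_max_lba, dco_max_lba=None):
    """Return hidden areas as (name, first_lba, last_lba, sector_count).

    user_sectors   - count from IDENTIFY DEVICE (the size the OS believes)
    native_max_lba - last LBA reported by READ NATIVE MAX ADDRESS
    dco_max_lba    - last LBA reported by DEVICE CONFIGURATION IDENTIFY,
                     or None when the disk does not support DCO
    The HPA sits directly after the user area; the DCO sits after that.
    """
    areas = []
    if native_max_lba + 1 > user_sectors:
        areas.append(("HPA", user_sectors, native_max_lba,
                      native_max_lba + 1 - user_sectors))
    if dco_max_lba is not None and dco_max_lba > native_max_lba:
        areas.append(("DCO", native_max_lba + 1, dco_max_lba,
                      dco_max_lba - native_max_lba))
    return areas


def removal_steps(areas):
    """Order the fixes as the text requires: clear the HPA before the DCO."""
    steps = []
    for name, first, last, count in areas:
        span = f"(exposes LBAs {first}-{last}, {count} sectors)"
        if name == "HPA":
            steps.insert(0, "SET MAX ADDRESS to the READ NATIVE MAX ADDRESS "
                            f"value {span}")
        else:
            # DEVICE CONFIGURATION RESTORE is the DCO feature set's reset
            # command; it is not one of the two commands named on the page.
            steps.append("DEVICE CONFIGURATION RESTORE so READ NATIVE MAX "
                         f"ADDRESS reports the true size again {span}")
    return steps


def audit(identify_buf, native_max_lba, dco_max_lba=None):
    """Combine the three reports into one verdict for an examiner's notes."""
    info = parse_identify(identify_buf)
    if not info["dco_supported"]:
        dco_max_lba = None  # a DCO value makes no sense on a disk without DCO
    areas = hidden_areas(info["user_sectors"], native_max_lba, dco_max_lba)
    return {"identify": info, "areas": areas, "steps": removal_steps(areas)}


if __name__ == "__main__":
    # Constructed scenario: OS sees 1,000,000 sectors, an HPA hides the next
    # 200,000 and a DCO hides a further 300,000 behind that.
    result = audit(build_identify(1_000_000), 1_199_999, 1_499_999)
    for area in result["areas"]:
        print("%s: LBA %d-%d (%d sectors)" % area)
    for step in result["steps"]:
        print("-", step)
```

A disk where all three values agree yields an empty area list and no steps; a disk whose IDENTIFY data lacks the DCO support bit has any supplied DCO value ignored, since a DEVICE CONFIGURATION IDENTIFY result cannot have come from it.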

ATA disk layout with both HPA and DCO areas present

PLists and Glists

In previous years it was common for hard disks to ship with sectors that were defective from manufacture. File systems often dealt with this issue by marking those sectors as 'bad sectors' and not using them in the file system itself. This led to the possibility of hiding data in bad clusters: if a sector was written to and the cluster containing it was then marked bad, it would be invisible to the file system, with no chance of being overwritten. This is not very likely to work these days, as image acquisition tools taking a byte-for-byte copy of a disk will still capture the data. Also, modern hard disks no longer allow the OS to see bad sectors, so any clusters marked as bad would warrant investigation.

Modern disks often maintain a number of spare sectors and automatically swap bad sectors with these. This way the user of the hard disk does not see any bad sectors even if they are present. This is very interesting from a forensic point of view, as swapped-out sectors that are no longer visible may retain valuable data and may escape intact when the remainder of the disk has been securely wiped. These sector lists may also be purposely used to attempt to hide data from a forensic disk analysis. Typically two lists are maintained, a PList and a GList. The PList, or Primary Defect List, is used to ensure that a disk is shipped without bad sectors, by placing all bad sectors in the user area of the disk into the PList and replacing them with spare sectors. This list is set during manufacture and cannot be modified. More interesting is the GList, or Growing Defect List. This list is maintained and updated during the lifetime of the hard disk and, if non-empty, will likely contain data from the user portion even if the disk has been securely erased.

Unlike HPA and DCO, the workings of PLists and GLists are not included in the standards and are vendor specific. As such there is very little information available on how to modify or access the data contained in these sectors. Some commercial products, such as busTRACE, claim to be able to access these lists. For an investigator with sufficient resources, dismantling the disk and reading data straight from the platters is likely to succeed, as is simply asking the disk manufacturer for the implementation details. It is possible that a criminal with advanced knowledge of a given vendor's GList implementation could purposefully add sectors containing important information to the GList, which would prevent a forensic investigator without this knowledge from retrieving it.

Security Mode

ATA-3 introduced a set of Security Mode commands that handle the setting and use of passwords on ATA disks at the hardware level. I discuss these in Bypassing Passwords on Harddisks.

Tools

The following programs can be used to issue all the ATA commands discussed above: HDAT2 [1] and The ATA Forensics tool [2].

Imaging tools such as EnCase and dcfldd fail to image sections of hard disks that are in HPA or DCO areas. With the latest 2.6 Linux kernels, however, dd is reported to successfully recover such data.

ATA-3 commands

For reference I have included a list of all ATA commands specified in ATA-3. This standard has been withdrawn, so I didn't have to pay to see it...

Check Power Mode
Door Lock
Door Unlock
Download Microcode
Execute Device Diagnostic
Format Track
Identify Device
Identify Device DMA
Idle
Idle Immediate
Initialise Device Parameters
Media Eject
NOP
Read Buffer
Read DMA
Read Long
Read Multiple
Read Sector
Read Verify Sector
Recalibrate
Security Disable Password
Security Erase Prepare
Security Freeze Lock
Security Set Password
Security Unlock
Seek
Set Features
Set Multiple Mode
Sleep
Smart
Standby
Standby Immediate
Write Buffer
Write DMA
Write Long
Write Multiple
Write Sector
Write Verify

External Links

ATA spec site

Assembly language code to write to an ATA disk