hide data in the so-called HPA (Host Protected Access) area and manipulate the Device Configuration Overlay (see below) maliciously. HPA is defined as a confidential area for data storage outside the normal operating file system. This area is hidden from the operating system and file system, and is normally used for specialized applications. Systems may wish to store configuration data or save memory to the hard disk drive device in a location that the operating system cannot change. If an HPA area exists on a suspect's drive, forensic seizure tools will detect this area and copy all the contents of the suspect's hard disk drive sectors, including all the HPA hidden sectors, to the evidence drive.
6.2 Device Configuration Overlay (DCO)
DCO allows systems to modify the apparent features provided by a hard disk drive device. It provides a set of commands that allow a utility program to modify some of the commands, modes, and feature sets reported as supported by the hard disk drive. It can be used to hide a portion of the hard disk drive capacity from being viewed by the operating system and the file system. If a DCO is detected on a suspect's drive, forensic seizure tools will copy all the contents of the suspect's hard disk drive sectors, including all the DCO hidden sectors, to the evidence drive.
Unlike MAFIA, these tools are independent of the operating system and hence even less controllable. While HPA activities are becoming worrisome, the first tools are appearing that are designed to counter certain other tools, such as Transmogrify, the first tool to defeat EnCase's file signaturing capabilities by allowing users to mask and unmask their files as any file type, and Sam Juicer, a Meterpreter module that dumps the hashes from the SAM without ever touching the disk.
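As an added example (not code from the chapter or from any tool it names), the following Python reconstructs the three capacity boundaries an examiner should compare before and after imaging: the LBA limit the OS sees, the HPA boundary reported by READ NATIVE MAX ADDRESS, and the real maximum reported through DCO. It parses the `max sectors` line of `hdparm -N` and the `Real max sectors` line of `hdparm --dco-identify`; the sample outputs, the device name and the 512-byte sector size are constructed assumptions.

```python
import re
from dataclasses import dataclass

SECTOR_BYTES = 512  # assumed logical sector size; confirm against the drive's IDENTIFY data

# Constructed samples (not captured output): `hdparm -N` for a drive with an HPA set,
# and the 'Real max sectors' line of `hdparm --dco-identify` for the same drive.
SAMPLE_HDPARM_N = "/dev/sdb:\n max sectors   = 976000000/976500000, HPA is enabled\n"
SAMPLE_DCO_IDENTIFY = "DCO Revision: 0x0002\nReal max sectors: 976773168\n"

@dataclass
class Capacity:
    visible: int   # current max LBA: what the OS and file system can address
    native: int    # READ NATIVE MAX ADDRESS: the HPA boundary
    real: int      # DCO-reported real maximum: physical capacity of the drive

    @property
    def hpa_sectors(self) -> int:
        return self.native - self.visible

    @property
    def dco_sectors(self) -> int:
        return self.real - self.native

# hdparm may append "(N?)" after the fraction when the HPA setting looks inconsistent
_N_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)(?:\(\d+\?\))?,\s*HPA is (enabled|disabled)")
_DCO_RE = re.compile(r"Real max sectors:\s*(\d+)")

def parse_capacity(hdparm_n: str, dco_identify: str) -> Capacity:
    """Combine the two hdparm outputs into one picture of the drive's capacity."""
    n = _N_RE.search(hdparm_n)
    if n is None:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    visible, native = int(n.group(1)), int(n.group(2))
    d = _DCO_RE.search(dco_identify)
    real = int(d.group(1)) if d else native  # no DCO data: assume nothing lies beyond the HPA
    if not visible <= native <= real:
        raise ValueError("inconsistent boundaries; re-check the drive before imaging")
    return Capacity(visible, native, real)

def hidden_sectors(cap: Capacity) -> int:
    """Sectors the OS cannot see, whether hidden by HPA or by DCO."""
    return cap.hpa_sectors + cap.dco_sectors

def image_is_complete(cap: Capacity, image_bytes: int, sector_bytes: int = SECTOR_BYTES) -> bool:
    """True if the evidence image is large enough to hold every sector up to the real maximum."""
    return image_bytes >= cap.real * sector_bytes
```

An image whose size equals only `visible * SECTOR_BYTES` silently omits the hidden areas, which is exactly the case the chapter warns about.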
7. Conclusions
We have talked about a number of general issues in this chapter and listed those which are still unresolved. We have introduced forensic imaging under UNIX, with emphasis on dd, which is currently one of the few tools able, at least on paper, to recognize and create an image of the HPA and DCO on a 2.6 or higher Linux kernel. Based on my personal experience, I believe that the above listed issues are something to keep an extremely careful eye on, especially in distributed environments and regarding remote forensics, since there is currently little practical experience with them and a need to find a more organized approach. Hopefully the technical community