Difference between pages "Fiwalk" and "DCO and HPA"

From ForensicsWiki
fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.

==XML Example==

<pre>
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata
  xmlns='http://example.org/myapp/'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <md5>2bbe5c3b554b14ff710a0a2e77ce8c4d</md5>
      <sha1>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</sha1>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
</pre>

==XML Schema==

{|
! XML Tag !! Meaning
|-
|<fileobject>
|Every file is inside a <fileobject>
|-
|<orphan>YES</orphan>
|YES means that the file is an "orphan," with no file name.
|-
|<filesize>3210</filesize>
|The file size in bytes.
|-
|<unalloc>1</unalloc>
|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
|-
|<used>1</used>
|Not sure what this means.
|-
|<mtime>1114172320</mtime>
|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
|-
|<ctime>1195819392</ctime>
|The file's inode's creation time, as a Unix timestamp.
|-
|<atime>1195794000</atime>
|The file's access time, as a Unix timestamp.
|-
|<byte_runs>121130496:3210</byte_runs>
|The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
|-
|<fragments>1</fragments>
|The number of fragments in the file.
|-
|<md5>c27c0730b858bc60c8894300a98bba55</md5>
|The file's MD5, as a hexadecimal hash.
|-
|<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
|The file's SHA1, as a hexadecimal hash.
|-
|<partition>1</partition>
|The partition number in which the file was found.
|-
|<frag1startsector>236583</frag1startsector>
|The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
|}

==See Also==

* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]

[[Category:XML Forensics]]
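As an added example (not fiwalk's own code and not part of the wiki page), the following Python parses the `<run>`-style byte runs shown in the XML example above, derives the `<frag1startsector>` value the schema table describes, and flags any fileobject whose runs do not account for its recorded size. The sample XML is constructed from the page's README.txt entry plus an invented unallocated `deleted.dat` file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the fiwalk 0.2 layout shown above: the page's README.txt
# fileobject plus a made-up unallocated file whose run is shorter than its size.
SAMPLE = """<?xml version='1.0'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <fileobject>
      <filename>README.txt</filename><filesize>43</filesize><alloc>1</alloc>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <md5>2bbe5c3b554b14ff710a0a2e77ce8c4d</md5>
    </fileobject>
    <fileobject>
      <filename>deleted.dat</filename><filesize>1024</filesize><alloc>0</alloc>
      <byte_runs>
        <run file_offset='0' fs_offset='40960' img_offset='41472' len='512'/>
      </byte_runs>
    </fileobject>
  </volume>
</fiwalk>"""


def parse_fiwalk(xml_text):
    """Return one dict per <fileobject> with derived and checked fields."""
    root = ET.fromstring(xml_text)
    results = []
    for vol in root.iter("volume"):
        part_off = int(vol.findtext("Partition_Offset"))
        sector = int(vol.findtext("block_size"))
        for fo in vol.iter("fileobject"):
            runs = [{k: int(v) for k, v in r.attrib.items()} for r in fo.iter("run")]
            size = int(fo.findtext("filesize"))
            # Run lengths must add up to the file size, and each run's image offset
            # must equal its filesystem offset shifted by the partition start.
            runs_ok = sum(r["len"] for r in runs) == size
            offsets_ok = all(r["img_offset"] == r["fs_offset"] + part_off for r in runs)
            results.append({
                "filename": fo.findtext("filename"),
                "filesize": size,
                "allocated": fo.findtext("alloc") == "1",
                "fragments": len(runs),
                # <frag1startsector> as the schema table derives it: first run's
                # image byte offset divided by the sector size.
                "frag1startsector": runs[0]["img_offset"] // sector if runs else None,
                "consistent": runs_ok and offsets_ok,
                "md5": fo.findtext("md5"),
            })
    return results
```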
Revision as of 06:51, 27 July 2012

Device Configuration Overlay (DCO) and Host Protected Area (HPA).

== Detection ==

=== Linux ===

==== Using hdparm ====

'''HPA'''

Command:

<pre># hdparm -N /dev/sda</pre>

Disabled HPA:

<pre>
/dev/sda:
 max sectors   = 1465149168/1465149168, HPA is disabled
</pre>

Enabled HPA:

<pre>
/dev/sdc:
 max sectors   = 586070255/586072368, HPA is enabled
</pre>

'''DCO'''

Command:

<pre># hdparm --dco-identify /dev/sda</pre>

Example output:

<pre>
/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
	Transfer modes:
		 mdma0 mdma1 mdma2
		 udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
	Real max sectors: 1465149168
	ATA command/feature sets:
		 SMART self_test error_log security HPA 48_bit
		 (?): selective_test conveyance_test write_read_verify
		 (?): WRITE_UNC_EXT
	SATA command/feature sets:
		 (?): NCQ SSP
</pre>

== Removing HPA ==

=== Linux ===

==== Using hdparm ====

Command:

<pre># hdparm -N p586072368 /dev/sdc</pre>

(This '''permanently''' (!) sets the maximum number of visible sectors; the value is the native sector count reported for /dev/sdc in the enabled-HPA example above.)
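An added example (not part of the wiki page and not hdparm's own code) that parses the `hdparm -N` and `hdparm --dco-identify` output shown in the Detection section and reports how many sectors each mechanism hides. The /dev/sda and /dev/sdc `-N` lines and the /dev/sda DCO output are taken from the page; the /dev/sdc DCO output and the 512-byte sector size are assumptions.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Samples: the -N lines and the sda DCO output come from the Detection section;
# the sdc DCO output is constructed to show a drive whose DCO hides capacity.
HDPARM_N_SDA = "/dev/sda:\n max sectors   = 1465149168/1465149168, HPA is disabled\n"
HDPARM_N_SDC = "/dev/sdc:\n max sectors   = 586070255/586072368, HPA is enabled\n"
DCO_SDA = "/dev/sda:\nDCO Revision: 0x0001\n\tReal max sectors: 1465149168\n"
DCO_SDC = "/dev/sdc:\nDCO Revision: 0x0001\n\tReal max sectors: 625142448\n"  # constructed

_N_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")
_DCO_RE = re.compile(r"Real max sectors:\s*(\d+)")


def parse_hpa(text):
    """(visible, native, hpa_enabled) from `hdparm -N` output."""
    m = _N_RE.search(text)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    return int(m.group(1)), int(m.group(2)), m.group(3) == "enabled"


def parse_dco_real_max(text):
    """'Real max sectors' from `hdparm --dco-identify`, or None if absent."""
    m = _DCO_RE.search(text)
    return int(m.group(1)) if m else None


def hidden_area_report(hdparm_n, dco_identify):
    """Sectors hidden by the HPA (native - visible) and by the DCO (DCO real max
    - native). Both should be zero before treating an acquisition as complete."""
    visible, native, enabled = parse_hpa(hdparm_n)
    real_max = parse_dco_real_max(dco_identify)
    hpa_hidden = native - visible
    dco_hidden = None if real_max is None else real_max - native
    return {
        "hpa_enabled": enabled,
        "hpa_hidden_sectors": hpa_hidden,
        "hpa_hidden_bytes": hpa_hidden * SECTOR_BYTES,
        "dco_hidden_sectors": dco_hidden,
        "expected_total_sectors": native if real_max is None else real_max,
    }


if __name__ == "__main__":
    print(hidden_area_report(HDPARM_N_SDA, DCO_SDA))
    print(hidden_area_report(HDPARM_N_SDC, DCO_SDC))
```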

== Other Tools ==

* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.
* [http://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml SAFE-Block] claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
* [http://hddguru.com/content/en/software/2007.07.20-HDD-Capacity-Restore-Tool/ HDD Capacity Restore], a reportedly free utility that removes the DCO (to give you more storage for your hard drive!).
* [http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf Tableau TD1] can remove the HPA and DCO.
* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.

== External Links ==

* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
* [http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Hidden Disk Areas: HPA and DCO], Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
* [http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt REMOVING HOST PROTECTED AREAS (HPA) IN LINUX], Brian Carrier, SleuthKit Informer #20
* [http://en.wikipedia.org/wiki/Device_configuration_overlay Wikipedia article on Device Configuration Overlay]
* [http://en.wikipedia.org/wiki/Host_protected_area Wikipedia article on Host Protected Area]