Forensics: Forensic disk duplication modifies the evidence hard disk (thread started May 27 2005 by Steven McLeod)
On May 27, 2005, at 6:21 AM, Steven McLeod wrote:
> SMART Anti-Forensics
How is this anti-forensics? This term has many definitions depending
on who is using it, but the typical usage is for techniques that the
attacker uses to make the investigation more difficult. This does not
seem to do that.
> This paper highlights an oversight in the current industry best practice
> procedure for forensically duplicating a hard disk. A discussion is provided
> which demonstrates that although the forensic duplication process may not
> directly modify data on the evidence hard disk, a hard disk will usually
> modify itself during the forensic duplication process.
The concept of knowing what changes as a result of an acquisition is
interesting, but the question is where to draw the line. The
interesting point (in my opinion) of your paper is to consider what
non-user data are modified on a disk as it is acquired.
But, it is deeper than just the SMART power cycle count. The process
of disabling SMART (or an HPA or DCO for that matter) also updates the
disk configuration and changes it. Therefore, your suggestion that
write blockers and other acquisition devices should disable SMART would
change the state of the disk. In fact, every read from the disk
modifies the disk configuration and cache contents. We can't get
around that unless we remove the platters from each disk and put them
in special hardware.
I view this problem as similar to a physical crime scene. Crime scene
investigators take as many precautions as possible to not change the
scene, but they need to walk around it. They change the direction of
carpet fibers and introduce dust and other small particles when they
open and close the door. Is this also an oversight?
The point of the acquisition is to copy and preserve the state of data
that could be evidence. If the SMART data, low-level disk
configuration, and disk caches aren't being used as evidence, then is
it ok if they are changed? If not, then we need to seriously change
the acquisition process and have mobile clean rooms.
> The paper highlights some consequences, for example that an attacker who has
> compromised the computer containing the hard disk can programmatically detect
> that the hard disk has been forensically duplicated, or otherwise powered on
> and accessed via a mechanism other than via the operating system installed on
> the hard disk.
In the example in your paper, the attacker would likely first notice
that something was wrong because the system uptime would show that it
was rebooted. They don't need the SMART information to realize there
was a system power cycle. I agree that if the goal is to be 100%
covert then the SMART information should be considered, but the OS
uptime needs to be fixed first. :)
Your findings were that no disk properly implemented SMART. If,
theoretically, they did implement SMART, would you have to disable SMART
before the disk is powered off? It seems that if you find a disk that
is already powered off or if you do not want to run any tools on the
running system before the power cycle, then you cannot avoid updating
the power cycle value.
thanks,
brian
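The reply above argues that the useful thing is to know which non-user data change when a disk is acquired, rather than to pretend nothing changes. One way an examiner can record that in the acquisition notes is to snapshot the SMART attribute table before and after imaging and diff the raw values. The following script is an added example written for this page, not code from the thread or from any tool it mentions. It parses the attribute table in the format printed by `smartctl -A` (from smartmontools) and reports every attribute whose raw value moved; the two snapshots embedded in it are constructed sample output, not readings from a real drive, and the attribute numbers and names are the standard ones those tools print.

```python
"""Record which SMART attributes change across a forensic acquisition.

Added example, not part of the original thread. Parses the attribute table
printed by `smartctl -A` (smartmontools) before and after an acquisition and
reports which raw values moved, so the change in non-user disk metadata
(power cycle count, power-on hours, ...) can be written into the notes.
"""
import re
from typing import Dict, Optional, Tuple

# One row of the `smartctl -A` table:
# ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
# Only the first token of RAW_VALUE is kept; smartctl prints compound raw
# values for some attributes (e.g. temperature "38 (Min/Max 20/45)").
ATTR_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<flag>0x[0-9a-fA-F]{4})\s+"
    r"(?P<value>\d+)\s+(?P<worst>\d+)\s+(?P<thresh>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<updated>\S+)\s+(?P<failed>\S+)\s+(?P<raw>\S+)"
)

# Constructed sample output, in smartctl -A layout (not from a real drive).
BEFORE = """\
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       311
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1842
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       297
193 Load_Cycle_Count        0x0032   099   099   000    Old_age   Always       -       1203
194 Temperature_Celsius     0x0022   038   045   000    Old_age   Always       -       38 (Min/Max 20/45)
"""

# Constructed snapshot taken after a power cycle and a full read of the disk.
AFTER = """\
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       312
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1844
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       298
193 Load_Cycle_Count        0x0032   099   099   000    Old_age   Always       -       1205
194 Temperature_Celsius     0x0022   041   045   000    Old_age   Always       -       41 (Min/Max 20/45)
"""


def parse_smart_attributes(text: str) -> Dict[int, Tuple[str, str]]:
    """Return {attribute_id: (name, raw_value)} for every attribute row."""
    attrs: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ATTR_ROW.match(line)
        if m:
            attrs[int(m.group("id"))] = (m.group("name"), m.group("raw"))
    return attrs


def diff_smart(before: str, after: str) -> Dict[int, Tuple[str, str, str]]:
    """Return {id: (name, raw_before, raw_after)} for attributes whose raw
    value differs between the snapshots. An attribute present on only one
    side is reported with '<absent>' on the other."""
    a, b = parse_smart_attributes(before), parse_smart_attributes(after)
    changed: Dict[int, Tuple[str, str, str]] = {}
    for attr_id in sorted(set(a) | set(b)):
        name_a: Optional[str]
        name_a, raw_a = a.get(attr_id, (None, "<absent>"))
        name_b, raw_b = b.get(attr_id, (None, "<absent>"))
        if raw_a != raw_b:
            changed[attr_id] = (name_a or name_b or "?", raw_a, raw_b)
    return changed


def format_acquisition_note(changed: Dict[int, Tuple[str, str, str]]) -> str:
    """Render the diff as lines suitable for pasting into acquisition notes."""
    if not changed:
        return "No SMART attribute raw values changed during acquisition."
    lines = ["SMART attribute raw values changed during acquisition:"]
    for attr_id, (name, raw_a, raw_b) in changed.items():
        lines.append(f"  {attr_id:>3} {name}: {raw_a} -> {raw_b}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_acquisition_note(diff_smart(BEFORE, AFTER)))
```

In practice the two snapshots would come from running `smartctl -A` against the evidence device through the write blocker before and after imaging; reading SMART is itself a query to the drive, which is the point the reply makes, so the note records the fact rather than hiding it.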
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com