Forensic Trails Obfuscation and Preservation via Hard Drive Firmware

Underhill, Paul; Oyinloye, Toyosi; Speakman, Lee; Eze, Thaddeus


Authors

Paul Underhill

Toyosi Oyinloye

Thaddeus Eze



Abstract

The hard disk drive stores the data a user creates, modifies, and deletes, while its firmware facilitates communication between the drive and the operating system. The firmware tells the device and machine how to communicate with each other and shares useful information such as disk size and information on any bad sectors. Current research shows that exploits exist that can manipulate these outputs. An attacker can change the size of the disk displayed to the operating system to create an area in which to hide data, or do the same by marking an area of the disk as bad. Users may not be aware of these changes, as the operating system will accept the readings from the firmware. Although the data is not reachable via the operating system, this paper looks at the traceability of manipulated data using the data recovery software FTK Imager, Recuva, EaseUS and FEX Imager.
This report examines the use of malicious techniques to thwart digital forensic procedures by manipulating the firmware. It shows how this is possible and that current forensic techniques or software do not easily detect a change within the firmware. However, with the use of various forensic tools, obfuscated trails are detectable. This report follows a black box testing methodology to show the validation of forensic tools or software against anti-forensic techniques. The analysis of the results showed that most tools can find the firmware changes; however, it takes an analyst to spot the subtle differences between standard and manipulated devices. The use of multiple software tools can help an analyst spot the inconsistencies.

Presentation Conference Type Conference Paper (published)
Conference Name 21st European Conference on Cyber Warfare and Security
Start Date Jun 16, 2022
End Date Jun 17, 2022
Acceptance Date Apr 13, 2022
Online Publication Date Jun 15, 2022
Publication Date Jun 16, 2022
Deposit Date Mar 10, 2025
Publicly Available Date Mar 11, 2025
Journal European Conference on Cyber Warfare and Security
Print ISSN 2048-8610
Electronic ISSN 2048-8602
Publisher Academic Conferences and Publishing International
Peer Reviewed Peer Reviewed
Volume 21
Issue 1
Pages 419-428
DOI https://doi.org/10.34190/eccws.21.1.188
Keywords Hard drive firmware, digital forensics, data recovery, data manipulation, security analysis.
