Paul Underhill
Forensic Trails Obfuscation and Preservation via Hard Drive Firmware
Underhill, Paul; Oyinloye, Toyosi; Speakman, Lee; Eze, Thaddeus
Authors
Abstract
The hard disk drive stores the data the user is creating, modifying, and deleting, while firmware facilitates communication between the drive and the operating system. The firmware tells the device and the machine how to communicate with each other and shares useful information such as disk size and information on any bad sectors. Current research shows that exploits exist that can manipulate these outputs. An attacker can change the size of the disk displayed to the operating system to create an area in which to hide data, or likewise mark an area of the disk as bad. Users may not be aware of these changes, as the operating system will accept the readings from the firmware. Although the data is not reachable via the operating system, this paper looks at the traceability of manipulated data using the data recovery software FTK Imager, Recuva, EaseUS and FEX Imager.
This report examines the use of malicious techniques to thwart digital forensic procedures by manipulating the firmware. It shows how this is possible and that current forensic techniques or software do not easily detect a change within the firmware. However, with the use of various forensic tools, obfuscated trails are detectable. This report follows a black box testing methodology to validate forensic tools or software against anti-forensic techniques. The analysis of the results showed that most tools can find the firmware changes; however, it requires an analyst to spot the subtle differences between standard and manipulated devices. The use of multiple software tools can help an analyst spot the inconsistencies.
Presentation Conference Type | Conference Paper (published) |
---|---|
Conference Name | 21st European Conference on Cyber Warfare and Security |
Start Date | Jun 16, 2022 |
End Date | Jun 17, 2022 |
Acceptance Date | Apr 13, 2022 |
Online Publication Date | Jun 15, 2022 |
Publication Date | Jun 16, 2022 |
Deposit Date | Mar 10, 2025 |
Publicly Available Date | Mar 11, 2025 |
Journal | European Conference on Cyber Warfare and Security |
Print ISSN | 2048-8610 |
Electronic ISSN | 2048-8602 |
Publisher | Academic Conferences and Publishing International |
Peer Reviewed | Peer Reviewed |
Volume | 21 |
Issue | 1 |
Pages | 419-428 |
DOI | https://doi.org/10.34190/eccws.21.1.188 |
Keywords | Hard drive firmware, digital forensics, data recovery, data manipulation, security analysis. |
Publisher Licence URL
http://creativecommons.org/licenses/by-nc-nd/4.0/