
| Subject: | SV: Two hash |
|---|---|
| Date: | Wed, 29 Dec 2004 10:03:16 +0100 |
Greg,

I have observed the behaviour you are describing (Linux removing HPA at boot) approximately one year ago with a SuSE distribution. Unfortunately, I am at present unable to find data on which version of SuSE or kernel version.

The "setmax" program sets the user addressable area in the drive. This is a permanent setting until another call to the same procedure in the drive changes it again.

I'm not sure about the procedure you are suggesting, removing HPA at boot. If a suspect has set an HPA, then it should be noted and documented by the investigator, since the act of trying to hide data helps understanding the subject's intentions. If you remove the HPA at boot, the setting will be lost, and you will be unable to document its size. My suggestion is therefore that all forensic utilities should warn about host protected area and document it before it can be removed by the investigator.

From your posting, it seems you have had actual cases where subjects have set HPA. Is this the case? If so, it clearly demonstrates the need for HPA support in forensic tools.

--
Svein Y. Willassen, M.Sc

-----Original Message-----
From: Greg Freemyer [mailto:greg.freemyer@gmail.com]
Sent: 28 December 2004 23:53
To: Brian Carrier
Cc: Forensics
Subject: Re: Two hash

Brian,

I'm surprised to say I'm getting the same behavior you reported. I just tested with the 2.6.8 kernel as you did. I'm not sure which kernel I had used for my earlier testing (maybe 2.6.4?), and to be honest I had only done some superficial testing so I may have been wrong about the actual behavior.

Fortunately the 2 subject drives I have imaged with an HPA were done using the ImageMaster Solo2 which does properly handle the HPA.

Given the behavior of 2.6.8, how would you image a drive with an HPA while not modifying the subject drive?

The DOS program "reserve" from MyKey Technologies claims to be able to do a temporary HPA change, but I have not used it to do so. (I'm not sure when / how the permanent HPA value is restored.)

I'm not familiar with the setmax program, does it perform a temporary change to the HPA? If so, would this simple sequence work?

    bootup
    setmax --delta 0 /dev/hdc
    dd if=/dev/hdc ....
    poweroff

This assumes the temporary HPA change is reset by a power reset.

Thanks
Greg

On Tue, 28 Dec 2004 15:27:49 -0500, Brian Carrier <carrier@cerias.purdue.edu> wrote:
On Dec 13, 2004, at 1:02 PM, Greg Freemyer wrote:

I still think you have an HPA on the drive. (Host Protected Area) Linux 2.6 by default will see the HPA and ignore the artificial restriction. i.e. It will note the presence of the HPA in messages, but uses the true physical size not the HPA size.

I finally had some time to look into this more. Are you saying that if a hard disk has an HPA then running 'dd' on the disk device (i.e. /dev/hdX) will include the HPA? This has not been my experience. Here is an example from my Core 2 (2.6.8 kernel) system:

I start with a normal disk and hdparm shows the full number of sectors

    # hdparm -I /dev/hdb
    [...]
    LBA user addressable sectors: 120103200
    [..]

I create an HPA using setmax.c [1] so that the disk has only 15,000 sectors and the rest is in an HPA.

    # setmax --max 15000 /dev/hdb

I reboot and check dmesg and see that the drive has an HPA:

    # dmesg | grep hdb
    [...]
    hdb: Host Protected Area detected.
    hdb: 15000 sectors (7 MB) w/1821KiB Cache, CHS=14/255/63, UDMA(66)
    [...]

I double check using hdparm to make sure the HPA exists:

    # hdparm -I /dev/hdb
    [...]
    LBA user addressable sectors: 15000

I triple check with diskstat from TSK:

    # diskstat /dev/hdb
    Maximum Disk Sector: 120103199
    Maximum User Sector: 14999
    ** HPA Detected (Sectors 15000 - 120103199) **

I image the device and get only 15,000 sectors (which would not include the HPA):

    # dd if=/dev/hdb of=/dev/null
    15000+0 records in
    15000+0 records out

Can you clarify what you meant by Linux ignoring the HPA?

brian

[1] http://www.win.tue.nl/~aeb/linux/setmax.c
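The thread's practical point is that a plain `dd` of the device stops at the user-addressable limit, so the HPA must be detected and recorded before anything changes it. The following Python script is an added example, not code from any of the posters or from TSK or hdparm: it parses text shaped like the `diskstat` and `hdparm -I` output quoted above (the field names are taken from those quotes; the exact layout of real tool output is an assumption), compares the drive's native sector count with the user-addressable count, cross-checks the two tools against each other, and produces the kind of record Svein argues a forensic utility should write out before the HPA is touched. It assumes 512-byte sectors, and every sample output string is constructed to mirror the numbers in the thread.

```python
"""Detect and document a Host Protected Area (HPA) before imaging.

Added example for this thread, not code from the posters, TSK or hdparm.
Parses diskstat-style and hdparm-style text, compares native vs. user
addressable sector counts, and reports the hidden range.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR_BYTES = 512  # assumption: 512-byte sectors (also dd's default block size)


@dataclass
class HpaReport:
    device: str
    max_disk_sector: int        # last natively addressable sector (0-based)
    max_user_sector: int        # last sector the host can currently address
    hdparm_user_sectors: Optional[int] = None  # cross-check from hdparm -I

    @property
    def present(self) -> bool:
        return self.max_user_sector < self.max_disk_sector

    @property
    def hidden_sectors(self) -> int:
        return self.max_disk_sector - self.max_user_sector if self.present else 0

    @property
    def hidden_bytes(self) -> int:
        return self.hidden_sectors * SECTOR_BYTES

    @property
    def visible_sectors(self) -> int:
        # What a plain `dd if=<device>` will read: sectors 0..max_user_sector
        return self.max_user_sector + 1

    def consistent(self) -> bool:
        # hdparm reports a count, diskstat a 0-based maximum; they must agree
        if self.hdparm_user_sectors is None:
            return True
        return self.hdparm_user_sectors == self.visible_sectors

    def describe(self) -> List[str]:
        """Human-readable record suitable for the examiner's notes."""
        lines = [f"{self.device}: native max sector {self.max_disk_sector}, "
                 f"user max sector {self.max_user_sector}"]
        if self.present:
            lines.append(f"** HPA detected: sectors {self.max_user_sector + 1} - "
                         f"{self.max_disk_sector} ({self.hidden_sectors} sectors, "
                         f"{self.hidden_bytes} bytes) are not user addressable **")
            lines.append(f"A plain dd of {self.device} will stop after "
                         f"{self.visible_sectors} sectors; record this before "
                         f"changing the HPA.")
        else:
            lines.append("No HPA: user addressable range covers the whole drive.")
        if not self.consistent():
            lines.append(f"WARNING: hdparm reports {self.hdparm_user_sectors} user "
                         f"sectors but diskstat implies {self.visible_sectors}.")
        return lines


def _grab(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


def parse_diskstat(text: str) -> Tuple[int, int]:
    """Return (max_disk_sector, max_user_sector) from diskstat-style output."""
    return (_grab(r"Maximum Disk Sector:\s*(\d+)", text),
            _grab(r"Maximum User Sector:\s*(\d+)", text))


def parse_hdparm_user_sectors(text: str) -> int:
    """Return the 'LBA user addressable sectors' count from hdparm -I output."""
    return _grab(r"LBA user addressable sectors:\s*(\d+)", text)


def build_report(device: str, diskstat_out: str,
                 hdparm_out: Optional[str] = None) -> HpaReport:
    max_disk, max_user = parse_diskstat(diskstat_out)
    hd = parse_hdparm_user_sectors(hdparm_out) if hdparm_out else None
    return HpaReport(device, max_disk, max_user, hd)


# Constructed samples mirroring the thread: a 120103200-sector drive with a
# 15000-sector user area, and the same drive with no HPA set.
DISKSTAT_HPA = """Maximum Disk Sector: 120103199
Maximum User Sector: 14999
** HPA Detected (Sectors 15000 - 120103199) **
"""
HDPARM_HPA = """/dev/hdb:
    LBA user addressable sectors:   15000
"""
DISKSTAT_CLEAN = """Maximum Disk Sector: 120103199
Maximum User Sector: 120103199
"""

if __name__ == "__main__":
    for line in build_report("/dev/hdb", DISKSTAT_HPA, HDPARM_HPA).describe():
        print(line)
```

Run against the constructed `/dev/hdb` samples it reports the hidden range 15000 - 120103199 and states that `dd` will stop after 15000 sectors, matching the `15000+0 records in` seen in the thread; feeding it mismatched hdparm and diskstat figures produces a warning rather than a silent pass, which is the behaviour an examiner wants when two tools disagree about a drive.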
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------