Network Security Focus-Linux

Re: Write-protect sectors?

Date: Wed, 06 Sep 2006 15:55:20 +0100
Florian Specker wrote:
> did you consider the possibility that the bad sector was not caused by
> the rootkit? It's not uncommon that a disc contains bad sectors, which
> you only remark when you actually read such a sector (or the whole disc,
> e.g. dd it to another disc).

Bad blocks are detected on reads, but only remapped on write (and only then if the write initially fails).


If a write failure is passed through to the OS, then the disc has run out of 'spare' reserved blocks for remapping, and the drive should be retired immediately (the S.M.A.R.T. metrics should reflect this fact).

If, however, the drive passes through a _read_ error to the OS, it's possible (highly likely, even) to put things right by writing to that block (e.g. running badblocks in write-test mode, using a sector editor, dd'ing the entire drive or partition, or deleting the file that occupies the block in question, then immediately filling the filesystem with a dummy file). If the block is able to be remapped, then it *is* safe to use. If anyone's throwing away drives on the first read error, then I'll be happy to receive them, test them and use them for a few more years. I have personally forced drives to remap failed blocks using the techniques described above, and the discs are still reliable years later. :-)

As an aside, I run badblocks in write-test mode before partitioning and formatting in order to a) give the discs a soak test and b) attempt to force marginal blocks to be remapped /before/ they're storing real data.

> Try to low-level format the disc after investigating the incident.

Modern discs should not, and indeed, cannot be low-level formatted. The best you can do is 'dd if=/dev/zero ...' them, or issue an ATA/SCSI FORMAT_UNIT command.


> Another possibility is some SMART-related function, but that is pure
> speculation, as I don't know too much about these features.

Some of the S.M.A.R.T. metrics may only be valid if you regularly run the S.M.A.R.T. self-tests.


> Finally, once Linux is running, the BIOS cannot write-protect blocks.
>
> Cheers & good luck cleaning up,
> Florian

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
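Added example, not from the thread or from Alex: a POSIX shell script that applies the reply's decision rule (a write error reaching the OS means the spare pool is gone, so retire the drive; a read error with sectors pending reallocation means rewrite them so the firmware can remap them) to a `smartctl -A` attribute table. The table is constructed sample output; the attribute names Reallocated_Sector_Ct and Current_Pending_Sector are real smartctl names, while the retire/rewrite/ok mapping onto S.M.A.R.T. thresholds is an assumption of this example, not something the post states.

```shell
#!/bin/sh
# CONSTRUCTED sample of a 'smartctl -A' attribute table (not output from a real drive).
# Columns: ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       12
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       3
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# smart_raw NAME TABLE: print the RAW_VALUE of attribute NAME (0 if the attribute is absent).
smart_raw() {
    printf '%s\n' "$2" | awk -v n="$1" '$2 == n { print $NF; f = 1 } END { if (!f) print 0 }'
}

# prefail_tripped TABLE: print 1 if any Pre-fail attribute's normalised VALUE has fallen to
# its THRESH, i.e. the drive itself reports it is out of margin (spare blocks exhausted).
prefail_tripped() {
    printf '%s\n' "$1" | awk '$7 == "Pre-fail" && ($6 + 0) > 0 && ($4 + 0) <= ($6 + 0) { t = 1 }
                               END { print t + 0 }'
}

# assess_disk TABLE: verdict derived from the reasoning in the post (assumed mapping):
#   retire  - a Pre-fail attribute has tripped; the drive has no spares left, stop using it
#   rewrite - sectors are pending reallocation after read errors; writing to them (badblocks
#             in write-test mode, dd, delete-and-refill) lets the firmware remap them, after
#             which Current_Pending_Sector should drop to 0 and Reallocated_Sector_Ct rise
#   ok      - nothing pending and no threshold tripped
assess_disk() {
    if [ "$(prefail_tripped "$1")" -eq 1 ]; then
        echo retire
    elif [ "$(smart_raw Current_Pending_Sector "$1")" -gt 0 ]; then
        echo rewrite
    else
        echo ok
    fi
}

# On a real drive (smartmontools, root): assess_disk "$(smartctl -A /dev/sda)"
assess_disk "$SAMPLE_SMART"
```

The constructed table has 3 pending sectors and healthy thresholds, so the script prints `rewrite`; re-run the assessment after the rewrite to confirm the pending count has cleared rather than turned into a write failure.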
