Malware and steganography in hard disk firmware
Arun Thomas
CB.EN.P2CYS15004
Introduction
• How data can be concealed in the hard disk by modifying the firmware
• Impact on drive operation by malicious software.
Keywords: Firmware, Steganography, Malware
Hard disk
• A hard disk is a complex device providing high-volume non-volatile storage. A disk is composed of a number of elements including a voice coil, read/write heads, casing, mountings, a motor and a controller board. Commonly used form factors: 3.5 inch, used in desktops, and 2.5 inch, used in laptops.
Data Storage
• All information stored on a hard disk is recorded in tracks, which are concentric circles placed on the surface of each platter. Each track can hold many thousands of bytes of data. Each track is broken into smaller units called sectors. Each sector holds 512 bytes of user data.
• There are areas on the drive that are not meant for user data storage. Some of these additional regions are addressable by the operating system; the others are reserved for different purposes. The Host Protected Area provides storage for diagnostics and utilities required by the PC manufacturer. A Device Configuration Overlay is used by manufacturers to configure drive size.
Hard drive Firmware
• Firmware functionality controls the correct internal operation of the hard drive, allowing it to interact with the operating system. When the hard drive is powered down after use, it is the firmware which executes a shutdown sequence. Firmware provides a number of functions including SMART monitoring and defect control monitoring.
• SMART (Self-Monitoring, Analysis and Reporting Technology) monitoring tracks a number of manufacturer-dependent criteria to ensure the drive is operating correctly.
• The firmware is responsible for monitoring defect control. The sectors recorded in the P list and G list are automatically bypassed by the drive.
Steganography using Firmware
• A hard disk drive is populated with a variety of mixed data files. A randomly selected text file was chosen and edited to include a distinct keyword. This disk supports two error lists in the firmware: one list relating to production defects and another list relating to failing tracks on the drive. We located the physical location of the text file using a firmware analysis and repair tool.
• The firmware error list on the drive relating to defective track data was modified using the recovery tool by including an additional entry relating to the physical location of the text file. The Windows operating system could not access this location.
• The firmware recovery tool was used again to remove the previously added entry. The data and the text file containing the keyword are now accessible on the drive.
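A toy model of the experiment above, added here as an illustration and not taken from the presentation or from any real firmware or vendor tool: it shows how one extra grown-defect entry makes a readable sector vanish from the host's view, and how comparing the G list with an earlier snapshot flags that entry. The sector numbers, the spare-area addresses and the names `ToyDrive` and `suspicious_entries` are constructed for the example.

```python
# Added illustration: a toy model, not real drive firmware or a vendor tool.
# Sector numbers, spare addresses and all names are constructed.
BLANK = b"\x00" * 16

class ToyDrive:
    def __init__(self, media, p_list=(), g_list=None):
        self.media = dict(media)           # physical sector -> contents
        self.p_list = set(p_list)          # production defects, skipped at the factory
        self.g_list = dict(g_list or {})   # grown defects: physical sector -> spare

    def translate(self, lba):
        """Map a host LBA to a physical sector, bypassing both defect lists."""
        phys, remaining = -1, lba + 1
        while remaining:
            phys += 1
            if phys not in self.p_list:    # P-list sectors never receive an LBA
                remaining -= 1
        return self.g_list.get(phys, phys) # G-list sectors redirect to a spare

    def read(self, lba):
        """What the operating system sees for this LBA."""
        return self.media.get(self.translate(lba), BLANK)

def suspicious_entries(drive, baseline_g_list):
    """G-list entries added since the baseline whose 'defective' sector still
    holds data when read physically (assumes firmware-level read access)."""
    added = set(drive.g_list) - set(baseline_g_list)
    return sorted(p for p in added if drive.media.get(p, BLANK).strip(b"\x00"))

def demo():
    media = {n: b"filler-sector-%02d" % n for n in range(8)}
    media[5] = b"KEYWORD-in-file!"         # the marked text file
    drive = ToyDrive(media, p_list={2}, g_list={7: 1001})
    baseline = dict(drive.g_list)          # snapshot taken before any change
    lba = 4                                # LBA 4 -> physical 5 (sector 2 is skipped)
    before = drive.read(lba)
    drive.g_list[5] = 1000                 # extra entry covering the file
    hidden = drive.read(lba)
    flagged = suspicious_entries(drive, baseline)
    del drive.g_list[5]                    # entry removed again
    after = drive.read(lba)
    return before, hidden, flagged, after

if __name__ == "__main__":
    print(demo())
```

The check only works when a trusted baseline of the defect list exists and the flagged sector can be read below the translation layer, which on a real drive requires the kind of firmware tool the slides describe.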
Malicious modification of Firmware
• A malicious user with a high level of technical knowledge will be able to modify firmware by embedding malware on the drive. Malware prevents the firmware from operating normally by modifying it. Malware can damage the drive by disabling the SMART system, corrupting the physical-to-logical translation table, altering the read or write head to damage the circuitry, or reducing motor speed abruptly to destroy the air bearing, causing a head crash and damage to the disk platter.
Forensic Impact
• There are a limited number of tools available to perform repair or modification on firmware. It is difficult to identify whether firmware has been tampered with or modified. Firmware implementation varies between manufacturers and between models of drive. There are portions of code unique to an individual disk drive. Even with the correct tools it can be very difficult to find or reverse this type of modification. The correct training is not widely available and is expensive.
Thank You