Malware and steganography in hard disk firmware

Arun Thomas CB.EN.P2CYS15004


Introduction

• How data can be concealed in the hard disk by modifying the firmware.

• Impact of malicious software on drive operation.

Keywords: Firmware, Steganography, Malware


Hard disk

• A hard disk is a complex device providing high-volume non-volatile storage. A disk is composed of a number of elements including a voice coil, read/write heads, casing, mountings, a motor and a controller board. The commonly used form factors are 3.5 inch, used in desktops, and 2.5 inch, used in laptops.


Data Storage

• All information stored on a hard disk is recorded in tracks, which are concentric circles placed on the surface of each platter. Each track can hold many thousands of bytes of data. Each track is broken into smaller units called sectors. Each sector holds 512 bytes of user data.


• There are areas on the drive that are not meant for user data storage. Some of these additional regions addressable by the operating system are reserved for different purposes. The Host Protected Area provides storage for diagnostics and other utilities required by the PC manufacturer. A Device Configuration Overlay is used by manufacturers to configure drive size.


Firmware

• Hard drive firmware functionality controls the correct internal operation of the hard drive, allowing it to interact with the operating system. When the hard drive is powered down after use, it is the firmware which executes a shutdown sequence. Firmware provides a number of functions including SMART monitoring and defect control monitoring.


• SMART monitoring (Self-Monitoring, Analysis and Reporting Technology) monitors a number of manufacturer-dependent criteria to ensure the drive is operating correctly.

• The firmware is responsible for monitoring defect control. The sectors recorded in the P list and G list are automatically bypassed by the drive.


Steganography using Firmware

• A hard disk drive was populated with a variety of mixed data files. A randomly selected text file was chosen and edited to include a distinct keyword. This disk supports two error lists in the firmware: one list relating to production defects and another list relating to failing tracks on the drive. We located the physical location of the text file using a firmware analysis and repair tool.


Firmware error list modified

• The list on the drive relating to defective tracks was modified using the data recovery tool by including an additional entry relating to the physical location of the text file. The Windows operating system could not access this location. The firmware recovery tool was used again to remove the previously added entry.

• The data and text file containing the keyword is now accessible on the drive.
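The experiment above, as an added toy model in Python (not code from the presentation and not any vendor's firmware): it shows why an OS-level image misses a sector listed as defective, and a physical-level audit that flags listed sectors still holding data. The class, its method names, the sector numbers and the keyword are all constructed, and the model returns an empty spare sector where the real drive made the location inaccessible.

```python
SECTOR = 512
KEYWORD = b"XYZZY-KEYWORD"   # constructed marker standing in for the edited text file


class ToyDrive:
    """Simplified drive model (an assumption, not real firmware)."""

    def __init__(self, user_sectors, spare_sectors):
        self.user_sectors = user_sectors
        self.media = [bytes(SECTOR)] * (user_sectors + spare_sectors)
        self.free_spares = list(range(user_sectors, user_sectors + spare_sectors))
        self.defect_list = {}    # physical sector -> spare sector that replaces it

    def translate(self, lba):
        # Firmware translation: a listed sector is bypassed in favour of its spare.
        return self.defect_list.get(lba, lba)

    def read(self, lba):
        return self.media[self.translate(lba)]

    def write(self, lba, data):
        self.media[self.translate(lba)] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def add_defect_entry(self, physical):
        self.defect_list[physical] = self.free_spares.pop(0)

    def remove_defect_entry(self, physical):
        self.free_spares.insert(0, self.defect_list.pop(physical))

    def host_image(self):
        # What an OS-level acquisition sees: every LBA, read through translation.
        return b"".join(self.read(lba) for lba in range(self.user_sectors))

    def audit_defect_list(self):
        # Physical-level check: sectors marked defective that still hold data.
        return sorted(p for p in self.defect_list if any(self.media[p]))


def run_experiment():
    drive = ToyDrive(user_sectors=16, spare_sectors=4)
    drive.write(5, KEYWORD)                      # sector holding the text file
    before = KEYWORD in drive.host_image()
    drive.add_defect_entry(5)                    # entry for the file's location
    hidden = KEYWORD in drive.host_image()
    flagged = drive.audit_defect_list()          # what a physical audit reports
    drive.remove_defect_entry(5)                 # entry removed again
    after = KEYWORD in drive.host_image()
    return before, hidden, flagged, after
```
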


Malicious modification of Firmware

• A malicious user with a high level of technical knowledge will be able to modify firmware by embedding malware on the drive. Malware prevents the firmware from operating normally by modifying it. Malware can damage the drive by disabling the SMART system, corrupting the physical-to-logical translation table, altering the read or write head to damage the circuitry, or reducing motor speed abruptly to destroy the air bearing, causing a head crash and damage to the disk platter.


Forensic Impact

• There are a limited number of tools available to perform repair or modification on firmware. It is difficult to identify whether firmware has been tampered with or modified. Firmware implementation varies between manufacturers and between models of drive. There are portions of code unique to individual disk drives. Even with the correct tools it can be very difficult to find or reverse this type of modification. The correct training is not widely available and is expensive.


Thank You