
Hacking Exposed


by Aaron Philipp


  Spindle Motor As you may have guessed, the spindle motor spins the platters. These motors are engineered to very strict standards, since they have to be able to maintain precise speeds and must not vibrate. These motors rotate at a constant rate (such as 3600, 4200, 7200, 10,000, or even as high as 15,000 RPM). A feedback loop is set up inside the motor to ensure that it rotates at exactly the correct speed. On older hard drives, the motor was on the bottom of the drive, but now they are built into the hub of the platters to conserve space and allow for more platters in the drive.

  Hard Drive Interface The hard drive interface is the protocol used by the hard drive to communicate with a host computer or network. Following are the types of interfaces commonly used by personal computers:

  • PATA/EIDE (Parallel Advanced Technology Attachment/Enhanced Integrated Drive Electronics) PATA, also referred to as EIDE, is the old standard for connecting hard drives and other devices to the motherboard using a ribbon cable and a 40-pin connector. For acquisition these drives are typically hooked up externally to a computer using a USB or FireWire converter. You may occasionally encounter them installed in older computers.

  • SATA (Serial Advanced Technology Attachment) SATA is the serial interface that has come to replace PATA. It uses a much narrower cable and has faster data transfer speeds. These drives can be connected internally to the motherboard or externally through eSATA or through USB or FireWire converters.

  • SCSI (small computer system interface) SCSI drives are often seen in servers and RAID controllers, but occasionally you’ll find personal computers with them as well, although they are quickly being replaced by SATA. SCSI can be used as both an external and internal interface.

  • SAS (Serial-Attached SCSI) SAS drives are the progression of SCSI drives into a point-to-point serial protocol. SAS also offers faster transfer speeds over its predecessor in addition to using a narrower cable. More devices can also be supported on the SAS bus. It’s worth noting that SATA devices can be hooked up to SAS controllers.

  Storing Data on the Hard Drive

  Now that you have a grasp on what parts are inside the metal enclosure, let’s focus on the platters and how they store the data. Modern hard drives hold a massive amount of information. Over the years, a structure has developed that optimizes the speed that this data is read off the drive. Figure 2-6 shows a cross-section of the platters.

  Figure 2-6 Structure of the platters

  A very logical and structured layout controls how data is stored on rotational magnetic media. Three basic units denote position of data on a hard disk: head, sector, and cylinder.

  Head The head number came about when multiple platters were added to the hard drive assembly. Each platter has two recordable surfaces and each surface has its own read/write head, so the head number identifies the platter surface that holds the data.

  Sector The name sector is derived from the mathematical term for a pie-shaped division of a circle (think of a triangle with one vertex at the center of the circle and two on the circle itself). This term was chosen because sectors were originally broken out in this shape on the physical disk. Traditionally each sector holds 512 bytes of user data plus some extra bits for error correction and metadata; newer "Advanced Format" drives use 4096-byte physical sectors, and many of them still present 512-byte logical sectors to the host (so-called 512e), so check what sector size the drive reports before doing any arithmetic on sector numbers. A sector is the "atomic unit" of a hard disk: it is the smallest unit of data the disk can read or write. The electronics of older hard disks could not handle a different number of sectors on each track. Because of this, the pie-slice shape was maintained and the density of the bits on the platter dropped toward the outer edge of the disk. This changed with zoned bit recording (also called zone-density recording), where outer tracks carry more sectors than inner ones. Sectors are rolled up into units known as clusters when a file system is placed on the disk; that will be discussed in more detail in the OS-specific chapters (Chapters 6, 7, and 8) when we talk about the different file systems.

  Track/Cylinder Think about a phonograph needle traveling around an LP. Now think about the concentric rings inside a tree. Tracks on a hard disk are laid out in the same fashion. These are the actual streams of data that are written to the hard drive. On multi-head hard drives, the cylinder is the set of tracks at the same radius on every platter surface, that is, everything the heads can reach with the actuator arm in one position.

  Logical Block Addressing

  Logical Block Addressing (LBA) happens when engineers guess about maximum limits, and guess wrong. LBA is a "hack" to get around the upper limit the original BIOS and IDE bus placed on drive size. The BIOS disk interface (INT 13h) allowed 1024 cylinders and 63 sectors per track, and the ATA register set allowed 16 heads, so old IDE drives incurred a limit of 1024 × 16 × 63 sectors of 512 bytes, about 504MB, on how much data could be accessed. To get around this, hard-drive manufacturers figured out a way to "lie" to the BIOS about the geometry of the disk. Instead of addressing a sector by cylinder, head, and sector, a single sector number, counted from zero, is used. This is similar to a phone number. The traditional system has a country code, area code, and then a local phone number. The LBA equivalent gives everyone in the world a unique local number without an area code or country code. The reason this works is that it leaves the geometry translation to the drive's own firmware (which isn't limited to 504MB) instead of the BIOS or bus. LBA itself started with a 28-bit sector number, which tops out at about 128GB, and ATA/ATAPI-6 widened it to 48 bits; a drive larger than 128GB behind an old controller or BIOS is the same mistake repeated.
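  The translation in code, as an added example that is not from the book: the geometry numbers (1024 cylinders, 16 heads, 63 sectors per track, 512-byte sectors) are the classic BIOS/ATA limits described above, and the 28-bit and 48-bit figures are the widths of the ATA LBA field before and after ATA/ATAPI-6.

```python
"""CHS <-> LBA conversion and the addressing limits behind it (added example)."""

SECTOR_BYTES = 512

# Classic limits: the BIOS INT 13h call allowed 1024 cylinders and 63 sectors per
# track, the ATA register set allowed 16 heads. The intersection is the 504MB wall.
BIOS_ATA_CYLINDERS, BIOS_ATA_HEADS, BIOS_ATA_SECTORS = 1024, 16, 63


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """Linearise a CHS triple. Sectors count from 1; heads and cylinders from 0."""
    if not 0 <= head < heads_per_cylinder or not 1 <= sector <= sectors_per_track:
        raise ValueError("CHS value outside the stated geometry")
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba, heads_per_cylinder, sectors_per_track):
    """Inverse of chs_to_lba for the same geometry."""
    cylinder, remainder = divmod(lba, heads_per_cylinder * sectors_per_track)
    head, sector_minus_one = divmod(remainder, sectors_per_track)
    return cylinder, head, sector_minus_one + 1


def geometry_capacity_bytes(cylinders, heads, sectors_per_track):
    """Largest disk a given CHS geometry can address."""
    return cylinders * heads * sectors_per_track * SECTOR_BYTES


def lba_capacity_bytes(field_bits):
    """Largest disk an LBA field of `field_bits` bits can address
    (28 bits in early ATA, 48 bits since ATA/ATAPI-6)."""
    return (1 << field_bits) * SECTOR_BYTES


if __name__ == "__main__":
    mib = 1 << 20
    wall = geometry_capacity_bytes(BIOS_ATA_CYLINDERS, BIOS_ATA_HEADS, BIOS_ATA_SECTORS)
    print("CHS wall:", wall // mib, "MiB")
    print("28-bit LBA:", lba_capacity_bytes(28) // (1 << 30), "GiB")
    print("48-bit LBA:", lba_capacity_bytes(48) // (1 << 50), "PiB")
    last = chs_to_lba(1023, 15, 63, BIOS_ATA_HEADS, BIOS_ATA_SECTORS)
    print("last CHS-addressable sector:", last, "->",
          lba_to_chs(last, BIOS_ATA_HEADS, BIOS_ATA_SECTORS))
```

  Run stand-alone it reports the 504 MiB wall (528,482,304 bytes, the "504MB" quoted above), 128 GiB for 28-bit LBA and 128 PiB for 48-bit LBA, and round-trips the last CHS-addressable sector (LBA 1,032,191) back to cylinder 1023, head 15, sector 63.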

  Floppy Disks

  Floppy disks are the eight-tracks of the computing world. Most people have used them and very few people have fond memories of the experience. These workhorses can be kicked, warped, melted, poked, and suffer any other number of abuses and they still keep going. While they aren’t used much anymore, you will still run across them if you are working on an investigation with a timeframe that goes far enough back. For instance, several years ago I worked an investigation that required us to look at data from 1988, on large 5.25-inch floppies. These drives and associated media are similar in structure and form to the hard disk. As you can see in Figure 2-7, many of the same parts are used in both designs.

  Figure 2-7 Parts of a floppy disk

  Just like the parts, the actual structure of the disk is similar to a one-platter hard disk. The platter is encased in either a hard or soft plastic jacket that protects the storage disk inside. In one corner is a write-protect notch (5.25-inch) or sliding tab (3.5-inch); when it is set, the drive refuses to write, so set it before the disk goes anywhere near a drive. The main difficulty you may have in a forensics investigation involving floppy disks is the formatting. OS and file system vendors created interesting ways to store more information on the disks than they could previously hold. The typical 3.5-inch disk held 1.44MB of data, but by using compression or extra sectors per track, an extra half meg of storage could be squeezed on. Woe betide the investigator who has to figure out one of these cryptic storage methods. They are poorly documented, more than a few different schemes exist, and the disks carry no real identifying marks.

  If you do find yourself in one of these “historic” investigations and run across a type of media for which you don’t have a reader, may I suggest your local thrift store. I have yet to be disappointed by the varied and complete collection of drives and media you either forgot about or never knew existed. And it can all be yours for a very reasonable price and good cause.

  Working with Rotational Media

  You will spend the majority of your time during investigations working with hard drives. Unfortunately, these are the trickiest of media to manage and investigate, and you’ll encounter a ton of pitfalls when dealing with imaging, investigating, and documenting such media. The long and short of it is this: Always use forensically designed and validated tools when you deal with disks. Some tools on the market claim to pull complete disk images, but fail to do so. Other programs claim to wipe drives completely, but don’t. If you go up against an expert who is out to make your life hard, he or she will try to derail your investigation by placing bad data in end sectors and playing games with the media in general. Know the drives and layout inside and out. Use tools that you understand completely and know exactly how they work, and they’ll do what you expect them to do.
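  One concrete check that follows from the advice above, written here as an added example rather than the book's code: compare the image a tool produced against the sector count the drive itself reports, hash the whole image, and record whether the tail sectors are blank. The expected sector count is assumed to come from the drive's identification data or the acquisition log and is passed in as a number; the sample image is constructed inline and is not evidence.

```python
"""Sanity-check an acquired disk image against the drive's reported sector count (added example)."""
import hashlib
import os
import tempfile

SECTOR_BYTES = 512


def verify_image(image_path, expected_sectors, sector_size=SECTOR_BYTES, tail_sectors=8):
    """Compare the image size with expected_sectors * sector_size, hash the whole
    image, and note whether the final sectors are all zero. A zero tail proves
    nothing by itself, but it belongs in the notes next to the hash."""
    size = os.path.getsize(image_path)
    expected_bytes = expected_sectors * sector_size
    digest = hashlib.sha256()
    with open(image_path, "rb") as f:
        while chunk := f.read(1 << 20):
            digest.update(chunk)
        keep = min(size, tail_sectors * sector_size)
        f.seek(size - keep)
        tail = f.read(keep)
    return {
        "complete": size == expected_bytes,
        "missing_sectors": max(0, expected_bytes - size) // sector_size,
        "extra_bytes": max(0, size - expected_bytes),
        "sha256": digest.hexdigest(),
        "tail_all_zero": bool(tail) and not any(tail),
    }


def make_sample_image(n_sectors, short_by=0, zero_tail=False):
    """Constructed sample image (not evidence): each sector carries its own
    number so the payload is non-zero; optionally truncated (a tool that
    stopped early) or with its last eight sectors zeroed."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    written = n_sectors - short_by
    with os.fdopen(fd, "wb") as f:
        for i in range(written):
            if zero_tail and i >= written - 8:
                f.write(b"\x00" * SECTOR_BYTES)
            else:
                f.write((i + 1).to_bytes(4, "little") * (SECTOR_BYTES // 4))
    return path


if __name__ == "__main__":
    for label, path in (("complete", make_sample_image(64)),
                        ("short", make_sample_image(64, short_by=2)),
                        ("zero tail", make_sample_image(64, zero_tail=True))):
        print(label, verify_image(path, 64))
```

  A tool that silently stops short shows up as `complete: False` with a non-zero `missing_sectors`; a drive whose size you trust only because the tool said so is exactly the case the paragraph warns about, so take `expected_sectors` from the hardware, not from the imaging software.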

  Tape Backup Drives

  While working in the server group of a large computer manufacturer, I learned the value of good, regular backups. It is rare these days to find a server that doesn't have some form of tape backup unit attached to it for data recovery purposes. Given the fact that data such as e-mail and office documents are normally centralized on these servers, you will probably be dealing with an investigation of a tape backup at some point in the future. Start crying now. The number of different hardware drive types, software packages that perform backups, and the percentage of backups that actually succeed make pulling evidence off a tape drive a dicey proposition at best. Let's look at three of the most common drive types: DAT, DLT, and LTO.

  Digital Audio Tape (DAT) Drives

  DAT drives are among the most common types of tape drives. In the data world they are more often referred to by the name of the data format written on them, Digital Data Storage (DDS). As you can see from the following table, several generations of DDS drives exist, each with its own transfer rate and capacity.

  These drives were originally created for use in high-end audio applications, but after a few tweaks for robustness, they now work well for backups. They employ a helical scan technique that allows data to be tightly packed on the media, requiring less actual tape than traditional tape methods. As a tradeoff, however, they experience a lot of friction when writing to the tape. This causes the tape head to gain residue over time and can silently hamper the writing of data onto the tape. Also, when you are dealing with these drives, keep in mind the difference between a DDS tape and a DAT tape. Consumer audio DAT media is held to a much lower standard of quality and manufacturing than data-grade DDS media, and using it for backups can cause problems down the line with tape breakage and loss of data.

  Digital Linear Tape (DLT) and Super DLT

  As its name implies, the DLT technology relies on a linear recording method. The tape itself has either 128 or 208 total tracks. The capacities and transfer rates of the drives vary based on the generation and format of the DLT drive, as shown in the following table.

  These tracks are written in pairs along the entire length of the tape. The heads are then realigned, and two more tracks are written in the opposite direction. This process continues until the tape is full. The design of the DLT drive is a bit different because the cartridge holds only one reel; the take-up reel is in the drive, and the tape is wound back into the cartridge upon ejection. This design is superior to DAT because it places less tension on the tape with less friction, and thus the drive requires less maintenance and has a lower failure rate. Super DLT is essentially the same technology, but it uses a combination of optics and magnetism (laser-guided magnetic recording, or LGMR) to increase the precision of head positioning on the tape.

  Linear Tape-Open (LTO)

  LTO drives also use a linear recording method. LTO is an open standard developed jointly by Hewlett-Packard, IBM, and Seagate. It was initially designed with two form factors, Accelis and Ultrium. Accelis was designed for fast data access, while Ultrium was designed for high capacity. As hard disk capacities rose and prices fell, fast random access from tape mattered less and bulk capacity mattered more, which made Ultrium the practical choice. Accelis never became commercially available, while Ultrium is now a top competitor to DLT due to its higher transfer rates and data capacity. Several generations of LTO drives also exist, as shown in the following table.

  Multi-loaders

  Many times, the amount of data that needs to be backed up exceeds the capacity of a single tape. In such cases, multi-tape loader mechanisms are used. These can be anything from two-tape contraptions to advanced robotic arms that sling tapes around. From an investigator’s standpoint, make sure you always find out not only what multi-loader was used, but also how the software stored data on the multiple tapes. Working with an archive created on a multi-loader is a tricky proposition and usually requires that you purchase hardware and software similar to what was used to create the archive. This gets expensive quickly, so make sure your contract has a clause stipulating that the client pays for materials.

  Working with Tape Drives

  Working with tape drives boils down to two simple questions: What type of tapes are being used, and what software created the archive? If you can easily answer these questions, you are home free, because you will be able to pull the archive off the tapes. Unfortunately, more often than not, you will be handed a pile of tapes created many years ago, before any of the current staff was employed. Someone will hand you a box, give you his or her best guess as to how it was created, and wish you good luck. Chapter 10 discusses in detail how to manage and investigate such situations.

  Optical Media

  I can still remember getting my first CD-ROM drive, eagerly awaiting what would happen when I saw my first full-motion video, roughly the size of a postage stamp with sound recorded in a tin can. I think it involved a growing plant. These days, optical media is everywhere in the forms of CD-ROM and DVD. With the widespread ability for users to burn their own discs, such media are finding their way into more and more court cases. Chances are you will deal with them either directly as evidence or as a transport mechanism for opposing counsel to give you evidence during discovery. It’s important that you understand how these technologies work and how they can be manipulated.

  CD-ROM

  The CD-ROM, shown in Figure 2-8, is the father of the optical revolution. The drive reads the disc with a 780nm near-infrared laser (the move to a shorter, red wavelength came with DVD). Where a hard disk records bits as magnetic transitions, a CD records them as a single spiral track of microscopic pits pressed into a reflective layer (on a CD-R, as marks burned into a dye layer). The mapping is not simply "pit means 0, no pit means 1": the drive reads each transition between pit and land as a 1 and the flat stretches between transitions as a run of 0s, and the pattern on the disc is an encoded form of the user data (eight-to-fourteen modulation) rather than the data itself.

  The pickup measures how much light comes back: a land reflects the beam cleanly, while a pit, about a quarter of a wavelength deep, makes the reflected light interfere destructively and drop in intensity. This explains why a scratch or smudge can render a disc unreadable: the beam is scattered, the intensity no longer tracks the pits, and once the disc's built-in error correction is exhausted the drive "punts." As density was the limiting factor on hard drives, laser wavelength is the limiting factor for capacity on these discs: the longer the wavelength, the larger the spot the laser can be focused to, and the fewer pits fit on the disc. CD at 780nm therefore stores the least, DVD at 650nm more, and Blu-ray at 405nm the most. CD-ROMs have their own file system, ISO 9660, that is independent of the operating system; the Joliet extension (from Microsoft) adds long Unicode filenames, Rock Ridge adds Unix names and permissions, and with an El Torito boot record populated the disc can become bootable. The standard capacity of a CD-ROM is 650MB (700MB for 80-minute media), but it can be written "outside of tolerance" (overburned) to hold slightly more.

  Figure 2-8 Parts of a CD-ROM
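  The volume descriptors that carry the ISO 9660, Joliet and El Torito markers start at sector 16 of the disc and are easy to read directly from an image, which is the first thing to do with an optical disc of unknown origin. The following parser is an added example, not the book's code; the byte offsets are those of the ISO 9660 volume descriptor layout, and the sample image is constructed inline from a system area, an El Torito boot record, a primary volume descriptor, a Joliet supplementary descriptor and the set terminator.

```python
"""Identify the file systems and boot record on an ISO 9660 (CD/DVD) image (added example)."""
import struct

SECTOR = 2048                     # ISO 9660 logical sector size
FIRST_DESCRIPTOR = 16             # sectors 0-15 are the system area
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")   # Joliet UCS-2 level 1, 2, 3 escape sequences
EL_TORITO_ID = b"EL TORITO SPECIFICATION"


def parse_volume_descriptors(image):
    """Walk the descriptor set from sector 16 until the terminator (type 255)."""
    result = {"iso9660": False, "joliet": False, "el_torito": False, "volumes": []}
    sector = FIRST_DESCRIPTOR
    while True:
        d = image[sector * SECTOR:(sector + 1) * SECTOR]
        if len(d) < SECTOR or d[1:6] != b"CD001":
            break                                   # no standard identifier: not a descriptor
        dtype = d[0]
        if dtype == 255:
            break                                   # volume descriptor set terminator
        if dtype == 0:                              # boot record volume descriptor
            if d[7:39].rstrip(b"\x00") == EL_TORITO_ID:
                result["el_torito"] = True
        elif dtype in (1, 2):                       # primary (1) or supplementary (2)
            joliet = dtype == 2 and d[88:91] in JOLIET_ESCAPES
            raw_id = d[40:72]                       # volume identifier, UCS-2BE under Joliet
            name = raw_id.decode("utf-16-be" if joliet else "ascii").rstrip(" \x00")
            result["volumes"].append({
                "type": dtype,
                "joliet": joliet,
                "volume_id": name,
                "blocks": struct.unpack_from("<I", d, 80)[0],      # both-endian field, LE copy first
                "block_size": struct.unpack_from("<H", d, 128)[0],
            })
            result["iso9660"] |= dtype == 1
            result["joliet"] |= joliet
        sector += 1
    return result


def _descriptor(dtype, vol_id=b"", escapes=b"", boot_id=b"", blocks=0):
    """Build one 2048-byte descriptor carrying only the fields the parser reads."""
    d = bytearray(SECTOR)
    d[0] = dtype
    d[1:6] = b"CD001"
    d[6] = 1                                        # descriptor version
    if dtype == 0:
        d[7:39] = boot_id.ljust(32, b"\x00")
    elif dtype in (1, 2):
        d[40:72] = vol_id                           # caller supplies exactly 32 bytes
        d[80:88] = struct.pack("<I", blocks) + struct.pack(">I", blocks)
        d[88:120] = escapes.ljust(32, b"\x00")
        d[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)
    return bytes(d)


def build_sample_image(bootable=True, blocks=1234):
    """Constructed image (not a real disc): system area, optional El Torito boot
    record, primary descriptor, Joliet supplementary descriptor, terminator."""
    descriptors = []
    if bootable:
        descriptors.append(_descriptor(0, boot_id=EL_TORITO_ID))
    descriptors.append(_descriptor(1, vol_id=b"EVIDENCE".ljust(32, b" "), blocks=blocks))
    descriptors.append(_descriptor(2, vol_id="EVIDENCE".ljust(16).encode("utf-16-be"),
                                   escapes=b"%/E", blocks=blocks))
    descriptors.append(_descriptor(255))
    return b"\x00" * (FIRST_DESCRIPTOR * SECTOR) + b"".join(descriptors)


if __name__ == "__main__":
    print(parse_volume_descriptors(build_sample_image()))
```

  On a real image, pass the bytes of the file: a disc with only a primary descriptor is plain ISO 9660 (8.3 names), a second descriptor with a `%/E` escape means the long Unicode names live in the Joliet tree, and a boot record with the El Torito identifier is the "certain parts of the disc populated" that make it bootable.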

  Digital Video Disc (DVD)

  In function, DVDs are similar to CD-ROM technology with some tweaks. First, DVDs use a more precise 650nm red laser with a tighter focus. Since the wavelength is shorter, the pits and the track pitch are smaller, the data density is much greater, and the disc holds more data: 4.7GB on a single-layer disc and 8.5GB on a dual-layer disc. The structure of a DVD is shown in Figure 2-9.

  In addition, DVDs can carry two data layers on one side of the disc. The setup is much like the platters on a hard disk: the laser is refocused on the layer holding the data being read, allowing it to pull data from only that layer. Beyond this multi-layering, you may have heard of HD DVD or Blu-ray. These technologies use a 405nm blue-violet laser with a much smaller spot, allowing as much as 50GB to be stored on a single dual-layer Blu-ray disc (30GB for dual-layer HD DVD).

  Figure 2-9 The structure of a DVD

  Working with Optical Media

  Working with optical media from a forensics standpoint is a bit easier than working with other types of media, because the media is, in practice, read-only, which means you have to do much less work to show that the data on the disc hasn't been modified. Two caveats: a CD-R or DVD-R that has not been finalized can still have a session appended, and RW media can be rewritten, so hash the disc as soon as you receive it and read it only in a drive that cannot burn. Even so, you should make sure that you never work with originals, no matter how tempting it may be. Make a copy and archive the original in accordance with your evidence storage policy.

  If you are exporting files to a CD or DVD, watch out for filename and file path limitations. Because of the file system used on these media (ISO 9660, with or without the Joliet extension), you may encounter limits on characters, filename length, and path depth that are fine on other file systems: plain ISO 9660 wants uppercase 8.3 names and no more than eight directory levels, and even Joliet caps names at 64 characters and rejects a handful of punctuation characters. If you do come across this, we recommend using either a filename translation spreadsheet or some type of archiving system (zip, tar, and so on).
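  A small checker for exactly those limits, plus the translation table the paragraph suggests, as an added example that is not the book's code. The rules applied are ISO 9660 interchange level 1 (8.3 names built from A-Z, 0-9 and underscore; at most eight directory levels) and Joliet (64-character names; the characters `* / : ; ? \` are not allowed). The sample paths are made up.

```python
"""Flag export paths that ISO 9660 or Joliet will reject, and build a name translation table (added example)."""
import re

ISO_L1_NAME = re.compile(r"^[A-Z0-9_]{1,8}(\.[A-Z0-9_]{1,3})?$")
ISO_MAX_DEPTH = 8                       # directory nesting limit in ISO 9660
JOLIET_MAX_NAME = 64                    # Joliet filename length limit (characters)
JOLIET_FORBIDDEN = set("*/:;?\\")       # characters Joliet does not allow in names


def check_export_path(path):
    """Return the list of rule violations for a '/'-separated path ([] if it is clean)."""
    parts = [p for p in path.split("/") if p]
    problems = []
    depth = len(parts) - 1              # directories above the file
    if depth > ISO_MAX_DEPTH:
        problems.append(f"ISO 9660: {depth} directory levels exceeds {ISO_MAX_DEPTH}")
    for part in parts:
        if not ISO_L1_NAME.match(part):
            problems.append(f"ISO 9660 level 1: {part!r} is not an 8.3 name in A-Z, 0-9, _")
        if len(part) > JOLIET_MAX_NAME:
            problems.append(f"Joliet: {part!r} is longer than {JOLIET_MAX_NAME} characters")
        bad = sorted(set(part) & JOLIET_FORBIDDEN)
        if bad:
            problems.append(f"Joliet: {part!r} contains {''.join(bad)!r}")
    return problems


def build_translation_table(paths):
    """Map each original path to a level-1-safe name (F0000001.EXT) and keep the
    original and its violations beside it: the translation spreadsheet in code form."""
    table = []
    for index, original in enumerate(paths, start=1):
        leaf = original.rsplit("/", 1)[-1]
        ext = leaf.rsplit(".", 1)[1] if "." in leaf else ""
        ext = re.sub(r"[^A-Z0-9_]", "", ext.upper())[:3]
        safe = f"F{index:07d}" + (f".{ext}" if ext else "")
        table.append({"original": original, "exported_as": safe,
                      "problems": check_export_path(original)})
    return table


if __name__ == "__main__":
    # constructed sample paths, not from any case
    for row in build_translation_table(["Reports/Q3 summary.docx", "memo.txt", "notes:final?.txt"]):
        print(row)
```

  The exported names are guaranteed to pass `check_export_path`, and the table is what you hand over so the recipient can map `F0000001.DOC` back to the original path when the disc is read on a system that only sees the 8.3 tree.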

  Memory Technologies

  If you have used a digital camera, an MP3 player, or a PDA/smartphone, you have used a memory technology. These are the memory cards and cartridges that store the pictures, music, and data for these devices. As you can imagine, they often become evidence in investigations, so it's a good idea for you to understand how they work and what you are up against.

  USB Flash Drives

  USB flash drives are also known as thumb drives. They are the keychains, necklaces, and doodads that have become the gift of choice for people in the IT world. While a thorough understanding of how these drives work requires an electrical engineering degree, here is the digest version. Flash drives have no moving parts. Each cell is a transistor with an insulated floating gate; a bit is stored as charge trapped on that gate, and the charge is moved onto or off the gate by forcing electrons through the insulator, using Fowler-Nordheim tunneling (NOR flash programs with hot-electron injection and erases by tunneling; many newer parts store two or more bits per cell). The memory bank then communicates with the computer through a controller and USB interface, much like a hard disk communicates over IDE or SCSI. Two things to remember about these drives: first, what you image is the logical view the controller presents, not the raw chips, because the controller spreads writes across the chips (wear leveling) and remaps blocks behind the scenes; second, some of them have a physical switch that forces a read-only mode. Use that switch whenever one exists, and put the drive behind a hardware USB write blocker either way when you extract data for an investigation.

 
