8.4 Storage Media and Data Hiding


[On binary systems] each data element is implemented using some physical device that can be in one of two stable states: in a memory chip, for example, a transistor switch may be on or off; in a communications line, a pulse may be present or absent at a particular place and at a particular time; on a magnetic disk, a magnetic domain may be magnetized to one polarity or to the other; and, on a compact disk, a pit may be present or not at a particular place. (Sammes and Jenkinson 2000)

Although storage media come in many forms, hard disks are the richest sources of digital evidence on computers. Even modern photocopy machines have hard drives and can be augmented by connecting external controllers with a CPU, RAM, and high capacity hard drives to accommodate more complex printing more quickly. Understanding how hard drives function, how data are stored on them, and where data can be hidden can help digital investigators deal with hard drives as a source of evidence.

There are several common hard drive technologies. Integrated Drive Electronics (IDE) drives, also called Advanced Technology Attachment (ATA) drives, are simpler, less expensive, and therefore more common than higher performance SCSI drives. FireWire (IEEE 1394) is a serial bus that carries a SCSI-derived command set over its own transport (the SBP-2 protocol), providing high-speed access to a chain of devices without many of the disadvantages of SCSI such as instability and expense. Regardless of the interface, a conventional hard drive contains spinning platters made of a light, rigid material such as aluminum, ceramic, or glass. These platters have a magnetic coating on both sides and spin between a pair of read/write heads, one head on each side of a platter. The heads move over a platter like the needle of a record player, but float above the surface on a cushion of air created by the rotation of the disk; they can align particles in the magnetic media (called writing) and, conversely, detect how the particles on the platter are aligned (called reading). Particles aligned one way signify a binary one (1) and particles aligned the other way signify a binary zero (0), as shown in Figure 8.3.

Figure 8.3: Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0). Image from http://www.ntmdt.ru/applicationnotes/MFM/ (reproduced with permission).

Data are recorded on a platter in concentric circles (like the annual rings of a tree trunk) called tracks. A cylinder is the set of tracks at the same radius on every platter surface in the drive; the two terms are often used interchangeably because the heads move together and can read an entire cylinder without seeking. Each track is further broken down into sectors, usually big enough to contain 512 bytes of information (512 × 8 = 4096 ones and zeros).[3] Many file systems group one or more sectors into a cluster and use that as their basic unit of disk allocation. For instance, Figure 8.4 shows a disk with 64 sectors per cluster, resulting in 32 kbytes per cluster (64 sectors × 512 bytes/sector ÷ 1024 bytes/kbyte = 32 kbytes).

Figure 8.4: A depiction of platters, tracks, sectors, clusters, and heads on a computer disk.

As shown in Figure 8.4, the location of data on a disk can be specified by the cylinder they are on, the head that can access them, and the sector that contains them; this is called CHS addressing. The capacity of a hard disk can therefore be calculated by multiplying the number of cylinders, heads, and sectors per track by 512 bytes. These numbers are often printed on the outside of the hard drive, and the calculated capacity (C × H × S × 512 bytes) can be compared with the amount of data extracted from a hard drive to check that all evidence has been obtained. For instance, a hard drive with 1024 cylinders, 256 heads, and 63 sectors per track contains 8455716864 bytes (1024 × 256 × 63 × 512 bytes). This equates to about 8.4 Gbytes (8455716864 bytes ÷ 1,000,000,000 bytes per Gbyte), where 1 Gbyte is taken to be roughly one billion characters; in binary units the same drive is about 7.9 GiB (8455716864 ÷ 1024 ÷ 1024 ÷ 1024), so a label printed in decimal gigabytes and an operating system reporting binary units will describe the same drive with different numbers. Note also that 1024 × 256 × 63 sectors is the largest geometry the legacy BIOS disk interface can address: on larger drives the CHS values printed on the label are a nominal, BIOS-compatible geometry (commonly 16383 cylinders, 16 heads, 63 sectors) rather than the physical layout, and the figure an image should be compared against is the total sector count the drive itself reports (its LBA capacity).
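The CHS arithmetic above, as an added worked example (not code from the book): it maps CHS triples to logical block addresses and back, computes the C × H × S × 512 capacity for the book's 1024/256/63 geometry, and reports how far short an acquired image falls of that capacity. The geometry is the book's; the image sizes fed to image_completeness() are constructed for the demonstration.

```python
"""CHS geometry arithmetic for checking a disk image (added example; not from the book)."""
from __future__ import annotations

from dataclasses import dataclass

SECTOR_SIZE = 512  # bytes of user data per sector, as the text assumes


@dataclass(frozen=True)
class Geometry:
    cylinders: int  # numbered 0 .. cylinders-1
    heads: int      # numbered 0 .. heads-1
    sectors: int    # sectors per track, numbered 1 .. sectors (CHS convention)

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors

    @property
    def capacity_bytes(self) -> int:
        return self.total_sectors * SECTOR_SIZE


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """Map a (cylinder, head, sector) triple to a 0-based logical block address."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads and 1 <= s <= geo.sectors):
        raise ValueError(f"CHS ({c},{h},{s}) is outside geometry {geo}")
    return (c * geo.heads + h) * geo.sectors + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple[int, int, int]:
    """Inverse of chs_to_lba: cylinder, then head, then 1-based sector."""
    if not 0 <= lba < geo.total_sectors:
        raise ValueError(f"LBA {lba} is outside geometry {geo}")
    c, rem = divmod(lba, geo.heads * geo.sectors)
    h, s0 = divmod(rem, geo.sectors)
    return c, h, s0 + 1


def cluster_size_bytes(sectors_per_cluster: int) -> int:
    """Cluster size for a file system that allocates N sectors at a time."""
    return sectors_per_cluster * SECTOR_SIZE


def describe_capacity(nbytes: int) -> str:
    """Decimal (label) and binary (OS) readings of the same byte count."""
    return (f"{nbytes} bytes = {nbytes / 1e9:.2f} GB (decimal) "
            f"= {nbytes / 1024 ** 3:.3f} GiB (binary)")


def image_completeness(geo: Geometry, image_size_bytes: int) -> dict:
    """Compare an acquired image against the expected C*H*S*512 capacity."""
    expected = geo.capacity_bytes
    delta = image_size_bytes - expected
    missing_sectors, stray_bytes = divmod(max(-delta, 0), SECTOR_SIZE)
    return {
        "expected_bytes": expected,
        "image_bytes": image_size_bytes,
        "complete": delta == 0,
        "missing_sectors": missing_sectors,   # whole sectors the image is short
        "partial_sector_bytes": stray_bytes,  # non-zero means a truncated sector
        "extra_bytes": max(delta, 0),         # image larger than the label predicts
    }


if __name__ == "__main__":
    geo = Geometry(cylinders=1024, heads=256, sectors=63)  # the book's example
    print(describe_capacity(geo.capacity_bytes))
    print("last addressable sector:", lba_to_chs(geo, geo.total_sectors - 1))
    print("64 sectors/cluster ->", cluster_size_bytes(64), "bytes per cluster")
    # constructed case: an image that stopped 1000 sectors short of the drive's end
    print(image_completeness(geo, geo.capacity_bytes - 1000 * SECTOR_SIZE))
```

A non-zero "missing_sectors" means the acquisition stopped early; a non-zero "partial_sector_bytes" means the last sector was cut off, which usually points at a read error or an interrupted transfer rather than a smaller drive.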

There are a few nuances to hard drives that enable a wily individual to conceal the presence of large amounts of data on them. The first cylinder on a disk (a.k.a. the maintenance track) is used to store information about the drive such as its geometry and the location of bad sectors. By intentionally marking portions of the disk as bad, an individual can conceal data in these areas from the operating system. The evidence collection tools described in this text are not fooled by this technique, and some utilities such as Anadisk[4] can copy the maintenance track of a floppy disk. Another potential area for data hiding is the Host Protected Area (HPA) on ATA disks built to ATA-4 or later (post-1998). As the name suggests, most programs cannot access this area: the drive simply reports a smaller number of addressable sectors, so an imaging tool that reads the block device to its reported end stops short without any error. The area can be detected by comparing the sector count the drive reports in its IDENTIFY DEVICE data with the result of the READ NATIVE MAX ADDRESS command (on Linux, hdparm -N performs this comparison), and tools such as BXDR[5] have been developed to detect and copy the area. Drives built to ATA-6 or later also support a Device Configuration Overlay (DCO), which can lower the native maximum itself, so a thorough check covers both.
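The HPA detection check described above, as an added example (not code from the book or from BXDR): it parses the 512-byte IDENTIFY DEVICE block for the drive's addressable sector count and compares it with the highest LBA returned by READ NATIVE MAX ADDRESS. Both inputs are constructed here to stand in for what a real drive returns; the word offsets used (60-61 and 100-103 for the LBA28 and LBA48 sector counts, word 82 bit 10 for HPA support, word 83 bit 10 for 48-bit addressing) are those of the ATA specification, and the 16,777,216-sector drive with 262,144 hidden sectors is a made-up case.

```python
"""Detecting a Host Protected Area from ATA IDENTIFY DEVICE data (added example; not from the book)."""
import struct

SECTOR_SIZE = 512


def build_identify(cyl, heads, spt, lba28, lba48, *, hpa=True, lba48_ok=True) -> bytes:
    """Construct a plausible IDENTIFY DEVICE block (256 little-endian 16-bit words).

    Constructed test data: a real tool gets these 512 bytes from the drive.
    """
    w = [0] * 256
    w[1], w[3], w[6] = cyl, heads, spt                       # nominal CHS geometry (legacy words)
    w[60], w[61] = lba28 & 0xFFFF, (lba28 >> 16) & 0xFFFF  # words 60-61: LBA28 addressable sectors
    w[82] = (1 << 10) if hpa else 0                          # word 82 bit 10: HPA feature set supported
    w[83] = (1 << 10) if lba48_ok else 0                     # word 83 bit 10: 48-bit addressing supported
    for i in range(4):                                       # words 100-103: LBA48 addressable sectors
        w[100 + i] = (lba48 >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *w)


def parse_identify(buf: bytes) -> dict:
    """Pull the fields an HPA check needs out of IDENTIFY DEVICE data."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w = struct.unpack("<256H", buf)
    lba28 = w[60] | (w[61] << 16)
    lba48 = sum(w[100 + i] << (16 * i) for i in range(4))
    lba48_ok = bool(w[83] & (1 << 10))
    return {
        "chs": (w[1], w[3], w[6]),
        "chs_sectors": w[1] * w[3] * w[6],         # label geometry; nominal on large drives
        "hpa_supported": bool(w[82] & (1 << 10)),
        "lba48_supported": lba48_ok,
        "addressable_sectors": lba48 if lba48_ok else lba28,  # what the OS is allowed to see
    }


def hpa_check(identify: dict, native_max_lba: int) -> dict:
    """Compare the OS-visible sector count with the drive's native maximum LBA.

    native_max_lba is the highest LBA reported by READ NATIVE MAX ADDRESS (EXT);
    every sector above the addressable count is hidden from ordinary software.
    """
    visible = identify["addressable_sectors"]
    native_sectors = native_max_lba + 1
    hidden = native_sectors - visible
    if hidden < 0:
        raise ValueError("native max below addressable count: inconsistent data")
    return {
        "visible_sectors": visible,
        "native_sectors": native_sectors,
        "hpa_present": hidden > 0,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_SIZE,
        "hpa_start_lba": visible if hidden else None,  # first LBA an imager must still read
    }


if __name__ == "__main__":
    # constructed drive: 16,777,216 native sectors, 262,144 of them hidden by an HPA
    ident = parse_identify(build_identify(16383, 16, 63, lba28=16515072, lba48=16515072))
    print("label geometry", ident["chs"], "->", ident["chs_sectors"], "sectors (nominal only)")
    print(hpa_check(ident, native_max_lba=16777215))
```

The comparison is the same one hdparm -N prints on Linux as "max sectors = visible/native, HPA is enabled"; the point of doing it before imaging is that a reader such as dd stops at the visible count and reports success, so the hidden 128 MiB in the constructed case would never reach the image.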

[3]Sectors are actually 557 bytes but only 512 bytes are used to store data. The additional space is used for low-level encoding data. A discussion of the low-level encoding schemes on magnetic media such as Frequency Modulation (FM), Modified Frequency Modulation (MFM), Run Length Limited (RLL), and Advanced Run Length Limited (ARLL) encoding methods is available in (Sammes and Jenkinson 2000).

[4]http://www.forensics-intl.com/anadisk.html

[5]http://www.sandersonforensics.co.uk/BXDR.htm




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
