The Impact of Hard Disk Firmware Steganography
on Computer Forensics

Iain Sutherland
Faculty of Advanced Technology
University of Glamorgan
CF37 1DL
+44(0)1443 654085
isutherl @glam.ac.uk

Gareth Davies
Faculty of Advanced Technology
University of Glamorgan
CF37 1DL
+44(0)1443 654085
gddavies@glam.ac.uk

Nick Pringle
Faculty of Advanced Technology
University of Glamorgan
CF37 1DL
+44(0)1443 654085
npringle@glam.ac.uk

Andrew Blyth
Faculty of Advanced Technology
University of Glamorgan
CF37 1DL
+44(0)1443 654085
ajcblyth@glam.ac.uk
 

ABSTRACT

The hard disk drive is probably the predominant form of storage media and is a primary data source in a forensic investigation. The majority of available software tools and literature relating to the investigation of the structure and content contained within a hard disk drive concerns the extraction and analysis of evidence from the various file systems which can reside in the user accessible area of the disk. It is known that there are other areas of the hard disk drive which could be used to conceal information, such as the Host Protected Area and the Device Configuration Overlay. There are recommended methods for the detection and forensic analysis of these areas using appropriate tools and techniques. However, there are additional areas of a disk that have currently been overlooked. The Service Area or Platter Resident Firmware Area is used to store code and control structures responsible for the functionality of the drive and for logging failing or failed sectors.

This paper provides an introduction into initial research into the investigation and identification of issues relating to the analysis of the Platter Resident Firmware Area. In particular, the possibility that the Platter Resident Firmware Area could be manipulated and exploited to facilitate a form of steganography, enabling information to be concealed by a user and potentially from a digital forensic investigator.

Keywords: Digital Forensics, Hard Disk Drive, Firmware, Steganography.