Forensics: Imaging the HPA

Host Protected Area or Hidden Protected Area

This is an area of the hard drive that can be hidden from the O/S, but can be accessed during BIOS and therefore has value for a variety of reasons.  This is not the same as the DCO which is hardware locked and is not accessed via a computer during normal usage.

Examples of the HPA being used for genuine/commercial reasons include:

Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).

Dell notebooks hide Dell MediaDirec utility in HPA.  IBM and LG notebooks hide system restore software in HPA.

HPA is also used by various theft recovery and monitoring service vendors. For example the laptop security firm ComputTrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. This is a good example of using the HPA because even if a stolen laptop has its hard drive formatted the HPA remains untouched

Can the HPA be imaged?

Yes ,  some  tools allow for this.  Linen for example will allow the HPA to be imaged.  It is the Linux environment, rather than EnCase specifically, that allows the HPA to be imaged.

Certain write blockers such as Tableau, will allow the imaging of the HPA as the hardware handles the issues of the HPA.

Hardware Cloners, by the likes of ICS and LogiCube, can also image the HPA and DCO

Forensic Cloner: ImageMASSter Solo-3 Forensic Cloner

The ImageMASSter Solo-3 Forensic is the ICS equivalent of the LogiCube Talon.

While it has a better look to it than the Talon ( good metal casing compared to a cheap look plastic case) some of  its specifications are not quite as good, as the ICS. 3 GB per min compared to 4 GB per minute.

Solo3 Forensic Cloner

Also the Solo-3 does not have  removebale media for storing logs. However it can image the DCO and HPA areas of the hard (according to the specifications).

Forensic Cloners: ICS Mass Cloner

For years Logicube have always produce a cloner that is slightly faster, or with slightly more features than ICS. But now ICS have produced the mother of all cloners the  Rapid Image 7020.

ICS Mass Cloner

This machine, with levers big enough to make Dr Frankenstein happy, can image 10 drives at a time. Each with a maximum speed of 6 GB min. This would mean that a total of  60 GB a min or 3.6 TB of data per hour can be imaged with one device.

It also has the ability to log everything that is occurring, through a SQL database.  For those collecting hundreds of drives onsite, this would all the process to be done simply and easily, from a single centralized room.

But the device is not without its problems. Firstly, its $11,000 (USD). While that’s not very much for any company involved in large scale data collection, its still a hefty chunk of change. For the same price 10 laptops could be bought, to achieve the same goal  (but with more cables).

Secondly, by default, it does not seem very portable, what with those big levers. Large data collections are not a problem in the lab, but onsite. So it needs to be taken onsite.

Thirdly, it doesn’t support laptops by default, that’s an “add on” and its not clear if can support 10 laptop drives at a time, or just a few.

They still don’t produce Eo1 images, but staying with the DD image, which means there is no compression.

Overall its big, its yellow, it can image a lot of drives, and will be great for those large scale onsites, where you fully immerse yourself in the company. But for the smaller cases, imaging using the local machine, or with laptops its just too much.

Forensics Cloners: Talon

The Forensic Talon cloner, by Logicube, has been available for serveral years now, and at the time of its release it was the fastest on the market.

The Pro’s:

• Its fast. Very fast. It states it can get upto 4 GB a min, and it can. If both drives are good S-ATA drives you will get those speeds.
• It has a really good logging functionality, and stores everything you need to on flash media.
  

  Talon Cloner

• It can conduct a “keyword search” across the drive during the imaging (don’t expect the functionality of EnCase or FTK).
• It has a good level of functionality, with cloning, imaging, and wiping functionality, as well as MD5 of SHA hashing, and verification methods.
• If can be used as a write blocker as well as a cloning/imaging device.
• It checks to see if data is moving over the cables correctly.

The Cons

• Its plastic and feels cheap. Its not, but it looks and feels it.
• The logging is fantastic, but it if the flash media is not present it will not image as it cannot log. i.e. if you leave the  flash media out of the kit, by mistake, you may as well not have the cloner at all.
• It images to FAT32 only, no NTFS capability, and file names are restricted to 8 characters.
• If you open the device, while the external IDE cables are connected (easy and often done) it can damage the connectors and ruin the cloner
• The verification methods, involving data lines, can some times produce false negatives. I.e. The system will sometimes state that there is an error with the imaging/cloning functionality, even though the image is good.

Forensic: EnCase Verification, MD5, and Other Myths

Encase is without doubt the most popular forensics tool on the market, however due to the name of one its features, it has also started one of the most common myths. Verification.

When EnCase completes an image it then conducts a “verification” and when it completes, it brings up a variety of hash values, and confirms that the data has “verified”. Excellent. Data verified…no not at all.

The EnCase verification does not check the original data, it check the destination data. This is an often misunderstood point, but one that can be critical.

A very simple test of this, for the doubting Thomas out there, is to simply disconnect the original drive while the verification is being carried out. The verification will still complete, successfully, despite the fact there is nothing to verify against. The reason is this:

The verification checks the image file, it verifies the integrity of the image files, an important process. It does not check if the data imaged is correct – a very important difference.

Example: Company X is at an clients site  imaging hard drives, they are using Tableau write blockers, connected to laptops and imaging to USB drives from a well known brand (inside the USB case is a 3.5 inch 500 GB S-ATA).  The drive to be imaged is an old 2.5 inch IDE drive.

The 2.5 inch drive, an old laptop drive, is taken out of the laptop and connected, via a 2.5 to 3.5 inch converter to the tableau write blocker, which is then connected, via USB, to the the laptop.

The person imaging selects the source drive, the 2.5 inch and sets the destination drive as the USB drive, this means that the data takes the following route.

1) It is read from the old, dusty, 2.5 inch hard drive.

2) It goes out the 2.5 inch pins, into the 3.5 inch converter.

3) From the 3.5 inch converter it goes along an IDE cable.

4) From the IDE cable it goes along to the Tablea write blocker.

5) The black box that converts the IDE to a USB.

6) The tableau then transmitts the data down a USB cable.

7 ) The USB cable connects to the laptop USB port.

8 ) The laptop USB port then connects to the motherboard.

9) The data is then transferred internally, and EnCase then “reads” the data.

10) Encase then “write the data” out and it travels along the mother board to another USB port.

11) From the USB port it goes down a USB cable to the USB drive.

12 ) The USB drive then converts to a 3.5 inch S-ATA drive.

13) The 3.5 inch S-ATA then write the data.

It is not until step (9) that Encase reads the data. It is that data that EnCase then writes, and then verifies what it has written. If it is feasible for an error to occur between 9 and 13, hence the need for the verification, it is also feasible, if not more so, that an error occurs between 1 and 9.

If the hard drive is not working correcty, or the cables are damaged, or the pins are not aligned correctly, or any of a host of other reasons then the hard drive will not image correctly. 99% of the time this error will be a very obvious error, e.g the hard drive will not spin up, or it cannot be seen – which is a good error to have, as it can be addressed.

Sometimes, very rarely but sometimes, the drive will image, but it will be producing junk data, or “skewed” data. While this is rare, it certainly does happen (unlike the theoretical problem of MD5 collisions). i.e. this is a real world problem, not just one confined to labs and mathematics papers.

In the worst case scenario this means that data will be imaged, Encase will read it, write it, and then verify it. The person conducting the image will then leave the scene and state, without intending to lie, that they have a 100% accurate image of the data.When in actual fact they have junk. This can, and does lead to all sorts of problems.

In one case the image of a single hard drive was taken at a “suspects” home, the image was verified and then taken back to the office.  The image was later investigated, from the investigation the examiner concluded that the user had wiped their drive with a tool that deliberately made a mess of the MFT.

What had actually happened is that the image of drive was poor, and much of the MFT was skewed during the imaging process, probably due to bad electronics/electrics somewhere in the imaging process. i.e. they had not taken a good image. But the person investigating the drive did not know/understand this and as a result produce a very detailed report explaining how the drive had been deliberately wiped to hide information.

The suspect/victim of this allegation was fortunate in that the computer was working (and shown to be working) prior to the image being taken and was working after the image being taken; this was, oddly, recorded by the person conducting the image. From this alone it was very obvious that the one and only drive in the computer could not have been wiped. But, in this case a long and detailed report, accusing the suspect/victim of wiping evidence  was submitted. While there was no evidence of the original allegations, the report stipulated, at great length, that the suspect had wiped their drive, and therefore conclusions could be drawn from that. The person writing the report was adamant that the image was correct, because it verified when he wrote the report. Even though he was hundreds of miles from the actual hard drive, the myth of EnCase Verification was so strong, that he believed that the verification guaranteed the quality of the data. A common belief.

A second image was taken, correctly, and the drive examined. From this it could be seen that there was no evidence of wiping, nor evidence of the original allegations. The  suspect/victims statement that that there computer was working were fully corroborated, and they were proved innocent.