Re: Hidden hard drive partitions

On Thu, Sep 30, 2010 at 12:34 AM, Jason Hsu, embedded engineer, Linux
user <jhsu802701 <at> jasonhsu.com> wrote:
> I've heard that some hard drives contain hidden partitions that Darik's Boot And Nuke cannot erase.
 Supposedly, law enforcement requires manufacturers to include the hidden partition so that the
criminals cannot erase their tracks.  Only law enforcement has the special software needed to access
the hidden partition.

I found this article on HPA:
http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf

I used to work with a computer forensics tech who was fully trained in
the use of Encase (one of the most common forensics toolkits).  I now
work with drive geeks, who have told me this stuff before.  In general
conversation with them,  I gather the following:

There is area on the disk that cannot be read or written by the BIOS
or OS, that drive manufacturers reserve.  One of the tricks used by
drive manufacturers is that they will build a drive (let's say 120GB)
and use this area to lower the presented space to 40, 60, 80, 100, or
120GB of useable space. They also do the same with write cache etc.
One drive, 6 different markets, six different prices.

If you KNEW WHAT YOU WERE DOING, you could read/write data to this
area of the disk.  You won't accidentally get there, as the
manufacturers have done everything they can to keep you out.

Because this is a manufacturer region reserved for their stuff, they
don't seem thrilled that ANYONE (including law enforcement) wants to
hack into that region.  Encase couldn't do it a few years back, maybe
now it can.  It is unlikely that law enforcement would have the tools

Re: Hidden hard drive partitions

On Thu, Sep 30, 2010 at 9:04 AM, Jeremy <jeremy <at> lizakowski.com> wrote:
> There is also the issue of incomplete erasures.  Even if you could
> wipe every sector, a slight ghost image remains.  That's why many
> tools offer to rewrite each sector multiple times.  But even that
> assumes it can move over the magnetic media in exactly the same
> position - physical media will always be impefect.

This used to be a major issue, but with modern drives the bit density
is so high that all available evidence supports a single-pass
overwrite being sufficient to completely obscure data from any
possible recovery.  So unless you're still using a drive from 1988 or
something, don't worry about it.

 - Tony

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list <at> mn-linux.org
http://mailman.mn-linux.org/mailman/listinfo/tclug-list

Re: Hidden hard drive partitions

> -----Original Message-----
> From: tclug-list-bounces <at> mn-linux.org
> [mailto:tclug-list-bounces <at> mn-linux.org]On Behalf Of Tony Yarusso
> Sent: Friday, October 01, 2010 1:18 AM
> To: TCLUG Mailing List
> Subject: Re: [tclug-list] Hidden hard drive partitions
> 
> 
> On Thu, Sep 30, 2010 at 9:04 AM, Jeremy <jeremy <at> lizakowski.com> wrote:
> > There is also the issue of incomplete erasures.  Even if you could
> > wipe every sector, a slight ghost image remains.  That's why many
> > tools offer to rewrite each sector multiple times.  But even that
> > assumes it can move over the magnetic media in exactly the same
> > position - physical media will always be impefect.
> 
> This used to be a major issue, but with modern drives the bit density
> is so high that all available evidence supports a single-pass
> overwrite being sufficient to completely obscure data from any
> possible recovery.  So unless you're still using a drive from 1988 or
> something, don't worry about it.
> 
>  - Tony

Mostly true, but residual waveforms still exist, and a full forensic recovery would read waveforms from
special heads and do a scientific version of PRML data recovery (adjacent bits interact and alter
waveforms in predictable ways).  That's more tedious than most can imagine, but pretty effective. 
Requires clean rooms and research quality lab equipment that is rare even within drive manufacturer's facilities.

Expensive enough and difficult enough so it's something only the really bad guys need to worry about  

Re: Hidden hard drive partitions

Show me evidence that this can be done.  All of that residual waveform
stuff is no longer detectable on modern drives.

Re: Hidden hard drive partitions

> -----Original Message-----
> From: tclug-list-bounces <at> mn-linux.org
> [mailto:tclug-list-bounces <at> mn-linux.org]On Behalf Of Tony Yarusso
> Sent: Friday, October 01, 2010 2:59 AM
> To: TCLUG Mailing List
> Subject: Re: [tclug-list] Hidden hard drive partitions
>
>
> Show me evidence that this can be done.  All of that residual waveform
> stuff is no longer detectable on modern drives.

Too hard.  You show evidence that it cannot, including all variants of
platter imaging.  Didn't say the drive "as delivered" could do it.  I worked
in the most advanced read/write end of the industry doing modeling, etc.. If
you have, you probably wouldn't ask.  If you haven't you might not have the
PRML analysis, head design variant knowledge, knowledge of excess written
space in data imaging on tracks, and spin stand background to follow the
evidence.  Didn't say it was easy or cheap.  Did say it isn't trivial.

Chuck

Re: Hidden hard drive partitions

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list <at> mn-linux.org
http://mailman.mn-linux.org/mailman/listinfo/tclug-list

Re: Hidden hard drive partitions

I had believed that a hard drive could be securely erased by multiple over-writes with random bit patterns,
such that not even the NSA could salvage anything useful.

Chuck, when you said "Not so", you made me sit up in surprise.  I am genuinely curious.  Could you refer us to
technical articles that explain how experts can retrieve data from drives that have been subjected to
rigorous shredding (eg, with utilities such as DBAN http://www.dban.org/)?  (If indeed that is your claim.)

Hoping to avoid a flamewar -- Dean

At 10/1/2010 11:38 AM, T L wrote:
>It is logically impossible for Tony to prove a negative, but all you'd have to do is one current reference to
show that you're not just blowing smoke. Care to do so?
>
>Thomas
>
>>On Oct 1, 2010 4:51 AM, "Chuck Cole" <<mailto:cncole <at> earthlink.net>cncole <at> earthlink.net> wrote:
>>
>>> -----Original Message-----
>>> From: <mailto:tclug-list-bounces <at> mn-linux.org>tclug-list-bounces <at> mn-linux.org
>>> [mailto:<mailto:tclug-list-bounces <at> mn.>tclug-list-bounces <at> mn...
>>
>>> Sent: Friday, October 01, 2010 2:59 AM
>>> To: TCLUG Mailing List
>>> Subject: Re: [tclug-list] Hidden...
>>
>>> Show me evidence that this can be done. All of that residual waveform
>>> stuff is no longer detect...
>>Too hard.  You show evidence that it cannot, including all variants of
>>platter imaging.  Didn't say the drive "as delivered" could do it.  I worked
>>in the most advanced read/write end of the industry doing modeling, etc.. If
>>you have, you probably wouldn't ask.  If you haven't you might not have the
>>PRML analysis, head design variant knowledge, knowledge of excess written
>>space in data imaging on tracks, and spin stand background to follow the
>>evidence.  Didn't say it was easy or cheap.  Did say it isn't trivial.
>>
>>Chuck

Re: Hidden hard drive partitions

On Fri, Oct 01, 2010 at 12:11:19PM -0500, Dean.Benjamin <at> mm.com wrote:
> I had believed that a hard drive could be securely erased by multiple
> over-writes with random bit patterns, such that not even the NSA could
> salvage anything useful.
>
> Chuck, when you said "Not so", you made me sit up in surprise.  I am
> genuinely curious.  Could you refer us to technical articles that
> explain how experts can retrieve data from drives that have been
> subjected to rigorous shredding (eg, with utilities such as DBAN
> http://www.dban.org/)?  (If indeed that is your claim.)

I don't know what Chuck knows and what he can tell, but I do know that
some parts of the US government used to take all the hard drives out
from computers before selling them for reuse or scrap.  I presume the
hard drives were shredded in large batches or hammered-in in small
batches.

Cheers,
florin

--

-- 
Bruce Schneier expects the Spanish Inquisition.
      http://geekz.co.uk/schneierfacts/fact/163

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list <at> mn-linux.org
http://mailman.mn-linux.org/mailman/listinfo/tclug-list

Re: Hidden hard drive partitions

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list <at> mn-linux.org
http://mailman.mn-linux.org/mailman/listinfo/tclug-list

Re: Hidden hard drive partitions

On Fri, Oct 1, 2010 at 1:09 PM, Florin Iucha <florin <at> iucha.net> wrote:
>  I do know that
> some parts of the US government used to take all the hard drives out
> from computers before selling them for reuse or scrap.  I presume the
> hard drives were shredded in large batches or hammered-in in small
> batches.

And many organizations continue to participate in this horrifically
environmentally harmful practice even though it is no longer necessary
because they are misled about the current state of forensics.

 - Tony

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list <at> mn-linux.org
http://mailman.mn-linux.org/mailman/listinfo/tclug-list