lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 May 2005 11:11:33 +0200
From: Arne Vidström <arne.vidstrom@....se>
To: bugtraq@...urityfocus.com
Subject: Commonly used disk imaging and wiping tools can be tricked to miss
 parts of a disk


Hello,

Device Configuration Overlays (DCO) is a not so well known optional 
feature set in the ATA-6 standard and forwards. It is supported by a lot 
of, but not all, modern disks. Using DCO it is possible to tell a disk 
that it should appear smaller than it really is, thus hiding an 
arbitrarily large part of the disk from the operating system.

We have made some tests with DCO and a few common imaging and wiping 
tools. It seems that most tools are *not* capable of handling DCO at all.

For example we have found that even using the DOS boot floppy of EnCase 
Forensic Edition 4.18a, the part of a disk hidden with DCO will not get 
aquired.

Another really bad thing is that disk wipe tools do not wipe a disk with 
a DCO set on it. For example, the very common tool ExpertEraser 2.0 from 
IBAS can be tricked into wiping as little of a disk as wished by setting 
a DCO on the disk before the wipe.

I would like to emphasize that these are only examples of tools that 
cannot handle DCO, so simply switching to another manufacturers tool 
will *not* solve the problem. Because the issue affects so many tools we 
have chosen not to try to contact all manufacturers before releasing 
this information.

There is a freeware tool coded by me that can set & discover & remove DCO:

http://vidstrom.net/stools/taft/

We have been using it for our research for a few months now but I 
haven't published it until now.

Also, I have written a report (which was finished already in January 
this year) on this and other issues related to ATA and Computer 
Forensics but it has taken time to get it through all the formalities 
with classification and such, so it will probably take another couple of 
weeks before I can publish it.


Regards /Arne Vidström

Researcher, IT Security
Swedish Defence Research Agency
http://www.foi.se


Powered by blists - more mailing lists