Forensic Trails Obfuscation and Preservation via Hard Drive Firmware
Underhill, Paul ; Oyinloye, Toyosi ; Eze, Thaddeus ; Speakman, Lee
Publication Date
2022-06-08
Files
Conference proceeding
Adobe PDF, 389.28 KB
Abstract
The hard disk drive stores the data the user creates, modifies, and deletes, while firmware facilitates communication between the drive and the operating system. The firmware tells the device and machine how to communicate with each other and shares useful information such as disk size and information on any bad sectors. Current research shows that exploits exist that can manipulate these outputs. An attacker can change the size of the disk displayed to the operating system to hide data, and can do likewise by marking an area of the disk as bad. Users may not be aware of these changes, as the operating system will accept the readings from the firmware. Although the data is not reachable via the operating system, this paper looks at the traceability of manipulated data using the data recovery software FTK Imager, Recuva, EaseUS and FEX Imager.
This report examines the use of malicious techniques to thwart digital forensic procedures by manipulating the firmware. It shows how this is possible and that current forensic techniques or software do not easily detect a change within the firmware. However, with the use of various forensic tools, obfuscated trails are detectable. This report follows a black box testing methodology to show the validation of forensic tools or software against anti-forensic techniques. The analysis of the results showed that most tools can find the firmware changes; however, it requires an analyst to spot the subtle differences between standard and manipulated devices. The use of multiple software tools can help an analyst spot the inconsistencies.
Citation
Underhill, P., Oyinloye, T., Speakman, L., & Eze, T. (2022). Forensic trails obfuscation and preservation via hard drive firmware. In T. Eze, N. Khan, & C. Onwubiko (Eds.), The 21st European Conference on Cyber Warfare and Security: 16th-17th June 2022, University of Chester, England (pp. 419-428). Academic Conferences International
Publisher
Academic Conferences International
Type
Conference Contribution
ISBN
9781914587412
