Preventing hard disk firmware manipulation attack and disaster recovery by Dai Shimogaito

Published on March 12, 2014

Author: codeblue_jp

Source: slideshare.net

Description

In this talk I will explain strategies prior to and after a hard disk has lost its ability to be used as a storage device due to human manipulation or natural disaster that will allow a high possibility of data recovery. The clicking sound of the hard disk's head is synonymous with hard disk failure; however, it is not widely known that this clicking sound can happen even when there is nothing wrong with the head. Changing the hard disk's head merely because it is acting up is a very risky action because it can increase the danger of damaging the clean insides of a hard disk. So what is causing the hard disk's head clicking sound? The answer is damaged firmware. In this talk I will explain how to utilize the firmware to control the device and use it in a disaster recovery situation.

Dai Shimogaito

CEO of Osaka Data Recovery, founded in 1998. Director of Data Recovery Association Japan.
Seeking to perfect data recovery methods, he conducts research and exchanges information with engineers domestically and internationally.

Trainings: Data Recovery Trainings for NPA and IDF Seminars, etc.
Lectures: Digital Forensic Study Groups, NTT Secure Platform Laboratories, and privately for companies and governments

Disaster Data Recovery method for HDD by Dai Shimogaito January, 17th, 2014 at CODEBLUE in Tokyo

What is Disaster Recovery?
1. AFTER Disaster: To recover a computer system which has suffered from a natural disaster, like tsunami, river flood, storm, and earthquake. The most difficult problem for data recovery: Platter Surface Damage
2. BEFORE Disaster: To protect a computer system and get ready for a large-scale crash. Physical Damage caused by Software; HDD Customization for Platter Damage

Three Failures Lead to Data Loss
• Logical Failure
  • System failure
  • Data corruption
  • Deletion of data
• Electronic Failure
  • Printed Circuit Board (PCB)
  • One or more of the PCB components
  • ROM or the System Area data is damaged
• Physical Failure
  • Stiction
  • Spindle bearing is frozen
  • Head crash (dropped hard drive)

Features of HDD which suffered from natural disaster
1. Chips on PCB are gone
2. HDD falls down and gets a strong shock
3. Dirt comes inside HDD
4. Water comes inside HDD
Severe damage! The normal data recovery process is useless, because the damage level is extremely high.

After a Natural Disaster, HDD can look like this

What is Data Recovery? Trying to image data from a non-accessible HDD, sector by sector.
Diagram: Broken HDD (no access to data; inaccessible due to failure) → Copy → Good HDD (full access to data; a normally operating HDD)

What is Data Recovery ? Basically, parts replacement is the way for temporary repair. HDD Fire Accident

What is Data Recovery? A 100% clone is always preferable, but the result depends on the type of damage to the HDD and the data recovery process.

Replaceability with Donor Part
• HSA [ Head Stack Assembly ]: YES. Head Map, Capacity, Architecture Family, Microjog
• SPM [ Spindle Motor ]: YES. Seizure Problem, Lubricating oil
• PCB [ Printed Circuit Board ]: YES. Serial ROM, NV-RAM, Fuse, Resistor, Diode, Capacitor, Coil, Microchip / Repair is also useful
• FW [ Firmware ]: YES & NO. Unique module, Non-unique module, Regeneratable module, Essential Module
• Disk [ Platter ]: NO. Bad Sector, Scratch, particles on surface

Replaceability with Donor Part, FW: YES & NO. Firmware = Service Modules. SA Modules are located on platters. (Diagram: platter with SA = Service Area, UA = User Area)

Replaceability with Donor Part, Disk: NO. Data is recorded into platters. Replacement means nothing.

Replaceability with Donor Part (HSA: YES, SPM: YES, PCB: YES, FW: YES & NO, Disk: NO): If unique parts are corrupt, there is no way to recover data.

The Most Difficult problem is Platter Damage 3.5inch PATA

The Most Difficult problem is Platter Damage 2.5inch SAS

For a long time, DR from a scratched disk has been impossible. If the surface is partially damaged, there should be recoverable data in the areas which were not damaged.

Why is it so difficult to read a damaged surface? Let’s take an extremely close look at Disk & Head!

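Disk Surface & Slider (diagram): The slider carrying the R/W head flies above the rotating disk at a flying height of 1-3 nm. Disk layers from the top: Lubricant Layer, Diamond Like Carbon Coating Layer, Magnetic Layer. Dimension labels on the diagram: 3nm, 1nm. Disk Rotation Direction →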

Slider: The gap between Head and Disk is very small. Flying Height 1-3nm

How head crash damages the surface (diagram in three stages; labels: Slider, R/W Head, Lubricant Layer, DLC Layer, Magnetic Layer)

Cause of malfunction of HSA when reading damaged surface
1. Scratch is not the main cause of the bad operation of Head Stack Assembly
2. Particles on the surface stick to sliders.
3. Slider’s flying becomes unstable because of the particles on the surface of the disk and the sliders.
So, let’s clean the surface!

Disk Burnishing Process

NO DUST NO PROBLEM

The 1st step of the research completed with a good result: 0.02% 94% UP! Newspaper: Nikkei Business Daily, 26th September 2013

Precise surface analyzing is required for better recovery Optical Surface Analyzer

July 2012, research was started by Prof. Hiroshi Tani @ Kansai Univ.

What we can do BEFORE disaster occurs: Physical Damage caused by Software??? (Software destroys hardware???)

Structure of HDD

What is the HDD’s Boot Sequence ? Start Finish Let’s go to the finish line together with everyone !

HDD’s Boot Sequence: PowerON → Ready. The drive needs to complete each sequence, then it can reach “Ready” mode.

FirmWare & Service Modules ( Service Area )

User Area & Service Area (diagram: SA = Service Area, UA = User Area)

SA Modules
• P-List : Primary Defect List
• G-List : Growth Defect List
• Translator : LBA access ↔ PBA access
• S.M.A.R.T. : Self-Monitoring Analysis and Reporting Technology

Defects (diagram: × marks on the platter). Defects info = Position of Bad Sectors in PBA

Defects info is unique to each disk (diagram: each platter shows a different pattern of × marks).
P-List : Primary Defect List
G-List : Growth Defect List

Number of Defects

PBA and LBA: LBA exists logically upon PBA. The following shows good sectors from address 0.
Physical Block Address → 0 1 2 3 4 5
Logical Block Address → 0 1 2 3 4 5

Defects Controlling
Physical address → 0 1 2 3 4 5
Logical address → 0 1 2 3 4
P-List Table: 2, ...

Translator: Converter function between LBA and PBA. If the translator is broken, no data is accessible. One of the most important modules.
Diagram: Access request from host → translator (SA) → access to the physically assigned position on the platter. Labels: PBA (physical address), LBA (logical address). Example address values shown: 0001 0687 1968 3786 9821 and 0001 0508 3544 9871 0051.
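
The defect-skipping translation described on the P-List and Translator slides, as an added example (not code from the talk or from any drive firmware). It assumes the P-List is a flat list of defective PBAs that are simply skipped; the function names and the patient/donor lists are constructed. It also shows why defect info being unique to each disk matters: reading a platter through another drive's P-List returns wrong sectors.

```python
from bisect import bisect_left

def lba_to_pba(lba, p_list):
    """Sector slipping: defective PBAs in the P-List are skipped, so every
    defect at or before the target pushes the LBA one physical sector on."""
    pba = lba
    for defect in sorted(set(p_list)):
        if defect > pba:
            break
        pba += 1
    return pba

def pba_to_lba(pba, p_list):
    """Inverse mapping; a PBA listed in the P-List holds no LBA (None)."""
    defects = sorted(set(p_list))
    i = bisect_left(defects, pba)
    if i < len(defects) and defects[i] == pba:
        return None
    return pba - i

def write_disk(blocks, p_list, n_physical):
    """Lay out logical blocks on a simulated platter through the translator."""
    platter = [None] * n_physical
    for lba, block in enumerate(blocks):
        platter[lba_to_pba(lba, p_list)] = block
    return platter

def read_disk(platter, p_list, n_lbas):
    """Read LBAs 0..n_lbas-1 back through a (possibly wrong) translator."""
    return [platter[lba_to_pba(lba, p_list)] for lba in range(n_lbas)]

def mismatched_lbas(expected, got):
    """LBAs whose content differs from what was written."""
    return [lba for lba, (e, g) in enumerate(zip(expected, got)) if e != g]

# Constructed sample data (not taken from a real drive).
SLIDE_P_LIST = [2]        # the single defect shown on the slide
PATIENT_P_LIST = [2, 7]   # hypothetical defects of the damaged drive
DONOR_P_LIST = [5]        # hypothetical defects of a donor drive
BLOCKS = [f"blk{i}" for i in range(10)]
PLATTER = write_disk(BLOCKS, PATIENT_P_LIST, n_physical=12)

if __name__ == "__main__":
    print([lba_to_pba(l, SLIDE_P_LIST) for l in range(5)])
    own = read_disk(PLATTER, PATIENT_P_LIST, len(BLOCKS))
    donor = read_disk(PLATTER, DONOR_P_LIST, len(BLOCKS))
    print("own P-List mismatches:  ", mismatched_lbas(BLOCKS, own))
    print("donor P-List mismatches:", mismatched_lbas(BLOCKS, donor))
```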

SA Modules are loaded into PCB (diagram: the SA Modules load one after another) → Complete (^o^)

When SA Modules loading completes fine: PowerON → Ready → LBA Zone. “Wow, I did it! I have access to all data!”

Damage of SA Module (diagram: one of the SA Modules fails to load) → Error: Can’t Read, or Module is corrupted → ABORT

Damage of SA Module: No LBA Access (PowerON → Ready → LBA Zone). “I can’t access the LBA zone, because there was an SA module error. The data should be in the LBA Zone, but I cannot access LBA 0.” (Diagram labels: SA, LBA, HDD)

NO SA NO DATA

If the SA module error was caused intentionally by ...

Intentional Damage to SA module (diagram: one of the SA Modules is damaged) → Error: Can’t Read, or Module is corrupted → ABORT → Damage of SA Module: No LBA Access

BARUSER Let’s see what happens to HDD

BARUSER = BARUSU + ER

Main Concept of HiDR ( High Integrity Data Recovery ): WD10EADS-22M2B0, SA: 397. 7 ÷ 397 = 1.76%. Only 1.76%

Hot Swap Method Patient PCB

Main Concept of HiDR ( High Integrity Data Recovery )
• Non-Destructive Method even for HDD which doesn’t give its device ID.
• The least access to the magnetic disk for its booting is enough for data recovery.
• It is good to know the details of SA modules because the integrity of the data recovery process becomes very high.
• Do not rely too much upon clean rooms because the inside of the clean room is not always clean.

Security or Utility: Hacked / Cracked. Good for preventing data leakage. Bad for future data use.

HDD customization against Future SA Damage (diagram: platters and heads, Head 0 to Head 5; Head Map)
• System Head / System Disk
• SA exists only on the system disk, h0 and h1
• SA Region for h2, h3, h4, h5 are empty
• Utilize the empty zone for SA backup!

http://www.disaster-data-recovery.com/
Initial Response Guideline For Disaster Affected HDD
1. Do NOT Power ON!
2. Do NOT Dry before cleaning!
3. Sea Water should be removed ASAP!

NO DATA NO LIFE Thank you very much 감사합니다 Muchas Gracias Благодарю вас
