Atola Technology

Verifying Damaged Target Images with Segmented Hashing

Last November the Atola Technology team presented a new hashing method called Segmented hashing. Unlike conventional linear hashing, segmented hashing produces not a single hash but a list of hashes, one per LBA range of the image, saved to a CSV file in this format:

Hash, start LBA, end LBA

If every hash on the list verifies, you have proved that the entire image (every range that was readable when the hashes were computed) is unmodified; if one fails, the damage is localised to that LBA range. For more information about this hashing method, please follow this link: Segmented Hashing.

While this method of hashing has a number of benefits for forensic specialists, among its strongest advantages is its applicability to damaged drives.

For one, this non-linear hashing method allows calculating hashes of the good areas of evidence media, while bad areas that cannot be read or imaged are left out of the calculation.

Secondly, if your acquired evidence image is damaged at some point in the future, a regular linear hash simply fails verification and the entire image becomes unusable as evidence, whereas with segmented hashes only the hash of the damaged segment becomes invalid. For example, on a 4 TB drive with the default 4 GB segment size, one invalid hash accounts for only 0.1% of the drive, and the remaining 99.9% of the hashes can still be verified.

Verifying segmented hashes

Suppose you have imaged a source drive, calculated its segmented hashes, and stored the CSV file on your computer. Let's simulate a change to the evidence image to see how segmented hashing identifies the areas whose integrity is intact.

Step 1. Select the target image in the top Port bar. In the Disk Editor subcategory of the Device Utilities category of the left-side menu, we can open any sector of the drive. There we change one byte in sector #35,000,000.

Change one byte in Disk Editor


Step 2. In the Hashing category of the left-side menu there is a Verifying Segmented Hashes subcategory. This is an automated way to verify the segmented hashes in an existing CSV file against the target image. Select the file with the segmented hashes calculated during imaging and click Start.

Start segmented hash verification


Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. The hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress


Step 4. When verification finishes, a case report is created automatically, also in CSV format.

Segmented hash verification report

This is how segmented hashing keeps a small damaged area of the evidence target from invalidating the whole image: only the affected range fails, and everything else remains verifiable.
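The whole round trip described above (compute the segmented hash list, store it in the Hash, start LBA, end LBA CSV layout, change one byte, verify and find the single failing range), as an added Python example that is not Atola's code. It also covers the multi-pass and bad-sector behaviour discussed later under Calculating Hash During Imaging: sectors may arrive in any order and a segment is only hashed once all passes are done. Assumptions: 512-byte sectors, an inclusive end LBA, and a segment that is split around unreadable sectors so that only data actually imaged is hashed; the sample image and its slow and unreadable sectors are constructed in the code.

```python
"""Segmented hashing of a raw image, end to end.

Added example, not Atola's code. Assumptions: 512-byte sectors, the end LBA in
each CSV row is inclusive, and a segment is split around sectors that could not
be read so that only data actually imaged is hashed. Sectors may arrive in any
order (multi-pass imaging); a segment is only hashed once all passes are done."""
import csv
import hashlib
import io

SECTOR = 512
ALGO = "sha256"


class SegmentedHasher:
    def __init__(self, total_sectors, seg_sectors):
        self.total, self.seg = total_sectors, seg_sectors
        self.sectors = {}   # lba -> 512 bytes already written to the target image
        self.bad = set()    # lbas given up on after the final pass

    def add(self, lba, data):
        if len(data) != SECTOR:
            raise ValueError("one sector at a time")
        self.sectors[lba] = data

    def mark_bad(self, lba):
        self.bad.add(lba)

    def rows(self):
        """(hash, start LBA, end LBA) for every readable run inside each segment."""
        rows, lba = [], 0
        while lba < self.total:
            seg_end = min(lba + self.seg, self.total)   # exclusive
            h = start = None
            for s in range(lba, seg_end):
                if s in self.bad or s not in self.sectors:
                    if h is not None:                   # close the run before the gap
                        rows.append((h.hexdigest(), start, s - 1))
                        h = None
                    continue
                if h is None:
                    h, start = hashlib.new(ALGO), s
                h.update(self.sectors[s])
            if h is not None:
                rows.append((h.hexdigest(), start, seg_end - 1))
            lba = seg_end
        return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Hash", "start LBA", "end LBA"])
    writer.writerows(rows)
    return buf.getvalue()


def from_csv(text):
    reader = csv.reader(io.StringIO(text))
    next(reader)                                        # header row
    return [(h, int(a), int(b)) for h, a, b in reader]


def verify(image, rows):
    """Re-hash each listed LBA range of `image`; return the ranges that fail."""
    failed = []
    for hexdigest, start, end in rows:
        h = hashlib.new(ALGO)
        h.update(image[start * SECTOR:(end + 1) * SECTOR])
        if h.hexdigest() != hexdigest:
            failed.append((start, end))
    return failed


def make_image(n):
    """Constructed sample: n sectors of deterministic pseudo-random content."""
    return bytearray(b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() * 16
                              for i in range(n)))


def demo(total=64, seg=16, slow=frozenset({5, 40}), unreadable=frozenset({20}), flip=35):
    """Two-pass acquisition of a damaged source, then a one-byte change and verification.
    Returns (rows parsed back from the CSV, ranges that failed verification)."""
    src = make_image(total)
    sh = SegmentedHasher(total, seg)
    for lba in range(total):                           # pass 1: skip slow/bad sectors
        if lba not in slow and lba not in unreadable:
            sh.add(lba, bytes(src[lba * SECTOR:(lba + 1) * SECTOR]))
    for lba in slow | unreadable:                      # pass 2: retry what was skipped
        if lba in unreadable:
            sh.mark_bad(lba)
        else:
            sh.add(lba, bytes(src[lba * SECTOR:(lba + 1) * SECTOR]))
    text = to_csv(sh.rows())
    assert verify(src, from_csv(text)) == []           # untouched image verifies
    src[flip * SECTOR + 7] ^= 0xFF                     # the Disk Editor step above
    return from_csv(text), verify(src, from_csv(text))
```

With 64 sectors, 16-sector segments and sector 20 unreadable, demo() yields five rows (0-15, 16-19, 21-31, 32-47, 48-63): the segment containing the bad sector is split around it rather than dropped, and after the byte flip in sector 35 only the 32-47 range fails verification.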

Extracting and Resetting an Unknown ATA Password

Insight can recover and/or remove unknown HDD passwords (also known as ATA passwords), and for most hard drives the unlocking process is fully automated.

When a connected device is identified as locked with an ATA password, a PWD indicator is displayed in the port, and Security Status on the Home page reads Locked, High or Locked, Maximum. High and Maximum are the ATA security levels that the operator who locked the device selected: at the High level the master password can unlock the drive, while at Maximum it can only erase it. This may be relevant to the investigator, but both levels are supported by Insight's password recovery, so the distinction does not matter for the purpose of this guide.


To perform a complete Diagnostics, Insight needs the hard drive unlocked. Therefore, when dealing with a locked device, perform password recovery before running the Automatic Checkup.

Password Extraction, Reset and Reset until power cycle

Under the Device Recovery category of the left-side menu select the Password Recovery subcategory. There are three options for dealing with a locked hard drive:

  • To display the password without unlocking the device at this point, click the Extract button. This option does not require write protection on the source port to be switched off.
  • To work with the data on the drive without permanently resetting the password, tick the Reset Password until power cycle checkbox and then click the Reset button. Write protection stays enabled on the source port, so no changes can be made to the drive.

NB. If the Reset Password until power cycle option is selected, power cycles executed during Automatic Checkup, imaging or other operations will not affect the temporarily unlocked status of the device. Only a deliberate power cycle, such as clicking the Power button, returns the drive's Security status to Locked.

  • Finally, to permanently unlock the device, switch off write protection and then click the Reset button.

For the list of hard drives currently supported by Insight’s automatic password recovery, please follow this link.

Please note that this guide is applicable to all supported Samsung, Toshiba and Western Digital hard drives. To unlock a Seagate drive, please connect the device to the Serial port of the DiskSense unit and then follow the same steps. Hitachi drives require the use of the password extraction adapter: for more information please follow this link.

Lifting HPA and DCO restrictions

Both HPA (host protected area) and DCO (device configuration overlay) were created by hard drive manufacturers as hidden areas for storing vendor utilities, or simply to make a drive report a certain number of sectors (smaller than its actual capacity). But end users learned long ago to modify and write to these areas with open-source and freely available tools. For digital forensics specialists this means that unless they can identify such hidden areas and acquire a full physical image that includes the data in them, the evidence they obtain may be incomplete and lead to inaccurate investigative conclusions.

When you connect a hard drive to the DiskSense unit, in addition to the standard Identify device command, Atola Insight Forensic automatically sends two more commands to look up the drive size as recorded in the drive's firmware: Read native max address and Device configuration identify. If the drive size has been limited by DCO or HPA, Insight draws attention to this by adding the corresponding red indicators to the DiskSense Source Port.

To get more details about the modifications that have been made to the drive’s firmware, run Automatic Checkup and see the Firmware section of the Diagnostics report.

There you will see three lines showing the drive's Max Address according to different records in the drive's firmware:

  1. The Max Address according to device ID line shows the max address from the ID sector, which is affected by both HPA and DCO restrictions if they are applied.
  2. Native Max Address shows the max address ignoring any HPA that may be enabled, but still subject to any DCO restriction.
  3. Max Address from DCO gives the drive's actual size.

A Diagnostics report for a drive with neither HPA nor DCO active shows the same value in all three lines. A Native Max Address larger than the device ID value indicates an HPA, and a DCO value larger than the Native Max Address indicates a DCO restriction; in each case the difference is the number of hidden sectors.
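How these indicators are derived from the drive's own data, as an added Python example that is not Atola's code. It decodes a raw IDENTIFY DEVICE sector to produce the Security Status label used in the password recovery section above (word 128: supported, enabled, locked and frozen bits, with bit 8 selecting High or Maximum) and the Max Address according to device ID (words 60-61, or 100-103 when 48-bit addressing is supported), then compares it with the Native Max Address and DCO values, which are passed in as plain integers because Read native max address and Device configuration identify need ATA pass-through to issue. Word and bit positions follow the ATA/ATAPI Command Set specification; the IDENTIFY sector used as input is constructed in the code.

```python
"""Decode the IDENTIFY DEVICE fields behind the Locked/High/Maximum, HPA and DCO
indicators. Added example, not Atola's code; word and bit positions follow ATA8-ACS."""
import struct


def identify_words(sector: bytes) -> list:
    """512-byte IDENTIFY DEVICE output -> 256 little-endian 16-bit words."""
    if len(sector) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    return list(struct.unpack("<256H", sector))


def security_status(w) -> dict:
    st = w[128]                               # word 128: security status
    return {
        "supported": bool(st & 0x01),
        "enabled": bool(st & 0x02),
        "locked": bool(st & 0x04),
        "frozen": bool(st & 0x08),
        "count_expired": bool(st & 0x10),     # too many wrong passwords since power-on
        "level": "Maximum" if st & 0x100 else "High",
    }


def security_label(w) -> str:
    """The text shown as Security Status, derived from word 128."""
    s = security_status(w)
    if not (s["supported"] and s["enabled"]):
        return "Not enabled"
    return ("Locked, " if s["locked"] else "Unlocked, ") + s["level"]


def id_max_address(w) -> int:
    """Max Address according to device ID: 48-bit sector count from words 100-103
    when the 48-bit feature set is supported (word 83 bit 10), else words 60-61."""
    if w[83] & (1 << 10):
        count = w[100] | w[101] << 16 | w[102] << 32 | w[103] << 48
    else:
        count = w[60] | w[61] << 16
    return count - 1


def feature_support(w) -> dict:
    """Word 82 bit 10: HPA feature set; word 83 bit 11: DCO feature set."""
    return {"hpa": bool(w[82] & (1 << 10)), "dco": bool(w[83] & (1 << 11))}


def hidden_areas(id_max: int, native_max: int, dco_max: int) -> dict:
    """Compare the three Max Address lines of the Diagnostics report."""
    return {
        "hpa": native_max > id_max,           # HPA hides native_max - id_max sectors
        "hpa_sectors": native_max - id_max,
        "dco": dco_max > native_max,          # DCO hides dco_max - native_max sectors
        "dco_sectors": dco_max - native_max,
        "true_sectors": dco_max + 1,
    }


def sample_identify(sectors: int, locked: bool, maximum: bool) -> bytes:
    """Constructed IDENTIFY DEVICE sector for a drive that supports security,
    HPA, DCO and 48-bit addressing; every other word is left zero."""
    w = [0] * 256
    w[82] = (1 << 1) | (1 << 10)               # security + HPA feature sets supported
    w[83] = (1 << 14) | (1 << 10) | (1 << 11)  # bit 14 is always 1; 48-bit; DCO
    lba28 = min(sectors, 0x0FFFFFFF)           # the 28-bit count saturates
    w[60], w[61] = lba28 & 0xFFFF, lba28 >> 16
    for i in range(4):
        w[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    w[128] = 0x03 | (0x04 if locked else 0) | (0x100 if maximum else 0)
    return struct.pack("<256H", *w)
```

For a 4 TB drive whose device ID reports 7,000,000,000 sectors, Native Max Address 7,499,999,999 and DCO 7,814,037,167, hidden_areas() reports both an HPA of 500,000,000 sectors and a DCO clip of 314,037,168 sectors, which is exactly what the three report lines let you read off by hand.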

To disable any limitations applied to the drive's firmware, open the Unclip HPA/DCO subcategory under the Device Utilities category of the left-side menu and click the Unclip button.

Please note that the Write Protection switch on the DiskSense unit must be disabled to perform this operation: Unclip HPA/DCO changes the drive's firmware settings, and Write Protection does not allow such changes. The change is permanent; if your procedures forbid altering the evidence drive, use the temporary option described in the next section.

Atola Insight Forensic lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

Lift HPA until power cycle

Often, due to internal procedures, forensic specialists are not allowed to make any changes to the drive and therefore cannot permanently disable HPA and DCO restrictions to access the hidden areas. With Atola Insight Forensic it is possible to lift the HPA limitation until the next power cycle, which avoids permanent changes to the drive.

To use this feature, go to the Host Protected Area subcategory of the Device Utilities category of the menu and click the Read HPA parameters link. Clicking the Set as current link automatically changes the Current Max Address value to that of the Native Max Address. Then tick the Change Max Address temporarily (until power cycle) checkbox and click the Change Max Address button.

This allows access to the data in the area previously protected by the HPA, yet as soon as you power off or detach the drive, the HPA is in place again. Note that this temporary mode exists only for HPA: DCO has no volatile variant, so lifting a DCO restriction is always a persistent change to the drive.

NB If the drive contains damaged areas and Insight needs to perform power cycles during imaging, such power cycles do not undo the temporarily lifted HPA: Insight re-applies the temporary max address change after each imaging-related power cycle, so the HPA remains accessible throughout the imaging process.

For more information about imaging of freezing drives, please follow this link.

Calculating Hash During Imaging

Atola Insight Forensic supports hash calculation of both source and target devices in conjunction with imaging. The functionality is flexible enough to fit an organisation's internal procedures while avoiding further damage to fragile media.

To view the hashing options:

  1. Go to Imaging category of the left-side menu and click on Create New Session link
  2. Select the target device or file
  3. In Preset line click on the Show settings link
  4. In the upper part of the Passes and Hash tab there are three checkboxes:
  • Pre-hash source device
  • Hash source during imaging
  • Post-hash target device(s)

Any combination of the three can be selected, including all of them.

However, the Pre-hash source device option must be used with caution: although pre-hashing may be required by an investigator's internal procedures, on a drive diagnosed with hardware failure this extra full read may cause further damage before the essential data has been imaged.

By contrast, Hash source during imaging is the most appropriate way to hash a fragile source evidence drive: Insight reads the data once to both image it and calculate the hash, keeping use of the drive's hardware to a minimum.

NB A linear hash can only be calculated by reading the sectors consecutively in a single pass. Therefore ticking the Hash source during imaging checkbox and selecting Linear, or the combined Linear and Segmented option, in the Hashing method drop-down menu limits imaging to one pass. When dealing with a damaged drive, we strongly recommend Segmented hashing: it supports multi-pass imaging and bad-sector handling, and provides better resilience against later data corruption. For more details please follow this link: Segmented hashing.

The Post-hash target device(s) option records the calculated hash of the target in the case. Since it reads only the target and never the source drive, it is safe to use when imaging either good or damaged drives.

Imaging a Source Drive to an E01 File with a Double Hash

In recent years, the E01 file format has become the de facto standard for forensic purposes thanks to its ability to store not only a physical or logical copy of a source drive but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To image a source evidence drive to an E01 file you have to add a new target file.

Selecting a new E01 file

1. In Imaging category of the left-side menu you can click on Create New Session link and in the Target Device Selection window click on Add Image File link.

2. In the Image File Selection window select E01 file extension in the drop-down menu to create an image file with this extension and type the name you prefer in the File Name field.

3. Fill out all the relevant fields in the Image File Options window (you can also do this later on the Home page of the file once it is created).

4. Click on Select button in the Target Device Selection window.

As a result, an E01 file is created with a current size of 0 bytes (its final size is determined by the amount of imaged data it contains plus the metadata).

Imaging & calculating the hashes

  1. Go to Imaging category of the left-side menu and click on Create New Session link
  2. In Preset line click on the Show settings link
  3. In Passes and Hash tab check the Hash source during imaging box
  4. In Hash method drop-down menu select Linear (as noted in the previous section, a linear hash limits imaging to a single pass)
  5. In Hash type drop-down menu select MD5 and SHA-1
  6. Click on Start imaging button

Upon completion of imaging, both the MD5 and SHA-1 hashes are shown on the Imaging Results page.
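The two hashing steps of this procedure, Hash source during imaging with MD5 and SHA-1 together followed by a post-hash of the target, as an added Python example that is not Atola's code. It writes a raw image rather than an E01 container (producing E01 needs libewf/pyewf and is not shown), but the point it demonstrates is the same: the source is read exactly once while both digests are fed from the same bytes, and the target is then re-read on its own and compared. The 3 MiB source file is constructed in the code.

```python
"""One-read double hash plus target post-hash.

Added example, not Atola's code. It writes a raw image rather than an E01
container, but the steps are those of the procedure above: the source is read
exactly once while MD5 and SHA-1 are fed together, and the target is then
re-read on its own (never the source) to confirm what was written."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB reads


def dual_digest(chunks):
    """Feed every chunk to MD5 and SHA-1 at once; return both hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def image_with_hashes(src_path, dst_path):
    """Hash source during imaging: each byte is read from the source once and
    written to the target as it passes through the two digests."""
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        def tee():
            while chunk := src.read(CHUNK):
                dst.write(chunk)
                yield chunk
        return dual_digest(tee())


def post_hash_target(dst_path):
    """Post-hash target device: re-reads only the target, never the source."""
    with open(dst_path, "rb") as dst:
        return dual_digest(iter(lambda: dst.read(CHUNK), b""))


def demo():
    """Constructed 3 MiB source; returns (hashes from imaging, target matches?)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "source.bin"), os.path.join(d, "evidence.raw")
        with open(src, "wb") as f:
            for i in range(3 * 1024):
                f.write(hashlib.sha256(i.to_bytes(4, "big")).digest() * 32)  # 1 KiB each
        acquired = image_with_hashes(src, dst)
        return acquired, acquired == post_hash_target(dst)
```

If the post-hash of the target ever differs from the hashes recorded during imaging, the target copy is suspect (write error, media fault, later modification) while the source evidence was never touched a second time to find that out.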