

Forensic limbo: Towards subverting hard disk firmware bootkits
Institution:2. Department of Anesthesia, Critical Care and Pain Medicine, Beth Israel Deaconess Medical Center, Harvard Medical School, Boston, MA;3. Department of Anesthesia and Pain Management, Toronto General Hospital, University Health Network, University of Toronto, Toronto, Canada;1. Teesside University, United Kingdom;2. National Institute of Standards and Technology, United States;1. Dept. of Computer Science, Royal Holloway, University of London, UK;2. IRIT, University of Toulouse III, 31062 Toulouse, France;3. Insight Centre for Data Analytics, University College Cork, Ireland;4. Department of Computer Science, University of Oxford, UK
Abstract: We discuss the problem that malicious hard disk firmware poses for forensic data acquisition. To this end, we analyzed the Western Digital WD3200AAKX model series (16 different drives) in depth and outline methods for detecting and subverting current state-of-the-art bootkits that may be located in these particular hard disks' EEPROMs. We further extend our analysis to a total of 23 different hard drive models (16 HDDs and 7 SSDs) from 10 different vendors and provide a theoretical discussion of how hard disk rootkits residing in the firmware overlays and/or modules stored in the special storage area on a HDD, called the Service Area, could be detected. For this, we outline the debug interfacing possibilities of the various hard disk drives and how they can be used to perform a live analysis of the hard disk controller, such as dumping its memory over JTAG or UART, or accessing the Service Area via vendor-specific commands over SATA.
Keywords: Anti-forensics; Hard disk firmware rootkit; Hard disk firmware bootkit