Magnetic Hard Drives Module 1 Magnetic Hard Drives

Magnetic Hard Drives Module 1 - Magnetic Hard Drives

Trainer: Dr. Andrew Blyth, Ph.D.

What does ICT Disposal mean to you?

Disk Manufacturers

Magnetic Computer Hard Drive

• Current max size for a magnetic computer hard drive is 12 TB

SATA Device Connector

[Figure: Appearance of Serial ATA connectors (drawing courtesy of Molex). Labels: device plug connector; Serial ATA signal connector (pin S1); Serial ATA power connector (pin P1); host receptacle connector. Device connector sizes and locations: 2.5" serial (power, signal); 3.5" serial (power, signal, legacy power, vendor specific); a 5.25" form factor is also defined for devices like tape drives and DVDs. In comparison, 3.5" parallel: parallel ATA signals, 4-pin power.]

The Disk Interface

• Small Computer System Interface (SCSI) was standard on servers, workstations, Commodore Amiga, Atari ST and Apple Macintosh computers through the mid-1990s.
• Integrated Drive Electronics (IDE), later standardized under the name AT Attachment (ATA, with the alias P-ATA or PATA (Parallel ATA) retroactively added upon introduction of SATA), moved the HDD controller from the interface card to the disk drive.
• This helped to standardize the host/controller interface, reduced the programming complexity in the host device driver, and reduced system cost and complexity.
• Fibre Channel (FC) is a successor to the parallel SCSI interface in the enterprise market. It is a serial protocol. In disk drives the Fibre Channel Arbitrated Loop (FC-AL) connection topology is usually used. FC has much broader usage than mere disk interfaces, and it is the cornerstone of storage area networks (SANs).
• Serial Attached SCSI (SAS) is a new-generation serial communication protocol for devices, designed to allow much higher speed data transfers, and is compatible with SATA. SAS uses serial communication instead of the parallel method found in traditional SCSI devices but still uses SCSI commands.
• Serial ATA (SATA). The SATA data cable has one data pair for differential transmission of data to the device, and one pair for differential receiving from the device.

The ATA Standard

• This standard defines the commands that the disk drive will execute.
• Standard commands include:
  • ReadLBA
  • ReadMultipleLBA
  • WriteMultipleLBA
• Commands relating to the firmware include:
  • Identify Device
  • SmartRead
• There is also a section in the standard that says disk vendors can add their own commands.

Disk Drive Technology

• Hard disks may originate in the actual device or may be used as external storage. There are several types of device and connector: SCSI, ATA, etc.

Disks from the Outside

• Manufacturer's labels: serial number, disk size, model / type, jumper settings (M.S.CS).
• Plus other useful information:
  • Date of manufacture
  • Country of manufacture
  • Firmware edition
  • Model information: WD 1200 JB-32 AAA 0
    • 12000 is the capacity
    • JB are family and rotation speed (J) and interface (B)
    • (AA) describes the PCB design of the hardware

Disks from the Outside

• The PCB has a number of key components:
  • CPU microchip – modern disks use ARM core processors
  • A motor controller microchip
  • ROM microchip
  • Various components for controlling voltages etc., including fuses.
• The CPU, ROM and motor controller chips all have some form of manufacturer marking which can be used to identify possible replacements.

[Figure labels: ROM/BIOS; Cache Chip; Motor Control Chip; CPU/Main Controller IC]

How we Store Data

Internal Components

• A modern HDD is a complex device with a number of internal components. These include: platters, head armature, voice coil, magnet, read / write heads, motor, mountings and air filters.

The Physical Build

Error Correction

• Modern drives make extensive use of error correction codes (ECCs).
• These techniques store extra bits, determined by mathematical formulas, for each block of data; the extra bits allow many errors to be corrected invisibly.
• The extra bits themselves take up space on the HDD, but allow higher recording densities to be employed without causing uncorrectable errors, resulting in much larger storage capacity.
• For example, a typical 1 TB hard disk with 512-byte sectors provides additional capacity of about 93 GB for the ECC data.

Inside the Hard Disk

• The sector is the smallest addressable unit. A specific sector can be addressed by using the cylinder address (C), the head (H) and the sector (S).
• The CHS method has been replaced by the Logical Block Address (LBA) method, which assigns a sequential address to each sector (but which may not relate to its physical location).

The Heads and the Platters

Questions

Group Discussion

How do we perform data sanitization on a standard computer hard disk?

DCO and HPA

• Host Protected Area (HPA): can be identified by the commands READ_NATIVE_MAX_ADDRESS, which provides the total sectors on the disk, and IDENTIFY_DEVICE, which provides the total sectors a user can identify.
• Device Configuration Overlay (DCO): similar to the HPA, and can exist at the same time. It can be detected using READ_NATIVE_MAX_ADDRESS and DEVICE_CONFIGURATION_IDENTIFY.

To capture all of the data on the disk, the HPA and DCO may need to be removed.

[Figure labels: Firmware; DEVICE_CONFIGURATION_IDENTIFY; READ_NATIVE_MAX_ADDRESS; IDENTIFY_DEVICE; User Area; HPA; DCO]

HPA and DCO

• The Host Protected Area (HPA) is defined as:
  • A reserved area of the hard disk drive.
  • It was designed to store information in such a way that it cannot be easily modified, changed, or accessed by the user, BIOS or OS.
  • The area can contain information ranging from HDD utilities, to diagnostic tools, as well as boot sector code.
• The Device Configuration Overlay (DCO) allows system vendors to purchase hard disks (HDDs) from different manufacturers and potentially of different sizes, and then to configure all HDDs to have the same number of sectors.
  • An example of this is using a DCO to make a 500 GB hard disk look like a 320 GB hard disk.
  • This is used in RAID storage arrays.

The Host Protected Area

• The Host Protected Area (HPA) as defined is a reserved area on a hard disk drive (HDD). It was designed to store information in such a way that it cannot be easily modified, changed, or accessed by the user, BIOS, or the OS.
• This area can contain information ranging from HDD utilities, to diagnostic tools, as well as boot sector code. The HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS.
• Using Linux, there are various ways to detect the existence of an HPA. Recent versions of Linux will print a message when the system is booting if an HPA is detected. For example:

    dmesg | less
    hdb: Host Protected Area detected.
        current capacity is 12000 sectors (6 MB)
        native capacity is 120103200 sectors (61492 MB)

• Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software.

The Role of Firmware

• No disk is manufactured flawless; there will be some sectors on the drive which cannot be used.
• At the time of production these flaws are recorded in the disk firmware as the ‘P’ (permanent / primary / production) list.
  • This is called the P-List.
• As the disk ages, through wear and tear other sectors may fail – this is recorded in the ‘G’ (growth) list. This is transparently handled by the disk and occurs ‘beneath’ the operating system.
  • This is called the G-List.
• The potential impact in terms of forensic recovery:
  • The G-list may become full and as a result the disk may stop working*
  • When wiping the disk, the sectors in the lists are not seen by the OS, so data may be left on these bad sectors.
  • It may also be possible to manipulate these lists to conceal information in a ‘bad’ sector: the potential for steganography.

The Device Configuration Overlay

• Device Configuration Overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in the DCO, it is not accessible by the BIOS or the user. However, certain tools can be used to modify the DCO.
• The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are non-existent or that the drive is smaller than it actually is.
• To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive.
• Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command.
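The comparison described on the HPA and DCO slides, as an added example that is not part of the original slides: it parses the kernel message quoted on the Host Protected Area slide and sizes the HPA and DCO from the three sector counts, so the amount of disk a user-area wipe or image would miss is explicit. The function names, the 512-byte sector size and the DCO sector count are assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Kernel message as quoted on the Host Protected Area slide.
KERNEL_LOG = """\
hdb: Host Protected Area detected.
        current capacity is 12000 sectors (6 MB)
        native capacity is 120103200 sectors (61492 MB)
"""

HPA_MSG = re.compile(
    r"(?P<dev>\w+): Host Protected Area detected\.\s*"
    r"current capacity is (?P<cur>\d+) sectors.*?"
    r"native capacity is (?P<nat>\d+) sectors",
    re.DOTALL,
)


@dataclass(frozen=True)
class HiddenAreas:
    user_sectors: int  # reported by IDENTIFY_DEVICE
    hpa_sectors: int   # READ_NATIVE_MAX_ADDRESS count minus IDENTIFY_DEVICE
    dco_sectors: int   # DEVICE_CONFIGURATION_IDENTIFY count minus native max

    @property
    def unreachable_bytes(self) -> int:
        """Bytes that a wipe or image of the user area alone never touches."""
        return (self.hpa_sectors + self.dco_sectors) * SECTOR_BYTES


def hidden_areas(identify: int, native_max: int, dco_max: int) -> HiddenAreas:
    """Arguments are sector counts (highest LBA + 1) and must nest."""
    if not 0 < identify <= native_max <= dco_max:
        raise ValueError("expected IDENTIFY <= NATIVE_MAX <= DCO_IDENTIFY")
    return HiddenAreas(identify, native_max - identify, dco_max - native_max)


def parse_hpa_message(log: str) -> tuple[str, int, int] | None:
    """Return (device, current_sectors, native_sectors) from kernel log text."""
    m = HPA_MSG.search(log)
    return (m["dev"], int(m["cur"]), int(m["nat"])) if m else None


if __name__ == "__main__":
    dev, current, native = parse_hpa_message(KERNEL_LOG)
    # Constructed value: the slide gives no DCO figure for this drive.
    areas = hidden_areas(current, native, dco_max=156301488)
    print(dev, areas, f"{areas.unreachable_bytes / 1e9:.1f} GB outside the user area")
```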

The Role of Firmware

• Firmware performs a number of key functions:
  • Defect control via P and G lists
  • LBA to CHS mapping (U list)
  • SMART logs
  • + others: device model number, capacity, etc.
• Some of these can be manipulated, possibly to the advantage of a suspect, possibly by an investigator recovering a disk.

The Role of Firmware

• Part of the firmware converts the LBA to the actual CHS locations on the disk. So

    A = (C * Nheads + H) * Nsectors + (S - 1)

• Where
  • A is the LBA address
  • Nheads is the number of heads on the disk
  • Nsectors is the number of sectors per track
  • C, H, S is the CHS address
• So
  • For geometry 1020 16 63 of a disk with 1028160 sectors, CHS 3 2 1 is LBA 3150 = (3 * 16 + 2) * 63
  • For geometry 1008 4 255 of a disk with 1028160 sectors, CHS 3 2 1 is LBA 3570 = (3 * 4 + 2) * 255
  • For geometry 64 255 63 of a disk with 1028160 sectors, CHS 3 2 1 is LBA 48321 = (3 * 255 + 2) * 63
  • For geometry 2142 15 32 of a disk with 1028160 sectors, CHS 3 2 1 is LBA 1504 = (3 * 15 + 2) * 32
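The mapping above in code, as an added example that is not part of the original slides: it implements the slide's formula together with its inverse and runs the four geometries listed. It goes one step beyond the slide by also translating an LBA back to CHS and rejecting addresses outside the geometry; the class and function names are assumptions.

```python
from __future__ import annotations
from typing import NamedTuple


class Geometry(NamedTuple):
    cylinders: int
    heads: int              # Nheads in the slide's formula
    sectors_per_track: int  # Nsectors in the slide's formula

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """A = (C * Nheads + H) * Nsectors + (S - 1); sectors are numbered from 1."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads
            and 1 <= s <= geo.sectors_per_track):
        raise ValueError(f"CHS {c}/{h}/{s} is outside geometry {tuple(geo)}")
    return (c * geo.heads + h) * geo.sectors_per_track + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple[int, int, int]:
    """Inverse mapping: peel off the sector, then the head, then the cylinder."""
    if not 0 <= lba < geo.total_sectors:
        raise ValueError(f"LBA {lba} is outside a {geo.total_sectors}-sector disk")
    track, s0 = divmod(lba, geo.sectors_per_track)
    c, h = divmod(track, geo.heads)
    return c, h, s0 + 1


# The four geometries from the slide; each describes the same 1028160 sectors.
SLIDE_GEOMETRIES = [
    Geometry(1020, 16, 63),
    Geometry(1008, 4, 255),
    Geometry(64, 255, 63),
    Geometry(2142, 15, 32),
]

if __name__ == "__main__":
    for geo in SLIDE_GEOMETRIES:
        lba = chs_to_lba(geo, 3, 2, 1)
        print(f"{tuple(geo)}: CHS 3/2/1 -> LBA {lba} -> CHS {lba_to_chs(geo, lba)}")
    # The same LBA read back under another geometry gives a different CHS,
    # so CHS values in case notes are meaningless without the geometry.
    print("LBA 3150 under 64/255/63:", lba_to_chs(SLIDE_GEOMETRIES[2], 3150))
```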

The Role of Firmware

• Self-Monitoring, Analysis, and Reporting Technology (SMART) is aimed at predicting drive failure.
• Part of an earlier ATA standard, it has a number of criteria which are monitored and logged as "threshold not exceeded" or "threshold exceeded". Attributes include read error, seek error, temperature, etc.
• The SMART attributes monitored depend on the manufacturer; the following all implement some level of SMART.

The P-List and G-List

• A standard hard disk maintains two lists that identify bad sectors on a hard disk, the P-List and the G-List.
• The P-List stands for the Product/Primary Defect List and is the list of bad/defective Logical Block Addresses (LBAs) identified on the drive when it is produced by the manufacturer.
• The G-List stands for the Growth Defect List and is the list of bad sectors that is maintained by the firmware and updated when an LBA goes bad.
• Commercial data recovery tools such as PC-3000 and MRTLab will allow you to access the G-List and P-List on a hard drive.

Smart Logs

• S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology; often written as SMART) is a monitoring system included in computer hard disk drives (HDDs), solid-state drives (SSDs), and eMMC drives.
• Its primary function is to detect and report various indicators of drive reliability with the intent of anticipating imminent hardware failures.
• Each drive manufacturer defines a set of attributes and sets threshold values beyond which attributes should not pass under normal operation.
• Each attribute has a raw value that can be a decimal or a hexadecimal value, whose meaning is entirely up to the drive manufacturer (but often corresponds to counts or a physical unit, such as degrees Celsius or seconds), a normalized value, which ranges from 1 to 253 (with 1 representing the worst case and 253 representing the best), and a worst value, which represents the lowest recorded normalized value.
• Tools such as smarttools, smartctl and atatools allow you to access the S.M.A.R.T. logs.
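How the normalized, worst and threshold values are read in practice, as an added example that is not part of the original slides: it parses an attribute table in the column layout printed by `smartctl -A` and flags attributes at or below their threshold. The sample rows are constructed, and treating the raw value of attribute 5 (Reallocated_Sector_Ct) as a plain count of firmware-remapped sectors is an assumption, since raw values are vendor-defined.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in the column layout that `smartctl -A` prints.
SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   133   133   140    Pre-fail  Always   FAILING_NOW 1324
  7 Seek_Error_Rate         0x002e   100   045   051    Old_age   Always   In_the_past 0
194 Temperature_Celsius     0x0022   112   098   000    Old_age   Always       -       35 (Min/Max 20/45)
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       12
"""


@dataclass(frozen=True)
class Attribute:
    id: int
    name: str
    value: int   # current normalized value
    worst: int   # lowest normalized value recorded
    thresh: int  # manufacturer threshold; 0 means informational only
    raw: str     # vendor-defined raw value, kept as text

    @property
    def failing_now(self) -> bool:
        return self.thresh > 0 and self.value <= self.thresh

    @property
    def failed_in_past(self) -> bool:
        return self.thresh > 0 and self.worst <= self.thresh < self.value


def parse_attributes(text: str) -> list[Attribute]:
    attrs = []
    for line in text.splitlines():
        f = line.split(None, 9)  # RAW_VALUE may itself contain spaces
        if len(f) == 10 and f[0].isdigit():
            attrs.append(Attribute(int(f[0]), f[1], int(f[3]), int(f[4]), int(f[5]), f[9]))
    return attrs


def remapped_sectors(attrs: list[Attribute]) -> int:
    """Raw value of attribute 5, assuming the vendor stores a plain count there."""
    return next((int(a.raw.split()[0]) for a in attrs if a.id == 5), 0)


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE)
    for a in attrs:
        state = "FAILING" if a.failing_now else "failed before" if a.failed_in_past else "ok"
        print(f"{a.id:3} {a.name:24} value={a.value} worst={a.worst} thresh={a.thresh} {state}")
    print("sectors remapped by the firmware:", remapped_sectors(attrs))
```

A non-zero remapped count means some sectors have been swapped out from under their LBAs, which is the case the firmware slides flag as unreachable by an OS-level wipe.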

Smart Logs

Questions

Group Discussion

How do we perform data sanitization on the DCO, HPA and firmware?

The RAID File System

• A RAIDed file system is all about reliability and scalability.

The RAID File System

• RAID 0
  • RAID 0 (block-level striping without parity or mirroring) has no (or zero) redundancy. It provides improved performance and additional storage but no fault tolerance. Any drive failure destroys the array, and the likelihood of failure increases with more drives in the array.
• RAID 1
  • In RAID 1 (mirroring without parity or striping), data is written identically to two drives, thereby producing a "mirrored set"; the read request is serviced by either of the two drives containing the requested data, whichever one involves least seek time plus rotational latency. Similarly, a write request updates the stripes of both drives. The write performance depends on the slower of the two writes. At least two drives are required to constitute such an array. While more constituent drives may be employed, many implementations deal with a maximum of only two. The array continues to operate as long as at least one drive is functioning.
• RAID 2
  • In RAID 2 (bit-level striping with dedicated Hamming-code parity), all disk spindle rotation is synchronized, and data is striped such that each sequential bit is on a different drive. Hamming-code parity is calculated across corresponding bits and stored on at least one parity drive. This theoretical RAID level is not used in practice.

The RAID File System

• RAID 3
  • In RAID 3 (byte-level striping with dedicated parity), all disk spindle rotation is synchronized, and data are striped so each sequential byte is on a different drive. Parity is calculated across corresponding bytes and stored on a dedicated parity drive. Although implementations exist, RAID 3 is not commonly used in practice.
• RAID 4
  • RAID 4 (block-level striping with dedicated parity) is equivalent to RAID 5 except that all parity data are stored on a single drive. In this arrangement files may be distributed among multiple drives. Each drive operates independently, allowing I/O requests to be performed in parallel. RAID 4 was previously used primarily by NetApp, but has now been largely replaced by an implementation of RAID 6 (RAID-DP).
• RAID 5
  • RAID 5 (block-level striping with distributed parity) distributes parity along with the data and requires all drives but one to be present to operate; the array is not destroyed by a single drive failure. Upon drive failure, any subsequent reads can be calculated from the distributed parity such that the drive failure is masked from the end user. RAID 5 requires at least three disks.
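RAID 5's distributed parity in code, as an added example that is not part of the original slides: it stripes a buffer across the members with rotating XOR parity, rebuilds a failed member from the survivors, and shows which data blocks remain readable on one member taken on its own. The parity rotation order, the block size and the sample record are assumptions chosen for illustration.

```python
from __future__ import annotations
from functools import reduce


def xor_blocks(blocks: list[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks (the RAID 5 parity function)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def stripe_raid5(data: bytes, n_disks: int, block: int) -> list[list[bytes]]:
    """Lay data out as per-disk block lists with parity rotating each stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires at least three disks")
    per_stripe = (n_disks - 1) * block
    data += b"\0" * (-len(data) % per_stripe)  # zero-pad the final stripe
    disks: list[list[bytes]] = [[] for _ in range(n_disks)]
    for row, off in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[off + i * block: off + (i + 1) * block]
                  for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - row) % n_disks  # assumed rotation order
        remaining = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunks) if d == parity_disk else next(remaining))
    return disks


def rebuild(disks: list[list[bytes]], failed: int) -> list[bytes]:
    """Recompute every block of one failed member from the survivors."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(list(row)) for row in zip(*survivors)]


def plaintext_on_member(disks: list[list[bytes]], member: int, n_disks: int) -> bytes:
    """Data (non-parity) blocks readable from a single member taken alone."""
    return b"".join(blk for row, blk in enumerate(disks[member])
                    if (n_disks - 1 - row) % n_disks != member)


# Constructed sample record.
SAMPLE = b"payroll:alice:41000;bob:39500;carol:52250;"

if __name__ == "__main__":
    disks = stripe_raid5(SAMPLE, n_disks=3, block=6)
    assert rebuild(disks, failed=1) == disks[1]
    for i in range(3):
        print(f"disk {i} alone exposes: {plaintext_on_member(disks, i, 3)!r}")
```

Every member carries unencoded data blocks, so each drive pulled from an array has to be sanitized as a disk in its own right.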

Questions

Group Discussion

So how can we perform data sanitization on a RAID?