THE PROBLEM

Self-Monitoring, Analysis and Reporting Technology (SMART) was pioneered by IBM in 1992 with their Predictive Failure Analysis mechanism, and was subsequently enhanced by Compaq's IntelliSafe technology [1]. SMART has been implemented in the majority of ATA (IDE) and SCSI hard disks since 1995, and allows the hard disk to perform self-tests as well as track and store performance and statistical information which can help predict impending failure of the hard disk. This information includes the total amount of time the hard disk has been powered on for (referred to as Power_On_Hours, or Power_On_Minutes for some brands of hard disk), the number of times the hard disk has been powered on (referred to as Power_Cycle_Count), other attributes chosen by each hard disk vendor such as the hard disk's current temperature, and a log of low level hard disk errors [2] [3]. SCSI hard disks typically do not provide the same detailed level of SMART information to the user as ATA/IDE hard disks [1], so this paper will focus on IDE hard disks.

Freely available utilities [4] complete with source code can be downloaded from the Internet which allow software to read the hard disk's SMART information. Source code to access SMART information can be incorporated into an attacker's back door program which executes when the operating system boots. This allows the attacker to keep track of the number of times the hard disk has been powered on via the Power_Cycle_Count SMART attribute value. Also, the attacker can keep track of the total amount of time the hard disk has been powered on for via the Power_On_Hours SMART attribute value, and compare this value with the total amount of time which the attacker's back door program has been running. The current industry best practice procedure for forensically duplicating a hard disk typically results in the modification of the Power_Cycle_Count and/or the Power_On_Hours SMART attribute values. The attacker can therefore detect if the hard disk has been powered on or accessed for a length of time by a software or hardware mechanism other than the compromised operating system running on the compromised computer.

The rest of this paper will focus on whether SMART attribute values can be prevented from being modified, since although there are some undocumented SMART functions [5] [6], the specifications do not provide a mechanism to set attribute values to an arbitrary number.

The specifications also state that the data structure containing returned SMART attribute values consists of read only attribute fields which cannot be modified [7]. It is unfortunate that SMART attribute values cannot easily be modified to arbitrary numbers, otherwise they could be reset to their original values once the forensic duplication process has been completed.