Hiding data in bad blocks?

(@thecableguy)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter  

I have read in numerous places that some people write data in bad blocks in order to avoid being caught. How is that possible since bad blocks are supposedly inaccessible?

Thanks


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

It depends on what sort of bad blocks you are talking about.

Bad blocks at a file system level are not inaccessible, they are just marked as not to be used - quite different.


   
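An added example, not part of the original post: a Python sketch of how an examiner could list the clusters a FAT16 table marks as bad and check whether they still hold readable data, which is what "marked as not to be used" implies. FAT16 and the constructed sample image are assumptions chosen for illustration; the thread names no file system.

```python
import struct

BAD16 = 0xFFF7  # FAT16 marker: cluster flagged bad, allocator must skip it

def layout(img):
    """Locate FAT and data area from the BIOS Parameter Block."""
    bps, spc, rsvd, nfats, root_ents = struct.unpack_from("<HBHBH", img, 11)
    (spf,) = struct.unpack_from("<H", img, 22)
    root_secs = (root_ents * 32 + bps - 1) // bps
    data_start = (rsvd + nfats * spf + root_secs) * bps
    return rsvd * bps, spf * bps, data_start, spc * bps

def bad_clusters(img):
    """Return (cluster, holds_data, first_16_bytes) for each bad-marked cluster."""
    fat_off, fat_len, data_start, csize = layout(img)
    last = min(fat_len // 2, (len(img) - data_start) // csize + 2)
    found = []
    for c in range(2, last):
        (entry,) = struct.unpack_from("<H", img, fat_off + 2 * c)
        if entry == BAD16:
            off = data_start + (c - 2) * csize
            data = bytes(img[off:off + csize])
            # A uniform fill (all 0x00, all 0xF6, ...) is what an unused cluster looks like
            found.append((c, len(set(data)) > 1, data[:16]))
    return found

def build_sample():
    """Constructed 12-sector FAT16-style image; not taken from any real case."""
    img = bytearray(512 * 12)
    struct.pack_into("<HBHBH", img, 11, 512, 1, 1, 1, 16)  # bps, spc, rsvd, FATs, root entries
    struct.pack_into("<H", img, 22, 1)                      # sectors per FAT
    fat = 512                                               # FAT starts after 1 reserved sector
    struct.pack_into("<3H", img, fat, 0xFFF8, 0xFFFF, 0xFFFF)  # 2 reserved entries + 1 file cluster
    for c in (5, 7):
        struct.pack_into("<H", img, fat + 2 * c, BAD16)     # two clusters marked bad
    data_start = 3 * 512                                    # boot + FAT + root directory
    payload = b"CONSTRUCTED SAMPLE: text in a cluster marked bad"
    img[data_start + 3 * 512: data_start + 3 * 512 + len(payload)] = payload  # cluster 5
    return bytes(img)

if __name__ == "__main__":
    for cluster, holds_data, head in bad_clusters(build_sample()):
        print(cluster, "review" if holds_data else "uniform fill", head)
```
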
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

I have read in numerous places that some people write data in bad blocks in order to avoid being caught. How is that possible since bad blocks are supposedly inaccessible?

Thanks

Do you have any examples of where you've seen this discussed as something that's being widely used? This isn't something that I've come across and I can think of several secure ways of storing data so you don't "get caught" that would seem more feasible.


   
(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
 

It may be possible, if you make "good blocks" seem like "bad blocks" through editing the bad sectors lists in the hard drive firmware. So, those blocks will not be visible to the operating system and the data in those blocks will not be accessible.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

It may be possible, if you make "good blocks" seem like "bad blocks" through editing the bad sectors lists in the hard drive firmware. So, those blocks will not be visible to the operating system and the data in those blocks will not be accessible.

Nice theory. :)
Please name (or describe/provide a link to documentation for) at least one method/tool to edit the bad sectors list on at least one current hard disk drive model (and to revert the operation so that the data can become accessible again).

jaclaz


   
nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
 

If you mean bad blocks as bad sectors, you can access the hard drive SMART, which is the list of bad sectors, with PC3000 or other SMART tools; you can access and edit some of the bad sectors.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

If you mean bad blocks as bad sectors, you can access the hard drive SMART, which is the list of bad sectors, with PC3000 or other SMART tools; you can access and edit some of the bad sectors.

Well, it is IMHO not really handy to store data that only a PC-3000 can (maybe) access.

jaclaz


   
(@sasha)
Active Member
Joined: 11 years ago
Posts: 16
 

There's a bunch of tools that can work with HDD FW - PC3K, MRT, DFL, cheap and expensive; even some software utilities may work with HDD FW. However, this "breach" exists in theory; in practice there is a more handy way to hide/protect data - encryption. On the other hand, classic forensic analysis isn't sufficient, as someone may hide real data in the P-list or G-list of the HDD ;)


   
(@aditya5)
Active Member
Joined: 13 years ago
Posts: 11
 

Hi,
Aditya here from India.

I have used PC-3000, and it is possible with PC-3000 to turn a good sector into a bad sector for hiding data intentionally. In actuality, the sector is a good sector, but PC-3000 makes it a bad sector using its sector-level access to the hard disk. Also, the user using the PC-3000 can turn that bad sector (made by PC-3000 only) back into a good sector again.

Also, this PC-3000 has a great feature of enabling and disabling heads of hard disks.

I will give a preview of a case.

I received an HDD for an investigation case, and after imaging it turned out to be a 250 Gb hard disk (the label on the hard disk was scrapped), but on investigation it was found that the hard disk had good data but NO OPERATING SYSTEM was installed on it (that was suspicious). So, using PC-3000 we found that one head out of the 2 heads of the hard disk was disabled. As we enabled the other head of the hard disk, we got 250 Gb more storage data in the hard disk, which led to the conclusion that the hard disk was actually 512Gb and the user had made it hidden.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

So, using PC-3000 we found that one head out of the 2 heads of the hard disk was disabled. As we enabled the other head of the hard disk, we got 250 Gb more storage data in the hard disk, which led to the conclusion that the hard disk was actually 512Gb and the user had made it hidden.

Or maybe the disk head was disabled for some other reasons.

Who was actually the user?
I mean, a twentyish or thirtyish IT engineer suspected to be a member of an international criminal organization or a middle aged housewife?

As said before, not really a "handy" way to store data.

If I get this right the usage paradigm should be something *like*

  1. disconnect hard disk from *whatever* it is connected to
  2. connect it to a PC-3000 (<- this is typically a US$ 5K+ piece of equipment + yearly subscription, if I recall correctly) and surely not easy to hide or "portable"
  3. enable the disabled head
  4. connect the hard disk to *something*
  5. read/write data on the disk
  6. disconnect hard disk from *whatever* it is connected to
  7. connect it to a PC-3000
  8. disable the temporarily enabled head
  9. connect the hard disk to *something* (optional)

Maybe something that may be used to get past a border control, but IMHO overly complex even for that (it would need two PC-3000's, one on each side of the border).

Now, for some selected hard disk models, a "purely" software tool may do, but a PC-3000 (or similar hardware high cost tools)?
And the need to disconnect/reconnect the disk (to connect to the TTL port to send "native" commands to the firmware)?

jaclaz


   