A proof of concept to effectively hide data on a hard drive has been developed. The method buries information on the hard drive’s service area making it totally inaccessible to all detection methods such as antivirus solutions. The data is even invisible to software designed to completely purge a drive of all data.
Every hard drive has a service area. This is a partition used by the operating system of the drive for internally managing the drive. Every drive manufacturer sets aside certain tracks on the drive for this purpose. In addition to storing the hard drive operating system and tests, it is also used for the translator table which stores the location of the drive tracks as well as the location of bad sectors.
A hard drive unit contains its own small computer with a printed circuit board, microprocessor, random access memory (RAM), and flash memory to store code while powered off. When powered on, the hard drive microprocessor boots with code from the flash memory, which causes the drive to spin up so that the drive operating system can be read from the service area. This occurs before the PC operating system is loaded.
Accessing the hard drive service area to store additional data requires knowledge of vendor-specific commands (VSCs). These commands are unique to the hard drive manufacturer and are not publicly disclosed. There are five hard drive manufacturers – Seagate/Maxtor, Western Digital, Hitachi/IBM, Toshiba/Fujitsu, and Samsung.
The amount of available space in the service area varies according to the drive manufacturer, and is generally significant. For example, a Western Digital Hawk drive has 141MB space in the service area, of which only 12MB is used by the manufacturer. A Western Digital Hulk drive has 450MB space in the service area, of which only 52MB is used. As drives become more complex, the size of the service area has increased.
Data in the service area cannot be removed even with the data sanitization software tools used to purge a drive of all data, and it remains hidden from all data identification tools, such as signature scanners, that run within the PC operating system.
How much of a threat does this method of hiding data pose? Hiding data in the drive’s service area is very difficult because it requires the manufacturer’s VSCs. Experimentation to guess VSCs is risky, as it easily results in hard drive failure or loss of data. However, for anyone who does have access to the VSCs, there is significant space in which to hide meaningful data. As this method evades all known detection methods, it would be extremely dangerous should the VSCs end up in the wrong hands. This could occur through a rogue employee, or through a State directive demanding information about the VSCs from a hard drive manufacturer. To this end, it would be interesting to establish, for each of the five hard drive manufacturers, in which countries the employees with VSC knowledge reside.
More information on the proof of concept, developed by Ariel Berkman of Recover Information Technologies, is available here.