Monday, March 02, 2009

Partition and Disk Management: Part V – HDD Sector Spying

So much material, so little time.

In many of these prior posts, I alluded to or specifically mentioned the actual data (or lack thereof) on the drives.

All these posts have been born out of a recent round of conversations and events in system image work and system drive preparations.

This post builds on all of those posts and hopefully ties things up a bit.

Why play Peeping Tom?

What I would like to do is present a number of freeware (most of them, at least) utilities that allow one to view hard disk drive or flash “drive” media at the sector level.

Why?  Well, a number of reasons come to mind, though this list is certainly not all-inclusive:

  1. As I mentioned before, Heartland’s grief apparently began because of a sophisticated trojan that hid (in part) in unallocated space on servers.
  2. Some software could be used in an attempt to hide data from prying eyes (or law enforcement) by placing data in sections of a disk not normally accessible under the OS.
  3. Data from a prior owner may be present in that space and create headaches for a new owner.
  4. Confidential data remnants could be present (related to #3 above).
  5. Efficacy of “secure-wipe”, data-destruction software, or products that “sanitize” or “zero-out” drives or files can be tested and measured.
  6. File recovery and capture from a boot-damaged OS.
  7. It’s cool to do.
  8. Verification of whole-disk-encryption software.

Though this post is based on a combination of those things, primarily it comes from a combination of reasons #5 and #8 above.

Encrypting and Wiping

Last week l33t network analyst Mr. No was working on a field project.  Part of that assignment meant reassigning a number of previously issued desktop systems to new owners.

Our policy is to do (at least) a one-pass secure wipe of the system prior to redeployment to a new user.

(A Probie asked me why we had this policy and I explained that it ensured that anything found on the drive after issuance had to be answered for by the assigned owner.  It helps to baseline a system and discourage (but not prevent) claiming, say after a forensics review, that any non-approved data on the drive was a carryover and not theirs.  Yes, malware or other hacks or methods could get data onto someone’s PC without the owner’s knowledge, but this at least sets a standard.  It also prevents carryover of any “inherited” system issues that could occur because of a previous owner’s use of the system.  We just like giving everyone a fresh start.)

Mr. No was using a particular commercial application to secure-wipe the systems (3-pass if I recall) and though they were new and fast systems, it was still taking over an hour to pre-prep the drive before he could apply the image and finish the deployment process.  What should have been a one-hour-or-less process was actually taking close to two hours.

Compounding this, the drives were whole disk encrypted, and there was some confusion by the probies that they had to decrypt the drive entirely, before secure erasing the disk, then formatting and reimaging it.  (Sheesh, the whole drive-decrypt process alone can take anywhere from four to eight hours!)

Mr. No understood that was pretty lame, but did feel that a whole-disk wipe was still required.  He referred to some as-yet-unproduced post explaining (as I understood his concerns) that our particular whole-disk encryption solution was only a boot-overlay protection: that it served only as an overlay to the boot process, preventing unauthorized access to the OS boot loader.  If you could bypass that, then the data on the drive was free and clear like normal.  That’s why a full disk wipe was still required.

That didn’t make any sense to me based on my understanding of the product in question.  I felt, based on what I had read, that the entire physical drive (under our policy settings) was encrypted, that the encryption loader was located at the “front end” of the drive, that the rest of the drive contents would be fully encrypted and appear as “random garbage”, and that to effectively “secure-wipe” the drive, one only needed to zero-out the “front end” of the drive with about a minute’s secure-wipe run.  That would destroy all the data needed to reload/decrypt the drive, and thus render all the remaining sector patterns as “randomized” patterns.

We discussed this for a while and in the end, the proof was in the pudding.  I had to off-line boot two systems—one WDE and one not—and take a tour of them at the sector level.

What I found was, indeed, that on a non-encrypted system there was a lot of data in a “clear-text” format that I could see across the drive.  If I used one of many file recovery programs I could probably recover all the data.

On the encrypted system, I could indeed view a lot of data from the whole-disk encryption pre-boot loader configuration files at the beginning, but after that, the rest of the drive sectors were fully filled with what appeared to be random garbage noise.  No file recovery program would be able to extract anything from that mess.

So, based on previous posts and “clinical studies”, a full single-pass sector overwrite should be sufficient to sanitize a drive, and if the system is whole-disk encrypted (at least with our deployed product), a single-pass sector overwrite of the front hundred or so sectors should also be sufficient.  What was taking hours to “wipe” now takes just a few minutes.
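To make the “clear-text versus random garbage” comparison above reproducible without a sector editor, here is an added Python example (my own illustration, not code from this post or from any of the tools listed below). It builds two small constructed disk images in memory, one with user data in the clear and one laid out like the whole-disk-encrypted drive (readable loader configuration in the first few sectors, ciphertext-like noise behind them), scores every 512-byte sector by Shannon entropy, and then shows what a single-pass zero overwrite of the front sectors leaves behind. The entropy thresholds and the four-sector “front end” are assumptions chosen for the example, not values taken from any product.

```python
"""Sector-level survey of a disk image: per-sector entropy plus a front-of-disk wipe check.
Constructed example: the images are built in memory, not read from a real drive."""
import hashlib
import math
from collections import Counter

SECTOR_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant sector, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector: bytes) -> str:
    """Rough triage of one sector by entropy.  Thresholds are assumptions picked for 512-byte sectors:
    512 truly random bytes measure roughly 7.5-7.7 bits/byte, plain text usually 4-5, zeros 0."""
    h = shannon_entropy(sector)
    if h < 0.5:
        return "blank"        # zeroed or otherwise constant
    if h >= 7.0:
        return "random"       # looks like ciphertext, compressed data or a PRNG wipe pattern
    return "cleartext"        # still has structure: text, code, file-system metadata


def survey(image: bytes) -> Counter:
    """Count sectors per class across a whole image."""
    return Counter(classify_sector(image[i:i + SECTOR_SIZE])
                   for i in range(0, len(image), SECTOR_SIZE))


def wipe_front(image: bytes, sectors: int) -> bytes:
    """Single-pass zero overwrite of the first `sectors` sectors (the drive's 'front end')."""
    return b"\x00" * (sectors * SECTOR_SIZE) + image[sectors * SECTOR_SIZE:]


# --- constructed sample images (not captured from any real drive) ---
def random_sector(label: bytes, idx: int) -> bytes:
    """Deterministic pseudo-random sector built from chained SHA-256 so the example is reproducible."""
    return b"".join(hashlib.sha256(label + idx.to_bytes(4, "little") + k.to_bytes(2, "little")).digest()
                    for k in range(SECTOR_SIZE // 32))


def text_sector(text: bytes) -> bytes:
    """A sector filled with repeated readable text."""
    return (text * (SECTOR_SIZE // len(text) + 1))[:SECTOR_SIZE]


LOADER_TEXT = b"PRE-BOOT LOADER CONFIG user=alice policy=full-disk "      # assumed loader config text
USER_TEXT = b"Confidential: Q4 payroll export for accounting review. "    # assumed user data


def build_plain_image(total_sectors: int = 64) -> bytes:
    """Unencrypted drive: user data in the clear on even sectors, zeros on odd ones."""
    return b"".join(text_sector(USER_TEXT) if i % 2 == 0 else b"\x00" * SECTOR_SIZE
                    for i in range(total_sectors))


def build_wde_image(total_sectors: int = 64, front_sectors: int = 4) -> bytes:
    """Whole-disk-encrypted drive: readable loader config up front, noise everywhere else."""
    return b"".join(text_sector(LOADER_TEXT) if i < front_sectors else random_sector(b"wde", i)
                    for i in range(total_sectors))


if __name__ == "__main__":
    plain, wde = build_plain_image(), build_wde_image()
    print("plain      :", dict(survey(plain)))
    print("wde        :", dict(survey(wde)))
    print("wde + wipe :", dict(survey(wipe_front(wde, 4))))
```

On a real image you would read the file in 512-byte chunks instead of building it. Entropy only tells you whether a sector still carries structure, so any “cleartext” sector that survives a wipe is exactly the one to go look at in a hex viewer.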

Sector-viewing tools

I already had two “portable” freeware tools that allowed me to view the sector data on hard-drives but I wanted to be sure I wasn’t missing out on any new ones that might be fuller featured or more portable to run off a USB stick from a WinPE booted OS.

My faves were still there, and there were a lot more guests to invite to my party.

So this list is dedicated to all the hard-drive jockeys out there, be you sysadmins, forensics gurus, or just curious.

As usual, a few words of caution are in order:

Some tools do not offer to mount the media in “read-only” mode.  Therefore if you aren’t careful you do run the risk of directly changing file data at the drive-sector level.  That could cause strange or systemic issues leading to corrupted files, data, or a non-booting system.

M’kay?

The list is not necessarily presented in any particular order, but I will try to list the ones I’m most likely to use first.

HxD - (freeware) - mh-nexus’s application was a new-to-me find and quickly made it to the top of my go-to list.  Not only is it fast, it allows mounting of entire disks and system processes running in memory into the viewer.  When you mount a disk to view, it defaults to open as “read-only” (bypassable) to ensure no accidental overwriting occurs as you inspect it.  Copy, export, compare, search, view, analyze, and many more functions are supported.  It works great under WinPE 2.0 and 3.0 boot disks.  Total size is just under 2 MB.  For fast and focused sector viewing, this is a shining star.  Download in either a full-installer or “portable” file configuration.

Frhed - Free hex editor - (freeware) – I linked to the new project page, but the original frhed Homepage also has some useful information.  Super-tiny, the entire application folder weighs in at just 447 kB in total.  It allows opening drives (only in a read-only mode) as well as files in both read-only (enabled by default) or read/write mode.  For quick, fast, and portable viewing of sector data, it’s a great pick.  For those programming pros who need to do file manipulations at the sector level, it has enough of the basics to make it a worthy backup tool.

Roadkil's Sector Editor - (freeware) – Super-tiny (92 kB) and portable, this is probably the best “all-in-one” sector viewing application out there from a size and portability perspective.  It does seem to mount the drive in “read/write” mode, but does have an “undo changes” feature.  You can search, print, save and copy sector information, as well as change it.  The navigation controls are pretty sparse.  Jump to a particular sector or use the forward/back buttons to scroll.

Disk Investigator - (freeware) – I still like this application a lot, but one drawback is that while it is portable on running XP/Vista systems (say via USB stick) it does not work under WinPE and is grouchy under Vista.  Several things still lead me to keep it handy.  First, it is very small (383 kB) for the whole folder contents.  It allows either a disk-based sector view or a file/directory-based browsing view for file/sector location.  It has an “undelete” function as well as the ability to search sectors for text strings.  For use on XP systems, it is worth looking into.

Tiny Hexer - (freeware) - mirkes.de’s website is sparse and most users would probably pass it up.  However, a look at some screenshots convinced me I had better download it and take it for a spin.  I wasn’t disappointed.  Turns out “Tiny” is a bit of an exaggeration.  The program is portable but definitely not tiny in either program size or features!  Unpacked, the program folder weighs in at 7.29 MB.  Open a drive or image file.  By default it is not read-only, but that can be selected easily.  You can open a running process in memory and view its hex information as well as files proper.  Read, write, copy, paste, and print options are all supported.  Character translations are many, as well as advanced scripts, ADS management, structure viewing, comparisons, and bookmarking.  It reminds me a bit of HxD in the layout, but it seems much fuller featured.

NT Disk Viewer - (freeware) – Low on my list due to the funky GUI interface and what could be some character translation issues, it nevertheless performs well and at a single-file size of 273 kB isn’t a large house-guest.  It works well on WinPE boot disks.  I would probably only use it if I needed to take a first-pass look at a system and didn’t have any of my other tools at hand.

Not Free but Recommended

These are big-guns.  Generally they are much more full-featured for professional usage by programmers and application hackers.

I provide them as they were recommended by folks whose opinions I trust, or they might be worth looking at for heavy lifting.  They might be “portable” but I really can’t say.

WinHex - (free to try) – Positioned clearly as a forensics-grade examination tool, this is one of two recommended to me by forensics guru Harlan Carvey.  It really did knock my socks off.  While the previously mentioned freeware applications are great for system administration work, review and exploration of drives and USB media, and general sector review, if you are interested in forensics-class work, this seems to be probably the best of the best.  No installation was required.  I downloaded the offered zip file, unpacked it, and was on my way running the winhex.exe file.  Upon launch I first had to note if I wanted to enable “write protection by default” (awesome) as well as select a “computer forensics interface” (allows creation of case files and notes) as well as a “reduced user interface” mode if the forensics interface was enabled.  I’m not nearly sophisticated enough in my knowledge to go through all the amazing details and items this tool provides.  Needless to say it is incredible and will likely require lots of reading of the User manual (PDF) and time spent to familiarize oneself with the things possible.  Must be checked out by forensics pros and sysadmins alike!  Highly recommended for a reason!  I haven’t tried running it under a WinPE environment, and the application folder size is a very light 2.57 MB for such a full-featured program.

Hex Workshop - (free to try) – Multi-paned application that not only provides direct disk-based sector viewing, copying, and searching, but a whole lot more.  By default drives can be opened and viewed, but are not done so in read-only mode.  Like other programs noted here, it is easy to select to do so just before you open up the disk.

Free Hex Editor Neo - (free to try/limited features) – I like the GUI interface which is kinda “roundy”.  It allows mounting of disks and also processes running in memory.  These are opened in “read-only” mode by default, which is nice.  However, you have to register/buy the product to unlock those features.  As such I really couldn’t test the advanced features it offers compared to the many features I am interested in that are already available in the free ones listed here.

UltraEdit - (free to try – trial time-limited) – Another app recommended by forensics expert Harlan Carvey.  I spent a short amount of time with it and it indeed has a lot of features.  Unfortunately I couldn’t quickly find any way to actually use it to mount a drive and view the sectors themselves.  That may be a feature but I couldn’t work it out quickly enough.

Related Hex Editor (or not) programs

These are programs I use or uncovered that are related to sector-based drive viewing or manipulation, but not necessarily in the same class as those previously mentioned.

Hex Editor XVI32 - (freeware) – Awesome and dangerous tool to open files on a hex-level and modify them.  Useful for viewing file hex code in a small and fast program, but very easy to make unintended changes.  Not for cowards.

Victoria - (freeware) – OK.  Unless you are a hard-drive professional or system administrator, I’d advise you to quickly move on.  If you are one of the elite few, this is a wicked-cool application that will allow you to view raw sector information on drives.  It also does almost a bazillion other hard drive configuration tweaks, changes, tests and stuff.  Not for amateurs.  Not something you are just going to download, unpack, run and use out of the box.  Heavy duty but really, really neat tool for spindle-heads.  Before considering downloading, read the Victoria For Windows Detailed English Manual first to make sure this is what you really want to play with.  I bet you do anyway!

HDDGURU: MHDD - (freeware) – Yes it is DOS GUI based.  Yes it doesn’t seem to have been updated recently.  Yes there probably are many other tools worth looking into.  Yes it might be handy to keep around just in case all else fails. MHDD documentation.

ZeroView - (freeware) – Scroll just past midway down the page to find this tool.  “Ever worry that the system you are seizing uses whole disk encryption? Use ZeroView™ freeware to find out. Burn ZeroView to a CD then pop it into the CD drive of the suspect machine and it will load into memory only and display the contents of Sector 0 allowing you to determine if whole disk encryption is employed on the suspect system. Once you know, then you can take the appropriate steps to capture and preserve the data you need.”  It’s a single GUI-based tool to explore the 0-sector to see if it contains any whole-disk encryption clues.

Dimio's HDHacker - (freeware) - “HDHacker is a stand-alone micro-utility that saves, visualizes, and restores the MBR (from a physical drive), the BootSector (from a logical drive) or any specified sector from any disk (even removable disks).”  Won’t let you view the entire drive’s sectors, but if you are just interested in viewing or backing up the MBR, this is the tool for you.  20 KB big.

Boot Sector Explorer – DiamondCS - (freeware) – like HDHacker, this GUI-based tool “…allows you to quickly and easily read and write to both the boot sectors of your logical drives such as PhysicalDrive0 and the Master Boot Records (MBRs) of physical drives such as C:, D: etc. It can even examine drives that aren't hard drives, including CD-ROMs, DVDs, USB sticks and more.”

HexDump - (freeware) – CLI tool that dumps the hex/text from a passed filename.

BinText - (freeware) – Foundstone tool that allows you to load a file into the application, then examine it for strings.  I use this one to quickly look at suspicious malware-related files to see if any easy clues can be gleaned.

Cygnus Hex Editor - (freeware) – Strictly a file hex editor/viewer.  Not for disk-sector viewing.  However, it is just 436 kB in a single executable.  Figured it was worth mentioning.  Nice GUI.

Sector Inspector (SecInspect.exe) – Microsoft command-line utility.  Could provide some useful information in file and system inspection.  See these related posts from forensics gurus for recipe ideas: Interesting Tool – SecInspect (Windows Incident Response blog) and Forensic Incident Response: Sector Inspector (from HogFly’s blog).

Pocket Hard-Drive Utilities – Grand Stream Dreams post roundup of various other hard-drive tools not related to sector viewing but neat to know anyway.

Whew!

Hope folks find this roundup useful!

My USB stick is much fuller from the work.

Cheers!

--Claus V.
