“On the other hand, you have different fingers.”
Transposition magic is a lot of fun to watch. In the blink of an eye, a coin, a card, or an animal, disappears and magically transforms into something else with a whimsical hand movement and mysterious command. Two objects can change places with each other. A masterful magician can even appear to transform the object into something else entirely.
When it comes to your company’s data and intellectual property though, no one wants to end up misled. When an employee cleans out their desk and leaves your business and you take the initiative to do your due diligence and conduct an employee exit investigation, the old switcheroo, the bait and switch, and the rickroll are a whole lot less fun.*
*Admit it, you knew precisely where this link was going to go before you clicked it.
Employee Exit Examination
Our client submitted a 320 GB Seagate hard drive to Tetra Defense, formerly Gillware Digital Forensics, as part of an employee exit examination. It’s prudent for businesses to image and archive the disk images from a company-owned computer or mobile device when an employee leaves—and not just for those bitter and acrimonious exits, either. However, in this case, a bitter and acrimonious exit was what had happened.
A mid-sized utility sector company employee had parted with the business under strained circumstances. When they returned their laptop, an HP EliteBook laptop purchased sometime in 2012, IT staff turned it on. Immediately they discovered that the hard drive within seemed to have no operating system to boot into. The company attempted to use off-the-shelf data recovery software to retrieve data from the drive and got absolutely nothing back for their efforts. They suspected that the hard drive had been wiped, and wanted confirmation of this. They came to us asking to determine whether the drive was indeed empty—and if this was the case, what had happened to the hard drive.
We immediately found something that didn’t add up.
During the Tetra intake process, we always check the details of submitted hard drives. In this case, the manufacture date of the Seagate 320 GB hard drive was July of 2016. Considering that the HP EliteBook computer had been purchased in 2012… Presto Change-o! We had just found an immediate indicator that the hard drive wasn’t original to the laptop.
Our next clues as to what was going on would come from a particular feature of hard drives known as SMART.
We’re SMARTer Than That, Aren’t We?
To pull this magic trick apart, we needed to get SMART. The SMART (Self-Monitoring, Analysis, and Reporting Technology) area of modern hard drives contains a plethora of useful diagnostic information.
SMART is a monitoring system for computer hard disk drives (HDDs) and solid-state drives (SSDs) that interacts with the hard drive firmware to detect and report on a variety of indicators of drive health. The SMART area keeps track of (among other things) drive make, model, firmware version and capacity, the number of power cycles, and the amount of start/stops. Many forensic write-blockers read SMART data and report it to the examiner through their hardware interfaces.
SMART is a little piece of hard drive magic. It exists within the Service Area (aka the System Area) of a hard drive. Because the Service Area exists outside the LBA (Logical Block Address) area of a drive, standard ATA (Advanced Technology Attachment) commands don’t reach it. Data in the Service Area is inaccessible to the user and not addressed by most digital forensic imaging/analysis tools, wiping tools, or antivirus scanners.
Voilà! The perfect magician’s cabinet of forensics.
My longtime friend Todd Shipley has studied, tested, and written about System Area phenomena, as well as the illusions many forensic examiners have about the totality of the drive images they make. If you thought you were getting all of the data from the first to the last bit on the drive platter during acquisition, think again! It is entirely possible to hide data in the System Area, not to mention leveraging this hidden area of the drive for malware and data exfiltration ala Equation Group.
Now You See it!
Luckily, nothing so complicated was in play in this case. Using our handy-dandy WiebeTech Forensic Ultradock, we checked the SMART data related to the number of power cycles and start/stop cycles the 320 GB hard drive had undergone in its curiously-short lifetime. With the help of the SMART data, we uncovered a shocking truth. It was nearly brand new!
Next, we created a forensic image of the user addressable area of the hard drive. Nobody had formatted the drive. In fact, it was entirely zero filled. We found no indication that anybody had written any data to the hard drive inside the company’s computer. In fact, we found no indication that this hard drive had ever lived in any other computer. It was an impostor!
Here’s what we knew now:
- The hard drive had been manufactured well after the estimated date of manufacture and sale of the laptop.
- The new hard drive had no user data on it; in fact, it had never been used.
- The ex-employee under investigation had pilfered the old hard drive and its data and substituted a new, unused hard drive to cover their tracks.
Revealing the Magician’s Secrets
Unfortunately, magic isn’t real. It’s all a trick—an act of misdirection, hiding the wires and secret props in places we’re unlikely to look and drawing our attention away from anything that would give the magician’s trick away. Prestidigitation exploits our natural blind spots—or creates new ones if needed.
Fortunately, sleight-of-hand doesn’t work on us. We simply follow all the clues we can find and see where they take us.