Short and simple: How to install undetectable malware on a computer.
In 2012, I started giving public presentations on how to hide data in hard drives in ways which are undetectable with state-of-the-art forensic software. I did this at computer forensic conferences. You may read a sample abstract from one of these conferences here:
and I tweeted about it here, for another event:
Nobody really cared, at least no one I knew about.
Basically, what I said in those presentations is that a variety of hooks and tools exist which allow a very technical team to install data (or programs) on computers in ways which will survive a reboot, a cold start, an OS installation, or a complete reformatting of the hard drive.
You can see my concluding slide here, where I predicted the underpinnings of the hack which is just now making news:
For the following to make sense, you have to have a rudimentary understanding of sectors, partitions, and so forth. Assuming you pass that test, in a nutshell, here’s the explanation of how it is done:
1) Hard drives are composed of areas which may be accessed by the computer, and another area which is inaccessible by the user. Your data, programs, partitions, and slack area all reside in the accessible area.
2) The drive manufacturer reserves a special area, which is often called the service area. It is inaccessible except to the specially privileged, and that area is used to maintain spare sectors: when some magnetic media flakes off, the hard drive automatically repairs itself by substituting a replacement sector from the service area.
3) That service area also usually contains the firmware which the hard drive processor literally boots from. In other words, before your computer can boot off the hard drive, the hard drive must boot itself and start working. It boots off the service area.
4) If you hack the boot code, you can make the hard drive behave in any manner you want.
5) The boot code is just another computer program. You never see it, because it is hidden in the service area, and proprietary to Seagate, Western Digital, Hitachi, et al… all the major hard drive manufacturers.
6) But if you can dig into the service area, and figure out how the code works, you can maliciously change it.
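As an added example (not part of the original post, and not code from any forensic product), here is a Python parser for the ATA IDENTIFY DEVICE block that a drive returns to the host, with a diff against a baseline captured at an earlier acquisition; the model, serial and firmware revision values are constructed sample data. The fields are the drive's own word about itself, supplied by the firmware that boots from the service area: a changed revision string or a shrunken user-addressable sector count between acquisitions is worth investigating, while an unchanged one proves nothing, since tampered firmware can report whatever it likes.

```python
import struct

FIELDS = ("model", "serial", "firmware", "user_sectors")

def _ata_string(words, first, last):
    """Decode an ATA string: each 16-bit word holds two chars, first char in the high byte."""
    raw = b"".join(struct.pack(">H", w) for w in words[first:last + 1])
    return raw.decode("ascii", errors="replace").strip()

def parse_identify(data: bytes) -> dict:
    """Pull identity fields out of a 512-byte IDENTIFY DEVICE block (ATA word layout)."""
    if len(data) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", data)  # 256 little-endian 16-bit words
    return {
        "model": _ata_string(words, 27, 46),     # words 27-46
        "serial": _ata_string(words, 10, 19),    # words 10-19
        "firmware": _ata_string(words, 23, 26),  # words 23-26
        # words 100-103: 48-bit count of user-addressable sectors, i.e. the
        # area the host can reach; the service area lies outside it.
        "user_sectors": sum(words[100 + k] << (16 * k) for k in range(4)),
    }

def compare_identity(baseline: dict, current: dict) -> list:
    """Names of fields that changed between two acquisitions of the same drive."""
    return [f for f in FIELDS if baseline[f] != current[f]]

def build_identify(model, serial, firmware, user_sectors) -> bytes:
    """Construct a sample IDENTIFY block (test data, not read from a real drive)."""
    words = [0] * 256

    def put(first, last, text):
        text = text.ljust(2 * (last - first + 1))
        for i in range(first, last + 1):
            j = 2 * (i - first)
            words[i] = (ord(text[j]) << 8) | ord(text[j + 1])

    put(27, 46, model)
    put(10, 19, serial)
    put(23, 26, firmware)
    for k in range(4):
        words[100 + k] = (user_sectors >> (16 * k)) & 0xFFFF
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    # Constructed values; the second capture differs only in firmware revision.
    before = build_identify("EXAMPLE HDD 2TB", "SN0000EXAMPLE", "FW01.00", 3907029168)
    after = build_identify("EXAMPLE HDD 2TB", "SN0000EXAMPLE", "FW01.00A", 3907029168)
    print(compare_identity(parse_identify(before), parse_identify(after)))  # ['firmware']
```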
Just about everything in my presentations was culled from existing web resources. I made a list of them and included it at the end of the presentation. Here it is, kind of heavily redacted:
The bottom line is that anyone who knows the deep basics of hard drives has already done stuff you don’t know about, you can’t detect, and you can’t fix. Feeling small?
About James Wiebe:
James Wiebe is a digital forensic pioneer and an expert on hardware utilized in the forensic acquisition of hard drive data. He started WiebeTech in the year 2000 and was soon designing forensic write-blocking hardware and highly portable, rugged storage systems. He developed a list of federal, state and local customers who were at the forefront of digital investigations. James (along with his wife, Kathy) sold the business in 2008 to CRU but has remained active within the field, and is a popular speaker and lecturer on digital forensics, especially on storage systems. James is a 1979 graduate of Tabor College (Hillsboro, KS) and has a degree in mathematics with an emphasis on computer science. James and Kathy have two children, and live in Wichita, KS. James loves to fly, fly-fish, and camp in the wilderness. In his spare time, he is developing an aerospace company, Belite Aircraft.