S.M.A.R.T. Data in Computer Forensics

By Arman Gungor, January 9, 2014

Forensically imaging a hard drive is typically defined as making a bit-by-bit copy of all the sectors on the drive. It is usually not mentioned that hard disk drives also contain service areas which store information used for internally managing the drives (e.g. defect management). Information in the service area of a drive is not presented to the user, is inaccessible using standard ATA commands and is not captured from the original drive during the traditional forensic imaging process. One of the key pieces of information typically found in the service area of a hard drive is S.M.A.R.T. data, which can be valuable during digital forensics investigations.

What Is S.M.A.R.T.?

S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) is an internal monitoring and reporting technology built into most modern hard drives. Its main purpose is to detect anomalies and predict failure. Drive manufacturers implement a set of S.M.A.R.T. attributes, along with threshold values for those attributes, which the drive updates during its normal operation. Let’s take a look at a couple of S.M.A.R.T. attributes which could be useful during a digital forensics investigation:

Power-On Hours: Indicates the number of hours (or other unit of time depending on implementation) the drive was powered on during its life. This could help establish for how long a hard drive was used, or whether or not it was powered on between inspections.

Power Cycle Count: Indicates the number of full power on/off cycles. This could help establish how many times the drive was power cycled, or whether or not the drive was turned on between inspections.

S.M.A.R.T. data can be queried using various tools such as smartmontools. The example listing in Figure 1 below is for a 320 GB SATA drive from a system which was turned on 24/7 for an extended period of time. The Power On Hours Count value (31269) indicates that the drive was powered on for 31,269 hours which corresponds to over 1,302 days (~3.5 years). The Power Cycle Count of 58 indicates that the drive has had 58 full power on/off cycles. By recording this information, we can later detect if the drive continued to be used when it was supposed to be kept in storage.

ID                               Current  Worst  Threshold Data            Status   
(01) Raw Read Error Rate         114      99     6         81696809        ok       
(03) Spin Up Time                97       97     0         0               ok       
(04) Start/Stop Count            100      100    20        116             ok       
(05) Reallocated Sector Count    100      100    36        0               ok       
(07) Seek Error Rate             85       60     30        377203607       ok       
(09) Power On Hours Count        65       65     0         31269           ok       
(0A) Spin Retry Count            100      100    97        0               ok       
(0C) Power Cycle Count           100      100    20        58              ok       
(B7) SATA Downshift Count        100      100    0         0               ok       
(B8) End To End Error Detection  100      100    99        0               ok       
(BB) Uncorrectable Error Count   100      100    0         0               ok       
(BC) Command Timeout             100      100    0         0               ok       
(BD) Unknown Attribute           100      100    0         0               ok       
(BE) Airflow Temperature         72       61     45        572194844       ok       
(C2) Temperature                 28       40     0         81604378652     ok       
(C3) Hardware ECC Recovered      48       39     0         81696809        ok       
(C5) Current Pending Sector      100      100    0         0               ok       
(C6) Offline Uncorrectable       100      100    0         0               ok       
(C7) Interface CRC Error Count   200      200    0         0               ok       
(F0) Head Flying Hours           100      253    0         44981192522408  ok

Figure 1 – Example S.M.A.R.T. Data

Please note that some S.M.A.R.T. attributes are known to wrap around (reset to zero once a certain number is reached) on certain drive models. Therefore, the attribute values should be reviewed in the context of the drive model and date of manufacture, and should be corroborated with other data sources when possible.

Effects of Forensic Acquisition on S.M.A.R.T. Data

Even though forensic imaging of a hard drive does not modify the user data found on the original drive, the S.M.A.R.T. data on the original drive is not write-protected and can be modified by the hard drive itself during imaging. For example, connecting the original evidence drive to a write blocker, turning it on and imaging it is expected to change, among other things, the Power Cycle Count and (on some models) the Power On Hours Count values. These changes should be taken into account if S.M.A.R.T. data is utilized during the digital forensics investigation.
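The following script is an added example, not code from the article or from smartmontools. It parses an attribute listing in the column layout of Figure 1, converts Power On Hours to days as the article does, and compares a listing recorded when a drive went into storage with one taken at the next inspection, applying the two caveats above: the inspection's own power-up is expected to add one Power Cycle (and, on some models, some Power On Hours), and a counter that has gone backwards is treated as a possible wrap-around rather than as evidence. The attribute IDs 0x09 and 0x0C are the standard ones named in the article; the two snapshot listings are constructed for the example.

```python
# Added example (not from the article): parse a S.M.A.R.T. attribute listing in
# the layout of Figure 1 and compare two snapshots of the same drive to tell
# whether it was powered on while it was supposed to be in storage.
# Attribute IDs 0x09 (Power On Hours) and 0x0C (Power Cycle Count) are the
# standard ones the article discusses; the sample listings are constructed.
import re
from dataclasses import dataclass

POWER_ON_HOURS = 0x09
POWER_CYCLE_COUNT = 0x0C

# One row of Figure 1: "(09) Power On Hours Count  65  65  0  31269  ok"
_ROW = re.compile(
    r"^\(([0-9A-Fa-f]{2})\)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$"
)


def parse_attributes(listing: str) -> dict:
    """Return {attribute_id: {name, current, worst, threshold, raw, status}}.
    Header, caption and blank lines do not match the row pattern and are skipped."""
    attrs = {}
    for line in listing.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        aid, name, cur, worst, thresh, raw, status = m.groups()
        attrs[int(aid, 16)] = {
            "name": name.strip(),
            "current": int(cur),
            "worst": int(worst),
            "threshold": int(thresh),
            "raw": int(raw),  # vendor-specific encoding; plain hours/cycles here
            "status": status,
        }
    return attrs


def hours_to_days(hours: int) -> float:
    """Power-on hours expressed in days (31269 h -> 1302.875 days)."""
    return hours / 24


@dataclass
class Verdict:
    hours_delta: int
    cycles_delta: int
    consistent_with_storage: bool
    note: str


def compare_snapshots(before: str, after: str,
                      allowed_cycles: int = 1, allowed_hours: int = 0) -> Verdict:
    """Compare the listing recorded when the drive went into storage with the
    listing taken immediately after powering it up at the next inspection.

    allowed_cycles / allowed_hours is the growth attributable to this
    inspection itself: powering the drive up through a write blocker adds one
    power cycle, and on some models Power On Hours advances too, so the
    examiner passes whatever slack the drive model warrants."""
    a, b = parse_attributes(before), parse_attributes(after)
    dh = b[POWER_ON_HOURS]["raw"] - a[POWER_ON_HOURS]["raw"]
    dc = b[POWER_CYCLE_COUNT]["raw"] - a[POWER_CYCLE_COUNT]["raw"]
    if dh < 0 or dc < 0:
        # A counter went backwards: wrap-around on this model, a reset, or a
        # different drive. Not a storage verdict; corroborate with other sources.
        return Verdict(dh, dc, False,
                       "counter decreased: possible wrap-around or different drive")
    if dh > allowed_hours or dc > allowed_cycles:
        return Verdict(dh, dc, False,
                       "activity beyond what this inspection accounts for")
    return Verdict(dh, dc, True, "consistent with the drive staying in storage")


# Constructed sample listings (a subset of the Figure 1 rows and columns).
SNAPSHOT_AT_STORAGE = """\
ID                               Current  Worst  Threshold Data            Status
(05) Reallocated Sector Count    100      100    36        0               ok
(09) Power On Hours Count        65       65     0         31269           ok
(0C) Power Cycle Count           100      100    20        58              ok
"""

# Next inspection: exactly one new power cycle (this power-up), no new hours.
SNAPSHOT_CLEAN = SNAPSHOT_AT_STORAGE.replace("58  ", "59  ")

# Next inspection: 32 extra hours and 5 extra cycles while "in storage".
SNAPSHOT_USED = (SNAPSHOT_AT_STORAGE
                 .replace("31269", "31301")
                 .replace("58  ", "63  "))

if __name__ == "__main__":
    base = parse_attributes(SNAPSHOT_AT_STORAGE)
    print(f"powered on {hours_to_days(base[POWER_ON_HOURS]['raw']):.1f} days")
    for label, snap in (("clean", SNAPSHOT_CLEAN), ("used", SNAPSHOT_USED)):
        v = compare_snapshots(SNAPSHOT_AT_STORAGE, snap)
        print(f"{label}: +{v.hours_delta} h, +{v.cycles_delta} cycles -> {v.note}")
```

In practice the listing would come from the examiner's own tool; with smartmontools, `smartctl -A /dev/sdX` prints the attribute table, but in its own column layout (ID#, ATTRIBUTE_NAME, FLAG, VALUE, WORST, THRESH, ..., RAW_VALUE), so the row pattern would need to be adapted to it. The comparison deliberately refuses to give a storage verdict when a counter has decreased, since on the affected models that is exactly what a wrap-around looks like.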

Conclusion

S.M.A.R.T. data found on hard drives has the potential to be valuable in digital forensics investigations. Digital forensic examiners should be aware of what is and what is not included in a forensic image, and take steps to capture and document S.M.A.R.T. data when applicable.

Additionally, any effects that the forensic data acquisition process has on S.M.A.R.T. data should be taken into consideration during digital forensics investigations.

Arman Gungor

About Arman Gungor

Arman Gungor is a certified computer forensic examiner (CCE) and an adept e-Discovery expert with over 21 years of computer and technology experience. Arman has been appointed by courts as a neutral computer forensics expert as well as a neutral e-Discovery consultant. His electrical engineering background gives him a deep understanding of how computer systems are designed and how they work.