Forensically imaging a hard drive is typically defined as making a bit-by-bit copy of all the sectors on the drive. It is usually not mentioned that hard disk drives also contain service areas which store information used for internally managing the drives (e.g. defect management). Information in the service area of a drive is not presented to the user, is inaccessible using standard ATA commands and is not captured from the original drive during the traditional forensic imaging process. One of the key pieces of information typically found in the service area of a hard drive is S.M.A.R.T. data, which can be valuable during digital forensics investigations.
What Is S.M.A.R.T.?
S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) is an internal monitoring and reporting technology built into most modern hard drives. Its main purpose is to detect anomalies and predict failure. Drive manufacturers implement a set of S.M.A.R.T. attributes, as well as threshold values for those attributes, which the drive maintains during its normal operation. Let’s take a look at a couple of S.M.A.R.T. attributes which could be useful during a digital forensics investigation:
Power-On Hours: Indicates the number of hours (or other unit of time depending on implementation) the drive was powered on during its life. This could help establish for how long a hard drive was used, or whether or not it was powered on between inspections.
Power Cycle Count: Indicates the number of full power on/off cycles. This could help establish how many times the drive was power cycled, or whether or not the drive was turned on between inspections.
S.M.A.R.T. data can be queried using various tools such as smartmontools. The example listing in Figure 1 below is for a 320 GB SATA drive from a system which was turned on 24/7 for an extended period of time. The Power On Hours Count value (31269) indicates that the drive was powered on for 31,269 hours, which corresponds to over 1,302 days (~3.5 years). The Power Cycle Count of 58 indicates that the drive has had 58 full power on/off cycles. By recording this information, we can later detect if the drive continued to be used when it was supposed to be kept in storage.
Figure 1 – Example S.M.A.R.T. Data
Please note that some S.M.A.R.T. attributes are known to wrap around (reset to zero once a certain number is reached) on certain drive models. Therefore, the attribute values should be reviewed in the context of the drive model and date of manufacture, and should be corroborated with other data sources when possible.
Effects of Forensic Acquisition on S.M.A.R.T. Data
Even though forensic imaging of a hard drive does not modify the user data found on the original drive, the S.M.A.R.T. data on the original drive is not write-protected and can be modified by the hard drive itself during imaging. For example, connecting the original evidence drive to a write blocker, turning it on and imaging it is expected to change, among other things, the Power Cycle Count and Power On Hours Count (on some models) values. These changes should be taken into account if S.M.A.R.T. data is utilized during the digital forensics investigation.
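As an added example (not part of the original article), the Python sketch below compares a S.M.A.R.T. reading recorded at intake with a later reading and accounts for power-ups the examiner documented, such as the imaging session itself. It assumes the readings were saved in the attribute table layout printed by smartmontools' `smartctl -A`, with Power_On_Hours as ID 9 and Power_Cycle_Count as ID 12; the sample tables, the `documented_power_ups` parameter and the function names are constructed for illustration.

```python
import re

# Constructed sample in the `smartctl -A` table layout. The raw values 31269 and
# 58 are the figures quoted in the article; every other field is illustrative.
TABLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   058   058   000    Old_age   Always       -       {hours}
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       {cycles}
194 Temperature_Celsius     0x0022   110   095   000    Old_age   Always       -       33 (Min/Max 19/48)
"""
AT_INTAKE = TABLE.format(hours=31269, cycles=58)        # recorded when the drive was received
AT_REINSPECTION = TABLE.format(hours=31275, cycles=61)  # constructed later reading

WATCHED = {9: "Power_On_Hours", 12: "Power_Cycle_Count"}

def parse_raw_values(text):
    """Map attribute ID -> leading integer of RAW_VALUE (some drives append text)."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 10 and fields[0].isdigit():
            m = re.match(r"\d+", fields[9])
            if m:
                rows[int(fields[0])] = int(m.group())
    return rows

def compare(baseline_text, later_text, documented_power_ups=0):
    """Return {name: (delta, verdict)}; documented_power_ups come from the examiner's log."""
    base, later = parse_raw_values(baseline_text), parse_raw_values(later_text)
    report = {}
    for attr_id, name in WATCHED.items():
        if attr_id not in base or attr_id not in later:
            report[name] = (None, "not reported")
            continue
        delta = later[attr_id] - base[attr_id]
        if delta < 0:
            verdict = "decreased (possible wrap-around, corroborate)"
        elif delta == 0:
            verdict = "unchanged"
        elif attr_id == 12 and delta > documented_power_ups:
            verdict = f"{delta - documented_power_ups} undocumented power cycle(s)"
        else:
            verdict = "increased (check against handling log)"
        report[name] = (delta, verdict)
    return report

if __name__ == "__main__":
    # One documented power-up: the imaging session itself.
    for name, (delta, verdict) in compare(AT_INTAKE, AT_REINSPECTION, 1).items():
        print(f"{name}: delta={delta} -> {verdict}")
```

A negative delta is reported rather than treated as an error because of the wrap-around behaviour noted above; it calls for corroboration from other sources, not a conclusion on its own.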
S.M.A.R.T. data found on hard drives has the potential to be valuable in digital forensics investigations. Digital forensic examiners should be aware of what is and what is not included in a forensic image, and take steps to capture and document S.M.A.R.T. data when applicable.
Additionally, any effects that the forensic data acquisition process has on S.M.A.R.T. data should be taken into consideration during digital forensics investigations.