Forensically imaging a hard drive is typically defined as making a bit-by-bit copy of all the sectors on the drive. It is usually not mentioned that hard disk drives also contain service areas which store information used for internally managing the drives (e.g. defect management). Information in the service area of a drive is not presented to the user, is inaccessible using standard ATA commands and is not captured from the original drive during the traditional forensic imaging process. One of the key pieces of information typically found in the service area of a hard drive is S.M.A.R.T. data, which can be valuable during digital forensics investigations.
What Is S.M.A.R.T.?
S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) is an internal monitoring and reporting technology built into most modern hard drives. Its main purpose is to detect anomalies and predict failure. Drive manufacturers define a set of S.M.A.R.T. attributes, along with threshold values for them, which the drive updates during its normal operation. Let’s take a look at a couple of S.M.A.R.T. attributes which could be useful during a digital forensics investigation:
Power-On Hours: Indicates the number of hours (or other unit of time depending on implementation) the drive was powered on during its life. This could help establish for how long a hard drive was used, or whether or not it was powered on between inspections.
Power Cycle Count: Indicates the number of full power on/off cycles. Could help establish how many times the drive was power cycled, or whether or not the drive was turned on between inspections.
S.M.A.R.T. data can be queried using various tools such as smartmontools. The example listing in Figure 1 below is for a 320 GB SATA drive from a system which was turned on 24/7 for an extended period of time. The Power On Hours Count value (31269) indicates that the drive was powered on for 31,269 hours which corresponds to over 1,302 days (~3.5 years). The Power Cycle Count of 58 indicates that the drive has had 58 full power on/off cycles. By recording this information, we can later detect if the drive continued to be used when it was supposed to be kept in storage.
ID    Attribute                    Current  Worst  Threshold  Data             Status
(01)  Raw Read Error Rate          114      99     6          81696809         ok
(03)  Spin Up Time                 97       97     0          0                ok
(04)  Start/Stop Count             100      100    20         116              ok
(05)  Reallocated Sector Count     100      100    36         0                ok
(07)  Seek Error Rate              85       60     30         377203607        ok
(09)  Power On Hours Count         65       65     0          31269            ok
(0A)  Spin Retry Count             100      100    97         0                ok
(0C)  Power Cycle Count            100      100    20         58               ok
(B7)  SATA Downshift Count         100      100    0          0                ok
(B8)  End To End Error Detection   100      100    99         0                ok
(BB)  Uncorrectable Error Count    100      100    0          0                ok
(BC)  Command Timeout              100      100    0          0                ok
(BD)  Unknown Attribute            100      100    0          0                ok
(BE)  Airflow Temperature          72       61     45         572194844        ok
(C2)  Temperature                  28       40     0          81604378652      ok
(C3)  Hardware ECC Recovered       48       39     0          81696809         ok
(C5)  Current Pending Sector       100      100    0          0                ok
(C6)  Offline Uncorrectable        100      100    0          0                ok
(C7)  Interface CRC Error Count    200      200    0          0                ok
(F0)  Head Flying Hours            100      253    0          44981192522408   ok
Figure 1 – Example S.M.A.R.T. Data
Please note that some S.M.A.R.T. attributes are known to wrap around (reset to zero once a certain number is reached) on certain drive models. Therefore, attribute values should be reviewed in the context of the drive model and date of manufacture, and should be corroborated with other data sources when possible.
Effects of Forensic Acquisition on S.M.A.R.T. Data
Even though forensic imaging of a hard drive does not modify the user data found on the original drive, the S.M.A.R.T. data on the original drive is not write-protected and can be modified by the hard drive itself during imaging. For example, connecting the original evidence drive to a write blocker, turning it on and imaging it is expected to change, among other things, the Power Cycle Count and (on some models) the Power On Hours Count values. These changes should be taken into account if S.M.A.R.T. data is utilized during the digital forensics investigation.
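The following script is an added example, not code from the original article or from smartmontools: it parses attribute listings in the layout of Figure 1, converts the Power On Hours value to days and years as the article does, and then compares a "before imaging" snapshot against a later one so that the acquisition effects just described (and the wrap-around caveat from the previous section) show up as explicit findings rather than being overlooked. The "before" listing reproduces the Figure 1 values; the "after" listing, the `expected_power_cycles` parameter, the attribute-ID constants and all function names are assumptions made for this example.

```python
"""Parse S.M.A.R.T. attribute listings in the layout of Figure 1 and compare
two snapshots of the same drive (e.g. before and after imaging).
Added example for this article; smartctl is not invoked here."""
import re
from dataclasses import dataclass

# ATA S.M.A.R.T. attribute IDs used below (hexadecimal, as printed in Figure 1).
POWER_ON_HOURS = 0x09
POWER_CYCLE_COUNT = 0x0C

# One line in the Figure 1 layout: (ID) Name Current Worst Threshold Data Status
ATTR_RE = re.compile(
    r"^\((?P<id>[0-9A-Fa-f]{2})\)\s+(?P<name>.+?)\s+"
    r"(?P<current>\d+)\s+(?P<worst>\d+)\s+(?P<threshold>\d+)\s+"
    r"(?P<raw>\d+)\s+(?P<status>\S+)\s*$"
)

@dataclass(frozen=True)
class Attribute:
    id: int
    name: str
    current: int
    worst: int
    threshold: int
    raw: int
    status: str

def parse_attributes(listing: str) -> dict[int, Attribute]:
    """Return {attribute id: Attribute}; header and blank lines are skipped."""
    attrs = {}
    for line in listing.splitlines():
        m = ATTR_RE.match(line.strip())
        if not m:
            continue
        aid = int(m["id"], 16)
        attrs[aid] = Attribute(aid, m["name"].strip(), int(m["current"]),
                               int(m["worst"]), int(m["threshold"]),
                               int(m["raw"]), m["status"])
    return attrs

def power_on_summary(attrs: dict[int, Attribute], hours_per_unit: float = 1.0) -> dict:
    """Convert the Power On Hours raw value to hours, whole days and years.
    hours_per_unit covers models whose counter is not in hours; the unit is
    implementation-specific, so confirm it for the drive model at hand."""
    hours = attrs[POWER_ON_HOURS].raw * hours_per_unit
    return {"hours": hours, "days": int(hours // 24),
            "years": round(hours / (24 * 365), 2)}

def compare_snapshots(before: dict[int, Attribute], after: dict[int, Attribute],
                      expected_power_cycles: int = 1) -> dict[int, dict]:
    """Diff raw values between two snapshots of the same drive.
    expected_power_cycles is how many power cycles the examiner's own handling
    accounts for (one for a single power-on, image, power-off session). Extra
    cycles and any counter that went backwards are flagged for follow-up."""
    findings = {}
    for aid, b in before.items():
        a = after.get(aid)
        if a is None or a.raw == b.raw:
            continue
        delta = a.raw - b.raw
        if delta < 0:
            note = "decreased: possible wrap-around or reset; verify for this drive model"
        elif aid == POWER_CYCLE_COUNT and delta > expected_power_cycles:
            note = (f"{delta - expected_power_cycles} power cycle(s) beyond the "
                    f"{expected_power_cycles} expected from acquisition")
        elif aid == POWER_CYCLE_COUNT:
            note = "consistent with acquisition handling"
        elif aid == POWER_ON_HOURS:
            note = f"{delta} additional power-on unit(s) since the earlier snapshot"
        else:
            note = "changed; check whether acquisition handling explains it"
        findings[aid] = {"name": b.name, "before": b.raw, "after": a.raw,
                         "delta": delta, "note": note}
    return findings

# "Before" snapshot: the values of Figure 1 in the article.
FIGURE1_LISTING = """
(01) Raw Read Error Rate 114 99 6 81696809 ok
(03) Spin Up Time 97 97 0 0 ok
(04) Start/Stop Count 100 100 20 116 ok
(05) Reallocated Sector Count 100 100 36 0 ok
(07) Seek Error Rate 85 60 30 377203607 ok
(09) Power On Hours Count 65 65 0 31269 ok
(0A) Spin Retry Count 100 100 97 0 ok
(0C) Power Cycle Count 100 100 20 58 ok
(B7) SATA Downshift Count 100 100 0 0 ok
(B8) End To End Error Detection 100 100 99 0 ok
(BB) Uncorrectable Error Count 100 100 0 0 ok
(BC) Command Timeout 100 100 0 0 ok
(BD) Unknown Attribute 100 100 0 0 ok
(BE) Airflow Temperature 72 61 45 572194844 ok
(C2) Temperature 28 40 0 81604378652 ok
(C3) Hardware ECC Recovered 48 39 0 81696809 ok
(C5) Current Pending Sector 100 100 0 0 ok
(C6) Offline Uncorrectable 100 100 0 0 ok
(C7) Interface CRC Error Count 200 200 0 0 ok
(F0) Head Flying Hours 100 253 0 44981192522408 ok
"""

# Constructed "after" snapshot (values invented for this example): two power
# cycles, two more hours, and a Head Flying Hours counter that went backwards.
AFTER_LISTING = (FIGURE1_LISTING
    .replace("(09) Power On Hours Count 65 65 0 31269 ok", "(09) Power On Hours Count 65 65 0 31271 ok")
    .replace("(0C) Power Cycle Count 100 100 20 58 ok", "(0C) Power Cycle Count 100 100 20 60 ok")
    .replace("(04) Start/Stop Count 100 100 20 116 ok", "(04) Start/Stop Count 100 100 20 118 ok")
    .replace("(F0) Head Flying Hours 100 253 0 44981192522408 ok", "(F0) Head Flying Hours 100 253 0 1204 ok"))

if __name__ == "__main__":
    before = parse_attributes(FIGURE1_LISTING)
    print("Power on:", power_on_summary(before))
    for aid, f in compare_snapshots(before, parse_attributes(AFTER_LISTING)).items():
        print(f"({aid:02X}) {f['name']}: {f['before']} -> {f['after']} ({f['note']})")
```

Recording a snapshot like `FIGURE1_LISTING` at intake and another at each later inspection, then running `compare_snapshots` with the number of power cycles your own handling accounts for, turns the article's advice into a repeatable check: an unexplained extra power cycle or power-on hours stands out, and a counter that moved backwards is flagged for the model-specific wrap-around review rather than silently treated as usage.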
Conclusion
S.M.A.R.T. data found on hard drives has the potential to be valuable in digital forensics investigations. Digital forensic examiners should be aware of what is and what is not included in a forensic image, and take steps to capture and document S.M.A.R.T. data when applicable.
Additionally, any effects that the forensic data acquisition process has on S.M.A.R.T. data should be taken into consideration during digital forensics investigations.