Gathering Hard Drive Serial Number and Information
When acquiring data I am always worried about writing down a hard drive’s part number and serial number incorrectly. Sometimes the print is so small that an “8” will look like a “B”, or the information has been obscured by other markings, stickers, or time. Some acquisition tools, such as HELIX Pro Version 3 and FTK Imager, record this information in their drive acquisition information file and I don’t need to worry about it. But HELIX Pro doesn’t really work for me any more, and I find myself booting the system using a different Linux Live CD before falling back to HELIX if necessary.
My favorite Live CD for data acquisition is Backtrack version 4 or 5 because it is also a part of my assessment toolkit. BT4/5 has a forensic boot mode which does not use the local drive’s SWAP partition and does not automatically mount any internal or external drives. Since it is actively maintained I can usually use it to boot any system, as long as that system has a DVD drive. It would be nice to have a CD-ROM version of BT5 for systems that do not have DVD drives or the ability to boot from USB. (Yes, those types of systems are still out there.)
Unfortunately BT does not provide a scripted way to gather information about an attached drive. Software that does provide this information does so (as far as I can tell) by using C code to query the kernel for the drive’s identity data. If I had time to sit down and write the code I would, but I would rather have a simple way to use system commands to get this information. This is where “hdparm” and “sdparm” come into the picture. Both of these commands are designed to query a hard drive and report various types of information about it.
The following is the logical process that I use to gather the information I need about an attached hard drive.
The “dmesg” command provides information about any drive connected to the system. I use this command to show me where the operating system is attaching a new drive I have plugged into the system via USB or Firewire (directly or via a write blocker). In the following case the operating system is allowing access to the Western Digital hard drive via the “/dev/sdb” device file. This means that the system is treating the drive as a SCSI device. It also means (generally) that the “/dev/sda” device has already been taken by another SCSI hard drive.
cutaway@smash:~$ dmesg | tail -17
[ 383.584108] usb 1-2: new high speed USB device number 7 using ehci_hcd
[ 383.719545] scsi4 : usb-storage 1-2:1.0
[ 383.722070] input: Western Digital External HDD as /devices/pci0000:00/0000:00:1d.7/usb1/1-2/1-2:1.1/input/input12
[ 383.722264] generic-usb 0003:1058:0705.0005: input,hidraw3: USB HID v1.10 Device [Western Digital External HDD ] on usb-0000:00:1d.7-2/input1
[ 384.717116] scsi 4:0:0:0: Direct-Access WD 3200BEV External 1.75 PQ: 0 ANSI: 0
[ 384.736576] sd 4:0:0:0: Attached scsi generic sg2 type 0
[ 384.738391] sd 4:0:0:0: [sdb] 625142448 512-byte logical blocks: (320 GB/298 GiB)
[ 384.738961] sd 4:0:0:0: [sdb] Write Protect is off
[ 384.738969] sd 4:0:0:0: [sdb] Mode Sense: 23 00 00 00
[ 384.740263] sd 4:0:0:0: [sdb] No Caching mode page present
[ 384.740271] sd 4:0:0:0: [sdb] Assuming drive cache: write through
[ 384.745318] sd 4:0:0:0: [sdb] No Caching mode page present
[ 384.745326] sd 4:0:0:0: [sdb] Assuming drive cache: write through
[ 384.798801] sdb: sdb1
[ 384.801173] sd 4:0:0:0: [sdb] No Caching mode page present
[ 384.801181] sd 4:0:0:0: [sdb] Assuming drive cache: write through
[ 384.801188] sd 4:0:0:0: [sdb] Attached SCSI disk
Notice that the “dmesg” output provides the manufacturer name, part number, and disk size for this newly attached drive. The information that is missing is the drive’s serial number. To gather the serial number we will need another method.
Linux distributions usually ship the “hdparm” program as a core utility. This program is designed to “get/set SATA/IDE device parameters” for hard drives attached to the system. The following is the information this program provides for a locally attached hard drive. By locally attached I mean that the hard drive is directly connected to the system’s motherboard.
cutaway@smash:~$ sudo hdparm -i /dev/sda
/dev/sda:
Model=ST9250827AS, FwRev=3.AAA, SerialNo=5RG08HAJ
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs RotSpdTol>.5% }
RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
BuffType=unknown, BuffSize=8192kB, MaxMultSect=16, MultSect=16
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=488397168
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 udma5 *udma6
AdvancedPM=yes: unknown setting WriteCache=enabled
Drive conforms to: unknown: ATA/ATAPI-4,5,6,7
* signifies the current active mode
As you can see, by using the “hdparm” command we now know the hard drive’s manufacturer part number and serial number. Using the “-I” option gives us even more information, which could be useful to document.
cutaway@smash:~$ sudo !!
sudo hdparm -I /dev/sda
[sudo] password for cutaway:
/dev/sda:
ATA device, with non-removable media
Model Number: ST9250827AS
Serial Number: 5RG08HAJ
Firmware Revision: 3.AAA
Transport: Serial
Standards:
Used: unknown (minor revision code 0x0029)
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 488397168
Logical Sector size: 512 bytes
Physical Sector size: 512 bytes
device size with M = 1024*1024: 238475 MBytes
device size with M = 1000*1000: 250059 MBytes (250 GB)
cache/buffer size = 8192 KBytes
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec’d by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 254
Recommended acoustic management value: 254, current value: 0
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
Write-Read-Verify feature set
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Native Command Queueing (NCQ)
* Phy event counters
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
not supported: enhanced erase
Logical Unit WWN Device Identifier: 5000c5000990cb81
NAA : 5
IEEE OUI : 000c50
Unique ID : 00990cb81
Checksum: correct
It would be nice if this command also reported the manufacturer name for the drive as the “dmesg” command did, but it is not strictly necessary. A quick Google search for the Model Number shows that this is a Seagate drive.
Unfortunately we run into a problem with the “hdparm” command. This program does not work for drives attached to a system’s USB or Firewire ports. I am not exactly sure why this occurs, but it does have to do with the fact that drives attached via USB or Firewire do not return drive information when the kernel makes an “HDIO_GET_IDENTITY” request. Here is an example.
cutaway@smash:~$ sudo hdparm -i /dev/sdb
/dev/sdb:
HDIO_GET_IDENTITY failed: Invalid argument
To gather similar information we need to use the “sdparm” command. This command allows us to “access SCSI mode pages; read VPD pages; send simple SCSI commands” for a SCSI-based hard drive. To get a hard drive’s serial number using “sdparm” we need to directly query the VPD page that contains this information. Sometimes the “--inquiry” option will provide it and sometimes it will not. By querying the “sn” (unit serial number) page directly we can ensure we get the hard drive’s part number and serial number with a single command.
cutaway@smash:~$ sudo sdparm --page=sn /dev/sdb
/dev/sdb: WD 3200BEV External 1.75
Unit serial number VPD page:
WD-WXE308NF5233
If we need information about the drive’s capacity we will need to send an actual SCSI command to query the data from the drive. For this we use the “-C” option with the parameter “capacity”.
cutaway@smash:~$ sudo sdparm -C capacity /dev/sdb
/dev/sdb: WD 3200BEV External 1.75
blocks: 625142448
block_length: 512
capacity_mib: 305245.3
Be aware that the information returned by this command depends on how the drive responds to the request. Most mainstream hard drives and manufacturers will return good data. Some manufacturers and drive types (such as Flash drives) may not return the information you expect or require. Therefore, your mileage may vary.
This is all well and good, but as you will find out the “sdparm” program is not installed as a core utility on most Linux distributions. It has to be specifically installed. Live CDs may or may not provide this utility, and this held true for Backtrack as well. The latest release, Backtrack 5r2, does include the “sdparm” program, specifically so that this information can be gathered from both the hard drive being acquired and the destination hard drive.
I have considered writing a Python script that gathers this information. My first attempt queried “HDIO_GET_IDENTITY” and worked for local drives but not external drives, thus leading me down this rabbit hole. I guess I will have to leverage Python’s subprocess capabilities to use the “sdparm” command to gather this information reliably. I was holding off on this script until “sdparm” was included in BT5r2. Now that it is released I guess I need to get busy. Check back soon.
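The following is an added example of the script idea above, written for this page and not the post author's own code. It drives the same three steps described earlier (read “dmesg” for the device name and size, try “hdparm -i”, and fall back to the “sdparm” unit serial number and capacity pages when the kernel refuses HDIO_GET_IDENTITY) through Python’s subprocess module. It assumes hdparm and sdparm are on PATH and that the caller may open the block device (root or sudo); the sample outputs embedded in it are transcribed from the terminal sessions on this page so the parsers can be exercised with no drive attached.

```python
"""Drive identification via hdparm/sdparm, driven from Python's subprocess.

Added example, not the post author's script. Assumes hdparm and sdparm are on
PATH and the caller may open the block device; the parsers are exercised on
output transcribed from the post's terminal sessions.
"""
import re
import shutil
import subprocess

# Sample outputs transcribed from the post so the parsers run with no drive attached.
SAMPLE_DMESG = """\
[  384.717116] scsi 4:0:0:0: Direct-Access     WD       3200BEV External 1.75 PQ: 0 ANSI: 0
[  384.738391] sd 4:0:0:0: [sdb] 625142448 512-byte logical blocks: (320 GB/298 GiB)
[  384.738961] sd 4:0:0:0: [sdb] Write Protect is off
"""
SAMPLE_HDPARM_I = "/dev/sda:\n\n Model=ST9250827AS, FwRev=3.AAA, SerialNo=5RG08HAJ\n"
SAMPLE_HDPARM_FAIL = "/dev/sdb:\n HDIO_GET_IDENTITY failed: Invalid argument\n"
SAMPLE_SDPARM_SN = """\
    /dev/sdb: WD        3200BEV External  1.75
Unit serial number VPD page:
  WD-WXE308NF5233
"""
SAMPLE_SDPARM_CAP = """\
    /dev/sdb: WD        3200BEV External  1.75
blocks: 625142448
block_length: 512
capacity_mib: 305245.3
"""

def parse_dmesg(text):
    """Map each sdX announced in dmesg to vendor/model, block count and write-protect flag."""
    drives, vendor_by_addr = {}, {}
    for line in text.splitlines():
        # The vendor/model line and the [sdX] lines share the host:channel:id:lun address.
        m = re.search(r"scsi (\d+:\d+:\d+:\d+): Direct-Access\s+(.*?)\s+PQ:", line)
        if m:
            vendor_by_addr[m.group(1)] = re.sub(r"\s+", " ", m.group(2))
            continue
        m = re.search(r"sd (\d+:\d+:\d+:\d+): \[(sd\w+)\] (.*)", line)
        if not m:
            continue
        addr, dev, rest = m.groups()
        info = drives.setdefault(dev, {"device": "/dev/" + dev, "vendor_model": vendor_by_addr.get(addr)})
        cap = re.match(r"(\d+) (\d+)-byte logical blocks: \((.*?)\)", rest)
        if cap:
            info.update(blocks=int(cap.group(1)), block_length=int(cap.group(2)), size_human=cap.group(3))
        wp = re.match(r"Write Protect is (\w+)", rest)
        if wp:
            info["write_protect"] = wp.group(1)
    return drives

def parse_hdparm_i(text):
    """Parse the Model/FwRev/SerialNo line of 'hdparm -i'; None if HDIO_GET_IDENTITY was refused."""
    m = re.search(r"Model=(.+?), FwRev=(.+?), SerialNo=(\S+)", text)
    if "HDIO_GET_IDENTITY failed" in text or not m:
        return None
    return {"model": m.group(1), "firmware": m.group(2), "serial": m.group(3)}

def parse_sdparm_sn(text):
    """Parse 'sdparm --page=sn': the header gives vendor/model, the VPD page gives the serial."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    result = {}
    for i, line in enumerate(lines):
        if line.startswith("/dev/"):
            dev, _, ident = line.partition(":")
            result.update(device=dev, vendor_model=re.sub(r"\s+", " ", ident.strip()))
        elif line.startswith("Unit serial number VPD page") and i + 1 < len(lines):
            result["serial"] = lines[i + 1]
    return result if "serial" in result else None

def parse_sdparm_capacity(text):
    """Parse 'sdparm -C capacity'; bytes is recomputed as blocks * block_length for cross-checking."""
    fields = dict(re.findall(r"^(blocks|block_length|capacity_mib): (\S+)$", text, re.M))
    if "blocks" not in fields or "block_length" not in fields:
        return None
    blocks, blen = int(fields["blocks"]), int(fields["block_length"])
    return {"blocks": blocks, "block_length": blen, "bytes": blocks * blen,
            "capacity_mib": float(fields.get("capacity_mib", 0))}

def run(cmd):
    """Run a tool and return stdout+stderr (hdparm reports the ioctl failure on stderr)."""
    if shutil.which(cmd[0]) is None:
        raise FileNotFoundError(f"{cmd[0]} is not installed")
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr

def sample_runner(cmd):
    """Stand-in for run() that replays the transcribed outputs (offline demonstration)."""
    if cmd[0] == "hdparm":
        return SAMPLE_HDPARM_I if cmd[-1] == "/dev/sda" else SAMPLE_HDPARM_FAIL
    return SAMPLE_SDPARM_SN if cmd[1] == "--page=sn" else SAMPLE_SDPARM_CAP

def identify(device, runner=run):
    """Try hdparm -i; when HDIO_GET_IDENTITY fails (USB/Firewire in the post) fall back to sdparm."""
    ident = parse_hdparm_i(runner(["hdparm", "-i", device]))
    if ident is not None:
        return dict(ident, source="hdparm")
    ident = parse_sdparm_sn(runner(["sdparm", "--page=sn", device]))
    if ident is None:
        return None
    cap = parse_sdparm_capacity(runner(["sdparm", "-C", "capacity", device])) or {}
    return dict(ident, source="sdparm", **cap)

if __name__ == "__main__":
    for dev in ("/dev/sda", "/dev/sdb"):
        print(dev, identify(dev, sample_runner))  # pass runner=run on a live system
    print(parse_dmesg(SAMPLE_DMESG))
```

The runner is injected so the fallback logic can be checked against the recorded outputs before it is trusted on a live acquisition; on a real system call identify(device) with the default runner. Recording the block count from both dmesg and sdparm gives a cheap cross-check that the device you identified is the device you are imaging.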
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.