Logical Unit WWN Device Identifier: 50014ee25fcfe40c
NAA : 5
IEEE OUI : 0014ee
Unique ID : 25fcfe40c
Checksum: correct
The hdparm output contains a number of items of interest to forensic investigators, either for documentation or as information for further analysis. To include the entire output of hdparm -I in a forensic report, you can redirect it to a text file.
A similar tool for querying SCSI drives is sdparm, which you can use to access SCSI mode pages. Running sdparm with the flags -a -l retrieves a verbose list of disk parameters. A more concise query using sdparm -i can extract the Vital Product Data (VPD), which provides unique identifying information about the make, model, and serial number of SCSI and SAS drives.
Extract SMART Data with smartctl
SMART was developed in the early 1990s to help monitor hard disks and predict failures. It was added to the SCSI-3 standard in 1995 (SCSI-3 standard: X3T10/94-190 Rev 4) and the ATA-3 standard in 1997 (ATA-3 standard: X3.298-1997). Because certain details about the disk hardware may be of value in forensic investigations, in this section, you’ll learn several techniques to extract SMART information about the disk hardware.
The smartctl command is part of the smartmontools package and provides access to the SMART interface built into nearly all modern hard drives. The smartctl command queries attached ATA, SATA, SAS, and SCSI hardware.
SMART provides a number of variables and statistics about a disk, some of which could be of interest to a forensic investigator. For example:
• Statistics about errors on the disk and the overall health of the disk
• Number of times the disk was powered on
• Number of hours the disk was in operation
• Number of bytes read and written (often expressed in gigabytes)
• Various SMART logs (temperature history, and so on); the statistics and logs available vary among hard disk vendors.
The following example shows SMART data requested from a drive. The listing is annotated with comments relevant to forensic investigators.
The -x flag instructs smartctl to print all available information. The first block of output is the information section, which provides unique identifying information about the drive. You can also retrieve most of this information using other tools, such as hdparm, as shown in previous examples.
# smartctl -x /dev/sda
smartctl 6.4 2014-10-07 r4002 [x86_64-linux-4.2.0-22-generic] (local build)
Copyright (C) 2002-14, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION ===
Model Family:     Western Digital Green
Device Model:     WDC WD20EZRX-00D8PB0
Serial Number:    WD-WCC4NDA2N98P
LU WWN Device Id: 5 0014ee 25fcfe40c
Firmware Version: 80.00A80
User Capacity:    2,000,398,934,016 bytes [2.00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   ACS-2 (minor revision not indicated)
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Thu Jan  7 12:33:43 2016 CET
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM feature is:   Unavailable
Rd look-ahead is: Enabled
Write cache is:   Enabled
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Enabled
...
The following SMART data section shows the health of the drive and the results of self-tests. An unhealthy drive is an early warning of possible acquisition issues. Additional SMART capabilities are then listed.
...
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x82) Offline data collection activity was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed without error or no self-test has ever been run.
Total time to complete Offline
data collection: (30480) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
SMART capabilities: (0x0003) Saves SMART data before entering power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 307) minutes.
Conveyance self-test routine
recommended polling time: ( 5) minutes.
SCT capabilities: (0x7035) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.
...
The next section provides more statistics about the drive. Of possible forensic interest here are statistics on the history of the drive usage; for example, the cumulative number of hours the drive has been powered on (Power_On_Hours) and how many times the drive has been powered up (Power_Cycle_Count). Both attributes may be correlated with the PC from which the drive was taken. The total logical block addresses (LBAs) read and written indicate the drive volume usage in the past.
...
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAGS    VALUE WORST THRESH FAIL RAW_VALUE
  1 Raw_Read_Error_Rate     POSR-K   200   200   051    -    0
  3 Spin_Up_Time            POS--K   181   180   021    -    5908
  4 Start_Stop_Count        -O--CK   100   100   000    -    61
  5 Reallocated_Sector_Ct   PO--CK   200   200   140    -    0
  7 Seek_Error_Rate         -OSR-K   200   200   000    -    0
  9 Power_On_Hours          -O--CK   099   099   000    -    989
 10 Spin_Retry_Count        -O--CK   100   253   000    -    0
 11 Calibration_Retry_Count -O--CK   100   253   000    -    0
 12 Power_Cycle_Count       -O--CK   100   100   000    -    59
192 Power-Off_Retract_Count -O--CK   200   200   000    -    33
193 Load_Cycle_Count        -O--CK   199   199   000    -    3721
194 Temperature_Celsius     -O---K   119   110   000    -    31
196 Reallocated_Event_Count -O--CK   200   200   000    -    0
197 Current_Pending_Sector  -O--CK   200   200   000    -    4
198 Offline_Uncorrectable   ----CK   200   200   000    -    4
199 UDMA_CRC_Error_Count    -O--CK   200   200   000    -    0
200 Multi_Zone_Error_Rate   ---R--   200   200   000    -    4
||||||_ K auto-keep
The next section is the log directory, which describes the SMART logs available on the drive. The logs are included in the smartctl -x output with repeating entries removed (“skipped”). Some of these logs may be of interest in a forensic investigation.
...
General Purpose Log Directory Version 1
SMART Log Directory Version 1 [multi-sector log support]
Address    Access  R/W   Size  Description
0x00       GPL,SL  R/O      1  Log Directory
0x01           SL  R/O      1  Summary SMART error log
0x02           SL  R/O      5  Comprehensive SMART error log
0x03       GPL     R/O      6  Ext. Comprehensive SMART error log
0x06           SL  R/O      1  SMART self-test log
0x07       GPL     R/O      1  Extended self-test log
0x09           SL  R/W      1  Selective self-test log
0x10       GPL     R/O      1  SATA NCQ Queued Error log
0x11       GPL     R/O      1  SATA Phy Event Counters log
0x80-0x9f  GPL,SL  R/W     16  Host vendor specific log
0xa0-0xa7  GPL,SL  VS      16  Device vendor specific log
0xa8-0xb7  GPL,SL  VS       1  Device vendor specific log
0xbd       GPL,SL  VS       1  Device vendor specific log
0xc0       GPL,SL  VS       1  Device vendor specific log
0xc1       GPL     VS      93  Device vendor specific log
0xe0       GPL,SL  R/W      1  SCT Command/Status
0xe1       GPL,SL  R/W      1  SCT Data Transfer
...
The next section of log information displays the results of self-tests.
Failed self-tests are an early warning that the acquisition could have issues.
...
SMART Extended Comprehensive Error Log Version: 1 (6 sectors)
No Errors Logged
SMART Extended Self-test Log Version: 1 (1 sectors)
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of...
# 1  Short offline       Completed without error       00%         0         -
SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.
SCT Status Version: 3
SCT Version (vendor specific): 258 (0x0102)
SCT Support Level: 1
Device State: Active (0)
...
The next output block describes a drive’s temperature statistics. This information could be useful to monitor during the acquisition process. For investigation purposes, the minimum and maximum temperatures reached during the drive’s lifetime might be of interest if correlated with environmental factors linked to a suspect’s PC. Vendor-specific SMART data is not part of the generic SMART standard, and you may need additional proprietary documentation to understand it.
...
Current Temperature: 31 Celsius
Power Cycle Min/Max Temperature:     22/31 Celsius
Lifetime    Min/Max Temperature:     20/41 Celsius
Under/Over Temperature Limit Count:   0/0
Vendor specific:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
Some SMART-capable drives maintain a log of temperature history. You can calculate the history from the interval multiplied by the history size. In this example, 478 minutes are roughly 8 hours of temperature data. Some disks have a temperature-logging interval set much higher (one hour or more). The temperature-logging interval is potentially useful for investigations: if a disk were seized immediately after a crime, known temperature variations might be correlated with the disk temperature record.
...
SCT Temperature History Version:     2
Temperature Sampling Period:         1 minute
Temperature Logging Interval:        1 minute
Min/Max recommended Temperature:     0/60 Celsius
Min/Max Temperature Limit:         -41/85 Celsius
Temperature History Size (Index):    478 (175)

Index    Estimated Time   Temperature Celsius
 176    2016-01-07 05:00     ?  -
 ...    ..(300 skipped).    ..  -
 477    2016-01-07 10:01     ?  -
   0    2016-01-07 10:02    29  **********
   1    2016-01-07 10:03    30  ***********
 ...    ..( 68 skipped).    ..  ***********
  70    2016-01-07 11:12    30  ***********
  71    2016-01-07 11:13    31  ************
 ...    ..(103 skipped).    ..  ************
 175    2016-01-07 12:57    31  ************
...
The final section of output in this example shows statistics of physical errors. It can be useful to compare these statistics with values during or at the end of an acquisition to ensure no physical errors arose during the process.
...
SCT Error Recovery Control command not supported
Device Statistics (GP/SMART Log 0x04) not supported
SATA Phy Event Counters (GP Log 0x11)
ID      Size     Value  Description
0x0001  2            0  Command failed due to ICRC error
0x0002  2            0  R_ERR response for data FIS
0x0003  2            0  R_ERR response for device-to-host data FIS
0x0004  2            0  R_ERR response for host-to-device data FIS
0x0005  2            0  R_ERR response for non-data FIS
0x0006  2            0  R_ERR response for device-to-host non-data FIS
0x0007  2            0  R_ERR response for host-to-device non-data FIS
0x0008  2            0  Device-to-host non-data FIS retries
0x0009  2            6  Transition from drive PhyRdy to drive PhyNRdy
0x000a  2            6  Device-to-host register FISes sent due to a COMRESET
0x000b  2            0  CRC errors within host-to-device FIS
0x000f  2            0  R_ERR response for host-to-device data FIS, CRC
0x0012  2            0  R_ERR response for host-to-device non-data FIS, CRC
0x8000  4        14532  Vendor specific
Other SMART logs might exist depending on the drive vendor. Consult the smartctl(8) manual page for more information about additional flags and queries that you can send to attached subject drives.
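Three of the points above (recording the usage-history counters, working out how much time the SCT temperature history covers, and comparing error counters captured before and after an acquisition) lend themselves to a small script run over saved smartctl -x output. The following is an added example, not code from the book or from smartmontools. The SMART_BEFORE text is constructed for this example, modelled on the listing above, and SMART_AFTER is a constructed "after imaging" capture with a few counters changed; in practice you would read both from files saved with smartctl -x /dev/sdX > before.txt and a second capture after imaging. The regular expressions, the ERROR_ATTRS selection and all function names are this example's own choices.

```python
"""Extract forensically useful fields from saved `smartctl -x` output and
compare two captures (before and after an acquisition).

Added example, not part of the book or of smartmontools. All sample text
below is constructed, modelled on the smartctl listing in the text.
"""
import re

# Error counters that should stay flat during an acquisition (example choice).
ERROR_ATTRS = ("Reallocated_Sector_Ct", "Current_Pending_Sector",
               "Offline_Uncorrectable", "UDMA_CRC_Error_Count")
# Usage-history counters worth recording in the report.
USAGE_ATTRS = ("Power_On_Hours", "Power_Cycle_Count")

# One row of the "Vendor Specific SMART Attributes with Thresholds" table:
# ID# NAME FLAGS VALUE WORST THRESH FAIL RAW_VALUE (leading integer of raw).
ATTR_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([POSRCK-]{6})\s+(\d{3})\s+(\d{3})"
                     r"\s+(\d{3})\s+(\S+)\s+(\d+)")
# One row of the "SATA Phy Event Counters" table: ID SIZE VALUE DESCRIPTION.
PHY_RE = re.compile(r"^\s*(0x[0-9a-f]{4})\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# Constructed pre-acquisition capture (values taken from the listing above).
SMART_BEFORE = """\
ID# ATTRIBUTE_NAME          FLAGS    VALUE WORST THRESH FAIL RAW_VALUE
  5 Reallocated_Sector_Ct   PO--CK   200   200   140    -    0
  9 Power_On_Hours          -O--CK   099   099   000    -    989
 12 Power_Cycle_Count       -O--CK   100   100   000    -    59
194 Temperature_Celsius     -O---K   119   110   000    -    31
197 Current_Pending_Sector  -O--CK   200   200   000    -    4
198 Offline_Uncorrectable   ----CK   200   200   000    -    4
199 UDMA_CRC_Error_Count    -O--CK   200   200   000    -    0

SCT Temperature History Version:     2
Temperature Sampling Period:         1 minute
Temperature Logging Interval:        1 minute
Temperature History Size (Index):    478 (175)

SATA Phy Event Counters (GP Log 0x11)
ID      Size     Value  Description
0x0001  2            0  Command failed due to ICRC error
0x0009  2            6  Transition from drive PhyRdy to drive PhyNRdy
0x8000  4        14532  Vendor specific
"""

# Constructed post-acquisition capture: four more power-on hours, two new
# pending sectors, two UDMA CRC errors and one ICRC-failed command.
SMART_AFTER = (SMART_BEFORE
               .replace("-    989", "-    993")
               .replace("-O--CK   200   200   000    -    4\n198",
                        "-O--CK   200   200   000    -    6\n198")
               .replace("UDMA_CRC_Error_Count    -O--CK   200   200   000    -    0",
                        "UDMA_CRC_Error_Count    -O--CK   200   200   000    -    2")
               .replace("0  Command failed", "1  Command failed"))


def parse_attributes(text):
    """Map attribute name -> raw value (leading integer) from the SMART table."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(8))
    return attrs


def parse_phy_counters(text):
    """Map description -> value from the SATA Phy Event Counters table."""
    counters = {}
    for line in text.splitlines():
        m = PHY_RE.match(line)
        if m:
            counters[m.group(4)] = int(m.group(3))
    return counters


def usage_summary(text):
    """Usage-history counters (Power_On_Hours, Power_Cycle_Count) for the report."""
    attrs = parse_attributes(text)
    return {name: attrs[name] for name in USAGE_ATTRS if name in attrs}


def temperature_history_minutes(text):
    """Minutes covered by the SCT temperature history: logging interval x size."""
    interval = re.search(r"Temperature Logging Interval:\s+(\d+)\s+minute", text)
    size = re.search(r"Temperature History Size \(Index\):\s+(\d+)", text)
    if not (interval and size):
        return None  # drive has no SCT temperature history
    return int(interval.group(1)) * int(size.group(1))


def compare_snapshots(before, after):
    """Error counters that grew between two captures: {name: (before, after)}."""
    grown = {}
    a_before, a_after = parse_attributes(before), parse_attributes(after)
    for name in ERROR_ATTRS:
        if name in a_before and name in a_after and a_after[name] > a_before[name]:
            grown[name] = (a_before[name], a_after[name])
    p_before, p_after = parse_phy_counters(before), parse_phy_counters(after)
    for desc, value in p_after.items():
        # Vendor-specific counters are undocumented; ignore their growth.
        if desc in p_before and value > p_before[desc] and desc != "Vendor specific":
            grown[desc] = (p_before[desc], value)
    return grown


if __name__ == "__main__":
    print("usage history:", usage_summary(SMART_BEFORE))
    print("temperature history covers", temperature_history_minutes(SMART_BEFORE), "minutes")
    for name, (old, new) in compare_snapshots(SMART_BEFORE, SMART_AFTER).items():
        print(f"WARNING {name} grew during acquisition: {old} -> {new}")
```

Only the leading integer of RAW_VALUE is parsed, because some vendors append extra fields to it (for example a min/max pair on the temperature attribute); an increase in any of the selected counters, or in a documented Phy event counter, between the two captures is what the script flags.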