
Query Disk Capabilities and Features with hdparm

Many of the tools discussed previously (lsusb, lspci, lsblk, and so on) have queried the Linux system and kernel structures for information. However, it’s possible to query a drive directly for additional information. The hdparm tool is useful for sending commands to most drives attached to a Linux system.

The hdparm tool operates by sending requests to the OS disk drivers (using ioctls) to retrieve information about the disk. From a forensics perspective, a number of items may be of interest or useful to document:

• Details about the drive geometry (physical and logical)
• The disk’s supported standards, features, and capabilities
• States and flags related to the drive configuration
• DCO and HPA information
• Security information
• Vendor information, such as make, model, and serial number
• The WWN device identifier (if it exists)
• Time needed for secure erase (for most disks, this is roughly the acquisition time)

For more detailed information about hdparm’s features, see the hdparm(8) manual page.

The following example shows how to use hdparm to get an overview of the disk using the -I flag together with the raw disk device. The listing is annotated with comments relevant to forensic investigators.

The output begins with documenting information about the drive, including manufacturer, model, serial number, and the standards with which it is compliant. Also in the output are various drive parameters, such as physical and logical sector size, number of sectors, form factor, and other physical properties.

# hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       WDC WD20EZRX-00D8PB0
        Serial Number:      WD-WCC4NDA2N98P
        Firmware Revision:  80.00A80
        Transport:          Serial, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
        Supported: 9 8 7 6 5
        Likely used: 9
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        --
        CHS current addressable sectors:   16514064
        LBA    user addressable sectors:  268435455
        LBA48  user addressable sectors: 3907029168
        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
        device size with M = 1024*1024:     1907729 MBytes
        device size with M = 1000*1000:     2000398 MBytes (2000 GB)
        cache/buffer size  = unknown
        Nominal Media Rotation Rate: 5400
Capabilities:
        LBA, IORDY(can be disabled)
        Queue depth: 32
        Standby timer values: spec'd by Standard, with device specific minimum
        R/W multiple sector transfer: Max = 16  Current = 16
        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
...

The next section of the output lists the features the drive supports; a star (*) in the Enabled column marks a feature that is currently enabled. (To understand vendor-specific features, you might need additional proprietary documentation.) This is useful when you’re preparing for a forensic acquisition, because it shows the status of the security feature set and of features such as the HPA (Host Protected Area) and DCO (Device Configuration Overlay) feature sets, which a drive can use to hide sectors from the operating system. Note that an enabled HPA or DCO feature set only means the drive supports hiding sectors; whether any sectors are actually hidden must be checked separately before imaging.

...
Commands/features:
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Power Management feature set
           *    Write cache
           *    Look-ahead
           *    Host Protected Area feature set
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    NOP cmd
           *    DOWNLOAD_MICROCODE
                Power-Up In Standby feature set
           *    SET_FEATURES required to spinup after power up
                SET_MAX security extension
           *    48-bit Address feature set
           *    Device Configuration Overlay feature set
           *    Mandatory FLUSH_CACHE
           *    FLUSH_CACHE_EXT
           *    SMART error logging
           *    SMART self-test
           *    64-bit World wide name
           *    WRITE_UNCORRECTABLE_EXT command
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    Gen1 signaling speed (1.5Gb/s)
           *    Gen2 signaling speed (3.0Gb/s)
           *    Gen3 signaling speed (6.0Gb/s)
           *    Native Command Queueing (NCQ)
           *    Host-initiated interface power management
           *    Phy event counters
           *    NCQ priority information
           *    READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
           *    DMA Setup Auto-Activate optimization
                Device-initiated interface power management
           *    Software settings preservation
           *    SMART Command Transport (SCT) feature set
           *    SCT Write Same (AC2)
           *    SCT Features Control (AC4)
           *    SCT Data Tables (AC5)
                unknown 206[12] (vendor specific)
                unknown 206[13] (vendor specific)
                unknown 206[14] (vendor specific)
...

The next section of the hdparm output provides more detail about the currently active security features, which are important when you’re determining if a drive is locked or encrypted. A drive that reports "enabled" has an ATA password set and will lock at power-on; a "locked" drive rejects reads until the password is supplied; a "frozen" drive rejects further security commands until it is power cycled. The time needed for a secure erase is also a rough estimate of how long an acquisition might take (if the subject drive is the performance bottleneck).

...
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        324min for SECURITY ERASE UNIT. 324min for ENHANCED SECURITY ERASE UNIT.
...

The final section of the hdparm output displays the WWN again, but this time it’s broken down into the NAA field (which determines how the rest of the WWN is laid out), the IEEE OUI (the vendor ID assigned by the IEEE), and the remainder of the WWN (which is unique to the drive).

...
Logical Unit WWN Device Identifier: 50014ee25fcfe40c
        NAA             : 5
        IEEE OUI        : 0014ee
        Unique ID       : 25fcfe40c
Checksum: correct

The hdparm output contains a number of items of interest to forensic investigators, either for documentation or as information for further analysis. To include the entire output of hdparm -I in a forensic report, you can redirect it to a text file.
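Once the output is saved to a text file, the fields discussed above can be pulled out and checked automatically rather than read by eye. The script below is an added example for this section, not part of hdparm or the original text. It assumes the output was saved with hdparm -I /dev/sdX > hdparm-I.txt; the SAMPLE string is constructed from the values in the listing above (abridged). It extracts the identifying data, decodes the WWN into its NAA, OUI and unique ID fields, reports the security state, flags an enabled HPA or DCO feature set, and converts the secure-erase time into the rough throughput the acquisition can be expected to run at.

```python
"""Extract the forensically relevant fields from saved `hdparm -I` output.

Added example (not hdparm's own code). Assumes the output was saved with
`hdparm -I /dev/sdX > hdparm-I.txt`; SAMPLE is constructed from the listing.
"""
import re
import sys

SAMPLE = """\
/dev/sda:

ATA device, with non-removable media
        Model Number:       WDC WD20EZRX-00D8PB0
        Serial Number:      WD-WCC4NDA2N98P
        Firmware Revision:  80.00A80
Configuration:
        LBA48  user addressable sectors: 3907029168
        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
Commands/features:
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Host Protected Area feature set
                SET_MAX security extension
           *    48-bit Address feature set
           *    Device Configuration Overlay feature set
           *    64-bit World wide name
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        324min for SECURITY ERASE UNIT. 324min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 50014ee25fcfe40c
        NAA             : 5
        IEEE OUI        : 0014ee
        Unique ID       : 25fcfe40c
Checksum: correct
"""


def split_sections(text):
    """Group indented lines under the unindented 'Name:' line preceding them."""
    sections, current = {}, "preamble"
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split(":", 1)[0].strip()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line.strip())
    return sections


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None


def parse_hdparm_identify(text):
    sections = split_sections(text)
    # Commands/features: a leading '*' marks a currently enabled feature.
    features = {}
    for line in sections.get("Commands/features", []):
        if line and not line.startswith("Enabled"):
            features[line.lstrip("*").strip()] = line.startswith("*")
    # Security: each flag is printed as 'enabled' or 'not enabled', etc.
    sec_lines = sections.get("Security", [])
    security = {}
    for line in sec_lines:
        m = re.match(r"(not\s+)?(enabled|locked|frozen|expired)\b", line)
        if m:
            security[m.group(2)] = m.group(1) is None
    sec_text = "\n".join(sec_lines)
    security["enhanced_erase"] = "supported: enhanced erase" in sec_text
    erase = {("enhanced" if enh else "normal"): int(mins) for mins, enh in
             re.findall(r"(\d+)min for (ENHANCED )?SECURITY ERASE UNIT", sec_text)}
    sectors = int(_grab(r"LBA48\s+user addressable sectors:\s*(\d+)", text))
    logical = int(_grab(r"Logical\s+Sector size:\s*(\d+)", text))
    return {
        "model": _grab(r"Model Number:\s*(.+)", text),
        "serial": _grab(r"Serial Number:\s*(.+)", text),
        "firmware": _grab(r"Firmware Revision:\s*(.+)", text),
        "sectors": sectors, "logical_sector": logical,
        "physical_sector": int(_grab(r"Physical Sector size:\s*(\d+)", text)),
        "size_bytes": sectors * logical,  # LBA48 count * logical sector size
        "features": features, "security": security, "erase_minutes": erase,
        "wwn": _grab(r"Logical Unit WWN Device Identifier:\s*([0-9a-fA-F]{16})", text),
    }


def decode_wwn(wwn_hex):
    """NAA-5 layout as hdparm prints it: 4-bit NAA, 24-bit IEEE OUI, 36-bit unique ID."""
    v = int(wwn_hex, 16)
    return {"naa": v >> 60, "oui": f"{(v >> 36) & 0xFFFFFF:06x}",
            "unique_id": f"{v & ((1 << 36) - 1):09x}"}


def acquisition_notes(info):
    """Conditions to resolve before imaging, derived from the parsed fields."""
    notes, sec = [], info["security"]
    if sec.get("locked"):
        notes.append("drive is locked: reads fail until the ATA password is supplied")
    elif sec.get("enabled"):
        notes.append("ATA security enabled: the drive will lock on the next power cycle")
    if sec.get("frozen"):
        notes.append("security frozen: security commands are rejected until power cycle")
    for name, short in (("Host Protected Area feature set", "HPA"),
                        ("Device Configuration Overlay feature set", "DCO")):
        if info["features"].get(name):
            notes.append(f"{short} feature set enabled: check for hidden sectors before imaging")
    return notes


def implied_throughput_bytes_per_sec(info):
    """Secure-erase time as the rough acquisition-time estimate: size / erase seconds."""
    minutes = info["erase_minutes"].get("normal")
    return info["size_bytes"] / (minutes * 60) if minutes else None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    info = parse_hdparm_identify(text)
    print(info["model"], info["serial"], info["firmware"], info["size_bytes"], "bytes")
    print("WWN:", decode_wwn(info["wwn"]))
    for note in acquisition_notes(info):
        print("NOTE:", note)
```

Run it with the saved file as the first argument; with no argument it parses the constructed sample. Because the size is recomputed from the LBA48 sector count and logical sector size, a mismatch against the size reported by lsblk or the size later written by the imaging tool is immediately visible in the report.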

A similar tool for querying SCSI drives is sdparm, which you can use to access SCSI mode pages. Running sdparm with the flags -a -l retrieves a verbose list of disk parameters. A more concise query using sdparm -i can extract the Vital Product Data (VPD), which provides unique identifying information about the make, model, and serial number of SCSI and SAS drives.