AFAUC -- Anti-forensics of Storage Devices by Alternative Use of Communication Channels

Harald Baier, J. Knauer
DOI: 10.1109/IMF.2014.11 (https://doi.org/10.1109/IMF.2014.11)
Venue: 2014 Eighth International Conference on IT Security Incident Management & IT Forensics
Publication date: 2014-05-12
Open access: no
Citations: 6

Abstract

Since the end of the 1990s, side-channel attacks have become a very prominent branch of cryptography. In other areas of computer security, however, side channels are not well studied. The primary goal of this paper is to raise the community's awareness of the potential existence of side channels during a forensic investigation. We present a concept called AFAUC (anti-forensics of data storage by alternative use of communication channels). The general idea is to confuse the investigator by abusing a communication channel for unintended purposes. As a concrete example of AFAUC, we access a storage device through its diagnostic interface to obfuscate data on that device. More precisely, we analyse whether it is feasible in practice to abuse an existing communication channel, designed for a different purpose, to hide data in an area of a hard disk drive (HDD) that is not accessible to an investigator and that is distinct from the well-known Host Protected Area and Device Configuration Overlay. The basic idea is to access the HDD via its diagnostic interface in an unintended manner and to manipulate its size in the firmware settings. We show that this is possible for a Samsung HDD even without any expensive tool. Evaluation, including a test in a law enforcement laboratory, revealed that the hidden data would not be detected in an ordinary case. Hence AFAUC may be used by skilled, but not well-funded, users. Although AFAUC is a classical dual-use technology, we would like to encourage the community to come up with further alternative use cases of communication channels to support users in oppressive countries in defending themselves. In contrast to the underground economy, these users are typically not well-funded and thus depend on reliable anti-forensic methods.