
[15767.918079] usb-storage 2-6.2:1.0: USB Mass Storage device detected
[15767.918195] usb-storage 2-6.2:1.0: Quirks match for vid 174c pid 55aa: 400000
[15767.918222] scsi host15: usb-storage 2-6.2:1.0
...
[15777.728944] sd 15:0:0:0: [sdk] 3907029168 512-byte logical blocks: (2.00 TB/1.81 TiB)
...
[15777.820171] sd 15:0:0:0: [sdk] Attached SCSI disk

From a forensics perspective, it’s important to note that the transport protocol used does not affect the contents of the USB disk and has no effect on the cryptographic hash of the forensic image. In fact, it is advantageous to use UAS-based write blockers for the performance benefits (Tableau USB3 write blockers use UAS, for example).

NOTE One word of advice: when you’re using the higher speeds of USB3, the quality of the USB cables becomes an issue. Longer, lower-quality USB3 cables can produce read errors during acquisition. For those working in a professional forensic laboratory, it’s worth investing in short, high-quality USB3 cables.

Advanced Format 4Kn

As disk capacities increased, the industry discovered that it could improve disk efficiency by switching from 512-byte sectors to 4096-byte sectors. The International Disk Drive Equipment and Materials Association (IDEMA) developed the Advanced Format standard for 4096-byte physical sectors (see http://www.idema.org/?page_id=2369). Since 2009, hard disk manufacturers have committed to using IDEMA’s Advanced Format standard to produce 4K sector disks. Even with 4K physical sectors, most disks today emulate 512-byte sectors and are called Advanced Format 512e disks. Disks that provide the host system and OS with native 4K-sized sectors are called Advanced Format 4Kn disks. Advanced Format 4Kn disks are still rare in the low-end marketplace but are used in enterprise environments. For higher-capacity enterprise disks, most enterprise disk manufacturers offer two models: 512e and 4Kn. Figure 1-28 shows the official logo for 4Kn disks.

You’ll find a good overview of Advanced Format and 4K sectors on YouTube at https://www.youtube.com/watch?v=TmH3iRLhZ-A

Figure 1-28: Advanced Format 4Kn logo

When the Linux kernel detects an attached disk, it displays the number of sectors and the logical sector size (in some cases, it may also explicitly display the physical size). The following partial dmesg output shows two equal-sized disks, one with Advanced Format 512e and the other with 4Kn.

Dividing the number of 512-byte sectors by 8 or multiplying the number of 4K sectors by 8 shows the disks are equal in capacity but have different sector counts.

...
[ 13.605000] scsi 1:0:1:0: Direct-Access TOSHIBA MG03SCA300 0108 PQ: 0 ANSI: 5
...
[ 16.621880] sd 1:0:1:0: [sdb] 5860533168 512-byte logical blocks: (3.00 TB/2.73 TiB)
...
[ 14.355068] scsi 1:0:2:0: Direct-Access ATA TOSHIBA MG04ACA3 FP2A PQ: 0 ANSI: 6
...
[ 16.608179] sd 1:0:2:0: [sdc] 732566646 4096-byte logical blocks: (3.00 TB/2.73 TiB)

On a Linux system, you can use the /sys pseudo filesystem to find the logical and physical sector sizes of a disk. For example, you can determine the physical and logical sector sizes of the attached disk /dev/sda as follows:

# dmesg
...
[ 16.606585] sd 1:0:0:0: [sda] 7814037168 512-byte logical blocks: (4.00 TB/3.64 TiB)
...
# cat /sys/block/sda/queue/logical_block_size

These two methods show reading from the /sys pseudo filesystem (which you can also do as a non-root user) and using the blockdev command.
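The following script is an added example (it is not code from the book) that automates the two checks described above: it parses the "[sdX] N M-byte logical blocks" lines the kernel prints in dmesg, scales sector counts to bytes so that a 512e and a 4Kn disk of equal capacity compare equal despite their different sector counts, and classifies a disk as 512n, 512e or 4Kn from the sysfs queue attributes logical_block_size and physical_block_size. The dmesg sample and the physical sector sizes written into the temporary sysfs tree in demo() are constructed for the example; on a real system classify("sda") reads /sys directly.

```python
"""Sector-size sanity checks for attached disks (added example, not the book's code)."""
import re
import tempfile
from pathlib import Path

# Constructed sample, in the format the page shows for dmesg.
SAMPLE_DMESG = """\
[   16.621880] sd 1:0:1:0: [sdb] 5860533168 512-byte logical blocks: (3.00 TB/2.73 TiB)
[   16.608179] sd 1:0:2:0: [sdc] 732566646 4096-byte logical blocks: (3.00 TB/2.73 TiB)
[15777.728944] sd 15:0:0:0: [sdk] 3907029168 512-byte logical blocks: (2.00 TB/1.81 TiB)
[15777.820171] sd 15:0:0:0: [sdk] Attached SCSI disk
"""

BLOCKS_RE = re.compile(
    r"\[(?P<dev>sd[a-z]+)\] (?P<count>\d+) (?P<size>\d+)-byte logical blocks"
)


def parse_dmesg(text):
    """Return {device: (sector_count, logical_sector_size)} for every disk line."""
    disks = {}
    for line in text.splitlines():
        m = BLOCKS_RE.search(line)
        if m:
            disks[m["dev"]] = (int(m["count"]), int(m["size"]))
    return disks


def capacity_bytes(sector_count, sector_size):
    """Sector counts are only comparable once scaled to bytes."""
    return sector_count * sector_size


def human(nbytes):
    """Decimal TB and binary TiB to two decimals. The kernel's own rounding of
    this string has varied between versions, so the last digit may differ."""
    return f"{nbytes / 10**12:.2f} TB/{nbytes / 2**40:.2f} TiB"


def rescale_sectors(count, from_size, to_size):
    """Express a sector count in another sector size; refuse inexact conversions."""
    total = count * from_size
    if total % to_size:
        raise ValueError(f"{count} x {from_size} bytes is not whole {to_size}-byte sectors")
    return total // to_size


def same_capacity(disks, a, b):
    """True when two parsed disks hold exactly the same number of bytes."""
    return capacity_bytes(*disks[a]) == capacity_bytes(*disks[b])


def classify(dev, sysfs_root="/sys"):
    """Read /sys/block/<dev>/queue/{logical,physical}_block_size and name the format."""
    queue = Path(sysfs_root) / "block" / dev / "queue"
    logical = int((queue / "logical_block_size").read_text())
    physical = int((queue / "physical_block_size").read_text())
    if logical == 4096:
        return "4Kn"
    if logical == 512 and physical == 4096:
        return "512e"
    if logical == 512 and physical == 512:
        return "512n"
    return f"other ({logical}/{physical})"


def make_fake_sysfs(root, dev, logical, physical):
    """Write a minimal sysfs-style tree so classify() can be exercised offline."""
    queue = Path(root) / "block" / dev / "queue"
    queue.mkdir(parents=True, exist_ok=True)
    (queue / "logical_block_size").write_text(f"{logical}\n")
    (queue / "physical_block_size").write_text(f"{physical}\n")


def demo():
    """Constructed end-to-end run; physical sizes are assumptions, not from the page."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_sysfs(root, "sdb", 512, 4096)   # assumed 512e
        make_fake_sysfs(root, "sdc", 4096, 4096)  # 4Kn, as dmesg shows
        make_fake_sysfs(root, "sdk", 512, 512)    # assumed 512n
        return {dev: classify(dev, root) for dev in ("sdb", "sdc", "sdk")}


if __name__ == "__main__":
    disks = parse_dmesg(SAMPLE_DMESG)
    for dev, (count, size) in disks.items():
        print(f"{dev}: {count} x {size}-byte sectors = {human(capacity_bytes(count, size))}")
    print("sdb and sdc equal capacity:", same_capacity(disks, "sdb", "sdc"))
    print("sdb expressed in 4K sectors:", rescale_sectors(*disks["sdb"], 4096))
    print(demo())
```

Recording both the sector count and the logical sector size in the acquisition notes is what makes the capacity comparison meaningful later; the count alone is ambiguous by a factor of eight.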

Some SSDs allow you to choose the physical sector size with a firmware tool. For example, some recent Intel SSDs can change sector size between 512 and 4096 using a command line tool provided by Intel (https://downloadcenter.intel.com/download/23931/).

Several aspects of 4K disks are of interest to the digital forensics community and are discussed in the rest of this section. Some early Western Digital Advanced Format 512e disks had a jumper setting (jumpers 7 and 8) to internally offset the sectors to align the beginning of default XP partitions with the start of a 4K sector. This jumper setting to realign the disk greatly improved performance. Changing such sector alignment jumpers will affect forensic acquisition hash and potentially affect the analysis of a disk. When forensically imaging or verifying a disk, it is crucial to use the same jumper settings as when the drive was first seized.

The use of 4Kn disks will affect the value of slack space. RAM slack or memory slack is the unused part of the last sector of a file (not to be confused with file slack, which is the unused part of the last filesystem block of a file). When you’re using 4Kn disks with filesystems that use 4K blocks, the RAM slack and file slack are the same. OSes that pad the unused portion of a 4K sector with zeros before writing will eliminate the possibility of any useful data in file slack on filesystems with 4K blocks.
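To make the slack geometry concrete, here is an added example (not the book's code) that computes RAM slack and file slack for one file size under three constructed geometries: 512-byte sectors with 512-byte blocks, 512e with 4K blocks, and 4Kn with 4K blocks. It also reports the residual part of the last block, the whole sectors after the last data sector that the OS never wrote and that may therefore still hold data from an earlier file; with 4Kn sectors and 4K blocks that region is always empty, which is the point the paragraph makes. The layout assumption (file data begins on a block boundary, no in-block packing) is stated in slack().

```python
"""RAM slack versus file slack (added example, not the book's code)."""


def round_up(n, unit):
    """Smallest multiple of unit that is >= n."""
    return -(-n // unit) * unit


def slack(file_size, sector_size, block_size):
    """Return (ram_slack, file_slack) in bytes for a file of file_size bytes.

    Assumes block_size is a whole multiple of sector_size (true on real
    filesystems) and that the file's data begins on a block boundary.
    """
    if sector_size <= 0 or block_size % sector_size:
        raise ValueError("block size must be a positive multiple of the sector size")
    if file_size == 0:
        return 0, 0  # nothing written, nothing allocated
    ram_slack = round_up(file_size, sector_size) - file_size     # tail of last sector
    file_slack = round_up(file_size, block_size) - file_size     # tail of last block
    return ram_slack, file_slack


def residual_slack(file_size, sector_size, block_size):
    """Bytes of the last block that were never written by this file: the whole
    sectors between the last data sector and the block end. Only these can
    still hold an earlier file's data; the RAM-slack tail was rewritten (with
    whatever padding the OS uses) when the last sector was written."""
    ram_slack, file_slack = slack(file_size, sector_size, block_size)
    return file_slack - ram_slack


# Constructed geometries: (sector size, filesystem block size)
GEOMETRIES = {
    "512n, 512-byte blocks": (512, 512),
    "512e, 4K blocks": (512, 4096),
    "4Kn, 4K blocks": (4096, 4096),
}


def slack_report(file_size):
    """Per geometry: (ram_slack, file_slack, residual_slack) for one file size."""
    report = {}
    for name, (sector, block) in GEOMETRIES.items():
        ram, fs = slack(file_size, sector, block)
        report[name] = (ram, fs, fs - ram)
    return report


if __name__ == "__main__":
    for name, (ram, fs, residual) in slack_report(5000).items():
        print(f"{name:24} RAM slack {ram:5d}  file slack {fs:5d}  residual {residual:5d}")
```

For a 5000-byte file the 512e/4K-block case leaves 3072 bytes (six untouched sectors) that a carver could still find old content in, whereas the 4Kn/4K-block case leaves none.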

Forensic software that assumes a 512-byte sector size may fail or, worse, produce incorrect results. When you’re using 4Kn disks, it’s important to confirm that the forensic software recognizes and uses 4Kn sectors. Sleuth Kit will default to 512-byte sectors and must be explicitly told to use 4K sectors for 4Kn disks. The following example shows mmls producing incorrect results by default and correct results when specifying the correct sector size.

# mmls /dev/sde
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  ---     0000000000   0000000255   0000000256   Unallocated
02:  00:00   0000000256   0732566645   0732566390   Linux (0x83)
03:  ---     0732566646   5860533167   5127966522   Unallocated
...
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  ---     0000000000   0000000255   0000000256   Unallocated
02:  00:00   0000000256   0732566645   0732566390   Linux (0x83)
#

After specifying the 4096-byte sector size with the -b flag, the sectors of the Linux partition are represented as 4K units, and there is no unallocated area at the end of the drive. An example of successfully acquiring a native 4K sector disk is shown in “The dcfldd and dc3dd Tools” on page 144.
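The wrong-sector-size symptom above can be checked mechanically. The script below is an added example (it is not code from the book or from Sleuth Kit): given the partition rows as a tool printed them and the device size in bytes (sector count times logical sector size, as dmesg reports it), it interprets the LBAs under each candidate sector size and reports how much of the device each interpretation leaves unallocated. The row values are constructed from the page's mmls output, and the 5860533168 x 512-byte device size is the page's 3 TB disk; the partition is the only row carried over, since the meta and unallocated rows are derived by the tool.

```python
"""Sanity-check the sector size a partition table was parsed with
(added example, not the book's or Sleuth Kit's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    start: int    # first LBA, in the unit the table was read with
    length: int   # number of sectors in that same unit
    desc: str


# Constructed from the page's mmls output; LBAs are what the table stores.
MMLS_ROWS = [Row(256, 732566390, "Linux (0x83)")]
DISK_BYTES = 5860533168 * 512  # the page's 3.00 TB disk, as dmesg reports it


def unallocated_tail(rows, sector_size, disk_bytes):
    """Bytes between the end of the last partition and the end of the device
    when the LBAs are interpreted with sector_size. Negative means the table
    overruns the device, so that sector size cannot be right."""
    end_lba = max(r.start + r.length for r in rows)
    return disk_bytes - end_lba * sector_size


def tail_fraction(rows, sector_size, disk_bytes):
    """Share of the device left unallocated under this interpretation."""
    return unallocated_tail(rows, sector_size, disk_bytes) / disk_bytes


def rescale(rows, from_size, to_size):
    """Re-express rows in another sector unit (exact conversions only)."""
    out = []
    for r in rows:
        start_b, len_b = r.start * from_size, r.length * from_size
        if start_b % to_size or len_b % to_size:
            raise ValueError(f"row {r} does not align to {to_size}-byte sectors")
        out.append(Row(start_b // to_size, len_b // to_size, r.desc))
    return out


def likely_sector_size(rows, disk_bytes, candidates=(512, 4096)):
    """Return (sector_size, tail_bytes) for the candidate whose interpretation
    leaves the smallest non-negative tail. This is a sanity check only: a
    512-byte disk whose partitions stop below 1/8 of the device is ambiguous,
    so confirm with dmesg or /sys/block/<dev>/queue/logical_block_size."""
    fits = {}
    for size in candidates:
        tail = unallocated_tail(rows, size, disk_bytes)
        if tail >= 0:
            fits[size] = tail
    if not fits:
        raise ValueError("no candidate sector size keeps the table inside the device")
    best = min(fits, key=fits.get)
    return best, fits[best]


if __name__ == "__main__":
    for size in (512, 4096):
        tail = unallocated_tail(MMLS_ROWS, size, DISK_BYTES)
        frac = tail_fraction(MMLS_ROWS, size, DISK_BYTES)
        print(f"{size}-byte sectors: tail {tail} bytes ({frac:.3f} of device)")
    print("likely sector size:", likely_sector_size(MMLS_ROWS, DISK_BYTES))
    print("rows in 512-byte units:", rescale(MMLS_ROWS, 4096, 512))
```

Under the 512-byte assumption the tail is exactly seven eighths of the device, the 5127966522 "Unallocated" sectors mmls printed; under 4096 it is zero, matching the corrected run. A tail of almost exactly 7/8 on a disk with a single partition is the signature worth a second look before any analysis proceeds.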

The use of Advanced Format 4Kn disks is still uncommon. It’s unclear how 4Kn sector disks will impact existing forensic acquisition and analysis software currently on the market, in particular where forensic tools fundamentally assume a 512-byte sector size. This is an area where more research by the digital forensics community is needed.
