Analysis of the possibilities of preventing leakage of information stored on hard drives.
1. Introduction
The total computerization of the infrastructure of industrialized countries has led to the rapid development of technical intelligence tools (TSR), allowing the extraction of confidential information from computers and computer networks.
The prospects of this direction are determined by the steadily growing document flow carried out with the help of electronic means of communication, and the introduction of so-called “paperless technologies” both in the sphere of business and in the sphere of public administration.
Significant volumes of confidential information stored in the databases of computers of various governmental and non-governmental structures represent real commercial value, and their leakage in some cases can directly affect state security.
This circumstance has given a powerful impetus to the development of all kinds of software and hardware for extracting information from computers and computer networks in the past decade.
The so-called “open” networks, which have access to the Internet and are regularly subjected to attacks by hackers and by intelligence agencies of various levels disguised as hackers, have proven to be especially vulnerable.
It should be noted that the owners of most networks have duly realized the danger of information leakage.
This is evidenced by the ever-growing flow of publications devoted to the development of all sorts of encryption systems, access control, closing electromagnetic leakage channels, etc.
This article examines a specific channel for leaking confidential information that has been undeservedly overlooked in publications of recent years. It allows large volumes (tens and hundreds of GB) of information stored on hard disk drives (HDD) of personal computers to be copied without authorization and without compromising the party doing the copying.
2. HDD as a source of potential threats to information security
Placing confidential information in long-term non-volatile memory devices of computers creates the possibility of forming specific channels for its leakage.
The most common devices for this purpose at the moment are hard disk drives (HDD).
The widespread use of HDDs is facilitated by a number of positive operational qualities: reliability, speed of access and relative cheapness per unit of stored information.
The features of HDDs that make them attractive for operations using TSR include:
- large volumes of stored information, from hundreds of MB to tens of GB;
- non-volatile storage of information, since its state is not affected by the presence or absence of power supply;
- absence of domestic HDD production in Russia.
Threats to information stored on HDDs can be divided into complex, when the HDD with the information stored on it acts as an element of a hardware-software or software TSR, and direct, in which the HDD acts as the main and only element of the TSR. The first type of threats, associated with the development of all kinds of software and hardware backdoors, is not discussed in this article.
Positions for using TSR that provide data retrieval from HDDs can be created in advance during the design and manufacture of the specified products in the form of targeted hardware or firmware redundancy, since almost all computers are equipped with imported HDDs. Another way is to place additional firmware and/or hardware by computer manufacturers. The first way assumes the presence of a government order in manufacturing countries to create positions for TSRs, the second is also available to corporations of various levels.
In both cases, information leakage is possible according to the following generalized scenarios:
- retrieval of information, selected by a certain feature and archived in “technical” zones, from HDDs during their operation as part of a computer or computer network.
- accumulation of information on HDDs with subsequent imitation of their failure.
In the first case, direct (using radio repeaters, hardware and software bugs, undocumented network capabilities, etc.) transmission of information is possible.
The capacity of an unformatted modern HDD and one formatted with standard software differs by 16-19%.
This creates the possibility, along with the reservation of information on the disk for bad sectors and service information, to carry out secret duplication and storage of confidential information. In addition, it is considered that the area for parking the read-write heads cannot contain any information.
It is noteworthy that for standard software tools for checking HDD and high-level formatting, the secretly accumulated information will remain invisible and inaccessible. At the same time, there is a risk of detection of this information leak channel by a sufficiently large fleet of specially developed monitoring tools. However, in the second case, these tools are powerless to detect anything.
The second option for organizing information leakage is effective with the targeted delivery of computer equipment to a specific organization with subsequent warranty service of computers from the supplier company or in a certain service center, since the warranty agreement, as a rule, covers the entire delivery and assumes gratuitous replacement of the HDD while maintaining its marketable appearance with a working copy.
In this case, the object of the TSR application itself makes efforts to transfer the HDD with the accumulated information to the interested party.
The company providing technical maintenance usually imposes strict requirements for the safety of various types of markers and seals, which in itself guarantees the safety of the accumulated TSR information. After appropriate repair, the information contained on the HDD becomes available for copying.
It should be especially noted that if the HDD is inoperative, it, as a rule, cannot be restored (with a competent imitation of a malfunction) at service stations in Russia (due to the lack of our own production facilities) and must be transferred to a company outside our country. Monitoring the contents of the HDD using standard diagnostic tools is impossible, since it is inoperative for them. It is impossible to erase information from a “failed” drive for the same reason. And since the stored information is non-volatile, it confidently withstands the crossing of any number of borders without any customs control.
Based on the practice of large domestic companies entering into contracts for the creation and maintenance of computer networks with equally large foreign corporations, this is usually what happens.
3. Possible ways to eliminate information leakage along with the drive
The elimination of the specific information leakage channels described above can only be achieved by guaranteed destruction of data contained on the failed HDD (or one simulating a malfunction) before it is transferred to the supplier or service center. Possible options are shown in Fig. 1.
Fig. 1 Possible options for influencing the HDD to prevent leakage of confidential information stored on the HDD
Further actions directly follow from the degree of confidentiality of the lost information stored on the failed HDD. If a possible information leak does not affect the security of a legal entity or an individual, then the actions are standard — contacting a service center with a request to repair or replace the drive if it cannot be restored. If the information is of great value, then it is advisable to destroy it on the HDD.
Destruction of information can be achieved by mechanical or thermal processes. In the first case, the HDD is physically destroyed in such a way as to exclude the possibility of reading information in any way from its working disks. In the second case, heating the drive to a temperature of 800-1000 degrees Celsius provides a complete guarantee of destruction of information on the drive. In this case, the information becomes absolutely unrecoverable for a whole range of reasons, including the transition of the magnetic material of the coatings through the Curie point. This method of destroying information can be recommended for media containing state secrets.
There is a third (in addition to mechanical and thermal) way to guarantee the destruction of data contained on a failed HDD (or one simulating a malfunction), which allows the drive to be handed over to the company providing warranty service. This way allows you to avoid visible mechanical and electrical damage and thereby fulfill the requirements of the maintenance contract. Destruction of confidential information can be achieved by placing the HDD in a sufficiently powerful constant magnetic field, which completely changes the orientation of the magnetic domains on the HDD surfaces. In this case, as with the use of heating, the loss of information on the HDD becomes irreversible. An additional guarantee of the impossibility of restoring information destroyed in this way is provided by the design features of modern HDDs.
Modern HDD devices are practically standard for all manufacturers. They do not have specialized hardware for determining the position of the heads relative to the disk surface. Service and stored information are applied and read by the same heads. Precise positioning is achieved by processing the signal from the heads themselves by the head movement motor control circuit. These HDDs do not have marks for the start of rotation and the position of the heads associated with the mechanics of the corresponding drive.
For the control circuit to work, two main types of service information are applied to the disks: physical markings for precise positioning of the heads and data for the operation of the HDD parameter translation firmware.
Thus, when exposed to a powerful external magnetic field, both the data stored on the drive and the service information will be destroyed. For this reason, in the case of forced re-marking of the HDD, the positions of the sectors will be shifted relative to their position during the previous marking. The magnitude of the shift is random and depends on the position of the disk-head system at the time of recording the initial mark during low-level re-formatting. This fact excludes the possibility of restoring the destroyed information by multiple reading of the erased disk and subsequent correlation processing of its physical dump.
4. Physical principles of information destruction by an external magnetic field
The physical principles of the processes occurring in a storage device under the influence of an external magnetic field are related to its design features and the specifics of the materials used.
Since the characteristics of the material from which the surface coatings of modern HDDs are made are usually not published by the manufacturers, we will make an indirect assessment of the probable value of the ratio of the erasing field strength and the parameters of the working surfaces.
As a starting point, it is advisable to take the ratio of the characteristics of the coatings of computer magnetic tapes and the magnetic field strength of the demagnetizing magnetic heads. The coatings of modern magnetic tapes are characterized by the following parameters: coercive force Hc = 18-24 kA/m, residual magnetic induction Br = 0.08-0.15 T, hysteresis loop squareness coefficient kп = 0.75-0.82.
In this case, the erasure field strength is H = 64-96 kA/m [1]. Consequently, the value of the erasure field strength for magnetic tape under the condition of single-pass action exceeds the value of the coercive force by 4 times.
The general trend of increasing the capacity of HDDs by increasing the data recording density has predetermined the use in modern drives of magnetoresistive read heads, which have minimal geometric dimensions, and of write heads technologically combined with them.
The need to simultaneously increase the speed of drives determines the use of hard magnetic materials as coatings for the working surfaces of disks, which have a narrow magnetic hysteresis loop and ensure sufficiently low energy losses due to magnetization reversal.
Thus, to implement the specified trends in the development of modern HDDs, the material of the surface coating of the drive must ensure maximum residual magnetic induction Br (data reading) at a moderate field strength H during the process of recording information.
Modern achievements in the field of physical chemistry in the application of magnetic recording material in the form of a thin film or fine powder on a non-magnetic substrate, which corresponds to the technological process of manufacturing the working surfaces of HDD disks, make it possible to implement the maximum Br for this technology at a moderate Hc (usually from 50 to 80 kA/m depending on the recording density, the method of recording information, etc.) [2].
Therefore, drawing an analogy with the above relationship between the values of the erasure field strength H and the coercive force Hc for magnetic tape, it is correct to assume that in order to destroy the semantic integrity of information on a HDD by remagnetizing the working surfaces, the value of the erasure field strength, with a single impact, should be 200-320 kA/m.
With multiple impacts, the value of the erasure field strength may be slightly less due to the effect of residual magnetization reversal.
The demagnetizing effect of the external field depends on its strength and the orientation of the magnetic induction vector. The relationship between induction and magnetic field strength is determined by the formula
, (1)
where H/m – magnetic constant;
— relative magnetic permeability of the material (medium), H/m;
— magnetic field strength, A/m.
Taking = 1000-1500 H/m, which corresponds to a fairly typical value for hard magnetic materials, for H = 200-320 kA/m we obtain the value of magnetic induction B = 0.25-0.6 T.
With regard to permanent magnets, such a value of induction in the air gap can be achieved only for an intermetallic compound of iron group metals with rare earth elements, such as samarium-cobalt (SmCo5). Based on such alloys, magnetic materials with record values of Hc (640-1300 kA/m) and fairly high Br (0.77-1.0 T) have been developed [2].
The calculated value of the erasure field strength can also be achieved with a pulsed effect on the HDD of an external magnetic field created by electromagnets.
When determining the parameters of the demagnetization process, it is necessary to take into account the fact that in order to reduce the influence of external magnetic fields on the working surfaces, HDDs are mounted in massive metal cases, usually made of aluminum and its alloys, with a wall thickness of up to 5 millimeters. The amplitude of the field strength in this case will decrease as it penetrates deep into the protective case of the drive according to the exponential law [3]:
,(2)
where
— amplitude of magnetic field strength, A/m;
z – distance from the surface, m;
— attenuation coefficient;
f – frequency of electromagnetic oscillations, Hz;
— specific electrical conductivity, S/m.
Graphs of changes in the amplitude of the magnetic field strength depending on the thickness of the HDD case for different durations of exposure are shown in Fig. 2.
Fig. 2 Graphs of the change in the amplitude of the magnetic field strength depending on the thickness of the HDD case
In general, as the frequency, electrical conductivity, magnetic permeability increase and the distance from the surface of the case increases, the electromagnetic field significantly attenuates.
Consequently, high-frequency electromagnetic fields (t imp 10 μs) actually propagate only in a thin surface layer and have no effect on the information stored on the HDD.
Constant and weakly variable (with frequencies less than 1 Hz) magnetic fields penetrate the protective casing without significant weakening.
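An added worked example, not part of the original article: it carries the section's estimate through numerically, taking the erasure field as 4 times the coercive force (the tape ratio used above) and attenuating it through a 5 mm aluminium wall. Assumptions: the page's equation (2) did not survive, so the standard one-dimensional skin-effect law H(z) = H0·exp(-z/δ), δ = 1/sqrt(π·f·μ0·μr·σ), is used in its place; the conductivity 3.5e7 S/m and μr = 1 are typical values for aluminium, not figures from the article; a 10 μs pulse is treated as roughly 100 kHz; all function names are illustrative.

```python
import math

MU0 = 4 * math.pi * 1e-7   # magnetic constant, H/m
SIGMA_AL = 3.5e7           # ASSUMED conductivity of an aluminium alloy case, S/m
MU_R_AL = 1.0              # ASSUMED: aluminium is non-magnetic (relative permeability ~1)
ERASE_RATIO = 4            # erasure field / coercive force, the tape ratio used in the text


def erase_field_range(hc_min, hc_max, ratio=ERASE_RATIO):
    """Single-pass erasure field (A/m) estimated from the coating's coercive force."""
    return ratio * hc_min, ratio * hc_max


def skin_depth(freq_hz, sigma=SIGMA_AL, mu_r=MU_R_AL):
    """Depth (m) at which the field amplitude falls by a factor of e."""
    return 1.0 / math.sqrt(math.pi * freq_hz * MU0 * mu_r * sigma)


def transmission(freq_hz, wall_m, sigma=SIGMA_AL, mu_r=MU_R_AL):
    """Fraction H(z)/H0 of the field amplitude left behind a wall of thickness wall_m."""
    return math.exp(-wall_m / skin_depth(freq_hz, sigma, mu_r))


def required_surface_field(h_inside, freq_hz, wall_m):
    """Field (A/m) needed at the outer surface to leave h_inside behind the wall."""
    return h_inside / transmission(freq_hz, wall_m)


def max_frequency(min_fraction, wall_m, sigma=SIGMA_AL, mu_r=MU_R_AL):
    """Highest frequency (Hz) at which at least min_fraction of the field gets through."""
    k = math.log(1.0 / min_fraction) / wall_m   # largest allowed attenuation coefficient, 1/m
    return k * k / (math.pi * MU0 * mu_r * sigma)


if __name__ == "__main__":
    wall = 0.005                                 # 5 mm case wall, from the text
    h_lo, h_hi = erase_field_range(50e3, 80e3)   # Hc = 50-80 kA/m, from the text
    print(f"erasure field at the platters: {h_lo / 1e3:.0f}-{h_hi / 1e3:.0f} kA/m")
    for f in (0.1, 1.0, 50.0, 1e3, 1e5):         # 1e5 Hz stands in for a 10 us pulse
        print(f"f = {f:>9.1f} Hz   skin depth = {skin_depth(f) * 1e3:8.3f} mm   "
              f"H/H0 behind wall = {transmission(f, wall):.3e}")
    need = required_surface_field(h_hi, 1.0, wall)
    print(f"surface field for {h_hi / 1e3:.0f} kA/m inside at 1 Hz: {need / 1e3:.0f} kA/m")
    print(f"frequency limit for 90 % transmission: {max_frequency(0.9, wall):.2f} Hz")
```

Under these assumptions a 1 Hz field loses about 6 % of its amplitude in the wall, while a 100 kHz field is attenuated by more than eight orders of magnitude, which matches the qualitative conclusion of the section.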
5. Structure and operating principles of the installation for destroying information on HDDs using an external magnetic field
As noted earlier, the following conditions must be met in the installation for destroying information on HDDs using an external magnetic field:
- The HDD must be placed in the device entirely (without dismantling), since in this case the safety of the seals and markers of the supplier company is ensured.
- The acting external field must be constant or slightly variable (with a fundamental harmonic frequency of < 1 Hz) and uniform.
- The field strength should be at least 200-320 kA/m.
There are two possible approaches to creating installations with the technical characteristics listed above. The first is to use a powerful permanent magnet based on a samarium-cobalt composition or similar lanthanide-based compositions.
However, calculations show that to create a uniform field in the air gap when placing a HDD with a maximum form factor of up to 87.5 mm (taking into account the drives used in servers), a permanent magnet of complex shape with a field concentrator is required.
Considering the technological capabilities of the modern industrial base, its creation is fundamentally possible, but for a single copy or a small series it is economically impractical.
The second approach involves the use of an electromagnetic installation.
However, here too, technological problems arise.
Implementation of an impact with a field strength of about 320 kA/m for about 1 second requires the presence of a core made of electrical steel.
To create a magnetic field of the above strength in a gap with the required maximum form factor when using standard magnetic materials, a power source with a capacity of at least 10-15 kVA is required.
The power dissipated by such a constant-field electromagnet necessarily requires correspondingly intensive forced heat removal using a cooling liquid.
A more productive approach is the one used to create powerful magnetic fields in controlled thermonuclear fusion installations.
It involves accumulating energy in a capacitor bank with subsequent discharge to the inductor coil.
The large capacity of the capacitor bank allows for a damped oscillatory process in the inductor gap with parameters that ensure guaranteed destruction of information on the HDD.
In this case, the HDD is placed entirely in the inductor gap, and the power consumption used to charge the capacitor bank is reduced to 1-1.5 kVA.
There is no need for forced liquid cooling of the inductor.
Thus, all requirements for guaranteed destruction of information on HDDs are met, and at the same time the installation is suitable for placement in an office or company.
Conclusions
1. Placing confidential information in hard disk drives creates the possibility of forming specific channels for its leakage.
2. There are technically feasible methods for guaranteed destruction of data contained on a failed HDD (or one simulating a failure), without physical damage to its structural elements and the manufacturer's seals.
3. One of the promising areas of creating means of destroying information on HDDs, both in working and non-working states, is the use of generators of a cyclic, weakly alternating (with a frequency of ~ 1 Hz) pulsed magnetic field that, if sufficiently intense, completely reorients the domain structures of the carrier.
BESEDIN Dmitry Igorevich
BOBORYKIN Sergey Nikolaevich
RYZHIKOV Sergey Sergeevich, Candidate of Technical Sciences
List of References
1. Elements and Devices of Automatics / V.S. Podlipensky, Yu.A. Sabinin, L.Yu. Yurchuk. Ed. by Yu.A. Sabinin. St. Petersburg: Polytechnic, 1995.
2. Chemical Encyclopedia. In 5 volumes. Vol. 2. M.: Great Russian Encyclopedia, 1998.
3. Abakumov A.A. Magnetic introscopy. M.: Energoatomizdat, 1996.