6

I know that it's possible for a computer to set up logging or auditing, and keep track of what devices are plugged into IT. But do external harddrives keep track of what computers THEY are ever plugged in to? Intentionally, or unintentionally? (Assume they have just been taken out of the box from Best Buy -- specops IT hasn't loaded anything on.)

I'm trying to analyze a Samsung T5 right now but I want to know in general.

If the answer is Yes, or Maybe, should wiping the hard drive get rid of this information, or is it stored DEEP in the drive, somehow? I'm always suspicious of how much "wiping" does, even with a multi-pass algorithm.

jibarron64
  • 63
  • 3
  • 2
    I don't think that there is even a way for hard drives to get these information, i.e. actively detect what device they are connected to. But drives store information about power cycles etc, so if all you want to know how much the drive was used before you can look at these S.M.A.R.T information using a variety of tools. – Steffen Ullrich Mar 06 '21 at 05:56
  • 1
    Not necessarily, but [certain operating systems](https://www.youtube.com/watch?v=8LGDM9exlZw) append a unique identifier to every accessed file, so that they can track how information spreads. –  Mar 06 '21 at 14:49
  • @MechMK1 This is very interesting -- but, should I interpret it as saying that *typical* operating systems will *not* do that? (Only North Korean ones?) – jibarron64 Mar 06 '21 at 16:19
  • 2
    *To my knowledge*, they won't. Plugging a file into any OS I've ever encountered aside from RSOS didn't alter the file hash –  Mar 06 '21 at 19:08

2 Answers2

4

In my experience I have never seen any storage devices that does this by themself.

As others in the comments has mentioned: Some information like hours powered on, the number of timed powered on and some other information are stored in the hard drive and are accessible using SMART.

However, many operating systems including Windows, macOS and Android will create files on connected storage devices.

Windows will create a hidden system folder named System Volume Information. MacOS will create a hidden folder named __MACOSX and perhaps .DS_Store. Android will create a folder named Android.

Other OSes might create other folders.

Depending on your needs, wiping a hard drive (with physically spinning disks) should be secure enough if totally wiped at once or more, or even destroying it physically should be of help, but even a severely damaged hard drive might still make it possible to retrieve some information from it, so drilling holes, sanding the plate and apply a strong magnetic field to them and dispose of the pieces might be the best thing to do.

knowsshit
  • 301
  • 1
  • 3
  • I did find things like a .Spotlight file (apparently to make searching the drive easier), though I looked for, and couldn't find, __MACOSX. How would it be "hidden" though? I think of `.filename` as 'hidden', but double-underscore files I can see in the file system just fine – jibarron64 Mar 06 '21 at 16:39
  • @jibarron64 - Yes the created hidden *(simple hidden as .filename or equivalent)* information generally has a GUID (Globally Unique IDentifier) and an associated date. However the association is from computer to drive, not the reverse. Meaning that if you have the computer, you can determine if a given drive was previously connected to it. You cannot start with the drive and identify the computer. – user10216038 Mar 06 '21 at 17:01
3

I did not yet come across a device which does that (in an easy to recognize way*) but in theory they could. And in practice they sometimes do.

In the end a harddrive is a cpu (often an ARM processor) + ram (cache) + bios/bootloader (on the CPU itself or the NAND or some other chip) + lots of attached storage (not everything of that being visible to the average end user)

Something like a stripped down Raspberry Pi, just with a dumb OS. For external devices you often have an additional cpu+eeprom for the USB side of the device.

The dumb OS normally only does stuff relevant for doing storage things. But even at that level it at least needs to know what data is going through the dumb OS so in principle it sees that which could just belong to this Computer. If it saves that is a different question.

Some skilled person could install a not so dumb OS to save more data about what the device is doing. This has actually been happening since quite a while (look up HDD/USB firmware malware)

Just overwriting from the OS side won't help you in these special cases.

* I do have an USB SATA adapter which inside the firmware keeps track of the "other" side (i.e. names of HDD's attached to it). Some other adapter also seems to flip some bit when it is attached to something. I also have a HDD which after a while changes dozens of lines in the firmware, could be normal logging or maybe saving stuff like bad sectors or maybe saving my nuclear launch codes.

yeet
  • 31
  • 1