Detecting unauthorized disk access using S.M.A.R.T.

People sometimes run into the problem of unauthorized access to their computer. Holidays, a weekend trip, a business trip: these are ideal opportunities for someone else to get at the personal data on your hard disk. If you suspect that somebody may be using your computer (and stealing important data) while you are away from work, here is a way to find out.

Imagine this situation: you are working on confidential data that nobody but you should be able to access. Software solutions, such as TSR utilities that log the time of each login to a file, are unreliable: once logged in, the intruder can simply edit the log file back to its previous state. On the other hand, taking the victim's hard drive and mounting it in the thief's own computer as a secondary disk bypasses nearly all system security, since the thief does not need to know the BIOS password or the operating-system (Linux, Windows) password of your machine. In this situation, detecting the unauthorized access seems, at first sight, nearly impossible.

However, there is a way to check: S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology), built into modern hard disks. The drive's own firmware maintains a set of attributes about the disk, such as temperature, spin-up time and error rates, and stores them on the drive itself. The only utility you need is smartmontools (available for download at http://smartmontools.sourceforge.net; Linux, *BSD, Windows and MacOS, among other operating systems, are supported).

First install smartmontools, then run the following (on other operating systems the command is the same without the .exe extension; only the device name may differ):

smartctl.exe -A /dev/hda
to see the attributes of the ATA hard disk connected to the Primary Master channel. The results are shown below:

[Screenshot: smartctl -A output, first measurement]

The attributes we are looking for are number 4 (Start_Stop_Count), 9 (Power_On_Hours) and 12 (Power_Cycle_Count). Write these values down or save them as a text file (or as an image, by taking a screenshot). Their descriptions are listed in the table below.


ID   Name                 Description
4    Start/Stop Count     Number of hard disk spindle start/stop cycles.
9    Power-On Hours       Number of hours (on some drives minutes or seconds) spent in the power-on state.
12   Power Cycle Count    Number of full HDD power on/off cycles.



The difference between Start/Stop Count and Power Cycle Count comes from the distinction between the drive's embedded controller and its spindle. A single power-on increases both values by 1 (both the controller and the spindle have been started), but after that Power Cycle Count does not change until the disk is powered off and on again. While powered on, however, the disk can enter sleep mode, which spins the platters down. When it returns from sleep to normal operation the spindle starts again and Start/Stop Count increases by 1 a second time. This is especially noticeable with ACPI/APM (Advanced Configuration and Power Interface / Advanced Power Management) power management enabled. Conversely, when you switch the computer off, the controller goes to the off state immediately, but the spindle takes a moment to come to a stop. If the disk is powered on again quickly (before the spindle has stopped completely), Power Cycle Count increases but Start/Stop Count does not, because the spindle has not completed a full cycle. One full cycle means a single change of state from stopped to spinning (off -> on). The exact bookkeeping is vendor-specific, so for this purpose Power Cycle Count is the more reliable of the two; Start/Stop Count mainly helps you tell a genuine power-on from a spin-down/spin-up.

Unfortunately, S.M.A.R.T. does not record the exact time (hour, minute, second) of the last power-on. This can be supplemented with a TSR utility such as now (see attachments).

So, at the moment of the first measurement the hard disk had been powered on for the 153rd time and its total working time was 283 hours. The second measurement is taken once you suspect an intrusion, so that the previous values can be compared with the new ones:

[Screenshot: smartctl -A output, second measurement]

As we can see, Power_Cycle_Count is now 155 and Start_Stop_Count is 151 (both increased by 2), and Power_On_Hours is 286, so since the first measurement this hard disk was powered on twice for a total of roughly 3 hours (the counter has one-hour granularity). This tells you that someone used your hard disk during your absence, and the data on it may have been copied. It makes no difference whether the disk was booted in your own machine or attached to another one: as long as it was powered up, the counters advance. To protect yourself against this, always encrypt your data and keep the private keys on a separate volume (floppy, USB stick or CD/DVD).

The main disadvantage of this solution is that you always need a fresh copy of the S.M.A.R.T. attributes, taken before a possible incident, to compare against. The best approach is a batch script that dumps all attributes to a .txt file and is run before every shutdown, for example:

smartctl.exe -A /dev/hda >> attr.txt
The file can then be printed, so that a 'hacker' editing attr.txt afterwards makes no difference to you. Note that >> appends, so the file accumulates one block of attributes per shutdown; keep the printout somewhere the intruder cannot reach.
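As an added example (not part of the original article and not smartmontools code), the following Python script automates the comparison described above: it parses two `smartctl -A` dumps, extracts attributes 4, 9 and 12, and reports whether the disk was powered on between the two measurements, distinguishing a real power cycle from a sleep-mode spin-up as discussed under the attribute table. The two dumps embedded in it are constructed to match the article's numbers (149/283/153 before, 151/286/155 after); `read_live` is an assumed helper that shells out to a real smartctl binary and is not exercised offline.

```python
"""Compare two `smartctl -A` dumps and flag hard-disk power-ons between them."""
import re
import subprocess

# Attribute IDs the article watches; the raw values are kept by the drive firmware.
WATCHED = {4: "Start_Stop_Count", 9: "Power_On_Hours", 12: "Power_Cycle_Count"}

# One row of the "Vendor Specific SMART Attributes with Thresholds" table:
# ID# NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)"
)


def parse_attributes(text):
    """Return {id: raw value as int} for the watched attributes in smartctl -A output.
    Raw values are vendor formatted (e.g. '283' or '283 (min 283 max 290)'),
    so only the leading integer is kept."""
    attrs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or int(m.group(1)) not in WATCHED:
            continue
        lead = re.match(r"\d+", m.group(3))
        if lead:
            attrs[int(m.group(1))] = int(lead.group(0))
    return attrs


def read_live(device="/dev/hda", smartctl="smartctl"):
    """Assumed helper: run smartctl on a real device (not used by the offline demo).
    smartctl's exit status is a bit mask that is non-zero for failing attributes,
    so it is deliberately not treated as an error here."""
    out = subprocess.run([smartctl, "-A", device], capture_output=True, text=True)
    return parse_attributes(out.stdout)


def compare(baseline, current):
    """Return {id: (before, after, delta)} for watched attributes that changed."""
    return {
        i: (baseline[i], current[i], current[i] - baseline[i])
        for i in sorted(WATCHED)
        if i in baseline and i in current and current[i] != baseline[i]
    }


def verdict(baseline, current):
    """Plain-language interpretation following the article's reasoning:
    a Power_Cycle_Count increase means the disk was powered on; a Start_Stop_Count
    increase on its own is a spin-down/spin-up (sleep mode), not a new power-on."""
    diff = compare(baseline, current)
    cycles = diff.get(12, (0, 0, 0))[2]
    starts = diff.get(4, (0, 0, 0))[2]
    hours = diff.get(9, (0, 0, 0))[2]
    if cycles > 0:
        return (f"ALERT: disk powered on {cycles} time(s) since baseline, "
                f"Power_On_Hours advanced by {hours} unit(s)")
    if starts > 0:
        return ("spindle restarted without a power cycle (sleep/APM spin-down), "
                "no new power-on recorded")
    if hours > 0:
        return "Power_On_Hours advanced with no new power cycle: disk stayed on"
    return "no change: no power-on recorded since baseline"


# Constructed sample dumps in smartctl 5.x table format, using the article's numbers.
BASELINE_DUMP = """\
smartctl version 5.37 Copyright (C) 2002-6 Bruce Allen
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  3 Spin_Up_Time            0x0007   100   100   025    Pre-fail  Always       -       5632
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       149
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       283
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       153
194 Temperature_Celsius     0x0022   100   100   000    Old_age   Always       -       38 (Lifetime Min/Max 20/45)
"""

AFTER_DUMP = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  3 Spin_Up_Time            0x0007   100   100   025    Pre-fail  Always       -       5632
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       151
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       286
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       155
"""

if __name__ == "__main__":
    before = parse_attributes(BASELINE_DUMP)
    after = parse_attributes(AFTER_DUMP)
    for i, (b, a, d) in compare(before, after).items():
        print(f"{i:>3} {WATCHED[i]:<18} {b:>6} -> {a:<6} (+{d})")
    print(verdict(before, after))
```

In practice you would record `parse_attributes(read_live())` before leaving, on paper or a printout rather than in a file on the same disk, and compare it with a fresh reading on return. The raw value of attribute 9 is vendor-specific (hours on most drives, minutes or seconds on some), so treat the Power_On_Hours delta as a count of the drive's own units unless you know the drive.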


Because S.M.A.R.T. attributes are stored on the hard disk itself, this method is independent of the computer the disk is attached to. Taking the disk out and mounting it in another machine does not change them. They are maintained by the drive firmware, and the standard SMART command set provides no way to write attribute values back, so an intruder cannot simply adjust them to their old values (short of vendor-specific firmware tools, which a casual data thief will not have). This is especially useful when going on holiday: check your S.M.A.R.T. attributes once, save/write down/print them, and compare when you return. Nice and easy.



Attachments:
smartmontools 5.37
now