
Forensic Recovery and ATA-3 'Secure Mode', possible?

73 Posts
32 Users
0 Reactions
10.8 K Views
(@akaplan0qw9)
Trusted Member
Joined: 21 years ago
Posts: 69
 

I was looking at an on-line manual for Pro Discover a few moments ago. I don't know enough about it to know if they are addressing the same problem or a different one. Anyhow, here it is for what it's worth.

ATA Hardware/Host Protected Areas (HPA).
ATA Specifications added the “Protected Area” as a means for PC distributors to ship diagnostic utilities with PCs. Simply put, the hardware protected area is an area of the hard drive that is not reported to the system BIOS and operating system. Because the protected area is not normally seen, most disk forensics imaging tools will not image this area. We have seen an emergence of new utilities available allowing PC users to take advantage of this “Protected Area” to store user data. One such utility is the commercial product AREA51.

In some cases forensics examiners can identify the use of the Protected Area by analyzing the boot partition which may contain boot options for the area. Current versions of AREA51 modify the boot partition by changing the boot loader to include pointers to the protected area.

Users can also detect the use of an ATA Protected Area by doing a little disk math. Consider the following scenario:

The user is about to image a disk which is labeled, or they know has a CHS (Cylinder Head Sector) value of 16383/16/63. In this case to find out the total number of sectors which should be reported simply multiply (Cylinders x Heads x Sectors). In this case 16383 x 16 x 63 = 16,514,064 total sectors. If the user started an image of the disk and noticed it only reported 4,192,965 sectors then they would be missing around 6 gigs of data area depending on how many bytes were used in each sector. To establish the total disk size use total sectors x bytes (normally 512). In this case the disk should be 8.4 GB, but was reporting about 2 GB.

ProDiscover® includes a device driver that allows ProDiscover® to detect and look inside the Hardware Protected Area. When ProDiscover® is launched the device driver reads all Hardware Protected Area information from the disk to detect if the HPA is in use, then sends a single command, "SET MAX ADDRESS (Volatile option)", to any disk added to the project. This process allows users to image the complete drive. In accordance with the HPA technical specifications, once the machine is power-cycled the drive is automatically returned to its original state.

Often ProDiscover® will automatically detect and add file system partitions within the HPA to your directly added disks so they may be viewed as a normal partition in Content-View or Cluster-View. Since the HPA technical specification does not specify where a file system starts or what type of file system resides within the HPA, ProDiscover® provides a tool for scanning the HPA to detect any file systems inside and adding the file system partition to the current project. All file systems added to a project from the HPA will have [HPA] appended in the tree-view to clearly identify their origin. See Using ProDiscover for specific steps and tasks involving the HPA.

Technology Pathways also provides a DOS utility application "PARemove.exe" that allows forensics examiners to remove the Hardware Protected Area permanently thereby enabling any other imaging tool to image all sectors of the disk. If the examiner suspects that the Hardware Protected Area has been utilized on the disk, they only need run PARemove.exe from a DOS boot disk to remove the HPA.


   
ReplyQuote
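The disk math from the manual excerpt above, as an added example that is not part of the original post or of ProDiscover. It goes one step past the CHS check and also reads the `max sectors = visible/native` line that `hdparm -N` prints; the function names are hypothetical and the sample line is constructed from the post's own numbers.

```python
import re

SECTOR_BYTES = 512  # the post's "normally 512"; confirm per drive

def chs_total_sectors(cylinders, heads, sectors_per_track):
    """Sector count implied by a label's C/H/S geometry."""
    return cylinders * heads * sectors_per_track

def hidden_area(expected_sectors, reported_sectors, sector_bytes=SECTOR_BYTES):
    """Compare the expected capacity with what the imaging tool saw."""
    hidden = expected_sectors - reported_sectors
    if hidden < 0:
        raise ValueError("reported sectors exceed expected; check the geometry")
    return {
        "hpa_suspected": hidden > 0,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_bytes,
        # LBA range an image would be missing if the gap is an HPA
        "first_hidden_lba": reported_sectors if hidden else None,
        "last_hidden_lba": expected_sectors - 1 if hidden else None,
    }

_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")

def parse_hdparm_n(output):
    """Extract visible/native sector counts from `hdparm -N` output."""
    match = _MAX_SECTORS.search(output)
    if match is None:
        raise ValueError("no 'max sectors' line found")
    visible, native = int(match.group(1)), int(match.group(2))
    return hidden_area(native, visible)

# Constructed sample output using the scenario's figures (not a real capture).
SAMPLE_HDPARM_N = "/dev/sdb:\n max sectors   = 4192965/16514064, HPA is enabled\n"

if __name__ == "__main__":
    label = hidden_area(chs_total_sectors(16383, 16, 63), 4192965)
    print("From label geometry:", label)
    print("From hdparm -N line:", parse_hdparm_n(SAMPLE_HDPARM_N))
```

16383/16/63 is also the ceiling value that ATA drives larger than about 8.4 GB report for CHS, so on such drives the label geometry only gives a lower bound and the native LBA count is the figure to compare against.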
(@dstefan)
Active Member
Joined: 20 years ago
Posts: 6
 

Ok this is really bothering me now. I have to find out how to do this. The closest I came to is a file called mhd3.exe

I seem to be getting a timeout error but some claim they used this software to unlock their locked drives.

If you want it I can send it to you but I got it from doing a search on GOOGLE.

If anyone can get this software to work I really want to know how to get around the timeout error. Not sure what it means 🙁 Maybe I should be using a slower computer??? Who knows?

I also have the source code for this program. If there are any programmers maybe they can take a look at it???


   
ReplyQuote
(@kalidomra)
New Member
Joined: 20 years ago
Posts: 1
 

I can remove ATA passwords. email or PM me.

Kalidomra


   
ReplyQuote
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

OK, PM sent….

Andy


   
ReplyQuote
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

Kalidomra, I wasn’t expecting you to PM a reply with an advert for your services

Andy 😕


   
ReplyQuote
(@terminal)
New Member
Joined: 20 years ago
Posts: 3
 

Does anyone on this forum know how to disable the supervisor password on a Tecra S1 laptop?

spaazm@hotmail.com


   
ReplyQuote
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

I believe that there is a (parallel port) dongle available that will do just that. I haven't seen one in a while; at one time they were sold on eBay.


   
ReplyQuote
(@terminal)
New Member
Joined: 20 years ago
Posts: 3
 

These laptops are not going to work with any of the old methods, i.e. parallel port, USB port, or the key disk.
This is the new generation and it requires an up-to-date method.


   
ReplyQuote
(@kinga)
New Member
Joined: 20 years ago
Posts: 3
 

ATA Password can be removed without knowing the password itself, please have a look here

http//www.hdd.profesjonalnie.pl/to.php


   
ReplyQuote
(@nemon)
New Member
Joined: 20 years ago
Posts: 2
 

ATA Password can be removed without knowing the password itself, please have a look here

http//www.hdd.profesjonalnie.pl/eng.html

Can you remove a password off a hard drive that was locked on an IBM T40?

Will the data be saved?

Hitachi Travelstar

roll


   
ReplyQuote