
HPA and DCO

8 Posts
7 Users
0 Reactions
3,020 Views
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

Hi all,

I've lately been reading about file systems, hard drives and stuff… and I've found these two interesting concepts: Host Protected Area and Device Configuration Overlay. If existing, these areas could be quite interesting to analyze. So… the question is: does anyone know if the typical analysis tools detect these areas? My favourite tool so far (though I'm beginning to "believe" in Helix and FTK too :D) is EnCase, but I haven't found any technical documentation to confirm/deny whether these tools detect HPAs and DCOs or not. Relating to Helix, I found that you can detect an HPA by using disk_stat, but I haven't been able to find information on how to detect/eliminate a DCO for the acquisition.

Any suggestions will be welcome!!


   
(@marat)
Eminent Member
Joined: 19 years ago
Posts: 31
 

Very good article
http://dmares.com/maresware/articles/HPAexe_01_20_06_eval.pdf
Also, you can download a free HPA detection/removal tool.
For Linux you can read
http://www.sleuthkit.org/informer/sleuthkit-informer-20.html
(about usage of disk_stat etc.)
Link to other software:
http://www.vidstrom.net/stools/taft/
And try a Google search for "mhdd"; the home site of this good software is down now, but you can find a link to download the floppy or CD version.
Regards.


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

Taken from The EnCase Study Guide book.

"You may also encounter a Host Protected Area (HPA) or a Device Configuration Overlay. HPA was introduced with the ATA-4 standard. Its purpose is to create a place at the end of the drive for vendors to store information (recovery, security, registration, etc). DCO was introduced with ATA-6 and was initially intended as a means of limiting the apparent capacity of a drive. DCO space will also appear at the end of the drive and is also not seen by the BIOS.

As neither can be seen by the BIOS and both can contain hidden data, the way to access this data is via Direct ATA access instead of BIOS access. This method is available using EnCase for DOS on a forensic boot disk. Using the Direct ATA mode, EnCase communicates directly with the ATA controller and is able to access all sectors, including HPA and DCO sectors that weren't seen or accessed by the BIOS"

Refers to EnCase Version 5


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

DCO was introduced with ATA-6 and was initially intended as a means of limiting the apparent capacity of a drive.

Not quite correct; the DCO was introduced to specify (limit) the selectable commands, capacity, modes and feature sets that a drive will support.

Put simply it was introduced to allow a newer drive to emulate an older one.

You can for instance use the DCO to tell a drive
* not to support DMA2
* not to support HPA
* disable 48 bit addressing
* not to support the security feature set


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

There are more than a few incorrect statements in the EnCase study guide. Thanks for correcting that one.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

It's not particularly clear on their website, but I believe feedback (e.g. errata) can be given through the following URL:

http://eu.wiley.com/WileyCDA/Section/id-101037.html

Kind regards,

Jamie


   
(@lonelywolf)
Eminent Member
Joined: 20 years ago
Posts: 31
 

Hi,

ProDiscover too can analyze HPA. In the default installation the driver to do this is not installed, but following the notes you can add it whenever you want.

"Features and Benefits

* Create Bit-Stream copy of disk to be analyzed, including hidden HPA section " taken from http://www.techpathways.com/prodiscoverWindows.htm


   
(@dc1743)
Eminent Member
Joined: 21 years ago
Posts: 48
 

Encase softbloc will also detect HPAs and DCOs.

The advantage (for some of us who use Encase as their primary tool) is that this can be done in Windows.

Regards Richard


   
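Added example, not part of any post in this thread: a sketch of how an examiner could work out which sector ranges an HPA and a DCO hide before acquisition, by comparing the drive's current, native and real maximum sector counts. It assumes the Linux `hdparm` utility (not mentioned in the thread), that its `-N` and `--dco-identify` output looks like the constructed samples below, and 512-byte sectors.

```python
import re

SECTOR = 512  # assumed logical sector size in bytes

# Constructed sample output (not captured from a real drive); the exact
# layout of hdparm's output is an assumption of this example.
SAMPLE_N = "/dev/sdX:\n max sectors   = 78125000/80043264, HPA is enabled\n"
SAMPLE_DCO = ("/dev/sdX:\nDCO Revision: 0x0001\n"
              "The following features can be selectively disabled via DCO:\n"
              "\tReal max sectors: 80293248\n")

def parse_native_max(text):
    """Return (current, native) sector counts from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line found")
    return int(m.group(1)), int(m.group(2))

def parse_dco_real_max(text):
    """Return the real sector count from `hdparm --dco-identify` output."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Real max sectors' line found")
    return int(m.group(1))

def hidden_regions(current, native, real):
    """List (kind, first_lba, last_lba) for areas a normal read cannot see."""
    if not current <= native <= real:
        raise ValueError("expected current <= native <= real")
    regions = []
    if native > current:   # HPA sits between the visible end and native max
        regions.append(("HPA", current, native - 1))
    if real > native:      # DCO hides sectors beyond the reported native max
        regions.append(("DCO", native, real - 1))
    return regions

def report(n_text, dco_text):
    """Combine both outputs into (kind, first, last, size_in_bytes) tuples."""
    current, native = parse_native_max(n_text)
    real = parse_dco_real_max(dco_text)
    return [(k, a, b, (b - a + 1) * SECTOR)
            for k, a, b in hidden_regions(current, native, real)]

if __name__ == "__main__":
    for kind, first, last, size in report(SAMPLE_N, SAMPLE_DCO):
        print(f"{kind}: LBA {first}-{last}, {size} bytes hidden")
```

An image whose sector count equals the first number on the `max sectors` line has missed both ranges.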