Hello - this isn't to do with forensic analysis!
Was having a play with ProDiscover to see how it works with an HPA on my laptop. Previously I had always thought that the HPA on my laptop worked with the recovery CD or contained software to allow the playing of CDs without booting.
As Windows and DOS programs see it, the hard drive is made up of 1 partition.
Anyway - did the capture and HPA scan - everything went fine, no problems. Only thing is I couldn't find anything of worth in the HPA?
Here's some screen shots of the scanning HPA process
I tried adding most of what the HPA scan showed, including the NTFS found at sector……………
But once they've been added there's nothing there!! Cluster view just shows the clusters as unallocated.
Also from the report
Total Drive Information
Hard disk make TOSHIBA MK8025GAS
Total Sectors 156301486
Total Size 78150743 KB
Hard Disk C
Volume Name NO NAME
Volume Serial Number 50AC-646E
File System FAT32
Bytes Per Sector 512
Total Clusters 2346363
Sectors per cluster 64
Total Sectors 150205440
Hidden Sectors 63
Total Capacity 75102720 KB
Start Sector 63
End Sector 150205502
Hard Disk D
Volume Name
File System INVALID
Bytes Per Sector 512
Total Clusters -150205505
Sectors per cluster 1
Total Sectors -150205505
Hidden Sectors 0
Total Capacity 2072380895 KB
Start Sector 150205504
End Sector -1
So can I presume there is nothing of value in the HPA on my machine?
Couple of questions….
1. What did you expect to find?
2. Have you contacted the folks over at the TechPathways forums?
Before trying this I had assumed that there was going to be something along the lines of a disk image a la Ghost or True Image, which the recovery CD would reload to return the PC to its factory settings.
Also the laptop has the feature where it can play CDs without booting into Windows. It's not a Dell, but Dell have the same feature and they actually have the software for this in an HPA, so I thought this PC might have similar.
The Dell works by having a non-standard MBR extended to 2 sectors which controls if the HPA is 'revealed' and its partition entered into the part table, depending on key presses at startup.
My PC works differently in that it has a standard MBR, so it looks like my HPA is set up differently.
Just a bit confused about the HPA scan info - the hard drive is an 80GB, and the non-HPA user section is one FAT32 partition, so it seems odd that there are loads of instances in the HPA scan that don't identify a file system but then at the end it identifies an NTFS one! This NTFS file system that it claims to identify is described as 1962933652 sectors and 1138688.38MB in size, i.e. 1112GB!!!! Doesn't sound right to me on an 80 gig drive.
Thing is, a partition has an identifier code that describes the file system. These can be edited in lots of apps, e.g. std FAT32 0c and NTFS 07 I think - Dell uses DB for its HPA, which I can't find in any list.
Maybe the HPA scan has done its job, there's stuff there but because it doesn't have a standard partition identifier it can't find a file system?
I post in the TechPathways forum - I just wondered if there were people here who had experience of viewing the HPA, and might notice something in my results.
Interesting…every Dell that I've used or examined so far has had a separate FAT partition for the utilities (on my personal systems, I get rid of that before re-installing the OS); I'm not aware that it's in HPA…it always appears as a separate partition.
Sorry, not saying every Dell! Just an example of some that I know about.
http//
http//
This is the first time I've had a PC with an HPA; same as yourself, previously the recovery areas I've experienced are on a separate 'normal' partition or hidden in the normal way via progs like part magic.
I'm not making it up!!!!
Interesting…the first link has no mention of "HPA" at all…
Just the cover page, not bogged down in details, but near the bottom where it says
"Appendix Understanding the Dell MediaDirect Partition" and then goes on to say
"MediaDirect is installed in a special partition on the hard disk, but is hidden so you cannot see it when XP is booted normally." - is referring to an HPA, which when you click the link explains further.
p.s. not my site and I have no connection with it, found it after a bit of research.
I think it's just a Symantec / Norton Ghost image in a partition, which is similar to what HP / Toshiba is doing on some systems or similar to what Ghost will do with a CD backup of a partition. If it's a Ghost partition, it usually requires an OEM password, which can often be found inside the .ini file on that partition or on another partition that is usually hidden.
Just out of curiosity, could you use a Linux live CD to mount the partition read-only and see any files on it?
If you don't know how to mount the partition read-only in Linux, what about just running this command (also from a Linux live CD) and posting the results:
fdisk -l /dev/hda
The above is a lower case L and not a one (1), and the hda assumes it is the first EIDE drive on the first EIDE controller; if it is the second drive, it is hdb, if it's the first drive on the second controller it is hdc, and if it's the second drive on the second controller it is hdd - all of this assumes it is EIDE and not a SCSI drive or SATA. The command will only identify the type of partitions on the hard drive but may offer some additional info I could use to help you.
By the way, if the partition contains a Ghost image, it will usually just be one very large file and an ini file sometimes. However, you could make a copy of the individual Ghost image file to USB media and open it in Symantec Ghost to extract or view the files….once you find the password. I have a list of default OEM Ghost passwords somewhere….
If you made a forensic copy of the partition, you would get the entire partition including slack space and you would need to know the ghost image start and end to carve it out.
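
A sanity check on the figures quoted earlier in this thread, as an added example that is not part of any post: it tests each reported extent against the drive's total sector count and shows that the "Hard Disk D" values are consistent with 32-bit wraparound starting from End Sector -1. The function names are illustrative, and treating the report's Total Sectors as the full drive size is an assumption.

```python
# Added example: sanity-check volume extents from an HPA scan report.
# All figures are copied from the report quoted in the thread.
SECTOR_BYTES = 512
DRIVE_SECTORS = 156301486   # "Total Drive Information" -> Total Sectors (assumed full drive)

def as_u32(value):
    """Reinterpret a signed 32-bit number as unsigned."""
    return value & 0xFFFFFFFF

def capacity_kb(sectors):
    """Capacity in KB, treating the sector count as an unsigned 32-bit field."""
    return as_u32(sectors) * SECTOR_BYTES // 1024

def check_extent(name, start, sectors, drive_sectors=DRIVE_SECTORS):
    """Return the reasons an extent cannot describe real data on this drive."""
    problems = []
    if sectors <= 0:
        problems.append(f"{name}: non-positive sector count {sectors}")
    elif sectors > drive_sectors:
        problems.append(f"{name}: {sectors} sectors exceeds the drive's {drive_sectors}")
    elif start is not None and start + sectors > drive_sectors:
        problems.append(f"{name}: extends past the last sector of the drive")
    return problems

def tail_region(first_sector, drive_sectors=DRIVE_SECTORS):
    """Sector count and size in MiB from first_sector to the end of the drive."""
    count = drive_sectors - first_sector
    return count, count * SECTOR_BYTES / (1024 * 1024)

if __name__ == "__main__":
    # Hard Disk C (FAT32): fits inside the drive, so no findings.
    print("C:", check_extent("C", 63, 150205440))
    # Hard Disk D: End Sector (-1) minus Start Sector gives the negative count,
    # and that count read as unsigned 32-bit gives the reported capacity.
    print("D count:", -1 - 150205504, "capacity KB:", capacity_kb(-150205505))
    print("D:", check_extent("D", 150205504, -150205505))
    # NTFS hit from the HPA scan; its start sector is not given in the post.
    print("NTFS:", check_extent("NTFS hit", None, 1962933652))
    # Space that actually remains after the FAT32 volume.
    print("tail:", tail_region(150205504))
```

An extent that fails these checks is a false signature match or a wrapped field rather than a usable file system, so adding it as a volume would be expected to show only unallocated clusters.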