
Difference between pages "DCO and HPA" and "Checkpoint Full Disk Encryption"

From ForensicsWiki
= DCO and HPA =

== Detection ==

=== Linux ===

==== Using hdparm ====

'''HPA'''
Command:

<pre># hdparm -N /dev/sda</pre>

Disabled HPA:

<pre>
/dev/sda:
max sectors  = 1465149168/1465149168, HPA is disabled
</pre>

Enabled HPA:

<pre>
/dev/sdc:
max sectors  = 586070255/586072368, HPA is enabled
</pre>

'''DCO'''

Command:

<pre># hdparm --dco-identify /dev/sda</pre>

Example output:

<pre>
/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
Real max sectors: 1465149168
ATA command/feature sets:
SMART self_test error_log security HPA 48_bit
(?): selective_test conveyance_test write_read_verify
(?): WRITE_UNC_EXT
SATA command/feature sets:
(?): NCQ SSP
</pre>
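As an added example (not part of the original wiki page), a small Python triage script that parses the two hdparm outputs shown above: it flags an HPA from the visible/native sector counts of <code>hdparm -N</code>, and sizes a DCO by comparing the <code>Real max sectors</code> value from <code>hdparm --dco-identify</code> with the native maximum. The sample outputs are constructed from the examples above; the <code>/dev/sdc</code> DCO listing and its real-max figure are invented for illustration.

```python
import re

# Constructed sample output based on the examples above; the /dev/sdc DCO
# listing and its real-max figure are invented for illustration.
HPA_DISABLED_OUT = "/dev/sda:\nmax sectors  = 1465149168/1465149168, HPA is disabled\n"
HPA_ENABLED_OUT = "/dev/sdc:\nmax sectors  = 586070255/586072368, HPA is enabled\n"
DCO_OUT = "/dev/sdc:\nDCO Revision: 0x0001\nReal max sectors: 625142448\n"

_MAXSECT = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")
_REALMAX = re.compile(r"Real max sectors:\s*(\d+)")


def parse_hdparm_n(text):
    """Parse 'hdparm -N' output: visible and native sector counts plus HPA state.
    A drive with an HPA reports visible < native; the difference is hidden."""
    m = _MAXSECT.search(text)
    if m is None:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    visible, native = int(m.group(1)), int(m.group(2))
    return {"visible": visible, "native": native,
            "hpa_enabled": m.group(3) == "enabled",
            "hpa_hidden_sectors": native - visible}


def parse_dco_identify(text):
    """Return the 'Real max sectors' value from 'hdparm --dco-identify' output."""
    m = _REALMAX.search(text)
    if m is None:
        raise ValueError("no 'Real max sectors' line in dco-identify output")
    return int(m.group(1))


def assess_hidden_areas(hdparm_n_text, dco_text, sector_size=512):
    """Size both hidden areas on one drive: the HPA (native - visible) and the
    DCO (real max - native). A DCO also lowers the native maximum that
    'hdparm -N' reports, so only --dco-identify reveals it."""
    n = parse_hdparm_n(hdparm_n_text)
    real_max = parse_dco_identify(dco_text)
    n["real_max_sectors"] = real_max
    n["dco_hidden_sectors"] = real_max - n["native"]
    n["hidden_bytes"] = (n["hpa_hidden_sectors"] + n["dco_hidden_sectors"]) * sector_size
    return n


if __name__ == "__main__":
    print(parse_hdparm_n(HPA_DISABLED_OUT))   # HPA disabled, 0 hidden sectors
    print(assess_hidden_areas(HPA_ENABLED_OUT, DCO_OUT))
```

Record both figures before imaging: an image taken with the HPA or DCO still in place is short by exactly the hidden sector counts this script reports.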
== Removing HPA ==

=== Linux ===

==== Using hdparm ====

Command:

<pre># hdparm -N p586072368 /dev/sdc</pre>

(The <code>p</code> prefix '''permanently''' (!) sets the maximum visible number of sectors; 586072368 is the native maximum from the example above.)

== Other Tools ==

* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.

* [http://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml SAFE-Block] claims the ability to temporarily remove the HPA and remove the DCO, and later return it to its original state.

* [http://hddguru.com/content/en/software/2007.07.20-HDD-Capacity-Restore-Tool/ HDD Capacity Restore], a reportedly free utility that removes the DCO (to give you more storage for your hard drive!)

* [http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf Tableau TD1] can remove the HPA and DCO.

* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.

== References ==

* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275

* [http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Hidden Disk Areas: HPA and DCO], Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1

* [http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt Removing Host Protected Areas (HPA) in Linux], Brian Carrier, SleuthKit Informer #20

= Checkpoint Full Disk Encryption =

Latest revision as of 19:42, 2 November 2009

Checkpoint Disk Encryption, formerly known as Pointsec, aka End Point Encryption, is a package for encrypting Windows PC disks. See the Checkpoint site for all current information.

== Items of interest to Forensics people ==

- It comes in two flavors, boot password protect and Windows Pass-through. Boot protect means you're going to need the key. Windows pass-through means you can attack the OS to get to the underlying data (on a working copy, of course). Once you have an OS key, you can use a fresh copy to assemble evidence.

- Checkpoint(sec) does supply boot drivers that allow you to mount a pass-through volume inside a BartPE environment. Very useful. Drivers are available from Checkpoint.

--[[User:Digitaltrustllc|Digitaltrustllc]] 19:42, 2 November 2009 (UTC)