Difference between pages "DCO and HPA" and "Checkpoint Full Disk Encryption"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m
 
(Created page with 'Checkpoint Disk Encryption, formerly known as Pointsec, aka End Point Encryption is a package for encrypting Windows PC disks. See the Checkpoint site for all current informatio…')
 
Line 1: Line 1:
== Detection ==
+
Checkpoint Disk Encryption, formerly known as Pointsec, aka End Point Encryption is a package for encrypting Windows PC disks.  See the Checkpoint site for all current information.
  
=== Linux ===
+
== Items of interest to Forensics people ==
 +
- It comes in two flavors, boot password protect and Windows Pass-through.  Boot protect means you're going to need the key.  Windows pass-through means you can attack the OS to get to the underlying data (on a working copy, of course).  Once you have an OS key, you can use a fresh copy to assemble evidence.
  
==== Using hdparm ====
+
- Checkpoint(sec) does supply boot drivers that allow you to mount a pass-through volume inside a BartPE environment.  Very useful.  Drivers are available from Checkpoint.
  
'''HPA'''
+
--[[User:Digitaltrustllc|Digitaltrustllc]] 19:42, 2 November 2009 (UTC)
 
+
Command:
+
 
+
<pre># hdparm -N /dev/sda</pre>
+
 
+
Disabled HPA:
+
 
+
<pre>
+
/dev/sda:
+
max sectors  = 1465149168/1465149168, HPA is disabled
+
</pre>
+
 
+
Enabled HPA:
+
<pre>
+
/dev/sdc:
+
max sectors  = 586070255/586072368, HPA is enabled
+
</pre>
+
 
+
'''DCO'''
+
 
+
Command:
+
 
+
<pre># hdparm --dco-identify /dev/sda</pre>
+
 
+
Example output:
+
<pre>
+
/dev/sda:
+
DCO Revision: 0x0001
+
The following features can be selectively disabled via DCO:
+
Transfer modes:
+
mdma0 mdma1 mdma2
+
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
+
Real max sectors: 1465149168
+
ATA command/feature sets:
+
SMART self_test error_log security HPA 48_bit
+
(?): selective_test conveyance_test write_read_verify
+
(?): WRITE_UNC_EXT
+
SATA command/feature sets:
+
(?): NCQ SSP
+
</pre>
+
 
+
== Removing HPA ==
+
 
+
=== Linux ===
+
 
+
==== Using hdparm ====
+
Command:
+
 
+
<pre># hdparm -N p586072368 /dev/sdc</pre>
+
 
+
('''permanently''' (!) set max visible number of sectors, see example above)
+
 
+
 
+
 
+
== Other Tools ==
+
* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.
+
 
+
* [http://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml SAFE-Block], claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
+
 
+
* [http://hddguru.com/content/en/software/2007.07.20-HDD-Capacity-Restore-Tool/ HDD Capacity Restore], a reportedly Free utility that removed the DCO (to give you more storage for your hard drive!)
+
 
+
* [http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf Tableau TD1] can remove the HPA and DCO.
+
 
+
* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
+
 
+
== References ==
+
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
+
 
+
* [http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Hidden Disk Areas: HPA and DCO], Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
+
 
+
* [http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt REMOVING HOST PROTECTED AREAS (HPA) IN LINUX], Brian Carrier, SleuthKit Informer #20
+

Latest revision as of 14:42, 2 November 2009

Checkpoint Disk Encryption, formerly known as Pointsec, aka End Point Encryption is a package for encrypting Windows PC disks. See the Checkpoint site for all current information.

Items of interest to Forensics people

- It comes in two flavors, boot password protect and Windows Pass-through. Boot protect means you're going to need the key. Windows pass-through means you can attack the OS to get to the underlying data (on a working copy, of course). Once you have an OS key, you can use a fresh copy to assemble evidence.

- Checkpoint(sec) does supply boot drivers that allow you to mount a pass-through volume inside a BartPE environment. Very useful. Drivers are available from Checkpoint.

--Digitaltrustllc 19:42, 2 November 2009 (UTC)