| Line 1: |
| − | Device Configuration Overlay (DCO) and Host Protected Area (HPA).
| + | Checkpoint Disk Encryption, formerly known as Pointsec, aka End Point Encryption is a package for encrypting Windows PC disks. See the Checkpoint site for all current information. |
| | | | |
| − | == Detection == | + | == Items of interest to Forensics people == |
| | + | - It comes in two flavors, boot password protect and Windows Pass-through. Boot protect means you're going to need the key. Windows pass-through means you can attack the OS to get to the underlying data (on a working copy, of course). Once you have an OS key, you can use a fresh copy to assemble evidence. |
| | | | |
| − | === Linux ===
| + | - Checkpoint(sec) does supply boot drivers that allow you to mount a pass-through volume inside a BartPE environment. Very useful. Drivers are available from Checkpoint. |
| | | | |
| − | ==== Using hdparm ====
| + | --[[User:Digitaltrustllc|Digitaltrustllc]] 19:42, 2 November 2009 (UTC) |
| − | | + | |
| − | '''HPA'''
| + | |
| − | | + | |
| − | Command:
| + | |
| − | | + | |
| − | <pre># hdparm -N /dev/sda</pre>
| + | |
| − | | + | |
| − | Disabled HPA:
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | /dev/sda:
| + | |
| − | max sectors = 1465149168/1465149168, HPA is disabled
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | Enabled HPA:
| + | |
| − | <pre>
| + | |
| − | /dev/sdc:
| + | |
| − | max sectors = 586070255/586072368, HPA is enabled
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | '''DCO'''
| + | |
| − | | + | |
| − | Command:
| + | |
| − | | + | |
| − | <pre># hdparm --dco-identify /dev/sda</pre>
| + | |
| − | | + | |
| − | Example output:
| + | |
| − | <pre>
| + | |
| − | /dev/sda:
| + | |
| − | DCO Revision: 0x0001
| + | |
| − | The following features can be selectively disabled via DCO:
| + | |
| − | Transfer modes:
| + | |
| − | mdma0 mdma1 mdma2
| + | |
| − | udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
| + | |
| − | Real max sectors: 1465149168
| + | |
| − | ATA command/feature sets:
| + | |
| − | SMART self_test error_log security HPA 48_bit
| + | |
| − | (?): selective_test conveyance_test write_read_verify
| + | |
| − | (?): WRITE_UNC_EXT
| + | |
| − | SATA command/feature sets:
| + | |
| − | (?): NCQ SSP
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | == Removing HPA ==
| + | |
| − | | + | |
| − | === Linux ===
| + | |
| − | | + | |
| − | ==== Using hdparm ====
| + | |
| − | Command:
| + | |
| − | | + | |
| − | <pre># hdparm -N p586072368 /dev/sdc</pre>
| + | |
| − | | + | |
| − | ('''permanently''' (!) set max visible number of sectors, see example above)
| + | |
| − | | + | |
| − | == Other Tools ==
| + | |
| − | * [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.
| + | |
| − | * [http://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml SAFE-Block], claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
| + | |
| − | * [http://hddguru.com/content/en/software/2007.07.20-HDD-Capacity-Restore-Tool/ HDD Capacity Restore], a reportedly Free utility that removed the DCO (to give you more storage for your hard drive!)
| + | |
| − | * [http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf Tableau TD1] can remove the HPA and DCO.
| + | |
| − | * [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
| + | |
| − | | + | |
| − | == External Links ==
| + | |
| − | * [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
| + | |
| − | * [http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Hidden Disk Areas: HPA and DCO], Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
| + | |
| − | * [http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt REMOVING HOST PROTECTED AREAS (HPA) IN LINUX], Brian Carrier, SleuthKit Informer #20
| + | |
| − | * [http://en.wikipedia.org/wiki/Device_configuration_overlay Wikipedia article on Device Configuration Overlay]
| + | |
| − | * [http://en.wikipedia.org/wiki/Host_protected_area Wikipedia article on Host Proteced Area]
| + | |
| − | * [http://www.recover.co.il/SA-cover/SA-cover.pdf Hiding Data in Hard-Drive’s Service Areas], by [[Ariel Berkman]], February 14, 2013
| + | |
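Review bot: this hunk deletes the whole Host Protected Area / Device Configuration Overlay article (the hdparm -N and --dco-identify detection examples, the "Removing HPA" section with its warning that `hdparm -N p…` permanently changes the visible sector count, the tool list and the external references) and replaces it with unrelated Check Point Disk Encryption text; the Check Point material belongs on its own page, and the HPA/DCO content should be restored unless its removal is justified in the edit summary. In the added text, "Checkpoint(sec)" reads as a slip for Check Point/Pointsec and "Pass-through" is capitalised inconsistently with "pass-through" in the next sentence; "two flavors, boot password protect and Windows Pass-through" would also be clearer as two named modes so readers can map them to the vendor's own terms.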
Checkpoint Disk Encryption, formerly known as Pointsec and also known as End Point Encryption, is a package for encrypting Windows PC disks. See the Checkpoint site for all current information.
- It comes in two flavors: boot password protect and Windows pass-through. Boot protect means you're going to need the key. Windows pass-through means you can attack the OS to get to the underlying data (on a working copy, of course). Once you have an OS key, you can use a fresh copy to assemble evidence.
- Checkpoint (Pointsec) does supply boot drivers that allow you to mount a pass-through volume inside a BartPE environment. Very useful. Drivers are available from Checkpoint.