Difference between revisions of "DCO and HPA"

From ForensicsWiki
m (Tools)
(expanded)
Line 1: Line 1:
==Tools==
+
== Detection ==
 +
 
 +
=== Linux ===
 +
 
 +
==== Using hdparm ====
 +
 
 +
'''HPA'''
 +
 
 +
Command:
 +
 
 +
<pre># hdparm -N /dev/sda</pre>
 +
 
 +
Disabled HPA:
 +
 
 +
<pre>
 +
/dev/sda:
 +
max sectors  = 1465149168/1465149168, HPA is disabled
 +
</pre>
 +
 
 +
Enabled HPA:
 +
<pre>
 +
/dev/sdc:
 +
max sectors  = 586070255/586072368, HPA is enabled
 +
</pre>
 +
 
 +
'''DCO'''
 +
 
 +
Command:
 +
 
 +
<pre># hdparm --dco-identify /dev/sda</pre>
 +
 
 +
Example output:
 +
<pre>
 +
/dev/sda:
 +
DCO Revision: 0x0001
 +
The following features can be selectively disabled via DCO:
 +
Transfer modes:
 +
mdma0 mdma1 mdma2
 +
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
 +
Real max sectors: 1465149168
 +
ATA command/feature sets:
 +
SMART self_test error_log security HPA 48_bit
 +
(?): selective_test conveyance_test write_read_verify
 +
(?): WRITE_UNC_EXT
 +
SATA command/feature sets:
 +
(?): NCQ SSP
 +
</pre>
 +
 
 +
== Removing HPA ==
 +
 
 +
=== Linux ===
 +
 
 +
==== Using hdparm ====
 +
Command:
 +
 
 +
<pre># hdparm -N p586072368 /dev/sdc</pre>
 +
 
 +
(set max visible number of sectors, see example above)
 +
 
 +
== Other Tools ==
 
* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.
 
* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.
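Review bot: In the new "Removing HPA" section, the command `hdparm -N p586072368 /dev/sdc` carries a `p` prefix on the sector count that the parenthetical "(set max visible number of sectors, see example above)" never explains. Say what the prefix does and whether the new limit survives a power cycle, because a reader working on an evidence drive needs to know how lasting the change is before running it. It would also help to state that 586072368 is the second number from the "Enabled HPA" output for /dev/sdc, rather than leaving "see example above" to imply it. The section sits under a page titled "DCO and HPA" and the Detection section covers both, yet only HPA removal is documented; either add the DCO counterpart or note that it is intentionally omitted.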
  
Line 10: Line 69:
 
* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
 
* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
  
==References==
+
== References ==
 
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275  
 
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275  
  

Revision as of 16:07, 26 December 2008

Detection

Linux

Using hdparm

HPA

Command:

# hdparm -N /dev/sda

Disabled HPA:

/dev/sda:
 max sectors   = 1465149168/1465149168, HPA is disabled

Enabled HPA:

/dev/sdc:
 max sectors   = 586070255/586072368, HPA is enabled

DCO

Command:

# hdparm --dco-identify /dev/sda

Example output:

/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
	Transfer modes:
		 mdma0 mdma1 mdma2
		 udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
	Real max sectors: 1465149168
	ATA command/feature sets:
		 SMART self_test error_log security HPA 48_bit
		 (?): selective_test conveyance_test write_read_verify
		 (?): WRITE_UNC_EXT
	SATA command/feature sets:
		 (?): NCQ SSP
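
The two detection outputs above can be compared to work out how many sectors each mechanism hides. This is an added example, not part of the original wiki page or of hdparm; it assumes both reports give sector counts in the same units (as the page's /dev/sda sample suggests), and the function names and the SDC_DCO sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: works on saved hdparm output only; sends nothing to the drive.
# Function and variable names are hypothetical.

# Print "visible native" sector counts from an `hdparm -N` report.
hpa_sectors() {
    printf '%s\n' "$1" |
        sed -n 's|.*max sectors *= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1 \2|p' |
        head -n 1
}

# Print the "Real max sectors" count from an `hdparm --dco-identify` report.
dco_real_max() {
    printf '%s\n' "$1" |
        sed -n 's|.*Real max sectors: *\([0-9][0-9]*\).*|\1|p' | head -n 1
}

# Report how many sectors each mechanism hides:
#   HPA hides (native - visible); DCO hides (real - native).
hidden_report() {
    pair=$(hpa_sectors "$1")
    visible=${pair% *}
    native=${pair#* }
    real=$(dco_real_max "$2")
    if [ -z "$pair" ] || [ -z "$real" ]; then
        echo "unparsed"
        return 1
    fi
    echo "hpa_hidden=$((native - visible)) dco_hidden=$((real - native))"
}

# Sample reports: the /dev/sda and /dev/sdc lines are the page's own output;
# SDC_DCO is a constructed value for illustration.
SDA_N='/dev/sda:
 max sectors   = 1465149168/1465149168, HPA is disabled'
SDA_DCO='DCO Revision: 0x0001
  Real max sectors: 1465149168'
SDC_N='/dev/sdc:
 max sectors   = 586070255/586072368, HPA is enabled'
SDC_DCO='  Real max sectors: 586074000'

echo "sda: $(hidden_report "$SDA_N" "$SDA_DCO")"
echo "sdc: $(hidden_report "$SDC_N" "$SDC_DCO")"
```

A non-zero `hpa_hidden` or `dco_hidden` means an image taken at the currently visible size would miss that many sectors.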

Removing HPA

Linux

Using hdparm

Command:

# hdparm -N p586072368 /dev/sdc

(sets the maximum visible number of sectors to the native maximum shown in the "Enabled HPA" example above)

Other Tools

  • SAFE-Block claims the ability to temporarily remove the HPA, remove the DCO, and later return the drive to its original state.
  • HDD Capacity Restore, reportedly a free utility that removes the DCO (to give you more storage for your hard drive!)
  • Blancco-Pro 4.5 reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.

References

  • Hidden Disk Areas: HPA and DCO, Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1