Difference between pages "Fiwalk" and "DCO and HPA"

Revision as of 05:51, 27 July 2012

Device Configuration Overlay (DCO) and Host Protected Area (HPA).

Detection

Linux

Using hdparm

HPA

Command:

# hdparm -N /dev/sda

Disabled HPA:

/dev/sda:
 max sectors   = 1465149168/1465149168, HPA is disabled

Enabled HPA:

/dev/sdc:
 max sectors   = 586070255/586072368, HPA is enabled

DCO

Command:

# hdparm --dco-identify /dev/sda

Example output:

/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
	Transfer modes:
		 mdma0 mdma1 mdma2
		 udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
	Real max sectors: 1465149168
	ATA command/feature sets:
		 SMART self_test error_log security HPA 48_bit
		 (?): selective_test conveyance_test write_read_verify
		 (?): WRITE_UNC_EXT
	SATA command/feature sets:
		 (?): NCQ SSP

Removing HPA

Linux

Using hdparm

Command:

# hdparm -N p586072368 /dev/sdc

(permanently (!) set max visible number of sectors, see example above)

Other Tools

TAFT (The ATA Forensics Tool) claims the ability to look at and change the HPA and DCO settings.
SAFE-Block, claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
HDD Capacity Restore, a reportedly Free utility that removed the DCO (to give you more storage for your hard drive!)
Tableau TD1 can remove the HPA and DCO.
Blancco-Pro 4.5 reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.

External Links

Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4, Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
Hidden Disk Areas: HPA and DCO, Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
REMOVING HOST PROTECTED AREAS (HPA) IN LINUX, Brian Carrier, SleuthKit Informer #20
Wikipedia article on Device Configuration Overlay
Wikipedia article on Host Proteced Area

@@ Line 1: / Line 1: @@
-fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.
+Device Configuration Overlay (DCO) and Host Protected Area (HPA).
+== Detection ==
+=== Linux ===
+==== Using hdparm ====
+'''HPA'''
+Command:
+<pre># hdparm -N /dev/sda</pre>
+Disabled HPA:
-==XML Example==
 <pre>
-<?xml version='1.0' encoding='ISO-8859-1'?>
+/dev/sda:
-<fiwalk xmloutputversion='0.2'>
+ max sectors   = 1465149168/1465149168, HPA is disabled
-  <metadata
-  xmlns='http://example.org/myapp/'
-  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
-  xmlns:dc='http://purl.org/dc/elements/1.1/'>
-    <dc:type>Disk Image</dc:type>
-  </metadata>
-  <creator>
-    <program>fiwalk</program>
-    <version>0.5.7</version>
-    <os>Darwin</os>
-    <library name="tsk" version="3.0.1"></library>
-    <library name="afflib" version="3.5.2"></library>
-    <command_line>fiwalk -x /dev/disk2</command_line>
-  </creator>
-  <source>
-    <imagefile>/dev/disk2</imagefile>
-  </source>
-<!-- fs start: 512 -->
-   <volume offset='512'>
-    <Partition_Offset>512</Partition_Offset>
-    <block_size>512</block_size>
-    <ftype>2</ftype>
-    <ftype_str>fat12</ftype_str>
-    <block_count>5062</block_count>
-    <first_block>0</first_block>
-    <last_block>5061</last_block>
-    <fileobject>
-      <filename>README.txt</filename>
-      <id>2</id>
-      <filesize>43</filesize>
-      <partition>1</partition>
-      <alloc>1</alloc>
-      <used>1</used>
-      <inode>6</inode>
-      <type>1</type>
-      <mode>511</mode>
-      <nlink>1</nlink>
-      <uid>0</uid>
-      <gid>0</gid>
-      <mtime>1258916904</mtime>
-      <atime>1258876800</atime>
-      <crtime>1258916900</crtime>
-      <byte_runs>
-       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
-      </byte_runs>
-      <md5>2bbe5c3b554b14ff710a0a2e77ce8c4d</md5>
-      <sha1>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</sha1>
-    </fileobject>
-  </volume>
-<!-- end of volume -->
-<!-- clock: 0 -->
-  <runstats>
-    <user_seconds>0</user_seconds>
-    <system_seconds>0</system_seconds>
-    <maxrss>1814528</maxrss>
-    <reclaims>546</reclaims>
-    <faults>1</faults>
-    <swaps>0</swaps>
-    <inputs>56</inputs>
-    <outputs>0</outputs>
-    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
-  </runstats>
-</fiwalk>
 </pre>
+Enabled HPA:
+<pre>
+/dev/sdc:
+ max sectors   = 586070255/586072368, HPA is enabled
+</pre>
+'''DCO'''
+Command:
+<pre># hdparm --dco-identify /dev/sda</pre>
+Example output:
+<pre>
+/dev/sda:
+DCO Revision: 0x0001
+The following features can be selectively disabled via DCO:
+	Transfer modes:
+		 mdma0 mdma1 mdma2
+		 udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
+	Real max sectors: 1465149168
+	ATA command/feature sets:
+		 SMART self_test error_log security HPA 48_bit
+		 (?): selective_test conveyance_test write_read_verify
+		 (?): WRITE_UNC_EXT
+	SATA command/feature sets:
+		 (?): NCQ SSP
+</pre>
+== Removing HPA ==
+=== Linux ===
+==== Using hdparm ====
+Command:
-==XML Schema==
+<pre># hdparm -N p586072368 /dev/sdc</pre>
-{|
+('''permanently''' (!) set max visible number of sectors, see example above)
-|XML Tag
-|Meaning
-|
-|-
-|<fileobject>
-|Every file is inside a <fileobject>
-|-
-|<orphan>YES</orphan>
-|YES means that the file is an ""orphan,"" with no file name.
-|-
-|<filesize>3210</filesize>
-|The file size in bytes.
-|-
-|<unalloc>1</unalloc>
-|A "1" means that the file was not allocated in the file system. This may mean that the file was deleted.
-|-
-|<used>1</used>
-|Not sure what this means.
-|-
-|<mtime>1114172320</mtime>
-|The file's modification time, as a Unix timestamp (number of seconds since January 1, 1970).
-|-
-|<ctime>1195819392</ctime>
-|The file's inode's creation time, as a Unix timestamp.
-|-
-|<atime>1195794000</atime>
-|The file's access time, as a unix timestamp.
-|-
-|<byte_runs>121130496:3210</byte_runs>
-|The file's fragments. Each fragment is represented as the byte offset from the beginning of the disk image (the first byte is byte #0) and a number of bytes.
-|-
-|<fragments>1</fragments>
-|The number of fragments in the file.
-|-
-|<md5>c27c0730b858bc60c8894300a98bba55</md5>
-|The file's MD5, as a hexadecimal hash.
-|-
-|<sha1>0277680d624e609f23aec9e4265c2d7d24bd3824</sha1>
-|The file's SHA1, as a hexadecimal hash.
-|-
-|<partition>1</partition>
-|The partition number in which the file was found.
-|-
-|<frag1startsector>236583</frag1startsector>
-|The sector number of the first fragment. (Can be computed by taking the byte offset of the first byte run and dividing by the disk's sector size.)
-|}
-==See Also==
+== Other Tools ==
-* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]
+* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to look at and change the HPA and DCO settings.
+* [http://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml SAFE-Block], claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
+* [http://hddguru.com/content/en/software/2007.07.20-HDD-Capacity-Restore-Tool/ HDD Capacity Restore], a reportedly Free utility that removed the DCO (to give you more storage for your hard drive!)
+* [http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf Tableau TD1] can remove the HPA and DCO.
+* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
-[[Category:XML Forensics]]
+== External Links ==
+* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
+* [http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Hidden Disk Areas: HPA and DCO], Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
+* [http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt REMOVING HOST PROTECTED AREAS (HPA) IN LINUX], Brian Carrier, SleuthKit Informer #20
+* [http://en.wikipedia.org/wiki/Device_configuration_overlay Wikipedia article on Device Configuration Overlay]
+* [http://en.wikipedia.org/wiki/Host_protected_area Wikipedia article on Host Proteced Area]

Difference between pages "Fiwalk" and "DCO and HPA"

Revision as of 05:51, 27 July 2012

Contents

Detection

Linux

Using hdparm

Removing HPA

Linux

Using hdparm

Other Tools

External Links

Navigation menu

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox