PaulDotCom mailing list archives

Host-Protected Areas and Disk Configuration Overlay


From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Mon, 17 Aug 2009 13:17:49 +0100

Hi,
While I'm not a forensic examiner, I've never come across these techniques
being used in the wild to hide data. Given the lack of popularity perhaps
there is a good chance that even an experienced examiner is going to miss a
DCO/HPA hidden area. If the hidden area is significantly large then the
discrepancy between the size of the disk and the size of a forensic image
ought to be notable.

If you used HPA/DCO as well as altering or erasing the information written
on the printed label on the disk case you would improve your chances of
slipping under the radar. Take an 80GB disk, hide 20GB and print a label
describing the disk as having 60GB capacity. I'm willing to bet that most
examiners trust what's written on the disk case without verification.

Jim

2009/8/15 Adrian Crenshaw <irongeek at irongeek.com>

Quick question about Host-Protected Areas and Disk Configuration Overlay.
How useful is it for anti-forensics in your opinion? Some forensics tools
can see it, as I understand, and I'm not sure how someone can conveniently
mount the area for copying data to and from. Opinions?

Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
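The size discrepancy Jim describes is the practical check: the sector count the OS (and therefore a forensic image) sees versus the drive's true maximum. The script below is an added example written for this archive page; it is not code posted by Jim, Adrian or PaulDotCom. It parses the output of hdparm -N (HPA: current vs. native max sectors) and hdparm --dco-identify (DCO: the "Real max sectors" the drive can expose) and reports how many sectors are unreachable. The two sample outputs embedded in it are constructed to match hdparm's print format so the script runs offline; the exact text hdparm prints on a given version and drive is an assumption, so check the regexes against your own output before trusting a verdict.

```shell
#!/bin/sh
# Added example (not from the original thread): flag an HPA/DCO discrepancy.
# On a live host, run against the raw device as root, never a partition:
#     hdparm -N /dev/sdX              # HPA: "max sectors = current/native"
#     hdparm --dco-identify /dev/sdX  # DCO: "Real max sectors: N"
#     blockdev --getsz /dev/sdX       # what the OS (and dd) actually sees
# Samples below are CONSTRUCTED in hdparm's format; they are not real drives.

# Case 1: HPA set, DCO untouched -> hdparm -N alone already shows it.
HPA_SAMPLE='/dev/sdb:
 max sectors   = 117210240/156301488, HPA is enabled'

# Case 2: DCO lowered the native max, so hdparm -N says "HPA is disabled"
# even though ~18 GiB is hidden; only the DCO query reveals the real size.
HPA_DCO_MASKED_SAMPLE='/dev/sdb:
 max sectors   = 117210240/117210240, HPA is disabled'

DCO_SAMPLE='DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
	Transfer modes:
		 mdma0 mdma1 mdma2
		 udma0 udma1 udma2 udma3 udma4 udma5
	Real max sectors: 156301488
	ATA command/feature:
		 security HPA 48-bit'

# parse_hpa: "hdparm -N" text on stdin -> prints "<current> <native>"
parse_hpa() {
    sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\),.*/\1 \2/p'
}

# parse_dco_real_max: "hdparm --dco-identify" text on stdin -> prints real max
parse_dco_real_max() {
    sed -n 's/.*Real max sectors: *\([0-9][0-9]*\).*/\1/p'
}

# hidden_sectors <visible> <true_max> -> sectors an image from the OS misses
hidden_sectors() {
    echo $(( $2 - $1 ))
}

# sectors_to_gib <sectors> -> whole GiB, assuming 512-byte sectors
sectors_to_gib() {
    echo $(( $1 / 2097152 ))
}

# audit <hdparm -N text> <hdparm --dco-identify text> -> one verdict line.
# The true maximum is the DCO "real" value when present, else the HPA native
# max; anything above the OS-visible count is space a plain image will lack.
audit() {
    hpa=$(printf '%s\n' "$1" | parse_hpa)
    visible=${hpa% *}
    native=${hpa#* }
    real=$(printf '%s\n' "$2" | parse_dco_real_max)
    if [ -z "$real" ]; then
        real=$native
    fi
    hidden=$(hidden_sectors "$visible" "$real")
    if [ "$hidden" -gt 0 ]; then
        echo "HIDDEN: OS sees $visible sectors, drive has $real;" \
             "$hidden sectors ($(sectors_to_gib "$hidden") GiB) not in a normal image"
    else
        echo "OK: OS sees the full $visible sectors"
    fi
}

# Demonstration on the constructed samples.
audit "$HPA_SAMPLE" "$DCO_SAMPLE"
audit "$HPA_DCO_MASKED_SAMPLE" "$DCO_SAMPLE"
audit "$HPA_DCO_MASKED_SAMPLE" ""
```

Two practical caveats for anyone using this on real evidence. First, a USB or FireWire bridge generally does not pass the ATA identify/DCO commands through, so run the queries with the drive on a native SATA/IDE controller behind a write-blocker that reports HPA and DCO. Second, hdparm can also change these settings (hdparm -N with a p prefix sets a new max persistently, hdparm --dco-restore resets the DCO), which alters the drive; for a forensic image you want a blocker or imager that reads the hidden range without rewriting the configuration, and you should record both the visible and the real sector counts in your notes either way.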
