PaulDotCom mailing list archives
Host-Protected Areas and Disk Configuration Overlay
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Mon, 17 Aug 2009 13:17:49 +0100
Hi,

While I'm not a forensic examiner I've never come across these techniques being used in the wild to hide data. Given the lack of popularity perhaps there is a good chance that even an experienced examiner is going to miss a DCO/HPA hidden area. If the hidden area is significantly large then the discrepancy between the size of the disk and the size of a forensic image ought to be notable.

If you used HPC/DCO as well as altering or erasing the information written on the printed label on the disk case you would improve your chances of slipping under the radar. Take an 80GB disk, hide 20GB and print a label describing the disk as having 60GB capacity. I'm willing to bet that most examiners trust what's written on the disk case without verification.

Jim

2009/8/15 Adrian Crenshaw <irongeek at irongeek.com>
Quick question about Host-Protected Areas and Disk Configuration Overlay. How useful is it for anti-forensics in your opinion? Some forensics tools can see it as I understand, and I'm not sure how someone can conveniently mount the area for copying data to and from. Opinions?

Adrian
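Added example, not part of the original thread: a check an examiner could run for the size discrepancy discussed above, comparing the drive's native capacity with its visible capacity, the acquired image size and the printed label. The `hdparm -N` output is a constructed sample matching the 80GB/20GB/60GB case in the message; the function names, the 512-byte sector size and the 1% label tolerance are assumptions.

```python
import re

SECTOR = 512  # assumed logical sector size in bytes

# Constructed sample of `hdparm -N /dev/sdX` output: 80 GB drive, 20 GB behind an HPA.
SAMPLE_HDPARM_N = """
/dev/sdb:
 max sectors   = 117187500/156250000, HPA is enabled
"""

def parse_hdparm_n(text):
    """Return (visible_sectors, native_sectors) from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line found")
    return int(m.group(1)), int(m.group(2))

def audit(hdparm_text, image_bytes, label_gb=None):
    """List discrepancies between native, visible, imaged and labelled size."""
    visible, native = parse_hdparm_n(hdparm_text)
    native_bytes = native * SECTOR
    findings = []
    hidden = (native - visible) * SECTOR
    if hidden > 0:
        findings.append(f"HPA hides {hidden} bytes from the host")
    short = native_bytes - image_bytes
    if short > 0:
        findings.append(f"image is {short} bytes short of native capacity")
    # The label is a claim, not evidence: flag a drive that reports more
    # than 1% above what the case says (decimal GB, as vendors print it).
    if label_gb is not None and native_bytes * 100 > label_gb * 10**9 * 101:
        findings.append(f"drive reports {native_bytes} bytes, label says {label_gb} GB")
    return findings

# Limitation: a DCO can lower the native value itself, so this only covers
# the HPA; the DCO has to be queried separately (hdparm --dco-identify).
if __name__ == "__main__":
    for line in audit(SAMPLE_HDPARM_N, image_bytes=60 * 10**9, label_gb=60):
        print(line)
```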
Current thread:
- Host-Protected Areas and Disk Configuration Overlay Adrian Crenshaw (Aug 15)
- Host-Protected Areas and Disk Configuration Overlay iamnowonmai (Aug 16)
- Host-Protected Areas and Disk Configuration Overlay Dave Hull (Aug 17)
- Host-Protected Areas and Disk Configuration Overlay Jim Halfpenny (Aug 17)
- Host-Protected Areas and Disk Configuration Overlay iamnowonmai (Aug 16)