PaulDotCom mailing list archives
Host-Protected Areas and Disk Configuration Overlay
From: dphull at trustedsignal.com (Dave Hull)
Date: Mon, 17 Aug 2009 07:36:33 -0500
I've never seen it used. Most examiners I know will image include the HPA (one way or another) during their imaging process. There are tools that will "reset" the HPA, thus getting rid of it, making the entire drive visible to imaging tools until the disk resets at the next reboot. On Sun, Aug 16, 2009 at 2:11 PM, iamnowonmai<iamnowonmai at gmail.com> wrote:
Hey Irongeek - I always thought it made sense to use it for such as you speculate, but I have never seen it used in the wild, and I don't know of anyone who has. Maybe someone else will chime in on it? On Sat, Aug 15, 2009 at 2:46 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:Quick question about Host-Protected Areas and Disk Configuration Overlay. How useful is it for anti-forensics in your opinion? Some forensics tools can see it as I understand , and I'm not sure how someone can conveniently mount the area for copying data to and from. Opinions? Adrian
Current thread:
- Host-Protected Areas and Disk Configuration Overlay Adrian Crenshaw (Aug 15)
- Host-Protected Areas and Disk Configuration Overlay iamnowonmai (Aug 16)
- Host-Protected Areas and Disk Configuration Overlay Dave Hull (Aug 17)
- Host-Protected Areas and Disk Configuration Overlay Jim Halfpenny (Aug 17)
- Host-Protected Areas and Disk Configuration Overlay iamnowonmai (Aug 16)