Farmerdude, Greg,
Yes, all versions of ProDiscover include a device driver that allows
investigators to dynamically access and image the HPA from within
Windows. The network version can even do this on remote systems. One of
the key features of this capability is that unlike many int13 approaches
we no not permanently remove the HPA leaving only disk slack for an
investigator to analyze. We volatilly reset the max user accessible
sectors and scan for the file system contained in the HPA, which
coincidently can begin anywhere within the HPA.
On Tue, 2004-12-21 at 14:45, Greg Freemyer wrote:
I can't speak for Encase, nor do I know the specifics of this case,
but it is my belief that Win32 based imaging tools cannot
access the
HPA of any drive.
I believe this depends on how the tool operates. For
example, I thought TechPathways product can acquire the HPA?
(I don't remember for certain nor do I have Internet access
at the moment I type this so I cannot verify, but check into
this if you like.)
Regards,
Christopher L. T. Brown, CISSP
Technology Pathways LLC
Founder & CTO
clbrown@TechPathways.com
Phone: 619-435-0906 / 888-894-5500
http://www.TechPathways.com
This email message is for the sole use of the intended recipient[s] and
may contain privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by phone or reply email and destroy
all copies of the original message.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
