
Subject: RE: forensic imaging and the host protected area on ATA drives (was Two hash)
Date: Wed, 29 Dec 2004 16:25:08 -0500
Brian,

I am starting a new thread because this, while a very interesting topic
clearly is not related to the original poster's problem.

On the other hand, maybe the SETMAX command with the temporary flag has
never been used on the disk.  Maybe it was executed only with the
permanent flag and the temporary flag causes some sort of corruption that
makes it difficult to see even the non-HPA data without recovery
specialists. <

You lost me here.  Otherwise I agree whole-heartedly with your last post.  I
am more concerned about the following line from the ATA-7 spec:

"These commands are intended for use only by system BIOS or other low-level
boot time process. Using these commands outside BIOS controlled boot or
shutdown may result in damage to file systems on the device."

I assume that any "damage to file systems" would occur as a result of the
user addressable space occupied by the file systems being abruptly curtailed
but the spec doesn't exactly say that.

The prudent course of action is to image the drive as it comes to you and
then image the HPA.  But I don't see any need to re-image the entire drive
since the HPA is logically distinct from the user addressable bytes.

For the reason stated above it would be very poor design for a general use
operating system to ignore the HPA.

Regards,

George.   


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
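The "image the drive as it comes, then image the HPA" approach above rests on two numbers the drive reports: the user-addressable sector count from IDENTIFY DEVICE and the native maximum LBA from READ NATIVE MAX ADDRESS. The following Python is an added illustration, not code from this thread or from any imaging tool; it derives the HPA extent from those two values and lays out a two-range read plan that never issues SET MAX against the evidence drive. The sample IDENTIFY words and LBA values are constructed, and 512-byte logical sectors are assumed.

```python
# Added example: derive the host protected area (HPA) from ATA-reported values
# and plan a read-only image of the user area followed by the HPA.
from dataclasses import dataclass
from typing import List

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors


@dataclass(frozen=True)
class ImageRange:
    """One contiguous LBA range to acquire, in the order it should be read."""
    label: str
    first_lba: int
    sector_count: int

    @property
    def byte_length(self) -> int:
        return self.sector_count * SECTOR_BYTES


def user_sectors_from_identify(words: List[int]) -> int:
    """Total user-addressable sectors from a 256-word IDENTIFY DEVICE block.

    Word 83 bit 10 signals 48-bit addressing support; in that case the count
    lives in words 100-103, otherwise in words 60-61 (28-bit).
    """
    if len(words) != 256:
        raise ValueError("IDENTIFY DEVICE returns exactly 256 16-bit words")
    if words[83] & (1 << 10):
        return (words[100] | words[101] << 16
                | words[102] << 32 | words[103] << 48)
    return words[60] | words[61] << 16


def hpa_sectors(user_addressable_sectors: int, native_max_lba: int) -> int:
    """Sectors hidden behind the user area.

    user_addressable_sectors is a count; native_max_lba (from READ NATIVE MAX
    ADDRESS) is the highest addressable LBA, so the native capacity is
    native_max_lba + 1. A result of 0 means no HPA is configured.
    """
    if user_addressable_sectors < 1 or native_max_lba < 0:
        raise ValueError("implausible ATA values")
    hidden = native_max_lba + 1 - user_addressable_sectors
    if hidden < 0:
        raise ValueError("user area larger than native capacity; re-query the drive")
    return hidden


def imaging_plan(user_addressable_sectors: int, native_max_lba: int) -> List[ImageRange]:
    """User area first, HPA second; the two ranges never overlap."""
    plan = [ImageRange("user area", 0, user_addressable_sectors)]
    hidden = hpa_sectors(user_addressable_sectors, native_max_lba)
    if hidden:
        plan.append(ImageRange("host protected area", user_addressable_sectors, hidden))
    return plan


# Constructed sample: a 28-bit drive whose native capacity is 78,165,360
# sectors, with the user area clipped to 60,000,000 sectors (0x03938700).
SAMPLE_IDENTIFY = [0] * 256
SAMPLE_IDENTIFY[60] = 0x8700   # low word of the user-addressable sector count
SAMPLE_IDENTIFY[61] = 0x0393   # high word
SAMPLE_NATIVE_MAX_LBA = 78_165_359


if __name__ == "__main__":
    user = user_sectors_from_identify(SAMPLE_IDENTIFY)
    for r in imaging_plan(user, SAMPLE_NATIVE_MAX_LBA):
        print(f"{r.label:20s} LBA {r.first_lba:>10d} +{r.sector_count:>10d} "
              f"({r.byte_length} bytes)")
```

Reading the HPA as its own range after the user area means the first image stays valid if the HPA acquisition has to be repeated, which is the point made above about the two regions being logically distinct.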
