
Subject: Re: forensic imaging and the host protected area on ATA drives (was Two hash)
Date: Wed, 29 Dec 2004 17:03:48 -0500
On Dec 29, 2004, at 4:25 PM, George M. Garner Jr. wrote:

>> On the other hand, maybe the SETMAX command with the temporary flag has
>> never been used on the disk. Maybe it was executed only with the
>> permanent flag and the temporary flag causes some sort of corruption that
>> makes it difficult to see even the non-HPA data without recovery
>> specialists.
>
> You lost me here.

Oops, I had a typo in there and meant to say "the temporary flag may have never been used on the disk" and not "has never been used". My point was that the acquisition process relies on the code in the acquisition tool, the code in the OS, and the code in the hard disk (and other hardware). An investigator can test his/her own acquisition OS and tools but he/she can't easily test the code in the suspect's hard disk before each acquisition. I trust that the read code in a hard disk works because the user had to use the code to read his data. I don't have the same trust in the HPA code because it currently isn't used much. Who knows if it has ever been used in the same way that the acquisition tool uses it? Therefore, I consider it safer to image the disk first and then remove the HPA in case the removal corrupts the disk.



> The prudent course of action is to image the drive as it comes to you and
> then image the HPA. But I don't see any need to re-image the entire drive
> since the HPA is logically distinct from the user addressable bytes.

Good point.

Does anyone know what the acquisition tools that support HPA do? Do they remove the HPA and give one big image file or do they give a separate image file for the HPA?

> For the reason stated above it would be very poor design for a general use
> operating system to ignore the HPA.

I agree.

brian
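An added illustration of the acquisition order discussed in this thread (not code from Brian, George or the list): image the user-addressable area as the drive arrives, raise the max address with a non-persistent SET MAX to expose the HPA, image the HPA as its own segment, then re-hash the user area to confirm the SET MAX did not disturb it. The ATA drive here is a constructed in-memory stand-in, and `SimulatedAtaDisk`, `image_range` and `acquire_with_hpa` are names invented for the example.

```python
import hashlib

SECTOR = 512

class SimulatedAtaDisk:
    """Constructed stand-in for an ATA drive, not real hardware access: reads are
    refused at or above max_lba; a non-persistent SET MAX ADDRESS can raise
    max_lba up to native_max_lba, exposing the HPA."""

    def __init__(self, user_sectors: int, hpa_sectors: int, seed: bytes):
        total = user_sectors + hpa_sectors
        # deterministic pseudo-random contents, 512 bytes per sector
        self._sectors = [hashlib.sha256(seed + i.to_bytes(4, "big")).digest() * (SECTOR // 32)
                         for i in range(total)]
        self.native_max_lba = total      # what READ NATIVE MAX ADDRESS reports
        self.max_lba = user_sectors      # what IDENTIFY DEVICE reports (HPA hidden)

    def read(self, lba: int) -> bytes:
        if lba >= self.max_lba:
            raise IOError(f"LBA {lba} is above the current max address")
        return self._sectors[lba]

    def set_max_address(self, new_max: int) -> None:
        # only ever raise the limit, and never beyond the native maximum
        if not self.max_lba <= new_max <= self.native_max_lba:
            raise ValueError("invalid max address")
        self.max_lba = new_max

def image_range(disk, first_lba: int, end_lba: int):
    """Read sectors [first_lba, end_lba) and return (image bytes, SHA-256 hex)."""
    h, data = hashlib.sha256(), bytearray()
    for lba in range(first_lba, end_lba):
        sector = disk.read(lba)
        data += sector
        h.update(sector)
    return bytes(data), h.hexdigest()

def acquire_with_hpa(disk):
    user_end = disk.max_lba
    has_hpa = disk.native_max_lba > user_end
    user_img, user_hash = image_range(disk, 0, user_end)   # image the drive as received
    hpa_img, hpa_hash = b"", None
    if has_hpa:
        disk.set_max_address(disk.native_max_lba)          # temporarily remove the HPA
        hpa_img, hpa_hash = image_range(disk, user_end, disk.native_max_lba)
        _, recheck = image_range(disk, 0, user_end)        # re-hash the user area
        if recheck != user_hash:
            raise RuntimeError("user-addressable area changed after HPA removal")
    return {"has_hpa": has_hpa, "user_image": user_img, "user_sha256": user_hash,
            "hpa_image": hpa_img, "hpa_sha256": hpa_hash}
```

The two hashes document the user area and the HPA as separate segments, so the whole drive need not be re-imaged after the HPA is exposed, while the re-check catches the corruption case Brian worries about.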


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

