Expert's Corner

Some utilities that perform backup, security or crash recovery operations will sometimes create a Host Protected Area on a hard drive.  The Host Protected Area, or HPA is designed to store data that cannot be accessed by the Operating System.  It is literally a “locked off” portion of the drive that cannot be seen by the Operating System, BIOS or even the hard drive itself.  Most HPA’s are less than 100MB in size.

Most hardware and software based data capturing systems are not able to detect a Host Protected Area and will ignore it.   Because of this, a savvy user could potentially hide suspect data inside the HPA.  Forensic SF-5000, MD-5 and Talon products are now capable of detecting a Host Protected Area, unlocking it and capturing the data within.  They do this automatically if an HPA is detected.  The final capture report will also state that a HPA was found and unlocked.

This means that when an SF-5000, MD-5 or Talon is used, the examiner knows for sure that their computer forensic analysis software can investigate all the data on the suspect drive. Because most data capturing protocols do not open the HPA, actionable evidence may go undetected. The method of capture is then of vital importance to computer forensic examiners. The hardware-based computer data capturing systems from Logicube ensure the most comprehensive investigation of potentially critical digital evidence.

Frank Vessels @ 16:29 | comments(7650) | Permanent link