When you image data from a drive involved in an investigation case, and the target drive will be holding a 1:1 clone of evidence data, in many cases it is critical that the target drive’s capacity is identical to that of the source drive. Should there be a difference in size between the source and the target devices, their hashes will be different too.
However, if your SATA target drive has a larger capacity, you can limit its size to that of the source drive using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools as well as the end user.
To do that:
- Go to Imaging category of the left-side menu and click Create New Session link
- In Preset line click the Show settings link.
- In Miscellaneous tab tick the box next to Limit target disk size to source size using HPA (SATA target ports only) option.
You can now proceed with the Imaging process by clicking Start Imaging button.
When Imaging is complete, you will see that target disk port now contains an HPA indicator, thus informing you that HPA has been enabled on this drive. There will also be a report created in the Case History.
This report will contain information about the time when HPA was enabled, a detailed device description and how this action was initiated. It will also indicate the initial max address as well as the current one.
Now you can calculate hashes on both disks to make sure they are identical.
Please note that enabling HPA is an option available only for SATA target drives.
- RAID 10 configuration autodetection and imaging - October 20, 2021
- XFS, RAID 10 and new imaging features. TaskForce 2021.8 is here! - September 8, 2021
- Imaging and hot plug of NVMe drives with DiskSense 2 - August 19, 2021