When you image data from an evidence drive, but the target drive is larger than that of the source, the hash values for the source and for the target drives will not be identical. This will happen even if there is no data in the remaining space of the target.

To avoid it, you can limit your SATA target drive’s capacity using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools or the end user. In TaskForce, it only takes one quick adjustment to the imaging settings:

  1. Click Image in the left-side task menu and select the source and the target
  2. In the Settings page click Change button.
  3. In Miscellaneous tab activate the Limit target disk size to source size using HPA (SATA target ports only) option.
Enabling HPA restriction for target

You can now proceed with the Imaging process by clicking Start button.

Before the imaging starts, TaskForce looks up the size of the evidence drive and limits the space of the target using HPA to make its capacity identical to that of the evidence drive.

When Imaging is complete, the report will contain information about the time when HPA was enabled.

Imaging report indicates the change to the target drive capacity

The target disk’s port in Devices menu now contains an HPA indicator, thus informing you that HPA has been enabled on this drive.

HPA indicator in the port of the Device menu

There will also be a report created in the case management system, which indicates the old (native) and the new (as set by HPA) max address.

Report about HPA activation

Now you can calculate hash on both drives to make sure the hash values are identical.

NB Enabling HPA is an option available only for SATA target drives.

To learn how to unclip HPA, read this article in our manual.