When you image data from an evidence drive, but the target drive is larger than that of the source, the hash values for the source and for the target drives will not be identical. This will happen even if there is no data in the remaining space of the target.
To avoid it, you can limit your SATA target drive’s capacity using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools or the end user. In TaskForce, it only takes one quick adjustment to the imaging settings:
- Click Image in the left-side task menu and select the source and the target;
- In the Settings page click Change button;
- In Miscellaneous tab activate the Limit target disk size to source size using HPA (SATA target ports only) option.
You can now proceed with the Imaging process by clicking Start button.
Before the imaging starts, TaskForce looks up the size of the evidence drive and limits the space of the target using HPA to make its capacity identical to that of the evidence drive.
When Imaging is complete, the report will contain information about the time when HPA was enabled.
The target disk’s port in Devices menu now contains an HPA indicator, thus informing you that HPA has been enabled on this drive.
There will also be a report created in the case management system, which indicates the old (native) and the new (as set by HPA) max address.
Now you can calculate hash on both drives to make sure the hash values are identical.
NB Enabling HPA is an option available only for SATA target drives.
To learn how to unclip HPA, read this article in our manual.
Director of Marketing Yulia believes that with a product that is exceptionally good at solving tasks of forensic experts, marketing is about explaining its capabilities to the users. Yulia regularly represents Atola at DFIR events, holds free workshops and webinars about Atola imagers functionality and advocates on the users' behalf to ensure that Atola keeps on adding value and raising the bar for the industry.