Both HPA (host protected area) and DCO (device configuration overlay) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity). However, end users learned many years ago to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, this means that without the ability to identify such hidden areas of a drive and acquire a full physical image that includes the data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.
When you connect a hard drive to the DiskSense unit, in addition to the standard Identify device command, Atola Insight Forensic automatically sends two commands to look up the drive size as set in the drive’s firmware: Read native max address and Device configuration identify. If the drive size has been limited by DCO or HPA, Insight will draw attention to these changes by adding corresponding red indicators to the DiskSense Source Port.
To get more details about the modifications that have been made to the drive’s firmware, run Automatic Checkup and see the Firmware section of the Diagnostics report.
There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:
- The Max Address according to device ID line shows the max address from the ID sector, affected by both HPA and DCO restrictions if those are applied.
- Native Max Address indicates the max address ignoring any HPA limitation that may have been enabled, yet still affected by a DCO restriction.
- Max Address from DCO is the line that gives you the actual drive size.
A Diagnostics report of a drive that does not have HPA or DCO activated will have the same value in all three lines.
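The comparison of the three lines can be turned into a check on an acquired image. The following Python example is added here for illustration and is not part of Atola Insight Forensic or of the original article; the function names are hypothetical and it assumes 512-byte logical sectors. It derives the hidden LBA ranges from the three Max Address values and reports how many sectors an image of a given size cannot contain.

```python
from __future__ import annotations
from dataclasses import dataclass

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


@dataclass
class HiddenArea:
    name: str        # "HPA" or "DCO"
    first_lba: int
    last_lba: int

    @property
    def sectors(self) -> int:
        return self.last_lba - self.first_lba + 1


def hidden_areas(id_max: int, native_max: int, dco_max: int) -> list[HiddenArea]:
    """Derive hidden LBA ranges from the three Max Address lines of the report."""
    # Each restriction can only shrink the drive, so the values must be ordered.
    if not 0 <= id_max <= native_max <= dco_max:
        raise ValueError("inconsistent max addresses; re-read the drive")
    areas = []
    if native_max > id_max:    # HPA clips below the native max address
        areas.append(HiddenArea("HPA", id_max + 1, native_max))
    if dco_max > native_max:   # DCO clips the native max address itself
        areas.append(HiddenArea("DCO", native_max + 1, dco_max))
    return areas


def image_gap(image_bytes: int, dco_max: int) -> int:
    """Sectors of the physical drive that an image of this size cannot contain."""
    full = dco_max + 1         # a max address is the last LBA, so count = address + 1
    return max(0, full - image_bytes // SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed values, not taken from a real report.
    id_max, native_max, dco_max = 976_562_499, 976_773_167, 976_775_215
    for a in hidden_areas(id_max, native_max, dco_max):
        print(f"{a.name}: LBA {a.first_lba}-{a.last_lba} "
              f"({a.sectors} sectors, {a.sectors * SECTOR_SIZE} bytes)")
    clipped_image = (id_max + 1) * SECTOR_SIZE   # image taken without unclipping
    print("sectors missing from image:", image_gap(clipped_image, dco_max))
```

A non-zero result from image_gap means the image was taken while a restriction was still in place and does not cover the full physical drive.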
To disable any limitations that have been applied to the drive’s firmware, click the Unclip HPA/DCO subcategory under the Device Utilities category of the left-side menu and click the Unclip button.
Please note that the Write Protection switch needs to be disabled on the DiskSense unit to perform this operation, as Unclip HPA/DCO implies making changes to the drive’s firmware, and Write Protection will not allow such changes.
Atola Insight Forensic lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.
Lift HPA until power cycle
Often, due to internal procedures, forensic specialists are not allowed to make any changes to the drive, and therefore they cannot disable HPA and DCO restrictions and access data in the hidden areas. But with Atola Insight Forensic it is possible to lift the HPA limitation until the next power cycle, which helps avoid permanent changes to the drive.
To use this feature, go to the Host Protected Area subcategory of the Device Utilities category of the menu and click the Read HPA parameters link. By clicking the Set as current link you will automatically change the Current Max Address value to that of Native Max Address. Then tick the Change Max Address temporarily (until power cycle) checkbox and click the Change Max Address button.
This will allow access to the data in the area previously protected by HPA, yet as soon as you power off or detach the drive, the HPA will be in place again.
NB: If the drive contains damaged areas and Insight needs to perform power cycles during imaging, such power cycles will not affect the temporarily disabled HPA: Insight will temporarily remove the HPA max address restriction after each imaging-related power cycle, and the HPA will remain accessible throughout the imaging process.
For more information about imaging of freezing drives, please follow this link.