Host protected area (HPA) and device configuration overlay (DCO) are special hidden areas. They were developed as a feature by hard drive manufacturers for secure storage of vendor utilities or to make a drive appear to have smaller capacity than the drive actually has. But for a while now, proficient users have known how to create and modify them, store data there, etc., by using open source tools. The ability to detect such areas on a drive and image the whole drive space, including HPA or DCO-protected parts, becomes critical for forensic examiners. Otherwise, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.
Once you plug a drive to TaskForce unit, its software sends a number of commands. In addition to the standard Identify device command, two other commands look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify. If there are DCO or HPA limitations on the drive, TaskForce will notify about these changes. An indication in red color will appear in the device menu.
To get more details about the restrictions applied to the drive’s firmware, run Diagnostics and see the Firmware section of the Diagnostics report.
The report contains three parameters indicating the drive’s Max Address according to different records in the drive’s firmware.
- The Max Address according to device ID line shows the max address from the ID sector, affected by both HPA and DCO restrictions if those are applied.
- Native Max Address indicates max address ignoring HPA limitation that may have been enabled, yet affected by DCO restriction.
- Max Address from DCO is the line that gives you the actual drive size.
A Diagnostics report of a drive that does not have HPA or DCO activated will have the same value in all three lines.
To disable HPA limitations applied to the drive’s firmware and get access to the hidden area, click on the Unclip HPA/DCO subcategory under Other category of the left-side menu and click on Unclip button.
NB Please note that the drive needs to be in the Target mode. Please disable Source switch on the port. Unclip HPA/DCO function implies making changes to the drive’s firmware, and that is impossible when the drive is in the Source mode and write-protection is on.
In a matter of seconds, Atola TaskForce lifts HPA and DCO, thus enabling access to the data on the whole drive space.
Lift HPA until power cycle
To ensure the forensically sound process, it can be necessary to avoid making any changes to the drive. Therefore it is prohibited to disable HPA and DCO restrictions and access data in the hidden areas. With Atola TaskForce it is possible to lift HPA restriction until the next power cycle. This helps avoid permanent changes to the drive.
- Click Imaging in the left-side Task Menu.
- Select the Source and the Target
- In a pop-up window suggesting you unclip the drive until power cycle, click Yes button.
This will allow temporary access to the data in HPA-protected area, but as soon as you power off or unplug the drive, the HPA will be back again.
NB If a drive freezes in the course of imaging TaskForce forcibly performs power cycles to continue imaging the drive. However, such power cycles will not affect the temporarily disabled HPA. TaskForce will be temporarily removing HPA max address restriction after each power cycle performed during imaging. The HPA-protected area will remain accessible throughout the imaging process.
- 2022 Year in Review - December 28, 2022
- Top digital forensics conferences in 2023 - December 19, 2022
- Q&A about Atola imagers at GPEC and Forensics Europe Expo - June 30, 2022
Director of Marketing Yulia believes that with a product that is exceptionally good at solving tasks of forensic experts, marketing is about explaining its capabilities to the users. Yulia regularly represents Atola at DFIR events, holds free workshops and webinars about Atola imagers functionality and advocates on the users' behalf to ensure that Atola keeps on adding value and raising the bar for the industry.