Very interesting to say: Todays modern computing software programs that are
available or sold are use for forensic tools. Knowing this, I'm assuming they
could be re-engineer.
Example of hard drive forensic tools.
EnCase Portable
The Sleuth Kit Informer
http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt
http://www.sleuthkit.org/informer
http://sleuthkit.sourceforge.net/informer
File System Forensic Analysis
Hiding Data in Hard-Drive’s Service Areas
http://www.recover.co.il/SA-cover/SA-cover.pdf
http://www.vidstrom.net/stools/taft/
TAFT is an ATA (IDE) forensics tool that communicates directly with the ATA
controller. It can retrieve various information about a hard disk, as well as
look at and change the HPA and DCO settings.
HDD Guru http://hddguru.com/
Hidden Disk Areas: HPA and DCO
https://utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf
Device configuration overlay
https://en.wikipedia.org/wiki/Device_configuration_overlay\
Device configuration overlay (DCO) is a hidden area on many of today’s hard
disk drives (HDDs). Usually when information is stored in either the DCO or
host protected area (HPA), it is not accessible by the BIOS, OS, or the user.
However, certain tools can be used to modify the HPA or DCO. The system uses
the IDENTIFY_DEVICE command to determine the supported features of a given
hard drive, but the DCO can report to this command that supported features
are nonexistent or that the drive is smaller than it actually is. To
determine the actual size and features of a disk, the
DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command
can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present
on a given hard drive. Most major tools will remove the DCO in order to fully
image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This
permanently alters the disk, unlike with the Host Protected Area (HPA), which
can be temporarily removed for a power cycle
https://en.wikipedia.org/wiki/Host_protected_area
Host protected area
From Wikipedia, the free encyclopedia
The host protected area (also referred to as hidden protected area[1]) is an
area of a hard drive that is not normally visible to an operating system
(OS).