Very interesting to say: Today's modern computing software programs that are available or sold are used for forensic tools. Knowing this, I'm assuming they could be re-engineered.

Examples of hard drive forensic tools:

EnCase Portable

The Sleuth Kit Informer http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt
http://www.sleuthkit.org/informer
http://sleuthkit.sourceforge.net/informer


File System Forensic Analysis


Hiding Data in Hard-Drive’s Service Areas
http://www.recover.co.il/SA-cover/SA-cover.pdf

http://www.vidstrom.net/stools/taft/
TAFT is an ATA (IDE) forensics tool that communicates directly with the ATA controller. It can retrieve various information about a hard disk, as well as look at and change the HPA and DCO settings.

HDD Guru   http://hddguru.com/

Hidden Disk Areas: HPA and DCO
https://utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf

Device configuration overlay
https://en.wikipedia.org/wiki/Device_configuration_overlay

Device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike with the Host Protected Area (HPA), which can be temporarily removed for a power cycle.


https://en.wikipedia.org/wiki/Host_protected_area
Host protected area
The host protected area (also referred to as hidden protected area[1]) is an area of a hard drive that is not normally visible to an operating system (OS).






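The comparison described in the DCO paragraph above, as an added example that is not part of the original post: it parses raw 512-byte IDENTIFY_DEVICE and DEVICE_CONFIGURATION_IDENTIFY responses and reports how many sectors an HPA and a DCO hide. It assumes the responses were already captured by an acquisition tool, that word offsets follow the ATA specification, and that the native max LBA (from the READ NATIVE MAX ADDRESS command, which the post does not name) is supplied separately; all sample data is constructed.

```python
import struct

def words(block):
    """Split a 512-byte ATA data block into 256 little-endian 16-bit words."""
    if len(block) != 512:
        raise ValueError("ATA data block must be 512 bytes")
    return struct.unpack("<256H", block)

def u64(w, first):
    """Combine four consecutive words (least significant first)."""
    return w[first] | w[first + 1] << 16 | w[first + 2] << 32 | w[first + 3] << 48

def identify_sectors(block):
    """Sector count the drive advertises in IDENTIFY DEVICE."""
    w = words(block)
    if w[83] & (1 << 10):            # 48-bit Address feature set supported
        return u64(w, 100)           # words 100-103
    return w[60] | w[61] << 16       # words 60-61, 28-bit LBA

def dco_sectors(block):
    """Real capacity per DEVICE CONFIGURATION IDENTIFY (words 3-6 = max LBA)."""
    return u64(words(block), 3) + 1

def hidden_areas(identify, dco_identify, native_max_lba):
    """Sectors visible to the OS, hidden by an HPA, and hidden by a DCO."""
    user = identify_sectors(identify)
    native = native_max_lba + 1      # max LBA -> sector count
    real = dco_sectors(dco_identify)
    if not user <= native <= real:
        raise ValueError("inconsistent capacities; re-read the drive")
    return {"user": user, "hpa": native - user, "dco": real - native}

def make_block(values):
    """Build a constructed 512-byte block from {word_index: 16-bit value}."""
    w = [0] * 256
    for index, value in values.items():
        w[index] = value
    return struct.pack("<256H", *w)

# Constructed sample: 1,000,000-sector drive, DCO hides 2,048, HPA hides 4,096.
SAMPLE_IDENTIFY = make_block({83: 1 << 14 | 1 << 11 | 1 << 10,
                              100: 993856 & 0xFFFF, 101: 993856 >> 16})
SAMPLE_DCO = make_block({3: 999999 & 0xFFFF, 4: 999999 >> 16})
SAMPLE_NATIVE_MAX_LBA = 997951

if __name__ == "__main__":
    print(hidden_areas(SAMPLE_IDENTIFY, SAMPLE_DCO, SAMPLE_NATIVE_MAX_LBA))
```

A non-zero `hpa` or `dco` value means an image taken at the advertised size misses sectors, so the acquisition notes should record all three capacities before any setting on the drive is changed.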