EasyManua.ls Logo

OPENTEXT Tableau Forensic TX1 - Disabling Drive Capacity Limiting Configurations; Volatile HPA Removal

OPENTEXT Tableau Forensic TX1
210 pages
Save Page as PDF
Print Icon
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
3.3.6 Disabling drive capacity limiting configurations
In the past, the most common method of intentionally limiting the reported capacity
of a drive was by using the ATA HPA (host protected area) or DCO (device
configuration overlay) feature sets. Starting with the ACS-3 (ATA/ATAPI Command
Set 3) specification update, the concept of Addressable Maximum Address (AMA)
was introduced. Newer drives may support this method of limiting the reported
drive capacity. TX1 supports all these methods with automated detection,
identification, and notification that will make dealing with them seamless and easy.
From a forensic point of view, it is valuable to know if HPA, DCO, or AMA are in
use. With that knowledge, the forensic practitioner can make an informed decision
about whether or not to acquire data in the hidden regions of the drive.
Note that these methods (HPA/DCO and AMA) are mutually exclusive. A drive that
supports HPA/DCO will not support AMA, and a drive that supports AMA will not
support HPA/DCO. Also, while HPA and DCO are related features for a given
drive, HPA has a unique attribute (volatile, or temporary, removal) that
distinguishes it from DCO and AMA. For that reason, this section will cover volatile
HPA removal as a separate topic before addressing non-volatile (permanent)
removal of HPA/DCO or AMA.
3.3.6.1 Volatile HPA removal
HPA can be disabled without making a permanent modification to the drive. This is
known as volatile, or temporary, removal of the HPA configuration. When a drive
that has had its HPA removed in this manner is removed from TX1 (or is otherwise
powered down) and then re-powered, it will always come back in its original state
(with the original HPA configured and enabled). Since this is a temporary drive
configuration change only (not a change to the data stored on the drive), TX1
automatically disables HPA on any drive connected to one of its source ports. Since
DCO and AMA settings can only be disabled on a permanent basis, TX1 does not
automatically disable them on connected source drives.
In the case of an automatic, volatile HPA removal from a connected source drive, the
TX1 user interface makes it obvious what has occurred, as shown in the following
screenshots.
Chapter 3 Configuring TX1
60
OpenText™ Tableau™ Forensic TX1 Imager
ISTX240300-UGD-EN-1

Table of Contents

Related product manuals