Download English ISI article No. 20281

Article title
Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4
Article code: 20281
Year of publication: 2005
Length of English article: 8 pages (PDF)

Source

Publisher: Elsevier - Science Direct

Journal : Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268–275

Keywords
Digital forensic tool testing, Forensic examination, Host Protected Area

Abstract

This paper explains some of the issues that prevent the easy detection of Host Protected Areas on IDE drives and discusses a variety of methods which may enable examiners to reveal what may be overlooked evidence. We consider some exploitation methods and include a brief examination of EnCase 5.01 image capture as an example.

Introduction

This paper will show that the examiner in the above scenario should have taken additional steps to check for hidden data on the hard disk drive. This paper explains possible potential causes of discrepancies between forensically sound images from the same drive by using hidden areas to store data in. Causes examined include BIOS limitations, enhanced BIOS limitations, ATA/ATAPI version limitations, Host Protected Areas (HPA) and Device Configuration Overlays (DCO). In an experiment using EnCase (version 5.01) to capture forensic images, the paper demonstrates how it is possible to use an HPA outside the manufacturer's intended use and hide files in it.

Conclusion

This paper provides evidence that it is possible to use an HPA as a storage area. However, some effort is required to accomplish this. If investigators are to identify the presence of an HPA on a device they may need to use multiple tools to confirm its existence rather than rely on a single tool. EnCase is a venerable tool used in the computer forensic industry, and continues to perform well. Now that commercial applications such as Phoenix Technologies' FirstWare Recover Pro have brought HPA into the spotlight, it is surely a matter of time before more tools are produced that detect the existence of HPA and take advantage of the hidden storage features offered.