Hi,

While I'm not a forensic examiner, I've never come across these techniques being used in the wild to hide data. Given the lack of popularity perhaps there is a good chance that even an experienced examiner is going to miss a DCO/HPA hidden area. If the hidden area is significantly large then the discrepancy between the size of the disk and the size of a forensic image ought to be notable.
If you used HPA/DCO as well as altering or erasing the information written on the printed label on the disk case you would improve your chances of slipping under the radar. Take an 80GB disk, hide 20GB and print a label describing the disk as having 60GB capacity. I'm willing to bet that most examiners trust what's written on the disk case without verification.

Jim

2009/8/15 Adrian Crenshaw <[email protected]>
> Quick question about Host-Protected Areas and Disk Configuration Overlay.
> How useful is it for anti-forensics in your opinion? Some forensics tools
> can see it as I understand, and I'm not sure how someone can conveniently
> mount the area for copying data to and from. Opinions?
>
> Adrian
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
