New
#61
Must agree to disagree with you on most of your post. Page 7 'top';
The ability to obfuscate evidence makes the HPA and DCO a concern for investigators. When imaging an HDD, the investigator must be aware that any HDD that supports ATA-6 and above can contain HPA and or DCO. However, if the HDD supports ATA-4 or 5, it only has the potential to contain HPA. Given that the majority of current HDDs support ATA-6 and above, it is extremely important for current forensics practitioners to be aware of the HPA and DCO and use appropriate tools.
'So', with that said, SATA drives are only different inasmuch as they are accessed with a serial interface (ATA-6 standard and above, I believe). I am still trying to learn some about AF SATA drives but so far it seems to me they are still ATA drives accessed serially but with much higher cluster sizes allowing much larger capacities. Drives with platters only differ in transfer speed, and the mechanism by which the data is transferred/processed from the computer bus to the platter through the drive interface. In this short research I find ( What is ATA-6? (with picture) ). I am fully aware platter HDD's will, and are, still available (and will be for years to come). I foresee (with MS and others going to remote locations for 'user' data) the slow conversion from user only storage, to this (sic) 'cloud' based storage. As of now, MS doesn't even recognize you owning the MS software, your only licensed to 'use' it. Gone long ago is the OS disk in your hands.
Why you chose to include a comment on "incriminating" (underlined, as if to imply nefarious intent or other) is beyond me. I stated MS and HDD manufacturers can, and probably do, access these hidden locations. What is stored there (remember access of IS possible, and was possible 10 years ago when the article was written) is any ones guess. I agree generally JQP cannot access this UNLESS they have the tools/access to read such 'information' either gathered, or stored. Just because I cannot demonstrate what is there, does not mean nothing IS being put there. I am sure this (minimum) 10 year old information, has been 'e x p a n d e d' in capability. I for one destroy any HDD that I have used before. One note comparable to this topic, people who are conned into 'donating' used cellphone/flipphones usually have no idea they are giving away a huge amount of their information/data to the 'totally unknown' people they are giving their phones to. I say be aware and err on a side of extreme caution! Especially on a piece of hardware that was in use for as long as it was wherever you visited/did with it.