beautypg.com

Using the forensic software utility – CRU Forensic UltraDock v4 User Manual

Page 7

background image

WiebeTech

F o r e n s i c U l t r a D o c k v 4 U s e r M a n u a l ( A 9 - 0 0 0 - 0 0 1 4 ) R E V 1 . 6

- 7 -

4. Using the Forensic Software Utility


Forensic Software Utility is a free software application designed for optional usage with your Forensic
UltraDock. The Forensic Software Utility allows you to configure the way Forensic UltraDock handles any
hidden areas found on attached drives (i.e. HPA and/or DCO), update the unit’s firmware, and capture
real-time info about both the write-blocker and the attached drive which can be saved to a log file.
Forensic Software Utility and its user’s manual are available for download from the WiebeTech website
(

http://www.wiebetech.com/software/Forensic_Software_Utility.php

).


4.1 HPA/DCO Mode Configuration
(Requires FireWire connection)


A Host Protected Area (HPA) and Device Configuration
Overlay (DCO) are reserved areas on a hard drive that
are not accessible by the BIOS or OS. Data can be
hidden behind an HPA or DCO, like a stage hidden
behind a curtain.

Your Forensic UltraDock will alert you to the presence of
any HPA or DCO by blinking an LED indicator. By
default, Forensic UltraDock will not remove HPAs or
DCOs. If you would like Forensic UltraDock to remove
HPAs or DCOs so you can view the data hidden behind
them, you may use the Forensic Software Utility select
your preferred mode of operation. There are four modes
from which to choose:

4.1.1 MODE #1: Leave them in place

This is Forensic UltraDock’s default setting. The HPA
and DCO areas will be left “as is” on the hard drive. This
is an “indication only” mode. Forensic UltraDock’s LED
indicator will blink to indicate the presence of hidden
areas, but no other action is taken.

4.1.2 MODE #2: Remove HPA temporarily but ignore DCO

This mode temporarily allows you to view information hidden by an HPA (to “see behind the curtain”)
without removing it. No permanent changes are made to the hard drive. When the hard drive is
disconnected from the write-blocker, the HPA remains in place. Any DCO is left untouched.

4.1.3 MODE #3: Remove HPA permanently but ignore DCO

This mode permanently removes any HPA, making the data behind it visible. When the hard drive is
disconnected from the write-blocker, the HPA is not reinstated. Any DCO is left untouched.

4.1.4 MODE #4: Permanently remove them both

Any HPA and/or DCO are permanently removed, making all of the data behind them visible. When the
drive is disconnected from the write-blocker, the HPA and DCO are not reinstated.

See also other documents in the category CRU Computer Accessories: