Host Protected Area

from Wikipedia, the free encyclopedia

Host Protected Area (HPA), also known as Hidden Protected Area or ATA Protected Area, is a reserved area for storing data outside of the normal file system. This area is hidden from the file system and the operating system, and thus also from formatting and partitioning programs, and cannot be reached by them.

Uses

The main uses for HPA are system recovery and backup of configuration data. For example, the original content of a system installation can be stored in a protected area on the hard drive and copied back to the regular area of the hard drive when it is restored.

HPA is an optional hard drive feature defined in the ATA-4 standard and supported by most modern hard drives.

Using HPA, an HPA-capable hard drive can be manipulated in such a way that it appears smaller than it actually is. HPA makes it possible to hide an upper area of the hard drive.

HPA-relevant ATA commands

a) IDENTIFY_DEVICE

The ATA command IDENTIFY_DEVICE, which is usually called during the operating system's hardware detection, returns the capacity of a hard disk.

b) SET_MAX_ADDRESS

The ATA command SET_MAX_ADDRESS is used to make the hard disk appear smaller than it actually is. The command can be executed in either volatile or non-volatile mode. In non-volatile mode, the new maximum size is retained permanently, even after the hard drive has been switched off, while in volatile mode the size is changed only temporarily, i.e. until the next reset. The ATA command SET_MAX_ADDRESS tells the hard disk which capacity it should report in response to the IDENTIFY_DEVICE command.

c) READ_NATIVE_MAX_ADDRESS

The ATA command READ_NATIVE_MAX_ADDRESS always returns the highest sector address according to the factory setting, i.e. the actual size of the drive.

By comparing the outputs of the IDENTIFY_DEVICE and READ_NATIVE_MAX_ADDRESS commands, you can determine whether HPA is available or activated. If the two commands show different sizes, then the hard disk has been "reduced" at some earlier point with the SET_MAX_ADDRESS command.

The hard disk size can be reset to the factory setting by executing the SET_MAX_ADDRESS command again. The entire hard disk can then be accessed again, i.e. the hard disk has its full capacity again.

Computer forensics

The detection and evaluation of Host Protected Areas (HPA) is of great interest to law enforcement authorities, investigators and forensics experts.

On the one hand, the accused can deliberately hide areas of the hard drive and conceal data using the HPA. On the other hand, usable traces and evidence can be found in the "hidden" areas of the hard disk if the accused was not aware of the HPA or cannot modify it for technical reasons.

Manipulation and erasure of data carriers

The HPA can also be of great importance for the user, especially if he wants to erase the data on the hard disk entirely by overwriting it.

Current Linux kernels generally reset (deactivate) an HPA detected during booting so that the kernel (and thus the administrator) can access all sectors up to the native maximum address. For example:

...
hda: Host Protected Area detected.
        current capacity is 109170031 sectors (55895 MB)
        native  capacity is 117210240 sectors (60011 MB)
hda: Host Protected Area disabled.
hda: 117210240 sectors (60011 MB) w/7877KB Cache, CHS=65535/16/63, UDMA(100)
...

When the kernel resets the HPA, tools like the Unix dd command, which is often used to erase volumes by completely overwriting the hard disk with zeros or random numbers, can also overwrite the HPA. When using an older kernel, such as the one on the well-known Live CD DBAN (Version 1.0.4), the HPA is not erased; only the visible part of the hard disk is.
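
The check described above (reported capacity versus native capacity, and whether the kernel reset the HPA before a wipe) can be run over boot messages in the format quoted above. This is an added example, not part of the original article: the function name find_hpa, the 512-byte sector size and the second device (hdb) in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the IDE-driver messages quoted above, plus a second,
# made-up device (hdb) whose HPA the kernel did not reset.
SAMPLE_LOG = """\
hda: Host Protected Area detected.
        current capacity is 109170031 sectors (55895 MB)
        native  capacity is 117210240 sectors (60011 MB)
hda: Host Protected Area disabled.
hda: 117210240 sectors (60011 MB) w/7877KB Cache, CHS=65535/16/63, UDMA(100)
hdb: Host Protected Area detected.
        current capacity is 1000000 sectors (512 MB)
        native  capacity is 1200000 sectors (614 MB)
"""

SECTOR_BYTES = 512  # assumption; consistent with the MB figures in the log
DEV = re.compile(r"^(\w+): Host Protected Area (detected|disabled)\.")
CAP = re.compile(r"^\s+(current|native)\s+capacity is (\d+) sectors")

def find_hpa(log_text):
    """Return {device: report} for every device with an HPA message."""
    found, dev = {}, None
    for line in log_text.splitlines():
        m = DEV.match(line)
        if m:
            dev = m.group(1)
            entry = found.setdefault(dev, {"reset_by_kernel": False})
            if m.group(2) == "disabled":
                entry["reset_by_kernel"] = True
            continue
        m = CAP.match(line)
        if m and dev in found:
            found[dev][m.group(1)] = int(m.group(2))
    for entry in found.values():
        cur, nat = entry.get("current"), entry.get("native")
        if cur is not None and nat is not None and nat > cur:
            # LBAs cur .. nat-1 are invisible at the reported capacity
            entry["hidden_lba"] = (cur, nat - 1)
            entry["hidden_bytes"] = (nat - cur) * SECTOR_BYTES
    return found

if __name__ == "__main__":
    for dev, r in find_hpa(SAMPLE_LOG).items():
        state = "full disk reachable" if r["reset_by_kernel"] else "HPA still hidden"
        print(dev, r.get("hidden_lba"), r.get("hidden_bytes"), state)
```

A device reported with reset_by_kernel set to False is one where an overwrite of the visible disk would leave the listed LBA range untouched.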

See also

Device Configuration Overlay (DCO)
ATA Security Feature Set (ATA Security Mode Feature Set)
