Protected Area Run Time Interface Extension Services

The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system. It was first introduced in the ATA-4 standard CXV (T13) in 2001.


How it works

The IDE controller has registers that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a host protected area:

* IDENTIFY DEVICE
* SET MAX ADDRESS
* READ NATIVE MAX ADDRESS

Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive. This register, however, can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size, then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.

The HPA is useful only if other software or firmware (e.g. BIOS or UEFI) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.


Use

* At the time HPA was first implemented on hard-disk firmware, some BIOS had difficulty booting with large hard disks. An initial HPA could then be set (by some jumpers on the hard disk) to limit the number of cylinders to 4095 or 4096 so that the older BIOS would start. It was then the job of the bootloader to reset the HPA so that the operating system would see the full hard-disk storage space.
* HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS. An example of this implementation is the Phoenix FirstBIOS, which uses Boot Engineering Extension Record (BEER) and Protected Area Run Time Interface Extension Services (PARTIES). Another example is the Gujin installer, which can install the bootloader in BEER, naming that pseudo-partition /dev/hda0 or /dev/sdb0; then only cold boots (from power-down) will succeed, because warm boots (from Control-Alt-Delete) will not be able to read the HPA.
* Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).
* Dell notebooks hide the Dell MediaDirect utility in the HPA. IBM ThinkPad and LG notebooks hide system restore software in the HPA.
* HPA is also used by various theft recovery and monitoring service vendors. For example, the laptop security firm CompuTrace uses the HPA to load software that reports to their servers whenever the machine is booted on a network. The HPA is useful to them because even when a stolen laptop has its hard drive formatted, the HPA remains untouched.
* HPA can also be used to store data that is deemed illegal and is thus of interest to government and police computer forensics teams.
* Some vendor-specific external drive enclosures (e.g. Maxtor, owned by Seagate since 2006) are known to use HPA to limit the capacity of unknown replacement hard drives installed into the enclosure. When this occurs, the drive may appear to be limited in size (e.g. 128 GB), which can look like a BIOS or dynamic drive overlay (DDO) problem. In this case, one must use software utilities (see below) that use READ NATIVE MAX ADDRESS and SET MAX ADDRESS to change the drive's reported size back to its native size, and avoid using the external enclosure again with the affected drive.
* Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software.
* Some NSA exploits use the HPA for application persistence.


Identification and manipulation

Identification of HPA on a hard drive can be achieved by a number of tools and methods. Note that the HPA feature can be hidden by DCO commands (documentation states only if the HPA is not in use), and can be "frozen" (until next power-down of the hard disk) or be password protected.


Identification tools

* ATATool by Data Synergy
* The Sleuth Kit (free, open software) by Brian Carrier (HPA identification is currently Linux-only.)
* EnCase by Guidance Software
* Forensic Toolkit by Access Data


Identification methods

The Windows program ATATool can detect an HPA. For instance, to see if the first disk has an HPA, use the command:

    ATATOOL /INFO \\.\PhysicalDrive0

Using Linux, there are various ways to detect the existence of an HPA. Recent versions of Linux will print a message when the system is booting if an HPA is detected. For example:

    dmesg | less
    ...
    hdb: Host Protected Area detected.
    current capacity is 12000 sectors (6 MB)
    native capacity is 120103200 sectors (61492 MB)

The program hdparm (versions 8.0 and above) will detect an HPA on drive sdX when invoked with these parameters:

    hdparm -N /dev/sdX

For versions of hdparm below 8, one can compare the number of sectors output from 'hdparm -I' with the number of sectors reported for the hard drive model's published statistics.


Manipulation methods

The Windows program ATATool can be used to create an HPA. For instance, to create a 10GB HPA:

    ATATOOL /NONVOLATILEHPA /SETHPA:10GB \\.\PhysicalDrive1

The Linux program hdparm (version >= 8.0) will create an HPA when invoked with these parameters (sdX: target drive, #: number of non-HPA visible sectors):

    hdparm -N p# /dev/sdX
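The following is an added example (not code from the original page, hdparm or ATATool) that ties the identification and manipulation sections together: it parses the 'hdparm -N' and dmesg output formats shown above, cross-checks the two register values (IDENTIFY DEVICE versus READ NATIVE MAX ADDRESS), reports how many sectors an HPA hides, and computes the '#' argument for 'hdparm -N p#' needed to leave a given HPA size hidden. The sample outputs are constructed, a 512-byte sector and decimal GB/MB are assumed, and the function names are the author's own.

```python
import re

SECTOR_BYTES = 512  # assumed logical sector size; confirm with IDENTIFY DEVICE on a real drive

# Constructed sample output, not captured from a real drive: the format of
# "hdparm -N" and of the kernel's dmesg message, using the sector counts quoted above.
HDPARM_N_OUTPUT = """/dev/sdb:
 max sectors   = 12000/120103200, HPA is enabled
"""
DMESG_LINES = """hdb: Host Protected Area detected.
 current capacity is 12000 sectors (6 MB)
 native capacity is 120103200 sectors (61492 MB)
"""


def parse_hdparm_n(text):
    """Return (current_max, native_max, hpa_enabled) from 'hdparm -N' output.

    current_max is the IDENTIFY DEVICE value; native_max is the READ NATIVE MAX ADDRESS value.
    """
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)", text)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm output")
    return int(m.group(1)), int(m.group(2)), m.group(3) == "enabled"


def parse_dmesg(text):
    """Return (current, native) sector counts from the kernel's HPA boot message."""
    cur = re.search(r"current capacity is (\d+) sectors", text)
    nat = re.search(r"native capacity is (\d+) sectors", text)
    if not (cur and nat):
        raise ValueError("no HPA message in dmesg output")
    return int(cur.group(1)), int(nat.group(1))


def hpa_report(current, native):
    """Sectors hidden by the HPA and their size in decimal MB (the unit dmesg prints)."""
    if current > native:
        raise ValueError("IDENTIFY DEVICE value exceeds native max: inconsistent drive data")
    hidden = native - current
    return hidden, hidden * SECTOR_BYTES // 1_000_000


def visible_sectors_for_hpa(native, hpa_bytes):
    """Compute '#' for 'hdparm -N p#': sectors left visible so that hpa_bytes stay hidden."""
    hpa_sectors = -(-hpa_bytes // SECTOR_BYTES)  # round up to whole sectors
    if hpa_sectors <= 0 or hpa_sectors >= native:
        raise ValueError("HPA must be larger than zero and smaller than the native capacity")
    return native - hpa_sectors


if __name__ == "__main__":
    cur, nat, enabled = parse_hdparm_n(HDPARM_N_OUTPUT)
    assert (cur, nat) == parse_dmesg(DMESG_LINES)  # both tools report the same two registers
    print("HPA enabled:", enabled, "hidden (sectors, MB):", hpa_report(cur, nat))
    print("hdparm -N p# for a 10 GB HPA:", visible_sectors_for_hpa(nat, 10_000_000_000))
```

A drive reporting current == native has no HPA, so hpa_report returns (0, 0); a current value above native is not a valid drive state and is rejected rather than silently reported as a negative area.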


See also

* Device Configuration Overlay (DCO)
* GUID Partition Table (GPT)
* Master boot record (MBR)




External links

* The Sleuth Kit
* International Journal of Digital Evidence
* Dublin City University Security & Forensics wiki
* Wiki Web For ThinkPad Users