Host Protected Area
Encyclopedia
The host protected area, sometimes referred to as hidden protected area, is an area of a hard drive that is not normally visible to an operating system
(OS).
The IDE controller has registers
that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a hidden protected area. The commands are:
Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive.
This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.
The HPA is useful only if other software or firmware (e.g. BIOS
) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.
, there are a couple of ways to detect the existence of an HPA. The latest Linux versions will print a message when the system is booting. For example:
dmesg
| less
[...]
hdb: Host Protected Area detected.
current capacity is 12000 sectors (6 MB)
native capacity is 120103200 sectors (61492 MB)
With program hdparm
, version >= 8.0, where X is your drive letter:
For versions of hdparm < 8, one can compare the number of sectors output from 'hdparm
-I' with the number of sectors reported for the hard drive model's published statistics.
with version >=8.0 you can modify the HPA directly. Where ABC is the number of visible sectors and X is the drive letter:
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
(OS).
History
HPA was first introduced in the ATA-4 standard cxv (T13, 2001).How it works
The IDE controller has registers
Hardware register
In digital electronics, especially computing, a hardware register stores bits of information, in a way that all the bits can be written to or read out simultaneously.The hardware registers inside a central processing unit are called processor registers....
that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a hidden protected area. The commands are:
- IDENTIFY DEVICE
- SET MAX ADDRESS
- READ NATIVE MAX ADDRESS
Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive.
This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.
The HPA is useful only if other software or firmware (e.g. BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....
) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.
Use
- HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOSBIOSIn IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....
. An example of this implementation is the PhoenixPhoenix TechnologiesPhoenix Technologies Ltd designs, develops and supports core system software for personal computers and other computing devices. Phoenix's products — commonly referred to as BIOS or firmware — support and enable the compatibility, connectivity, security and management of the various components and...
FirstBIOS, which uses BEER (boot engineering extension record) and PARTIES (protected area run-time interface extension services). - Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).
- DellDellDell, Inc. is an American multinational information technology corporation based in 1 Dell Way, Round Rock, Texas, United States, that develops, sells and supports computers and related products and services. Bearing the name of its founder, Michael Dell, the company is one of the largest...
notebooks hide Dell MediaDirectDell MediaDirectDell MediaDirect is a software application that is published by Dell, Inc. and is pre-installed on the computers they sell. It attempts to provide DVD and CD playback and recent editions include features such as an address book and calendar. It is a custom version of CyberLink PowerCinema...
utility in HPA. IBMIBMInternational Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
and LGLGLG may refer to:*LG Corp., a South Korean electronics and petrochemicals conglomerate*LG Electronics, an affiliate of the South Korean LG Group which produces electronic products* Lawrence Graham, a London headquartered firm of business lawyers...
notebooks hide system restore software in HPA. - HPA is also used by various theft recovery and monitoring service vendors. For example the laptop security firm Computrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. HPA is useful to them because even when a stolen laptop has its hard drive formatted the HPA remains untouched.
- HPA can also be used to store data that is deemed illegal and is thus of interest to government and police computer forensicsComputer forensicsComputer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media...
teams. - Some vendor-specific external drive enclosures (Maxtor) are known to use HPA to limit the capacity of unknown replacement hard drives installed into the enclosure. When this occurs, the drive may appear to be limited in size (e.g. 128 GB), which can look like a BIOS or dynamic drive overlayDynamic Drive OverlayDynamic drive overlay is a software technique to extend a system BIOS that does not support logical block addressing to access drives larger than 504 MiB...
(DDO) problem. In this case, one must use software utilities (see below) that use READ NATIVE MAX ADDRESS and SET MAX ADDRESS to change the drive's reported size back to its native size, and avoid using the external enclosure again with the affected drive. - Some rootkitRootkitA rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
s hide in the HPA to avoid being detected by anti-rootkit and antivirus software.
Identification and manipulation
Identification of HPA on a hard drive can be achieved by a number of tools and methods.Identification tools
- The Sleuth KitThe Sleuth KitThe Sleuth Kit is a library and collection of Unix- and Windows-based tools and utilities to allow for the forensic analysis of computer systems. It was written and maintained by digital investigator Brian Carrier. TSK can be used to perform investigations and data extraction from images of...
(free, open software) by Brian Carrier. (HPA identification is currently Linux-only.) - The ATA Forensics Tool (TAFT) by Arne Vidstrom.
- EnCaseEnCaseEnCase is a computer forensics product produced by Guidance Software used to analyze digital media . The software is available to law enforcement agencies and corporations.EnCase includes tools for data acquisition, file recovery, indexing/search and file parsing...
by Guidance Software - Access Data's Forensic ToolkitForensic ToolkitForensic Toolkit, or FTK, is a computer forensics software made by AccessData. It scans a hard drive looking for various information. It can for example locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.The toolkit also includes a...
Identification methods
Using LinuxLinux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
, there are a couple of ways to detect the existence of an HPA. The latest Linux versions will print a message when the system is booting. For example:
dmesg
Dmesg
dmesg is a command on most Linux and Unix based operating systems that prints the message buffer of the kernel.-Booting:...
| less
Less (Unix)
less is a terminal pager program on Unix, Windows, and Unix-like systems used to view the contents of a text file one screen at a time. It is similar to more, but has the extended capability of allowing both forward and backward navigation through the file...
[...]
hdb: Host Protected Area detected.
current capacity is 12000 sectors (6 MB)
native capacity is 120103200 sectors (61492 MB)
With program hdparm
Hdparm
hdparm is a command line utility for the Linux and Windows operating systems to set and view ATA hard disk hardware parameters. It can set parameters such as drive caches, sleep mode, power management, acoustic management, and DMA settings....
, version >= 8.0, where X is your drive letter:
hdparmHdparmhdparm is a command line utility for the Linux and Windows operating systems to set and view ATA hard disk hardware parameters. It can set parameters such as drive caches, sleep mode, power management, acoustic management, and DMA settings....
-N /dev/sdXFor versions of hdparm < 8, one can compare the number of sectors output from 'hdparm
Hdparm
hdparm is a command line utility for the Linux and Windows operating systems to set and view ATA hard disk hardware parameters. It can set parameters such as drive caches, sleep mode, power management, acoustic management, and DMA settings....
-I' with the number of sectors reported for the hard drive model's published statistics.
Manipulation tools
Creating and manipulating HPA on a hard drive can be achieved by a number of tools.- HDAT2 by Lubomir Cabla.
- setmax by Andries E. Brouwer
- Feature Tool by Hitachi Global Storage Technologies.
- MHDD (created by Dmitry Postrigan) is a freewareFreewareFreeware is computer software that is available for use at no cost or for an optional fee, but usually with one or more restricted usage rights. Freeware is in contrast to commercial software, which is typically sold for profit, but might be distributed for a business or commercial purpose in the...
tool for hard drives that among other low-level functionalities provides information about the HPA state of a disk and can manipulate it. - hdparmHdparmhdparm is a command line utility for the Linux and Windows operating systems to set and view ATA hard disk hardware parameters. It can set parameters such as drive caches, sleep mode, power management, acoustic management, and DMA settings....
is a Linux program for reading and writing ATA and SATA hard drive parameters. - FreeBSD has the hw.ata.setmax sysctl which can be set to 1.
Manipulation methods
Using the Linux program hdparmHdparm
hdparm is a command line utility for the Linux and Windows operating systems to set and view ATA hard disk hardware parameters. It can set parameters such as drive caches, sleep mode, power management, acoustic management, and DMA settings....
with version >=8.0 you can modify the HPA directly. Where ABC is the number of visible sectors and X is the drive letter:
hdparm -NpABC /dev/sdX