Host Protected Area

Host Protected Area

Host Protected Area, sometimes referred to as Hidden Protected Area [ [http://www.thinkwiki.org/wiki/Hidden_Protected_Area Hidden Protected Area - ThinkWiki ] ] , is an area of a hard drive that is not normally visible to an operating system(OS).

History

HPA was first introduced in the ATA-4 standard (T13, 2001). [ [https://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Host Protected Areas ] ]

How It Works

thumb|right|500px|Creation of an HPA.">

The diagram shows how a Host Protected Area (HPA) is created.

1. IDENTIFY DEVICE returns the true size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive.
2. SET MAX ADDRESS reduces the reported size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive. An HPA has been created.
3. IDENTIFY DEVICE returns the now fake size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive, the HPA is in existence.

The IDE controller has registers that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and utilizing a Hidden Protected Area. The commands are:

*IDENTIFY DEVICE
*SET MAX ADDRESS
*READ NATIVE MAX ADDRESS

Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive.

This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a Host Protected Area is created. It is protected because the OS will only work with the value in the register that is returned by the IDENTIFY DEVICE command and thus will never be able to address the parts of the drive that lie within the HPA.

The HPA is only useful if other software and or firmware (e.g. BIOS) is able to utilize it. Software and or firmware that are able to utilize the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area the controlling HPA aware program changes the value of the register read by IDENTIFY DEVICE with that found in the register read by READ NATIVE MAX ADDRESS, when its operations are complete the register read by IDENTIFY DEVICE is returned to its original fake value.

Use

*HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS. An example of this implementation is the Phoenix FirstBIOS, which utilizes BEER (Boot Engineering Extension Record) and PARTIES (Protected Area Run-Time Interface Extension Services).

*Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).

*Dell notebooks hide Dell Media Direct utility in HPA. IBM and LG notebooks hide system restore software in HPA.

*HPA is also used by various theft recovery and monitoring service vendors. For example the laptop security firm Computrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. HPA is useful to them because even when a stolen laptop has its hard drive formatted the HPA remains untouched.

*HPA can also be used to store data that is deemed illegal and is thus of interest to government and police computer forensics teams.

*Some vendor-specific external drive enclosures (Maxtor) are known to use HPA to limit the capacity of unknown replacement hard drives installed into the enclosure. When this occurs, the drive may appear to be limited in size (e.g. 128GB), which can look like a BIOS or Dynamic Drive Overlay (DDO) problem. In this case, one must use software utilities (see below) that use READ NATIVE MAX ADDRESS and SET MAX ADDRESS to change the drive's reported size back to its native size, and avoid using the external enclosure again with the affected drive.

*Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software.Fact|date=March 2008

Identification and manipulation

Identification of HPA on a hard drive can be achieved by a number of tools and methods.

Identification tools

*The Sleuth Kit by Brian Carrier.
*The ATA Forensics Tool (TAFT) [ [http://vidstrom.net/stools/taft/ vidstrom.net - security tools ] ] by Arne Vidstrom.
*EnCase by Guidance Software

Identification methods

Using Linux, there are a couple of ways to detect the existence of an HPA. The latest Linux versions will print a message when the system is booting. For example:

dmesg | less [...] hdb: Host Protected Area detected. current capacity is 12000 sectors (6 MB) native capacity is 120103200 sectors (61492 MB)

Another method involves comparing the number of sectors output from 'hdparm -I' with the number of sectors reported for the hard drive model's published statistics.

Manipulation tools

Creating and manipulating HPA on a hard drive can be achieved by a number of tools.
*HDAT2 [ [http://www.hdat2.com/ HDAT2/CBL Hard Disk Repair Utility ] ] by Lubomir Cabla.
*setmax [http://www.win.tue.nl/~aeb/linux/setmax.c] by Andries E. Brouwer
*DiscWizard Starter Edition [ [http://www.seagate.com/www/en-us/support/downloads/discwizard Seagate Technology - DiscWizard ] ] by Seagate Technologies.
*Feature Tool [ [http://www.hitachigst.com/hdd/support/download.htm Support - Downloads and Utilities ] ] by Hitachi Global Storage Technologies.
* [http://hddguru.com/content/en/software/2005.10.02-MHDD/ MHDD (created by Dmitry Postrigan)] is a free software tool for hard drives that among another low level utilities provides information about HPA state of a disk and can manipulate it.

ee also

*Device configuration overlay (DCO)

References

External links

* [http://www.sleuthkit.org/informer/sleuthkit-informer-17.html#hpa The Sleuth Kit]
* [https://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf International Journal of Digital Evidence]
* [http://polya.computing.dcu.ie/wiki/index.php/Using_ATA_commands_on_hard_disks_..._why_bother%3F Dublin City University Security & Forensics wiki]
* [http://www.thinkwiki.org/wiki/Hidden_Protected_Area Wiki Web For ThinkPad Users]


Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Host Protected Area — (HPA), auch bekannt als Hidden Protected Area oder ATA geschützter Bereich, ist ein reservierter Bereich für die Speicherung von Daten außerhalb des normalen Dateisystems. Dieser Bereich wird vor dem Dateisystem und dem Betriebssystem und somit… …   Deutsch Wikipedia

  • Host protected area — (HPA), иногда расшифровывают как hidden protected area[1] это область жесткого диска, которая не видна в операционной системе (ОС). Может быть выделена средствами BIOS некоторых материнских плат или специального программного обеспечения. В этой… …   Википедия

  • Protected areas of West Bengal — cover 4% of the state area.cite web url = http://www.indiainbusiness.nic.in/indian states/westbengal/General.htm title = West Bengal: General Information accessdate = 2006 08 25 work = India in Business publisher = Federation of Indian Chambers… …   Wikipedia

  • Protected areas of Tamil Nadu — Location map+|Tamil Nadu|width=300|float=right|caption=Protected areas of Tamil Nadu class= infobox bordered style= width: ; text align: center; font size: 40%; border:; places= Location map |Tamil Nadu|lat deg=13|lat min=.9|lon deg=80|lon min=14 …   Wikipedia

  • Area 51 — This article is about the U.S. Air Force installation in Nevada. For other uses, see Area 51 (disambiguation). Area 51 …   Wikipedia

  • Duxbury Reef State Marine Conservation Area — (SMCA) is a marine protected area located about 1 mile (2 km) west of Bolinas in Marin County on California’s north central coast. This marine protected area covers 0.66 square miles (1.7 km2). Duxbury Reef SMCA prohibits the take of all… …   Wikipedia

  • Driftless Area — Relief map showing primarily the Minnesota part of the Driftless Area. The wide diagonal river is the Upper Mississippi River. In this area, it forms the boundary between Minnesota and Wisconsin. The rivers entering the Mississippi from the west… …   Wikipedia

  • Red Rock Canyon National Conservation Area — This article is about the National Conservation Area in Nevada. For other uses, see Red Rock Canyon. Red Rock Canyon National Conservation Area in Nevada is a 198,000 acre (801 km²) area managed by the Bureau of Land Management as part of its… …   Wikipedia

  • Mockhorn Island Wildlife Management Area — is a protected area located in Northampton County, Virginia. Its two tracts, totaling over 7,000 acres (28 km2) in size, cover tidal marshland on two barrier islands along the Atlantic coast of the Eastern Shore of Virginia. Much of the… …   Wikipedia

  • Metamora-Hadley Recreation Area — Metamora Hadley State Recreation Area …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”