World Library  
Flag as Inappropriate
Email this Article

Host protected area

Article Id: WHEBN0007450714
Reproduction Date:

Title: Host protected area  
Author: World Heritage Encyclopedia
Language: English
Subject: Beer (disambiguation), Information technology audit, AT Attachment, The Sleuth Kit, Blancco
Collection: At Attachment, Computer Forensics, Computer Security Procedures, Information Technology Audit
Publisher: World Heritage Encyclopedia
Publication
Date:
 

Host protected area

The host protected area (also referred to as hidden protected area[1]) is an area of a hard drive that is not normally visible to an operating system (OS).

Contents

  • History 1
  • How it works 2
  • Use 3
  • Identification and manipulation 4
    • Identification tools 4.1
    • Identification methods 4.2
    • Manipulation tools 4.3
    • Manipulation methods 4.4
  • See also 5
  • References 6
  • External links 7

History

HPA was first introduced in the ATA-4 standard cxv (T13, 2001).[2]

How it works

Creation of an HPA. The diagram shows how a host protected area (HPA) is created.
1. IDENTIFY DEVICE returns the true size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive.
2. SET MAX ADDRESS reduces the reported size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive. An HPA has been created.
3. IDENTIFY DEVICE returns the now fake size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive, the HPA is in existence.

The IDE controller has registers that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a hidden protected area. The commands are:

  • IDENTIFY DEVICE
  • SET MAX ADDRESS
  • READ NATIVE MAX ADDRESS

Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive.

This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.

The HPA is useful only if other software or firmware (e.g. BIOS) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.

Use

  • At the time HPA was first implemented on Hard Disk firmware, some BIOS had difficulty booting with large Hard Disks. An initial HPA could then be set (by some jumpers on the Hard Disk) to limit the number of cylinder to 4095 or 4096 so that older BIOS would start. It was then the job of the bootloader to reset the HPA so that the operating system would see the full Hard Disk storage space.
  • HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS. An example of this implementation is the Phoenix FirstBIOS, which uses BEER (Boot Engineering Extension Record) and PARTIES (Protected Area Run Time Interface Extension Services).[3] Another example is the Gujin installer which can install the bootloader in BEER, naming that pseudo-partition /dev/hda0 or /dev/sdb0; then only cold boots (from power-down) will succeed because warm boots (from Control-Alt-Delete) will not be able to read the HPA.
  • Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).
  • Dell notebooks hide Dell MediaDirect utility in HPA. IBM and LG notebooks hide system restore software in HPA.
  • HPA is also used by various theft recovery and monitoring service vendors. For example, the laptop security firm Computrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. HPA is useful to them because even when a stolen laptop has its hard drive formatted the HPA remains untouched.
  • HPA can also be used to store data that is deemed illegal and is thus of interest to government and police computer forensics teams.[4]
  • Some vendor-specific external drive enclosures (Maxtor) are known to use HPA to limit the capacity of unknown replacement hard drives installed into the enclosure. When this occurs, the drive may appear to be limited in size (e.g. 128 GB), which can look like a BIOS or dynamic drive overlay (DDO) problem. In this case, one must use software utilities (see below) that use READ NATIVE MAX ADDRESS and SET MAX ADDRESS to change the drive's reported size back to its native size, and avoid using the external enclosure again with the affected drive.
  • Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software.[3]
  • Some NSA exploits uses HPA[5] for application persistence.

Identification and manipulation

Identification of HPA on a hard drive can be achieved by a number of tools and methods.

Note that the HPA feature can be hidden by DCO commands (documentation states only if the HPA is not in use), and can be "frozen" (until next power-down of the hard disk) or be password protected.

Identification tools

  • The Sleuth Kit (free, open software) by Brian Carrier. (HPA identification is currently Linux-only.)
  • ATATool, by Data Synegy is a free Windows-based HPA tool
  • The ATA Forensics Tool (TAFT)[6] by Arne Vidstrom.
  • EnCase by Guidance Software
  • Access Data's Forensic Toolkit
  • X-Ways Forensics, by X-Ways Software Technology AG

Identification methods

Using Linux, there are various ways to detect the existence of an HPA. Recent versions of Linux will print a message when the system is booting if an HPA is detected. For example:

dmesg | less
[...]
hdb: Host Protected Area detected.
    current capacity is 12000 sectors (6 MB)
    native  capacity is 120103200 sectors (61492 MB)

The program hdparm (versions 8.0 and above) will detect an HPA on drive sdX when invoked with these parameters:

hdparm -N /dev/sdX

For versions of hdparm below 8, one can compare the number of sectors output from 'hdparm -I' with the number of sectors reported for the hard drive model's published statistics.

Manipulation tools

Creating and manipulating HPA on a hard drive can be achieved by a number of tools.

  • ATATool, by Data Synegy is a Windows-based HPA tool
  • HPARemove[7] by Aron Molnar.
  • HDAT2[8] by Lubomir Cabla.
  • setmax[9] by Andries E. Brouwer
  • Feature Tool[10] by Hitachi Global Storage Technologies.
  • MHDD (created by Dmitry Postrigan) is a freeware tool for hard drives that among other low-level functionalities provides information about the HPA state of a disk and can manipulate it.
  • hdparm is a Linux program for reading and writing ATA and SATA hard drive parameters.
  • FreeBSD has the hw.ata.setmax sysctl which can be set to 1.
  • The Gujin bootloader [11] will remove the HPA if some disk partition cross the HPA limit, and freeze HPA & DCO before running the operating system.

Manipulation methods

The Linux program hdparm (version >= 8.0) will create an HPA when invoked with these parameters: (sdX: target drive, #: number of non-HPA visible sectors)

hdparm -N p# /dev/sdX

See also

References

  1. ^ Hidden Protected Area - ThinkWiki
  2. ^ Host Protected Areas
  3. ^ a b Blunden, Bill. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. 1st ed. Jones & Bartlett Publishers, 2009 p.538
  4. ^ Nelson, Bill; Phillips, Amelia; Steuart, Christopher (2010). Guide to computer forensics and investigations (4th ed.). Boston: Course Technology, Cengage Learning. p. 334.  
  5. ^ https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html
  6. ^ vidstrom.net - security tools
  7. ^ http://www.itsecure.at/hparemove-v0-1/
  8. ^ HDAT2/CBL Hard Disk Repair Utility
  9. ^ http://www.win.tue.nl/~aeb/linux/setmax.c
  10. ^ Support - Downloads and Utilities
  11. ^ http://sourceforge.net/projects/gujin/

External links

  • The Sleuth Kit
  • International Journal of Digital Evidence
  • Dublin City University Security & Forensics wiki
  • Wiki Web For ThinkPad Users
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.