Advanced Technology Attachment Interface

Disks Interfaces

Protected areas

Host Protected Area (HPA).

• added with ATA-4.

• special area to store vendor data.

  • size can be zero bytes.

  • guaranteed persistence – it won’t be erased with a format.

• it is located at the end of the disk.

• requires reconfiguration of the disk to be accessible.

• it can be used to:

  • reduce the disk size for the old BIOS to recognize the drive.

  • to store diagnostic applications.

  • pre-loaded OS (e. g. dedicated buttons to web OS).

  • system recovery (e. g. IBM, LG, . . . ).

  • anti-theft tools.

  • but, it can also be used to hide illegal files.

  • some rootkits can hide themselves to avoid detection by anti-virus.

  • some NSA exploits are known to use HPA to guarantee persistence.

Create and check for HPA

Identify HPA

On Linux command line:

• at boot time -> dmesg | less

• by comparing size values -> hdparm -N /dev/sdX

• to create an HPA -> hdparm -N pZZZZZ /dev/sdX