Advanced Technology Attachment Interface

Disks Interfaces

Protected areas

Host Protected Area (HPA).

  • added with ATA-4.

  • special area to store vendor data.

    • size can be zero bytes.

    • guaranteed persistence – it won’t be erased with a format.

  • it is located at the end of the disk.

  • requires reconfiguration of the disk to be accessible.

  • it can be used to:

    • reduce the reported disk size so that an old BIOS can recognize the drive.

    • store diagnostic applications.

    • hold a pre-loaded OS (e.g. a web OS started from dedicated buttons).

    • hold system recovery data (e.g. IBM, LG, ...).

    • anti-theft tools.

    • but it can also be used to hide illegal files.

    • some rootkits hide themselves there to avoid detection by anti-virus software.

    • some NSA exploits are known to use HPA to guarantee persistence.

Create and check for HPA

Identify HPA

On Linux command line:

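  • at boot time, in the kernel messages -> dmesg | less

  • by comparing size values -> hdparm -N /dev/sdX (prints the visible and the native max sector counts; an HPA is present when the visible count is smaller)

  • to create an HPA -> hdparm -N pZZZZZ /dev/sdX (ZZZZZ is the new visible max sector count; the p prefix makes the setting permanent)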
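
The two identification checks above can be scripted for triage of many drives. The following is an added example, not part of the original page: the function names and the sample lines are constructed, and the samples follow the usual "max sectors = visible/native" layout of hdparm -N and the libata "HPA detected" kernel message.

```shell
#!/bin/sh
# Added example: flag drives whose visible size is smaller than the native size.

# Read `hdparm -N` output on stdin and print "<device> <visible> <native> <hidden>"
# per drive. Exit status 0 if any drive hides sectors, 1 otherwise.
hpa_report() {
    awk '
        /^\/dev\// { dev = $1; sub(/:$/, "", dev) }   # "/dev/sdX:" header line
        /max sectors/ {
            split($0, kv, "=")                        # right side: visible/native, status
            split(kv[2], f, ",")
            split(f[1], n, "/")
            visible = n[1] + 0; native = n[2] + 0
            hidden = native - visible
            # %.0f keeps large sector counts intact on every awk implementation
            printf "%s %.0f %.0f %.0f\n", dev, visible, native, hidden
            if (hidden > 0) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Read kernel messages on stdin and print "<ata port> <current> <native>"
# for every drive the kernel reported an HPA on at boot.
hpa_from_dmesg() {
    sed -n 's/.*\(ata[0-9.]*\): HPA detected: current \([0-9]*\), native \([0-9]*\).*/\1 \2 \3/p'
}

# Constructed sample input (not captured from a real system).
SAMPLE_HDPARM='/dev/sdb:
 max sectors   = 586070255/586072368, HPA is enabled

/dev/sdc:
 max sectors   = 1953525168/1953525168, HPA is disabled'

SAMPLE_DMESG='[    1.912345] ata1.00: HPA detected: current 586070255, native 586072368
[    1.912400] ata1.00: ATA-8: CONSTRUCTED MODEL, 0001, max UDMA/133'

# Demo on the samples. On a live system (as root):
#   hdparm -N /dev/sdX | hpa_report ; dmesg | hpa_from_dmesg
printf '%s\n' "$SAMPLE_HDPARM" | hpa_report
printf '%s\n' "$SAMPLE_DMESG" | hpa_from_dmesg
```

A non-zero hidden count means the sectors past the visible maximum are not covered by an image taken at the current setting, so record both values before acquiring the drive.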
