The Host Protected Area is a section of a hard drive that is hidden from the operating system and thus the user. The HPA is often used by manufacturers to hide a maintenance and recovery system for the computer.
However, the HPA can also be used to hide data. If, for example, you make a forensic copy of a hard drive and do not check for an HPA, you might miss important data hidden by the user. Forgetting to check for the existence of an HPA could also be used to call into question your status as an expert.
In order to remove the HPA, an examiner must issue a command to the hard drive that resets the number of visible sectors. Because this process changes fundamental settings on the drive, the recommended approach is to first image the visible section of the hard drive, then reset the drive and image the HPA. That way, should the drive fail after the reset, you have still captured the user data.
To check for the existence of an HPA, you can use the disk_stat utility, which is part of Brian Carrier’s The Sleuth Kit (Informer Issue #20). The command on a Linux forensic workstation for a secondary hard drive would be:
# disk_stat /dev/hdb
Maximum Disk Sector: 120103199
Maximum User Sector: 118006047
** HPA Detected (Sectors 118006048 - 120103199) **
To reset the disk, you would issue the disk_sreset command:
# disk_sreset /dev/hdb
Removing HPA from 118006048 to 120103199 until next reset
Then, using the skip parameter on your dd flavor of choice (dd, dcfldd, dc3dd), you can skip over the non-HPA sectors and image only the HPA section.
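The last step is where arithmetic errors creep in, so here is the whole procedure tied together as an added shell example (not code from the article or from The Sleuth Kit): it parses the two "Maximum ... Sector" lines that disk_stat prints, derives the first hidden sector and the sector count, and builds the dd command that images only the HPA. The disk_stat output is a constructed sample using the figures quoted above; the device path /dev/hdb, the output file name and the 512-byte sector size are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article or of The Sleuth Kit.
# Derives dd parameters for imaging only the HPA from disk_stat output.

# Constructed sample of disk_stat output when an HPA is present
# (figures taken from the article's own example).
SAMPLE_DISK_STAT='Maximum Disk Sector: 120103199
Maximum User Sector: 118006047
** HPA Detected (Sectors 118006048 - 120103199) **'

# hpa_range: given disk_stat output in $1, print
# "<first hidden sector> <last sector on disk>".
# Returns 1 (prints nothing) when the two maxima match, i.e. no HPA,
# and 2 when the expected lines are missing from the output.
hpa_range() {
    max_disk=$(printf '%s\n' "$1" | sed -n 's/^Maximum Disk Sector: *\([0-9]*\).*/\1/p')
    max_user=$(printf '%s\n' "$1" | sed -n 's/^Maximum User Sector: *\([0-9]*\).*/\1/p')
    [ -n "$max_disk" ] && [ -n "$max_user" ] || return 2
    [ "$max_disk" -gt "$max_user" ] || return 1
    # The user-visible area is sectors 0..max_user, so the HPA starts at max_user + 1.
    echo "$((max_user + 1)) $max_disk"
}

# hpa_dd_command: build (but do not run) the dd invocation that reads only
# the hidden sectors. $1 = device, $2 = output image, $3 = disk_stat output.
# Assumes 512-byte sectors, which is what disk_stat's sector numbers count.
hpa_dd_command() {
    dev=$1
    out=$2
    range=$(hpa_range "$3") || return $?
    first=${range% *}
    last=${range#* }
    # Both ends of the reported range are inclusive.
    count=$((last - first + 1))
    # noerror keeps reading past bad sectors; sync pads them so offsets in the
    # image still line up with sector numbers on the drive.
    echo "dd if=$dev of=$out bs=512 skip=$first count=$count conv=noerror,sync"
}

# Typical use after disk_sreset has exposed the hidden sectors:
#   hpa_dd_command /dev/hdb hpa.dd "$(disk_stat /dev/hdb)"
hpa_dd_command /dev/hdb hpa.dd "$SAMPLE_DISK_STAT"
```

Run the script before disk_sreset to record the range, and again afterwards: once the HPA has been removed, disk_stat should report equal maxima and hpa_range returns 1, which confirms the reset took effect before you start the dd pass. Note that skip counts sectors that are already in your first image, so the two images together cover the drive without overlap.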
