The Host Protected Area (HPA) is a reserved area on a Hard Disk Drive (HDD). It was designed to store information in such a way that it cannot be easily modified, changed, or accessed by the user, BIOS, or the OS. This area can contain information ranging from HDD utilities, to diagnostic tools, as well as boot sector code. An additional hidden area on many of today’s HDDs is the Device Configuration Overlay (DCO). The DCO allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using the DCO to make an 80 Gigabyte HDD appear as a 60 Gigabyte HDD to both the OS and the BIOS.
Usually when information is stored in either the DCO or HPA area, it is not accessible by the BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators. An additional issue for forensic investigators is imaging the HDD that has the HPA and or DCO on it. While certain vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on the handling of the DCO or indicate that this is beyond the capabilities of their tool.
Due to the secretive nature of most HDD manufacturers, the HPA and DCO may not be familiar to some investigators. In order to rectify this situation, the next sections will describe the characteristics of both the HPA and the DCO in detail.
Host Protected Area (HPA)
The HPA was first introduced in the ATA-4 standard. The SET MAX ADDRESS command compartmentalizes the HDD into the user accessible and protected areas. The starting address of the protected area is the maximum user address + 1 sector. For example, if the maximum addressable user area is 2343 sectors in size, then the protected area starts from sector 2344. As mentioned, the HPA commonly contains diagnostic utilities, as well as the boot sector code; the exact content depends upon the manufacturer. For the purposes of this discussion, the description of how the HPA is organized will be restricted to drives using the Phoenix BIOS. According to the Protected Area Run-Time Interface Extension Services (PARTIES) document, the information about the HPA is contained in the Boot Engineering Extension Record (BEER). The BEER itself is a part of PARTIES and is a record that contains non-volatile configuration information about the HDD; it is stored at the native maximum address, which is the last sector on the HDD. The BEER also contains information about the user addressable sectors, the start of the reserved area, and the code for the boot area. The BEER has a header that is 128 bytes long, and immediately following the header is the directory of services with 64 bytes of information. It is here in the directory of services where the diagnostic utilities are stored.
As mentioned, the primary function of the HPA is to store diagnostic utilities as well as a boot record; this is useful when it is not possible to boot from the primary partition. One can use the SET MAX ADDRESS command to reset the HPA to the maximum user addressable sectors, and then boot from what was the HPA. If the volatile bit is also set then the HDD retains the new values on power up or reboot.
Any HDD that supports the HPA will also support the commands READ NATIVE MAX ADDRESS and SET MAX, as described in the working draft of the ATA-6 interface. In addition to the commands mentioned above, if the device supports HPA and 48-bit addressing, then the device will also support the two additional commands READ NATIVE MAX ADDRESS EXT and SET MAX ADDRESS EXT.
According to the ATA-6 working draft by T13 (2001), the device shall set the “10 bit of word 82 to indicate that the host protected feature set is supported” (p. 44). The use of the SET MAX ADDRESS or SET MAX ADDRESS EXT command is prohibited if the removable media feature set is implemented. The removable feature set, as described by Stephens (1997), prevents the loss of data by locking the HDD until completion of a cached write. The SET MAX ADDRESS or the SET MAX ADDRESS EXT command will always be preceded by the READ NATIVE MAX ADDRESS or the READ NATIVE MAX ADDRESS EXT commands. These are the two commands that are used to determine the original HDD capacity. After the SET MAX ADDRESS command has been issued, the HDD will indicate that a HPA has been configured. According to Landis (personal communication, May 27, 2005), “If bit 10 of word 85 is set to one, the Host Protected Area feature set is enabled.” The volatile bit in the sector count register specifies whether the new address set has to be preserved across power-on or hardware reset cycles. If the volatile bit is set to 0 then the drive will revert back to the last address that was set on the non-volatile SET MAX ADDRESS command. Any read or write access attempts to addresses greater than that specified by SET MAX ADDRESS or SET MAX ADDRESS EXT command will result in an ID Not Found Error (IDNF).
If the number of sectors on the HDD is greater than 268,435,455, then the HDD will support both 48-bit addressing and HPA (McLean, 2000a). In this case the SET MAX ADDRESS EXT command will be used to set and reset the HPA. The READ NATIVE MAX ADDRESS EXT command will return the HDD capacity. If the READ NATIVE MAX ADDRESS command is used, then the maximum capacity returned is 268,435,454. As mentioned above, the HPA can be set and removed using the SET MAX ADDRESS commands. If the HPA was configured using the SET MAX ADDRESS command, then it can be removed only using the SET MAX ADDRESS command and not the SET MAX ADDRESS EXT command. The reverse rule also applies to the SET MAX ADDRESS EXT command: if the SET MAX ADDRESS EXT command was used to configure the HPA, then SET MAX ADDRESS cannot be used to change the drive capacity again.
The output of the Identify Device command depends upon the prior SET MAX ADDRESS command issued. If only 28-bit addressing is supported, any change that is made by the SET MAX ADDRESS command will be indicated in words 60-61, and words 100-103 will contain 0. The value reported by words 60-61 gives the actual capacity of the hard disk. The Identify Device command is issued by the host to receive parameter information about the device (T13, 2001). Examples of information these parameters provide are the total number of sectors on the drive, the ATA standards the device supports, and whether the drive supports HPA / DCO or not. An HPA can also be detected by comparing the value in words 60-61 with the actual specification of the hard disk. It is also important to note that any HDD that supports 48-bit addressing also supports 28-bit addressing. If 48-bit addressing is also supported and the SET MAX ADDRESS EXT command was used with a number of sectors greater than 268,435,455, then the new capacity of the HDD will be indicated by words 100-103 and the value in words 60-61 will be 268,435,455. However, if the SET MAX ADDRESS command is used and the number of sectors is less than 268,435,455, then the drive capacity will be indicated in both words 60-61 and words 100-103. Any attempt to access the sectors beyond the values specified by the Identify Device command will result in an ID Not Found (IDNF) error.
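The detection logic described in the last three paragraphs (word 82 bit 10 and word 85 bit 10 for HPA support and enablement, words 60-61 versus words 100-103 for the user-addressable capacity, and the comparison of that capacity against what READ NATIVE MAX ADDRESS reports) can be written down as a small parser. The following is an added example, not code from the article or from any of the tools it mentions. It assumes the standard ATA bit positions word 83 bit 10 and word 86 bit 10 for 48-bit address support and enablement, which the article does not name, and it takes the native maximum LBA as a parameter rather than issuing the ATA command itself, since sending pass-through commands needs OS-specific ioctls. The IDENTIFY DEVICE buffer is constructed in the block; the sector counts for the 80 GB / 60 GB scenario are illustrative values.

```python
import struct

LBA28_LIMIT = 268_435_455  # largest sector count words 60-61 can carry (0x0FFFFFFF)


def word(ident: bytes, n: int) -> int:
    """16-bit little-endian word n of a 512-byte IDENTIFY DEVICE buffer."""
    return struct.unpack_from("<H", ident, n * 2)[0]


def words(ident: bytes, first: int, count: int) -> int:
    """Join `count` consecutive words, least significant word first."""
    return sum(word(ident, first + i) << (16 * i) for i in range(count))


def parse_identify(ident: bytes) -> dict:
    """Pull the HPA-relevant fields out of IDENTIFY DEVICE data.

    Word 82 bit 10 = HPA feature set supported, word 85 bit 10 = HPA
    feature set enabled (both as stated in the text). Word 83 bit 10
    (48-bit address feature set supported) is an assumed standard field.
    """
    if len(ident) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    hpa_supported = bool(word(ident, 82) & (1 << 10))
    hpa_enabled = bool(word(ident, 85) & (1 << 10))
    lba48_supported = bool(word(ident, 83) & (1 << 10))
    sectors_28 = words(ident, 60, 2)    # words 60-61
    sectors_48 = words(ident, 100, 4)   # words 100-103; 0 on 28-bit-only drives
    # On a 48-bit drive whose capacity exceeds the 28-bit limit, words 60-61
    # saturate and words 100-103 hold the real count; otherwise both agree.
    user_sectors = sectors_48 if (lba48_supported and sectors_48) else sectors_28
    return {
        "hpa_supported": hpa_supported,
        "hpa_enabled": hpa_enabled,
        "lba48_supported": lba48_supported,
        "sectors_28": sectors_28,
        "sectors_48": sectors_48,
        "user_sectors": user_sectors,
    }


def detect_hpa(ident: bytes, native_max_lba: int) -> dict:
    """Compare user-addressable sectors with READ NATIVE MAX ADDRESS (EXT).

    native_max_lba is the last LBA the drive physically has, so the native
    capacity is native_max_lba + 1 sectors. Any excess over the
    user-addressable count is the area hidden by an HPA.
    """
    info = parse_identify(ident)
    native_sectors = native_max_lba + 1
    hidden = native_sectors - info["user_sectors"]
    info["native_sectors"] = native_sectors
    info["hidden_sectors"] = max(hidden, 0)
    info["hpa_present"] = hidden > 0
    # The protected area begins one sector past the maximum user address.
    info["hpa_start_lba"] = info["user_sectors"] if hidden > 0 else None
    return info


def build_identify(user_sectors: int, lba48: bool, hpa_enabled: bool) -> bytes:
    """Constructed IDENTIFY DEVICE buffer with only the fields used above set."""
    w = [0] * 256
    w[82] |= 1 << 10                      # HPA feature set supported
    if hpa_enabled:
        w[85] |= 1 << 10                  # HPA feature set enabled
    if lba48:
        w[83] |= 1 << 10                  # 48-bit addressing supported (assumed bit)
        w[86] |= 1 << 10                  # 48-bit addressing enabled (assumed bit)
        reported_28 = min(user_sectors, LBA28_LIMIT)
        for i in range(4):
            w[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    else:
        reported_28 = user_sectors        # words 100-103 stay 0
    w[60] = reported_28 & 0xFFFF
    w[61] = (reported_28 >> 16) & 0xFFFF
    return struct.pack("<256H", *w)


# Constructed scenario: an 80 GB drive (156,301,488 sectors) whose HPA leaves
# 117,231,408 user-addressable sectors, so it presents as roughly 60 GB.
EIGHTY_GB_NATIVE_MAX_LBA = 156_301_488 - 1
SAMPLE_IDENT = build_identify(117_231_408, lba48=False, hpa_enabled=True)

if __name__ == "__main__":
    r = detect_hpa(SAMPLE_IDENT, EIGHTY_GB_NATIVE_MAX_LBA)
    print(f"HPA present: {r['hpa_present']}, hidden sectors: {r['hidden_sectors']}, "
          f"protected area starts at LBA {r['hpa_start_lba']}")
```

In practice the IDENTIFY buffer and the native maximum come from the drive (for example via an ATA pass-through on a write-blocked interface), and the check is worth running before imaging: a positive `hpa_present` with a non-zero `hidden_sectors` means the image taken from the user-addressable range alone will be short by exactly that many sectors.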
Resource: International Journal of Digital Evidence