Do you know what a Host Protected Area (HPA) is?

June 17, 2008

It is sometimes also called the Hidden Protected Area. It is an area of your hard disk that is normally not visible to the operating system, and therefore not to applications either. It was first introduced in the ATA-4 standard and is defined in ATA-5 as an optional feature, which most modern hard disks support. Its normal use case is system recovery and the backup of important configuration data.

So why is this security relevant? For law enforcement agencies and forensic experts it is important to detect HPAs and recover data from them. For one, someone could hide sensitive data in an HPA; for another, it could hold evidence or traces if the owner does not know about the HPA.

But it is also important for any business and home user: for example, if you want to fully overwrite your hard disk, you need to make sure you also overwrite the HPA. If you use a current Linux kernel you're lucky: the kernel (temporarily) deactivates the HPA during boot, so you can overwrite everything without problems.

Here are some links which will help you to detect / remove the HPA from your hard disk:
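
A quick way to check a disk for an HPA on Linux, as an added example that is not part of the original post: `hdparm -N` prints the visible and native sector counts, and the function below parses that output and reports how many sectors are hidden. The sample output and the device names `/dev/sdx` and `/dev/sdy` are constructed, `hpa_parse` and `sample_hdparm_output` are names made up for this example, and 512-byte sectors are assumed.

```shell
#!/bin/sh
# Added example: report a Host Protected Area from `hdparm -N` output.
# hdparm -N prints: " max sectors   = <visible>/<native>, HPA is enabled|disabled"

# hpa_parse: read `hdparm -N` output on stdin and print one line per device:
#   <device> <visible> <native> <hidden_sectors> <hidden_bytes> <HPA|none>
# Assumption: 512-byte logical sectors (override with SECTOR_SIZE).
# Exits non-zero if a "max sectors" line cannot be parsed.
hpa_parse() {
    awk -v ss="${SECTOR_SIZE:-512}" '
        /^\/dev\// { dev = $1; sub(/:$/, "", dev); next }
        /max sectors/ {
            # Isolate "<visible>/<native>" between "=" and ","
            split($0, kv, "=")
            split(kv[2], parts, ",")
            gsub(/[ \t]/, "", parts[1])
            n = split(parts[1], v, "/")
            if (n != 2 || v[1] !~ /^[0-9]+$/ || v[2] !~ /^[0-9]+$/) {
                printf "%s unparsable\n", dev; bad = 1; next
            }
            # Sectors the OS cannot see = native size minus visible size
            hidden = v[2] - v[1]
            printf "%s %s %s %.0f %.0f %s\n", dev, v[1], v[2],
                   hidden, hidden * ss, (hidden > 0 ? "HPA" : "none")
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: one disk with an HPA, one without.
sample_hdparm_output() {
    cat <<'EOF'

/dev/sdx:
 max sectors   = 586070255/586072368, HPA is enabled

/dev/sdy:
 max sectors   = 976773168/976773168, HPA is disabled
EOF
}

# Live use (needs root): sh hpa_check.sh /dev/sdX
if [ "$#" -gt 0 ]; then
    hdparm -N "$1" | hpa_parse
fi
```

A non-zero hidden sector count means a wipe or forensic image taken through the normal block device does not cover the whole disk.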


  1. HPA and DCO have been discussed for a number of years regarding HDs.
    What is the current status of implementation and recovery when applied to SD cards or thumb drives?

    Comment by Robert Wallace — September 23, 2012 #

