Sep 152006
 

By Kush Wadhwa, NII Consulting

Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this this article , we’ll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The technique which is used to hide the data is known as HPA which stands for Host Protected Area. Let us first discuss HPA…

HPA – The Hidden Protected Area (also known as the Host Protected Area and as the Predesktop Area) is a special area (usually a few gigabytes in size) located at the end of a hard disk.

Since we have to calculate the hard disk space which is to be put in HPA, heres a little about hard disks sectors.

Sectors - A sector is the smallest unit that can be accessed on a hard disk. Each platter, or circular disk of a hard disk is divided into tracks, which run around the disk. These tracks get longer as they move from the middle towards the outside of the disk, so there are more sectors along the tracks near the outside of the disk than the ones towards the center of disk.

1 Sector=512 bytes

Let us first see how many sectors are there in my hard disk which can be easily done using hdparm command.

hpdarm command

From the above figure we can see that the total number of sectors present in the hard disk is 78165359 sectors. Converting given number of sectors in Gigabytes, we get 37.27214766 GB. To hide the data make separate partition (Note: This partition should be the last partition). HPA cannot be made in the beginning or in the middle of hard disk. Using sfdisk -luS note the starting sector of the last partition. Let the starting sector of last partion be 64776751.Now I just want 64776751 sectors to be accessible and rest of the sectors should be in HPA mode. For putting the sectors in HPA mode I will use a small C code with a name setmax.c which can be downloaded from the link below.

http://www.win.tue.nl/~aeb/linux/setmax.c

To compile this program I will use gcc

[root@hack3rs root]#gcc -o setmax setmax.c

To compile it in statically,
[root@hack3rs root]#gcc -static -o setmax setmax.c

Since 64776751 sectors have to be made accessible we will do as follows:
[root@hack3rs root]#./setmax –delta 64776751 /dev/hdc (depending on your device name).

–delta option will make temporary HPA. If you want to make permanent HPA then use –max option with setmax.
Congratulations! you have hidden your last 8388608 sectors which is equivalent to 4GB. You can make sure if your hard disk is in HPA mode or not by using disk_stat which comes with sleuthkit. Sleuthkit can be downloaded from its official site http://www.sleuthkit.org. The general syntax of disk_stat is disk_stat . Here device name can be /dev/{hda,hdb,hdc,sda,sdb,sdc}. Be sure not to write the partition name.
Unhiding your host protected area(Specially written for digital forensics team)

When digital forensics team is inspecting the machine, they should make sure if the hard disk is in HPA mode or not. If the hard disk is in HPA mode, then its quite possible that data is stored in that area and that data could help them solve the case. So let us first detect the hard disk is in HPA or not. As said earlier this can be easily done using disk_stat. This will show you Maximum Disk Sector and Maximum User Sector.

Maximum Disk Sector: This gives the total number of sectors present in hard disk.

Maximum User Sector: This gives the total number of sectors which user can access.

As per example above I got the followin result

Maximum Disk Sector: 78165359
Maximum User Sector: 64776751

** HPA Detected (Sectors 64776751 – 78165359) **

This means that sectors from 64776751 to 78165359 are in HPA mode. Now again use setmax to unhide HPA.

[root@hack3rs root]#./setmax –delta 78165359 /dev/hdc

This will make all your hard disk accessible. I hope you all enjoyed reading the article.

Happy Experimenting!

Kush

 Posted by at 10:49 am

  14 Responses to “Hiding data with Host Protected Area (HPA) in Linux”

  1. kush its really nice article. keep it up :)

  2. Its a very Good work.U r always doing something iteresting.Thanks.

  3. Hi

    It’s really interesting article and i’ll try it on my SATA drive.
    Meanwhile Symantec Ghost has a utility for disk partition “GDisk” which can detect and wipe HPA.

    http://eibr.sgsi.ucl.ac.be/sym/g8/v83/gh83_refer_guide.pdf
    http://www.forensicexams.org/content/view/678/128/

  4. A very nice site where you can read various articles on forensic.
    Held on August 8 – 10, 2006.

    http://www.certconf.org/presentations/2006/

    Read Tim Vidas articles….

  5. Hi Monica

    Thanks for your feedback. Looking for continued interaction with you.

  6. Hi Rahul

    Thanks for your feedback. Looking for continued interaction with you.

  7. Hello Vikas

    I was looking for more utilities which could wipe out HPA. You added 1 more utility in my list. Thanks for giving good links & feedback. Looking forward for continued interaction with you.

  8. Kush

    Nice article. Keep up the good work.

  9. What a great article. I’ve examined a number of hard drives with free as well as commercial utilities and none of them seems to have a HPA. I’m not sure if my technique is correct. I suppose one way to check would be to put a text file into a HPA and then retrieve it. I see the article mentions creating a HPA using setmax but what about writing a file to the area? This is so fascinating and yet frustrating!

  10. Hello Iain

    Thanks for your feedback. I mentioned in my article that HPA can only be set at the end of the hard disk i.e on the last partition or the free space which is at the end of the hard disk. Now coming to your point, you want to write some text files or we can say you want to put some files in HPA area. In that case what you can do is, you can remove HPA first using setmax utility and once you have put the desired files at the end of the hard disk, you can again create the HPA on the area where file is kept . You can create the HPA using setmax tool

  11. Hello Kush

    I guessed that may be the case. I’m not sure about a utility to place the file(s) exactly where I need on the hard disk. I suspect that something like EnCase or WinHex could be used to write the data byte by byte te exactly where was required but that seems a bit tedious. Is there something else which could be used to write (say) MyInfo.txt to start at sector 673425 (hypothetical name and number, but I hope you get the drift!)?

    Thank you for your time.

  12. Hello Iain

    Its a bit complicated question. And as far as my knowledge goes you can use dd command in linux or dd.exe in windows to achieve this task.

  13. Hi Kush

    Thank you for the comment and apologies for not responding earlier. I check here on most days and the first time that I saw your reply was today, 4 July 2007.

    I’ve been looking at this further and have “stumbled” upon dd. What a marvellous piece of software. I can write zeros or random data to a HD, copy the MBR from a FD to a file, write to specific areas of a disk, write the content of memory to a file … and much more. I’m going to have fun playing around with this and seeing just what it can do!

  14. Hi Kush,
    Thanks for such a great program. It’s 2011 now and your program says that it’s only for IDE programs. I tried it with a 1.5TB sata drive and it only recognized 137GB’s. Any chance you might update the program to support more recent drives? Thanks

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>