Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this article we'll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The technique used to hide the data is known as HPA, which stands for Host Protected Area. Let us first discuss HPA…
HPA - The Hidden Protected Area (also known as the Host Protected Area and as the Predesktop Area) is a special area (usually a few gigabytes in size) located at the end of a hard disk.
Since we have to calculate the amount of hard disk space that is to be put in the HPA, here's a little about hard disk sectors.
Sectors - A sector is the smallest unit that can be accessed on a hard disk. Each platter, or circular disk of a hard disk is divided into tracks, which run around the disk. These tracks get longer as they move from the middle towards the outside of the disk, so there are more sectors along the tracks near the outside of the disk than the ones towards the center of disk.
1 Sector=512 bytes
Let us first see how many sectors there are in my hard disk, which can easily be done using the hdparm command.
From the above figure we can see that the total number of sectors present in the hard disk is 78165359 sectors. Converting the given number of sectors into Gigabytes, we get 37.27214766 GB. To hide the data, make a separate partition (Note: this partition should be the last partition). An HPA cannot be made at the beginning or in the middle of the hard disk. Using sfdisk -luS, note the starting sector of the last partition. Let the starting sector of the last partition be 64776751. Now I want only 64776751 sectors to be accessible and the rest of the sectors should be in HPA mode. To put the sectors in HPA mode I will use a small C program named setmax.c, which can be downloaded from the link below.
http://www.win.tue.nl/~aeb/linux/setmax.c
To compile this program I will use gcc
[root@hack3rs root]#gcc -o setmax setmax.c
To compile it in statically,
[root@hack3rs root]#gcc -static -o setmax setmax.c
Since 64776751 sectors have to be made accessible we will do as follows:
[root@hack3rs root]#./setmax -delta 64776751 /dev/hdc (depending on your device name).
-delta option will make temporary HPA. If you want to make permanent HPA then use -max option with setmax.
Congratulations! You have hidden your last 8388608 sectors, which is equivalent to 4GB. You can check whether your hard disk is in HPA mode or not by using disk_stat, which comes with sleuthkit. Sleuthkit can be downloaded from its official site http://www.sleuthkit.org. The general syntax of disk_stat is disk_stat <device>. Here the device name can be /dev/{hda,hdb,hdc,sda,sdb,sdc}. Be sure not to write the partition name.
Unhiding your host protected area (specially written for digital forensics teams)
When a digital forensics team is inspecting a machine, they should check whether the hard disk is in HPA mode or not. If the hard disk is in HPA mode, then it is quite possible that data is stored in that area, and that data could help them solve the case. So let us first detect whether the hard disk is in HPA mode or not. As said earlier, this can easily be done using disk_stat. This will show you the Maximum Disk Sector and the Maximum User Sector.
Maximum Disk Sector: This gives the total number of sectors present in hard disk.
Maximum User Sector: This gives the total number of sectors which user can access.
As per the example above, I got the following result:
Maximum Disk Sector: 78165359
Maximum User Sector: 64776751
** HPA Detected (Sectors 64776751 - 78165359) **
This means that sectors from 64776751 to 78165359 are in HPA mode. Now again use setmax to unhide HPA.
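As an added illustration (not code from the article, setmax, or sleuthkit), here is a small Python script that parses disk_stat output in the shape shown above, reports whether an HPA is present, and sizes the hidden range using the article's 512-byte sector arithmetic. The sample output embedded below is constructed from the figures above.

```python
import re

SECTOR_BYTES = 512  # the article's rule: 1 sector = 512 bytes

# Constructed sample of disk_stat output, shaped like the result in the article.
SAMPLE_DISK_STAT = """\
Maximum Disk Sector: 78165359
Maximum User Sector: 64776751

** HPA Detected (Sectors 64776751 - 78165359) **
"""


def sectors_to_gb(sectors):
    """Convert a sector count to GB (1024^3 bytes), matching the article's figures."""
    return sectors * SECTOR_BYTES / (1024 ** 3)


def parse_disk_stat(text):
    """Extract (max disk sector, max user sector) from disk_stat output, or None."""
    disk = re.search(r"Maximum Disk Sector:\s*(\d+)", text)
    user = re.search(r"Maximum User Sector:\s*(\d+)", text)
    if not disk or not user:
        return None
    return int(disk.group(1)), int(user.group(1))


def hpa_report(text):
    """Detect an HPA from disk_stat output and size the hidden range.

    A user limit below the disk maximum means the sectors in between are
    hidden from the OS; a forensic image of /dev/hdc alone will not contain them.
    """
    parsed = parse_disk_stat(text)
    if parsed is None:
        raise ValueError("no sector figures found in disk_stat output")
    disk, user = parsed
    if user >= disk:
        return {"hpa": False, "disk_sectors": disk, "user_sectors": user}
    hidden = disk - user
    return {
        "hpa": True,
        "disk_sectors": disk,
        "user_sectors": user,
        "first_hidden": user,      # first sector the OS can no longer reach
        "last_hidden": disk,       # the native maximum reported by disk_stat
        "hidden_sectors": hidden,
        "hidden_gb": sectors_to_gb(hidden),
    }


if __name__ == "__main__":
    print(hpa_report(SAMPLE_DISK_STAT))
```

The hidden range and its size follow directly from the two disk_stat figures; the unhide step then passes the disk maximum back to setmax.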
[root@hack3rs root]#./setmax -delta 78165359 /dev/hdc
This will make all your hard disk accessible. I hope you all enjoyed reading the article.
Happy Experimenting!