Forensic Analysis of Host Protected Areas (HPAs): A Detailed Report


Added on  2023/06/07

AI Summary
This report provides an overview of Host Protected Areas (HPAs) in digital forensics, explaining how HPAs function as hidden spaces on hard drives, concealing data from normal operating system commands. It highlights the challenges faced by forensic investigators in accessing and analyzing HPAs, including the limitations of forensic tools and the importance of specialized commands like IDENTIFY DEVICE, SET MAX ADDRESS, and READ NATIVE MAX ADDRESS. The report discusses the implications of HPAs for data security and criminal investigations, emphasizing the need for forensic experts to understand and overcome these challenges to recover hidden data and ensure thorough investigations. The document also references key research and publications in the field of digital forensics and anti-forensics, providing a comprehensive understanding of HPAs.
Running Head: HOST PROTECTED AREA, FORENSICS 1
HOST PROTECTED AREA, FORENSICS
Student Name
Institution Affiliation
Facilitator
Course
Date
Host protected areas (HPAs), also known as hidden protected areas, are hidden regions of a hard drive that cannot easily be accessed, seen or manipulated through normal operating system commands. Accessing them requires special commands that most forensic investigators are not familiar with (Berghel, 2017). Most forensic applications are also unable to recognize HPAs, so suspects can easily use this disk space to conceal data that would otherwise give investigators evidence against them. In this scenario, even after forensic experts gain access to the hard disk, they can interact only with the open disk space and not the protected area, so any relevant data contained in the HPA will not be accessible to them.
This happens for various reasons. For instance, a report by US forensic experts in 2011 indicated that most forensic tools would recognize HPAs when run on the DOS platform but would not detect these concealed areas of the hard disk when run on the Windows platform (Garfinkel, 2017). This was a serious security issue not only for administrators who used the tools to verify that hard disks had been erased, but also for investigative teams and forensic departments, because sensitive and criminal information could be hidden in an HPA, making it hard to detect.
Also, most security products currently on the market do not support Host Protected Areas (HPAs) when wiping a disk or for forensic purposes. An HPA makes the disk appear smaller than its real size, which enables data to be hidden from the operating system (Gupta, Hoeschele & Rogers, 2016). Since most ATA disks on the market today support HPAs, this has become a great threat to forensic experts.
Accessing the HPA with normal operating system commands is not possible, since the operating system cannot see the HPA space on the HDD. However, all HDDs that support the HPA functionality also support three ATA commands, IDENTIFY DEVICE, SET MAX ADDRESS and READ NATIVE MAX ADDRESS, as outlined in the working draft of the ATA-6 interface. Forensic experts can use these ATA commands where the data under investigation is suspected to have been hidden in these areas of the hard disk. The ATA commands are (Kent, Chevalier, Grance & Dang, 2016):
IDENTIFY DEVICE
This is the command the operating system uses to reveal the total space on the hard drive that can be used for data storage.
SET MAX ADDRESS
This command is used to create an HPA. For instance, if a hard drive has a maximum size of 1000GB and the SET MAX ADDRESS command is used to set the max address at 950GB, an HPA is said to have been created. The 50GB left on the disk will be invisible to the OS, since the max address the OS sees is 950GB.
READ NATIVE MAX ADDRESS
Firmware and hardware such as the BIOS use the READ NATIVE MAX ADDRESS ATA command to reveal the real hard drive size. Such devices are also known as “HPA aware”.
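The comparison these three commands make possible, as an added example that is not part of the original report: the visible sector count from IDENTIFY DEVICE data is checked against the value returned by READ NATIVE MAX ADDRESS to size any hidden area. The word and bit positions follow the ATA IDENTIFY DEVICE layout; the function names, the 512-byte sector size, decimal gigabytes and the sample data are assumptions made for illustration.

```python
import struct

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

def parse_identify(block: bytes) -> dict:
    """Pull the HPA-relevant fields out of a 512-byte IDENTIFY DEVICE response."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w = struct.unpack("<256H", block)             # 256 little-endian 16-bit words
    lba28 = w[60] | (w[61] << 16)                 # words 60-61: 28-bit sector count
    lba48 = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    has_lba48 = bool(w[83] & (1 << 10))           # word 83 bit 10: 48-bit addressing
    return {
        "hpa_supported": bool(w[82] & (1 << 10)), # word 82 bit 10: HPA feature set
        "hpa_enabled": bool(w[85] & (1 << 10)),   # word 85 bit 10: HPA enabled
        "visible_sectors": lba48 if has_lba48 and lba48 else lba28,
    }

def hpa_report(identify_block: bytes, native_max_lba: int) -> dict:
    """Compare the OS-visible size with the native size to find hidden sectors."""
    info = parse_identify(identify_block)
    native_sectors = native_max_lba + 1           # the command returns the last LBA
    hidden = native_sectors - info["visible_sectors"]
    if hidden < 0:
        raise ValueError("visible size exceeds native size: inputs do not match")
    return {**info, "native_sectors": native_sectors, "hidden_sectors": hidden,
            "hidden_bytes": hidden * SECTOR_BYTES, "hpa_present": hidden > 0}

def build_identify(visible_sectors: int, hpa_enabled: bool) -> bytes:
    """Constructed sample response (not captured from a real drive)."""
    w = [0] * 256
    capped = min(visible_sectors, 0x0FFFFFFF)     # the 28-bit field saturates
    w[60], w[61] = capped & 0xFFFF, capped >> 16
    for i in range(4):                            # words 100-103: 48-bit count
        w[100 + i] = (visible_sectors >> (16 * i)) & 0xFFFF
    w[82] = 1 << 10
    w[83] = 1 << 10
    w[85] = (1 << 10) if hpa_enabled else 0
    return struct.pack("<256H", *w)

if __name__ == "__main__":
    # The report's example: a 1000GB drive with the max address set at 950GB.
    report = hpa_report(build_identify(1_855_468_750, True), 1_953_124_999)
    print(report["hidden_bytes"] // 10**9, "GB hidden; HPA present:", report["hpa_present"])
```

An imaging workflow would run this check before acquisition, so that a nonzero `hidden_sectors` value is recorded and the hidden range is included in the image.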
References
Berghel, H. (2017). Hiding data, forensics, and anti-forensics. Communications of the ACM, 50(4), 15-20.
Garfinkel, S. (2017, March). Anti-forensics: Techniques, detection and countermeasures. In 2nd International Conference on i-Warfare and Security (Vol. 20087, pp. 77-84).
Gupta, M. R., Hoeschele, M. D., & Rogers, M. K. (2016). Hidden disk areas: HPA and DCO. International Journal of Digital Evidence, 5(1), 1-8.
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2016). Guide to integrating forensic techniques into incident response. NIST Special Publication, 10, 800-86.