Host Protected Area

Host Protected Area (HPA ), also known as the Hidden Protected Area or ATA - protected area is a reserved area for data storage outside the normal file system. This area is in front of the file system and the operating system - and therefore before formatting and partitioning programs - hidden and is not accessible for this.


Uses for HPA is mainly the system recovery and backup of configuration data. For example, the original content of a system installation are stored in a protected area on the hard drive and copied back at a recovery in the regular area of ​​the hard disk.

HPA is an optional hard disk feature, which is defined in the ATA -4 standard and is supported by most modern hard disks.

Using HPA can be a HPA -swappable disk manipulated so that it appears smaller than it actually is. HPA makes it possible to hide an upper area of ​​the disk.

HPA - relevant ATA commands

A) IDENTIFY_DEVICE The ATA command IDENTIFY_DEVICE, which is usually called when the hardware detection of the operating system returns the capacity of a hard disk.

B ) SET_MAX_ADDRESS The ATA command SET_MAX_ADDRESS is used to make the disk appears smaller than it actually is. The command can be executed both in the volatile (volatile ) and the non - volatile (non- volatile) mode. In the non- volatile (non- volatile) mode, the new maximum size remains permanently - so even after turning off the hard drive - get while in the volatile (volatile ) mode, the size is only temporary, ie until the next reset, changed. About the ATA command SET_MAX_ADDRESS the hard drive is so informed which capacity they should report to the IDENTIFY_DEVICE command.

C ) READ_NATIVE_MAX_ADDRESS The ATA command READ_NATIVE_MAX_ADDRESS always shows the maximum upper sector address by the highest address according to the factory settings - reads - so the actual size.

By comparing the outputs of the commands IDENTIFY_DEVICE and READ_NATIVE_MAX_ADDRESS possible to determine whether HPA is present or enabled. If the two commands display different sizes, then the hard drive has been sometime before " reduced " with the SET_MAX_ADDRESS command.

By rerunning the command SET_MAX_ADDRESS the disk size can be reset to the factory setting. Then you can switch back to accessing the entire hard disk, ie the hard drive has its full capacity again.

Computer forensics

For law enforcement officers, investigators and forensic experts, the detection and evaluation of Host Protected Areas ( HPA) is very interesting.

On the one hand by the accused by means of HPA deliberately hidden areas of the disk and have been hidden data. On the other usable traces and evidence can be found in the "hidden" areas of the disk, if the defendant HPA has not been known or he, for technical reasons can not modify HPA.

Manipulation and deletion of data

Also for the user, the HPA be of great importance, especially if he wants to delete the data on your hard disk by completely overwriting completely.

Recent Linux kernel as a rule require a detected at boot HPA temporarily back ( disable this ) so that the kernel (and thus the administrator) can access all sectors up to the native maximum address. For example:

... hda: Host Protected Area detected.          current capacity is 109170031 sectors ( 55895 MB)          native capacity is 117210240 sectors ( 60011 MB) hda: Host Protected Area disabled. hda: 117210240 sectors ( 60011 MB) w/7877KB Cache, CHS = 65535/16/63, UDMA (100 ) ... When the kernel, the HPA resets tools can like the Unix command dd which is often used to delete data carriers by means of complete overwrite the hard drive with zeros or random numbers, even override the HPA. If you are using an older kernel, such as in the known live CD DBAN (Version 1.0.4), the HPA is not deleted, but only the visible part of the disk.