Forensics: Imaging the HPA

Host Protected Area or Hidden Protected Area

This is an area at the end of the hard drive that is hidden from the operating system: the drive is told (with the ATA SET MAX ADDRESS command) to report a maximum sector address smaller than its native capacity, so the O/S never sees the sectors beyond that address, but the BIOS and low-level tools can still reach them, and that makes the area valuable for a variety of reasons.  The HPA is not the same as the Device Configuration Overlay (DCO).  The DCO is a separate, lower-level feature that changes the capacity the drive itself reports as native; it is set through its own ATA command set, not through anything that runs during normal use of the computer, so it sits beneath the HPA and is harder to detect.

Examples of the HPA being used for genuine/commercial reasons include:

Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).

Dell notebooks hide the Dell MediaDirect utility in the HPA.  IBM and LG notebooks hide system restore software in the HPA.

The HPA is also used by various theft-recovery and monitoring service vendors.  For example, the laptop security firm behind Computrace uses the HPA to load software that reports to their servers whenever the machine is booted on a network.  This is a good example of using the HPA, because even if a stolen laptop has its hard drive formatted the HPA remains untouched: a format or re-partition only writes to the sectors the operating system can see, so only a tool that first resets the HPA would remove it.

Can the HPA be imaged?

Yes, some tools allow this.  LinEn, for example, will image the HPA.  It is the Linux environment, rather than EnCase specifically, that makes the HPA reachable: the kernel can report the native maximum address of the drive, and the HPA can be lifted from Linux before the acquisition is run.

Certain write blockers, such as the Tableau bridges, allow the imaging of the HPA because the hardware itself issues the ATA commands needed to expose it.  This matters: a software-only approach behind a generic write blocker may fail, because the blocker can refuse the SET MAX ADDRESS command that lifts the HPA.

Hardware cloners, from the likes of ICS and Logicube, can also image the HPA and the DCO.  Note that, unlike an HPA, which can be lifted temporarily until the next power cycle, removing a DCO is a persistent change to the drive's configuration, so it must be documented in the acquisition notes.
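To make the Linux route concrete, here is an added example (not code from the original post, EnCase or any vendor tool) that reads the text hdparm prints, works out how many sectors the HPA hides, checks whether a DCO hides still more beneath it, and builds the dd command that captures only the hidden region.  The hdparm output, the device name /dev/sdb and a 512-byte sector size are all assumptions for the demonstration; the sample outputs are constructed, and on a real drive the sector size must be confirmed first (for example with blockdev --getss).

```shell
#!/bin/sh
# Added example, not part of the original post: detect an HPA (and a DCO
# beneath it) from hdparm's text output, then build the dd invocation that
# images only the hidden sectors once the HPA has been lifted.
# Assumptions: 512-byte logical sectors, device /dev/sdb, and hdparm's
# output format as shown in the constructed samples below.

# Constructed sample of `hdparm -N /dev/sdb`.  The first number is the
# current (user-visible) max sector, the second is the native max that the
# drive returns to READ NATIVE MAX ADDRESS.
SAMPLE_HPA='/dev/sdb:
 max sectors   = 234441648/250069680, HPA is enabled'
SAMPLE_NO_HPA='/dev/sdb:
 max sectors   = 250069680/250069680, HPA is disabled'

# Constructed (abridged) sample of `hdparm --dco-identify /dev/sdb`.
# "Real max sectors" is the capacity that the DCO hides below the native max.
SAMPLE_DCO='DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
	Transfer modes:
		 udma0 udma1 udma2 udma3 udma4 udma5
	Real max sectors: 312581808
	ATA command/feature sets:
		 security HPA'

# hpa_parse "<hdparm -N output>"
# Prints one line: "<visible max> <native max> <sectors hidden by HPA>".
hpa_parse() {
    printf '%s\n' "$1" | awk '/max sectors/ {
        if (match($0, /[0-9]+\/[0-9]+/)) {
            split(substr($0, RSTART, RLENGTH), n, "/")
            # %.0f rather than %d so that sector counts above 2^31 survive
            printf "%.0f %.0f %.0f\n", n[1], n[2], n[2] - n[1]
        }
    }'
}

# dco_real_max "<hdparm --dco-identify output>"
# Prints the real maximum sector count reported by DEVICE CONFIGURATION IDENTIFY.
dco_real_max() {
    printf '%s\n' "$1" | awk '/Real max sectors/ { print $NF }'
}

# dco_hidden "<hdparm -N output>" "<hdparm --dco-identify output>"
# Prints how many sectors the DCO hides beyond the HPA's native max.
# A value above 0 means lifting the HPA alone will not reach the whole drive.
dco_hidden() {
    native=$(hpa_parse "$1" | cut -d' ' -f2)
    real=$(dco_real_max "$2")
    echo $((real - native))
}

# hpa_dd_command <device> "<hdparm -N output>" <outfile>
# Prints the dd command for the HPA region only; fails if there is no HPA.
# The command only works after the HPA has been lifted, e.g. with a
# temporary `hdparm -N <native max> <device>` (no "p" prefix, so the change
# is not persisted) and a rescan so the kernel picks up the new size.
hpa_dd_command() {
    dev=$1
    out=$3
    set -- $(hpa_parse "$2")
    visible=$1
    hidden=$3
    [ "${hidden:-0}" -gt 0 ] || return 1
    printf 'dd if=%s of=%s bs=512 skip=%s count=%s conv=noerror,sync\n' \
        "$dev" "$out" "$visible" "$hidden"
}

# Demonstration on the constructed samples.
echo "HPA (visible native hidden): $(hpa_parse "$SAMPLE_HPA")"
echo "DCO hides a further $(dco_hidden "$SAMPLE_HPA" "$SAMPLE_DCO") sectors"
hpa_dd_command /dev/sdb "$SAMPLE_HPA" hpa.dd
```

Two practical points follow from the script.  First, the two numbers from hdparm -N only describe the HPA; if dco_hidden reports anything above zero there is a DCO as well, and that is exactly the case the post says the hardware cloners handle, because removing a DCO is a permanent change to the drive.  Second, the skip/count values are in sectors, so a drive with 4096-byte logical sectors would need bs=4096, which is why the sector size has to be verified rather than assumed as it is here.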

