Anti-Malware Software-Host Protected Area(HPA) and Device Configuration Overlay(DCO)

Discussion in 'other anti-malware software' started by TheKid7, Jun 6, 2013.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Anti-Malware Software - Hard Drive Host Protected Area (HPA) and Device Configuration Overlay (DCO)

    Which Anti-Malware Software(s) detect/clean Rootkits/Malware which are in the Host Protected Area (HPA) and/or the Device Configuration Overlay (DCO) of a hard drive?

    Thanks in Advance.
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    As far as I know, there is no official in-the-wild malware rootkit that installs itself automatically in disk restricted areas such as the HPA and DCO.
    The only known "commercial rootkit" is the popular anti-theft solution Lojack, which resists a hard drive format because part of its code lives in the BIOS and HPA https://www.wilderssecurity.com/showthread.php?p=1831839#post1831839

    In this case I have seen a special free tool for that purpose called SpyVision, designed for average users who could not investigate embedded software
    http://www.bertavision.com/Download.html

    It appeared highly difficult to code a rootkit that will hide itself in the HPA or DCO, as these areas cannot be accessed by the system, like Windows or the BIOS, but only with special tools, disk manufacturer commands or forensic software and hardware solutions like EnCase, Atola Insight, DeepSpar/PC3000 and co.
    It is quite easy to suspect a hidden area when the hard drive capacity is not what is stated by the manufacturer http://blog.atola.com/restoring-factory-hard-drive-capacity/

    For ethical reasons, I do not wish to give more information about some free tools, as they can be used as an anti-forensic method to hide child pornography files in these hidden areas.
    In some countries' airports, like the USA and Israel, when the disk of a laptop is suspected of holding hidden data, it is sent for further forensic investigation.

    The rootkit problem is always the same: it needs system resources, like RAM, a driver, a service, a registry key, a protocol, a port, in order to be evil... and in this case, there is no need for an HPA/DCO detector or anti-malware...
    The technical possibility of insecurity does not mean the end of security, since this possibility cannot be used in a serial or industrial way.

    Edit: link to a similar topic via Google search :)
    http://www.google.fr/search?hl=fr&b...1&sa=X&ei=MwSxUan3BcTo4QSN6YDYDQ&ved=0CCIQvwU


    Rgds
     
    Last edited: Jun 6, 2013
  3. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Thanks for the information.

    The following feature description of a hard drive wiping product called BCWipe Total WipeOut is what made me aware that there are hidden/protected areas on a hard drive.
    When I saw that there are hidden/protected hard drive areas, the first thing that came to mind is that a standard hard drive wiping program will probably miss wiping the hidden/protected areas of the hard drive.

    BCWipe Total WipeOut:

    http://www.jetico.com/products/personal-privacy/bcwipe-total-wipeout
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Exactly, a popular boot disk wiper like DBAN will not erase the HPA/DCO.
    If we exclude some scenarios (like an evil PC repair technician who hides evidence of a crime in these protected areas), the only thing we can expect to find is often the manufacturer's recovery solution.
    On one of my laptops, it is easy, using the powerful diskpart (http://technet.microsoft.com/en-us/library/cc770877(v=ws.10).aspx ) command, to be aware of it (see the attached image, where Recuperation means Recovery), but manipulating the data requires specific tools of course.

    No need for Jetico, Blancco or another paid product for erasing the HPA/DCO....
    If the "delete partition" diskpart option is not always recommended, there are free reliable tools like SecureErase that will also warn before doing the job
    http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

    Rgds
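A defender's check for the capacity mismatch the two posts above describe (a drive reporting fewer addressable sectors than it physically has, and wipers or scanners never reaching the rest), added here as an example and not code from this thread or from any tool it names. It parses the LBA limits that hdparm's `-N` and `--dco-identify` commands print for an ATA drive; the sample output strings are constructed for the example, not captured from a real disk, and the 512-byte sector size is an assumption.

```python
import re
from dataclasses import dataclass

SECTOR_BYTES = 512  # assumed logical sector size; hdparm reports sector counts, not bytes

# Constructed sample output, in the line formats printed by `hdparm -N /dev/sdX`
# (visible/native max) and `hdparm --dco-identify /dev/sdX` (real max). Values are made up.
SAMPLE_HDPARM_N = "max sectors   = 1465149168/1953525168, HPA is enabled\n"
SAMPLE_DCO_IDENTIFY = (
    "DCO Checksum verified.\n"
    "DCO Revision: 0x0002\n"
    "The following features can be selectively disabled via DCO:\n"
    "\tReal max sectors: 1953525168\n"
)

@dataclass
class HiddenAreaReport:
    visible_sectors: int  # LBAs the OS can address today (SET MAX ADDRESS limit)
    native_sectors: int   # native max address, i.e. the limit after any DCO reduction
    real_sectors: int     # real max address reported by DEVICE CONFIGURATION IDENTIFY
    hpa_enabled: bool

    @property
    def hpa_hidden_sectors(self) -> int:
        return self.native_sectors - self.visible_sectors

    @property
    def dco_hidden_sectors(self) -> int:
        return self.real_sectors - self.native_sectors

    @property
    def hidden_gib(self) -> float:
        return (self.hpa_hidden_sectors + self.dco_hidden_sectors) * SECTOR_BYTES / 2**30

    def has_hidden_area(self) -> bool:
        return self.hpa_hidden_sectors > 0 or self.dco_hidden_sectors > 0

def parse_hidden_areas(hdparm_n_output: str, dco_identify_output: str) -> HiddenAreaReport:
    """Compare the three LBA limits a drive reports; any gap between them is space a
    normal wipe or scan never touches (HPA: visible < native; DCO: native < real)."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)(?:\(\d+\?\))?,\s*HPA is (enabled|disabled)",
                  hdparm_n_output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm -N output")
    visible, native = int(m.group(1)), int(m.group(2))
    d = re.search(r"Real max sectors:\s*(\d+)", dco_identify_output)
    real = int(d.group(1)) if d else native  # no DCO data: assume native is the real limit
    return HiddenAreaReport(visible, native, real, m.group(3) == "enabled")
```

A non-zero result is a reason to image the full native range with forensic tooling before trusting any scan or wipe report, since a vendor recovery area and deliberately hidden data look identical at this level.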
     

    Attached Files:
