Wednesday, October 28, 2009

Happy Dance!

Preparation
Well, I'm actually getting somewhere with the HPA project now. I had to do a fresh Debian 5.0.3 install, as recovery wasn't working from my latest error. Although, this was inevitable as I didn't have the drive partitioned correctly. Or, as the HPA project needed. So, here is a look at the drive.


#>sfdisk -luS

Disk /dev/hda: 3648 cylinders, 255 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0

Device Boot Start End #sectors Id System
/dev/hda1 63 16064 16002 83 Linux
/dev/hda2 16065 1975994 1959930 82 Linux swap / Solaris
/dev/hda3 * 1975995 52757459 50781465 83 Linux
/dev/hda4 52757460 58605119 5847660 83 Linux

The /dev/hda4 partition needs to be mounted manually, which is probably how it would be if I were actually hiding data: a red flag would be raised instantly if /etc/fstab listed a partition that was inaccessible. So I created a partition at the end of the disk and placed a couple of images in it; now it's time to hide the partition.

HPA designation!
I have found a great new way to bomb your machine! Just run

#> ./setmax --delta 52757460 /dev/hda

Then try to do something simple like, oh, I don't know, browsing the web. Slowly but surely the load on your machine will rise and lock everything up. It's kind of like a slow fork bomb, à la :(){:|:&};:. (Possible suggestion for a red team member at CDC?) It was actually kind of fun to watch the load slowly rise until it halted.

Anyway, here's what went wrong. The instructions I have been following to hide data with HPA (http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/) have an error. They tell you to run ./setmax --delta D /dev/hda, where D is the starting sector number of the space you want to hide (or just designate as HPA). So I was running ./setmax --delta 52757460 /dev/hda and bombing my system. Thankfully a hard reboot and a restart fixed everything. D is not the sector at which the HPA starts; it is the number of sectors to subtract from the end of the disk, i.e. the size of the hidden area. Thank you, code comments! So, essentially, I was trying to hide 27GB worth of space on a 30GB drive, when I wanted to hide 3GB.

Here is the command that worked to hide the data:

#>./setmax --delta 5847660 /dev/hda

And to unhide:

#>./setmax --delta 0 /dev/hda

SleuthKit has a handy tool called disk_stat that detects an HPA. When the partition was hidden, disk_stat gave the following output:

#> disk_stat /dev/hda
Maximum Disk Sector: 58605119
Maximum User Sector: 52757459

** HPA Detected (Sectors 52757460 - 58605119) **

And when the data was visible:

#> disk_stat /dev/hda
Maximum Disk Sector: 58605119
Maximum User Sector: 58605119

I also tried to mount /dev/hda4 while hidden and received an error. Very cool!

Well, now that hiding and unhiding works, I need to take it up a notch. I'm thinking: delete the 2 pictures, rehide the partition, and see what I can find with magicrescue. That's on the agenda for today!
