Harddrive - wipe out "hidden areas" like HPA and DCO after malware infection

So, wiped drive with DBAN foolishly (PRNG, 8 pass). Later came to know that DBAN does not kill HPA (host protected area) and DCO (Drive configuration overlay).

So we have a basic admission here: the drive was wiped, so there is no partition table, file system or data on the drive. Therefore there can be no data corruption or file system corruption, as neither exists, DBAN having ensured this, and so the following hdparm warning is not applicable.

hdparm has a more serious drawback: it can crash a computer and make data on its disk inaccessible if certain parameters are misused. Out of approximately sixty-seven parameters, several are dangerous and could result in "massive filesystem corruption" when used indiscriminately.

Fire up your Linux boot disk and run hdparm
To use HDPARM to clear the HPA

For x = device you're targeting, use the following HDPARM command to show if you have an HPA enabled.

# hdparm -N /dev/sdx

It will spit back something like the following if you have an HPA defined:

/dev/sdx:
max sectors   = 78125000/78165360, HPA is enabled

To remove the HPA and expand the visible area out to the full size of the drive use the denominator in the above report (visible area/max sectors):

# hdparm -N p78165360 /dev/sdx

It will spit back a report that the visible area is equal to the max sectors and that the HPA is disabled.

/dev/sdx:
setting max visible sectors to 78165360 (permanent)
max sectors   = 78165360/78165360, HPA is disabled

To use HDPARM to check if a DCO is in place and set it back to factory defaults

Since the DCO is set up by the manufacturer, you must accept that messing with it will possibly brick the drive. But then that's the least of your problems if you think you got some sophisticated malware that could actually mess with it. To see the DCO, use the following HDPARM command.

# hdparm --dco-identify /dev/sdx

In your example, it gave you:

/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
    Transfer modes:
         mdma0 mdma1 mdma2
         udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
    Real max sectors: 625142448
    ATA command/feature sets:
         SMART self_test error_log security HPA 48_bit
         (?): selective_test conveyance_test write_read_verify
         (?): WRITE_UNC_EXT
    SATA command/feature sets:
         (?): NCQ interface_power_management SSP

So, your drive manufacturer uses DCO to define the allowable data transfer modes (MDMA, UDMA), the real size of the drive (max sectors), and ATA/SATA commands that can be disabled.

If you want to attempt reverting the DCO back to factory defaults, you can use the following HDPARM command:

# hdparm --dco-restore /dev/sdx

It will spit back at you the following warning that changing the DCO will cause total data loss. Think of it as changing the partition size or wiping out the partition table and restoring it with incorrect parameters. On a wiped disk, you already have lost the data, eh? Basically a "sorry you didn't back up your data before proceeding" warning: you're SOL if the DCO doesn't match after the command's run and you think anything will be recoverable from the drive because of size reassignment.

/dev/sdx:
Use of --dco-restore is VERY DANGEROUS.
You are trying to deliberately reset your drive configuration back to
the factory defaults.
This may change the apparent capacity and feature set of the drive,
making all data on it inaccessible.
You could lose *everything*.
Please supply the --yes-i-know-what-i-am-doing flag if you really want this.
Program aborted.

Per the instructions, you add the following "I accept the consequences" switch:

# hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdx

And it tells you:

/dev/sdx:
issuing DCO restore command
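The checks in the answer above are easy to misread when the sector counts are long, so here is an added example (not code from the answer or from hdparm) that parses saved `hdparm -N` and `hdparm --dco-identify` reports and reports what is still hidden. It never executes hdparm itself; the two report strings are constructed, modelled on the ones quoted above, and the function names (`parse_hpa_report`, `hpa_reset_command`, `dco_real_max`, `hidden_sectors`) are this example's own. The idea is to run the read-only hdparm commands, pipe their output through these helpers, and only then decide whether a permanent `-N pNNN` or a DCO restore is warranted.

```shell
#!/bin/sh
# Added example, not from the original answers: offline helpers that read
# captured `hdparm -N` and `hdparm --dco-identify` reports and say whether
# an HPA or DCO is still hiding sectors. Nothing here touches a drive.

# Constructed sample reports, modelled on the ones quoted in the answer.
HPA_REPORT='/dev/sdx:
max sectors   = 78125000/78165360, HPA is enabled'

DCO_REPORT='/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
    Real max sectors: 625142448
    ATA command/feature sets:
         SMART self_test error_log security HPA 48_bit'

# parse_hpa_report: stdin = `hdparm -N` output.
# Prints "<visible> <native> <state>"; state is "hpa" when the visible
# LBA count is below the native max, otherwise "none".
parse_hpa_report() {
    awk '/max sectors/ {
        sub(/,$/, "", $4)             # "78125000/78165360," -> drop the comma
        split($4, n, "/")             # n[1] = visible, n[2] = native max
        state = (n[1] + 0 < n[2] + 0) ? "hpa" : "none"
        print n[1], n[2], state
    }'
}

# hpa_reset_command: stdin = `hdparm -N` output, $1 = device node.
# Prints the hdparm command (with the permanent "p" prefix, as used in the
# answer) that would expand the visible area to the native max, or a note
# that nothing needs doing. It only prints the command; it never runs it.
hpa_reset_command() {
    dev=$1
    set -- $(parse_hpa_report)
    if [ "$3" = "hpa" ]; then
        echo "hdparm -N p$2 $dev"
    else
        echo "no HPA on $dev (visible $1 of $2 sectors)"
    fi
}

# dco_real_max: stdin = `hdparm --dco-identify` output.
# Prints the "Real max sectors" value the DCO reports.
dco_real_max() {
    awk '/Real max sectors:/ { print $4 }'
}

# hidden_sectors: $1 = native max from `hdparm -N`, $2 = real max from
# `--dco-identify`. Prints how many sectors the DCO still hides once the
# HPA is gone; 0 means the DCO is not limiting capacity.
hidden_sectors() {
    echo $(( $2 - $1 ))
}

# Typical use on a real drive (read-only; prints the command, does not run it):
#   hdparm -N /dev/sdx | hpa_reset_command /dev/sdx
#   hidden_sectors "$(hdparm -N /dev/sdx | parse_hpa_report | cut -d' ' -f2)" \
#                  "$(hdparm --dco-identify /dev/sdx | dco_real_max)"
```

The two quoted reports in the answer come from different drives (78165360 versus 625142448 sectors), so they are not compared against each other here; on one drive, a non-zero `hidden_sectors` result after the HPA has been removed is the signal that a DCO is still limiting capacity, and a zero result means `--dco-restore` would change nothing about the visible size.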

I have had a recent problem with a 1TB drive reported as 1KB and Disk Manager reported no media. I used a free programme called DiskCheckup from Passmark.com.

After running the programme and selecting the affected disk, I clicked the 'hidden' tab to find 3 input boxes. The first, 'Max User LBA', showed only 1; the second and third (Native and Disk) showed the correct number. I ticked the checkbox to allow alteration and typed the correct number into the first box so that all 3 showed the same number of LBA. Then, click the 'Apply' button: all done.

Back in Disk Manager, I clicked 'rescan' in the Actions menu and my full partition information was back with full access to the drive. It may be that you will have to replace the MBR if it is a bootable drive using something like EasyRE.

Sorry, was browsing for an answer earlier and had not realised this was a Linux site and my answer only applies to Windows.