Device configuration overlay

Device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Information stored in either the DCO or the host protected area (HPA) is usually not accessible by the BIOS, the OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can make the drive report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used; its output can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike the HPA, which can be removed temporarily, for a single power cycle.[1]
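The comparison described above can be sketched as follows. This is an added example, not code from the cited sources: it parses the two 512-byte response blocks and reports how many sectors IDENTIFY_DEVICE leaves out. The word offsets and bit positions are assumptions based on the ATA/ATAPI response layouts, and the sample buffers are constructed rather than captured from a drive.

```python
import struct

def words(buf):
    # Both commands return one 512-byte block of 256 little-endian 16-bit words.
    if len(buf) != 512:
        raise ValueError("expected a 512-byte response")
    return struct.unpack("<256H", buf)

def identify_sectors(buf):
    """Sector count the drive reports through IDENTIFY DEVICE."""
    w = words(buf)
    if w[83] & (1 << 10):                      # assumed: 48-bit addressing supported
        return w[100] | w[101] << 16 | w[102] << 32 | w[103] << 48
    return w[60] | w[61] << 16                 # assumed: 28-bit LBA sector count

def dco_sectors(buf):
    """Sector count from DEVICE CONFIGURATION IDENTIFY (maximum LBA + 1)."""
    w = words(buf)
    # assumed: word 255 = signature 0xA5 (low byte) + checksum; bytes sum to 0 mod 256
    if (w[255] & 0xFF) != 0xA5 or (sum(buf) & 0xFF) != 0:
        raise ValueError("DCO integrity word check failed")
    return (w[3] | w[4] << 16 | w[5] << 32 | w[6] << 48) + 1

def hidden_sectors(identify_buf, dco_buf):
    """Sectors missing from IDENTIFY DEVICE. An HPA lowers the reported size
    too, so a non-zero result means DCO and/or HPA, not DCO alone."""
    if not words(identify_buf)[83] & (1 << 11):   # assumed: DCO feature set bit
        return 0
    return max(dco_sectors(dco_buf) - identify_sectors(identify_buf), 0)

def build(word_values, integrity=False):
    """Construct a sample response block (test data, not a real capture)."""
    w = [0] * 256
    for index, value in word_values.items():
        w[index] = value
    buf = bytearray(struct.pack("<256H", *w))
    if integrity:
        buf[510] = 0xA5                        # signature byte
        buf[511] = -sum(buf[:511]) & 0xFF      # checksum byte
    return bytes(buf)

# Constructed sample: an 80 GB drive configured to appear as 60 GB.
REAL, SHOWN = 156_250_000, 117_187_500
IDENTIFY = build({83: 0x0C00, 100: SHOWN & 0xFFFF, 101: SHOWN >> 16})
DCO = build({3: (REAL - 1) & 0xFFFF, 4: (REAL - 1) >> 16}, integrity=True)

if __name__ == "__main__":
    print(hidden_sectors(IDENTIFY, DCO), "sectors not reported by IDENTIFY DEVICE")
```

On an evidence drive these commands should be issued through a write blocker or a forensic tool that logs them, and only the read-only identify commands are needed for this check.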

Uses

The Device Configuration Overlay (DCO), which was first introduced in the ATA-6 standard, "allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS.... Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators. An additional issue for forensic investigators is imaging the HDD that has the HPA and or DCO on it. While certain vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on the handling of the DCO or indicate that this is beyond the capabilities of their tool."[2]

How various forensics tools handle the DCO

Software Imaging Tools

Guidance Software's EnCase comes with a Linux-based tool that images hard drives called LinEn. LinEn 6.01 was validated by the National Institute of Justice (NIJ) in October 2008, and they found that "The tool does not remove either Host Protected Areas (HPAs) or DCOs. However, the Linux test environment automatically removed the HPA on the test drive, allowing the tool to image sectors hidden by an HPA. The tool did not acquire sectors hidden by a DCO."[3]

AccessData's FTK Imager 2.5.3.14 was validated by the National Institute of Justice (NIJ) in June 2008. Their findings indicated that "If a physical acquisition is made of a drive with hidden sectors in either a Host Protected Area or a Device Configuration Overlay, the tool does not remove either an HPA or a DCO. The tool did not acquire sectors hidden by an HPA."[4]

Hardware Imaging Tools

A variety of hardware imaging tools have been found to successfully detect and remove DCOs. The NIJ routinely tests digital forensics tools and these publications can be found at http://nij.ncjrs.gov/App/publications/Pub_search.aspx?searchtype=basic&category=99&location=top&PSID=55 or from NIST at http://www.nist.gov/itl/ssd/cs/cftt/cftt-disk-imaging.cfm

References

  1. Brian Carrier (2005). File System Forensic Analysis. Addison Wesley. p. 38.
  2. Mark K. Rogers; Mayank R. Gupta; Michael D. Hoeschele (September 2006). "Hidden Disk Areas: HPA and DCO". Retrieved August 2010.
  3. National Institute of Justice (October 2008). "NIJ Test Results for Digital Data Acquisition Tool: EnCase LinEn 6.01". p. 5. Retrieved September 2010.
  4. National Institute of Justice (June 2008). "NIJ Test Results for Digital Data Acquisition Tool: FTK Imager 2.5.3.14". p. 6. Retrieved September 2010.