
Device configuration overlay

Device configuration overlay (DCO) is a hidden area on many of today's hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS (or UEFI), OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike with the host protected area (HPA), which can be temporarily removed for a power cycle.[1]
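The comparison described above can be sketched as follows. This is an added example, not code from the article or from any tool it names. It assumes the ATA word layout (IDENTIFY_DEVICE capacity in words 60-61 or 100-103, DEVICE_CONFIGURATION_IDENTIFY maximum LBA in words 3-6 with an integrity word at 255); the function names are hypothetical, and the two sample blocks are constructed to model an 80 GB drive presented as 60 GB.

```python
import struct

def words(buf):
    """Split a 512-byte ATA data block into 256 little-endian words."""
    if len(buf) != 512:
        raise ValueError("expected a 512-byte data block")
    return struct.unpack("<256H", buf)

def lba(w, first, count):
    """Combine `count` consecutive words, least significant first."""
    return sum(w[first + i] << (16 * i) for i in range(count))

def identify_sectors(buf):
    """Sector count the drive reports through IDENTIFY_DEVICE."""
    w = words(buf)
    if w[83] & (1 << 10):            # 48-bit Address feature set supported
        return lba(w, 100, 4)        # words 100-103
    return lba(w, 60, 2)             # words 60-61 (28-bit LBA)

def dco_sectors(buf):
    """Sector count from DEVICE_CONFIGURATION_IDENTIFY (words 3-6 = max LBA)."""
    w = words(buf)
    # Word 255: signature A5h in the low byte; all 512 bytes sum to 0 mod 256.
    if w[255] & 0xFF != 0xA5 or sum(buf) & 0xFF:
        raise ValueError("DCO data failed signature/checksum validation")
    return lba(w, 3, 4) + 1          # maximum LBA is an address, so add 1

def compare(identify_buf, dco_buf):
    """Report the sectors hidden between the two views of the drive."""
    reported, factory = identify_sectors(identify_buf), dco_sectors(dco_buf)
    return {"reported": reported, "factory": factory,
            "hidden": factory - reported, "restricted": factory > reported}

# --- constructed sample data (not captured from a real drive) ---
def make_block(fields, integrity=False):
    w = [0] * 256
    for index, value in fields.items():
        for i in range(4 if index in (3, 100) else 1):   # LBA fields span 4 words
            w[index + i] = (value >> (16 * i)) & 0xFFFF
    w[255] = 0xA5 if integrity else 0
    buf = bytearray(struct.pack("<256H", *w))
    if integrity:
        buf[511] = -sum(buf) & 0xFF  # checksum byte makes the total 0 mod 256
    return bytes(buf)

SECTORS_60GB = 60 * 10**9 // 512
SECTORS_80GB = 80 * 10**9 // 512
IDENTIFY = make_block({83: 1 << 10 | 1 << 11, 100: SECTORS_60GB})
DCO_IDENTIFY = make_block({3: SECTORS_80GB - 1}, integrity=True)
```

On a real drive the two 512-byte blocks would be read through an ATA pass-through interface. A non-zero `hidden` value can also be caused by an HPA, which lowers the IDENTIFY_DEVICE capacity in the same way.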

Uses

The Device Configuration Overlay (DCO), which was first introduced in the ATA-6 standard, "allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS.... Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators. An additional issue for forensic investigators is imaging the HDD that has the HPA and/or DCO on it. While certain vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on the handling of the DCO or indicate that this is beyond the capabilities of their tool."[2]

DCO Software tools

Detection tools

HDAT2 is a free software program for MS-DOS. It can be used to create/remove a Host Protected Area (HPA) (using the command SET MAX) and to create/remove a DCO hidden area (using the command DCO MODIFY). It can also perform other functions on the DCO.

Data Synergy's freeware ATATool utility can be used to detect a DCO from a Windows environment. Recent versions allow a DCO to be created, removed or frozen.[3]

Victoria 5.xx, a freeware HDD/SSD test, repair and benchmark utility, allows you to work with the DCO from the Windows environment. It offers a full range of options for working with the DCO: getting the structure, editing it and applying changes.

Software imaging tools

Guidance Software's EnCase comes with a Linux-based hard drive imaging tool called LinEn. LinEn 6.01 was validated by the National Institute of Justice (NIJ) in October 2008, and they found that "The tool does not remove either Host Protected Areas (HPAs) or DCOs. However, the Linux test environment automatically removed the HPA on the test drive, allowing the tool to image sectors hidden by an HPA. The tool did not acquire sectors hidden by a DCO."[4]

AccessData's FTK Imager 2.5.3.14 was validated by the National Institute of Justice (NIJ) in June 2008. Their findings indicated that "If a physical acquisition is made of a drive with hidden sectors in either a Host Protected Area or a Device Configuration Overlay, the tool does not remove either an HPA or a DCO. The tool did not acquire sectors hidden by an HPA."[5]

Hardware imaging tools

A variety of hardware imaging tools have been found to successfully detect and remove DCOs. The NIJ routinely tests digital forensics tools and these publications can be found at www.ojp.gov or from NIST at https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt

See also

  * Host protected area (HPA)
  * Master Boot Record (MBR)
  * GUID Partition Table (GPT)

References

  1. Brian Carrier (2005). File System Forensic Analysis. Addison Wesley. p. 38. ISBN 0321268172.
  2. Mark K. Rogers; Mayank R. Gupta; Michael D. Hoeschele (September 2006). "Hidden Disk Areas: HPA and DCO" (PDF).
  3. Data Synergy UK (July 2015). "ATATool - Data Synergy Windows HPA/DCO Utility".
  4. National Institute of Justice (October 2008). "NIJ Test Results for Digital Data Acquisition Tool: EnCase LinEn 6.01" (PDF). p. 5.
  5. National Institute of Justice (June 2008). "NIJ Test Results for Digital Data Acquisition Tool: FTK Imager 2.5.3.14" (PDF). p. 6.
