Device configuration overlay
Device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike with the Host Protected Area (HPA), which can be temporarily removed for a power cycle.
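The comparison described above, as an added example that is not part of the original article: it parses the 512-byte responses to IDENTIFY_DEVICE and DEVICE_CONFIGURATION_IDENTIFY and reports how many sectors the drive is hiding. The function names are hypothetical, the word offsets follow the ATA data layouts, and both responses are assumed to have been captured already; a nonzero result covers sectors hidden by a DCO and by any HPA together.

```python
import struct

def words(buf):
    """Split a 512-byte ATA response into 256 little-endian 16-bit words."""
    if len(buf) != 512:
        raise ValueError("expected 512 bytes of ATA data")
    return struct.unpack("<256H", buf)

def wide(w, first, count):
    """Join `count` consecutive words, least significant word first."""
    return sum(w[first + i] << (16 * i) for i in range(count))

def identify_sectors(ident):
    """Sector count the drive advertises through IDENTIFY DEVICE."""
    w = words(ident)
    if w[83] & (1 << 10):            # 48-bit addressing: words 100-103
        return wide(w, 100, 4)
    return wide(w, 60, 2)            # 28-bit LBA: words 60-61

def dco_real_sectors(dco):
    """Sector count from DEVICE CONFIGURATION IDENTIFY data."""
    w = words(dco)
    # Word 255: signature A5h in the low byte, checksum in the high byte;
    # a valid structure has all 512 bytes summing to 0 modulo 256.
    if (w[255] & 0xFF) != 0xA5 or sum(dco) % 256:
        raise ValueError("DCO identify data failed its integrity check")
    return wide(w, 3, 4) + 1         # words 3-6 hold the maximum LBA

def hidden_sectors(ident, dco):
    """Sectors IDENTIFY DEVICE does not show; None without DCO support."""
    if not words(ident)[83] & (1 << 11):   # word 83 bit 11: DCO feature set
        return None
    return dco_real_sectors(dco) - identify_sectors(ident)

def build(fields, seal=False):
    """Constructed sample response: `fields` maps a word index to its value."""
    w = [0] * 256
    for index, value in fields.items():
        w[index] = value
    if seal:                         # add the word-255 signature and checksum
        w[255] = 0xA5
        w[255] |= (-sum(struct.pack("<256H", *w)) % 256) << 8
    return struct.pack("<256H", *w)

# Constructed sample: an 80 GB drive set to report 60 GB (512-byte sectors).
SHOWN, REAL = 117_187_500, 156_250_000
IDENT = build({83: (1 << 10) | (1 << 11), 100: SHOWN & 0xFFFF, 101: SHOWN >> 16})
DCO = build({3: (REAL - 1) & 0xFFFF, 4: (REAL - 1) >> 16}, seal=True)
print(hidden_sectors(IDENT, DCO), "sectors are hidden from IDENTIFY DEVICE")
```

A result of zero means the two commands agree on the drive's size; the integrity check rejects a truncated or corrupted DCO response before its size is trusted.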

Uses

The Device Configuration Overlay (DCO), which was first introduced in the ATA-6 standard, "allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS.... Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators. An additional issue for forensic investigators is imaging the HDD that has the HPA and/or DCO on it. While certain vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on the handling of the DCO or indicate that this is beyond the capabilities of their tool."

Software Imaging Tools

Guidance Software's EnCase comes with a Linux-based tool that images hard drives called LinEn. LinEn 6.01 was validated by the National Institute of Justice (NIJ) in October 2008, and they found that "The tool does not remove either Host Protected Areas (HPAs) or DCOs. However, the Linux test environment automatically removed the HPA on the test drive, allowing the tool to image sectors hidden by an HPA. The tool did not acquire sectors hidden by a DCO."

AccessData's FTK Imager 2.5.3.14 was validated by the National Institute of Justice (NIJ) in June 2008. Their findings indicated that "If a physical acquisition is made of a drive with hidden sectors in either a Host Protected Area or a Device Configuration Overlay, the tool does not remove either an HPA or a DCO. The tool did not acquire sectors hidden by an HPA."

Hardware Imaging Tools

A variety of hardware imaging tools have been found to successfully detect and remove DCOs. The NIJ routinely tests digital forensics tools and these publications can be found at http://nij.ncjrs.gov/App/publications/Pub_search.aspx?searchtype=basic&category=99&location=top&PSID=55 or from NIST at http://www.cftt.nist.gov/disk_imaging.htm
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.