Device Configuration Overlay

Device configuration overlay (DCO) is a hidden area on many of today's hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS (or UEFI), OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the command is used, and the output of this command can be compared to the output of to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the command. This permanently alters the disk, unlike with the host protected area (HPA), which can be temporarily removed for a power cycle.

Uses

The Device Configuration Overlay (DCO), which was first introduced in the ATA-6 standard, "allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS.... Given the potential to place data in these hidden areas, this is an area of concern for computer forensics investigators. An additional issue for forensic investigators is imaging the HDD that has the HPA and/or DCO on it. While certain vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on the handling of the DCO or indicate that this is beyond the capabilities of their tool."

DCO Software tools

Detection tools

HDAT2
a free software program for MS-DOS. It can be used to create/remove Host Protected Area (HPA) (using command SET MAX) and create/remove DCO hidden area (using command DCO MODIFY). It also can do other functions on the DCO.

Data Synergy's freeware ATATool utility can be used to detect a DCO from a Windows environment. Recent versions allow a DCO to be created, removed or frozen.
Victoria 5.xx
freeware HDD/SSD test, repair and benchmark utility allows you to work with DCO from the Windows environment. There is a full range of options for working with DCO: getting the structure, editing it and applying changes.

Software imaging tools

Guidance Software's EnCase comes with a Linux-based tool that images hard drives called LinEn. LinEn 6.01 was validated by the National Institute of Justice (NIJ) in October 2008, and they found that "The tool does not remove either Host Protected Areas (HPAs) or DCOs. However, the Linux test environment automatically removed the HPA on the test drive, allowing the tool to image sectors hidden by an HPA. The tool did not acquire sectors hidden by a DCO."

AccessData's FTK Imager 2.5.3.14 was validated by the National Institute of Justice (NIJ) in June 2008. Their findings indicated that "If a physical acquisition is made of a drive with hidden sectors in either a Host Protected Area or a Device Configuration Overlay, the tool does not remove either an HPA or a DCO. The tool did not acquire sectors hidden by an HPA."

Hardware imaging tools

A variety of hardware imaging tools have been found to successfully detect and remove DCOs. The NIJ routinely tests digital forensics tools and these publications can be found at
www.ojp.gov
(Link needs checking by other Wikipedians! For this particular European reader using locked-down non-JavaScript Firefox on 2021-11-30 this link unhelpfully shows: "Access Denied. You are not authorized to access this page")
or from NIST at
https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt

See also

* Host protected area (HPA)
* Master Boot Record (MBR)
* GUID Partition Table (GPT)

References

{{DEFAULTSORT:Device Configuration Overlay
AT Attachment
Computer forensics