What is the DCO?
The DCO is the Device Configuration Overlay, which can prevent the whole of the hard drive from being seen. For example, an 120 GB hard drive can be forced to show as a 100 GB hard drive. This allows manufactures to sell that same size hard drives, at different sizes.
The DCO works at a very low level operation, and software forensics tools cannot see past this (at the moment), i.e they cannot image the area protected by the DCO. However, certain cloners like the ICS Solo3 can.
A detailed article on the DCO is available here.
June 1, 2009 at 12:26 am
Hello,
Does DCO and HPA’s exists on Solid-state devices, like USB flash drives, and can DCO work in reverse order,
I mean, instead of Hiding /decreasing the drive size, can one Increase the size from say 512megs/2gig to 32 gigs.
Not technically but to show up in windows and linux as 32 gb, however it wont work,
The reason I have asked this is, I purchased a 32gb Flash drive here in India of “Kingston” Brand, and it is 32 gb, now the problem is it doesnt work if i try to copy any data more than 400-490 Mb of data, however the Windows family and RHEL OS reports the size as 32 GB,
This USB flash drive seems to be originating from china,
here is a some o/p from my linux machine:-
[root@ech0 ~]# lsusb
Bus 001 Device 012: ID 058f:6387 Alcor Micro Corp. Transcend JetFlash Flash Drive
Bus 001 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 005 Device 001: ID 0000:0000
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 13 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=058f ProdID=6387 Rev= 1.07
S: Manufacturer=Generic
S: Product=USB Mass Storage
S: SerialNumber=71792843
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
http://www.linux-usb.org/usb.ids
Can you please provide some insight!
Thanks
June 10, 2009 at 1:52 pm
[...] DCO, and hash values are things that often subjects of great debate in the forensics industry and at [...]
July 26, 2009 at 10:55 am
[...] the Solo-3 does not haveĀ removebale media for storing logs. However it can image the DCO and HPA areas of the hard (according to the [...]
July 26, 2009 at 12:43 pm
[...] How can you image the DCO? Posted on July 26, 2009 by 585 The DCO, Device Configuation Overlay, poses problems for some in computer forensics industry. For most its [...]
August 14, 2009 at 7:51 am
[...] of the tools failed to image the DCO, device configuration overlay, as would be [...]