Forensics: DCO

What is the DCO?

The DCO is the Device Configuration Overlay, which can prevent the whole of the hard drive from being seen. For example, a 120 GB hard drive can be forced to show as a 100 GB hard drive. This allows manufacturers to sell physically identical hard drives at different advertised capacities.

The DCO operates at a very low level, and software forensics tools cannot see past it (at the moment), i.e. they cannot image the area protected by the DCO. However, certain cloners like the ICS Solo3 can.

A detailed article on the DCO is available here.
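
An added example, not part of the original post: before imaging, an examiner can check whether a DCO is reducing the reported size by comparing the sector count the drive reports with its factory count. The Python below parses text as printed by `hdparm -N` and `hdparm --dco-identify`; the sample output is constructed for the 120 GB/100 GB case above, and the function names and 512-byte sectors are assumptions.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Constructed sample text (not captured from a real drive): a 120 GB disk
# limited to 100 GB by a DCO, with no HPA set.
SAMPLE_HDPARM_N = """/dev/sdX:
 max sectors   = 195312500/195312500, HPA is disabled
"""
SAMPLE_DCO_IDENTIFY = """/dev/sdX:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
\tReal max sectors: 234375000
"""


def parse_hdparm_n(text):
    """Return (visible, native_max) sector counts from `hdparm -N` text."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if m is None:
        raise ValueError("no 'max sectors' line found")
    return int(m.group(1)), int(m.group(2))


def parse_dco_real_max(text):
    """Return the factory sector count from `hdparm --dco-identify` text,
    or None when the drive did not answer (no DCO support, or DCO frozen)."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def hidden_areas(hdparm_n_text, dco_identify_text):
    """Work out how many sectors an HPA and a DCO each keep out of view."""
    visible, native = parse_hdparm_n(hdparm_n_text)
    real = parse_dco_real_max(dco_identify_text)
    hpa = native - visible
    dco = None if real is None else real - native
    return {
        "visible_bytes": visible * SECTOR_BYTES,
        "hpa_sectors": hpa,
        "dco_sectors": dco,  # None means "could not be determined"
        "dco_bytes": None if dco is None else dco * SECTOR_BYTES,
    }


if __name__ == "__main__":
    print(hidden_areas(SAMPLE_HDPARM_N, SAMPLE_DCO_IDENTIFY))
```

A non-zero `dco_sectors` value means the acquired image will be smaller than the physical media, which is worth recording in the case notes along with the raw command output.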


5 Responses to “Forensics: DCO”

  1. Nitin Kushwaha Says:

    Hello,

    Do DCOs and HPAs exist on solid-state devices, like USB flash drives, and can a DCO work in reverse order?

    I mean, instead of hiding/decreasing the drive size, can one increase the size from, say, 512 megs/2 gig to 32 gigs?

    Not technically, but to show up in Windows and Linux as 32 GB; however, it won't work.

    The reason I have asked this is, I purchased a 32 GB flash drive here in India of “Kingston” brand, and it is 32 GB. Now the problem is it doesn't work if I try to copy any data more than 400-490 MB of data; however, the Windows family and RHEL OS report the size as 32 GB.

    This USB flash drive seems to be originating from China.

    Here is some o/p from my Linux machine:-
    [root@ech0 ~]# lsusb
    Bus 001 Device 012: ID 058f:6387 Alcor Micro Corp. Transcend JetFlash Flash Drive
    Bus 001 Device 001: ID 0000:0000
    Bus 002 Device 001: ID 0000:0000
    Bus 003 Device 001: ID 0000:0000
    Bus 004 Device 001: ID 0000:0000
    Bus 005 Device 001: ID 0000:0000

    T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 13 Spd=480 MxCh= 0
    D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
    P: Vendor=058f ProdID=6387 Rev= 1.07
    S: Manufacturer=Generic
    S: Product=USB Mass Storage
    S: SerialNumber=71792843
    C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=100mA
    I: If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
    E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

    http://www.linux-usb.org/usb.ids

    Can you please provide some insight!

    Thanks

  2. Forensics: Maintaining a balance in Computer Forensics « Data – Where is it? Says:

    […] DCO, and hash values are things that are often subjects of great debate in the forensics industry and at […]

  3. Forensics: ImageMASSter Solo-3 Forensic Cloner « Data – Where is it? Says:

    […] the Solo-3 does not have removable media for storing logs. However it can image the DCO and HPA areas of the hard (according to the […]

  4. Forensics: How can you image the DCO? « Data – Where is it? Says:

    […] How can you image the DCO? Posted on July 26, 2009 by 585 The DCO, Device Configuration Overlay, poses problems for some in computer forensics industry. For most its […]

  5. Forensics: Imaging Tools « Data – Where is it? Says:

    […] of the tools failed to image the DCO, device configuration overlay, as would be […]

