Forensics: How can you image the DCO?

The DCO, Device Configuation Overlay, poses problems for some in computer forensics industry. For most its not relevant, as they are not concerned with this probability of this occuring, e.g .those in electronic discovery.

But, for those who are concered about the DCO it poses a problem. EnCase, FTK, or Linen, cannot image sectors hidden by the DCO.  No, purely software based imaging tool (currently available) can.

So, how can you image the DCO?

The best method to access the DCO simply and without specialist knowledge of hard drives, is using a cloner. The Logicube Talon or Quest, as well as the ICS Solo3 are all capable of accessing the HPA and DCO, automatically.

Advertisements

2 Responses to “Forensics: How can you image the DCO?”

  1. Forensics: Imaging the HPA « Data – Where is it? Says:

    […] during BIOS and therefore has value for a variety of reasons.  This is not the same as the DCO which is hardware locked and is not accessed via a computer during normal […]

  2. Forensics: Tableau Cloner « Data – Where is it? Says:

    […] can handle S-ATA or IDE,  and can clone or produce an image file and it can deal with HPA or DCO on hard drives, and has a transfer rate of up to 6 GB/minute. Its basics operation its comparable to […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: