Hello,
Device Configuration Overlays (DCO) is a not so well known optional
feature set in the ATA-6 standard and forwards. It is supported by a lot
of, but not all, modern disks. Using DCO it is possible to tell a disk
that it should appear smaller than it really is, thus hiding an
arbitrarily large part of the disk from the operating system.
We have made some tests with DCO and a few common imaging and wiping
tools. It seems that most tools are *not* capable of handling DCO at all.
For example we have found that even using the DOS boot floppy of EnCase
Forensic Edition 4.18a, the part of a disk hidden with DCO will not get
aquired.
Another really bad thing is that disk wipe tools do not wipe a disk with
a DCO set on it. For example, the very common tool ExpertEraser 2.0 from
IBAS can be tricked into wiping as little of a disk as wished by setting
a DCO on the disk before the wipe.
I would like to emphasize that these are only examples of tools that
cannot handle DCO, so simply switching to another manufacturers tool
will *not* solve the problem. Because the issue affects so many tools we
have chosen not to try to contact all manufacturers before releasing
this information.
There is a freeware tool coded by me that can set & discover & remove DCO:
http://vidstrom.net/stools/taft/
We have been using it for our research for a few months now but I
haven't published it until now.
Also, I have written a report (which was finished already in January
this year) on this and other issues related to ATA and Computer
Forensics but it has taken time to get it through all the formalities
with classification and such, so it will probably take another couple of
weeks before I can publish it.
Regards /Arne Vidström
Researcher, IT Security
Swedish Defence Research Agency
http://www.foi.se
