ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
DCO and HPA
Device Configuration Overlay (DCO) and Host Protected Area (HPA).
# hdparm -N /dev/sda
/dev/sda: max sectors = 1465149168/1465149168, HPA is disabled
/dev/sdc: max sectors = 586070255/586072368, HPA is enabled
# hdparm --dco-identify /dev/sda
/dev/sda: DCO Revision: 0x0001 The following features can be selectively disabled via DCO: Transfer modes: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 udma6(?) Real max sectors: 1465149168 ATA command/feature sets: SMART self_test error_log security HPA 48_bit (?): selective_test conveyance_test write_read_verify (?): WRITE_UNC_EXT SATA command/feature sets: (?): NCQ SSP
# hdparm -N p586072368 /dev/sdc
(permanently (!) set max visible number of sectors, see example above)
- TAFT (The ATA Forensics Tool) claims the ability to look at and change the HPA and DCO settings.
- SAFE-Block, claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
- HDD Capacity Restore, a reportedly Free utility that removed the DCO (to give you more storage for your hard drive!)
- Tableau TD1 can remove the HPA and DCO.
- Blancco-Pro 4.5 reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
- Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4, Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
- Hidden Disk Areas: HPA and DCO, Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
- REMOVING HOST PROTECTED AREAS (HPA) IN LINUX, Brian Carrier, SleuthKit Informer #20
- Wikipedia article on Device Configuration Overlay
- Wikipedia article on Host Proteced Area
- Hiding Data in Hard-Drive’s Service Areas, by Ariel Berkman, February 14, 2013