DCO and HPA
From Forensics Wiki
Revision as of 16:28, 25 February 2013 by Joachim Metz
Device Configuration Overlay (DCO) and Host Protected Area (HPA).
    # hdparm -N /dev/sda

    /dev/sda:
     max sectors   = 1465149168/1465149168, HPA is disabled

    /dev/sdc:
     max sectors   = 586070255/586072368, HPA is enabled

    # hdparm --dco-identify /dev/sda

    /dev/sda:
    DCO Revision: 0x0001
    The following features can be selectively disabled via DCO:
        Transfer modes:
            mdma0 mdma1 mdma2
            udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
        Real max sectors: 1465149168
        ATA command/feature sets:
            SMART self_test error_log security HPA 48_bit
            (?): selective_test conveyance_test write_read_verify
            (?): WRITE_UNC_EXT
        SATA command/feature sets:
            (?): NCQ SSP
    # hdparm -N p586072368 /dev/sdc

(The `p` prefix permanently (!) sets the maximum visible number of sectors; using the native maximum from the example above, 586072368, removes the HPA.)
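As an added example (not part of the original wiki page), the following Python sketch parses the two hdparm outputs shown above and reports how many sectors each device hides behind the HPA and the DCO. The function names are hypothetical, the sample text is the page's own output (DCO output abridged), and the 512-byte sector size is an assumption.

```python
import re

# Sample hdparm output taken from the examples on this page (DCO output abridged).
HPA_SAMPLE = """\
/dev/sda:
 max sectors   = 1465149168/1465149168, HPA is disabled
/dev/sdc:
 max sectors   = 586070255/586072368, HPA is enabled
"""
DCO_SAMPLE = """\
/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
    Real max sectors: 1465149168
"""

DEVICE_HEADER = re.compile(r"^(/dev/\S+):", re.M)

def sections(text):
    """Split hdparm output into (device, body) pairs, one per '/dev/xxx:' header."""
    parts = DEVICE_HEADER.split(text)  # ['', dev1, body1, dev2, body2, ...]
    return list(zip(parts[1::2], parts[2::2]))

def hidden_areas(hpa_text, dco_text="", sector_bytes=512):
    """Return per-device sector counts hidden by the HPA and by the DCO.

    sector_bytes=512 is an assumption; use the drive's logical sector size.
    """
    real_max = {}
    for dev, body in sections(dco_text):
        m = re.search(r"Real max sectors:\s*(\d+)", body)
        if m:
            real_max[dev] = int(m.group(1))
    report = {}
    for dev, body in sections(hpa_text):
        m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", body)
        if not m:
            continue  # no visible/native pair reported for this device
        visible, native = int(m.group(1)), int(m.group(2))
        report[dev] = {
            "hpa_sectors": native - visible,
            "hpa_bytes": (native - visible) * sector_bytes,
            # None means no --dco-identify output was supplied for this device.
            "dco_sectors": real_max[dev] - native if dev in real_max else None,
        }
    return report

if __name__ == "__main__":
    for dev, info in hidden_areas(HPA_SAMPLE, DCO_SAMPLE).items():
        print(dev, info)
```

A non-zero `hpa_sectors` or `dco_sectors` value means an image taken at the visible size does not cover the whole drive.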
- TAFT (The ATA Forensics Tool) claims the ability to look at and change the HPA and DCO settings.
- SAFE-Block claims the ability to temporarily remove the HPA and remove the DCO and later return it to its original state.
- HDD Capacity Restore, a reportedly free utility that removes the DCO (to give you more storage for your hard drive!)
- Tableau TD1 can remove the HPA and DCO.
- Blancco-Pro 4.5 reportedly removes the HPA and DCO to completely obliterate all of that pesky information which might get in the way.
- Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4, Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
- Hidden Disk Areas: HPA and DCO, Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
- REMOVING HOST PROTECTED AREAS (HPA) IN LINUX, Brian Carrier, SleuthKit Informer #20
- Wikipedia article on Device Configuration Overlay
- Wikipedia article on Host Protected Area
- Hiding Data in Hard-Drive’s Service Areas, by Ariel Berkman, February 14, 2013