November 26th, 2008 by ahoogDevice Configuration Overlay is an hidden area on modern hard drives. While the challenges for a forensic analyst are similar between the HPA and DCO, the DCO is a different beast. It allows the configuration of a hard drives (regardless of size) to present the same number of sectors to the BIOS and operating system.
Unlink HPA which is fairly simple to reset, there a very few tested tools which consistently detect and overcome DCO. Recently, a number of acquisition vendors are claiming they detect and thwart DCO however I will continue to research. Ideally NIST would publish a testing and certification paper for DCO acquisition.
For a technical overview of DCO, take a look at the International Journal of Digital Evidence article entitled “Hidden Disk Areas: HPA and DCO”.
