I wish I had been able to answer this straight away but I had to get an
"ok" about the open classification of the information and it took some
time...
First of all, there is a freeware tool coded by me that can set &
discover & remove DCO:
http://vidstrom.net/stools/taft/
We have been using it for our research for a few months now but I
haven't published it until now.
Second, we have made some tests with DCO and a few common imaging and
wiping tools. It seems like most tools are *not* capable of handling DCO
at all.
For example we have found that even using the DOS boot floppy of EnCase
Forensic Edition 4.18a, the part of a disk hidden with DCO will not get
acquired.
Another really bad thing is that disk wipe tools do not wipe a disk with
a DCO set on it. For example, the very common tool ExpertEraser 2.0 from
IBAS can be tricked into wiping as little of a disk as wished by setting
a DCO on the disk before the wipe.
I have written a report (which was finished already in January this
year) on this and other issues related to ATA and Computer Forensics but
it has taken time to get it through all the formalities with
classification and such, so it will probably take another couple of
weeks before I can publish it.
Regards /Arne Vidström
Researcher, IT Security
Swedish Defence Research Agency
Nick Puetz wrote:
>
> Does anyone know of any good tools or methods for discovering if an ATA hard drive has a device configuration overlay (DCO) area? I know of tools that are available to detect a host protected area (HPA) such as dmesg, hdparm, and diskstat. But to my knowledge, these do not work with DCOs. Thanks.
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>