In January, I wrote about Slack Space on a hard drive/thumb drive/mobile device, and today I am writing about other areas where data is hiding on a hard drive.  I intentionally left Device Configuration Overlay (DCO), Disk Firmware Area (DFA) and Host Protected Area (HPA) out of my January post, because these areas are different than slack space.

The unstructured files that we are accustomed to, like MS Office documents and other files that we see on a data storage device, are stored in the User Addressable Data area.  This is where the Slack Space exists that I wrote about.  A hard drive manufacturer sometimes adds additional areas that can store information and programs of their own.  Some of these areas are manufacturer specific, and others are more common across multiple hard drive manufacturers, but they all require special methods and software to access.

The Disk Firmware Area (DFA) can be added at the start of the User Addressable Data area.  This area is often referred to as the Service Area, and stores components used by the firmware to provide remapping of bad sectors, advanced security, etc.  Typically, firmware is executable code that is stored on the hard drive controller board, and these additional components get loaded into temporary memory on the controller when the computer starts up.  While this area is proprietary to the manufacturer of the hard drive, and requires their own special methods and tools, a virus may have the ability to infect it.

At the end of the User Addressable Data area, you may find a Device Configuration Overlay (DCO).  Like the DFA, this area on the disk is typically hidden, this time by lying to the computer's operating system (OS) and the BIOS on the motherboard.  There is a way to execute two different commands (IDENTIFY_DEVICE and DEVICE_CONFIGURATION_IDENTIFY) and compare the returned values to determine the existence and size of a DCO.  In order to copy/image the entire hard drive, the DCO would need to be removed, which results in disabling the lie and allowing access to the data stored in the DCO area.  Computer systems vendors may switch to a different hard drive model or manufacturer, and start shipping hard drives with different amounts of data storage.  In order to not complicate their computer assembly plant(s), which typically copy the same disk image onto every hard drive, they use the DCO to reduce the usable data storage area of a hard drive.  For example, if they need to ship an 80 GB hard drive, but now are receiving 100 GB hard drives to integrate, then they will use the DCO to hide the extra 20 GB of User Addressable Data area.

Another hidden area, the Host Protected Area (HPA), was created to do the same thing as DCO, but is seen and managed by the computer's BIOS.  This area was created to help hard drive controllers and computer BIOS deal with new larger hard drives that were outpacing the controller boards in supported sizes and sector/cluster organization.  With the computer's BIOS being aware of this hidden area, it could then be used to store things for use by the BIOS.  When you boot a computer, holding down a specific key sequence presents a menu of programs that can be used to diagnose issues and perform configuration changes.  Some computer systems vendors even put a backup copy of the OS in this HPA area.  If the OS in the User Addressable Data area gets corrupted, then the user can reboot and use the BIOS to repair or replace the OS, without any external storage media.  Malicious and illegal data can easily be stored in this area.  The HPA is easy to detect, and its hidden aspect can be temporarily disabled for each read and write of data in this area.
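
The comparison of IDENTIFY_DEVICE and DEVICE_CONFIGURATION_IDENTIFY values described for the DCO above can be sketched as follows; this is an added example, not code from this post or from any imaging product. It assumes the 512-byte responses were already captured with an imaging tool, uses the word offsets from the ATA command set specification, and all function names and sample blocks are constructed for illustration. The optional READ NATIVE MAX ADDRESS value (not mentioned in the post) splits the hidden space into its HPA and DCO parts.

```python
import struct

def _words(block: bytes):
    """Split a 512-byte ATA response into 256 little-endian 16-bit words."""
    if len(block) != 512:
        raise ValueError("expected a 512-byte ATA data block")
    return struct.unpack("<256H", block)

def _u64(w, first):
    """Join four consecutive words (least significant first) into one integer."""
    return sum(w[first + i] << (16 * i) for i in range(4))

def identify_sectors(block: bytes) -> int:
    """User-addressable sector count as reported by IDENTIFY DEVICE."""
    w = _words(block)
    if w[83] & (1 << 10):            # 48-bit Address feature set supported
        return _u64(w, 100)          # words 100-103: 48-bit sector count
    return w[60] | (w[61] << 16)     # words 60-61: 28-bit sector count

def dco_real_sectors(block: bytes) -> int:
    """Factory capacity from DEVICE CONFIGURATION IDENTIFY (words 3-6: maximum LBA)."""
    return _u64(_words(block), 3) + 1  # highest LBA + 1 = sector count

def hidden_report(identify_block, dco_block, native_max_lba=None, sector_bytes=512):
    """Compare both responses; optionally split the gap into HPA and DCO parts."""
    visible, real = identify_sectors(identify_block), dco_real_sectors(dco_block)
    if visible > real:
        raise ValueError("IDENTIFY reports more sectors than the DCO data allows")
    report = {"visible": visible, "real": real,
              "hidden_bytes": (real - visible) * sector_bytes}
    if native_max_lba is not None:   # from READ NATIVE MAX ADDRESS, if captured
        native = native_max_lba + 1
        report["hpa_sectors"] = native - visible
        report["dco_sectors"] = real - native
    return report

def make_block(words: dict) -> bytes:
    """Build a constructed 512-byte response from {word index: value}."""
    w = [0] * 256
    for index, value in words.items():
        w[index] = value
    return struct.pack("<256H", *w)

def split64(value, first):
    """Spread an integer over four 16-bit words starting at index `first`."""
    return {first + i: (value >> (16 * i)) & 0xFFFF for i in range(4)}

# Constructed sample matching the article: a 100 GB drive presented as 80 GB.
SAMPLE_IDENTIFY = make_block({83: (1 << 14) | (1 << 10), **split64(156_250_000, 100)})
SAMPLE_DCO = make_block(split64(195_312_500 - 1, 3))

if __name__ == "__main__":
    print(hidden_report(SAMPLE_IDENTIFY, SAMPLE_DCO, native_max_lba=156_250_000 - 1))
```

A nonzero `hidden_bytes` means an image taken through the normal OS view does not cover the whole drive.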

While our products do not provide disk imaging tools, we want you to have a well rounded understanding of how data is stored on computers and devices.  Mobile devices typically mimic the same disk management methods as computers.  The provided links (on the terms and images) provide advice for tools that you may use to detect and access the hidden areas discussed here.

DCO vs DFA vs HPA vs UAD
