Presentation transcript: "Computer & Network Forensics"
191.580.203 Computer & Network Forensics, Xinwen Fu
Chapter 7: Working with Windows and DOS Systems
Slide 2: Outline
- Understanding the boot sequence
- Understanding disk drives
- Understanding partitioning and formatting
Slide 3: Understanding the Boot Sequence
- Avoid data contamination or modification
- Make sure the computer boots from a floppy disk
- Keys used to enter the setup screen, depending on the machine: Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12
Slide 4: Understanding the Boot Sequence (Cont.)
Who provides this setup screen for you?
Slide 5: BIOS - Basic Input/Output System
- A piece of firmware ("software on a chip")
- Supports the following devices and features of your system:
  - Select and configure hard drives, floppy drives, and CD-ROM drives
  - Configure main and cache memory
  - Support different CPU types, speeds, and special features
  - Support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play)
  - Many others
- Configuration of built-in ports, such as IDE hard disk, floppy disk, serial, parallel, PS/2 mouse, and USB
- Selection and configuration of special motherboard features, such as memory error correction, antivirus protection, and fast memory access
Slide 7: Two Components Supporting BIOS
- CMOS chip, also known as the RTC/NVRAM (Real-Time Clock/Non-Volatile RAM)
  - Stores the settings
  - Contains the system's Real-Time Clock circuit
- Battery
  - Powers the CMOS chip to keep its settings
Slide 8: Outline
- Understanding the boot sequence
- Understanding disk drives
- Understanding partitioning and formatting
Slide 9: Floppy Disks
- Yes, these still exist!
- Sizes: 5.25" and 3.5"
- Originally single-sided, then became double-sided
Slide 10: Side View of Floppy in Disk Drive
(Figure: a single-sided disk in a disk drive, with side 0 on the bottom.)
Original floppies were single-sided, formatted only on one side, the bottom. They could store 160K of data. The sides of the disk are numbered starting with the number zero. On a floppy, side 0 is on the bottom; this is the standard configuration so that a floppy disk could be used in drives from different manufacturers.
Slide 11: FD Densities & Capacity

  Disk Size   Density   Sectors/Track   Capacity
  5.25"       Low       9               360K
  5.25"       High      15              1200K
  3.5"                                  720K
  3.5"        High      18              1,440K
Slide 12: Hard Disk Structure
- Hard disk drives are organized as a concentric stack of disks or "platters"
- Each platter has 2 surfaces
- How does a hard disk work?
  - The platters rotate on the spindle
  - The heads move along the radius of the platters
  - This allows the heads to access all parts of the surfaces
Slide 13: Disassembling a Hard Drive
(Figure: exploded view of a hard drive; one label reads "PCB (parallel component bus)".)
This exploded view shows the various components inside a typical hard drive.
- A hard drive may have more than one platter
- The drive may have more than 2 sides (heads)
- All the read/write heads move together
- Sides (heads) start numbering at zero (0)
Slide 15: HD Head
- Each platter has a planar magnetic surface on which digital data may be stored
- Information is written to the disk by transmitting an electromagnetic flux through the read/write head (an antenna) that is very close to the magnetic material
Slide 16: HD Head Clearance
- The distance between the read/write head and the surface of the hard drive (head fly/floating height) is so small that a strand of human hair will not pass between them.
- Hard drive rotation speed depends on the specific model. Typical speeds are 5,400 RPM, 7,200 RPM, and 10,000 RPM.
- Hard drives were originally coated with ferrous oxide (rust), similar to the coating on audio tapes. Modern drives use some form of "thin film magnetic media", which allows closer placement of the read/write heads and more data to be written to the disk (higher areal density).
Slide 17: How Data is Organized on HD - Tracks
- The data is stored on concentric circles on the surfaces known as tracks
- Numbering starts with 0 at the outermost cylinder
Slide 18: How Data is Organized on HD - Sectors/Blocks
- A sector is a continuous linear stream of magnetized bits occupying a curved section of a track
- Sectors are the smallest physical storage units on a disk
  - Each sector stores 512 bytes of data
- Numbering of physical sectors within a track starts with 1
(Figure: track 0 with sector 1 and sector 2 marked.)
Slide 19: How Data is Organized on HD - Cylinders
(Figure: head stack assembly with heads 0 to 5; a track and a sector are marked.)
- Corresponding tracks on all platter surfaces make up a cylinder
- On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder
The same organizational structure of sectors, tracks, cylinders and heads that exists on floppy disks also exists on a hard disk. A hard disk will have multiple platters and thus more heads or sides, which together comprise a cylinder. Track 0 on sides 0, 1, 2, 3, 4, and 5 together make up cylinder 0 since they are vertically aligned. The slide displays a simplified representation of the hard disk structure, but things are considerably more complicated than this.
Slide 20: Cluster (Blocks)
- 1 or more contiguous sectors
- The smallest piece of storage that an OS can allocate to data
- The number of bytes in a cluster varies according to the size of the drive and the version of the OS
  - 65,536-sector limit in DOS FAT16 (2^16)
  - Using clusters allows for grouping multiple sectors
- The total number of sectors per cluster is always a power of 2
- Called blocks in the UNIX world, and allocation units as well
- Information on bytes/sector and sectors/cluster is stored in the MBR.
Slide 21: FAT16/FAT12 Number of Sectors/Cluster
- Low density 5.25 inch floppy diskette: 2 sectors
- High density 5.25 inch floppy diskette: 2 sectors
- Low density 3.5 inch floppy diskette: 2 sectors
- High density 3.5 inch floppy diskette: 1 sector
- Zero - 15MB logical hard drive partition: 8 sectors
- 16MB - 127MB logical hard drive partition: 4 sectors
- 128MB - 255MB logical hard drive partition: 8 sectors
- 256MB - 512MB logical hard drive partition: 16 sectors
- 512MB - MB logical hard drive partition: 32 sectors
- 1024MB - MB logical hard drive partition: 64 sectors
- 2048MB - MB logical hard drive partition: sectors
Slide 22: What is this disk?
(Exercise: identify the disk from its properties using the density/capacity table on slide 11.)
If you cannot see Properties, click View -> Properties.
Slide 23: Hard Disk Addressing
- Older BIOSes in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes).
- Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.
Slide 24: C H S
- Each storage unit on a disk can be identified by a 3-coordinate system identifying the
  - Cylinder
  - Head/Side
  - Sector
- One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes:
  - E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB
- IDE (Integrated Disk Electronics); Extended IDE (EIDE).
Slide 25: Hard Disk Addressing (Cont.)
- Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk (IDE disk)
- The BIOS will read the disk's cylinders, heads, and sectors through this interface and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.
Slide 26: Exception: LBA - Logical Block Addressing
- By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in the LBA capacity
- As such, the BIOS must know to use the LBA capacity
  - The total number of accessible sectors
  - E.g. a disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
Slide 27: File Slack
- The area between the end of the file and the end of the last cluster allocated for that file
Slide 29: NTFS Clusters and Cluster Sizes

  Partition Size Range (GiB)   Default Sectors Per Cluster   Default Cluster Size (kiB)
  <= 0.5                       1                             0.5
  > 0.5 to 1.0                 2                             1
  > 1.0 to 2.0                 4                             2
  > 2.0 to 4.0                 8                             4
  > 4.0 to 8.0                 16                            8
  > 8.0 to 16.0                32                            16
  > 16.0 to 32.0               64                            32
  > 32.0                       128                           64
Slide 30: A Computer
(Figure showing test.csv.)
Two questions:
- What is the cluster size of the partition?
- What is the partition size range?
Slide 31: Summary of Hard Disk
- Data on a HD are stored on tracks
- Corresponding tracks on all surfaces make up a cylinder
- Data is stored in sectors and usually read in blocks or clusters
- A storage unit can be identified by CHS
- LBA is used for drives in excess of 7.8 GB
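An added example, not part of the original deck, that carries this section's geometry arithmetic in code: CHS-to-LBA conversion in both directions with the slides' numbering (cylinders and heads from 0, sectors from 1), capacity from a CHS geometry, and the file slack left in a file's last cluster. The worked values are the ones the slides quote (the approx. 6GB CHS example, the 7.8GB LBA fallback geometry, the 80GB LBA capacity, DiskEdit's Cyl 80, Side 0, Sector 1); the 16-head, 63-sectors-per-track geometry behind that last address, and the 80-track floppy geometry, are assumptions.

```python
def chs_to_lba(cyl, head, sec, heads, spt):
    """CHS -> zero-based LBA for a disk with `heads` heads and `spt` sectors per track.
    Cylinders and heads are numbered from 0, sectors within a track from 1 (as the slides state)."""
    if not (0 <= head < heads and 1 <= sec <= spt):
        raise ValueError("head or sector outside this geometry")
    return (cyl * heads + head) * spt + (sec - 1)


def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba: which cylinder, head and 1-based sector holds this LBA."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def chs_capacity(cyls, heads, spt, bytes_per_sector=512):
    """Capacity in bytes from the geometry: cylinders * heads * sectors * 512 (the slides' method)."""
    return cyls * heads * spt * bytes_per_sector


def file_slack(file_size, sectors_per_cluster, bytes_per_sector=512):
    """Clusters allocated to a file and the file-slack bytes between its end and the end of
    its last cluster. Uses ceiling division; a zero-length file gets no cluster and no slack."""
    cluster = sectors_per_cluster * bytes_per_sector
    clusters = -(-file_size // cluster)
    return clusters, clusters * cluster - file_size


if __name__ == "__main__":
    GiB = 1024 ** 3
    print(chs_capacity(12_495, 16, 63) / GiB)   # slide 24: approx. 6GB
    print(chs_capacity(16_383, 16, 63) / GiB)   # slide 26: LBA fallback geometry, 7.8GB
    print(156_301_488 * 512 / 1e9)              # slide 26: LBA capacity, 80GB
    print(chs_capacity(80, 2, 18))              # 3.5" HD floppy (80 tracks/side assumed): 1,474,560 = 1,440K
    print(lba_to_chs(80_640, 16, 63))           # slide 47: Cyl 80, Side/Head 0, Sector 1
    print(file_slack(10_000, 8))                # 4 KiB clusters: 3 clusters, 2,288 bytes of slack
```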
Slide 32: Outline
- Understanding the boot sequence
- Understanding disk drives
- Understanding partitioning and formatting
Slide 33: Key things
- The function of the FDISK program
- Primary partition, extended partition, active partition, and logical drive
- How logical partitions can be hidden
- The necessity of understanding the suspect's partitioning scheme
Slide 34: Initializing a Hard Drive
- This represents all the available surface area on a hard drive that can be used for storage
- The first thing to do is magnetically create a system of unique storage areas
Think of a new hard drive as a large piece of blank paper. Rather than just put information all over the paper at random, we want to develop a logical system to manage the information.
Continuing advances in hard disk drive technology have resulted in lower-cost drives with very high capacities. The trouble with some of these drives is that they may not be recognized, in their full capacity, by earlier versions of DOS or some of the system BIOSes in existence. Generally speaking, Intel 486-based machines may not recognize drives larger than 504MB, because of BIOS limitations at that time. The next generation of BIOS supported drives up to 2.1GB, then 8.4 GB. The next drive limit is 136GB, imposed by the ATA drive interface. The FAT32 file system, supported by Windows versions starting with 95B, can support drives up to two terabytes (2TB).
Slide 35: Low-level (Factory) Format
- Step 1: Use a low-level format program to create a magnetic structure of sectors
(Figure: one 512-byte sector.)
The first step in initializing a drive is a low-level format. Drives are normally low-level formatted at the factory and cannot be low-level formatted by the local dealer or the consumer without special software. Older model drives (MFM, ST-506, etc.) could be low-level formatted by the local dealer or a knowledgeable user. Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller. The most commonly used low-level format creates sectors that contain 512 bytes of data storage area.
Slide 36: Results of Low-level Format
- The sectors are organized by tracks (all the sectors on one track)
The low-level formatting process works cylinder by cylinder. This minimizes the amount of head movement required during the format process.
Slide 37: Initializing a Hard Drive with FDisk
- Step 2: FDISK writes partition information in the Master Boot Record at Cylinder 0, Head 0, Sector 1
- The remainder of that track is "Reserved"
- Master Boot Record
  - Master Boot Code
  - Master Partition Table
Using FDISK, we first create a primary partition which contains logical drive C. This partitioning information is stored in the Master Partition Table in the Master Boot Record (MBR), located at cylinder 0, head 0, sector 1. Any primary or extended partition will be defined here. The entire remainder of that track is reserved by DOS; normally, no other information is written there.
Data may only be written to this reserved space by using a disk editor program that will access the space. Some software packages, such as disk encryption or password protection software, may also read and write to the reserved area for special purposes, but these applications were specifically designed to bypass the operating system. To date, DOS has not utilized that space.
Master Boot Code: this is a very small program that transfers control to whatever boot program is in the active (i.e. startable) partition. In many systems this would be the OS/2 Boot Manager.
Slide 38: Master Partition Table
- Maximum of 4 entries
- Valid entries contain essential information about the partition
  - Partition type/code
  - Active (yes or no)
  - Partition start and end information
- Unused entries are blank
A partition table is 64 bytes long. An entry in the partition table is 16 bytes long. There is room for 4 entries in a partition table, but not all entries have to be used. Normally, if an entry is not being used, that entry will contain all 0's. In order for the BIOS or an operating system to recognize a partition, its entry must contain recognizable, valid information.
The term "active partition" refers to the primary partition that is designated as such in the Master Partition Table. During the boot process, the partition table is examined to identify the active primary partition, and code redirects the boot process to the first sector of that partition. To actually be used to boot the system, that partition must also contain the necessary system files. There can only be one active partition, and only a primary partition may be marked active.
Slide 39: Types of Entries in Master Partition Table
- Primary Partition(s): up to 4 allowed
  - Contains one logical drive
  - Only one may be marked as "Active"
- Extended Partition: only 1 allowed
  - Contains one or more logical drives
  - Each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries)
- Partition ≠ logical drive
- Total number of entries may not exceed four!
Slide 40: Partition Type Codes
- File systems are assigned characteristic type codes that are listed in partition table entries
- DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported
- DOS/Windows systems will not assign a drive letter to partition types not supported
- Other operating systems, such as Linux, Macintosh, and Unix, do not use drive letters to designate logical or physical drives.
Slide 41: Common Partition Type Codes
[link] has a rather comprehensive list of partition types and links to other sources of information.

  Type   FAT      Size             DOS
                  Mb               2.0
                  Mb               3.0
  05     (Ext)    Gb               3.3
                  Mb - 2 Gb        4.0
  0B              Mb - 2 Tb        OSR2
  0C     32x      512 Mb - 2 Tb    OSR2
  0E     16x      32 Mb - 2 Gb     W95
  0F     (Extx)   0 - 2 Tb         W95
Slide 42: Single Primary Partition
(Figure: the MBR followed by the reserved remainder of track 0.)
Using FDISK, we first create a primary partition. This partitioning information is stored in the Master Partition Table in the Master Boot Record (MBR), located at cylinder 0, head 0, sector 1. Any primary or extended partition will be defined here.
Slide 43: Single Primary Partition (Cont.)
- Hard drive with one active primary partition (single logical drive)
(Figure: hub and a single logical drive.)
Many disk drives are partitioned in this basic manner: one active primary DOS partition is created, using the entire drive. Many newer systems, with large hard drives, use multiple partitions.
Slide 44: Single Primary Partition (Cont.)
- Master Partition Table - DiskEdit view
- "Yes" indicates "Active"
Cyl 0, Side/Head 0, Sector 1: the object is the "Partition Table" (master boot record) as viewed with DiskEdit.
Slide 45: One Primary with Extended Partition
(Figure: MBR, reserved area, primary partition, then an extended partition with its own partition table.)
In this case, a smaller primary partition is made, using only a portion of the hard drive. FDISK may then be used to set up an extended partition with the remaining sectors. Within that partition, one or more logical drives may be defined. This example shows the entire extended partition being used for one logical drive. When the system reboots, DOS recognizes the existence of two logical drives (the primary partition, and the single logical drive defined in the extended partition) and assigns drive letters to each. We now have two partitions on our physical drive: a primary partition and an extended partition containing the second logical drive.
Slide 46: Each partition table points to the next
(Figure: MBR, reserved area, and a chain of partition tables.)
- The Master Partition Table (found in the Master Boot Record) will define any primary or extended partition on the drive.
- Within an extended partition, each logical drive will have its own partition table. Each table will
  - Define the limits of the logical volume it precedes
  - Point to the location of the next partition table
- In this way a partition table may be described as being "linked": one table points to another.
- Once all the desired partitions are set up, the system must be rebooted (from floppy) so that the partitioning information is read and the logical drive letters are assigned.
Slide 47: One Primary & One Extended
- Master Partition Table - DiskEdit view
- Primary Partition Entry
Cyl 0, Side/Head 0, Sector 1: the object is the "Partition Table" (master boot record) as viewed with DiskEdit. The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive. The partition table located at Cyl 80, Side/Head 0, Sector 1 defines a logical drive and also points to the next partition table location.
Slide 48: One Primary & One Extended
- Extended Partition Table - DiskEdit view
- Extended Partition Entry
The Extended Partition entry in the master boot record (Cyl 0, Side/Head 0, Sector 1, as viewed with DiskEdit) points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive. That partition table defines a logical drive and also points to the next partition table location.
Slide 49: Partitions and More Than One Logical Drive
- An extended partition may contain more than one logical partition
- Graphical depiction of the partitioning: a primary partition and an extended partition with three logical drives (primary, extended and logical partitions: c:, d:, e:, f:)
(Figure: an extended partition containing three logical DOS volumes.)
Slide 50: Why Care about Partitioning?
Important point: when examining a suspect's hard drive, why is it necessary to know how it's partitioned?
Reasons to examine the partition tables:
- To look for multiple operating systems
- To look for hidden partitions
- To make sure all space on the drive is accounted for
Slide 51: Partitioning
Reasons to examine the partition tables:
- To make sure all space on the drive is accounted for
- To look for multiple operating systems
- To look for hidden partitions
Slide 52: Hidden Partitions
(Figure: view of a hidden partition using the PART utility.)
- Partitions can be hidden.
- DOS/Windows partitions can be "hidden" by changing the partition-type code
Using a program like DiskEdit, a suspect could change the partition table pointers and hide vast amounts of data. To access the data, he would simply reset the pointers back to the original settings. While this method is technically difficult, software such as Partition Magic, GDISK and PART makes hiding partitions simple. The user simply has to issue a command and the utility does the work by employing a different method: these utilities change the code in the partition table which identifies the partition type to a value which is not recognized by DOS, and thus the partition doesn't receive a drive letter assignment.
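An added example, not part of the original deck, that applies slide 38's layout of the 64-byte master partition table and the three examination checks from slides 50 to 52: it parses a constructed MBR, decodes each entry's active flag, type code and CHS/LBA fields, flags type codes that DOS would not assign a drive letter to, and reports sectors that no entry accounts for. The 200-cylinder, 16-head, 63-sector geometry, the MBR contents, and the use of 0x1B (the code fdisk lists as hidden FAT32) for the hidden entry are assumptions made for the example.

```python
import struct

# Type codes DOS/Windows assigns a drive letter to: the deck's 05/0B/0C/0E/0F plus the
# well-known 01/04/06. Any other code gets no letter, which is how PART/GDISK "hide" a partition.
DOS_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
             0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)"}
PT_OFFSET, ENTRY_LEN, SIGNATURE = 446, 16, b"\x55\xAA"

def pack_chs(cyl, head, sec):
    """Pack CHS into the 3-byte entry field: head; sector (6 bits) with cylinder bits 8-9; cylinder low byte."""
    return bytes([head, (sec & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])

def unpack_chs(field):
    """Inverse of pack_chs, returning (cylinder, head, sector)."""
    return ((field[1] & 0xC0) << 2) | field[2], field[0], field[1] & 0x3F

def make_entry(active, ptype, start_chs, end_chs, lba_start, lba_count):
    """Build one 16-byte entry: status, start CHS, type, end CHS, LBA start, sector count."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, pack_chs(*start_chs),
                       ptype, pack_chs(*end_chs), lba_start, lba_count)

def parse_mbr(sector):
    """Return the used entries of the master partition table; unused entries are all zeros."""
    if len(sector) != 512 or sector[510:] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 55 AA signature")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + ENTRY_LEN * i: PT_OFFSET + ENTRY_LEN * (i + 1)]
        if raw == bytes(ENTRY_LEN):
            continue
        status, s_chs, ptype, e_chs, lba_start, lba_count = struct.unpack("<B3sB3sII", raw)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "start_chs": unpack_chs(s_chs), "end_chs": unpack_chs(e_chs),
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries

def audit(entries, total_sectors, sectors_per_track=63):
    """The deck's reasons to read the table: active entries, unrecognised (hidden) types, and
    space no entry accounts for. Track 0 (MBR plus the DOS-reserved sectors) is excluded."""
    active = [e["index"] for e in entries if e["active"]]
    hidden = [e["index"] for e in entries if e["type"] not in DOS_TYPES]
    described = sum(e["lba_count"] for e in entries)
    return {"active": active, "hidden_or_unknown": hidden,
            "unaccounted_sectors": total_sectors - sectors_per_track - described}

# Constructed disk: 200 cylinders x 16 heads x 63 sectors (1008 sectors per cylinder).
SPC = 16 * 63
TOTAL_SECTORS = 200 * SPC
SAMPLE_MBR = bytes(PT_OFFSET) + (
    make_entry(True, 0x0B, (0, 1, 1), (79, 15, 63), 63, 80 * SPC - 63)          # C:, cylinders 0-79
    + make_entry(False, 0x0F, (80, 0, 1), (119, 15, 63), 80 * SPC, 40 * SPC)    # extended, cylinders 80-119
    + make_entry(False, 0x1B, (120, 0, 1), (159, 15, 63), 120 * SPC, 40 * SPC)  # hidden FAT32, cylinders 120-159
    + bytes(ENTRY_LEN)) + SIGNATURE                                              # fourth entry unused

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
    print(audit(parse_mbr(SAMPLE_MBR), TOTAL_SECTORS))  # cylinders 160-199 are unaccounted for
```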
Slide 54: Partition Table Doctor
Link:
- The only limitation is that the DEMO version cannot write to disk.
- Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
- Displays complete physical and logical drive information.
- Fix the boot sector of FAT and NTFS partitions.
- Preview boot files and boot directories of each partition before recovery.
- Backup MBR (Master Boot Record), partition table, boot sectors.
- Restore MBR, partition table and boot sectors from a backup file if they are damaged.
- Support IDE / ATA / SATA / SCSI drives.