91.580.203 Computer & Network Forensics, Xinwen Fu. Chapter 7: Working with Windows and DOS Systems (presentation transcript)
2 Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting
3 Understanding the Boot Sequence. Avoid data contamination or modification: make sure the computer boots from a forensic boot floppy (or another controlled medium), never from the suspect's hard drive, so that the operating system on that drive is not started and cannot write to it. Keys commonly used to enter the BIOS setup screen, depending on the vendor: Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12
4 Understanding the Boot Sequence (Cont.) Who provides this setup screen for you?
5 BIOS - Basic Input/Output System. A piece of firmware ("software on a chip") that supports the following devices and features of your system: select and configure hard drives, floppy drives, and CD-ROM drives; configure main and cache memory; support different CPU types, speeds, and special features; support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play); many others
6 BIOS on the Motherboard (figure: the BIOS chip and the CMOS battery on the board)
7 Two Components Supporting BIOS. CMOS chip, also known as the RTC/NVRAM (Real-Time Clock/Non-Volatile RAM): stores the settings and contains the system's Real-Time Clock circuit. Battery: powers the CMOS so it keeps its settings (and the clock running) while the machine is off.
8 Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting
9 Floppy Disks. Yes, these still exist! Originally single-sided, then became double-sided.
10 Original floppies were single-sided (figure: side view of a single-sided floppy in disk drive 0, showing side 0 only)
12 Hard Disk Structure. Hard disk drives are organized as a stack of disks, or platters, mounted on a common spindle; each platter has 2 surfaces. How a hard disk works: the platters rotate on the spindle while the heads move along the radius of the platters, which allows each head to reach every part of its surface.
13 Disassembling a Hard Drive
14 HD Elements (figure: a drive with 16 heads and 8 platters)
15 HD Head. Each platter has a planar magnetic surface on which digital data may be stored. Information is written to the disk by driving a magnetic flux through the read-write head (a tiny electromagnet) held very close to the magnetic material; reading senses the magnetization of the material passing under the head.
16 HD Head Clearance
17 How Data is Organized on HD - Tracks. Data is stored on concentric circles on each surface known as tracks. Track numbering starts with 0 at the outermost track (the outermost cylinder).
18 How Data is Organized on HD - Sectors/Blocks. A sector is a continuous linear stream of magnetized bits occupying a curved section of a track. Sectors are the smallest physical storage units on a disk; each sector traditionally stores 512 bytes of data (newer Advanced Format drives use 4,096-byte physical sectors, so verify the sector size of the drive under examination rather than assuming it). Numbering of physical sectors within a track starts with 1 (figure: sector 1 and sector 2 of track 0).
19 How Data is Organized on HD - Cylinders. Corresponding tracks on all platter surfaces make up a cylinder. On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder. (Figure: the head stack assembly with heads 0 to 5, and one cylinder cutting through the tracks and sectors of every surface.)
20 Cluster (Blocks). A cluster is 1 or more contiguous sectors and is the smallest unit of storage that an OS allocates to a file. The number of bytes in a cluster varies according to the size of the drive and the version of the OS: DOS FAT16 uses 16-bit cluster numbers, so a volume can hold at most 65,536 (2^16) clusters, and a larger volume is forced to use larger clusters. Using clusters lets the file system address multiple sectors as one unit; the number of sectors per cluster is always a power of 2.
21 FAT16/FAT12 Number of Sectors/Cluster (cluster size = sectors x 512 bytes):
Low density 5.25 inch floppy diskette (360K) - 2 sectors
High density 5.25 inch floppy diskette (1.2MB) - 1 sector
Low density 3.5 inch floppy diskette (720K) - 2 sectors
High density 3.5 inch floppy diskette (1.44MB) - 1 sector
Zero - 15MB logical hard drive partition (FAT12) - 8 sectors
16MB - 127MB logical hard drive partition - 4 sectors
128MB - 255MB logical hard drive partition - 8 sectors
256MB - 511MB logical hard drive partition - 16 sectors
512MB - 1023MB logical hard drive partition - 32 sectors
1024MB - 2047MB logical hard drive partition - 64 sectors
2048MB - 4095MB logical hard drive partition - 128 sectors (64KB clusters; Windows NT only, not DOS/Windows 9x)
22 What is this disk? Floppy formats by size and density (capacity = 2 sides x tracks x sectors per track x 512 bytes):
Disk Size / Density / Sectors per Track / Capacity
5.25 inch / Low / 9 / 360K
5.25 inch / High / 15 / 1200K
3.5 inch / Low / 9 / 720K
3.5 inch / High / 18 / 1,440K
(If you cannot see Properties, click View -> Properties.)
23 Hard Disk Addressing. Older PC BIOSes used 24-bit CHS addressing (10 bits of cylinder, 8 bits of head, 6 bits of sector), which could only reach about 8.4 GB (1024 x 256 x 63 sectors x 512 bytes). Newer BIOSes and ATA interfaces use LBA with up to 64-bit sector numbers (48 bits in the ATA-6 standard), and 2^64 x 512 bytes equals about 9.4 zettabytes (9.4 tera-gigabytes), over a trillion times as large as an 8.4 GB drive.
24 C H S. Each storage unit on a disk can be identified by a 3-coordinate system: Cylinder, Head/Side, Sector. One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors per track (i.e. CHS) together, and then multiply by the block size of 512 bytes. Eg. 12,495 cylinders * 16 heads * 63 sectors = 12,594,960 sectors; * 512 bytes = 6,448,619,520 bytes, approx. 6 GB
25 Hard Disk Addressing (Cont.) Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface to connect the hard disk (an IDE disk). The BIOS reads the disk's cylinders, heads, and sectors per track through this interface and, depending on the size of the disk and the BIOS settings, uses that CHS geometry (or the LBA sector count) to determine the size of the disk and how it should be addressed.
26 Exception: LBA - Logical Block Addressing. By industry agreement, large IDE disks (with more than 16,514,064 sectors) return c=16383, h=16, s=63, for a total of 16,514,064 sectors (about 7.8 GiB, or 8.4 GB decimal) regardless of their actual size, and give their actual size in the LBA capacity field. The BIOS must therefore know to use the LBA capacity, which is the total number of accessible sectors. Eg. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80,026,361,856 bytes, i.e. 80 GB
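The CHS and LBA arithmetic from the last four slides, worked in Python as an added example (this is not code from the course or from any BIOS; the 512-byte sector, the 1024/256/63 BIOS limit and the 16383/16/63 capped geometry are the figures the slides give). It also covers the floppy capacities from the "What is this disk?" table, since those are the same geometry product with 2 heads.

```python
"""CHS / LBA arithmetic for the BIOS disk-addressing slides (added example)."""

SECTOR_BYTES = 512  # classic sector size assumed by the slides

# Largest geometry the legacy BIOS INT 13h CHS interface can express:
# 10 cylinder bits, 8 head bits, 6 sector bits (sectors numbered from 1).
BIOS_CHS_LIMIT = (1024, 256, 63)
# Geometry a large ATA disk reports once it exceeds what CHS can express;
# the real size must then be taken from its LBA sector count.
ATA_CAPPED_GEOMETRY = (16383, 16, 63)


def chs_capacity(cylinders, heads, spt, sector_bytes=SECTOR_BYTES):
    """Bytes addressable by a cylinders / heads / sectors-per-track geometry."""
    return cylinders * heads * spt * sector_bytes


def chs_to_lba(c, h, s, heads, spt):
    """Zero-based LBA of the sector at (c, h, s); sectors are 1-based within a track."""
    if c < 0 or not 0 <= h < heads or not 1 <= s <= spt:
        raise ValueError(f"CHS ({c},{h},{s}) is not valid for {heads} heads x {spt} spt")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1


def usable_sector_count(reported_geometry, lba_sectors):
    """Decide which capacity figure an examiner should trust.

    A drive reporting the capped 16383/16/63 geometry is saying "bigger than
    CHS can describe"; only its LBA count is meaningful.  For smaller drives
    the two should agree; if LBA is larger, believe LBA and note the
    discrepancy, because the CHS figure would leave sectors unexamined.
    """
    c, h, s = reported_geometry
    chs_sectors = c * h * s
    if reported_geometry == ATA_CAPPED_GEOMETRY or lba_sectors > chs_sectors:
        return lba_sectors, "LBA"
    return chs_sectors, "CHS"


def describe(total_sectors, sector_bytes=SECTOR_BYTES):
    """(decimal GB as vendors quote it, binary GiB as most operating systems show it)."""
    total = total_sectors * sector_bytes
    return round(total / 1e9, 2), round(total / 2**30, 2)


if __name__ == "__main__":
    print("BIOS CHS limit:", describe(chs_capacity(*BIOS_CHS_LIMIT) // SECTOR_BYTES))
    print("ATA capped geometry:", describe(16383 * 16 * 63))
    print("Slide's 6 GB drive:", describe(12495 * 16 * 63))
    print("LBA 156,301,488:", usable_sector_count(ATA_CAPPED_GEOMETRY, 156_301_488))
```

The GB/GiB split in describe() is why the slides call the same 16,514,064-sector boundary both "7.8GB" and "8.4GB": it is 7.87 GiB and 8.46 GB. Record which unit a tool reports before comparing capacities in a report.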
27 File Slack The area between the end of the file and the end of the last cluster allocated for that file
28 File Slack Illustration
29 NTFS Clusters and Cluster Sizes. Table of the default number of sectors per cluster and the default cluster size (kiB) by partition size range (GiB): <= 0.5; > 0.5 to 1.0; > 1.0 to 2.0; > 2.0 to 4.0; > 4.0 to 8.0; > 8.0 to 16.0; > 16.0 to the next boundary; and above that. (The sectors-per-cluster and cluster-size values of each row are not legible in this transcript.)
30 A Computer: test.csv. (Screenshot: the Properties dialog of a file test.csv, showing Size and Size on disk.) Two questions: 1. What is the cluster size of the partition? 2. What is the partition size range?
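An added worked example (not the course's code) tying together the cluster, file-slack and NTFS cluster-size slides and the test.csv exercise. Its assumptions: the NTFS default table it uses is the Windows NT 4.0-era one (1 sector per cluster up to 0.5 GiB, doubling per range, and the ranges above 16 GiB assumed to run to 32 GiB and beyond), since the slide's numeric columns are not legible here; the test.csv figures (1,234 bytes, 4,096 bytes on disk) are constructed.

```python
"""Cluster size, file slack and the test.csv exercise (added example)."""

SECTOR_BYTES = 512
GIB = 1024 ** 3

# Default NTFS sectors per cluster by partition size.  ASSUMPTION: the slide's
# numeric columns are not legible in the transcript; the figures below are the
# Windows NT 4.0-era defaults, doubling per size range, with the ranges above
# 16 GiB assumed to continue to 32 GiB and beyond.  Windows 2000 and later
# default to 8 sectors (4 KiB) for most volumes, so always read the real value
# from the volume's boot sector rather than trusting a table.
NTFS_DEFAULT_SPC = [           # (inclusive upper bound in GiB, sectors per cluster)
    (0.5, 1), (1.0, 2), (2.0, 4), (4.0, 8), (8.0, 16), (16.0, 32), (32.0, 64), (None, 128),
]


def default_sectors_per_cluster(partition_bytes):
    gib = partition_bytes / GIB
    for upper, spc in NTFS_DEFAULT_SPC:
        if upper is None or gib <= upper:
            return spc


def partition_range_for_cluster(cluster_bytes):
    """Inverse lookup: (lower, upper) partition size in GiB that defaults to this cluster size."""
    spc = cluster_bytes // SECTOR_BYTES
    lower = 0.0
    for upper, table_spc in NTFS_DEFAULT_SPC:
        if table_spc == spc:
            return lower, upper
        lower = upper
    raise ValueError(f"{cluster_bytes} bytes is not a default cluster size in the table")


def allocated_bytes(file_size, cluster_bytes):
    """Space the file occupies on disk: whole clusters, rounded up."""
    return -(-file_size // cluster_bytes) * cluster_bytes   # ceiling division


def file_slack(file_size, cluster_bytes):
    """Bytes between the end of the file and the end of its last cluster."""
    return allocated_bytes(file_size, cluster_bytes) - file_size


def infer_cluster_sizes(size, size_on_disk):
    """Cluster sizes consistent with Explorer's Size / Size on disk figures.

    Returns every candidate from 512 bytes to 64 KiB.  A small non-resident
    file pins the answer to one value; a large file can leave several.  NTFS
    keeps tiny files resident in the MFT record (Size on disk = 0), which says
    nothing about the cluster size, so the empty list is returned for those.
    """
    if size_on_disk == 0:
        return []
    return [cs for cs in (SECTOR_BYTES << i for i in range(8))
            if allocated_bytes(size, cs) == size_on_disk]


def answer_exercise(size, size_on_disk):
    """The slide's two questions, answered from a file's Size / Size on disk."""
    candidates = infer_cluster_sizes(size, size_on_disk)
    if len(candidates) != 1:
        return {"cluster_bytes": candidates, "partition_range_gib": None}
    cs = candidates[0]
    return {"cluster_bytes": cs, "partition_range_gib": partition_range_for_cluster(cs),
            "slack_bytes": file_slack(size, cs)}


if __name__ == "__main__":
    # Constructed figures for test.csv: 1,234 bytes in the file, 4,096 bytes on disk.
    print(answer_exercise(1_234, 4_096))
    print(answer_exercise(4_000, 4_096))  # a larger file leaves several cluster sizes possible
```

The second call shows the caveat behind the exercise: pick a small, non-resident file to read the cluster size off a Properties dialog, because a file close to a cluster boundary is consistent with several cluster sizes.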
31 Summary of Hard Disk. Data on a HD are stored on tracks. Corresponding tracks on all surfaces make up a cylinder. Data is stored in sectors and usually read in blocks or clusters. A storage unit can be identified by CHS. LBA is used for drives in excess of the CHS limit (about 7.8 GiB, or 8.4 GB).
32 Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting
33 Key things. The function of the FDISK program. Primary partition, extended partition, active partition, and logical drive. How logical partitions can be hidden. The necessity of understanding the suspect's partitioning scheme.
34 Initializing a Hard Drive. (Figure: a blank platter surface; this represents all the available surface area on a hard drive that can be used for storage.) The first thing to do is magnetically create a system of unique storage areas.
35 Low-level (Factory) Format. Step 1: Use a low-level format program to create a magnetic structure of sectors (figure: one 512-byte sector). Low-level formatting is usually done at the factory. Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller.
36 Results of Low-level Format. The sectors are organized by tracks (figure: all the sectors on one track).
37 Initializing a Hard Drive with FDisk. Step 2: FDISK writes partition information in the Master Boot Record (MBR) at Cylinder 0, Head 0, Sector 1. The Master Boot Record contains: 1. Master Boot Code 2. Master Partition Table. The remainder of that track is Reserved.
38 Master Partition Table Maximum of 4 entries Valid entries contain essential information about the partition Partition type/code Active (yes or no) Partition start and end information Unused entries are blank
39 Types of Entries in Master Partition Table. Primary Partition(s) - up to 4 allowed; each contains one logical drive; only one may be marked as Active. Extended Partition (only 1 allowed) - contains one or more logical drives; each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries are used: one for the logical drive, one for the link to the next). The total number of entries in the master partition table may not exceed four!
40 Partition Type Codes. File systems are assigned characteristic type codes that are listed in partition table entries. DOS/Windows operating systems recognize specific type codes and assign a drive letter only to partition types they support; a partition whose type code is unsupported (or unknown) gets no drive letter and is invisible to the user.
41 Common Partition Type Codes
42 Single Primary Partition (figure: MBR, the reserved remainder of track 0, then the primary partition).
43 Single Primary Partition (Cont.) Hard drive with one active primary partition (single logical drive). (Figure: the hub, then the logical drive occupying the rest of the platter.)
44 Single Primary Partition (Cont.) Master Partition Table - DiskEdit View. "Yes" indicates Active.
45 One Primary with Extended Partition (figure: MBR and reserved track, the primary partition, then the extended partition beginning with its own partition table and reserved track).
46 Partition Tables. Each partition table points to the next (figure: MBR and reserved track, then a partition table and reserved track at the start of each logical drive in the extended partition).
47 One Primary & One Extended. Master Partition Table - DiskEdit View, showing the Primary Partition entry.
48 One Primary & One Extended. Extended Partition Table - DiskEdit View, showing the Extended Partition entry. The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
49 Partitions and More Than One Logical Drive. An extended partition may contain more than one logical partition. Primary, Extended and Logical Partitions: a primary partition plus an extended partition containing three logical DOS volumes. (Graphical depiction of the partitioning: Primary Partition (c:), Extended Partition with Three Logical Drives (d:, e:, f:).)
50 Why Care about Partitioning? Important Point: When examining a suspect's hard drive, why is it necessary to know how it's partitioned?
51 Partitioning Reasons to examine the partition tables: To make sure all space on the drive is accounted for To look for multiple operating systems To look for hidden partitions
52 Hidden Partitions. DOS/Windows partitions can be hidden by changing the partition-type code (figure: view of a hidden partition using the PART utility).
53 Hidden Partitions This partition disappears!
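As an added example (not code from the course, from FDISK, DiskEdit or PART), the following Python does by program what the DiskEdit slides do by hand: it reads the master partition table, follows the extended-partition chain entry by entry, and then applies the three checks from the "Partitioning" slide, flagging hidden type codes and listing the sectors no MBR entry accounts for. The 200,000-sector disk image is constructed inline; the type codes are the standard DOS/Windows ones, and the CHS fields in the constructed image are derived from the LBA values only for illustration (the parser decodes but does not rely on them).

```python
"""Parse an MBR partition table, follow the extended-partition chain, and flag
hidden type codes and unaccounted sectors (added example on a constructed image)."""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}            # DOS extended, Windows extended (LBA)
# "Hidden" variants of the DOS/Windows type codes: same file system inside,
# but DOS/Windows assigns no drive letter, so the volume disappears from view.
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
                0x17: "hidden HPFS/NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
                0x1E: "hidden FAT16 LBA"}
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, sectors
TABLE_OFFSET, SIGNATURE = 446, b"\x55\xAA"


def encode_chs(c, h, s):
    """Pack C/H/S into the 3-byte table field: head 8 bits, sector 6, cylinder 10."""
    return bytes([h & 0xFF, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])


def decode_chs(raw):
    return ((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F


def lba_to_chs(lba, heads=16, spt=63):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return min(c, 1023), h, s + 1        # cylinders past 1023 are clamped, as FDISK does


def make_entry(active, ptype, start, count):
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, encode_chs(*lba_to_chs(start)),
                       ptype, encode_chs(*lba_to_chs(start + count - 1)), start, count)


def make_table_sector(entries):
    """512-byte MBR/EBR: 446 bytes of boot code (zeroed here), 4 entries, 0x55AA."""
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x00" * TABLE_OFFSET + table + SIGNATURE


def parse_table(sector):
    if len(sector) != SECTOR or sector[510:] != SIGNATURE:
        raise ValueError("no 0x55AA signature: not a partition table sector")
    entries = []
    for i in range(4):
        status, chs_s, ptype, chs_e, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"active": status == 0x80, "type": ptype, "start": start, "count": count,
                        "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e)})
    return entries


def walk_partitions(read_sector):
    """List every partition.  Logical drives come from the EBR chain: entry 0 is the
    drive (start relative to its own EBR), entry 1 links to the next EBR (start
    relative to the first sector of the extended partition)."""
    found = []
    for n, e in enumerate(parse_table(read_sector(0))):
        if e["type"] == 0 or e["count"] == 0:
            continue
        found.append(dict(e, name=f"primary{n}", level="mbr"))
        if e["type"] in EXTENDED_TYPES:
            ext_base = ebr = e["start"]
            seen = set()
            while ebr not in seen:           # a looped chain must not spin forever
                seen.add(ebr)
                link = parse_table(read_sector(ebr))
                found.append(dict(link[0], start=ebr + link[0]["start"],
                                  name=f"logical@{ebr}", level="ebr"))
                if link[1]["type"] not in EXTENDED_TYPES:
                    break
                ebr = ext_base + link[1]["start"]
    for p in found:
        p["hidden"] = HIDDEN_TYPES.get(p["type"])
    return found


def unaccounted_space(partitions, total_sectors):
    """Sector ranges covered by no MBR-level entry (logical drives live inside the
    extended container, so only level == "mbr" entries count here)."""
    gaps, pos = [], 0
    for p in sorted((p for p in partitions if p["level"] == "mbr"), key=lambda p: p["start"]):
        if p["start"] > pos:
            gaps.append((pos, p["start"]))
        pos = max(pos, p["start"] + p["count"])
    if pos < total_sectors:
        gaps.append((pos, total_sectors))
    return gaps


# Constructed, sparse 200,000-sector image: an active NTFS primary and an extended
# partition holding a FAT16 logical drive followed by a hidden FAT16 one.
DISK_SECTORS, EBR1, EBR2 = 200_000, 80_063, 130_063
IMAGE = {
    0: make_table_sector([make_entry(True, 0x07, 63, 80_000),
                          make_entry(False, 0x05, EBR1, 100_000)]),
    EBR1: make_table_sector([make_entry(False, 0x06, 63, 49_937),            # relative to EBR1
                             make_entry(False, 0x05, EBR2 - EBR1, 50_000)]),  # relative to ext. start
    EBR2: make_table_sector([make_entry(False, 0x16, 63, 49_937)]),
}


def read_sector(lba):
    return IMAGE.get(lba, b"\x00" * SECTOR)


def examine(read=read_sector, total_sectors=DISK_SECTORS):
    parts = walk_partitions(read)
    return {"partitions": parts,
            "hidden": [p["name"] for p in parts if p["hidden"]],
            "gaps": unaccounted_space(parts, total_sectors)}
```

On the constructed image examine() reports the MBR track (sectors 0-62) and a 19,937-sector tail after the extended partition as unaccounted, and the 0x16 logical drive as hidden. Against a real image, replace read_sector with a function that seeks to lba * 512 in the image file; the tail gap is exactly the kind of space the "Partitioning" slide says to account for before concluding a drive holds nothing more.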
54 Partition Table Doctor. Link: The only limitation is that the DEMO version cannot write to disk. Features: recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP); display complete physical and logical drive information; fix the boot sector of FAT and NTFS partitions; preview boot files and boot directories of each partition before recovery; back up the MBR (Master Boot Record), partition table, and boot sectors; restore the MBR, partition table and boot sectors from a backup file if they are damaged; support IDE / ATA / SATA / SCSI drives.