91.580.203 Computer & Network Forensics Xinwen Fu Chapter 7 Working with Windows and DOS Systems
BIS@DSU 2 Outline: Understanding the boot sequence; Understanding disk drives; Understanding partitioning and formatting
BIS@DSU 3 Understanding the Boot Sequence. Avoid data contamination or modification: make sure the computer boots from a floppy disk. Keys that enter the BIOS setup screen (vendor-dependent): Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12
BIS@DSU 4 Understanding the Boot Sequence (Cont.) Who provides this setup screen for you?
BIS@DSU 5 BIOS - Basic Input/Output System. A piece of firmware ("software on a chip"). Support for the following devices and features of your system: select and configure hard drives, floppy drives, and CD-ROM drives; configure main and cache memory; support different CPU types, speeds, and special features; support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play); many others
BIS@DSU 6 BIOS on the Motherboard (figure: BIOS chip and battery; source: http://www.informit.com/articles/article.asp?p=130913&seqNum=4&rl=1)
BIS@DSU 7 Two Components Supporting BIOS. CMOS chip, also known as the RTC/NVRAM (Real-Time Clock/Non-Volatile RAM): stores the settings and contains the system's Real-Time Clock circuit. Battery: powers the CMOS to keep its settings
BIS@DSU 8 Outline: Understanding the boot sequence; Understanding disk drives; Understanding partitioning and formatting
BIS@DSU 9 Floppy Disks. Yes these still exist! 5.25" and 3.5". Originally single sided, then became double sided
BIS@DSU 10 Original floppies were single-sided (figure: side view of a single-sided floppy in disk drive 0, side 0)
BIS@DSU 12 Hard Disk Structure. Hard disk drives are organized as a concentric stack of disks or platters; each platter has 2 surfaces. How does a hard disk work? The platters rotate on the spindle and the heads move along the radius of the platters. This allows the heads to access all parts of the surfaces
BIS@DSU 13 Disassembling a Hard Drive
BIS@DSU 14 HD Elements 16 heads 8 Platters
BIS@DSU 15 HD Head. Each platter has a planar magnetic surface on which digital data may be stored. Information is written to the disk by transmitting an electromagnetic flux through the read-write head (an antenna) that is very close to the magnetic material
BIS@DSU 16 HD Head Clearance
BIS@DSU 17 How Data is Organized on HD - Tracks The data is stored on concentric circles on the surfaces known as tracks Numbering starts with 0 at the outermost cylinder
BIS@DSU 18 How Data is Organized on HD - Sectors/Blocks. A sector is a continuous linear stream of magnetized bits occupying a curved section of a track. Sectors are the smallest physical storage units on a disk; each sector stores 512 bytes of data. Numbering physical sectors within a track starts with 1 (figure: Sector 1 and Sector 2 of Track 0)
BIS@DSU 19 How Data is Organized on HD - Cylinders (figure: head stack assembly with Heads 0-5, one cylinder, a track and a sector marked). Corresponding tracks on all platter surfaces make up a cylinder. On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder
BIS@DSU 20 Cluster (Blocks). 1 or more contiguous sectors; the smallest unit of storage that an OS allocates to data. The bytes in a cluster vary according to the size of the drive and the version of the OS. 65,536 sector limit in DOS FAT16 (2^16). Using clusters allows for grouping multiple sectors. Total number of sectors per cluster is always a power of 2
BIS@DSU 21 FAT16/FAT12 Number of Sectors/Cluster
Low density 5.25 inch floppy diskette: 2 sectors
High density 5.25 inch floppy diskette: 2 sectors
Low density 3.5 inch floppy diskette: 2 sectors
High density 3.5 inch floppy diskette: 1 sector
0 - 15MB logical hard drive partition: 8 sectors
16MB - 127MB logical hard drive partition: 4 sectors
128MB - 255MB logical hard drive partition: 8 sectors
256MB - 512MB logical hard drive partition: 16 sectors
512MB - 1024MB logical hard drive partition: 32 sectors
1024MB - 2048MB logical hard drive partition: 64 sectors
2048MB - 4095MB logical hard drive partition: 128 sectors
BIS@DSU 22 What is this disk? (screenshot: floppy disk properties; if you cannot see Properties, click View -> Properties)
Disk Size | Density | Sectors/Track | Capacity
5.25 | Low | 9 | 360K
5.25 | High | 15 | 1200K
3.5 | Low | 9 | 720K
3.5 | High | 18 | 1,440K
BIS@DSU 23 Hard Disk Addressing. Older BIOSes in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes). Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.
BIS@DSU 24 CHS. Each storage unit on a disk can be identified by a 3-coordinate system identifying the Cylinder, Head/Side and Sector. One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes, e.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB
BIS@DSU 25 Hard Disk Addressing (Cont.) Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk (IDE disk). The BIOS will read the disk's cylinders, heads, and sectors through this interface and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.
BIS@DSU 26 Exception: LBA – Logical Block Addressing. By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity. As such the BIOS must know to use the LBA capacity, the total number of accessible sectors, e.g. a disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
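The CHS and LBA arithmetic from the last three slides, as an added example (not from the slides): capacity from either addressing scheme, the capped geometry that forces a BIOS to trust the LBA count, and the CHS-to-LBA mapping that places the MBR at C0/H0/S1. The function names and the 16-head/63-sector geometry used in the calls are assumptions for illustration.

```python
# Added example (not from the slides): disk capacity from CHS or LBA, and
# CHS-to-LBA translation with the geometry a BIOS reports.
SECTOR_BYTES = 512
# Geometry that large IDE disks report regardless of their real size
# (from the slide: c=16383, h=16, s=63).
CAPPED_CHS = (16383, 16, 63)

def chs_capacity(cylinders, heads, sectors):
    """Capacity in bytes from cylinder, head and sectors-per-track counts."""
    return cylinders * heads * sectors * SECTOR_BYTES

def lba_capacity(total_sectors):
    """Capacity in bytes from the LBA sector count."""
    return total_sectors * SECTOR_BYTES

def disk_capacity(chs, lba_sectors=None):
    """Return (bytes, method). A drive reporting the capped geometry must be
    sized from its LBA count; otherwise use whichever figure is larger."""
    capped = tuple(chs) == CAPPED_CHS
    if lba_sectors is None:
        if capped:
            raise ValueError("capped geometry reported; LBA sector count required")
        return chs_capacity(*chs), "CHS"
    if capped or lba_capacity(lba_sectors) > chs_capacity(*chs):
        return lba_capacity(lba_sectors), "LBA"
    return chs_capacity(*chs), "CHS"

def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """Map a CHS coordinate to its LBA sector number (sectors count from 1)."""
    if not 1 <= sector <= sectors_per_track or not 0 <= head < heads:
        raise ValueError("CHS coordinate outside the given geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)

def to_gb(nbytes, binary=False):
    """Decimal GB (10**9) by default, or GiB (2**30) when binary=True."""
    return nbytes / (2 ** 30 if binary else 10 ** 9)

if __name__ == "__main__":
    print(to_gb(chs_capacity(12495, 16, 63)))        # the slide's ~6 GB example
    print(disk_capacity(CAPPED_CHS, 156_301_488))     # the slide's 80 GB LBA disk
    print(chs_to_lba(0, 0, 1, 16, 63), chs_to_lba(80, 0, 1, 16, 63))
```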
BIS@DSU 27 File Slack The area between the end of the file and the end of the last cluster allocated for that file
BIS@DSU 28 File Slack Illustration
BIS@DSU 29 NTFS Clusters and Cluster Sizes
Partition Size Range (GiB) | Default Number of Sectors Per Cluster | Default Cluster Size (kiB)
<= 0.5 | 1 | 0.5
> 0.5 to 1.0 | 2 | 1
> 1.0 to 2.0 | 4 | 2
> 2.0 to 4.0 | 8 | 4
> 4.0 to 8.0 | 16 | 8
> 8.0 to 16.0 | 32 | 16
> 16.0 to 32.0 | 64 | 32
> 32.0 | 128 | 64
Source: http://www.pcguide.com/ref/hdd/file/ntfs/archCluster-c.html
BIS@DSU 30 (screenshot: properties of the file test.csv on a computer) Two questions: 1. What is the cluster size of the partition? 2. What is the partition size range?
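One way to answer the two questions above and to turn the cluster tables into file-slack figures, as an added example that is not part of the slides: the NTFS and FAT16 tables are transcribed from the slides, while the function names and the 3 GiB sample partition are assumptions for illustration.

```python
# Added example (not from the slides): default cluster size from partition
# size, file slack for a file of a given size, and the inverse lookup the
# quiz asks for. Tables are transcribed from the slides.
SECTOR = 512
MIB, GIB = 1024 ** 2, 1024 ** 3

# (inclusive upper bound of the partition size range in bytes, sectors per
# cluster); None means "and larger". NTFS defaults per the slide table.
NTFS_DEFAULTS = [(GIB // 2, 1), (GIB, 2), (2 * GIB, 4), (4 * GIB, 8),
                 (8 * GIB, 16), (16 * GIB, 32), (32 * GIB, 64), (None, 128)]
# FAT16 logical hard drive partitions per the slide table (floppies omitted).
FAT16_DEFAULTS = [(15 * MIB, 8), (127 * MIB, 4), (255 * MIB, 8), (512 * MIB, 16),
                  (1024 * MIB, 32), (2048 * MIB, 64), (4095 * MIB, 128)]

def sectors_per_cluster(partition_bytes, table=NTFS_DEFAULTS):
    """Default sectors per cluster for a partition of this size."""
    for upper, spc in table:
        if upper is None or partition_bytes <= upper:
            return spc
    raise ValueError("partition larger than the table covers")

def cluster_bytes(partition_bytes, table=NTFS_DEFAULTS):
    return sectors_per_cluster(partition_bytes, table) * SECTOR

def file_slack(file_bytes, cluster):
    """Bytes between the end of the file and the end of its last cluster."""
    if file_bytes == 0:
        return 0  # assumption: a zero-length file owns no cluster
    allocated = -(-file_bytes // cluster) * cluster  # round up to whole clusters
    return allocated - file_bytes

def partition_ranges_for_cluster(cluster, table=NTFS_DEFAULTS):
    """Inverse lookup: (lower, upper) byte ranges whose default is this cluster
    size. Returns a list because FAT16 uses 8 sectors/cluster in two ranges."""
    ranges, lower = [], 0
    for upper, spc in table:
        if spc * SECTOR == cluster:
            ranges.append((lower, upper))
        lower = upper
    return ranges

if __name__ == "__main__":
    size = 3 * GIB                   # constructed: a 3 GiB NTFS partition
    cl = cluster_bytes(size)
    print(cl, file_slack(1000, cl))  # 4096-byte clusters, 3096 bytes of slack
    print(partition_ranges_for_cluster(cl))
```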
BIS@DSU 31 Summary of Hard Disk. Data on an HD are stored on tracks; corresponding tracks on all surfaces make up a cylinder. Data is stored in sectors and usually read in blocks or clusters. A storage unit can be identified by CHS. LBA is used for drives in excess of 7.8 GB
BIS@DSU 32 Outline: Understanding the boot sequence; Understanding disk drives; Understanding partitioning and formatting
BIS@DSU 33 Key things: the function of the FDISK program; primary partition, extended partition, active partition, and logical drive; how logical partitions can be hidden; the necessity of understanding the suspect's partitioning scheme
BIS@DSU 34 Initializing a Hard Drive. This represents all the available surface area on a hard drive that can be used for storage. The first thing to do is magnetically create a system of unique storage areas
BIS@DSU 35 Low-level (Factory) Format. Step 1: Use a low-level format program to create a magnetic structure of sectors (figure: one 512-byte sector). Low-level formatting is usually done at the factory. Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller.
BIS@DSU 36 Results of Low-level Format. The sectors are organized by tracks (figure: all the sectors on one track)
BIS@DSU 37 Initializing a Hard Drive with FDisk. Step 2: FDISK writes partition information in the Master Boot Record (MBR) at Cylinder 0, Head 0, Sector 1. Master Boot Record: 1. Master Boot Code; 2. Master Partition Table. The remainder of that track is Reserved
BIS@DSU 38 Master Partition Table. Maximum of 4 entries. Valid entries contain essential information about the partition: partition type/code; active (yes or no); partition start and end information. Unused entries are blank
BIS@DSU 39 Types of Entries in Master Partition Table. Primary Partition(s) - up to 4 allowed: contains one logical drive; only one may be marked as Active. Extended Partition (only 1 allowed): contains one or more logical drives; each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries). Total number of entries may not exceed four!
BIS@DSU 40 Partition Type Codes. File systems are assigned characteristic type codes that are listed in partition table entries. DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported. DOS/Windows systems will not assign a drive letter to partition types not supported
BIS@DSU 41 Common Partition Type Codes
BIS@DSU 42 Single Primary Partition (figure: MBR, the reserved remainder of the track, then the partition)
BIS@DSU 43 Single Primary Partition (Cont.) Hard drive with one active primary partition (single logical drive) (figure: hub and logical drive)
BIS@DSU 44 Single Primary Partition (Cont.) Master Partition Table - DiskEdit View ("Yes" indicates Active)
BIS@DSU 45 One Primary with Extended Partition (figure: MBR, Reserved, Primary Partition; then Partition Table, Reserved, Extended Partition)
BIS@DSU 46 Partition Tables. Each partition table points to the next (figure: MBR, Reserved, Partition Table, Reserved)
BIS@DSU 47 Master Partition Table – DiskEdit View: One Primary & One Extended (Primary Partition Entry highlighted)
BIS@DSU 48 Extended Partition Table – DiskEdit View: One Primary & One Extended (Extended Partition Entry highlighted). The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
BIS@DSU 49 Partitions and More Than One Logical Drive. An extended partition may contain more than one logical partition. Primary, Extended and Logical Partitions: a primary partition and an extended partition containing three logical DOS volumes (graphical depiction of the partitioning: Primary Partition c:, Extended Partition with three logical drives d:, e:, f:)
BIS@DSU 50 Why Care about Partitioning? Important Point: When examining a suspect's hard drive, why is it necessary to know how it's partitioned?
BIS@DSU 51 Partitioning. Reasons to examine the partition tables: to make sure all space on the drive is accounted for; to look for multiple operating systems; to look for hidden partitions
BIS@DSU 52 Hidden Partitions. DOS/Windows partitions can be hidden by changing the partition-type code (figure: view of a hidden partition using the PART utility)
BIS@DSU 53 Hidden Partitions This partition disappears!
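The checks the last few slides call for (decode the master partition table at C0/H0/S1, spot entries whose type code has been changed to a "hidden" value, and account for every sector on the drive), as an added example that is not part of the slides. The 512-byte sample MBR, its two entries and the 1,000,000-sector disk size are constructed here; the type-code values are the well-known MBR codes, not the slides' own table.

```python
import struct

# Well-known MBR type codes (not taken from the slides' own table).
TYPE_NAMES = {0x05: "extended", 0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x83: "Linux"}
# The usual DOS/Windows "hidden" codes are the normal code plus 0x10.
HIDDEN = {0x11: 0x01, 0x16: 0x06, 0x17: 0x07, 0x1B: 0x0B, 0x1C: 0x0C, 0x1E: 0x0E}

def parse_mbr(sector):
    """Decode the four 16-byte entries of the master partition table."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0xAA55 signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        status, h, sc, c_lo, ptype, _, _, _, lba, count = struct.unpack("<8BII", raw)
        if ptype == 0:
            continue  # unused entry is blank
        entries.append({"slot": i, "active": status == 0x80, "type": ptype,
                        "hidden": ptype in HIDDEN,
                        "chs_start": (((sc & 0xC0) << 2) | c_lo, h, sc & 0x3F),
                        "lba_start": lba, "sectors": count})
    return entries

def unaccounted_space(entries, disk_sectors):
    """Sector ranges (start, length) that no table entry covers."""
    gaps, pos = [], 1  # sector 0 holds the MBR itself
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > pos:
            gaps.append((pos, e["lba_start"] - pos))
        pos = max(pos, e["lba_start"] + e["sectors"])
    if pos < disk_sectors:
        gaps.append((pos, disk_sectors - pos))
    return gaps

def make_entry(status, chs, ptype, lba, count):
    """Build one 16-byte entry (CHS end field left zero; constructed data)."""
    c, h, s = chs
    return struct.pack("<8BII", status, h, (s & 0x3F) | ((c >> 2) & 0xC0),
                       c & 0xFF, ptype, 0, 0, 0, lba, count)

# Constructed sample: an active NTFS primary at LBA 63 (C0/H1/S1), a second
# NTFS partition hidden by type code 0x17 starting at cylinder 397, and a
# 1,000,000-sector disk that leaves space after the last entry.
SAMPLE_MBR = (bytes(446) + make_entry(0x80, (0, 1, 1), 0x07, 63, 400_113)
              + make_entry(0x00, (397, 0, 1), 0x17, 400_176, 300_000)
              + bytes(32) + b"\x55\xaa")
```

Running parse_mbr(SAMPLE_MBR) and unaccounted_space(..., 1_000_000) reports the hidden entry and two gaps, the 62 reserved sectors behind the MBR and the 299,824 trailing sectors that no partition claims.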
BIS@DSU 54 Partition Table Doctor. Link: http://www.ptdd.com/ The only limitation is that the DEMO version cannot write to disk. Recovers deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP). Displays complete physical and logical drive information. Fixes the boot sector of FAT and NTFS partitions. Previews boot files and boot directories of each partition before recovery. Backs up the MBR (Master Boot Record), partition table and boot sectors. Restores the MBR, partition table and boot sectors from a backup file if they are damaged. Supports IDE / ATA / SATA / SCSI drives.