Computer & Network Forensics


1 91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 7: Working with Windows and DOS Systems

2 Outline
Understanding the boot sequence
Understanding disk drives
Understanding partitioning and formatting

3 Understanding the Boot Sequence
Goal: avoid contaminating or modifying the evidence drive.
Make sure the computer boots from a (forensic) floppy disk, not from the suspect's hard drive, by changing the boot order in the BIOS setup.
Keys commonly used to enter BIOS setup at power-on (varies by manufacturer): Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12

4 Understanding the Boot Sequence (Cont.)
Who provides this setup screen for you?

5 BIOS - Basic Input/Output System
A piece of firmware ("software on a chip") that supports the following devices and features of your system:
Select and configure hard drives, floppy drives, and CD-ROM drives
Configure main and cache memory
Support different CPU types, speeds, and special features
Support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play)
Configuration of built-in ports, such as IDE hard disk, floppy disk, serial, parallel, PS/2 mouse, and USB
Selection and configuration of special motherboard features, such as memory error correction, boot-sector antivirus protection, and fast memory access
Many others

6 BIOS on the Motherboard
(figure: motherboard with the BIOS chip and the CMOS battery labelled)

7 Two Components Supporting BIOS
CMOS chip, also known as the RTC/NVRAM (Real-Time Clock / Non-Volatile RAM): stores the BIOS settings and contains the system's real-time clock circuit
Battery: powers the CMOS so it keeps its settings (and the clock) while the machine is off
Forensic note: record the BIOS date and time from the setup screen before booting anything; a drifted or dead-battery clock explains offsets in the file timestamps you recover later.

8 Outline
Understanding the boot sequence
Understanding disk drives
Understanding partitioning and formatting

9 Floppy Disks
Yes, these still exist!
Two sizes: 5.25-inch and 3.5-inch
Originally single-sided, then double-sided

10 Side View of Floppy in Disk Drive
(figure: single-sided disk in a drive, side 0 facing down)
Original floppies were single-sided: only formatted on one side, the bottom. They could store 160K of data.
The sides of a disk are numbered starting with zero. On a floppy, side 0 is on the bottom. This is the standard configuration so that a floppy disk could be used in drives from different manufacturers.

11 FD Densities & Capacity
Disk Size | Density | Sectors/Track | Capacity
5.25      | Low     | 9             | 360K
5.25      | High    | 15            | 1200K
3.5       | Low     | 9             | 720K
3.5       | High    | 18            | 1,440K

12 Hard Disk Structure
Hard disk drives are organized as a concentric stack of disks or "platters"
Each platter has 2 surfaces
How a hard disk works: the platters rotate on the spindle; the heads move along the radius of the platters, which lets each head reach every part of its surface

13 Disassembling a Hard Drive
This exploded view shows the various components inside a typical hard drive.
A hard drive may have more than one platter, so the drive may have more than 2 sides (heads).
All the read/write heads move together.
Sides (heads) start numbering at zero (0).
PCB (printed circuit board): the drive's controller electronics

14 HD Elements
(figure: drive with 8 platters and 16 heads)

15 HD Head
Each platter has a planar magnetic surface on which digital data may be stored
Information is written to the disk by driving a magnetic flux through the read/write head (a tiny electromagnet, not an antenna) positioned very close to the magnetic material

16 HD Head Clearance
The distance between the read/write head and the surface of the hard drive (head fly/floating height) is so small that a strand of human hair will not pass between them.
Hard drive rotation speed depends on the specific model. Typical speeds are 5,400 RPM, 7,200 RPM, and 10,000 RPM.
Hard drives were originally coated with ferrous oxide (rust), similar to the coating on audio tapes. Modern drives use some form of "thin film magnetic media", which allows closer placement of the read/write heads and more data per unit of surface (higher areal density).

17 How Data is Organized on HD - Tracks
The data is stored on concentric circles on the surfaces known as tracks Numbering starts with 0 at the outermost cylinder

18 How Data is Organized on HD - Sectors/Blocks
A sector is a continuous linear stream of magnetized bits occupying a curved section of a track
Sectors are the smallest physical storage units on a disk. Each sector on the drives discussed here stores 512 bytes of data (newer "Advanced Format" drives use 4,096-byte physical sectors, so never assume 512 without checking the drive or the volume boot sector)
Numbering of physical sectors within a track starts with 1 (e.g. track 0, sector 1; track 0, sector 2)

19 How Data is Organized on HD - Cylinders
(figure: head stack assembly with heads 0 to 5, showing a track and a sector)
The same organizational structure of sectors, tracks, cylinders and heads that exists on floppy disks also exists on a hard disk.
A hard disk has multiple platters and thus more heads or sides, which together comprise a cylinder: track 0 on sides 0, 1, 2, 3, 4, and 5 together make up cylinder 0, since they are vertically aligned.
Corresponding tracks on all platter surfaces make up a cylinder. On a floppy diskette, the pair of tracks that lie over/under each other is a cylinder.
The slide shows a simplified representation of the hard disk structure; real drives are considerably more complicated (zoned recording, for instance, puts more sectors on outer tracks than on inner ones).

20 Cluster (Blocks)
A cluster is 1 or more contiguous sectors: the smallest unit of storage the OS will allocate to a file (also called an allocation unit; a "block" in the UNIX world)
The bytes in a cluster vary with the size of the drive and the version of the OS
FAT16 addresses clusters with 16 bits, so a volume can have at most 2^16 = 65,536 clusters; grouping several sectors into one cluster is how FAT16 reaches larger partitions
The number of sectors per cluster is always a power of 2
Bytes/sector and sectors/cluster are recorded in the volume's boot sector (the BIOS Parameter Block), not in the MBR; the MBR holds only the partition table and boot code.

21 FAT16/FAT12 Number of Sectors/Cluster
Low density 5.25 inch floppy diskette (360K) - 2 sectors
High density 5.25 inch floppy diskette (1.2M) - 1 sector
Low density 3.5 inch floppy diskette (720K) - 2 sectors
High density 3.5 inch floppy diskette (1.44M) - 1 sector
0 - 15MB logical hard drive partition - 8 sectors
16MB - 127MB logical hard drive partition - 4 sectors
128MB - 255MB logical hard drive partition - 8 sectors
256MB - 511MB logical hard drive partition - 16 sectors
512MB - 1023MB logical hard drive partition - 32 sectors
1024MB - 2047MB logical hard drive partition - 64 sectors
2048MB - 4095MB logical hard drive partition - 128 sectors (64 KB clusters; supported by Windows NT, not by DOS or Windows 9x)

22 What is this disk?
(screenshot: a diskette's Properties dialog; if you cannot see Properties, click View -> Properties)
Use the table from slide 11 to identify it:
Disk Size | Density | Sectors/Track | Capacity
5.25      | Low     | 9             | 360K
5.25      | High    | 15            | 1200K
3.5       | Low     | 9             | 720K
3.5       | High    | 18            | 1,440K

23 Hard Disk Addressing
Older BIOSes in PCs used 24-bit CHS addressing (10 bits of cylinder, 8 of head, 6 of sector), so roughly 2^24 sectors * 512 bytes; the exact INT 13h limit of 1024 * 256 * 63 sectors * 512 bytes is about 8.4 GB.
Newer BIOSes and interfaces use LBA instead: 48-bit LBA in ATA-6 and later, and 64-bit LBA fields in the SCSI command set. 2^64 sectors of 512 bytes would be about 9.4 x 10^21 bytes (9.4 zettabytes), over a trillion times the 8.4 GB limit.

24 C H S
Each storage unit on a disk can be identified by a 3-coordinate system: Cylinder, Head/Side, Sector
One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the sector size of 512 bytes:
Eg. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = 6,448,619,520 bytes, approx. 6 GB

25 Hard Disk Addressing (Cont.)
Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface to connect the hard disk: the IDE (Integrated Drive Electronics) disk, later Extended IDE (EIDE).
The BIOS reads the disk's cylinders, heads, and sectors through this interface and, depending on the size of the disk and the BIOS settings, uses that CHS geometry to determine the size of the disk and how it should be accessed.

26 Exception: LBA - Logical Block Addressing
By industry agreement, large IDE disks (with more than 16,514,064 sectors) return c=16383, h=16, s=63 in CHS mode, for a total of 16,514,064 sectors (about 7.8 GiB / 8.4 GB) regardless of their actual size, but report their actual size as an LBA capacity: the total number of accessible sectors.
The BIOS (and the examiner) must therefore use the LBA capacity for such drives.
Eg. a disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80,026,361,856 bytes, i.e. 80 GB.
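The addressing arithmetic of slides 24 to 26, as an added Python example that is not from the course slides: CHS-to-LBA conversion in both directions, the capacity product, and the decision an imaging tool has to make when a drive reports the capped 16383/16/63 geometry. The geometry and LBA values are the ones quoted above; the function names are my own.

```python
# CHS <-> LBA conversions and the capacity decision for the addressing schemes above.
# Added example, not from the slides; the numbers are the ones quoted on slides 24-26.
SECTOR_BYTES = 512
CAPPED_GEOMETRY = (16383, 16, 63)  # reported in CHS mode by large IDE drives regardless of real size


def chs_capacity(cylinders, heads, sectors_per_track, sector_bytes=SECTOR_BYTES):
    """Capacity in bytes from a CHS geometry (the slide 24 method)."""
    return cylinders * heads * sectors_per_track * sector_bytes


def chs_to_lba(c, h, s, heads, sectors_per_track):
    """Linear sector number of (cylinder, head, sector); sectors count from 1 within a track."""
    if not (0 <= h < heads and 1 <= s <= sectors_per_track):
        raise ValueError("head or sector out of range for this geometry")
    return (c * heads + h) * sectors_per_track + (s - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, heads * sectors_per_track)
    h, s = divmod(rem, sectors_per_track)
    return c, h, s + 1


def drive_size(chs, lba_sectors):
    """Return (bytes, used_lba).

    Trust the LBA sector count when the drive reports the capped 16383/16/63
    geometry, or whenever LBA exceeds what the CHS product describes; otherwise
    fall back to CHS. Sectors beyond the CHS product are exactly the ones an
    examiner would miss by imaging only the CHS-addressable range.
    """
    chs_sectors = chs[0] * chs[1] * chs[2]
    if tuple(chs) == CAPPED_GEOMETRY or lba_sectors > chs_sectors:
        return lba_sectors * SECTOR_BYTES, True
    return chs_sectors * SECTOR_BYTES, False


if __name__ == "__main__":
    print(chs_capacity(12495, 16, 63))                # slide 24 example, about 6 GB
    print(drive_size(CAPPED_GEOMETRY, 156301488))     # slide 26 example, 80 GB via LBA
    print(lba_to_chs(156301487, 16, 63))              # last sector of that drive as (c, h, s)
```

`drive_size` is the check to run before imaging: if it returns `used_lba=True`, size the image from the LBA count, not from the geometry the BIOS shows.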

27 File Slack
The area between the end of the file and the end of the last cluster allocated for that file. The OS never shows it, but it keeps whatever the cluster held before (fragments of deleted files, or on DOS the memory contents used to pad the last sector), which is why examiners carve it.

28 File Slack Illustration
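To tie slide 20 (where bytes/sector and sectors/cluster really live), slide 27 (file slack) and the slide 30 exercise together, here is an added Python example that is not from the course: it parses the BIOS Parameter Block of a FAT volume boot sector, derives cluster size, cluster count and FAT type, and computes how many bytes of slack a file of a given size leaves. The two boot sectors are constructed in memory to stand in for a 1.44 MB floppy and a 1 GiB FAT16 partition (only the BPB and the signature are filled in, no boot code); the field offsets follow Microsoft's FAT specification.

```python
import struct

# Reads bytes/sector and sectors/cluster from a FAT volume boot sector (the BPB),
# derives cluster size and FAT type, and computes file slack. Added example, not
# from the slides; the boot sectors below are constructed test data.

BPB_FORMAT = "<HBHBHHBHHHII"   # the 12 BPB fields starting at offset 11, see parse_bpb
BPB_OFFSET = 11


def make_boot_sector(bps, spc, reserved, fats, root_entries, total16, media,
                     spf16, spt, heads, hidden, total32):
    """Build a 512-byte boot sector holding only the BPB and the 0x55AA signature (constructed data)."""
    bs = bytearray(512)
    struct.pack_into(BPB_FORMAT, bs, BPB_OFFSET, bps, spc, reserved, fats, root_entries,
                     total16, media, spf16, spt, heads, hidden, total32)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


FLOPPY_144 = make_boot_sector(512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
FAT16_1GIB = make_boot_sector(512, 32, 1, 2, 512, 0, 0xF8, 256, 63, 255, 63, 2097152)


def parse_bpb(bs: bytes) -> dict:
    """Decode the BIOS Parameter Block and derive the cluster geometry."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot-sector signature")
    (bps, spc, reserved, fats, root_entries, total16, _media,
     spf16, _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FORMAT, bs, BPB_OFFSET)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("bytes/sector or sectors/cluster is not a valid power of two")
    spf = spf16 or struct.unpack_from("<I", bs, 36)[0]   # FAT32 keeps sectors/FAT at offset 36
    total = total16 or total32                            # 16-bit count, else the 32-bit one
    root_dir_sectors = -(-root_entries * 32 // bps)       # ceiling division; 0 on FAT32
    data_sectors = total - (reserved + fats * spf + root_dir_sectors)
    clusters = data_sectors // spc
    # The FAT type is decided by cluster count alone (thresholds from Microsoft's FAT specification)
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_bytes": bps * spc,
            "total_sectors": total, "cluster_count": clusters, "fat_type": fat_type}


def file_slack(file_size: int, cluster_bytes: int):
    """Return (clusters allocated, slack bytes) for a file of the given size."""
    if file_size <= 0:
        return 0, 0            # a zero-length file owns no cluster, so it has no slack
    clusters = -(-file_size // cluster_bytes)
    return clusters, clusters * cluster_bytes - file_size


if __name__ == "__main__":
    for name, bs in (("1.44 MB floppy", FLOPPY_144), ("1 GiB partition", FAT16_1GIB)):
        info = parse_bpb(bs)
        used, slack = file_slack(1500, info["cluster_bytes"])
        print(f"{name}: {info['fat_type']}, {info['cluster_count']} clusters of {info['cluster_bytes']} bytes; "
              f"a 1,500-byte file uses {used} cluster(s) and leaves {slack} bytes of slack")
```

The same two fields sit at offsets 11 and 13 of an NTFS boot sector, so the cluster-size part of the slide 30 question can be answered from sector 0 of the partition for either file system; the FAT-specific derivation (root directory, FAT count, cluster thresholds) applies only to FAT volumes.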

29 NTFS Clusters and Cluster Sizes
Partition Size Range (GiB) | Default Sectors per Cluster | Default Cluster Size (KiB)
<= 0.5                     | 1                           | 0.5
> 0.5 to 1.0               | 2                           | 1
> 1.0 to 2.0               | 4                           | 2
> 2.0 to 4.0               | 8                           | 4
> 4.0 to 8.0               | 16                          | 8
> 8.0 to 16.0              | 32                          | 16
> 16.0 to 32.0             | 64                          | 32
> 32.0                     | 128                         | 64
Caveat: Microsoft's documented defaults for Windows NT 4.0 and later stop at 4 KiB (8 sectors) for every NTFS volume over 2 GiB, and a volume may have been formatted with any size the tool allowed. Read the actual cluster size from the volume's boot sector (or work it out as on the next slide) rather than assuming it from a table.

30 A Computer
(screenshot: Properties dialog of a file named test.csv, showing its size and size on disk)
Two questions: What is the cluster size of the partition? What is the partition size range?
Hint: for an ordinary (non-resident, uncompressed) file, "Size on disk" is a whole number of clusters, and "Size on disk" minus "Size" is the file slack.

31 Summary of Hard Disk
Data on a HD are stored on tracks
Corresponding tracks on all surfaces make up a cylinder
Data is stored in sectors and usually read in blocks or clusters
A storage unit can be identified by CHS
LBA is used for drives in excess of 7.8 GiB (8.4 GB)

32 Outline
Understanding the boot sequence
Understanding disk drives
Understanding partitioning and formatting

33 Key things
The function of the FDISK program
Primary partition, extended partition, active partition, and logical drive
How logical partitions can be hidden
The necessity of understanding the suspect's partitioning scheme

34 Initializing a Hard Drive
(figure: a blank drive, representing all the surface area available for storage)
The first thing to do is magnetically create a system of unique storage areas. Think of a new hard drive as a large piece of blank paper: rather than putting information all over the paper at random, we want a logical system to manage it.
Continuing advances in hard disk technology have resulted in lower-cost drives with very high capacities. The trouble with some of these drives is that they may not be recognized at their full capacity by earlier versions of DOS or by some system BIOSes. Generally speaking, Intel 486-based machines may not recognize drives larger than 504 MiB (1024 cylinders * 16 heads * 63 sectors) because of BIOS limitations at that time. The next generation of BIOS supported drives up to 2.1 GB, then 8.4 GB. The next limit, 137 GB (128 GiB), is imposed by 28-bit LBA in the ATA interface. The FAT32 file system, supported by Windows versions starting with 95 OSR2 (95B), can support volumes up to two terabytes (2 TB) with 512-byte sectors.

35 Low-level (Factory) Format
Step 1: Use a low-level format program to create the magnetic structure of sectors (the figure shows one 512-byte sector)
The first step in initializing a drive is a low-level format. It lays down the sector structure and establishes the communication, or hand-shaking, between the drive and its controller. The most commonly used low-level format creates sectors that contain 512 bytes of data storage area.
Drives are normally low-level formatted at the factory and cannot be low-level formatted by the local dealer or the consumer without special software. Older model drives (MFM, ST-506, etc.) could be low-level formatted by the local dealer or a knowledgeable user.

36 Results of Low-level Format
(figure: the sectors organized by tracks, showing all the sectors on one track)
The low-level formatting process works cylinder by cylinder. This minimizes the amount of head movement required during the format process.

37 Initializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record (MBR) at Cylinder 0, Head 0, Sector 1; the remainder of that track is "Reserved"
Master Boot Record = Master Boot Code + Master Partition Table
Using FDISK, we first create a primary partition which contains logical drive C. This partitioning information is stored in the Master Partition Table in the MBR, located at cylinder 0, head 0, sector 1. Any primary or extended partition is defined there.
The remaining sectors on that track are reserved by DOS; normally no other information is written there. Data can be written to this space only with a disk editor that addresses the space directly. Some software, such as disk encryption or password protection products, may also read and write the reserved area, bypassing the operating system. To date, DOS itself has not used that space, so anything found there was written by something other than DOS and deserves a look.
Master Boot Code: a very small program that transfers control to whatever boot program is in the active (i.e. startable) partition. In many systems of the time this would be the OS/2 Boot Manager.

38 Master Partition Table
Maximum of 4 entries; unused entries are blank (all 0's)
Valid entries contain the essential information about the partition: partition type/code, active (yes or no), partition start and end information
A partition table is 64 bytes long and sits at offset 446 (0x1BE) of the MBR, followed by the 2-byte boot signature 0x55 0xAA at offset 510. An entry in the partition table is 16 bytes long, so there is room for 4 entries, but not all of them have to be used.
In order for the BIOS or an operating system to recognize a partition, its entry must contain recognizable, valid information.
The term "Active partition" refers to the primary partition that is designated as such in the Master Partition Table. During the boot process, the partition table is examined to identify the active primary partition, and the master boot code redirects the boot process to the first sector of that partition. To actually boot the system, that partition must also contain the necessary system files. There can be only one active partition, and only a primary partition may be marked active.

39 Types of Entries in Master Partition Table
Primary Partition(s) - up to 4 allowed; each contains one logical drive; only one may be marked as "Active"
Extended Partition (only 1 allowed) - contains one or more logical drives. Each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries are used)
Partition ≠ logical drive
Total number of entries in the master table may not exceed four!

40 Partition Type Codes
File systems are assigned characteristic type codes that are listed in partition table entries
DOS/Windows operating systems recognize specific type codes and assign a drive letter to those supported
DOS/Windows systems will not assign a drive letter to partition types they do not support
Other operating systems, such as Linux, Macintosh, and Unix, do not use drive letters to designate logical or physical drives.

41 Common Partition Type Codes
(The original slide linked to a comprehensive list of partition types and other sources of information; the link is not preserved here.)
Type      | FAT | Size            | DOS version
01        | 12  | < 16 Mb         | 2.0
04        | 16  | 16 Mb - 32 Mb   | 3.0
05 (Ext)  | -   | 0 - 2 Gb        | 3.3
06        | 16  | 32 Mb - 2 Gb    | 4.0
0B        | 32  | 512 Mb - 2 Tb   | OSR2
0C        | 32x | 512 Mb - 2 Tb   | OSR2
0E        | 16x | 32 Mb - 2 Gb    | W95
0F (Extx) | -   | 0 - 2 Tb        | W95
("x" marks the variants accessed through LBA / INT 13h extensions rather than CHS.)

42 Single Primary Partition
(figure: MBR at cylinder 0, head 0, sector 1, followed by the reserved remainder of the track)
Using FDISK, we first create a primary partition. This partitioning information is stored in the Master Partition Table in the MBR, located at cylinder 0, head 0, sector 1. Any primary or extended partition is defined there.

43 Single Primary Partition (Cont.)
(figure: hard drive with one active primary partition, i.e. a single logical drive)
Many disk drives are partitioned in this basic manner: one active, primary DOS partition is created, using the entire drive. Many newer systems, with large hard drives, use multiple partitions.

44 Single Primary Partition (Cont.)
(screenshot: Master Partition Table as shown by DiskEdit; the object is the "Partition Table" (master boot record) at Cyl 0, Side/Head 0, Sector 1, and "Yes" in the Boot column indicates the active partition)

45 One Primary with Extended Partition
(figure: MBR and partition table, a primary partition, an extended partition, and the reserved track)
In this case, a smaller primary partition is made, using only a portion of the hard drive. FDISK may then be used to set up an extended partition with the remaining sectors. Within that partition, one or more logical drives may be defined. This example shows the entire extended partition being used for one logical drive. When the system reboots, DOS recognizes the existence of two logical drives (the primary partition, and the single logical drive defined in the extended partition) and assigns a drive letter to each. We now have two partitions on our physical drive: a primary partition and an extended partition containing the second logical drive.

46 Each partition table points to the next
(figure: the MBR partition table and the chain of partition tables inside the extended partition)
The Master Partition Table (found in the MBR) defines any primary or extended partition on the drive. Within an extended partition, each logical drive has its own partition table. Each such table defines the limits of the logical volume it precedes and points to the location of the next partition table. In this way the partition tables are "linked": one table points to another. Once all the desired partitions are set up, the system must be rebooted (from floppy) so that the partitioning information is read and the logical drive letters are assigned.

47 One Primary & One Extended
(screenshot: Master Partition Table as shown by DiskEdit at Cyl 0, Side/Head 0, Sector 1, with the primary partition entry and the extended partition entry)
The extended partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.

48 One Primary & One Extended
(screenshot: Extended Partition Table as shown by DiskEdit at Cyl 80, Side/Head 0, Sector 1)
The partition table located at Cyl 80, Side/Head 0, Sector 1 defines the first logical drive in the extended partition and, in its second entry, points to the next partition table location (that entry is blank when this is the last logical drive).

49 Partitions and More Than One Logical Drive
(figure: graphical depiction of a primary partition plus an extended partition containing three logical DOS volumes, lettered C:, D:, E:, F:)
An extended partition may contain more than one logical partition: here primary, extended and logical partitions together yield four drive letters.

50 Why Care about Partitioning?
Important point: when examining a suspect's hard drive, why is it necessary to know how it's partitioned? Reasons to examine the partition tables:
To look for multiple operating systems
To look for hidden partitions
To make sure all space on the drive is accounted for


52 Hidden Partitions
(screenshot: view of a hidden partition using the PART utility)
Partitions can be hidden. Using a program like DiskEdit, a suspect could change the partition table pointers and hide vast amounts of data; to access the data, he would simply reset the pointers to the original settings. While this method is technically difficult, software such as PartitionMagic, GDISK and PART makes hiding partitions simple: the user issues a command and the utility does the work by a different method. These utilities change the type code in the partition table entry to a value DOS does not recognize, so the partition receives no drive letter. The conventional hidden codes set bit 0x10 of the normal code (e.g. 0x16 for a hidden FAT16 partition, 0x17 for hidden NTFS, 0x1B/0x1C for hidden FAT32), which is why an examiner reads the raw type byte instead of trusting the drive letters the OS presents.
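The partition-table layout of slides 38 and 39, the linked tables of slide 46, the accounting reasons of slide 50 and the hidden-type trick above, in one added Python example that is not from the course or from PART, DiskEdit or PartitionMagic: it parses the MBR's four 16-byte entries, follows the EBR chain to reach every logical drive, flags type codes DOS would not give a drive letter (with the 0x10 "hidden" bit as the specific case), and reports every sector range no partition covers. The disk image is constructed in memory; the 0xFE 0xFF 0xFF CHS filler is the conventional "use LBA" value, and the hidden-code set is derived as the normal code with 0x10 set.

```python
import struct

# Walks an MBR partition table and the linked extended-partition (EBR) chain, flags
# "hidden" type codes, and lists every sector range no partition accounts for.
# Added example, not from the slides or any tool named on them; the disk is a
# constructed 2 MiB in-memory stand-in.
SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
# Codes DOS/Windows gives a drive letter: FAT12, FAT16, FAT16B, NTFS/HPFS, FAT32, FAT32-LBA, FAT16-LBA
DOS_VISIBLE_TYPES = {0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E}
# The same file systems with bit 0x10 set: what PartitionMagic-style tools write to hide a partition
HIDDEN_TYPES = {t | 0x10 for t in DOS_VISIBLE_TYPES}


def encode_chs(c, h, s):
    """Pack (cylinder, head, sector) into the 3-byte partition-entry form."""
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def decode_chs(b):
    """Byte 0 = head; byte 1 = sector (low 6 bits) + cylinder bits 8-9; byte 2 = cylinder bits 0-7."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F


def parse_table(sector):
    """Return the non-empty 16-byte entries of the partition table at offset 446 of a sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, chs_s, ptype, chs_e, lba, size = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 and size == 0:
            continue  # unused entry: all zeros
        entries.append({"index": i, "active": status == 0x80, "type": ptype, "chs_start": decode_chs(chs_s),
                        "chs_end": decode_chs(chs_e), "lba_start": lba, "sectors": size})
    return entries


def read_sector(disk, lba):
    return disk[lba * SECTOR:(lba + 1) * SECTOR]


def walk_partitions(disk):
    """Primaries from the MBR plus every logical drive reached by following the EBR links."""
    found = []
    for e in parse_table(read_sector(disk, 0)):
        if e["type"] not in EXTENDED_TYPES:
            found.append({**e, "kind": "primary"})
            continue
        ext_start, ebr, seen = e["lba_start"], e["lba_start"], set()
        while ebr not in seen:  # a looped chain would otherwise spin forever
            seen.add(ebr)
            nxt = None
            for le in parse_table(read_sector(disk, ebr)):
                if le["type"] in EXTENDED_TYPES:
                    nxt = ext_start + le["lba_start"]  # link entry is relative to the extended partition start
                else:  # logical drive entry is relative to this EBR
                    found.append({**le, "kind": "logical", "lba_start": ebr + le["lba_start"]})
            if nxt is None:
                break
            ebr = nxt
    return found


def audit(disk, total_sectors):
    """Return (partitions, findings, unallocated sector ranges) for an examiner's review."""
    parts = walk_partitions(disk)
    findings = []
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append(f"hidden partition type 0x{p['type']:02X} at LBA {p['lba_start']} ({p['sectors']} sectors)")
        elif p["type"] not in DOS_VISIBLE_TYPES:
            findings.append(f"type 0x{p['type']:02X} at LBA {p['lba_start']} gets no DOS/Windows drive letter")
    gaps, cursor = [], 0  # every sector of the drive must be accounted for
    for start, end in sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return parts, findings, gaps


def make_entry(active, ptype, lba_start, sectors, chs_start=b"\xfe\xff\xff", chs_end=b"\xfe\xff\xff"):
    return struct.pack("<B3sB3sII", 0x80 if active else 0, chs_start, ptype, chs_end, lba_start, sectors)


def make_table_sector(entries):
    return b"\x00" * 446 + b"".join(entries) + b"\x00" * (16 * (4 - len(entries))) + b"\x55\xaa"


def constructed_image(total_sectors=4096):
    """Constructed disk: primary FAT16 (C:), then an extended partition holding a visible and a hidden logical drive."""
    disk, ext_start = bytearray(total_sectors * SECTOR), 1063
    disk[0:SECTOR] = make_table_sector([make_entry(True, 0x06, 63, 1000, encode_chs(0, 1, 1), encode_chs(1, 0, 55)),
                                        make_entry(False, 0x05, ext_start, 2000)])
    disk[ext_start * SECTOR:(ext_start + 1) * SECTOR] = make_table_sector([
        make_entry(False, 0x06, 63, 900),      # D: begins 63 sectors after this EBR
        make_entry(False, 0x05, 1000, 1000)])  # next EBR lies 1000 sectors into the extended partition
    ebr2 = ext_start + 1000
    disk[ebr2 * SECTOR:(ebr2 + 1) * SECTOR] = make_table_sector([make_entry(False, 0x1B, 63, 900)])  # hidden FAT32
    return bytes(disk), total_sectors


if __name__ == "__main__":
    parts, findings, gaps = audit(*constructed_image())
    print(findings, gaps)
```

On the constructed image the audit reports the reserved track (sectors 0 to 62), the unused sectors after each EBR, and the 1,070 sectors past the last logical drive, exactly the places the slides say an examiner must account for, plus the hidden FAT32 drive that no DOS drive letter would reveal. To run it against evidence, feed `audit` the first few MiB of a raw (dd) image and the drive's real LBA sector count.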

53 Hidden Partitions This partition disappears!

54 Partition Table Doctor
(Link on the original slide not preserved.) The only limitation is that the DEMO version cannot write to disk.
Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP)
Display complete physical and logical drive information
Fix the boot sector of FAT and NTFS partitions
Preview boot files and boot directories of each partition before recovery
Back up the MBR (Master Boot Record), partition table, and boot sectors
Restore the MBR, partition table and boot sectors from a backup file if they are damaged
Support IDE / ATA / SATA / SCSI drives

55 Main Window

56 Partition->Edit Properties

