Presentation is loading. Please wait.

Presentation is loading. Please wait.

BACS 371 Computer Forensics

Similar presentations

Presentation on theme: "BACS 371 Computer Forensics"— Presentation transcript:

1 BACS 371 Computer Forensics
Files & Partitions

2 Data Hierarchy Computer Hard Disk Drive Partition File Cluster Sector
Physical File Logical File Cluster Sector Word Byte Bit

3 File Collection of Information written to a disk
Generally created in an application-specific format Occupies a fixed number of clusters Each file’s cluster has a pointer to the next cluster in the file The final cluster contains the End of File (EOF) marker

4 Files Logical File Size Physical File Size File Slack
Exact size of contents of file in bytes Physical File Size Amount of space a file occupies on disc in bytes File Slack Unused space between logical end of file and physical end of a cluster Two types: RAM slack and Disk Slack Physical File Size <- Logical File Size -> <- File Slack ->

5 File Slack What does File Slack Contain? Who knows??!!
Old data that was deleted but not overwritten yet May contain remnants of older files, or other evidence including Passwords Old directory structures Miscellaneous information

6 File Slack Example Hello World! Has 12 Characters in the file
But occupies 4096 bytes on the disk!

7 File Slack Example

8 File Slack Example File Contents: “Hello world!” 12 bytes 3rd Sector
Disk Slack: 4096 Bytes – 512 Bytes = 3584 Bytes Assumptions: Sector Size = 512 Bytes Cluster Size = 4KB = 8 Sectors 2nd Sector RAM Slack: 512 bytes – 12 bytes = 500 bytes

9 File Slack Example RAM Slack Disk Slack
The file has only 12 characters, but must write a minimum 512-byte block to the disk – the other 500 characters are whatever happen to be in RAM at the time Disk Slack The file system must always write in multiples of clusters (4096 bytes in this case.) The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.

10 RAM Slack Unused space at the end of a sector
Contains information adjacent to the stored information from Main Memory (RAM)

11 Partitions

12 Partition Layout

13 Master Boot Record (MBR)
Executable Code Machine Language Code Processor Specific Decodes Partition Table 446 bytes long Partition Table 4 Entries First Entry Starts at offset 0x01BE MBR “Signature” 0x55AA

14 Partition Table A partition is a logical drive or volume
Describes every logical volume on disk Master Partition Table Contains descriptions of partitions on disk Room to describe 4 primary partitions One partition is marked as active and is used for booting Partition Gap Unused space between partitions

15 Partition Boot Sector 0x00-0x02 Jump Instruction (3 bytes)
0x03-0x0A OEM ID (8 Bytes) 0x0B-0x53 BIOS Parameter Block (BPB) (includes all below plus additional fields) 0x0B Bytes Per Sector 2 Bytes 0x0D Sectors Per Cluster 1 Byte 0x15 Media Descriptor 1 Byte 0x18 Sectors Per Track 2 Bytes 0x1A Number of Heads 2 Bytes 0x1C Hidden Sectors 4 Bytes 0x20 Total Sectors 4 Bytes 0x3E-0x1FF Bootstrap Code (448 Bytes) Ends with 55 AA NOTE: Offsets are from start of Partition, not start of Drive!

16 Partition Boot Record (PBR)
BIOS Parameter Block Executable Code Machine Language Code Processor Specific Decodes BPB Searches for OS PBR “Signature” 0x55AA

17 Partition Boot Sector AKA File System Boot Sector
The first physical sector in a logical volume C 0, H 1, S 1 for first partition Contains Code File System Specification Information

18 Partition Boot Sector Decoded

19 Extended Partition Layout

20 Computer Boot Process Power-on Signal CPU Reset ROM BIOS/bootstrap
POST (Power On Self Test) Memory test Support circuitry Major Peripherals (ROM) Boot Drive A: CDROM Hard Drive Master Boot Record (Volume) Boot Record

21 Computer Boot Details Power Switch Activated
Power Supply performs self-test (PowerGood signal to Motherboard) Microprocessor executes BIOS code starting at 0xFFFF0000 – tests hardware Power On Self Test (POST) executed – checks CPU, ROM, RAM, support circuitry, peripherals BIOS searches for MBR at C 0, H 0, S1 on default boot drive MBR loaded into memory and tested/executed MBR code locates first bootable partition Partition Boot Record is loaded into memory and tested/executed Operating System is loaded based upon command in PBR NTLDR IOSYS On NTFS volumes NTLDR loads the $MFT; The NT volume is mounted NTDETECT.COM detects computerID, bus adapter, video adapter, … NTLDR loads NTOSKRNL.EXE (kernel) and HAL.DLL (hardware abstraction layer) The kernel initiates the OS

Download ppt "BACS 371 Computer Forensics"

Similar presentations

Ads by Google