Bits, Bytes, Files, Hard Drives

Bits, Bytes, Letters and Words ● Bit – single piece of information ● Either a 0 or a 1 ● Byte – 8 bits of information ● 1 ASCII Character ● Letters ● Word is a collection of letters/characters ● Is just string of bits.

Hard Drive Geometry Platter with 2 heads Top and Bottom Sector Track Second platter

Tracks, Heads, Sectors ● Heads, Tracks and Sectors – Head is one side of a platter ● Drives usually have 1 or 2 platters, hence 1 – 4 heads – Track is an narrow ring around a platter ● There upwards of 20,000 tracks per inch of platter. ● 3.5” hard drive has 1.2” of platter = 24,000 tracks – Sector is a pie shaped piece of the platter. ● 1” of track can hold about 200,000 bits of information ● 10 – 40 Gigabits per platter

Sectors ● Each sector has a unique address on the hard drive. ● Each sector is exactly 512 bytes. ● Minimum amount that can be read or written.

Time and Technology ● HDD Addressing – Olden days: head/sector/track ● Worked for small drives – Today: LBA – Logical Block Address ● Capable of addressing Tera bytes of dat

Read – Write ● The computer can access only one sector at a time. ● Must read or write exactly 1 sector (512 bytes). ● To change 1 character in a document: ● Read 1 sector ● Change the character ● Write 1 sector

Logical Structure of a HDD ● The hard drive can be subdivided into partitions or volumes. ● Partition structure is important for the integrity of the drive. ● It can be analyzed by WinHex. ● But not for this course

Partitions Partition 1Partition 2 Partition Table Extended Partition

Windows – Drives ● In Windows drives are specified by a letter followed by a colon. ● C:, D:, etc. ● Each drive is either a partition or an actual hard drive. ● Often referred to as logical drives.

Files ● A File is data that is related, as such it is a logical grouping of data. ● Files are allocated storage space on a drive when it is created. ● As a file is used it is allocated more space as needed. ● File names usually have a first name that is descriptive of its contents. ● And a second name, the file extension, that indicates the type of file, such as.txt,.pdf,.exe, etc.

Clusters ● Space is allocated to a file one cluster at a time – A cluster is a fixed number of sectors ● Must be a power of 2 (1,2,4,8,... 64) – Unused sectors retain the data that was on them prior to allocation – A cluster is the minimum file allocation unit

Disk Storage Review ● Data is stored on disks one entire sector at a time – A sector is usually 512 bytes – If you use only one byte, the system still provides the other 511 bytes for you – A sector is the minimum size read from, or written to, a disk – A sector is the minimum I/O unit

Clusters Sector 1 Sector 2 Sector 3 Sector 4 Cluster 1 Sector 1 Sector 2 Sector 3 Sector 4 Cluster 2

File Data Sector 1 Sector 2 Sector 3 Sector 4 Cluster 1 Sector 1 Sector 2 Sector 3 Sector 4 Cluster 2

Slack ● Slack is the space allocated to a file, but unused – Space at the end of a sector that remains unused by the file – Sectors allocated to the file that the file hasn’t yet used ● Slack space often contains useful evidence – Unused bytes in an allocated sector are less useful – Unused sectors in an allocated cluster retain their original contents and are very useful ● Current operating systems write 0’s in the slack space per sector, often leaving the residual data in the unused sectors in the allocated cluster.

File Data Sector 1 Sector 2 Sector 3 Sector 4 Cluster 1 Sector 1 Sector 2 Sector 3 Sector 4 Cluster 2 Slack Space

Unallocated Clusters ● Many clusters on a modern hard drive are unallocated ● Some have never contain data ● Unallocated clusters may have been allocated earlier though and since been deleted –These clusters retain their data until they are reallocated to a new file –Deleted files are still recoverable!

File Systems ● High-level formatting creates file system data structures –Root directory –Data that tracks which clusters are unused, allowing the OS to find available clusters quickly File Allocation Table (FAT) on older Windows systems $Bitmap in the Master File Table (MFT) on newer Windows –Exact details depend on operating system

FAT ● FAT – File Allocation Table ● Keeps a table of clusters and connects the ones used for a file and which are unallocated. ● Also keeps a directory in the data area of the partition. ● MAC times ● File name ● First cluster – FAT tells the rest of the clusters

File Allocation Table Concepts Partition 1Partition 2 FAT File System Reserved Area FAT AreaData Area FAT Boot Sector Primary and Backup FATs Clusters FAT Entry 000 … … … 072 FFF … … next cluster Cluster 001 … not allocated next cluster end of file

FAT Directories Partition 1Partition 2 FAT File System Reserved Area FAT AreaData Area FAT Boot Sector Primary and Backup FATs Clusters DirectoryFiles Directory Entry Long File Name 8.3 Filename File attributes (read only, hidden, system, archive, etc.) Created time/day Accessed day Modified time/day First cluster address Size of file (0 for directory)

Deleting a FAT File Deleting C:taxes.txt Find the FAT, and Data areas Locate taxes.txt in the Directory for C:; determine its starting cluster Go to the FAT Set FAT entries for taxes.txt cluster to 0 Therefore not allocated Follow the links Change filename to  axes.txt in C: directory –First character becomes 0xE5

WinHex to the Rescue ● Presents the file system ● Lets you look at the individual files ● Shows files that have been deleted ● Attempts to recover deleted files ● Gathers slack space

Deleted Files

Go Find The File

Note the First Character of Name

Attempts to Recover File

Unallocated Space ● After deleting a file the previously allocated clusters become unallocated. ● They ready to be allocated to some other file. ● They have not been touched. ● They still contain the data from the original file. ● You can recover the data so long it hasn’t been written over by a new file.

Media Details

Disk Analysis Space Alphabet

Text Search

Files and Drives ● Hard drive geometry ● File systems ● Files ● WinHex