Presentation is loading. Please wait.

Presentation is loading. Please wait.

Storage Forensics Anatomy of a Hard Drive

Published byValentin Meissner Modified over 6 years ago

Similar presentations

Presentation on theme: "Storage Forensics Anatomy of a Hard Drive"— Presentation transcript:

1 Storage Forensics Anatomy of a Hard Drive
© Dr. D. Kall Loper, all rights reserved Storage Forensics Anatomy of a Hard Drive

2 Theory of Operation In recent years, the field of storage forensics has been complicated by the introduction of new hard drive technologies and rapidly growing storage capacities. In October of 2004, 250 GB EIDE hard drives are available as “mainstream” drives. With 4 EIDE controllers per board, a 1 terabyte system are possible. In February of 2012, 3 TB SATA3 hard drives are available as “mainstream” drives. With 6 SATA controller on the motherboard, 18 TB systems can be found. © Dr. D. Kall Loper, all rights reserved

3 Theory of Operation Hard drive developments can be understood in the context of the three imperatives of hard drive manufacturers: Storage Density, Speed, & Heat/Energy Savings © Dr. D. Kall Loper, all rights reserved

4 Theory of Operation Storage Density
Storage density allows manufacturers to increase the storage capacity of hard drives. By packing more bits closer together, storage capacity has increased without the form factor (physical size) of the device increasing. © Dr. D. Kall Loper, all rights reserved

5 Theory of Operation Storage Density (cont.)
Some of the physical differences in hard drives can be explained by the increasing density of information. Multiple platters allow more storage space. A denser magnetic medium means that individual bits can be written in smaller physical space and still be resolved by new, more sensitive read heads. More precision means less space must be wasted between tracks of data arranged in concentric rings on the disk. © Dr. D. Kall Loper, all rights reserved

6 Theory of Operation Speed
Speed is a constant goal of storage manufacturers. The storage system of most computers is its slowest link. By increasing the speed of the hard drive, significant speed increases can be obtained for common tasks. © Dr. D. Kall Loper, all rights reserved

7 Theory of Operation Speed (cont.)
The fastest part of the computer can only operate as quickly as the data and instructions can arrive. Computer architecture is designed to keep the most frequently used and most vital information in the fastest storage possible. © Dr. D. Kall Loper, all rights reserved

8 Anatomy of a Hard Drive Illustration Anatomy Lesson
Physical Structures Logical Structures Files System Illustration © Dr. D. Kall Loper, all rights reserved

9 Physical Structures Illustration
Photo courtesy of Western Digital © Dr. D. Kall Loper, all rights reserved

10 Theory of Operation Techniques to enhance speed
Keep data in the fastest storage possible. Electro-magnetic operations are fastest. Disk rotation is the next fastest Arm movements are the slowest Many slow operations performed at the same time can move data quickly. Platters can be written simultaneously Blocks of data are written together* *RAM Slack © Dr. D. Kall Loper, all rights reserved

11 Physical Structures Illustration Magnetic Force Microscope
Image Courtesy NIST © Dr. D. Kall Loper, all rights reserved

12 Physical Structures Illustration A Bit As Seen Through an MFM
Notice the fine granularity of the picture. The MFM can read magnetic domains thousands of times smaller than the read/write head. Illustration Image Courtesy NIST © Dr. D. Kall Loper, all rights reserved

13 Physical Structures Illustration A Bit As Seen Through an MFM
Apparently Entropic Region Illustration Manufacturing imperfection in Read/Write Head Image Courtesy NIST © Dr. D. Kall Loper, all rights reserved

14 Anatomy of a Hard Drive Illustration Tracks Read/Write Head Buffer
Magnetic Field © Dr. D. Kall Loper, all rights reserved

15 Theory of Operation Perpendicular Magnetic Recording
© Dr. D. Kall Loper, all rights reserved

16 Anatomy of a Hard Drive Illustration Magnetic Force Microscope
© Dr. D. Kall Loper, all rights reserved

17 Theory of Operation Solid State Storage (SSD)
Reads are approximately twice as fast as writes. Initial fall-off speeds are related to this. All blocks operate at the same speed—no fast zones like HDDs Fragmentation is not relevant. Defragmentation only burns write cycles. © Dr. D. Kall Loper, all rights reserved

18 Physical Structures Illustration
SATA Interface Power Data Flash Controller Flash Memory Illustration OCZ Core Series MLC Photo courtesy of OCZ © Dr. D. Kall Loper, all rights reserved

19 Logical Structures Illustration SATA Interface Flash Controller NAND
© Dr. D. Kall Loper, all rights reserved

20 Theory of Operation Solid State Storage (SSD)
Wear-leveling extends life of memory blocks—usually. Proprietary schemes vary performance by up to 300%. Reserved areas decrease systemic failure. Efficient write allocation degrades performance, but increases total life span. Swapping static files increases total life span. © Dr. D. Kall Loper, all rights reserved

21 And the Associated Standards
Physical Interfaces And the Associated Standards

22 Data Storage Interfaces
Data Interfaces AT Attachment Interface PATA ATAPI (ATA Packet Interface – Optical) SATA Small Computer System Interface SCSI LVD HVD SE (Single Ended) SAS *Nerds: ATAPI actually uses the SCSI command set, but the AT Attachment. *Nerds: SATA is a Low Voltage Differential system, but uses Serial channels. SCSI, starting with Ultra 2, began using LVD signaling. Ultra 3 was often marketed under “SCSI LVD160” Ultra 4 was called “SCSI LVD320.” © Dr. D. Kall Loper, all rights reserved

23 Acquisition SATA Power Connector Illustration SATA Data Connector

24 Acquisition SATA Power Connector Illustration

25 Acquisition Illustration SATA Power Connector – Contacts Exposed
Alignment Flange Illustration Alignment Notch Side View

26 Acquisition SATA Connector Illustration

27 Acquisition Illustration SATA Connector – Contacts Exposed
Alignment Notch Illustration Serial ATA Technology 3rd Edition: Technology Brief Alignment Flange

28 Acquisition Jumpers Illustration 40-pin IDE Data Connector Molex Power

29 Anatomy of a Hard Drive Illustration Anatomy Lesson
Physical Structures Logical Structures Files System Illustration © Dr. D. Kall Loper, all rights reserved

30 Anatomy of a Hard Drive Low-level Formatting Defines Cylinders
Defines Tracks Defines Sectors © Dr. D. Kall Loper, all rights reserved

31 Anatomy of a Hard Drive Definitions Track
During a low-level format, hard disks platters are divided into tracks and sectors. Tracks define concentric circles on a disk. Definitions Access Data (2003). Forensic tool kit: User’s guide. Orem, UT: Access Data. p. 242 © Dr. D. Kall Loper, all rights reserved

32 Anatomy of a Hard Drive Definitions Cylinder
A cylinder is a track that writes across all of the platters in a hard disk drive. Tracks are not used in physical addressing schemes. Definitions Access Data (2003). Forensic tool kit: User’s guide. Orem, UT: Access Data. p. 241 © Dr. D. Kall Loper, all rights reserved

33 Anatomy of a Hard Drive Illustration
Physical disks (platters) are arranged on a central spindle. Cylinders are logical structures that span the platters—based on tracks. When read/write heads fall on one location, the other platters may also be written without moving the heads. Written data spans all of the platters. Illustration © Dr. D. Kall Loper, all rights reserved

34 Anatomy of a Hard Drive Definitions Sector
During a low-level format, hard disks are divided into tracks and sectors. Sectors are segments with each track. Definitions Constant Sector Zone Bit Recording Image ©The PC Guide, Charles M. Kozierok 2001 © Dr. D. Kall Loper, all rights reserved

35 Anatomy of a Hard Drive Illustration Constant Sector Tracks
Early hard disks controllers couldn't handle complicated arrangements that changed between tracks. As a result, every track had the same number of sectors. Illustration Image ©The PC Guide, Charles M. Kozierok 2001 © Dr. D. Kall Loper, all rights reserved

36 Anatomy of a Hard Drive Illustration Zone Bit Recording
To eliminate wasted space, tracks are grouped into zones. From the innermost part of the disk to the outer edge successive zones contain more sectors per track. This allows for more efficient use of the larger tracks on the outside of the disk. Illustration Image ©The PC Guide, Charles M. Kozierok 2001 © Dr. D. Kall Loper, all rights reserved

37 Anatomy of a Hard Drive Definitions Advanced Format (Large Sector)
As of 2010, hard disk manufacturers are transitioning from small sectors (512 bytes) to large sectors (4,096 bytes). Advanced format disk controllers can emulate 512 byte sector size for backward compatibility. Definitions © Dr. D. Kall Loper, all rights reserved

38 Anatomy of a Hard Drive Advanced Format (Large Sector)
Historically, sector size has been 512 bytes. Modern operating systems tend to gather these sectors into logical clusters or blocks to optimize storage. When storage size was at a premium, block size was carefully matched to expected storage needs to minimize cluster waste. Today, the default is often 4,096 bytes (4k). © Dr. D. Kall Loper, all rights reserved

39 Anatomy of a Hard Drive Advanced Format (Large Sector)
For every byte storage blocks, Advanced format drives save 512 bytes worth of storage space by omitting disk housekeeping items. Data Area 4,096 bytes ECC Gap Servo Sync Address Error Correcting Code © Dr. D. Kall Loper, all rights reserved

40 Anatomy of a Hard Drive Advanced Format (Large Sector)
In addition, a larger, unified ECC block allows for more robust error correction. Advanced format ECC can handle corruption of 4 times more data per sector. Data Area 4,096 bytes ECC Gap Servo Sync Address Error Correcting Code © Dr. D. Kall Loper, all rights reserved

41 Anatomy of a Hard Drive Definitions CHS Addressing
A now obsolete method of location data on a disk by stating it in terms of Cylinder, Head, Sector. References to this method are retained in all modern MBR-based systems for backward compatibility. Definitions © Dr. D. Kall Loper, all rights reserved

42 Anatomy of a Hard Drive CHS addressing was limited by the BIOS’s ability to interpret these values. C=1024, H=16, and S=63 giving a limit of 504 MB “Enhanced BIOS” (Int13) C=1024, H=255, and S=63 giving a limit of 7.8 GB © Dr. D. Kall Loper, all rights reserved

43 Anatomy of a Hard Drive Math CHS Allocation Blocks =
Cylinder * Heads * Sector Math Access Data (2003). Forensic tool kit: User’s guide. Orem, UT: Access Data. p. 241 © Dr. D. Kall Loper, all rights reserved

44 Anatomy of a Hard Drive CHS Conclusion
CHS values have been virtualized beyond any actual association with physical structures for all HDD’s above 504 MB. No longer used in favor of arbitrary indexed addressing system. © Dr. D. Kall Loper, all rights reserved

45 Anatomy of a Hard Drive Definitions LBA, Logical Block Addressing
An LBA is an indexed value that defines a storage location on the drive. CHS addressing is no longer used in favor of this scheme. Definitions © Dr. D. Kall Loper, all rights reserved

46 Anatomy of a Hard Drive High-level Format Implements File System
Defines File Allocation Table (index of files) Master Boot Record (system information) Sets Cluster Size © Dr. D. Kall Loper, all rights reserved

47 Anatomy of a Hard Drive Definitions Cluster
Fixed-length blocks that store files. Each cluster is assigned a unique number by the computer operating system. A cluster is a high-level formatting artifact. Definitions Access Data (2003). Forensic tool kit: User’s guide. Orem, UT: Access Data. p. 241 © Dr. D. Kall Loper, all rights reserved

Download ppt "Storage Forensics Anatomy of a Hard Drive"

Similar presentations

Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:

Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:
Hard Disk Drives Chapter 7.

Hard Disk Drives Chapter 7.
Faculty of Information Technology Department of Computer Science Computer Organization Chapter 7 External Memory Mohammad Sharaf.

Faculty of Information Technology Department of Computer Science Computer Organization Chapter 7 External Memory Mohammad Sharaf.
COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.

COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.
Magnetic Disk Magnetic disks are the foundation of external memory on virtually all computer systems. A disk is a circular platter constructed of.

Magnetic Disk Magnetic disks are the foundation of external memory on virtually all computer systems. A disk is a circular platter constructed of.
Disk Fundamentals. More than one platter (round cylinders)

Disk Fundamentals. More than one platter (round cylinders)
Chapter4: Memory External Memory.

Chapter4: Memory External Memory.
“Redundant Array of Inexpensive Disks”. CONTENTS Storage devices. Optical drives. Floppy disk. Hard disk. Components of Hard disks. RAID technology. Levels.

“Redundant Array of Inexpensive Disks”. CONTENTS Storage devices. Optical drives. Floppy disk. Hard disk. Components of Hard disks. RAID technology. Levels.
EET 450 – Advanced Digital Chapter 10 Hard Disk Drives.

EET 450 – Advanced Digital Chapter 10 Hard Disk Drives.
EET 450 - Advanced Digital Chapter 8 Mass Storage.

EET Advanced Digital Chapter 8 Mass Storage.
CPSC 231 Secondary storage (D.H.)1 Learning Objectives Understanding disk organization. Sectors, clusters and extents. Fragmentation. Disk access time.

CPSC 231 Secondary storage (D.H.)1 Learning Objectives Understanding disk organization. Sectors, clusters and extents. Fragmentation. Disk access time.
IDE and SCSI Devices Terms and Definitions.

IDE and SCSI Devices Terms and Definitions.
Mass Storage System EMELIZA R. YABUT MSIT. Overview of Mass Storage Structure Traditional magnetic disks structure ◦Platter- composed of one or more.

Mass Storage System EMELIZA R. YABUT MSIT. Overview of Mass Storage Structure Traditional magnetic disks structure ◦Platter- composed of one or more.
12.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 12: Mass-Storage Systems.

12.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 12: Mass-Storage Systems.
Secondary Storage Unit 013: Systems Architecture Workbook: Secondary Storage 1G.

Secondary Storage Unit 013: Systems Architecture Workbook: Secondary Storage 1G.
A+ Guide to Managing and Maintaining Your PC, 7e

A+ Guide to Managing and Maintaining Your PC, 7e
A+ Guide to Managing and Maintaining Your PC Fifth Edition Chapter 8 Understanding and Installing Hard Drives.

A+ Guide to Managing and Maintaining Your PC Fifth Edition Chapter 8 Understanding and Installing Hard Drives.
Physical Storage and File Organization COMSATS INSTITUTE OF INFORMATION TECHNOLOGY, VEHARI.

Physical Storage and File Organization COMSATS INSTITUTE OF INFORMATION TECHNOLOGY, VEHARI.
Lecture 9: The FAT and VFAT Filesystems 6/16/2003 CSCE 590 Summer 2003.

Lecture 9: The FAT and VFAT Filesystems 6/16/2003 CSCE 590 Summer 2003.
Understanding and Troubleshooting Your PC. Chapter 5: Understanding, Installing, and Troubleshooting Disk Drives2 Chapter Objectives  In this chapter,

Understanding and Troubleshooting Your PC. Chapter 5: Understanding, Installing, and Troubleshooting Disk Drives2 Chapter Objectives  In this chapter,

Similar presentations

Ads by Google