Slide 1: 91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 7
Working with Windows
and DOS Systems

Slide 2: Outline
Understanding the boot sequence
Understanding disk drives
Understanding partitioning and formatting

Slide 3: Understanding the Boot Sequence
Avoid data contamination or modification
Make sure the computer boots from a floppy disk
Keys used to enter the BIOS setup screen (they vary by manufacturer):
Delete key
Ctrl+Alt+Insert
Ctrl+A
Ctrl+F1
F2
F12

Slide 4: Understanding the Boot Sequence (Cont.)
Who provides this setup screen for you?

Slide 5: BIOS - Basic Input/Output System
A piece of firmware ("software on a chip")
Provides support for the following devices and features of your system
Select and configure hard drives, floppy drives, and CD-ROM drives
Configure main and cache memory
Support different CPU types, speeds, and special features
Support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play)
Many others

Slide 6: BIOS on the Motherboard
[Figure: motherboard photo with the BIOS chip and the battery labeled]
http://www.informit.com/articles/article.asp?p=130913&seqNum=4&rl=1

Slide 7: Two Components Supporting BIOS
CMOS chip, also known as the RTC/NVRAM (Real-Time-Clock/Non-Volatile RAM)
Stores settings
Contains the system's Real-Time-Clock circuit
Battery
Powers the CMOS to keep its settings

Slide 8: Outline
Understanding the boot sequence
Understanding disk drives
Understanding partitioning and formatting

Slide 9: Floppy Disks
Yes, these still exist!
5.25-inch
3.5-inch
Originally single sided
Then became double sided

Slide 10: Original floppies were single-sided
[Figure: side view of a single-sided floppy disk in a disk drive, showing Side 0]

Slide 11: FD Densities & Capacity
Disk Size   Density   Sectors/Track   Capacity
5.25        Low       9               360K
5.25        High      15              1200K
3.5         Low       9               720K
3.5         High      18              1,440K

Slide 12: Hard Disk Structure
Hard disk drives are organized as a concentric stack of disks or ‘platters’
Each platter has 2 surfaces
How does a hard disk work?
The platters rotate on the spindle
The heads move along the radius of the platters
This allows the head to access all parts of the surfaces

Slide 13: Disassembling a Hard Drive

Slide 14: HD Elements
16 heads
8 Platters

Slide 15: HD Head
Each platter has a planar magnetic surface on which digital data may be stored
Information is written to the disk by transmitting an electromagnetic flux through the read-write head (an antenna) that is very close to the magnetic material

Slide 16: HD Head Clearance

Slide 17: How Data is Organized on HD - Tracks
The data is stored on concentric circles on the surfaces known as tracks
Numbering starts with 0 at the outermost cylinder

Slide 18: How Data is Organized on HD - Sectors/Blocks
A sector is a continuous linear stream of magnetized bits occupying a curved section of a track
Sectors are the smallest physical storage units on a disk
Each sector stores 512 bytes of data
Numbering of physical sectors within a track starts with 1
[Figure: Sector 1 and Sector 2 on Track 0]

Slide 19: How Data is Organized on HD - Cylinders
[Figure: a cylinder through the platter stack; the Head Stack Assembly with Heads 0 to 5; one track and one sector marked]
Corresponding tracks on all platter surfaces make up a cylinder
On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder

Slide 20: Cluster (Blocks)
1 or more contiguous sectors
The smallest unit of storage that an OS can allocate to data
The number of bytes in a cluster varies according to the size of the drive and the version of the OS
65,536 sector limit in DOS FAT16 (2^16)
Using clusters allows for grouping multiple sectors
Total number of sectors per cluster is always a power of 2

Slide 21: FAT16/FAT12 Number of Sectors/Cluster
Low density 5.25 inch floppy diskette - 2 sectors
High density 5.25 inch floppy diskette - 2 sectors
Low density 3.5 inch floppy diskette - 2 sectors
High density 3.5 inch floppy diskette - 1 sector
Zero - 15MB logical hard drive partition - 8 sectors
16MB -127MB logical hard drive partition - 4 sectors
128MB - 255MB logical hard drive partition - 8 sectors
256MB - 512MB logical hard drive partition - 16 sectors
512MB - 1024MB logical hard drive partition - 32 sectors
1024MB - 2048MB logical hard drive partition - 64 sectors
2048MB - 4095MB logical hard drive partition - 128 sectors

Slide 22: What is this disk?
Disk Size   Density   Sectors/Track   Capacity
5.25        Low       9               360K
5.25        High      15              1200K
3.5         Low       9               720K
3.5         High      18              1,440K
If you cannot see Properties, click View -> Properties

Slide 23: Hard Disk Addressing
Older BIOSes in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes).
Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.

Slide 24: CHS
Each storage unit on a disk can be identified by a 3-coordinate system identifying the
Cylinder
Head/Side
Sector
One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 Bytes:
Eg. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB

Slide 25: Hard Disk Addressing (Cont.)
Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface to connect to the hard disk (an IDE disk)
The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.

Slide 26: Exception: LBA – Logical Block Addressing
By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity
As such the BIOS must know to use the LBA capacity
LBA capacity: the total number of accessible sectors
Eg. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
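Added Python example (not from the slides) working the CHS and LBA arithmetic of Slides 24 and 26; the geometry it derives for disks below the cap is an assumption for illustration, and it reports both decimal GB and binary GiB because the slides mix the two (the 16,514,064-sector cap is 8.5 GB decimal and 7.9 GiB, quoted as 7.8GB above).

```python
SECTOR_BYTES = 512
# Geometry that large IDE disks report through the legacy CHS interface
# (from the slides): 16383 cylinders, 16 heads, 63 sectors per track.
CHS_CAP = (16383, 16, 63)
GIB = 1024 ** 3

def chs_sectors(cylinders, heads, sectors_per_track):
    """Total addressable sectors for a CHS geometry."""
    return cylinders * heads * sectors_per_track

def chs_capacity_bytes(cylinders, heads, sectors_per_track):
    """Capacity implied by a CHS geometry: sectors * 512 bytes."""
    return chs_sectors(cylinders, heads, sectors_per_track) * SECTOR_BYTES

def lba_capacity_bytes(lba_sectors):
    """Capacity from the LBA value, i.e. the total accessible sectors."""
    return lba_sectors * SECTOR_BYTES

def reported_chs(lba_sectors):
    """What the disk returns as CHS: its real geometry while that fits, the
    capped 16383/16/63 once it exceeds 16,514,064 sectors.  Below the cap a
    16-head, 63-sector geometry is assumed here for illustration."""
    if lba_sectors > chs_sectors(*CHS_CAP):
        return CHS_CAP
    return (lba_sectors // (16 * 63), 16, 63)

def gb(num_bytes):
    """Decimal gigabytes (10^9), one decimal place."""
    return round(num_bytes / 10**9, 1)

def gib(num_bytes):
    """Binary gigabytes (2^30), one decimal place."""
    return round(num_bytes / GIB, 1)

def describe(lba_sectors):
    """Compare the capacity CHS would imply with the real LBA capacity."""
    c, h, s = reported_chs(lba_sectors)
    chs_bytes = chs_capacity_bytes(c, h, s)
    return {
        "chs_reported": (c, h, s),
        "chs_gb": gb(chs_bytes),
        "chs_gib": gib(chs_bytes),
        "lba_gb": gb(lba_capacity_bytes(lba_sectors)),
        "chs_understates": chs_sectors(c, h, s) < lba_sectors,
    }
```

Calling describe(156_301_488) reproduces the 80GB disk above: CHS alone would claim 8.5 GB (7.9 GiB) while the LBA value gives 80.0 GB.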

Slide 27: File Slack
The area between the end of the file and the end of the last cluster allocated for that file

Slide 28: File Slack Illustration

Slide 29: NTFS Clusters and Cluster Sizes
Partition Size Range (GiB)   Default Number of Sectors Per Cluster   Default Cluster Size (KiB)
<= 0.5                       1                                       0.5
> 0.5 to 1.0                 2                                       1
> 1.0 to 2.0                 4                                       2
> 2.0 to 4.0                 8                                       4
> 4.0 to 8.0                 16                                      8
> 8.0 to 16.0                32                                      16
> 16.0 to 32.0               64                                      32
> 32.0                       128                                     64
http://www.pcguide.com/ref/hdd/file/ntfs/archCluster-c.html

Slide 30: A Computer
test.csv
Two questions:
What is the cluster size of the partition?
What is the partition size range?
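Added Python example (not from the slides) for the two questions above: from one or more "Size" / "Size on disk" readings of the kind the Properties dialog shows, it lists the cluster sizes consistent with them, narrows them across files, and maps the result to the partition size range of the Slide 29 table; the readings below are constructed, not those of test.csv.

```python
import math

# NTFS default cluster sizes by partition size, as tabulated on Slide 29
# (upper bound of the range in GiB, None = no upper bound; sectors per cluster).
NTFS_DEFAULTS = [(0.5, 1), (1.0, 2), (2.0, 4), (4.0, 8), (8.0, 16),
                 (16.0, 32), (32.0, 64), (None, 128)]
SECTOR = 512
CANDIDATES = [spc * SECTOR for _, spc in NTFS_DEFAULTS]   # 512 .. 65536 bytes

def size_on_disk(size, cluster):
    """Bytes allocated to a file: whole clusters, rounded up."""
    return math.ceil(size / cluster) * cluster

def slack_bytes(size, on_disk):
    """File slack: space between the end of the file and the end of its last cluster."""
    return on_disk - size

def consistent_clusters(size, on_disk):
    """Cluster sizes for which 'Size' and 'Size on disk' agree.  NTFS keeps very
    small files resident in the MFT record (Size on disk shown as 0 bytes), so
    such a file says nothing about the cluster size."""
    if on_disk == 0:
        return []
    return [c for c in CANDIDATES if size_on_disk(size, c) == on_disk]

def infer_cluster_size(files):
    """Intersect the candidates over several (size, size_on_disk) readings; one
    file is often ambiguous, two or three usually pin the cluster size down."""
    candidates = set(CANDIDATES)
    for size, on_disk in files:
        if on_disk:
            candidates &= set(consistent_clusters(size, on_disk))
    return sorted(candidates)

def partition_range_gib(cluster):
    """Partition size range (lower, upper) in GiB that gets this default cluster size."""
    lower = 0.0
    for upper, spc in NTFS_DEFAULTS:
        if spc * SECTOR == cluster:
            return (lower, upper)
        lower = upper
    raise ValueError("not a default NTFS cluster size")

# Constructed Properties-dialog readings (Size, Size on disk), not from the slide.
FILES = [(2700, 4096), (5000, 8192)]
```

With these readings the first file alone allows 2048 or 4096 bytes per cluster, the second narrows it to 4096 (8 sectors), which the table places in the "> 2.0 to 4.0 GiB" range, and the first file carries 1396 bytes of slack.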

Slide 31: Summary of Hard Disk
Data on a HD are stored on tracks
Corresponding tracks on all surfaces make up a cylinder
Data is stored in sectors and usually read in blocks or clusters
A storage unit can be identified by CHS
LBA is used for drives in excess of 7.8 GB

Slide 32: Outline
Understanding the boot sequence
Understanding disk drives
Understanding partitioning and formatting

Slide 33: Key things
The function of the FDISK program
Primary partition, extended partition, active partition, and logical drive
How logical partitions can be hidden
The necessity of understanding the suspect’s partitioning scheme

Slide 34: Initializing a Hard Drive
[Figure] This represents all the available surface area on a hard drive that can be used for storage
The first thing to do is magnetically create a system of unique storage areas
35
Step 1: Use a low-level format program to create a magnetic structure of sectors
Low-level (Factory) Format
One 512-byte sector
Low-level formatting is usually done at the factory.
Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller.Slide36
36
The sectors are organized by tracks
All the sectors on one track
Results of Low-level FormatSlide37
37
MBR
Initializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record at Cylinder-0, Head-0, Sector-1
The Master Boot Record holds the Master Boot Code and the Master Partition Table
The remainder of that track is “Reserved”

Slide 38: Master Partition Table
Maximum of 4 entries
Valid entries contain essential information about the partition
Partition type/code
Active (yes or no)
Partition start and end information
Unused entries are blank

Slide 39: Types of Entries in Master Partition Table
Primary Partition(s) - up to 4 allowed
Contains one logical drive
Only one may be marked as “Active”
Extended Partition (only 1 allowed)
Contains one or more logical drives
Each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries)
Partition ≠ logical drive
Total number of entries may not exceed four!

Slide 40: Partition Type Codes
File systems are assigned characteristic type codes that are listed in partition table entries
DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported
DOS/Windows systems will not assign a drive letter to partition types not supported

Slide 41: Common Partition Type Codes
[Figure: table of common partition type codes]

Slide 42: Single Primary Partition
[Figure: track 0 with the MBR in the first sector and the remaining sectors reserved]

Slide 43: Single Primary Partition (Cont.)
Hard drive with one active primary partition (single logical drive)
[Figure: platter with the hub and the single logical drive]

Slide 44: Single Primary Partition (Cont.)
Master Partition Table - DiskEdit View
“Yes” indicates “Active”

Slide 45: One Primary with Extended Partition
[Figure: the MBR on track 0 followed by reserved sectors, then the Primary Partition, then the Extended Partition, which begins with its own Partition Table followed by reserved sectors]

Slide 46: Partition Tables
Each partition table points to the next
[Figure: the MBR and a chain of partition tables, each in the first sector of its track with the remaining sectors reserved]

Slide 47: Master Partition Table – DiskEdit View
One Primary & One Extended
[Figure: DiskEdit view with the Primary Partition Entry highlighted]

Slide 48: Extended Partition Table – DiskEdit View
One Primary & One Extended
The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
[Figure: DiskEdit view with the Extended Partition Entry highlighted]

Slide 49: Partitions and More Than One Logical Drive
An extended partition may contain more than one logical partition
Primary, Extended and Logical Partitions
[Figure: graphical depiction of the partitioning: a Primary Partition (c:) and an Extended Partition with three logical drives (d:, e:, f:), i.e. an extended partition containing three logical DOS volumes]

Slide 50: Why Care about Partitioning?
Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned?

Slide 51: Partitioning
Reasons to examine the partition tables:
To make sure all space on the drive is accounted for
To look for multiple operating systems
To look for hidden partitions

Slide 52: Hidden Partitions
View of a hidden partition using the PART utility
DOS/Windows partitions can be “hidden” by changing the partition-type code

Slide 53: Hidden Partitions
This partition disappears!
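Added Python example (not from the slides): a parser for a constructed MBR disk image that follows the extended-partition chain of Slides 37 to 49 and then performs the two checks from Slide 51, flagging hidden type codes and sectors no drive accounts for. The image, its layout and its sizes are constructed; the type codes used (0x05 extended, 0x06 FAT16, 0x07 NTFS, and the hidden variants 0x16/0x17/0x1B) are the DOS/Windows conventions.

```python
import struct
SECTOR = 512
EXTENDED = {0x05, 0x0F}
# Hidden variants of the FAT16/NTFS/FAT32 type codes: DOS/Windows gives them no drive letter.
HIDDEN = {0x16: "Hidden FAT16", 0x17: "Hidden NTFS", 0x1B: "Hidden FAT32"}
FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count

def entry(active, ptype, start, count):
    """One 16-byte partition table entry; CHS fields left zero."""
    return struct.pack(FMT, 0x80 if active else 0, b"\0" * 3, ptype, b"\0" * 3, start, count)

def table_sector(entries):
    """A 512-byte MBR/EBR sector: code area, 4 entries, 0x55AA signature."""
    return b"\0" * 446 + b"".join(entries).ljust(64, b"\0") + b"\x55\xAA"

def parse_entries(sector):
    """Yield (active, type, lba_start, sectors) for each used entry."""
    assert sector[510:512] == b"\x55\xAA", "missing boot signature"
    for i in range(446, 510, 16):
        a, _, t, _, s, n = struct.unpack(FMT, sector[i:i + 16])
        if t:
            yield bool(a & 0x80), t, s, n

def list_partitions(image):
    """Primary entries, then each logical drive found by following the EBR chain."""
    found = []
    for active, t, s, n in parse_entries(image[:SECTOR]):
        found.append((active, t, s, n))
        if t in EXTENDED:
            ext_base = nxt = s   # entry 0 is relative to its EBR, entry 1 to the extended start
            while nxt:
                ebr = list(parse_entries(image[nxt * SECTOR:(nxt + 1) * SECTOR]))
                found.append((False, ebr[0][1], nxt + ebr[0][2], ebr[0][3]))
                nxt = ext_base + ebr[1][2] if len(ebr) > 1 else 0
    return found

def audit(image, total_sectors):
    """Flag hidden type codes and count sectors no drive accounts for."""
    parts = list_partitions(image)
    hidden = [(HIDDEN[t], s, n) for _, t, s, n in parts if t in HIDDEN]
    accounted = sum(n for _, t, _, n in parts if t not in EXTENDED)
    return hidden, total_sectors - 1 - accounted   # -1 for the MBR sector itself

def build_image(total=4096):
    """Constructed 2 MiB image: active NTFS primary, then an extended partition
    with a FAT16 logical drive and a second logical drive retyped 0x07 -> 0x17."""
    img = bytearray(total * SECTOR)
    img[:SECTOR] = table_sector([entry(True, 0x07, 1, 2047), entry(False, 0x05, 2048, 2048)])
    img[2048 * SECTOR:2049 * SECTOR] = table_sector([entry(False, 0x06, 1, 1023), entry(False, 0x05, 1024, 1024)])
    img[3072 * SECTOR:3073 * SECTOR] = table_sector([entry(False, 0x17, 1, 1023)])
    return bytes(img)
```

On the constructed image audit() reports the retyped logical drive as "Hidden NTFS" and two sectors (the two EBRs) outside any drive; on a real image a much larger unaccounted count points at a gap or a deleted partition worth examining.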

Slide 54: Partition Table Doctor
Link: http://www.ptdd.com/
The only limitation is that the DEMO version cannot write to disk.
Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
Display complete physical and logical drive information.
Fix the boot sector of FAT and NTFS partitions.
Preview boot files and boot directories of each partition before recovery.
Back up the MBR (Master Boot Record), Partition Table, and Boot Sectors.
Restore the MBR, Partition Table and Boot Sectors from a backup file if they are damaged.
Support IDE / ATA / SATA / SCSI drives.

Slide 55: Main Window

Slide 56: Partition -> Edit Properties