91.580.203 computer & network forensics xinwen fu chapter 7 working with windows and dos systems
Post on 29-Mar-2015
91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 7: Working with Windows and DOS Systems
BIS@DSU2
Outline
• Understanding the boot sequence
• Understanding disk drives
• Understanding partitioning and formatting
Understanding the Boot Sequence
• Avoid data contamination or modification
• Make sure the computer boots from a floppy disk
• Common keys for entering the setup screen during boot: Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12
Understanding the Boot Sequence (Cont.)
Who provides this setup screen for you?
BIOS - Basic Input/Output System
• A piece of firmware ("software on a chip")
• Supports the following devices and features of your system:
• Select and configure hard drives, floppy drives, and CD-ROM drives
• Configure main and cache memory
• Support different CPU types, speeds, and special features
• Support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play)
• Many others
BIOS on the Motherboard
(figure: location of the BIOS chip and the battery on the motherboard)
Source: http://www.informit.com/articles/article.asp?p=130913&seqNum=4&rl=1
Two Components Supporting BIOS
• CMOS chip, also known as the RTC/NVRAM (Real-Time Clock/Non-Volatile RAM): stores the settings and contains the system's Real-Time Clock circuit
• Battery: powers the CMOS to keep its settings
Outline
• Understanding the boot sequence
• Understanding disk drives
• Understanding partitioning and formatting
Floppy Disks
Yes, these still exist!
• Sizes: 5.25 inch and 3.5 inch
• Originally single sided
• Then became double sided
Side View of Floppy in Disk Drive
• Original floppies were single-sided
(figure: a single-sided disk, side 0, inside the disk drive)
FD Densities & Capacity
Disk Size (inch)  Density  Sectors/Track  Capacity
5.25              Low      9              360K
5.25              High     15             1,200K
3.5               Low      9              720K
3.5               High     18             1,440K
Hard Disk Structure
• Hard disk drives are organized as a concentric stack of disks or 'platters'
• Each platter has 2 surfaces
How does a hard disk work?
• The platters rotate on the spindle
• The heads move along the radius of the platters
• This allows the heads to access all parts of the surfaces
Disassembling a Hard Drive
(figure)
HD Elements
• 16 heads
• 8 platters
HD Head
• Each platter has a planar magnetic surface on which digital data may be stored
• Information is written to the disk by transmitting an electromagnetic flux through the read-write head (an antenna) that is very close to the magnetic material
HD Head Clearance
(figure)
How Data is Organized on HD - Tracks
• The data is stored on concentric circles on the surfaces known as tracks
• Numbering starts with 0 at the outermost cylinder
How Data is Organized on HD - Sectors/Blocks
• A sector is a continuous linear stream of magnetized bits occupying a curved section of a track
• Sectors are the smallest physical storage units on a disk; each sector stores 512 bytes of data
• Numbering of physical sectors within a track starts with 1
(figure: Sector 1 and Sector 2 on Track 0)
How Data is Organized on HD - Cylinders
(figure: the head stack assembly with Heads 0 to 5, showing a cylinder, a track and a sector)
• Corresponding tracks on all platter surfaces make up a cylinder
• On a floppy diskette, the pair of tracks that lie over/under each other is called a cylinder
Cluster (Blocks)
• 1 or more contiguous sectors
• The smallest unit of storage that an OS can allocate to data
• The number of bytes in a cluster varies according to the size of the drive and the version of the OS
• 65,536 (2^16) sector limit in DOS FAT16
• Using clusters allows for grouping multiple sectors
• The total number of sectors per cluster is always a power of 2
FAT16/FAT12 Number of Sectors/Cluster
Medium                                        Sectors/Cluster
Low density 5.25 inch floppy diskette         2
High density 5.25 inch floppy diskette        2
Low density 3.5 inch floppy diskette          2
High density 3.5 inch floppy diskette         1
Zero - 15MB logical hard drive partition      8
16MB - 127MB logical hard drive partition     4
128MB - 255MB logical hard drive partition    8
256MB - 512MB logical hard drive partition    16
512MB - 1024MB logical hard drive partition   32
1024MB - 2048MB logical hard drive partition  64
2048MB - 4095MB logical hard drive partition  128
What is this disk?
Disk Size (inch)  Density  Sectors/Track  Capacity
5.25              Low      9              360K
5.25              High     15             1,200K
3.5               Low      9              720K
3.5               High     18             1,440K
If you cannot see Properties, click View -> Properties
Hard Disk Addressing
• Older BIOSes in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes).
• Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.
C H S
• Each storage unit on a disk can be identified by a 3-coordinate system identifying the Cylinder, Head/Side and Sector
• One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes.
• E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB
Hard Disk Addressing (Cont.)
• Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk (an IDE disk)
• The BIOS will read the disk's cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.
Exception: LBA - Logical Block Addressing
• By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in the LBA capacity
• As such, the BIOS must know to use the LBA capacity: the total number of accessible sectors
• E.g. a disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
File Slack
• The area between the end of the file and the end of the last cluster allocated for that file
File Slack Illustration
(figure)
NTFS Clusters and Cluster Sizes
Partition Size Range (GiB)  Default Number of Sectors Per Cluster  Default Cluster Size (kiB)
<= 0.5                      1                                      0.5
> 0.5 to 1.0                2                                      1
> 1.0 to 2.0                4                                      2
> 2.0 to 4.0                8                                      4
> 4.0 to 8.0                16                                     8
> 8.0 to 16.0               32                                     16
> 16.0 to 32.0              64                                     32
> 32.0                      128                                    64
Source: http://www.pcguide.com/ref/hdd/file/ntfs/archCluster-c.html
(figure: test.csv on a computer)
Two questions:
1. What is the cluster size of the partition?
2. What is the partition size range?
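An added worked example, not part of the slides, that answers the two questions from the NTFS and FAT16 tables above and computes the file slack defined earlier: given a partition size it returns the default sectors per cluster, given a cluster size it returns the NTFS partition size range, and given a file size it reports the allocated clusters and slack. Treating each table's upper bound as inclusive is my assumption.

```python
SECTOR_BYTES = 512
GIB = 2**30
# Default NTFS sectors per cluster by partition size in GiB (upper bound inclusive), from the slide
NTFS_DEFAULTS = [(0.5, 1), (1.0, 2), (2.0, 4), (4.0, 8), (8.0, 16), (16.0, 32), (32.0, 64)]
NTFS_MAX_SPC = 128                 # everything above 32 GiB
# FAT16 sectors per cluster for logical hard drive partitions by size in MB, from the slide
FAT16_DEFAULTS = [(15, 8), (127, 4), (255, 8), (512, 16), (1024, 32), (2048, 64), (4095, 128)]

def ntfs_sectors_per_cluster(partition_bytes):
    """Question 1: default sectors per cluster for an NTFS partition of this size."""
    gib = partition_bytes / GIB
    for upper, spc in NTFS_DEFAULTS:
        if gib <= upper:
            return spc
    return NTFS_MAX_SPC

def fat16_sectors_per_cluster(partition_mb):
    """Same lookup for a FAT16 logical hard drive partition, in MB."""
    for upper, spc in FAT16_DEFAULTS:
        if partition_mb <= upper:
            return spc
    raise ValueError("larger than the 4095MB FAT16 limit in the table")

def ntfs_partition_range_gib(cluster_bytes):
    """Question 2: the (lower, upper] partition size range whose default is this cluster size."""
    spc, lower = cluster_bytes // SECTOR_BYTES, 0.0
    for upper, table_spc in NTFS_DEFAULTS:
        if table_spc == spc:
            return (lower, upper)
        lower = upper
    if spc == NTFS_MAX_SPC:
        return (32.0, None)        # open-ended: larger than 32 GiB
    raise ValueError("not a default NTFS cluster size")

def allocation(file_bytes, cluster_bytes):
    """Clusters allocated, bytes consumed on disk and file slack for a file of file_bytes."""
    clusters = -(-file_bytes // cluster_bytes)          # ceiling division
    allocated = clusters * cluster_bytes
    return {"clusters": clusters, "allocated": allocated, "slack": allocated - file_bytes}

if __name__ == "__main__":
    size = ntfs_sectors_per_cluster(3 * GIB) * SECTOR_BYTES
    print("3 GiB NTFS partition -> cluster size", size, "bytes")
    print("4 KiB clusters -> partition range (GiB)", ntfs_partition_range_gib(4096))
    print("10,000-byte file in 4 KiB clusters ->", allocation(10_000, 4096))
```

The slack figure is the number of bytes after the file's end that an image of the cluster still carries, which is why the examiner cares about the cluster size in the first place.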
Summary of Hard Disk
• Data on a HD are stored on tracks
• Corresponding tracks on all surfaces make up a cylinder
• Data is stored in sectors and usually read in blocks or clusters
• A storage unit can be identified by CHS
• LBA is used for drives in excess of 7.8 GB
Outline
• Understanding the boot sequence
• Understanding disk drives
• Understanding partitioning and formatting
Key things
• The function of the FDISK program
• Primary partition, extended partition, active partition, and logical drive
• How logical partitions can be hidden
• The necessity of understanding the suspect's partitioning scheme
Initializing a Hard Drive
(figure: this represents all the available surface area on a hard drive that can be used for storage)
• The first thing to do is magnetically create a system of unique storage areas
Low-level (Factory) Format
Step 1: Use a low-level format program to create a magnetic structure of sectors
(figure: one 512-byte sector)
• Low-level formatting is usually done at the factory.
• Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller.
Results of Low-level Format
• The sectors are organized by tracks
(figure: all the sectors on one track)
Initializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record at Cylinder 0, Head 0, Sector 1
Master Boot Record:
1. Master Boot Code
2. Master Partition Table
(figure: the MBR occupies the first sector; the remainder of that track is "Reserved")
Master Partition Table
• Maximum of 4 entries
• Valid entries contain essential information about the partition: partition type/code, active (yes or no), partition start and end information
• Unused entries are blank
Types of Entries in Master Partition Table
• Primary Partition(s) - up to 4 allowed; each contains one logical drive; only one may be marked as "Active"
• Extended Partition (only 1 allowed) - contains one or more logical drives; each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries)
• Partition ≠ logical drive
• Total number of entries may not exceed four!
Partition Type Codes
• File systems are assigned characteristic type codes that are listed in partition table entries
• DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported
• DOS/Windows systems will not assign a drive letter to partition types not supported
Common Partition Type Codes
(table figure)
Single Primary Partition
(figure: the MBR and its reserved track, followed by the single primary partition)
Single Primary Partition (Cont.)
• Hard drive with one active primary partition (single logical drive)
(figure: platter with hub; the logical drive covers the surface)
Single Primary Partition (Cont.)
Master Partition Table - DiskEdit View
• "Yes" indicates "Active"
One Primary with Extended Partition
(figure: the MBR and its reserved track, then the primary partition, then the extended partition, which starts with its own partition table and reserved track)
Partition Tables
• Each partition table points to the next
(figure: the MBR and its reserved track, then the partition table of the extended partition with its own reserved track)
One Primary & One Extended
Master Partition Table - DiskEdit View
(figure label: Primary Partition Entry)
One Primary & One Extended
Extended Partition Table - DiskEdit View
• The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
(figure label: Extended Partition Entry)
Partitions and More Than One Logical Drive
• An extended partition may contain more than one logical partition
Primary, Extended and Logical Partitions
• Graphical depiction of the partitioning
(figure: primary partition c:, extended partition with three logical drives d:, e:, f:)
Why Care about Partitioning?
• Important Point: When examining a suspect's hard drive, why is it necessary to know how it's partitioned?
Partitioning
Reasons to examine the partition tables:
• To make sure all space on the drive is accounted for
• To look for multiple operating systems
• To look for hidden partitions
Hidden Partitions
(figure: view of a hidden partition using the PART utility)
• DOS/Windows partitions can be "hidden" by changing the partition-type code
Hidden Partitions (Cont.)
• This partition disappears!
(figure)
Partition Table Doctor
Link: http://www.ptdd.com/
• The only limitation is that the DEMO version cannot write to disk.
• Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
• Displays complete physical and logical drive information.
• Fix the boot sector of FAT and NTFS partitions.
• Preview boot files and boot directories of each partition before recovery.
• Backup MBR (Master Boot Record), partition table, boot sectors.
• Restore MBR, partition table and boot sectors from a backup file if they are damaged.
• Support IDE / ATA / SATA / SCSI drives.
Main Window
(screenshot)
Partition -> Edit Properties
(screenshot)