
BACS 371 Computer Forensics



  1. BACS 371 Computer Forensics: Files & Partitions

  2. Data Hierarchy (largest to smallest) • Computer • Hard Disk Drive • Partition • File (Physical File / Logical File) • Cluster • Sector • Word • Byte • Bit

  3. File • Collection of information written to a disk • Generally created in an application-specific format • Occupies a whole number of clusters, because the file system allocates space in cluster units • In FAT file systems the allocation-table entry for each of the file's clusters points to the next cluster in the chain • The entry for the final cluster holds the End of File (EOF, end-of-chain) marker

  4. Files • Logical File Size: exact size of the file's contents in bytes • Physical File Size: amount of space the file occupies on disk in bytes (always a whole number of clusters) • File Slack: unused space between the logical end of the file and the physical end of its last cluster • Two types: RAM slack and disk slack

  |<----------------- Physical File Size ----------------->|
  |<- Logical File Size ->|<--------- File Slack --------->|

  5. File Slack • What does file slack contain? • Who knows??!! • Old data that was deleted but not yet overwritten • May contain remnants of older files, or other evidence, including: passwords, old directory structures, miscellaneous information

  6. File Slack Example • "Hello World!" has 12 characters in the file, but occupies 4096 bytes on the disk!

  7. File Slack Example

  8. File Slack Example • Assumptions: sector size = 512 bytes; cluster size = 4 KB = 8 sectors • File contents: "Hello world!" (12 bytes), stored in the 1st sector of the cluster • RAM slack (rest of the 1st sector): 512 bytes – 12 bytes = 500 bytes • Disk slack (2nd through 8th sectors): 4096 bytes – 512 bytes = 3584 bytes

  9. File Slack Example • RAM Slack: the file has only 12 characters, but the disk is written in whole 512-byte sectors, so 500 padding bytes go to disk with it. On DOS and Windows 9x those bytes were whatever happened to be in the RAM write buffer at the time (hence the name); NT-family systems zero-fill them instead. • Disk Slack: the file system always allocates in whole clusters (4096 bytes in this case), but only the first sector is actually written. The other 3584 bytes (7 sectors) keep whatever they held before the cluster was freed and reallocated, typically the contents of an earlier, deleted file.

  10. RAM Slack • Unused space at the end of the last sector written for a file • On older systems it contains whatever data was adjacent in main memory (RAM) when the sector was written; on modern systems it is normally zero-filled
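The slack arithmetic from slides 4 through 9, worked in Python as an added example (this is not code from the slides). Sector and cluster sizes are parameters with the slides' defaults; the cluster contents are constructed bytes standing in for what an examiner would read out of a disk image, and the "older file" pattern is invented for the example:

```python
"""File slack calculator and carver.

Added example, not part of the original slides. Sector and cluster sizes are
parameters (defaults match the slides: 512-byte sectors, 8-sector clusters);
the cluster contents below are constructed bytes, not read from a real disk.
"""

SECTOR = 512
CLUSTER = 8 * SECTOR  # 4096 bytes


def slack_layout(logical_size, sector=SECTOR, cluster=CLUSTER):
    """Return (physical_size, ram_slack, disk_slack) in bytes for a file of logical_size bytes.

    physical size: logical size rounded up to whole clusters
    RAM slack:     unused tail of the last sector actually written
    disk slack:    whole sectors of the last cluster that were never written
    """
    if logical_size == 0:
        return 0, 0, 0  # an empty file gets no data cluster at all
    clusters = -(-logical_size // cluster)          # ceiling division
    physical = clusters * cluster
    written = -(-logical_size // sector) * sector   # bytes written, in whole sectors
    return physical, written - logical_size, physical - written


def carve_slack(last_cluster, logical_size, sector=SECTOR, cluster=CLUSTER):
    """Split a file's last cluster into (content, ram_slack, disk_slack) byte strings.

    last_cluster: raw bytes of the final allocated cluster
    logical_size: size recorded for the file (directory entry / $MFT record)
    """
    if len(last_cluster) != cluster:
        raise ValueError("expected exactly one cluster of data")
    used = logical_size % cluster or cluster   # real content bytes in this cluster
    written = -(-used // sector) * sector      # end of the last written sector
    return last_cluster[:used], last_cluster[used:written], last_cluster[written:]


def build_sample_cluster():
    """Construct a cluster that once held an older file, then had 'Hello world!'
    written into its first sector (constructed data for the example)."""
    older = b"OLD-FILE: user=alice pw=hunter2 "          # 32-byte pattern, invented
    image = bytearray(older * (CLUSTER // len(older)))   # fills all 4096 bytes
    # NT-family systems zero-fill the rest of the written sector; DOS/Win9x
    # left whatever was in the RAM buffer there, hence the name "RAM slack".
    image[:SECTOR] = b"Hello world!".ljust(SECTOR, b"\x00")
    return bytes(image)


def slack_report(last_cluster, logical_size):
    """Summarise what an examiner would find in the slack of one cluster."""
    content, ram, disk = carve_slack(last_cluster, logical_size)
    return {
        "content": content,
        "ram_slack_bytes": len(ram),
        "disk_slack_bytes": len(disk),
        "ram_slack_all_zero": not any(ram),
        "credential_remnant": b"pw=" in disk,   # left over from the previous occupant
    }


if __name__ == "__main__":
    print("layout for 12-byte file:", slack_layout(12))   # (4096, 500, 3584)
    print(slack_report(build_sample_cluster(), 12))
```

`slack_layout` handles the two edge cases the slides do not mention: a file whose size is an exact multiple of the cluster size has no slack at all, and an empty file is allocated no cluster. `carve_slack` is what a carving tool does with a file's last cluster once it knows the logical size from the directory entry.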

  11. Partitions

  12. Partition Layout http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

  13. Master Boot Record (MBR) • Executable code: machine-language code, processor specific, reads the partition table to find the active partition; 446 bytes long (offsets 0x000-0x1BD) • Partition table: 4 entries of 16 bytes each; the first entry starts at offset 0x1BE (the others at 0x1CE, 0x1DE, 0x1EE) • MBR "signature": the bytes 55 AA at offsets 0x1FE-0x1FF (read as a little-endian word this is 0xAA55)

  14. Partition Table • A partition is a logical drive or volume • The partition table describes every logical volume on the disk • Master partition table (in the MBR): contains descriptions of the partitions on the disk; room to describe 4 primary partitions (one of which may be an extended partition that holds further logical drives) • One partition is marked active and is used for booting • Partition gap: unused space between partitions, not covered by any file system and therefore worth examining for hidden data

  15. Partition Boot Sector (FAT-style layout; all multi-byte fields are little-endian)
  • 0x00-0x02 Jump instruction (3 bytes)
  • 0x03-0x0A OEM ID (8 bytes)
  • 0x0B-0x53 BIOS Parameter Block (BPB), includes all the fields below plus additional ones (this range matches NTFS; on FAT12/16 the BPB and extended BPB end at 0x3D)
  • 0x0B Bytes per sector (2 bytes)
  • 0x0D Sectors per cluster (1 byte)
  • 0x15 Media descriptor (1 byte)
  • 0x18 Sectors per track (2 bytes)
  • 0x1A Number of heads (2 bytes)
  • 0x1C Hidden sectors (4 bytes): sectors on the disk before this volume, normally equal to the partition's start LBA in the MBR
  • 0x20 Total sectors (4 bytes)
  • 0x3E-0x1FD Bootstrap code (448 bytes)
  • 0x1FE-0x1FF Signature 55 AA
  NOTE: Offsets are from the start of the partition, not the start of the drive! The bootstrap code starts at 0x3E on FAT12/16, at 0x5A on FAT32 and at 0x54 on NTFS, so do not assume the FAT16 layout for every volume.

  16. Partition Boot Record (PBR) • BIOS Parameter Block: the file system's geometry and layout fields (see slide 15) • Executable code: machine-language code, processor specific; decodes the BPB and searches for the OS loader on the volume • PBR "signature": 55 AA

  17. Partition Boot Sector, AKA File System Boot Sector • The first physical sector in a logical volume • C 0, H 1, S 1 for the first partition on the classic CHS layout (LBA 63 with 63 sectors per track; modern tools instead start the first partition at LBA 2048 for 1 MiB alignment) • Contains: code • file system specification information (the BPB)

  18. Partition Boot Sector Decoded
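Decoding an MBR and the boot sector it points to, as an added example in Python (not code from the slides). It uses the offsets of slides 13 and 15 (FAT12/16-style BPB), builds a constructed 1 MiB disk image with one partition at C0/H1/S1 (LBA 63) in place of a real dd image, and applies the point of the NOTE on slide 15: boot-sector offsets are relative to the partition, so the parser multiplies the MBR's start LBA by 512 before reading them. The OEM ID and geometry values are made up for the example.

```python
"""MBR and FAT boot-sector parser with a constructed disk image.

Added example, not part of the original slides. Field offsets are those of
slides 13 and 15 (FAT12/16-style BPB); the image from build_sample_disk() is
constructed for the example and stands in for a 'dd' image of a real drive.
"""
import struct

SECTOR = 512
PART_TABLE = 0x1BE            # first of four 16-byte partition entries
SIGNATURE = b"\x55\xAA"       # bytes 0x1FE-0x1FF of MBR and boot sector alike


def parse_mbr(sector0):
    """Return the non-empty partition-table entries of an MBR sector."""
    if len(sector0) != SECTOR or sector0[0x1FE:] != SIGNATURE:
        raise ValueError("sector 0 lacks the 55 AA signature; not an MBR")
    parts = []
    for i in range(4):
        raw = sector0[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:                       # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def parse_bpb(boot_sector):
    """Decode the BIOS Parameter Block fields listed on slide 15 (little-endian)."""
    if len(boot_sector) != SECTOR or boot_sector[0x1FE:] != SIGNATURE:
        raise ValueError("boot sector lacks the 55 AA signature")
    bps, spc = struct.unpack_from("<HB", boot_sector, 0x0B)
    spt, heads, hidden, total = struct.unpack_from("<HHII", boot_sector, 0x18)
    return {"oem_id": boot_sector[0x03:0x0B].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "media_descriptor": boot_sector[0x15], "sectors_per_track": spt,
            "heads": heads, "hidden_sectors": hidden, "total_sectors": total}


def walk_partitions(disk):
    """Follow each MBR entry to its boot sector. Boot-sector offsets are relative
    to the partition, so the absolute byte offset is lba_start * 512."""
    result = []
    for p in parse_mbr(disk[:SECTOR]):
        start = p["lba_start"] * SECTOR
        bpb = parse_bpb(disk[start:start + SECTOR])
        p["bpb"] = bpb
        # A FAT volume records the sectors preceding it as "hidden sectors";
        # disagreement with the MBR entry is a sign of a moved or edited table.
        p["hidden_matches_mbr"] = bpb["hidden_sectors"] == p["lba_start"]
        p["size_matches_mbr"] = bpb["total_sectors"] == p["sectors"]
        result.append(p)
    return result


def build_sample_disk(total_sectors=2048):
    """Construct a 1 MiB image with one bootable FAT16 partition at C0/H1/S1 = LBA 63."""
    disk = bytearray(total_sectors * SECTOR)
    # MBR: boot code left as zeros; entry 0 = active, type 0x06 (FAT16), CHS start 0/1/1
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF",
                        63, total_sectors - 63)
    disk[PART_TABLE:PART_TABLE + 16] = entry
    disk[0x1FE:0x200] = SIGNATURE
    # Partition boot sector, written at LBA 63
    bs = bytearray(SECTOR)
    bs[0x00:0x03] = b"\xEB\x3C\x90"                 # jump over the BPB to 0x3E
    bs[0x03:0x0B] = b"MSWIN4.1"                     # OEM ID (made up for the example)
    struct.pack_into("<HB", bs, 0x0B, 512, 8)       # 512 B/sector, 8 sectors/cluster
    bs[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<HHII", bs, 0x18, 63, 255, 63, total_sectors - 63)
    bs[0x1FE:0x200] = SIGNATURE
    disk[63 * SECTOR:64 * SECTOR] = bs
    return bytes(disk)


if __name__ == "__main__":
    for p in walk_partitions(build_sample_disk()):
        print(p)
```

The two consistency flags (`hidden_matches_mbr`, `size_matches_mbr`) are the kind of cross-check an examiner runs before trusting a partition table: the MBR and the volume's own BPB describe the same start and size independently, and a disagreement points at a table that was edited or a volume that was moved.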

  19. Extended Partition Layout http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

  20. Computer Boot Process • Power-on signal • CPU reset • ROM BIOS / bootstrap • POST (Power On Self Test): memory test, support circuitry, major peripherals (ROM) • Boot, in the configured order: Drive A:, CD-ROM, hard drive • Master Boot Record • (Volume) Boot Record

  21. Computer Boot Details
  • Power switch activated
  • Power supply performs its self-test and sends the PowerGood signal to the motherboard
  • Microprocessor begins executing BIOS code at the reset vector, physical address 0xFFFFFFF0 (F000:FFF0 in real mode), and tests the hardware
  • Power On Self Test (POST) executed: checks CPU, ROM, RAM, support circuitry, peripherals
  • BIOS reads the MBR from C 0, H 0, S 1 (LBA 0) of the default boot drive
  • MBR loaded into memory at 0x7C00, its 55 AA signature checked, and executed
  • MBR code locates the first bootable (active) partition
  • Partition Boot Record loaded into memory, tested and executed
  • Operating system loader started by the PBR code: NTLDR on NT/2000/XP, IO.SYS on DOS/Windows 9x
  • On NTFS volumes NTLDR loads the $MFT; the NT volume is mounted
  • NTDETECT.COM detects the computer ID, bus adapter, video adapter, ...
  • NTLDR loads NTOSKRNL.EXE (the kernel) and HAL.DLL (the hardware abstraction layer)
  • The kernel initialises the OS
  Note: this is the legacy BIOS/MBR chain. Windows Vista and later replace NTLDR with bootmgr and winload.exe, and UEFI firmware skips the MBR and PBR code entirely, loading an EFI application from the EFI System Partition instead.
