
91.580.203 Computer Network Forensics


Presentation Transcript


    1. 91.580.203 Computer & Network Forensics Xinwen Fu Chapter 7 Working with Windows and DOS Systems

    2. 2 Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting

    3. 3 Understanding the Boot Sequence Avoid data contamination or modification Make sure computer boots from a floppy disk Delete key Ctrl+Alt+Insert Ctrl+A Ctrl+F1 F2 F12

    4. 4 Understanding the Boot Sequence (Cont.)

    5. 5 BIOS - Basic Input/Output System A piece of firmware ("software on a chip") Support for the following devices and features of your system: Select and configure hard drives, floppy drives, and CD-ROM drives; Configure main and cache memory; Support different CPU types, speeds, and special features; Support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play); Many others; Configuration of built-in ports, such as IDE hard disk, floppy disk, serial, parallel, PS/2 mouse, and USB; Selection and configuration of special motherboard features, such as memory error correction, antivirus protection, and fast memory access

    6. 6 BIOS on the Motherboard

    7. 7 Two Components Supporting BIOS CMOS chip, also known as the RTC/NVRAM (Real-Time-Clock/Non-Volatile RAM) Store setting Contain the system's Real-Time-Clock circuit Battery Power CMOS to keep its settings

    8. 8 Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting

    9. 9 Floppy Disks Yes these still exist!

    10. 10 Side View of Floppy in Disk Drive Original floppies were only formatted on one side, the bottom. They could store 160K of data. The sides of the disk are numbered starting with the number zero. On a floppy, side 0 is on the bottom. This is the standard configuration so that a floppy disk could be used in drives from different manufacturers.

    11. 11 FD Densities & Capacity

    12. 12 Hard Disk Structure Hard disk drives are organized as a concentric stack of disks or ‘platters’ Each platter has 2 surfaces How a hard disk works? The platters rotate on the spindle The heads move along the radius of the platters This allows the head to access all parts of the surfaces

    13. 13 Disassembling a Hard Drive This exploded view shows the various components inside a typical hard drive. A hard drive may have more than one platter. The drive may have more than 2 sides (heads). All the read/write heads move together. Sides (heads) start numbering at zero (0). PCB (parallel component bus),

    14. 14 HD Elements 16 heads 8 Platters

    15. 15 HD Head Each platter has a planar magnetic surface on which digital data may be stored Information is written to the disk by transmitting an electromagnetic flux through read-write head (an antenna) that is very close to the magnetic material

    16. 16 HD Head Clearance The distance between the read/write head and the surface of the hard drive (head fly/floating height) is so small that a strand of human hair will not pass between them. Hard drive rotation speed depends on the specific model. Typical speeds are 5,400 RPM, 7,200 RPM, and 10,000 RPM. Hard drives were originally coated with ferrous oxide (rust), similar to the coating on audio tapes. Modern drives have some form of “thin film magnetic media”, which allows for closer placement of the read/write heads and more data to be written to the disk (areal density).

    17. 17 How Data is Organized on HD - Tracks The data is stored on concentric circles on the surfaces known as tracks Numbering starts with 0 at the outermost cylinder

    18. 18 How Data is Organized on HD Sectors/Blocks A sector is a continuous linear stream of magnetized bits occupying a curved section of a track Sectors are the smallest physical storage units on a disk- Each sector stores 512 bytes of data Numbering physical sectors within a track starts with 1

    19. 19 How Data is Organized on HD - Cylinders The same organizational structure of sectors, tracks, cylinders and heads that exists on floppy disks also exists on a hard disk. A hard disk will have multiple platters and thus more heads or sides which comprise a cylinder. Track 0 on side 0, 1, 2, 3, 4, and 5 together make up cylinder 0 since they are vertically aligned. The slide displays a simplified representation of the hard disk structure, but things are considerably more complicated than this.

    20. 20 Cluster (Blocks) 1 or more contiguous sectors The smallest unit of storage that an OS can allocate to data The bytes in a cluster vary according to the size of the drive and the version of the OS 65,536 sector limit in DOS FAT16 (2^16) Using clusters allows for grouping multiple sectors Total number of sectors per cluster is always a power of 2 Blocks in the UNIX world, Allocation Units as well Information on bytes/sector and sectors/cluster is stored in the MBR.

    21. 21 FAT16/FAT12 Number of Sectors/Cluster Low density 5.25 inch floppy diskette - 2 sectors High density 5.25 inch floppy diskette - 2 sectors Low density 3.5 inch floppy diskette - 2 sectors High density 3.5 inch floppy diskette - 1 sector Zero - 15MB logical hard drive partition - 8 sectors 16MB -127MB logical hard drive partition - 4 sectors 128MB - 255MB logical hard drive partition - 8 sectors 256MB - 512MB logical hard drive partition - 16 sectors 512MB - 1024MB logical hard drive partition - 32 sectors 1024MB - 2048MB logical hard drive partition - 64 sectors 2048MB - 4095MB logical hard drive partition - 128 sectors

    22. 22 What is this disk?

    23. 23 Hard Disk Addressing Older BIOSes in PC’s used 24 bit addressing which could only access up to 8.4 GB (2^24 * 512 bytes). Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.

    24. 24 C H S Each storage unit on a disk can be identified by a 3-coordinate system identifying the Cylinder, Head/Side, and Sector. One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 Bytes: e.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB. IDE (Integrated Disk Electronics), Extended IDE (EIDE).

    25. 25 Hard Disk Addressing (Cont.) Most Intel based mother boards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk - IDE disk. The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed. IDE (Integrated Disk Electronics), Extended IDE (EIDE).

    26. 26 Exception: LBA – Logical Block Addressing By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16514064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity As such the BIOS must know to use the LBA capacity The total number of accessible sectors Eg. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
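Slides 23 through 26 give the CHS and LBA arithmetic in prose. The Python below is an added example, not code from the lecture, that carries the slides' own numbers through: the slide 24 capacity product, the 2^24-sector BIOS limit of slide 23, the 16383/16/63 placeholder geometry of slide 26, and the difference between what a CHS-only BIOS would report and what the LBA count says, which is the space an examiner would miss if the smaller figure were trusted. The CHS-to-LBA conversion is the standard formula (LBA = (C * heads + H) * sectors_per_track + S - 1); the slides do not state it, so it is added here.

```python
SECTOR_BYTES = 512
LBA_PLACEHOLDER_CHS = (16383, 16, 63)   # geometry large IDE disks report (slide 26)


def chs_capacity_bytes(cylinders, heads, sectors):
    """Slide 24: capacity = cylinders * heads * sectors * 512."""
    return cylinders * heads * sectors * SECTOR_BYTES


def is_lba_placeholder(cylinders, heads, sectors):
    """True when the reported geometry is the c=16383, h=16, s=63 stand-in value."""
    return (cylinders, heads, sectors) == LBA_PLACEHOLDER_CHS


def effective_capacity_bytes(cylinders, heads, sectors, lba_sectors=None):
    """Use the CHS product unless the disk reports the placeholder geometry,
    in which case the LBA sector count is the only honest size (slide 26)."""
    if is_lba_placeholder(cylinders, heads, sectors) and lba_sectors:
        return lba_sectors * SECTOR_BYTES
    return chs_capacity_bytes(cylinders, heads, sectors)


def sectors_beyond_chs(cylinders, heads, sectors, lba_sectors):
    """Sectors the LBA count exposes that the CHS geometry alone does not."""
    return lba_sectors - cylinders * heads * sectors


def max_addressable_bytes(address_bits):
    """Slide 23: 2^bits sectors of 512 bytes (24 bits gives the 8.4 GB limit)."""
    return (2 ** address_bits) * SECTOR_BYTES


def chs_to_lba(c, h, s, heads, sectors_per_track):
    """Standard CHS -> LBA formula; sectors number from 1 within a track (slide 18)."""
    if not (0 <= h < heads and 1 <= s <= sectors_per_track):
        raise ValueError("head or sector outside the drive geometry")
    return (c * heads + h) * sectors_per_track + (s - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba: returns (cylinder, head, sector) with sector starting at 1."""
    c, rem = divmod(lba, heads * sectors_per_track)
    h, s = divmod(rem, sectors_per_track)
    return c, h, s + 1


if __name__ == "__main__":
    # slide 24's worked example and slide 26's 80 GB disk
    print(chs_capacity_bytes(12495, 16, 63))                      # about 6 GB
    print(effective_capacity_bytes(16383, 16, 63, 156301488))     # about 80 GB
    print(sectors_beyond_chs(16383, 16, 63, 156301488))           # sectors hidden from CHS
    print(lba_to_chs(chs_to_lba(80, 0, 1, 16, 63), 16, 63))       # round trip -> (80, 0, 1)
```

Note that the 16,514,064-sector threshold on slide 26 is exactly the placeholder product 16383 * 16 * 63, so a disk reporting that geometry should always be sized from its LBA count.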

    27. 27 File Slack The area between the end of the file and the end of the last cluster allocated for that file

    28. 28 File Slack Illustration

    29. 29 NTFS Clusters and Cluster Sizes

    30. 30 A Computer test.csv Two questions: What is the cluster size of the partition? What is the partition size range?
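The cluster-size table on slide 21, the file-slack definition on slide 27 and the two questions on slide 30 can all be worked with a few lines of arithmetic. The Python below is an added example, not code from the lecture. The FAT16 table is transcribed from slide 21; the handling of the boundary values that appear in two adjacent rows on the slide (512, 1024 and 2048 MB) is an assumption, each being assigned to the lower row. The question on slide 30 is about a specific file (test.csv) whose size is not on the page, so the functions take the file size as a parameter rather than answering for that file.

```python
SECTOR_BYTES = 512

# Slide 21's FAT16 table for logical hard-drive partitions:
# (lowest MB, highest MB, sectors per cluster).
# Assumption: a boundary value shown in two adjacent rows belongs to the lower row.
FAT16_CLUSTER_TABLE = [
    (0, 15, 8),
    (16, 127, 4),
    (128, 255, 8),
    (256, 512, 16),
    (513, 1024, 32),
    (1025, 2048, 64),
    (2049, 4095, 128),
]


def fat16_sectors_per_cluster(partition_mb):
    """Sectors per cluster FAT16 uses for a partition of the given size in MB."""
    for low, high, spc in FAT16_CLUSTER_TABLE:
        if low <= partition_mb <= high:
            return spc
    raise ValueError(f"{partition_mb} MB is outside the FAT16 range on slide 21")


def fat16_cluster_bytes(partition_mb):
    """Slide 30, question 1: cluster size in bytes for a partition of this size."""
    return fat16_sectors_per_cluster(partition_mb) * SECTOR_BYTES


def partition_ranges_for_cluster(sectors_per_cluster):
    """Slide 30, question 2: which partition size ranges use this cluster size?
    The answer is a list because one cluster size can appear in more than one
    row (8 sectors is used both for 0-15 MB and for 128-255 MB)."""
    return [(low, high) for low, high, spc in FAT16_CLUSTER_TABLE
            if spc == sectors_per_cluster]


def clusters_needed(file_size, cluster_bytes):
    """Whole clusters allocated to a file (ceiling division); a zero-length
    file is given no cluster here, which is an assumption of this example."""
    return -(-file_size // cluster_bytes)


def file_slack_bytes(file_size, cluster_bytes):
    """Slide 27: bytes between the end of the file and the end of its last cluster."""
    return clusters_needed(file_size, cluster_bytes) * cluster_bytes - file_size


def total_slack_bytes(file_sizes, partition_mb):
    """Slack summed over several files on one FAT16 partition: the space that
    holds leftover data from earlier use and that an examiner would want to look at."""
    cluster = fat16_cluster_bytes(partition_mb)
    return sum(file_slack_bytes(size, cluster) for size in file_sizes)


if __name__ == "__main__":
    # constructed sample: a 1000 MB FAT16 partition holding three files
    mb = 1000
    print(fat16_cluster_bytes(mb))                       # 32 sectors * 512 = 16384 bytes
    print(partition_ranges_for_cluster(32))              # [(513, 1024)]
    for size in (1000, 16384, 16385):
        print(size, file_slack_bytes(size, fat16_cluster_bytes(mb)))
    print(total_slack_bytes([1000, 16384, 16385], mb))
```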

    31. 31 Summary of Hard Disk Data on a HD are stored on tracks Corresponding tracks on all surfaces make up a cylinder Data is stored in sectors and usually read in blocks or clusters A storage unit can be identified by CHS LBA is used for drives in excess of 7.8 GB

    32. 32 Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting

    33. 33 Key things The function of the FDISK program Primary partition, extended partition, active partition, and logical drive   How logical partitions can be hidden The necessity of understanding the suspect’s partitioning scheme

    34. 34 Initializing a Hard Drive Think of a new hard drive as a large piece of blank paper. Rather than just put information all over the paper at random, we want to develop a logical system to manage the information. Continuing advances in hard disk drive technology have resulted in lower cost drives with very high capacities. The trouble with some of these drives is that they may not be recognized, in their full capacity, by earlier versions of DOS, or some of the system BIOSes in existence. Generally speaking, Intel 486-based machines may not recognize drives larger than 504MB, because of BIOS limitations at that time. The next generation of BIOS supported drives up to 2.1GB, then 8.4 GB. The next drive limit is 136GB, imposed by the ATA drive interface. The FAT32 file system supported by Windows versions starting with 95B can support drives up to two terabytes (2TB).

    35. 35 Low-level (Factory) Format The first step in initializing a drive is a low-level format. Drives are normally low-level formatted at the factory and cannot be low-level formatted by the local dealer or the consumer without special software. Older model drives (MFM, ST-506, etc.) could be low-level formatted by the local dealer or knowledgeable user. Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller. The most commonly used low-level format creates sectors that contain 512 bytes of data storage area.

    36. 36 Results of Low-level Format The low-level formatting process works cylinder by cylinder. This minimizes the amount of head movement required during the format process.

    37. 37 Initializing a Hard Drive with FDisk Step 2: FDISK writes partition information in the Master Boot Record at Cylinder-0, Head-0, Sector-1. Using FDISK, we first create a primary partition which contains logical drive C. This partitioning information is stored in the Master Partition Table in the Master Boot Record (MBR), located at cylinder 0, head 0, sector 1. Any primary or extended partition will be defined here. The entire remainder of that track is reserved by DOS. Normally, no other information is written there. Data may only be written to this space by using a disk editor program that will access the space. Some software programs, such as disk encryption or password protection software, may also read and write to the reserved area, but these applications were specifically designed to bypass the operating system. To date, DOS has not utilized that space. Master Boot Code: This is a very small program that transfers control to whatever boot program is in the active (i.e. startable) partition. In many systems this would be the OS/2 Boot Manager.

    38. 38 Master Partition Table Maximum of 4 entries Valid entries contain essential information about the partition: Partition type/code; Active (yes or no); Partition start and end information. Unused entries are blank. A partition table is 64 bytes long. An entry in the partition table is 16 bytes long. There is room for 4 entries in a partition table, but not all entries have to be used. Normally, if an entry is not being used, that entry will contain all 0’s. In order for the BIOS or an operating system to recognize a partition, its entry must contain recognizable, valid information. The term “Active partition” refers to the primary partition that is designated as such in the Master Partition Table. During the boot process, the partition table is examined to identify the active, primary partition, and code redirects the boot process to the first sector of that partition. To be actually used to boot the system, it must also contain the necessary system files. There can only be one active partition, and only a primary partition may be marked active.

    39. 39 Types of Entries in Master Partition Table Primary Partition(s) - up to 4 allowed; Contains one logical drive; Only one may be marked as “Active”. Extended Partition (only 1 allowed); Contains one or more logical drives; Each logical drive is defined by its own partition table which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries). Partition ≠ logical drive

    40. 40 Partition Type Codes File systems are assigned characteristic type codes that are listed in partition table entries. DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported. DOS/Windows systems will not assign a drive letter to partition types not supported. Other operating systems, such as Linux, Macintosh, and Unix do not use drive letters to designate logical or physical drives.

    41. 41 Common Partition Type Codes http://www.win.tue.nl/~aeb/partitions/partition_types-1.html has a rather comprehensive list of partition types and links to other sources of information
    Type  FAT     Size            DOS
    01    12      0 - 15 Mb       2.0
    04    16      16 - 32 Mb      3.0
    05    (Ext)   0 - 2 Gb        3.3
    06    16      32 Mb - 2 Gb    4.0
    0B    32      512 Mb - 2 Tb   OSR2
    0C    32x     512 Mb - 2 Tb   OSR2
    0E    16x     32 Mb - 2 Gb    W95
    0F    (Extx)  0 - 2 Tb        W95

    42. 42 Single Primary Partition Using FDISK, we first create a primary partition. This partitioning information is stored in the Master Partition Table in the Master Boot Record (MBR), located at cylinder 0, head 0, sector 1. Any primary or extended partition will be defined here.

    43. 43 Single Primary Partition (Cont.) Many disk drives are partitioned in this basic manner. One Active, Primary DOS partition is created, using the entire drive. Many newer systems, with large hard drives, use multiple partitions.

    44. 44 Single Primary Partition (Cont.) Cyl 0, Side/Head 0, Sector 1 – Object is the “Partition Table” (master boot record) as viewed with Diskedit.

    45. 45 One Primary with Extended Partition In this case, a smaller primary partition is made, using only a portion of the hard drive. FDISK may then be used to set up an Extended partition with the remaining sectors. Within that partition, one or more logical drives may be defined. This example shows the entire extended partition being used for one logical drive. When the system reboots, DOS recognizes the existence of two logical drives (the primary partition, and the single logical drive defined in the extended partition) and assigns drive letters to each. We now have two partitions on our physical drive: a Primary Partition and an Extended Partition containing the second logical drive.

    46. 46 Partition Tables The Master Partition Table (found in the Master Boot Record) will define any primary or extended partition on the drive. Within an Extended Partition, each logical drive will have its own partition table. Each table will: Define the limits of the logical volume it precedes; Point to the location of the next Partition Table. In this way a partition table may be described as being “linked”. In other words, one table points to another. Once all the desired partitions are set up, the system must be rebooted (from floppy) so that the partitioning information is read and the logical drive letters are assigned.

    47. 47 One Primary & One Extended Cyl 0, Side/Head 0, Sector 1 – Object is the “Partition Table” (master boot record) as viewed with Diskedit. The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive. The partition table located at Cyl 80, Side/Head 0, Sector 1 defines a logical drive and also points to the next partition table location.

    49. 49 Partitions and More Than One Logical Drives Extended partition may contain more than one logical partitions

    50. 50 Why Care about Partitioning? Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned? Reasons to examine the partition tables: To look for multiple operating systems; To look for hidden partitions; To make sure all space on the drive is accounted for.

    51. 51 Partitioning Reasons to examine the partition tables: To make sure all space on the drive is accounted for To look for multiple operating systems To look for hidden partitions

    52. 52 Hidden Partitions Partitions can be hidden. Using a program like DiskEdit, a suspect could change the partition table pointers and hide vast amounts of data. To access the data, he would simply reset the pointers back to the original settings. While this method is technically difficult, software such as Partition Magic, GDISK and PART make hiding partitions simple. The user simply has to issue a command and the utility does the work by employing a different method. These utilities change the code in the partition table which identifies the partition type to a value which is not recognized by DOS and thus doesn’t receive a drive letter assignment.
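Slides 38 through 52 describe the on-disk layout an examiner reads (16-byte entries at the end of the sector, the active flag, type codes, the linked chain of tables inside an extended partition) and the three checks on slide 50. The Python below is an added example, not code from the lecture or from any of the tools it names: it parses a partition-table sector, follows the extended chain, and then reports which entry is active, which type codes fall outside the DOS list on slide 41 (the hiding method slide 52 describes) and which sectors no table accounts for. The recognized codes are transcribed from slide 41. The disk image is constructed in memory, not a real disk: one active FAT16 primary, one extended partition holding two logical drives, the second carrying type code 0x16, which is absent from slide 41's list and documented as hidden FAT16 in the aeb list the slide links to. The layout of the 16-byte entry (flag, CHS start, type, CHS end, LBA start, sector count) is the standard MBR entry format; the slides give its size but not its field order. The relative addressing inside the extended chain (link entries relative to the extended partition start, data entries relative to their own table) is likewise standard practice and an assumption of this example.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # slide 38: a 64-byte table of four 16-byte entries
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type code, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"
EXTENDED_TYPES = {0x05, 0x0F}
# Type codes that DOS/Windows assign a drive letter to, transcribed from slide 41
DOS_TYPE_CODES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
                  0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA", 0x0F: "Extended LBA"}


def parse_table(sector):
    """Return the used entries of one partition-table sector (MBR or extended table)."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIGNATURE:
        raise ValueError("not a partition table sector: 55 AA signature missing")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                       # unused entries are all zeros (slide 38)
        entries.append({"active": flag == 0x80, "type": ptype,
                        "rel_start": start, "sectors": count})
    return entries


def walk_partitions(read_sector):
    """Primaries from the MBR, then the linked chain of extended tables (slide 46)."""
    parts, ebr_sectors, ext_base = [], [], None
    for e in parse_table(read_sector(0)):
        if e["type"] in EXTENDED_TYPES:
            ext_base = e["rel_start"]      # MBR entries hold absolute LBAs
        else:
            parts.append(dict(e, abs_start=e["rel_start"], kind="primary"))
    ebr_lba, seen = ext_base, set()
    while ebr_lba is not None and ebr_lba not in seen:   # `seen` stops a circular chain
        seen.add(ebr_lba)
        ebr_sectors.append(ebr_lba)
        link = None
        for e in parse_table(read_sector(ebr_lba)):
            if e["type"] in EXTENDED_TYPES:
                link = ext_base + e["rel_start"]   # link is relative to the extended partition
            else:                                  # data entry is relative to its own table
                parts.append(dict(e, abs_start=ebr_lba + e["rel_start"], kind="logical"))
        ebr_lba = link
    return {"partitions": parts, "ebr_sectors": ebr_sectors}


def audit(layout, total_sectors):
    """Slide 50's checks: the active entry, type codes DOS would not give a letter
    (slide 52's hiding method), and sectors that no table accounts for."""
    parts = layout["partitions"]
    active = [p["abs_start"] for p in parts if p["active"]]
    unrecognized = [(p["abs_start"], p["type"]) for p in parts if p["type"] not in DOS_TYPE_CODES]
    covered = [(0, 1)] + [(s, 1) for s in layout["ebr_sectors"]] + \
              [(p["abs_start"], p["sectors"]) for p in parts]
    gaps, cursor = [], 0
    for start, count in sorted(covered):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return {"active": active, "unrecognized": unrecognized, "unaccounted": gaps}


# Constructed 200-sector image (not a real disk). CHS fields are left zero because
# this example addresses everything by LBA, which is an assumption of the example.
def make_entry(active, ptype, rel_start, count):
    return struct.pack(ENTRY_FMT, 0x80 if active else 0, b"\0" * 3, ptype, b"\0" * 3,
                       rel_start, count)


def make_table_sector(entries):
    table = b"".join(entries).ljust(64, b"\0")
    return b"\0" * TABLE_OFFSET + table + BOOT_SIGNATURE


TOTAL_SECTORS = 200
IMAGE = {
    0: make_table_sector([make_entry(True, 0x06, 1, 99), make_entry(False, 0x05, 100, 80)]),
    100: make_table_sector([make_entry(False, 0x06, 1, 39), make_entry(False, 0x05, 40, 40)]),
    140: make_table_sector([make_entry(False, 0x16, 1, 39)]),   # code not on slide 41's list
}


def read_sector(lba):
    return IMAGE.get(lba, b"\0" * SECTOR)


if __name__ == "__main__":
    layout = walk_partitions(read_sector)
    for p in layout["partitions"]:
        print(f'{p["kind"]:8} type 0x{p["type"]:02X} start {p["abs_start"]:4} sectors {p["sectors"]}')
    print(audit(layout, TOTAL_SECTORS))
```

On a real image the "unaccounted" list would also include the rest of track 0 after the MBR, which slide 37 describes as reserved and normally unused; that is exactly the kind of region slide 50's third check exists to make the examiner look at rather than skip.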

    53. 53 Hidden Partitions

    54. 54 Partition Table Doctor Link: http://www.ptdd.com/ The only limitation is that DEMO version can not write to disk. Recover deleted or lost Partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP). Displays complete physical and logical drive information. Fix the Boot Sector of FAT and NTFS partition. Preview boot files and boot directories of each partition before recovery. Backup MBR (Master Boot Record), Partition Table, Boot Sectors. Restore MBR, Partition Table and Boot Sectors from a backup file if they are damaged. Support IDE / ATA / SATA / SCSI drives.

    55. 55 Main Window

    56. 56 Partition->Edit Properties
