coen 252 computer forensics l.
Skip this Video
Loading SlideShow in 5 Seconds..
COEN 252 Computer Forensics PowerPoint Presentation
Download Presentation
COEN 252 Computer Forensics

play fullscreen
1 / 21
Download Presentation

COEN 252 Computer Forensics - PowerPoint PPT Presentation

meadow
96 Views
Download Presentation

COEN 252 Computer Forensics

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. COEN 252 Computer Forensics Hard Drive Geometry

  2. Drive Geometry Basic Definitions: • Track • Sector Floppy

  3. Hard Drive Geometry • Cylinder Cylinder is formed by the tracks on all the platters with fixed actuator. (Due to different temperatures and hence different arm length, it is impossible to read and write in parallel.)

  4. Hard Drive Geometry • Writing and Reading on a Track

  5. Hard Drive Geometry Data is stored in the form of a magnetization pattern.

  6. Complete Disk IBM Ultrastar Z

  7. Sectors • Complete Sectors are written and read.

  8. Sectors • Consists of • Inter-sector gap • ID Information (including defective mark) (no longer used in modern drives) • Synchronization fields • Client Data (512B) • ECC • Inter-sector gap

  9. Formatting • Low level format • Creates “data structures” for tracks and sectors. • Defective sectors and regions are remapped. • There is no direct access to the disk layout. • This is not the usual formatting.

  10. Interfaces • Disks are getting smarter: • In the history of disk drives, control function moved to the disk. • Disks uses Logical Sector or Cylinder-Head-Sector addressing interface • SCSI: Small Computer Systems Interface • Block Device (Logical Sector) • SCSI 1, 2, 3 standards implement generic command language • ATA (AT Attachment): PATA, SATA

  11. Interfaces • ATA / IDE (Integrated Disk Electronics) • Specified as family of standards ATA-1 (1994) to ATA-7 (in draft) • ATA disks require a controller (“channel”) built into the motherboard. • Controller controls one or two disks. • Master and slave disk. • Typical motherboard has two channels with up to two disks / devices.

  12. Interfaces • SATA (Serial ATA) as opposed to PATA • uses Advanced Host Controller Interface (AHCI) • supported by Vista, Linux, but not XP • often implemented in conjunction with Serial Attached SCSI (SAS) • look like PATA at the application level but completely non-interchangeable at the device level 7 pin SATA data cable 15 pin SATA power cable

  13. Interfaces • Addressing • Distinguish • Physical addresses (low level format) and • Logical addresses (changed by normal formatting / repartitioning) • Physical addresses • Cylinder Head Sector proved to limiting: • 10b cylinder, 4b head, 6b sector • 16b cylinder, 4b head, 6b sector • LBA (Logical Block Addresses) • In older systems, the BIOS might have to do address translation. • This causes a FE (forensic examiner) head-ache if disks are mounted on other systems.

  14. Interfaces • Terminology is difficult to understand. • http://www.pcguide.com/ref/hdd/if/ide • Removable media specifications in • AT Attachment Packet Interface (ATAPI)

  15. Interfaces • Controller issues commands over the ribbon cable. • Single bit determines whether the master or the slave executes the command. • Controller writes to command register. • Disk responds by writing to status register.

  16. Interfaces • Hard Drive Passwords • Established in ATA-3. • Set through BIOS or through software. • If implemented: • User password • Master password (for organization) • High-security: both passwords unlock disk. • Maximum-security: master password only unlocks after disk drive has been wiped.

  17. Interfaces • Hard Drive Passwords • Locked disk is usually visible to the OS. • Need SECURITY_UNLOCK with the correct password before most ATA commands are executed. • There are tools (hdunlock, atapwd) to unlock a drive • Used mainly to circumvent IP protection in game consoles (X-box)

  18. Host Protected Area: HPA • Appeared first in ATA-4 • Used so that computer vendors could store data that a user cannot damage by formatting. • HPA can be used to hide data.

  19. Host Protected Area: HPA • Investigative Process • READ_NATIVE_MAX_ADDRESS returns number of physical sectors • IDENTIFY_DEVICE returns number of sectors that a user can access. • Difference shows existence and extend of HPA. • Creating HPA • SET_MAX_ADDRESS limits user access to last sectors. • Rerunning it with maximum physical address unlocks HPA. • Volatility bit determines whether HPA exists after the disk is shut down and restarted. • This can be used to temporarily unlock a HPA.

  20. DCODevice Configuration Overlay • ATA-6 • Limits the apparent maximum number of physical sectors. • Use the DEVICE_CONFIGURATION_SET / RESET ATA commands.

  21. Interface • PATA vs. SATA • SATA has speed advantage and also smaller cable.