PowerPoint Slideshow about 'Computer Forensics' - sinjin



Computer Forensics

DOS Partitioning

Partitioning Practices
  • We separate partition practices into those used by
    • Personal Computers:
      • DOS
      • Apple
    • Servers
      • Free BSD
      • Sun Solaris
      • GPT
DOS Partitions
  • Although there is no standard specification, there are several accepted partitioning practices
    • Most common type of partitioning system for PCs (and servers)
      • Microsoft calls disks using this type of partitioning system Master Boot Record (MBR) disks
    • Another type is GUID Partition Table (GPT) used by servers
Definitions
  • Starting with Windows 2000, Microsoft differentiates between:
    • Basic disk – MBR or GPT disk on which partitions are independent and standalone
    • Dynamic disk – MBR or GPT on which partitions can be combined or merged to form larger partitions (e.g. RAID)
    • We will focus on Basic disk using MBR
DOS Partitions
  • The MBR occupies the first sector of the disk and holds a partition table with four entries
  • When more than four partitions are needed, one of them is made an extended partition that contains secondary partitions
  • The extended partition contains a table similar to the MBR in its first sector
  • Non-extended partition entries give the starting sector and the size (in sectors). The ending sector address can be calculated:
    • Starting sector address + size in sectors - 1
Reasons for partitioning
  • Allowing users to have more than one operating system on a single computer
  • Separation of operating system files from user files
  • Improving performance by breaking up file space into smaller units
MBR
  • MBR resides in front of the first partition
    • MBR is the first 512 bytes of the disk
    • MBR is in LBA Sector 0
  • MBR contains
    • Boot code – how to process the partition table and how to locate the operating system
    • Partition table
    • Signature
  • The MBR contains the Partition Table which has 4 entries, one for each partition
MBR contents

Byte      Description              Essential
0-445     Boot code                no
446-461   Entry #1                 yes
462-477   Entry #2                 yes
478-493   Entry #3                 yes
494-509   Entry #4                 yes
510-511   Signature value 0xAA55   yes

Table 5.1 Carrier

Partition Table Entries (Bytes 446-509)
  • Each entry in the partition table (16 bytes) has the following fields
    • Starting CHS address
    • Ending CHS address
      • Each uses 10 bits for cylinder, 8 bits for head and 6 bits for sector
    • Starting LBA address
      • Either CHS or LBA is used, but usually not both
    • Number of sectors in partition
    • Type of partition – FAT, NTFS, etc.
    • Flags – identify which partition is bootable, and thus which operating system will be loaded
  • Each table entry describes the layout of a partition in CHS and LBA addresses
    • CHS addresses only work for disks smaller than 8 GB (they are ignored on larger disks)
    • LBA addresses work for disks that are terabytes (TB) in size
DOS Partition Table Entries

Byte     Description
0        Bootable Flag
1-3      Starting CHS Address
4        Partition Type
5-7      Ending CHS Address
8-11     Starting LBA Address
12-15    Size in sectors

Partition Types

Type     Description
0x00     Empty
0x01     FAT12
0x04     FAT16, 16-32 MB
0x06     FAT16, 32 MB - 2 GB
...
0xa8     Mac OS X
...
0xfb     VMware File System

From Table 5.3 Carrier

Basic DOS disk

Figure 5.1 Carrier, simple disk with two partitions and the MBR (layout: MBR, Partition #1, Partition #2)

Extended Partitions
  • If we need more than four partitions, we can use extended partitions
    • Example: we want to divide a 12GB disk into six 2GB partitions for using multiple operating systems
  • Create up to three partitions normally, then make the fourth an extended partition that can be further subdivided
DOS disk partition variations

Figure 5.2 Carrier, DOS disk with three primary file system partitions and one primary extended partition (layout: MBR, Primary File System #1, Primary File System #2, Primary File System #3, Primary Extended Partition, which contains the secondaries...)

Secondary Extended Partitions

Figure 5.3 Carrier (layout: Secondary Extended #1 with Secondary File System #1, then Secondary Extended #2 with Secondary File System #2). See also Figure 5.4.

Boot Code
  • The partition to be booted is the one whose bootable flag is set
    • With standard boot code on a system with only one OS, the flag value 0x80 marks the partition to boot
    • Alternatively, the boot code may prompt the user to choose a partition for booting
Extracting sectors from an actual system

Using the dd command we can get the first sector of the disk:

# dd if=disk3.dd bs=512 skip=0 count=1 | xxd

MBR from the previous dd command. The ASCII column has been removed; multi-byte values are stored little endian, with the least significant byte at the lowest address.

0000000: eb48 9010 8ed0 bc00 b0b8 0000 8ed8 8ec0

[REMOVED]

0000384: 0048 6172 6420 4469 736b 0052 6561 6400

0000400: 2045 7272 6f72 00bb 0100 b40e cd10 ac3c

0000416: 0075 f4c3 0000 0000 0000 0000 0000 0000

0000432: 0000 0000 0000 0000 0000 0000 0000 0001

0000448: 0100 07fe 3f7f 3f00 0000 4160 1f00 8000

[REMOVED]

0000496: 01cd 05f3 ffff 8d40 3200 79eb 9604 55aa

Bytes 0-445 contain boot code. The 0xAA55 signature is in the last two bytes of the sector. The partition table entry for partition 1 (bytes 446-461, highlighted in red on the original slide) shows a partition type of 0x07 and a starting sector of 63.

Looking at the output on p. 92, which partition is bootable?

How did we get Figure 5.5?
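Added example (not part of the original slides): decoding the packed 3-byte CHS fields of partition 1 from the dump above and converting them to LBA with the 255-head, 63-sector geometry that fdisk reports later in these slides. Both fields should reproduce the LBA start 63 and the end sector 2056319 that the LBA fields give.

```python
def decode_chs(raw):
    """Unpack a 3-byte CHS field from a DOS partition entry.
    byte 0: head (8 bits); byte 1: sector in the low 6 bits, cylinder bits 8-9
    in the top 2 bits; byte 2: cylinder bits 0-7.  Returns (cylinder, head, sector)."""
    head, b1, b2 = raw
    sector = b1 & 0x3F
    cylinder = ((b1 & 0xC0) << 2) | b2
    return cylinder, head, sector


def chs_to_lba(cylinder, head, sector, heads=255, sectors_per_track=63):
    """Convert CHS to an LBA sector number for the given geometry (sector is 1-based)."""
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


# Largest byte offset reachable with 10/8/6-bit CHS: about 7.9 GiB, the
# "less than 8 GB" limit on the slide; bigger disks must rely on the LBA fields.
CHS_LIMIT_BYTES = 1024 * 256 * 63 * 512

# Start and end CHS bytes of partition 1, copied from the MBR dump above
# (bytes 447-449 and 451-453 of the sector).
START_CHS = bytes.fromhex("010100")
END_CHS = bytes.fromhex("fe3f7f")
```

Decoding START_CHS gives cylinder 0, head 1, sector 1, which is LBA 63; END_CHS gives cylinder 127, head 254, sector 63, which is LBA 2056319.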

Extended Partition Example

Look at Figure 5.6

  • A primary extended partition starts in sector 1,000 with a length of 11,000 sectors
    • The partition table has two entries:
      • A FAT file system, starting at relative sector 63 (actual 1,063) why 63?
      • An extended partition, starting at relative sector 4,000 (actual 5,000)
    • The secondary extended partition contains an NTFS file system, starting at relative sector 63 (actual 5,063)
      • The second entry is for another extended partition, starting at 6,500 (actual 7,500)
    • Continue?
Continued example
  • Contents of the first sector of the primary extended partition in sector 3,293,325 (see Table 5.4)

# dd if=disk3.dd bs=512 skip=3293325 count=1 | xxd

[REMOVED]

0000432: 0000 0000 0000 0000 0000 0000 0000 0001

0000448: 01cd 83fe 7fcb 3f00 0000 0082 3e00 0000

0000464: 41cc 05fe bf0b 3f82 3e00 40b0 0f00 0000

0000480: 0000 0000 0000 0000 0000 0000 0000 0000

0000496: 0100 07fe 3f7f 3f00 0000 4160 1f00 55aa

The last two entries are empty. Type is 0x83 – Linux, so it is a secondary file system partition and it starts relative to the start of the current extended partition ... Table 5.5 is an extension of Table 5.4. Calculate the start of the DOS extended partition.
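Added example (not from the slides or from Carrier's book): a Python parser for the 16-byte entries and table sectors described above, checked against the partition 1 entry copied from the MBR dump, plus a walker that follows the extended partition chain of the Figure 5.6 example using the relative addressing rules the slides give. The disk image, the partition sizes and the final Linux partition at 7,563 are constructed for the test; the `seen` set stops a chain that loops back on itself, as a damaged or tampered table could.

```python
import struct
EXTENDED = {0x05, 0x0F}  # 0x05 is on the slides; 0x0F is the other common extended type
ENTRY = "<B3sB3sII"      # flag, start CHS, type, end CHS, start LBA, size in sectors

def parse_entry(raw):
    """Decode one 16-byte DOS partition table entry (layout per the slide table)."""
    flag, _, ptype, _, lba, size = struct.unpack(ENTRY, raw)
    return {"bootable": flag == 0x80, "type": ptype, "lba": lba, "size": size}

def parse_table(sector):
    """Return the four entries of an MBR or extended-partition table sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("bad sector size or missing 0xAA55 signature")
    return [parse_entry(sector[446 + 16 * i:462 + 16 * i]) for i in range(4)]

def walk_partitions(read_sector):
    """Yield (type, start, end) for every file system partition, following the chain:
    a secondary file system entry is relative to the *current* extended partition,
    a secondary extended entry is relative to the *primary* extended partition."""
    for e in parse_table(read_sector(0)):
        if e["size"] and e["type"] not in EXTENDED:
            yield e["type"], e["lba"], e["lba"] + e["size"] - 1
        elif e["size"]:
            primary, cur, seen = e["lba"], e["lba"], set()
            while cur is not None and cur not in seen:  # 'seen' stops a looping chain
                seen.add(cur)
                nxt = None
                for sub in parse_table(read_sector(cur)):
                    if sub["size"] and sub["type"] in EXTENDED:
                        nxt = primary + sub["lba"]
                    elif sub["size"]:
                        start = cur + sub["lba"]
                        yield sub["type"], start, start + sub["size"] - 1
                cur = nxt

def make_table(entries):
    """Constructed test data: build a 512-byte table sector from (type, lba, size)."""
    sec = bytearray(512)
    for i, (ptype, lba, size) in enumerate(entries):
        struct.pack_into(ENTRY, sec, 446 + 16 * i, 0, bytes(3), ptype, bytes(3), lba, size)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

# Constructed image following the Figure 5.6 walkthrough: sector numbers come from the
# slides; partition sizes and the final Linux partition at 7,563 are made up for the test.
IMAGE = {0: make_table([(0x05, 1000, 11000)]),                     # primary extended at 1,000
         1000: make_table([(0x06, 63, 3000), (0x05, 4000, 2000)]),  # FAT 1,063; next ext 5,000
         5000: make_table([(0x07, 63, 1000), (0x05, 6500, 2000)]),  # NTFS 5,063; next ext 7,500
         7500: make_table([(0x83, 63, 1000)])}
SLIDE_ENTRY = bytes.fromhex("00010100 07fe3f7f 3f000000 41601f00")  # MBR dump bytes 446-461
```

`list(walk_partitions(lambda n: IMAGE[n]))` returns the FAT partition at 1,063, the NTFS partition at 5,063 and the Linux partition at 7,563, matching the arithmetic on the slide; `parse_entry(SLIDE_ENTRY)` gives type 0x07, start 63 and size 2,056,257 sectors, the same values fdisk prints for disk3.dd1.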

Tools
  • fdisk – lists partitions
  • mmls – lists the partition layout and marks unused sectors as unallocated
fdisk

# fdisk -lu disk3.dd

Disk disk3.dd: 255 heads, 63 sectors, 0 cylinders
Units = sectors of 1 * 512 bytes

   Device Boot     Start       End    Blocks  Id System
disk3.dd1            63   2056319   1028128   7 NTFS
disk3.dd2   *   2056320  22635164    104422  83 Linux
disk3.dd3       2265165   3293324    514080  83 Linux
disk3.dd4       3293325  80292869  38499772   5 Extended
...

This output lists only the primary extended partition (disk3.dd4). That is acceptable because only the primary and secondary file system partitions are needed for an investigation, but be aware that not all entries are shown.

mmls

# mmls -t dos disk3.dd

Units are in 512-byte sectors

Slot       Start      End        Length     Description
00: ----   00000      0000000    00001      Table #0
01: ----   00001      0000062    00062      Unallocated
02: 00:00  00063      2056319    big        NTFS(0x07)
03: 00:01  2056257    208845     208845     Linux(0x83)
04: 00:02  2265165    3293324    1028160    Linux(0x83)
05: 00:03  ...

Unused sectors are marked unallocated, and both the partition tables and the extended partition locations are indicated.

See pages 98 and 99.

Summary
  • If we need one to four partitions, the MBR alone is enough to find all partitions
  • If we need more than four partitions, we create up to three partitions in the MBR and make the fourth MBR entry point to the extended partition that holds the remainder
  • DOS-based partitions are the most common in current computer investigations. They are also difficult to understand.
  • Tools can help list the layout of disks and find the used and unused space.
Removable Media
  • Most removable media also have partitions and many use the same structures used by hard disks.
    • Floppy disks: each disk is a single partition
    • Thumb drives: some contain only one file system, but others have partitions
    • Zip drives: are partitioned
    • Flash cards (cameras): many use FAT file systems and can be analyzed using normal investigation tools
    • CD-ROMs: most use ISO 9660 format so that multiple OSs can read them...complex
Chapter 6: Server-based partitions
  • BSD (sometimes called Berkeley) UNIX servers use their own partitioning system
    • FreeBSD (also uses DOS partitioning), OpenBSD, NetBSD
    • Many use IA32-based hardware (Intel’s x86/i386)
  • It is becoming common to encounter a Linux system during an investigation, but Linux uses only the DOS-based partitions
  • When an operating system runs, it can choose which partitions it makes available for user access
Disk Label
  • Central data structure for BSD partition system is a disk label
    • Located in the second sector of the BSD partition
    • At least 276 bytes
  • Structure is shown in Table 6.1
GPT Partitions
  • Systems with 64-bit Intel Itanium processors (IA64) do not have a BIOS like IA32 systems
  • Instead, they have an Extensible Firmware Interface (EFI)
    • The EFI uses a partition system called the GUID Partition Table (GPT); GUID is ‘globally unique identifier’
      • It can support up to 128 partitions and uses a 64-bit LBA address
      • Usually found in high-end servers
Multiple Disk Volumes
  • Multiple disks can be used to contain data, but such systems may be difficult to investigate
  • Initially used in high-end and critical systems, but becoming more popular with desktop systems
  • Two types discussed here:
    • RAID systems: provide redundancy
    • Disk spanning: creates larger volumes
RAID
  • RAID 0: 2 or more disks on which data is striped across disks (no redundancy)
  • RAID 1: data is repeated across disks for redundancy
  • RAID 2: rare; uses error-correcting codes
  • RAID 3: 3 or more disks; one disk assigned for parity
    • Parity disk can recreate a failed disk
    • Byte-sized chunks
  • RAID 4: similar to level 3, but data is striped in block-sized chunks instead of byte-sized chunks
  • RAID 5: similar to level 4, but with no dedicated parity disk; parity is alternated among the data disks
  • There are several more RAID levels

Analysis
  • Use hardware write-blockers on the individual hard disks to prevent modifications during acquisition
  • It may also be useful to make images of the individual disks before making an image of the entire RAID volume
  • Some RAID systems use only part of the hard disk...unused space may contain old data, or could be used to hide data
Disk Spanning
  • Makes multiple disks appear to be one large disk using software, creating a logical volume.
  • Example: like using a 3-ring binder instead of a spiral notebook, it becomes easier to add more storage (i.e. disks) as more space is needed.
  • Logical volume: the output of the disk-spanning software.
Disk Spanning

Figure (disk spanning): Disk 1 holds blocks D0, D1, D2, ..., D99 and Disk 2 holds blocks D100, D101, D102, ..., D199.

The storage space from a new disk is appended to the end of the existing storage space. This generates a logical volume made up from two disks.