
Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 12, 2005


lyle

Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 12, 2005 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Structure of Storage Media • Chapter 3 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  3. Storage Media • Floppy Disks • Hard Disks • CDs • DVDs • Memory Sticks • PC Cards • …

  4. Floppy Disks • Single Sided/Double Sided • Mini Hard Disks • Fairly Rugged and Durable • Dynamic Storage

  5. Nested Data Structures on HD • Hard Drive • Partition • File System • File • Record • Field

  6. Hard Drives • IDE or SCSI • IDE (Integrated Drive Electronics) supports only two devices • EIDE can support four through two channels • SCSI (Small Computer Systems Interface) supports up to 7 devices • Each of them is identified by a unique ID

  7. Hard Disk Platters

  8. Cylinders

  9. Sectors • 512 Bytes

  10. Blocks or Clusters • 2, 4, 8, …, 64 sectors per cluster

  11. Nested Data Structures on HD • Hard Drive • Partition • File System • File • Record • Field

  12. Partitions • Logical Divisions of a single hard drive • In Windows or MS-DOS, each is identified by a letter designation, e.g., C:, D:, Z: • In Unix or Linux, they are usually identified by a designation like: • /dev/hda1 • /dev/hda2

  13. Partitions • Each partition is seen by the Operating System as a logical drive • Partition information may be seen using the FDISK utility, or a commercial utility like partinfo. • Partitions tell you where on the hard disk you can find the file allocation tables.

  14. Nested Data Structures on HD • Hard Drive • Partition • File System • File • Record • Field

  15. File Systems • Index System similar to Database • Series of Tables • Directories, etc. • File Allocation Table Systems • NT File Systems • Unix File Systems

  16. File Allocation Tables • FAT-12: MS-DOS, Floppy Disks • FAT-16: Windows 95 • FAT-32: Windows 98 • NTFS: Windows 2000, NT, XP

  17. Nested Data Structures on HD • Hard Drive • Partition • File System • File • Record • Field

  18. Files • Smallest addressable component. • Take up one or more clusters. • Clusters may contain forensic evidence in slack space. • Slack space = RAM Slack + File Slack • Free Space

  19. Storage Media Basics • Sector: 512 Bytes • Cluster (Block): 2 or more sectors (up to 64) • [Figure: sectors of a cluster, bytes numbered 0 to 511]

  20. Slack Space • RAM Slack: That portion of a sector that is not overwritten in memory. • Disk Slack: Those sectors of the cluster that are not needed to store the file. • [Figure: cluster sectors with EOF, RAM Slack and Disk Slack marked]

  21. Slack Space • File Slack: The last cluster of a file isn’t filled up completely, so data from the last use of that cluster isn’t overwritten. • File Slack = Disk Slack + RAM Slack • [Figure: cluster sectors with EOF, File Slack, RAM Slack and Disk Slack marked]

  22. Free Space • That portion of the Media that is not currently in use. • Could have been used before, but not overwritten. • Especially true today with very large disks • Can we really erase a hard drive? • Even if formatted, the data is not lost.
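The slack-space layout from slides 18 to 21, as an added example that is not part of the original presentation: it splits the last cluster of a file into file data, RAM slack and disk slack, then checks each region for leftover data. The function names, the sample cluster contents and the zero-padded RAM slack are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SECTOR = 512  # bytes per sector, as on the slides


@dataclass
class Slack:
    data: bytes        # file content stored in the last cluster
    ram_slack: bytes   # from EOF to the end of the sector holding EOF
    disk_slack: bytes  # whole sectors of the cluster after that sector

    @property
    def file_slack(self) -> bytes:
        # File Slack = Disk Slack + RAM Slack (RAM slack comes first on disk)
        return self.ram_slack + self.disk_slack


def split_last_cluster(cluster: bytes, file_size: int, sectors_per_cluster: int) -> Slack:
    cluster_size = SECTOR * sectors_per_cluster
    if len(cluster) != cluster_size:
        raise ValueError("buffer must be exactly one cluster")
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    # Bytes of the file that live in its last cluster; a file that ends
    # exactly on a cluster boundary fills the cluster and leaves no slack.
    used = file_size % cluster_size or cluster_size
    # Round 'used' up to the next sector boundary: that is where RAM slack ends.
    sector_end = -(-used // SECTOR) * SECTOR
    return Slack(cluster[:used], cluster[used:sector_end], cluster[sector_end:])


def residue(region: bytes) -> bytes:
    """Return the region with leading/trailing zero bytes stripped (leftover data)."""
    return region.strip(b"\x00")


def build_sample() -> bytes:
    # Constructed sample: a 4-sector cluster that once held an old file, then
    # was reused for a 700-byte file (RAM slack assumed zero-padded here).
    old = (b"OLD-INVOICE-4711;" * 200)[: 4 * SECTOR]
    new = b"N" * 700
    pad = b"\x00" * (2 * SECTOR - len(new))  # padding up to the sector boundary
    return new + pad + old[2 * SECTOR:]


if __name__ == "__main__":
    s = split_last_cluster(build_sample(), file_size=700, sectors_per_cluster=4)
    print(len(s.data), len(s.ram_slack), len(s.disk_slack), residue(s.disk_slack)[:17])
```

In the sample, the 700-byte file occupies two of the four sectors, so the remaining two sectors of disk slack still carry the previous file's bytes.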
