1 / 40

Mastering File Systems & Data Backup Techniques

Learn differences between FAT32 and NTFS file systems, backup strategies, fault tolerance, data retrieval in Windows, disk partitioning, forensic data collection, and more.

millsg
Download Presentation

Mastering File Systems & Data Backup Techniques

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. COMP1321 Digital Infrastructures Richard Henson November 2018

  2. Week 9: File Systems, Data Backup, Fault Tolerance • Objectives • Explain differences between FAT32 and NTFS file systems • Effectively use the features in Windows that aid data backup and rapid data retrieval

  3. “If it can get lost, it will!”………… anon

  4. Hard Disk Matters • Also known as a volume… • can have a number of partitions • partitions can carry different file systems • “first” partition (normally C: ) can be “bootable” • can be used to load an operating system on that same partition • For addressing, volume divided into cylinders and sectors

  5. File Systems, Sectors, Cylinders • Each type of file system uses that hard disk in a different way • each cylinder can carry a fixed number of bits • Bytes/sector depends on file system: • FAT 512 bytes per sector • NTFS: 4096 bytes per sector Very many cylinders In a single volume

  6. Reminder of “Partitions” • The basic logical unit for storing data – applies to all storage devices • hard disks can have many partitions • most storage devices limited to one • A partition can only accept data once it has been formatted • formatting also determines the file system use to organise data e.g. FAT, FAT32, NTFS

  7. Any data that is stored by computer must be retrievable (!) • Software for managing data onto storage… “file system” • e.g. FAT32, NTFS • Provides mechanism to • index locations on the storage device • put data into files • mark locations where files are stored • locate stored data so files can easily be retrieved into memory

  8. Putting data onto a Partition memory • Data held in memory as a file taking up x memory locations • Calculation made regarding where to fit the file on secondary storage partition • Data sent from memory to storage CPU Secondary storage

  9. Extracting data from a Partition memory • Data held in storage as a file taking up x locations • Calculation made regarding where to fit the file in memory • Data sent from storage into memory CPU Secondary storage

  10. Files between storage devices Device A (NTFS) memory • File system software makes file easy to locate, via catalogue/index • Retrieval (to memory as a stream of bytes…) • Saved to another storage device (B) CPU Device B (FAT32)

  11. Cloning a Disk • Need to bypass the file system… • Every sector copied in turn to memory… • then copied back to device B • Lot of sectors… can take time! memory Device B Device A CPU

  12. Basic Principles for Collecting Evidence • Association of Chief Police Officers (ACPO) Guidelines on Computer Evidence. • basic principles of acquiring evidence from computer systems. • accepted by the courts in the United Kingdom.

  13. ACPO Principle 1 • No action taken by the Police or their agents should change the data held on a computer or other media. • Where possible computer data must be ‘copied’ and the copy examined.

  14. ACPO Principle 2 • In exceptional circumstances it maybe necessary to access the original data held on a target computer. • However it is imperative that the person doing so is competent and can account for their actions.

  15. ACPO Principles 3 • An audit trail must exist to show all the processes undertaken when examining computer data • Many forensic tools record logs of processes performed and results obtained

  16. ACPO Principle 4 • The onus rests with the person in charge of the case to show that a computer has been correctly examined in accordance with the law and accepted practice

  17. Forensic Imaging Process • Make a bit wise image of the contents of digital media • Store the original media and carry out forensic analysis using the copy image • If necessary to switch on suspect machine; • Restore image to another drive and install it in suspects machine • Or mount and start in a Virtual Machine • Retrieve evidence in a readable form

  18. Image Hard Disk

  19. Forensic Examination Process • Decide on best forensic tool(s) for the job • Expand ALL compound files • Hash ALL File Streams • Perform File Signature Analysis • Perform Entropy Test • Generate Index and/or Thumbnails of Graphics • Carve Data • Carve Meta Data

  20. FTK EnCase X-Ways Cellebrite XRY Oxgyen Recognised Forensic Tools… • Accepted by the court and validated in case law • Non-invasive computer forensic investigative tools • Cater for large volumes of data. • Read FAT, NTFS, HFS, UNIX and LINUX - Proprietary Phone Systems • Integrated environment allows users to perform all functions of a forensic analysis

  21. Expand All Compound Files • Archive Files • ZIP • RAR • Complex Files • OLE (Object Linking and Embedding) • Mail Boxes • Outlook.pst • Inbox.dbx • Operating System Files • Thumbs Caches • Internet History

  22. Hash All File Streams MD5 (Message Digest 5)Generates a unique 128 Bit value for each file or data stream: Example MD5 HashesMD5 = a08a8cf89436f18ea8084817357a59c1MD5 = 271979ddf56c38805b7562046984fe40An MD5 Hash can be used to:Identify Files to be ignored (OS Files).Identify Files of importance (Contraband Files). “This is a small text file.” “This is a small text file”

  23. File Signature Analysis • Check file header to determine if file has the correct extension • Highlight files with mismatch for manual checking

  24. Entropy Test • Can identify files that may be encrypted or compressed • An automated frequency analysis algorithm is used to determine if file content is encrypted • Files identified are then exported from the image and transferred to specialist decryption software

  25. Generate Index • Generate an index of all strings of characters in the disk image • Speed up subsequent searches of suspect image • Index can be used as a dictionary for password cracking

  26. Forensics and Data relating to a “suspect” • Meticulous records need to be made • ACPO guidelines must be upheld • need to show evidence of this in court • Need to explain to jury what it all means • Essential Role: Expert Witness

  27. “Fault Tolerant” • “A computer system or component designed so that, • in the event that a component fails • a backup component or procedure can immediately take its place • with no loss of service” • https://www.youtube.com/watch?v=P7gXmKd4Cck

  28. Fault Tolerance and Computer Systems • All about availability • Any organisation now dependent on digital data • Power cut… people stop work… most of what they do involves a computer • Good fault tolerance is about minimising the chances of this happening…

  29. Fault Tolerance role of the Network Operating System • Each important hardware component on the network should have a backup that can take over in the event of a failure • It should, therefore • detect failures • enable a backup to automatically take over when the fault is detected...

  30. Achieving Fault Tolerance • ONE APPROACH… • carefully written software • software detects failure of other software • takes evasive action in real time • hardware has an embedded system that: • detects failure • rapidly swaps alternative hardware into action • Makes sense for the operating system to do all of this… • detects both hardware and software failure • restarts program(s) • swaps in alternative pre-wired hardware

  31. Concept of Data “Mirroring” • Problem with periodic backup: • data copied the previous night • what if the system hard disk goes kaput in the middle of the next day? • Copy of all data should additionally be stored “shorter term” on further media • easiest way is to have another disk in reserve • everything copied to system disk also copied to mirror

  32. Disk Mirroring Disk A • Increases boot/system disk fault tolerance under most conditions • In its simplest form: • all data held on one disk: • second disk is an exact copy of the first • When anything is written to disk… • written simultaneously to both disks Writes data to A Disk controller Writes same data to B Disk B

  33. Where even Mirroring alone is not enough… • If the system crashes and will not reboot… • operating system doesn’t get reloaded • therefore the mirror never gets activated • and copied files cannot be read…

  34. Fault Tolerance and Re-boot • If a system crashes and/or is rebooted… • availability is temporarily lost • Needs to be a reserve system (backup server) that will perform that system’s functions in the meantime • Network Operating system needs to synchronise processes across systems to enable this to take place…

  35. The Backup Server • Essential for 100% availability • Should be configured as a replacement for the main server • also needs to be a domain controller • must also have a copy of the users database, regularly synchronised with the main domain controller • also configured to be able to log users onto the network

  36. Keeping Servers Cool! • Servers work hard (especially the disks…) • CPUs can get hot • will reduce MTBF of components • Need good ventilation at all times…

  37. Minimising Effects of Power Failure • Power failure can ruin hardware • mains spikes can overheat components • sudden lack of power will lose data currently being processed • Best to protect all hardware: • bottom line - surge preventer • better: UPS (uninterruptible power supply)

  38. The UPS • Battery packs that can provide mains voltage after a power cut • for a few minutes (cheap but effective) • or half an hour (expensive, less down time) • NOS needs to make sure it automatically cuts in when voltage drops sharply • Power continuation must include the backup domain controller, so synchronisation can occur • procedure of “graceful degradation” • allows processing to go to completion • allows new system settings to be written

  39. The Fault Tolerant Network Operating System • A Fault Tolerant system needs to have good control of hardware, backup hardware and software • The NOS, and those who configure it, need to use fault tolerance effectively so an organisational network will • keep going… (accessibility) • do what is expected… (reliability, stability)

  40. Business Continuity… • More and more businesses use solely digital systems • saved data very precious! • if not looked after and no copy taken… • no plan B if data destroyed e.g. by flooding • no data means no business! • Need also to save data to a secure, but different location as part of Business Continuity Planning (BCP)

More Related