1 / 20

BACS 371 Computer Forensics

BACS 371 Computer Forensics. Files & Partitions. Data Hierarchy. Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word Byte Bit. File. Collection of Information written to a disk Generally created in an application-specific format

rodd
Download Presentation

BACS 371 Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BACS 371Computer Forensics Files & Partitions

  2. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word Byte Bit

  3. File • Collection of Information written to a disk • Generally created in an application-specific format • Occupies a fixed number of clusters • Each file’s cluster has a pointer to the next cluster in the file • The final cluster contains the End of File (EOF) marker (hex FFFF)

  4. Files • Logical File Size • Exact size of contents of file in bytes • Physical File Size • Amount of space a file occupies on disc in bytes • File Slack • Unused space between logical end of file and physical end of a cluster • Two types: RAM slack and Disk Slack Physical File Size <- Logical File Size -> <- File Slack ->

  5. File Slack Example File Contents: “Hello world!” 12 bytes 3rd Sector Disk Slack: 4096 Bytes – 512 Bytes = 3584 Bytes (7 sectors) • Assumptions: • Sector Size = 512 Bytes • Cluster Size = 4KB = 8 Sectors 2nd Sector RAM Slack: 512 bytes – 12 bytes = 500 bytes

  6. Partitions • A partition is a logical volume within a physical volume (i.e., disk). • The Master Boot Record (MBR) of a disk defines the partitions found on the physical disk. • An MBR can define 4 primary partitions (max). • These partitions can be defined as “logical partitions.” • Logical partitions are capable of being further subdivided into smaller “extended” logical partitions.

  7. MBR and Partitions Physical Disk <- Partition 0-> <- Partition 1-> Logical Volume MBR (1 sector) Unallocated space There can be up to 4 primary partitions defined in the master boot record (MBR)

  8. Partitions

  9. Master Boot Record (MBR) • Executable Code • Machine Language Code • Processor Specific • Decodes Partition Table • 446 bytes long 446 • Partition Table • 4 Entries • First Entry Starts at offset 446 10 • MBR “Signature” • 0x55AA

  10. Decoding a Partition Table Entry • Entry #3 starting at offset 478 10 • Starting Sector • Offset 2 • 6 bits (use 6 LSB) • Decode as bits • 0xC1 = 1100|0001 • 6 LSB = 000001 = Sector #1 • Starting Cylinder • Offset 3 • 10 bits (use remaining 2 bits from sector as upper 2 bits) • Decode as bits • 0xFF = 1111|1111 • 10 bits = 11|1111|1111 = 0x3FF = Cylinder # 1023 • Bootable? • Offset 0 • Value 0x80 means bootable • Starting Head • Offset 1 • 1 Byte • 0x00 = 0 Starting Head • File System Type • Offset 4 • Decode as table entry • 0x0C = Win 95 Fat-32 LBA • Number of Sectors • Offset 12 • 4 Bytes • Decode as Number (swap) • 0x000E37BA = 931,770 • # of sectors in this partition • 477,066,240 bytes (*512) • Relative Sectors (start of partition) • Offset 8 • 4 Bytes • Decode as Number (swap) • 0x1D0D9045 = 487,428,165 • # of sectors from start of drive to start of this partition Ending Head 5 Ending Sector 6 Ending Cylinder 7

  11. Partition Layout http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

  12. Extended Partition Layout http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

  13. Extended Boot Record 4th partition is an extended partition 446

  14. Secondary Extended Boot Record 446

  15. Partition Boot RecordAKA File System Boot Sector • Within each partition that has a file system, a partition boot record is found. • It defines the details of the file system located in the partition. • It is 1 sector long and is the first physical sector in a logicalvolume. • C 0, H 1, S 1 for firstpartition. First sector (plus partition offset) in subsequent partitions. • Contains • Code • File System Specification Information

  16. Partition Boot Record (PBR) BIOS Parameter Block • Executable Code • Machine Language Code • Processor Specific • Decodes BPB • Searches for OS • PBR “Signature” • 0x55AA

  17. Partition Boot Record • 010 - 210 Jump Instruction (3 bytes) • 310 - 1010 OEM ID (8 Bytes) • 1110 - 8310BIOS Parameter Block (BPB) (includes all below plus additional fields) all offsets in this section are from start of the BPB counting from 0 offset 1110 Bytes Per Sector 2 Bytes offset 1310 Sectors Per Cluster 1 Byte offset 2110 Media Descriptor 1 Byte offset 2410 Sectors Per Track 2 Bytes offset 2610 Number of Heads 2 Bytes offset 2810 Hidden Sectors 4 Bytes offset 3210 Total Sectors 4 Bytes • 6210 - 51110 Bootstrap Code (448 Bytes) • Ends with 55 AA NOTE: Offsets are from start of Partition, not start of Drive!

  18. Decoding a Partition Boot Record (BIOS Parameter Block – BPB) • Jump Instruction • Offset 0 10 • 3 bytes • OEM Name • Offset 3 10 • 8 bytes • Decode as ASCII • “MSDOS5.0” • Bytes Per Sector • Offset 11 10 • 2 bytes • Decode as Number • (Swap “endian”) • 0x0200 = 512 • Sectors Per Cluster • Offset 13 10 • 1 byte • Decode as Number • 0x08 = 8 • 8 * 512 = 4096 bytes/cluster • Media Type • Offset 21 10 • 1 byte • Decode from Table • 0xF8 means HD • Heads • Offset 26 10 • 2 bytes • Decode as Number • (Swap “endian”) • 0x00FF = 255 • Sectors per Track • Offset 24 10 • 2 bytes • Decode as Number • (Swap “endian”) • 0x003F = 63 • Total Sectors • Offset 32 10 • 4 bytes • Decode as Number • (Swap “endian”) • 0x000E37BA = 931,770 • 477,066,240 Bytes • FAT Size (Sectors) • Offset 36 10 • 4 bytes • Decode as Number • (Swap “endian”) • 0x0000038D = 909 • 465,408 Bytes (*512) • 58,176 Entries (/4) • 238,288,896 bytes addressed • (*4096) • File System Type • Offset 82 10 • 8 bytes • Decode as ASCII • “FAT32 ”

  19. Partition Boot Sector Decoded

  20. Summary • Physical disks can be subdivided into logical volumes (partitions). • Each physical disk has a single MBR (1st sector) that defines the primary and extended logical partitions. • There can be up to 4 partitions defined in the MBR. One or more of these can be defined as extended partitions. These can further be sub-divided. • Each logical partition has a partition boot record (1st sector) that defines the structure within that partition. • The BIOS Parameter block of the partition defines the characteristics of the file system.

More Related