91.580.203 Computer & Network Forensics Xinwen Fu Chapter 7 Working with Windows and DOS Systems.

91.580.203 Computer & Network

Forensics

Xinwen Fu

Chapter 7Working with Windows

and DOS Systems

BIS@DSU2

Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting

BIS@DSU3

Understanding the Boot Sequence Avoid data contamination or modification Make sure computer boots from a floppy

disk Delete key Ctrl+Alt+Insert Ctrl+A Ctrl+F1 F2 F12

BIS@DSU4

Understanding the Boot Sequence (Cont.)

Who provides this setup screen for you?

BIS@DSU5

BIOS - Basic Input/Output System A piece of firmware ("software on a chip") Support for the following devices and

features of your system Select and configure hard drives, floppy drives,

and CD-ROM drives Configure main and cache memory Support different CPU types, speeds, and

special features Support advanced operating systems, including

networks, Windows 9x, and Windows 2000 (Plug and Play)

Many others

BIS@DSU6

BIOS on the Motherboard

BIOS

Battery

http://www.informit.com/articles/article.asp?p=130913&seqNum=4&rl=1

BIS@DSU7

Two Components Supporting BIOS CMOS chip, also known as the RTC/NVRAM

(Real-Time-Clock/Non-Volatile RAM) Store setting Contain the system's Real-Time-Clock circuit

Battery Power CMOS to keep its settings

BIS@DSU8

Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting

BIS@DSU9

Floppy Disks Yes these still exist!

5.25 3.5

• Originally single sided

• Then became double sided

BIS@DSU10

Original floppies were single-sided

Side View of Floppy in Disk Drive

0 Side 0

Single-sided Disk

Disk Drive

BIS@DSU11

FD Densities & Capacity

Disk Size Density Sectors/Track Capacity

5.25 Low 9 360K

5.25 High 15 1200K

3.5 Low 9 720K

3.5 High 18 1,440K

BIS@DSU12

Hard Disk Structure Hard disk drives are

organized as a concentric stack of disks or ‘platters’

Each platter has 2 surfaces

How a hard disk works? The platters rotate on the

spindle The heads move along

the radius of the platters This allows the head to

access all parts of the surfaces

BIS@DSU13

Disassembling a Hard Drive

BIS@DSU14

HD Elements 16 heads 8 Platters

BIS@DSU15

HD Head Each platter has a

planar magnetic surface on which digital data may be stored

Information is written to the disk by transmitting an electromagnetic flux through read-write head (an antenna) that is very close to the magnetic material

BIS@DSU16

HD Head Clearance

BIS@DSU17

How Data is Organized on HD - Tracks

The data is stored on concentric circles on the surfaces known as tracks

Numbering starts with 0 at the outermost cylinder

BIS@DSU18

How Data is Organized on HD Sectors/Blocks

A sector is a continuous linear stream of magnetized bits occupying a curved section of a track

Sectors are the smallest physical storage units on a disk- Each sector stores 512 bytes of data

Numbering physical sectors within a track starts with 1

Sector 1

Track 0

Sector 2

Track 0

BIS@DSU19

How Data is Organized on HD - Cylinders

CYLINDER

Head Stack Assembly

Head 0

Head 1

Head 2

Head 3

Head 4

Head 5

TrackSector

Corresponding tracks on all platter surfaces make up a cylinder

On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder

BIS@DSU20

Cluster (Blocks) 1 or more contiguous sectors The smallest pieces of storage that an OS can

place into data The bytes in a cluster varies according to the size

of the drive and the version of the OS 65,536 sector limit in DOS FAT16 (216) Using clusters allows for grouping multiple sectors Total number of sectors per cluster is always a power of 2

BIS@DSU21

FAT16/FAT12 Number of Sectors/Cluster Low density 5.25 inch floppy diskette - 2 sectors High density 5.25 inch floppy diskette - 2 sectors Low density 3.5 inch floppy diskette - 2 sectors High density 3.5 inch floppy diskette - 1 sector Zero - 15MB logical hard drive partition - 8 sectors 16MB -127MB logical hard drive partition - 4 sectors 128MB - 255MB logical hard drive partition - 8 sectors 256MB - 512MB logical hard drive partition - 16 sectors 512MB - 1024MB logical hard drive partition - 32 sectors 1024MB - 2048MB logical hard drive partition - 64 sectors 2048MB - 4095MB logical hard drive partition - 128 sectors

BIS@DSU22

What is this disk?

Disk Size

Density Sectors/Track Capacity

5.25 Low 9 360K

5.25 High 15 1200K

3.5 Low 9 720K

3.5 High 18 1,440K

If you cannot see Properties, clickView-> Properties

BIS@DSU23

Hard Disk Addressing Older BIOSes in PC’s used 24 bit

addressing which could only access up to 8.4 GB (224 * 512 bytes).

Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.

BIS@DSU24

C H S Each storage unit on a disk can be identified by a

3-coordinate system identifying the Cylinder Head/Side Sector

One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 Bytes: Eg. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes

= approx. 6GB

BIS@DSU25

Hard Disk Addressing (Cont.) Most Intel based mother boards use an ATA

(Advanced Technology Attachment) interface which connects to the hard disk - IDE disk

The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.

BIS@DSU26

Exception: LBA – Logical Block Addressing By industry agreement, large IDE disks (with

more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16514064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity

As such the BIOS must know to use the LBA capacity The total number of accessible sectors Eg. A disk with an LBA value of 156,301,488 has a

capacity of 156,301,488 * 512 = 80GB

BIS@DSU27

File Slack The area between the end of the file and

the end of the last cluster allocated for that file

BIS@DSU28

File Slack Illustration

BIS@DSU29

NTFS Clusters and Cluster Sizes

Partition Size Range (GiB)

Default Number of Sectors Per Cluster

Default Cluster Size (kiB)

<= 0.5 1 0.5

> 0.5 to 1.0 2 1

> 1.0 to 2.0 4 2

> 2.0 to 4.0 8 4

> 4.0 to 8.0 16 8

> 8.0 to 16.0 32 16

> 16.0 to 32.0 64 32

> 32.0 128 64

http://www.pcguide.com/ref/hdd/file/ntfs/archCluster-c.html

BIS@DSU30

A Computer test.csv Two questions:

1. What is the cluster size of the partition?

2. What is the partition size range?

BIS@DSU31

Summary of Hard Disk Data on a HD are stored on tracks Corresponding tracks on all surfaces

make up a cylinder Data is stored in sectors and usually read

in blocks or clusters A storage unit can be identified by CHS LBA is used for drives in excess of 7.8 GB

BIS@DSU32

Outline Understanding the boot sequence Understanding disk drives Understanding partitioning and formatting

BIS@DSU33

Key things The function of the FDISK program Primary partition, extended partition, active

partition, and logical drive   How logical partitions can be hidden The necessity of understanding the suspect’s

partitioning scheme

BIS@DSU34

This represents all the available surface area on a hard drive that can be used for storage

Initializing a Hard Drive

The first thing to do is magnetically create a

system of unique storage areas

BIS@DSU35

Step 1: Use a low-level format program to create a magnetic structure of sectors

Low-level (Factory) Format

One 512-byte sector

• Low-level formatting is usually done at the factory.• Low-level formatting establishes the communication,

or hand-shaking, between the drive and its controller.

BIS@DSU36

The sectors are organized by tracks

All the sectors on one track

Results of Low-level Format

BIS@DSU37

MBR

Initializing a Hard Drive with FDiskStep 2: FDISK writes partition information in the Master

Boot Record at Cylinder-0, Head-0, Sector-1

Master Boot Record 1. Master Boot Code 2. Master Partition Table

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

The remainder of that track is “Reserved”

BIS@DSU38

Master Partition Table Maximum of 4 entries Valid entries contain essential information about

the partition Partition type/code Active (yes or no) Partition start and end information

Unused entries are blank

BIS@DSU39

Types of Entries in Master Partition Table

Primary Partition(s) - up to 4 allowed Contains one logical drive Only one may be marked as “Active”

Extended Partition (only 1 allowed) Contains one or more logical drives Each logical drive is defined by its own partition

table which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries)

Partition ‡ logical drive

Total number of entries may not exceed four!

BIS@DSU40

Partition Type CodesFile systems are assigned characteristic

type codes that are listed in partition table entries

DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported

DOS/Windows systems will not assign a drive letter to partition types not supported

BIS@DSU41

Common Partition Type Codes

BIS@DSU42

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

MBR

Single Primary Partition

BIS@DSU43

Hard drive with one active primary partition (single logical drive)

Single Primary Partition (Cont.)

Hub

Logical Drive

BIS@DSU44

Master Partition Table - DiskEdit View

Single Primary Partition (Cont.)

“Yes” indicates “Active”

BIS@DSU45

One Primary with Extended Partition

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

MBR

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Partition Table

Primary Partition Extended Partition

BIS@DSU46

Each partition table points to the next

Partition Tables

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

MBR

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Reserved

Partition Table

BIS@DSU47

Master Partition Table – DiskEdit View

One Primary & One Extended

Primary Partition Entry

BIS@DSU48

Extended Partition Table – DiskEdit View

One Primary & One Extended

The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.

Extended Partition Entry

BIS@DSU49

Partitions and More Than One Logical Drives Extended partition may contain more than one

logical partitions

Primary, Extended and Logical Partitions Primary, Extended and Logical Partitions

Graphical depiction of the partitioning

Primary Partition

Extended Partition with Three Logical Drives

c: d: e: f:

BIS@DSU50

Why Care about Partitioning? Important Point: When

examining a suspect’s hard drive, why is it necessary to know how it's partitioned?

BIS@DSU51

PartitioningReasons to examine the partition tables:

To make sure all space on the drive is accounted for

To look for multiple operating systems To look for hidden partitions

BIS@DSU52

Hidden Partitions

View of a hidden partition using the PART utility

DOS/Windows partitions can be “hidden” by changing the partition-type code

BIS@DSU53

Hidden Partitions

This partition disappears!

BIS@DSU54

Partition Table Doctor Link: http://www.ptdd.com/

The only limitation is that DEMO version can not write to disk.

Recover deleted or lost Partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).

Displays complete physical and logical drive information. Fix the Boot Sector of FAT and NTFS partition. Preview boot files and boot directories of each partition

before recovery. Backup MBR (Master Boot Record), Partition Table, Boot

Sectors. Restore MBR, Partition Table and Boot Sectors from a backup

file if they are damaged. Support IDE / ATA / SATA / SCSI drives.

BIS@DSU55

Main Window

BIS@DSU56

Partition->Edit Properties