Hard Disk Drive Forensic
8/8/2019 Hard Disk Drive Forensic
http://slidepdf.com/reader/full/hard-disk-drive-forensic 1/45
The Importance of Hard Disk Drives
- HDD is the most significant method of data storage
- Relatively low internal data transfer rates
- Immature optimization algorithms
- Lifetime of data written to HDD is longer than on any other media
Understanding HDD
- Physical Layer
- Volume
- File System
- File
HDD Physical Layer
- Major components of HDD
  - Platter
  - Controller
  - Read/Write Head

HDD Components
[Figure slides: Platter; Controller; Read/Write Head]
Physical Disk Geometry
- One head for each surface
- All tracks at radius r = d_n (the same radius on every surface) form a cylinder
- The number of sectors varies with the cylinder
- Each sector has 512+ octets of information
- Why 512+?
  - Not all portions of the disk are addressable by the OS
[Figure slides: one head for each surface; cylinder; sector]
Magnetic Media Storage
- Data will be written from surface one to surface n (beginning sector to end sector)
- Each platter has two surfaces
- Last surface is used for positioning and synchronization
Low Level Format
- Low level formatting creates units of storage called sectors
- Most modern HDDs use 512+ octet sectors
  - The + accounts for sector overhead bytes (differs by manufacturer)
  - Overhead bytes provide error correction and timing recovery functions
- Bad sectors are automatically remapped to redundant sectors by the HDD controller
Some Key Issues in HDD Physical Layer Forensics
- Overwritten data can potentially be recovered
- Not all areas of a HDD can be accessed through standard ATA commands
  - E.g. sector overhead, administrative storage, excluded storage
- Bad sectors are remapped to redundant sectors and are no longer addressable (i.e. through ATA commands)
HDD Volumes
- Volumes are logical storage containers on HDD
- Volumes can contain almost any data structure
  - File systems
  - Databases
  - Swap space
  - Hidden backups
  - Redundant sectors
Partitioning
- The Master Boot Record (MBR) is created and includes the Master Boot Code (MBC) and the Master Partition Table (MPT)
  - Always at sector 1 on any bootable media
- MBC is executed at boot if the HDD is designated as the boot device
- MPT contains information about logical volumes (partitions), including the active partition (i.e. the one whose Volume Boot Code will be executed)

The Boot Process
- Begin execution from ROM
- Jump to BIOS power on self test
- System initialization from CMOS and device BIOS
- Transfer execution to master boot record (MBR) at cylinder 0, head 0, sector 1 of boot media (if it exists)
- Transfer execution to boot code on active partition indicated by the master partition table in MBR
  - Hundreds of files are modified/touched
  - Constant memory and HDD modification
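The MBR layout described in the two slides above can be checked directly on a disk image. The following is an added example, not code from the slides: it constructs a sample first sector (446 bytes of placeholder boot code, four 16-byte partition table entries, the 0x55AA signature), parses it, and identifies the active partition the MBC would hand control to. The partition type codes (0x07, 0x83), LBA values and the NOP filler are constructed sample values; the 446/64/2-byte layout and the 0x80 active flag are the standard MBR format.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446      # master boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
ACTIVE_FLAG = 0x80                # status byte value marking the bootable partition
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count


def build_partition_entry(status, part_type, lba_start, sectors):
    """Pack one 16-byte MPT entry. CHS fields are zeroed in this constructed
    sample; real MBRs carry legacy CHS values there that LBA-era tools ignore."""
    return struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", part_type,
                       b"\x00\x00\x00", lba_start, sectors)


def build_sample_mbr():
    """Constructed sector-1 (LBA 0) image: placeholder MBC, two partition
    entries, two empty entries and the signature."""
    mbc = b"\x90" * PARTITION_TABLE_OFFSET   # NOP filler stands in for real boot code
    entries = (
        build_partition_entry(ACTIVE_FLAG, 0x07, 2048, 204800)   # active, NTFS type 0x07
        + build_partition_entry(0x00, 0x83, 206848, 409600)      # inactive, Linux type 0x83
        + bytes(PARTITION_ENTRY_SIZE) + bytes(PARTITION_ENTRY_SIZE)
    )
    return mbc + entries + MBR_SIGNATURE


def parse_mbr(sector):
    """Validate the MBR signature and return the non-empty MPT entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue                                   # empty slot
        entries.append({"index": i, "active": status == ACTIVE_FLAG, "type": ptype,
                        "lba_start": lba, "sectors": count,
                        "byte_offset": lba * SECTOR_SIZE})   # where the VBR sits in the image
    return entries


def active_partition(entries):
    """The MPT marks exactly one partition active; its boot code is what the MBC jumps to."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("active partition index:", active_partition(parts)["index"])
```

On a real image, read the first 512 bytes of the device file and pass them to parse_mbr; the byte_offset field is where the volume boot code of each partition begins, which is the next structure an examiner would inspect.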
HDD High Level Format
[Figure: layers labelled Low level format (Sectors, 512+ B; Redundant Sectors, 512+ B), Blank media, High level format file systems, with a "Flash back" arrow]
HDD High Level Format
- High level format creates the file systems
- Sectors are too small for most HDDs (the address space is too large)
- Sectors are grouped into groups of N to form clusters
- Clusters = Blocks = Fragments = different names for the same thing
HDD High Level Format
- MPT now contains file system type and cluster size
  - Cluster sizes are multiples of 512 octets (sector size)
  - The cluster is the unit of file size for the operating system
- A file system structure is created
  - FAT creates a file allocation table
  - NTFS creates a master file table
  - Linux Ext2/3 creates a virtual file system
  - Each file system behaves differently
HDD Size
- HDD Size = Number of platters * number of heads * number of sectors * 512
Disk Size
- The DOS file system file allocation table (FAT) was never designed to handle storage devices with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits.
- Data is written in sectors of 512 bytes (hard drives, floppy) or 2048 bytes (CD-ROM).
Disk Size: an exercise
- In FAT16, the maximum number of data units that can be handled is (2^15) - 1 = 32767 units
- If each unit represents one sector, what is the size of the data storage? = 16MB
Disk Size
- This sets an arbitrary limit on disk storage devices of 512 x 32767 = 16MB.
- That simply means the maximum hard disk size = 16MB.
- If the size of the hard disk is more than 16MB, what happens? There will be sectors that cannot be referenced, or have no reference, in the file allocation table.
Disk Size
- To accommodate larger drives the concept of clusters was invented.
- Clusters are a group of sectors written as a single atomic unit.
- The larger the drive capacity, the more sectors are grouped into clusters (up to 128 sectors).
Disk Size
- What about FAT32?
- What about the maximum size of the disk?
- Activity 1: What is the maximum size of the disk for the FAT32 file system? = 17TB
Disk Size
- Because sectors are at the hardware level and clusters are at the operating system level, you often hear techie types refer to sectors as physical address space and clusters as logical address space.
Things to remember about FAT
- A sector is the smallest addressable unit of a hard disk.
- A cluster is a fixed number of contiguous sectors (but not necessarily physically contiguous).
- As you use files, increase and decrease their size and create new files, formerly contiguous clusters become scattered randomly across your hard disk, which is referred to as fragmentation.
- Most operating systems, including Windows, have their own defragmentation utilities.
- Periodic defragmentation of your hard disk will reduce the risk of data loss and improve overall system performance.
Where to find hidden data
- In computer forensics, we are interested in category 5 of the stored data
- 5 categories of stored data:
  - Online
  - Offline
  - Near-line
  - Backup tapes
  - Fragmented/hidden/deleted/encrypted
- So where do we find category 5 stored data?
Slack Space
- With clustering comes slack space
- What is slack space? Space between the end of a file and the end of its cluster
- Consider a file containing 4628 bytes
[Figure: Sector (512 bytes); Cluster (2 * 512 bytes)]
Slack Space
- 4628 = (1024 * 4) + 532 bytes
- 4 full clusters and part of a fifth cluster
- There will be (5 clusters * 1024) - 4628 = 492 unused octets, or slack space
[Figure: Slack space (492 octets)]
Slack Space
- RAM Slack
  - If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with RAM slack.
  - RAM slack is random data that happens to be in RAM memory at the time the file is written.
  - It can contain any data that you were working on since you last booted the PC, such as emails, word documents, graphics, etc.
Slack Space
- Drive Slack
  - Unlike RAM slack, which comes from working storage, drive slack is data left on the drive from a previous file.
  - After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is, with whatever data was written there previously.
  - This is possible because deleting a file only removes it from the FAT; the data remains on the drive until the sector it occupies is overwritten by a subsequent file.
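The slack space slides above (the 4628-byte worked example, RAM slack and drive slack) translate into a short model that splits the unused tail of the last cluster into the two kinds of slack and then shows what an examiner can carve back out. This is an added example, not code from the slides. It uses the slides' geometry (512-byte sectors, 2-sector clusters); the byte patterns "N", "R" and "O" standing for new file data, RAM contents and old data from a deleted file are constructed sample values, and the write model (old sectors in the cluster stay untouched beyond the RAM-padded sector) is the behaviour the slides describe, not the code of any particular file system.

```python
SECTOR = 512
CLUSTER = 2 * SECTOR          # the slides' example geometry: 2 sectors per cluster


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Split the slack of a file_size-byte file into RAM slack (the rest of the
    last written sector) and drive slack (whole untouched sectors in the last cluster)."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    if cluster % sector:
        raise ValueError("cluster size must be a multiple of the sector size")
    clusters = -(-file_size // cluster)                   # ceiling division
    used_in_last = file_size - (clusters - 1) * cluster   # data bytes in the final cluster
    partial = used_in_last % sector                       # bytes in the last written sector
    ram_slack = 0 if partial == 0 else sector - partial   # padding up to the sector end
    used_sectors = -(-used_in_last // sector)
    drive_slack = (cluster // sector - used_sectors) * sector
    total = clusters * cluster - file_size
    assert ram_slack + drive_slack == total               # the two kinds account for all slack
    return {"clusters": clusters, "ram_slack": ram_slack,
            "drive_slack": drive_slack, "total_slack": total}


def write_file(previous_bytes, data, ram_bytes, sector=SECTOR, cluster=CLUSTER):
    """Model what lands on disk when `data` is written into clusters that still hold
    `previous_bytes` from a deleted file: the data, then RAM contents up to the end
    of the current sector, then the old sectors left exactly as they were."""
    layout = slack_layout(len(data), sector, cluster)
    span = layout["clusters"] * cluster
    if len(previous_bytes) < span:
        raise ValueError("previous_bytes must cover the allocated clusters")
    if len(ram_bytes) < layout["ram_slack"]:
        raise ValueError("ram_bytes must be long enough to pad the last sector")
    region = bytearray(previous_bytes[:span])
    end = len(data)
    region[:end] = data
    region[end:end + layout["ram_slack"]] = ram_bytes[:layout["ram_slack"]]
    return bytes(region)


def carve_slack(region, file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack_bytes, drive_slack_bytes): the two regions an examiner
    inspects once the logical file size is known from the directory entry."""
    layout = slack_layout(file_size, sector, cluster)
    ram_start = file_size
    drive_start = ram_start + layout["ram_slack"]
    return (region[ram_start:drive_start],
            region[drive_start:drive_start + layout["drive_slack"]])


if __name__ == "__main__":
    print("4628-byte file:", slack_layout(4628))    # 5 clusters, 492 bytes of RAM slack
    print("4100-byte file:", slack_layout(4100))    # 508 bytes RAM slack + one 512-byte old sector
    # constructed sample: old file data "O", new data "N", RAM contents "R"
    region = write_file(b"O" * (5 * CLUSTER), b"N" * 4100, b"R" * SECTOR)
    ram, drive = carve_slack(region, 4100)
    print("RAM slack carved :", len(ram), "bytes, sample", ram[:4])
    print("drive slack carved:", len(drive), "bytes, sample", drive[:4])
```

For the slides' 4628-byte file the 532 bytes in the fifth cluster fill one sector and 20 bytes of the next, so the whole 492-byte remainder is RAM slack and there is no drive slack; a 4100-byte file shows both kinds at once.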
Deleted File
- When a file is deleted, the file system puts a marker in its file management system to let the system know that the file is no longer at that cluster or block.
- By doing this, the file system logically deletes the file from its records in an efficient manner, but hasn't physically worked its way through the storage device and wiped out the binary data.
- By saving itself from doing this task, the operating system has left behind a virtual binary archaeological site that you can sift through.
- The irony here is that as storage devices get bigger, the amount of data left over from previous deletions stays intact longer, because so much more storage space is available to work with.
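The two Deleted File slides describe deletion as a change to the file system's records only. The following is an added example, not code from the slides: a toy FAT-style volume with a directory and a cluster chain table, in which delete() flags the directory entry and frees the chain but never touches the data clusters, so a carving routine can still read the file back until the clusters are reused. The 16-byte cluster size, the 8-cluster volume and the file contents are constructed so the whole volume fits on screen; the "deleted" flag stands in for the 0xE5 first-byte marker a real FAT directory entry uses, and the contiguous-chain assumption in carve_deleted is a simplification of this example.

```python
FREE, EOC = 0x0000, 0xFFFF    # FAT entry values: cluster free / end of chain
CLUSTER_BYTES = 16            # constructed toy size, not a real cluster size


class ToyFat:
    """Minimal FAT-like volume: a cluster chain table, data clusters and a directory."""

    def __init__(self, clusters):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = EOC                  # clusters 0 and 1 are reserved, as in FAT
        self.data = [bytes(CLUSTER_BYTES) for _ in range(clusters)]
        self.directory = {}                              # name -> {"start", "size", "deleted"}

    def _free_clusters(self):
        return [i for i, v in enumerate(self.fat) if v == FREE]

    def write(self, name, payload):
        chunks = [payload[i:i + CLUSTER_BYTES]
                  for i in range(0, len(payload), CLUSTER_BYTES)] or [b""]
        free = self._free_clusters()
        if len(chunks) > len(free):
            raise OSError("disk full")
        chain = free[:len(chunks)]
        for idx, (c, chunk) in enumerate(zip(chain, chunks)):
            # simplification: the final cluster is zero-padded; slack is modelled elsewhere
            self.data[c] = chunk.ljust(CLUSTER_BYTES, b"\x00")
            self.fat[c] = chain[idx + 1] if idx + 1 < len(chain) else EOC
        self.directory[name] = {"start": chain[0], "size": len(payload), "deleted": False}

    def read(self, name):
        entry = self.directory[name]
        if entry["deleted"]:
            raise FileNotFoundError(name)
        out, c = b"", entry["start"]
        while True:                                      # follow the chain to EOC
            out += self.data[c]
            if self.fat[c] == EOC:
                break
            c = self.fat[c]
        return out[:entry["size"]]

    def delete(self, name):
        """Logical delete: flag the entry and free the chain; data clusters are untouched."""
        entry = self.directory[name]
        c = entry["start"]
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        entry["deleted"] = True                          # stands in for the 0xE5 name marker

    def carve_deleted(self, name):
        """Recover a deleted file from its directory entry, assuming its clusters were
        contiguous (the chain is gone) and none has been reused; None if reused."""
        entry = self.directory[name]
        n = -(-entry["size"] // CLUSTER_BYTES)
        start = entry["start"]
        if any(self.fat[c] != FREE for c in range(start, start + n)):
            return None
        return b"".join(self.data[start:start + n])[:entry["size"]]


if __name__ == "__main__":
    fs = ToyFat(8)
    fs.write("a.txt", b"0123456789" * 4)                 # 40 bytes -> clusters 2, 3, 4
    fs.delete("a.txt")
    print("after delete, FAT:", fs.fat)                  # chain freed
    print("carved:", fs.carve_deleted("a.txt"))          # data still there
    fs.write("b.bin", b"X" * 16)                         # reuses cluster 2 only
    print("after reuse, carved:", fs.carve_deleted("a.txt"))   # None: first cluster overwritten
    print("cluster 3 still holds old data:", fs.data[3])
```

Once a later write reuses even the first cluster, a naive carve fails, but the remaining clusters still hold the old content in what the file system now calls unallocated space, which is exactly where the next slides say to look.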
Unallocated space
- Unallocated space is space that the file system considers empty and ready for use.
- Even though the operating system thinks the area is empty, you can find quite a bit of data there.
- Older file systems, such as DOS, tend to have deleted data in unallocated space more so than modern Microsoft computers, because newer operating systems essentially use a two-step process involving the Recycle Bin to delete files.
- In this case, check the Recycle Bin first and then check the unallocated space.
- You can also find cached data in unallocated space.
- For example, when you're viewing your Yahoo! e-mail, the screen is cached to the storage device at certain times.
- This caching is used to speed up the viewing of your Web page, but has the unintended effect of saving the Web page you were viewing even after the cache file has been deleted.
Role of a file system
- Provides data storage and retrieval
- Associates names with data files
- Organizes files into parent directories
- Stores file attributes
  - Modify, access, creation times
  - Disk blocks used for file storage
- Maintains lists of unallocated disk blocks
Investigating Hard Disk Structure
- Several forensic tools are available to help us understand hard disk structure
- The next lecture will introduce several forensic tools related to hard disk investigation