Volume Analysis

Volume
 - Set of addressable sectors used for storage
 - Can span multiple devices (similar to RAID 0)

Partition
 - Collection of consecutive sectors on a device

[Figure: Volumes 1-4, Partitions 1-5, Hard Disks 1-3]

Volumes

Volumes appear differently on each operating system (MacOS X, Windows, Linux)

Partitions

Reasons for Partitions
 - maximum size of file system is smaller than hard disk
    - older FAT16 limited to 2 GB
 - section of disk used for special purposes
    - memory contents when laptop is put to sleep
    - swap area for some virtual memory systems
 - protection against file system corruption
    - multiple partitions localize damage
 - computers with multiple operating systems
    - each operating system requires separate partition

Simple Partition Table

    Start   End   Type
    0       99    FAT
    100     249   NTFS
    300     599   NTFS

    (Start, End: sector offset from start of device)

Sector Addressing

Logical Block Address (LBA)
 - Sector offset from beginning of device
 - Physical address of sector
 - Used in partition table

Logical Volume Address
 - Offset from start of volume

Logical Partition Address
 - Offset from start of partition

No volume or partition logical address

[Figure: Volumes 1-4, Partitions 1-5, Hard Disks 1-3]

Forensic Concepts

Most investigations use entire hard drive
 - Must determine partition and volume structure

Partition Table
 - Identifies start and end of each partition
 - Can be falsified to hide partitions
 - Consistency Checks - draw partition map

Simple Partition Table

    Start   End   Type
    0       99    FAT
    100     249   NTFS
    300     599   NTFS

Simple Partition Table

    Start   End   Type
    0       99    FAT
    100     249   Unused
    300     599   NTFS

Simple Partition Table

    Start   End   Type
    0       99    FAT
    100     599   NTFS

[Figure: Hard Disk 1 with Partition 1 and Partition 2]

Partition Recovery
 - Assume a file system was located on each partition
 - Look for special or “magic” values
 - For example, in FAT
    - 0x55AA is stored in byte 510 of sector 0 (logical partition address)
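The consistency check and magic-value search described above, as an added example that is not part of the original slides. It draws a partition map for each of the three simple tables and scans unallocated sectors for the 55 AA boot signature. The 512-byte sector size, the 600-sector device, the table names, the treatment of "Unused" entries as unallocated, and the test image are assumptions constructed for illustration.

```python
SECTOR = 512        # assumed sector size in bytes
DISK_SECTORS = 600  # assumed device size; the slides do not state one

def partition_map(table, disk_sectors=DISK_SECTORS):
    """Return (start, end, label) rows for the device, flagging gaps and overlaps."""
    rows, cursor = [], 0
    for start, end, ptype in sorted(e for e in table if e[2] != "Unused"):
        if end < start or end >= disk_sectors:
            rows.append((start, end, "INVALID"))   # entry does not fit the device
            continue
        if start > cursor:
            rows.append((cursor, start - 1, "unallocated"))
        elif start < cursor:
            rows.append((start, min(end, cursor - 1), "OVERLAP"))
        rows.append((start, end, ptype))
        cursor = max(cursor, end + 1)
    if cursor < disk_sectors:
        rows.append((cursor, disk_sectors - 1, "unallocated"))
    return rows

def find_boot_signatures(image, rows):
    """LBAs in unallocated ranges whose bytes 510-511 are 55 AA: candidate
    sector 0 of a partition that the table no longer describes."""
    hits = []
    for start, end, label in rows:
        if label != "unallocated":
            continue
        for lba in range(start, end + 1):
            if image[lba * SECTOR + 510:lba * SECTOR + 512] == b"\x55\xaa":
                hits.append(lba)
    return hits

# The three simple partition tables from the slides: (start, end, type).
AS_SHOWN      = [(0, 99, "FAT"), (100, 249, "NTFS"), (300, 599, "NTFS")]
ENTRY_UNUSED  = [(0, 99, "FAT"), (100, 249, "Unused"), (300, 599, "NTFS")]
ENTRY_WIDENED = [(0, 99, "FAT"), (100, 599, "NTFS")]

def build_image(disk_sectors=DISK_SECTORS, boot_lbas=(0, 100, 300)):
    """Constructed image: zero-filled, with 55 AA written at each original start."""
    img = bytearray(disk_sectors * SECTOR)
    for lba in boot_lbas:
        img[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    image = build_image()
    for name, table in (("as shown", AS_SHOWN), ("unused", ENTRY_UNUSED), ("widened", ENTRY_WIDENED)):
        rows = partition_map(table)
        print(name, rows, find_boot_signatures(image, rows))
```

Only the table with the "Unused" entry yields a hit (sector 100), because the signature of the partition it no longer lists sits in what the map shows as unallocated space.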