COEN 252 Computer Forensics Hard Drive Geometry

  • Slides: 20

Drive Geometry
Basic Definitions:
• Track
• Sector
Floppy

Hard Drive Geometry
• Cylinder is formed by the tracks on all the platters with fixed actuator. (Due to different temperatures and hence different arm length, it is impossible to read and write in parallel.)

Hard Drive Geometry
• Writing and Reading on a Track

Hard Drive Geometry
• Data is stored in the form of a magnetization pattern.

Complete Disk IBM Ultrastar Z

Sectors
• Complete sectors are written and read.

Sectors
• Consists of
  • Inter-sector gap
  • ID information (including defective mark) (no longer used in modern drives)
  • Synchronization fields
  • Client data (512 B)
  • ECC
  • Inter-sector gap

Formatting
• Low level format
  • Creates “data structures” for tracks and sectors.
  • Defective sectors and regions are remapped.
  • There is no direct access to the disk layout.
  • This is not the usual formatting.

Interfaces
• Disks are getting smarter:
  • In the history of disk drives, control function moved to the disk.
  • Disks use a Logical Sector or Cylinder-Head-Sector addressing interface.
• SCSI: Small Computer Systems Interface
  • Block device (Logical Sector)
  • SCSI 1, 2, 3 standards implement generic command language.
• ATA (AT Attachment): PATA, SATA

Interfaces
• ATA / IDE (Integrated Disk Electronics)
  • Specified as family of standards: ATA-1 (1994) to ATA-7 (in draft).
  • ATA disks require a controller (“channel”) built into the motherboard.
  • Controller controls one or two disks.
    • Master and slave disk.
    • Typical motherboard has two channels with up to two disks / devices.

Interfaces
• Addressing
  • Distinguish
    • Physical addresses (low level format) and
    • Logical addresses (changed by normal formatting / repartitioning)
  • Physical addresses
    • Cylinder Head Sector proved too limiting:
      • 10 b cylinder, 4 b head, 6 b sector
      • 16 b cylinder, 4 b head, 6 b sector
    • LBA (Logical Block Addresses)
  • In older systems, the BIOS might have to do address translation.
    • This causes a FE (forensic examiner) headache if disks are mounted on other systems.
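The addressing slide above, worked through as an added example (not part of the original slides): the capacity ceiling of each CHS field layout, and what happens when a CHS value recorded under one translated geometry is decoded under another. The 255/63 and 16/63 geometries and the sample LBA are assumed values chosen for illustration.

```python
SECTOR_SIZE = 512  # bytes of client data per sector, as on the slides

def chs_capacity(cyl_bits, head_bits, sector_bits):
    """Largest disk (in bytes) addressable with the given CHS field widths."""
    # Sector numbers start at 1, so an n-bit sector field has 2**n - 1 values.
    return (1 << cyl_bits) * (1 << head_bits) * ((1 << sector_bits) - 1) * SECTOR_SIZE

def chs_to_lba(c, h, s, heads, spt):
    """Map a CHS tuple to an LBA under a geometry of heads x sectors-per-track."""
    if c < 0 or not 0 <= h < heads or not 1 <= s <= spt:
        raise ValueError(f"CHS {(c, h, s)} is outside geometry {heads}/{spt}")
    return (c * heads + h) * spt + (s - 1)

def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, heads * spt)
    h, s0 = divmod(rem, spt)
    return c, h, s0 + 1

def misread_lba(lba, writer_geom, examiner_geom):
    """LBA an examiner computes when a CHS value recorded under writer_geom
    is decoded with examiner_geom; both are (heads, sectors_per_track)."""
    return chs_to_lba(*lba_to_chs(lba, *writer_geom), *examiner_geom)

if __name__ == "__main__":
    for bits in ((10, 4, 6), (16, 4, 6)):  # field widths from the slide
        print(bits, f"{chs_capacity(*bits):,} bytes")
    # Constructed case: CHS written by a BIOS translating to 255/63,
    # then decoded on a system that assumes 16/63.
    start = 1_606_815
    print("CHS as recorded:", lba_to_chs(start, 255, 63))
    print("LBA as misread: ", misread_lba(start, (255, 63), (16, 63)))
```

When the CHS and LBA fields of a partition entry disagree in this way, the LBA field is the one that does not depend on the translation of the system that wrote it.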

Interfaces
• Terminology is difficult to understand.
  • http://www.pcguide.com/ref/hdd/if/ide
• Removable media specifications in
  • AT Attachment Packet Interface (ATAPI)

Interfaces
• Controller issues commands over the ribbon cable.
• Single bit determines whether the master or the slave executes the command.
• Controller writes to command register.
• Disk responds by writing to status register.

Interfaces
• Hard Drive Passwords
  • Established in ATA-3.
  • Set through BIOS or through software.
  • If implemented:
    • User password
    • Master password (for organization)
    • High-security: both passwords unlock disk.
    • Maximum-security: master password only unlocks after disk drive has been wiped.

Interfaces
• Hard Drive Passwords
  • Locked disk is usually visible to the OS.
  • Need SECURITY_UNLOCK with the correct password before most ATA commands are executed.
  • There are tools (hdunlock, atapwd) to unlock a drive.
    • Used mainly to circumvent IP protection in game consoles (X-box)

Host Protected Area: HPA
• ATA-4
• Used so that computer vendors could store data that a user cannot damage by formatting.
• HPA can be used to hide data.

Host Protected Area: HPA
• Investigative Process
  • READ_NATIVE_MAX_ADDRESS returns number of physical sectors.
  • IDENTIFY_DEVICE returns number of sectors that a user can access.
  • Difference shows existence and extent of HPA.
• Creating HPA
  • SET_MAX_ADDRESS limits user access to last sectors.
  • Rerunning it with maximum physical address unlocks HPA.
  • Volatility bit determines whether HPA exists after the disk is shut down and restarted.
  • This can be used to temporarily unlock a HPA.
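The investigative comparison above, as an added example (not part of the original slides): it reads the user-addressable sector count out of a 512-byte IDENTIFY DEVICE block (words 60-61 for 28-bit, words 100-103 for 48-bit addressing) and compares it with a READ_NATIVE_MAX_ADDRESS result. The block and the native value are constructed sample data; on a real drive both come from the device through a write-blocked interface.

```python
import struct

def user_sectors_from_identify(block):
    """Sectors the host may address, from a 512-byte IDENTIFY DEVICE block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data is 256 16-bit words")
    words = struct.unpack("<256H", block)
    lba28 = words[60] | (words[61] << 16)
    # Word 83 is valid when bit 15 = 0 and bit 14 = 1; bit 10 = 48-bit addressing.
    if (words[83] & 0xC000) == 0x4000 and words[83] & (1 << 10):
        lba48 = sum(words[100 + i] << (16 * i) for i in range(4))
        if lba48:
            return lba48
    return lba28

def hpa_extent(user_sectors, native_max_address):
    """Return (first_hidden_lba, hidden_sector_count), or None if no HPA."""
    # The native max value is the address of the last sector, so the
    # physical sector count is that address plus one.
    native_sectors = native_max_address + 1
    if user_sectors > native_sectors:
        raise ValueError("user-visible size exceeds native size; recheck inputs")
    hidden = native_sectors - user_sectors
    # A DCO lowers the native value itself, so a None here does not rule
    # out sectors hidden behind a Device Configuration Overlay.
    return (user_sectors, hidden) if hidden else None

def build_identify(user_sectors):
    """Constructed IDENTIFY DEVICE block for the demo, not a captured one."""
    words = [0] * 256
    words[83] = (1 << 14) | (1 << 10)
    capped = min(user_sectors, 0x0FFFFFFF)  # 28-bit field saturates
    words[60], words[61] = capped & 0xFFFF, capped >> 16
    for i in range(4):
        words[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    visible = user_sectors_from_identify(build_identify(1_953_000_000))
    found = hpa_extent(visible, 1_953_525_167)  # constructed native max address
    if found:
        first, count = found
        print(f"HPA: {count:,} sectors ({count * 512:,} bytes) from LBA {first:,}")
    else:
        print("No HPA detected")
```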

DCO: Device Configuration Overlay
• ATA-6
• Limits the apparent maximum number of physical sectors.
• Use the DEVICE_CONFIGURATION_SET / RESET ATA commands.

Interface
• PATA vs. SATA
  • SATA has speed advantage and also smaller cable.