Computer Forensics Hard Drive Format Hard Drive Partitioning

  • Slides: 50
Computer Forensics Hard Drive Format

Hard Drive Partitioning
• Boot process starts in ROM.
• Eventually, it loads the master boot record from the booting device.
• The MBR is located at a well-known location.

Hard Drive Partitioning (Windows Only)
• The MBR is always located in the first sector of the booting device.
• Cylinder 0, Head 0, Sector 1.

MBR Structure
• First part: bootstrap program. It is loaded into memory, then relocates itself in order to make room for another copy.
• Starting at offset 0x1be: the partition table, made of 16 B entries.
• Last two bytes of the sector are 0x55 and 0xaa.

Partition Table Entry
• Byte 0: active (0x80) or inactive (0x00)
• Bytes 1-3: start of partition
• Byte 4: partition type
• Bytes 5-7: end of partition
• Bytes 8-12: LBA address of the start sector relative to the start of the disk, in little endian
• Bytes 13-16: number of sectors in the partition

Partition Table Example
Entry bytes: 00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
• Byte 1: 00 = inactive (not bootable). Only one partition on a Windows system should be bootable.

Partition Table Example
Entry bytes: 00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
• Bytes 1-3 (01 01 00) are split up as | h7-h0 | c9 c8 s5-s0 | c7-c0 |
• In binary, we have:
    0000 0001    0000 0001    0000 0000
    h7 ..... h0   c9 c8 s5 ... s0   c7 ..... c0
• So: H = 1, C = 0, S = 0x1 = 1.

Partition Table Example
Entry bytes: 00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
• Byte 4: partition type 0xDE. Look this one up in a table: it is a Dell PowerEdge Server utilities partition (FAT fs).
• Other type codes from the table:
    0x01  12 b FAT partition
    0x04  16 b FAT partition
    0x05  Extended partition
    0x06  BIGDOS FAT
    0x07  NTFS

Partition Table Example
Entry bytes: 00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
• Bytes 5-7 (FE 3F 04): end of partition, split up as | h7-h0 | c9 c8 s5-s0 | c7-c0 |
    1111 1110    0011 1111    0000 0100
• So: h = 0xFE, c = 0x04, s = 0x3f

Partition Table Example
Entry bytes: 00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
• Bytes 8-12: LBA 3F 00 00 00 in little endian. That is, 00 00 00 3F is the real start LBA.
• Go to sector 63 and find indeed the FAT boot sector.

Partition Table Example
Entry bytes: 00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
• Bytes 13-16: number of sectors in the partition (in little endian). Value is 0x86 39 01 00.
• Translate into the true value: 0x00013986 = 80,262 sectors.

Partition Table Example
• We have a Dell partition of size 40 MB. This partition is invisible to Windows and could be used to hide data.
• Dell uses this area to help with recovery from OS disasters.
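As an added example (not code from the slides), the following Python decodes the slide's 16-byte entry, and a whole 512-byte MBR, following the field layout above; it uses 0-based byte offsets, so the little-endian LBA start is read from bytes 8-11 and the sector count from bytes 12-15. The surrounding MBR bytes and the label for type 0x0F are constructed here.

```python
import struct

# Type codes from the slide's lookup table; the 0x0F label is an added assumption
PARTITION_TYPES = {
    0x01: "12b FAT", 0x04: "16b FAT", 0x05: "Extended", 0x06: "BIGDOS FAT",
    0x07: "NTFS", 0x0F: "Extended (LBA)", 0xDE: "Dell PowerEdge Server utilities (FAT)",
}

def decode_chs(b):
    """Decode a 3-byte CHS field laid out as | h7-h0 | c9 c8 s5-s0 | c7-c0 |."""
    head = b[0]
    sector = b[1] & 0x3F                      # low six bits of byte 1
    cylinder = ((b[1] & 0xC0) << 2) | b[2]    # c9 c8 are the top two bits of byte 1
    return cylinder, head, sector

def parse_entry(entry):
    """Parse one 16-byte partition table entry (0-based offsets)."""
    if len(entry) != 16:
        raise ValueError("partition table entry must be 16 bytes")
    ptype = entry[4]
    lba_start, n_sectors = struct.unpack_from("<II", entry, 8)   # both little endian
    return {
        "bootable": entry[0] == 0x80,
        "start_chs": decode_chs(entry[1:4]),
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "end_chs": decode_chs(entry[5:8]),
        "lba_start": lba_start,
        "sectors": n_sectors,
        "size_bytes": n_sectors * 512,        # 512-byte sectors assumed
    }

def parse_mbr(sector):
    """Parse the four entries at 0x1be of a 512-byte MBR after checking the 55 AA signature."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong size or missing 55 AA signature")
    return [parse_entry(sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]) for i in range(4)]

# The entry shown on the slides
SLIDE_ENTRY = bytes.fromhex("00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00")

# Constructed MBR: zeroed bootstrap code, the slide entry in slot 0, empty slots, signature
SAMPLE_MBR = bytes(0x1BE) + SLIDE_ENTRY + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    for i, p in enumerate(parse_mbr(SAMPLE_MBR)):
        if p["type"]:                         # skip the empty slots
            print(i, p)
```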

Master Boot Record
• By creating a partition and then editing the MBR I can create hidden partitions.
• The data on these hidden partitions is not visible from Windows.

Master Boot Record
• The partitions do not have to fill up the disk completely; there can be unused sectors (which could contain hidden data).

Extended Partitions
• Overcome the four partition limit.

Extended Partitions
• Marked by a partition code of 0x05 or 0x0f.
• The first sector of an extended partition contains a partition table with up to two entries.
• An extended partition is a container for a secondary extended partition.

Extended Partitions
• First sector contains a partition table, structured like the MBR.
• Entries are 16 B with the same structure.
• First entry is for the primary extended partition.
• Optional second entry is for the secondary extended partition.

Extended Partitions
• Primary extended partition contains the secondary extended partition.

Extended Partitions

Unassigned sectors
• Many sectors on a disk are not assigned to a partition.
• They cannot be seen from the OS.
• Good hiding place for a virus.

64 b Future
• Itanium uses 64 b.
• Completely different structure.

FAT
• "File Allocation Table" gives the name.
• 3 different varieties, FAT12, FAT16, FAT32, in order to accommodate growing disk capacity.
• Tightly packed data structure.

FAT Boot Sector
• Occupies the first sector in the partition or on the floppy.

FAT Boot Sector
• Jump instruction (EB 34 90)
• OEM manufacturer name
• BIOS Parameter Block (BPB)
• Extended BPB
• Bootstrap code
• End of sector marker (in reality a signature)

BPB
• Learn how to read it.
• Field definition in lecture notes: http://www.ntfs.com/fat-partition-sector.htm

BPB
• There are utilities that translate the data.

BPB
• The data allows us to draw a picture of the partition:

FAT File System
• File Allocation Table (FAT)
  • Resides at the beginning of the volume
  • Two copies of the table
  • Three variants: FAT12, FAT16, FAT32
  • Allocation in clusters; the cluster number is a power of two < 2^16

FAT File System
• Root directory
  • Maintains file names, location, characteristics, …
• File Allocation Table (FAT)
  • Allows files longer than a single cluster

FAT Principle
• Root directory gives the first cluster.
• FAT gives the subsequent ones in a simple table.
• Use FFFF to mark end of file.

Cluster Size
• Large clusters waste disk space because only a single file can live in a cluster.
• Small clusters make it hard to allocate clusters to files contiguously and lead to a large FAT.

FAT Table
• To save space, limit the size of an entry. That limits the total number of clusters.
• FAT12: 12 bit FAT entries
• FAT16: 16 bit FAT entries
• FAT32: 32 bit FAT entries

FAT Table Entry
  FAT12      FAT16        Meaning
  000        0000         available
  001        0001         not used
  FF0        FFF0-FFF6    reserved
  FF8-FFF    FFF7         bad cluster
  0xhhh      0xhhhh       next cluster used by file

Root Directory
• A fixed length file (in FAT16, FAT32)
• Entries are 32 B long.
• Subdirectories are files of the same format.

Root Directory Entries
  Offset  Length  Meaning
  0x00    8 B     File name
  0x08    3 B     Extension
  0x0b    1 B     File attribute
  0x0c    10 B    Reserved (create time, date, access date in FAT32)
  0x16    2 B     Time of last change
  0x18    2 B     Date of last change
  0x1a    2 B     First cluster
  0x1c    4 B     File size

Root Directory Example
• This is a deleted file: ?wrd0700.tmp
• Size is 00 08 94 00
• First cluster is 00 4E
• Multiply with the cluster size to find the sector.

Root Directory Entries
• File name: the first character means
  • 0x00: entry never used, end of directory
  • 0xe5: file deleted
  • 0x2e: directory

Root Directory Entries: File Attribute

Root Directory Entries
• Hidden file: not displayed.
• System file: special treatment for deletion.
• Volume: name of the volume if this bit is set. The rest of the name is in the reserved portion.
• Subdirectory: the file is not a file but a directory (looks like the root directory).

Root Directory Entries: Time and Date of Access

FAT
• Deleted files / directories with entries intact can be easily reconstructed.
• If the entry is overwritten, then pieces might be found in the FAT.
• Large storage devices make it impossible to do this without a tool.

FAT32 Root Directory
• Uses 4 B to store the file's first cluster.
• Adds access date and modification date and time.
• Modification, Access, Creation (MAC) times give important hints during an investigation.

FAT32 Root Directory
  Offset  Length  Meaning
  0x00    8 B     File name, padded with zeroes
  0x08    3 B     3 byte extension
  0x0b    1 B     File attribute
  0x0c    1 B     Reserved
  0x0d    1 B     Millisecond stamp at file creation time
  0x0e    2 B     File creation time
  0x10    2 B     File creation date
  0x12    2 B     File access date
  0x14    2 B     High word of the file's first cluster
  0x16    2 B     Last write time
  0x18    2 B     Last write date
  0x1a    2 B     Low word of the file's first cluster
  0x1c    4 B     File size in bytes

Long File Names
• Support for long file names needs to be backwards compatible.
• Long file names should be stored next to the corresponding short entry.
• Disk utilities should not misdiagnose long file name entries as faulty.
• Unicode support

Long File Name Entries
• Encode the long file name in several long entries
  • They immediately precede the short entry
  • They have an entry order number. The last entry's order number is OR'd with 0x40 to mark it.

Long File Name Support
• Create an 8 B short file name from the long one.
• Calculate a checksum from the short name and store it in all long records.

Long File Name Entries
  Offset  Length  Meaning
  0x00    1 B     Entry order number
  0x01    10 B    Characters 1-5 of name entry
  0x0b    1 B     File attribute. MUST be 0F
  0x0c    1 B     Should be 00
  0x0d    1 B     Checksum of short file name
  0x0e    12 B    Characters 6-11 of name entry
  0x1a    2 B     MUST be 00 00 to be compatible
  0x1c    4 B     Characters 12-13 of name entry
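An added example, not code from the slides, that applies the root directory entry layout, the 0xE5 deletion marker and the long file name entry layout above to a constructed directory block: it reassembles a long name from its pieces, checks the checksum stored in each long entry against the short name that follows (the slides name the checksum but not its formula; the rotate-and-add over the 11-byte short name used here is the standard FAT one), and reports a deleted entry the way the root directory example does, with the first character replaced by ?. All entry bytes and names below are constructed.

```python
import struct
from functools import reduce

def lfn_checksum(name11):  # standard FAT checksum of the 11-byte 8.3 name, stored in every long entry
    return reduce(lambda s, c: (((s & 1) << 7) + (s >> 1) + c) & 0xFF, name11, 0)

def parse_directory(data):  # walk 32 B entries; attach preceding long entries to their short entry
    files, pieces = [], []
    for off in range(0, len(data), 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                        # never used: end of directory
            break
        if e[0x0B] == 0x0F:                     # long entry: order, checksum, 13 UTF-16LE chars
            pieces.append((e[0] & 0x3F, e[0x0D], e[1:11] + e[0x0E:0x1A] + e[0x1C:0x20]))
            continue
        short, long_name = e[0:11], None
        if pieces:
            if all(ck == lfn_checksum(short) for _, ck, _ in pieces):  # else: orphaned pieces
                raw = b"".join(p for _, _, p in sorted(pieces))
                long_name = raw.decode("utf-16-le").split("\x00", 1)[0]
            pieces = []
        hi = struct.unpack_from("<H", e, 0x14)[0]                      # FAT32 high word of cluster
        wtime, wdate, lo, size = struct.unpack_from("<HHHI", e, 0x16)
        deleted = e[0] == 0xE5                  # first byte overwritten, rest of the name survives
        base = (b"?" + short[1:8] if deleted else short[:8]).decode("latin-1").rstrip()
        files.append({"deleted": deleted, "short": base + "." + short[8:].decode().rstrip(),
                      "long": long_name, "attr": e[0x0B], "first_cluster": (hi << 16) | lo,
                      "size": size, "wtime": wtime, "wdate": wdate})
    return files

def short_entry(name11, cluster, size, deleted=False):  # constructed short entry, archive attribute
    e = bytearray(32)
    e[0:11], e[0x0B], e[0] = name11, 0x20, 0xE5 if deleted else name11[0]
    struct.pack_into("<H", e, 0x14, cluster >> 16)
    struct.pack_into("<HHHI", e, 0x16, 0, 0, cluster & 0xFFFF, size)
    return bytes(e)

def lfn_entry(order, text, checksum):  # constructed long entry; text = 13 chars incl. NUL terminator
    raw = text.ljust(13, "\uffff").encode("utf-16-le")   # unused slots are 0xFFFF
    e = bytearray(32)
    e[0], e[0x0B], e[0x0D] = order, 0x0F, checksum
    e[1:11], e[0x0E:0x1A], e[0x1C:0x20] = raw[0:10], raw[10:22], raw[22:26]
    return bytes(e)

# Constructed directory: one long name (sole piece flagged with 0x40), its short entry, a deleted file
SHORT = b"LONGNA~1TXT"
SAMPLE_DIR = (lfn_entry(0x41, "longname.txt\x00", lfn_checksum(SHORT))
              + short_entry(SHORT, 0x4E, 0x940800)
              + short_entry(b"WWRD0700TMP", 0x4E, 0x940800, deleted=True) + bytes(32))
```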

Long File Name Entries: Entry Order Number, Attribute

Subdirectories
• Are files with the same structure as the root directory.
• Contain two special entries:
  • ".." has name ".." and refers to the parent directory.
  • "." has name "." and refers to itself.