Volume versus Partition
• Hard or fixed disks store information on a revolving platter of metal or glass coated with a magnetic material.
• The disk typically consists of several physical platters on a common spindle.
• Each disk consists of platters, rings on each side of each platter called tracks, and sections within each track called sectors. A sector is the smallest physical storage unit on a disk, almost always 512 bytes in size.
• On hard disks, the data are stored on the disk in thin, concentric bands called tracks.
• There are more than 1,000 tracks on a 3 ½ inch hard disk.
• Tracks are a logical rather than physical structure, and are established when the disk is low-level formatted.
• Track numbers start at 0, and track 0 is the outermost track of the disk.
• The highest numbered track is next to the spindle.
• A cylinder consists of the set of tracks that are at the same head position on the disk.
• Tracks are divided into sectors. A sector is the smallest memory unit on the disk. The data size of a sector is always a power of two and is almost always 512 bytes.
• Each track has the same number of sectors, which means that the sectors near the center are packed much closer together.
• The disk controller uses the sector identification information stored in the area immediately before the data in the sector to determine where the sector itself begins.
• As a file is written to the disk, the file system allocates the appropriate number of clusters to store the file’s data.
• Example:
– If you have an 800 byte file, two clusters will be allocated because each cluster holds 512 bytes.
– Later, if you update the file to 1,600 bytes, another two clusters will be allocated.
• If a newly allocated cluster is not next to the file’s other clusters, that part of the file is written somewhere else on the disk and the file is considered fragmented. This slows the system down.
CHS (Cylinder Head Sector) vs Logical Block Addressing
• CHS was used on older x86-based systems. CHS addressing uses three numbers, one each for the Cylinder, the Head and the Sector: 0,3,1 means Cylinder 0, Head 3, Sector 1.
• LBA (Logical Block Addressing) – each sector is given a unique number.
• CHS – is like houses in the USA, which are identified by a street address, city, state and ZIP code.
• LBA – every house in the USA would instead be given a single unique number.
• Starting CHS address of a partition (from its MBR partition entry).
– Example:
• 80 01 01 00 07 …
• 0x80 marks the entry of the active partition; the next three bytes (offsets 1, 2 and 3) hold the starting Head, Sector and Cylinder. They are stored in the reverse of the usual C:H:S order (remember Little Endian): 01 01 00 read back as 00 01 01 gives the CHS value (0, 1, 1).
– Head value = 01
– Sector value = 01
– Cylinder value = 00
• Ending CHS address of the partition.
• Very tricky to figure out.
– Example: FE FF FF
– The first byte is reserved for the Head value: FE = 254.
– The other two bytes are tricky. The values are NOT reversed (little endian) but they are regrouped.
– FF = 11111111, FF = 11111111
– 11111111 11111111
– Regroup the 16 bits into a first group of 6 and a second group of 10. They are regrouped because of the way the field is encoded: (111111) (1111111111)
– (111111) = 63 Sector & (1111111111) = 1023 Cylinder
– Final CHS address value 1023:254:63; the partition starts at 0:1:1
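As an added example (not part of the original slides), the Python below decodes the start and end CHS fields of the partition entry discussed above, regrouping the 16 bits of the last two bytes into 6 sector bits and 10 cylinder bits, and converts the start CHS to an LBA using the usual 255-head / 63-sector BIOS geometry. Only the bytes 80 01 01 00 07 and FE FF FF come from the slides; the rest of the 16-byte entry is constructed.

```python
import struct

# Constructed 16-byte MBR partition entry (not copied from a real disk): the
# start bytes 80 01 01 00 07 and the end bytes FE FF FF are the slide values;
# the LBA start (63) and the sector count are filled in for illustration.
ENTRY = bytes.fromhex("80 01 01 00 07 FE FF FF 3F 00 00 00 00 00 20 00")


def decode_chs(three):
    """Decode a 3-byte CHS field to (cylinder, head, sector).

    Byte 0 is the head. Byte 1 holds the sector in its low 6 bits and the two
    high bits of the cylinder in its top 2 bits. Byte 2 is the low 8 bits of
    the cylinder. That is the 'regrouping' of 8+8 bits into 6+10 bits.
    """
    head = three[0]
    sector = three[1] & 0x3F
    cylinder = ((three[1] & 0xC0) << 2) | three[2]
    return cylinder, head, sector


def parse_entry(entry):
    """Split one 16-byte partition entry into its fields."""
    if len(entry) != 16:
        raise ValueError("a partition entry is exactly 16 bytes")
    flag, start, ptype, end, lba_start, count = struct.unpack("<B3sB3sII", entry)
    return {
        "active": flag == 0x80,          # 0x80 = bootable/active flag
        "start_chs": decode_chs(start),  # expected (0, 1, 1) for the slide bytes
        "type": ptype,                   # 0x07 in the slide example
        "end_chs": decode_chs(end),      # expected (1023, 254, 63)
        "lba_start": lba_start,          # little-endian 32-bit LBA of first sector
        "sector_count": count,
    }


def chs_to_lba(chs, heads_per_cylinder=255, sectors_per_track=63):
    """Classic CHS -> LBA conversion; sectors are 1-based, so subtract 1."""
    c, h, s = chs
    return (c * heads_per_cylinder + h) * sectors_per_track + (s - 1)
```

For the constructed entry, chs_to_lba of the start address equals the entry's own LBA start field (63), which is the usual cross-check between the two address forms.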
• This comes back to being called as a witness and answering the question “Please tell the court where you found the evidence on the hard drive?”
• There are many tools you can use as a forensic investigator, but it is important to know how everything works.
• Though people sometimes use these two terms interchangeably, there really is a difference between a Volume and a Partition.
• A Partition is a collection of (physically) consecutive sectors.
• A volume is a collection of (logically) addressable sectors.
– The difference is the data contained within a volume may appear consecutively, but only logically.
• A volume is an area defined or interpreted by an operating system. A volume is recognized by the operating system and is referred to by the term drive or disk.
• Examples:
– C:, D:, and E:, are volumes
– Hard Disk 1 and Hard Disk 2 are physical disks
– Any of these can be called a drive.
• Partitioning a drive may help increase HDD efficiency by making the cluster size smaller. Volumes, on the other hand, create logically intuitive storage areas (e.g. “Save it to the K drive”).
• Volumes are identified by file systems, and file systems are the way in which files are accessed and stored by an operating system.
• We already know that a single hard drive can have up to four partitions. The reason is that there are only enough bytes available in the partition table of the MBR to accommodate four entries.
• We are also aware that typically, when a partition is created on a single hard drive, it automatically becomes a volume and is assigned a drive letter (e.g. C:, D:, etc.). At this point the volume and the partition are the same thing.
• One of the four partitions defined by the partition table of a hard drive may be subdivided into multiple logical partitions (volumes), allowing two or more volumes to exist within one partition.
• The partition table contained in the MBR still only defines four partitions, and as far as it is concerned, only four partitions exist.
• There is no limit on the number of logical volumes other than the fact that there are only 26 letters in the alphabet and A, B, and C have already been taken.
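An added example (not from the slides) that assembles a constructed 512-byte MBR and reads back its partition table. It shows the hard four-slot limit the text describes and flags the slot whose type marks an extended-partition container, the one that holds any further logical volumes; the container type values 0x05 and 0x0F and the NTFS type 0x07 are standard MBR type codes, not values stated on the slides.

```python
import struct

MBR_TABLE_OFFSET = 0x1BE       # the four 16-byte entries start here
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"    # bytes 510-511 of the boot sector
EXTENDED_TYPES = {0x05, 0x0F}  # extended-partition containers (hold logical volumes)


def build_mbr(entries):
    """Build a constructed MBR from (boot_flag, type, lba_start, sectors) tuples.

    The table has room for exactly four entries, which is why a disk gets at
    most four primary partitions; a fifth request is an error, not a fifth slot.
    """
    if len(entries) > 4:
        raise ValueError("MBR partition table holds at most 4 entries")
    mbr = bytearray(512)       # boot code area left zeroed in this example
    for i, (flag, ptype, lba_start, sectors) in enumerate(entries):
        off = MBR_TABLE_OFFSET + i * ENTRY_SIZE
        # CHS fields are zeroed here; on a real disk they mirror the LBA values
        mbr[off:off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def read_partition_table(mbr):
    """Return one dict per used slot (type != 0) of a 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    slots = []
    for i in range(4):         # exactly four slots, never more
        off = MBR_TABLE_OFFSET + i * ENTRY_SIZE
        flag, _, ptype, _, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue           # empty slot
        slots.append({"slot": i, "active": flag == 0x80, "type": ptype,
                      "extended": ptype in EXTENDED_TYPES,
                      "first_lba": lba_start,
                      "last_lba": lba_start + sectors - 1})
    return slots


# Constructed sample: two primary NTFS partitions (0x07) and one extended
# container (0x0F) in slot 2 that would hold any further logical volumes.
SAMPLE_MBR = build_mbr([(0x80, 0x07, 63, 2097152),
                        (0x00, 0x07, 2097215, 2097152),
                        (0x00, 0x0F, 4194367, 4194304)])
```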
• As an investigator, it is extremely important to understand where the data is located and convey that to the jury.
• A forensic investigator has software packages that do most of the work, but you need to know how to explain it to a jury if asked.