20-755: The Internet
Lecture 3: Computer Systems II
David O'Hallaron
School of Computer Science and Department of Electrical and Computer Engineering
Carnegie Mellon University
Institute for eCommerce, Summer 1999
Lecture 3, 20-755: The Internet, Summer 1999

Today's lecture
• Input/Output (I/O) (50 min)
• Break (10 min)
• Copenhefer's blunder (50 min)
  – Case studies in computer crime and forensics

The I/O subsystem (except the network)
[Figure: the processor sits on the local/I/O bus together with memory, an interrupt controller, a keyboard controller (keyboard), a serial port controller (mouse, modem), a parallel port controller (printer), an IDE disk controller (disk), a SCSI controller (SCSI bus with disk and cdrom), a video adapter (display) and a network adapter (network).]

Bus
• A bus is a shared medium that connects the processor, memory, and I/O devices.
• Consists of control and data/address wires
  – control: requests, acks, type of data (address or data)
  – data lines: data, addresses
  – address lines (optional): address
• Only one device can drive the bus at a time.
[Figure: two bus layouts: control wires plus shared address/data wires, or control, address and data wires kept separate.]

Bus types
• Processor-memory bus
  – short, fast, proprietary
  – fixed number of devices with known performance
• I/O bus
  – longer, slower, open
  – unknown number of devices with different performance
    » disk: 5 MB/s
    » 4x CDROM: 640 KB/s
  – Examples: SCSI II, PCI, ISA, EISA

PCI bus layout
[Figure: processor and cache attach through a bridge/memory controller (with DRAM) to the PCI local bus, which carries a LAN card, a sound card, a SCSI card, a graphics card and a bus interface to an ISA bus holding an ISA card.]

Display
[Figure: a display screen is a grid of pixels arranged in rows and columns, with a diagonal shown across the grid.]
• Each pixel is painted with a color.
Display control
[Figure: CRT display: a heating filament emits an electron beam that passes through a control grid, a focusing system and vertical and horizontal deflection onto a phosphor-coated screen.]

Raster scan
[Figure: the beam sweeps each row of the screen in turn, with a horizontal retrace at the end of each row and a vertical retrace at the end of the frame.]

Frame buffer (grayscale)
[Figure: an 8-entry frame buffer holding 0 0 1 1 1 1 1 1, each entry driving one pixel on the display.]
• Key idea: the frame buffer is just an area of memory that can be read and written.

The RGB color space
[Figure: the RGB cube with black at the origin (0), red, green and blue on the axes, yellow, cyan and magenta at the two-color corners, and white at (1,1,1).]

Frame buffer with color map
[Figure: a frame buffer holding 0 0 1 1 indexes a color map whose entries hold R, G, B values, e.g. 111 111 000 = yellow and 111 000 000 = red; the display shows the mapped colors.]

Display performance
• The quality of a display is measured by its resolution, which is the number of rows and columns of pixels.
  – e.g., 640x480 (640 rows, 480 columns)
• Modern displays support multiple resolutions.
• The size of a display is measured by the size in inches (like a TV).
  – e.g., 17"
• Each pixel requires 1-4 bytes of display memory on the display controller.

Magnetic Disks
[Figure: a disk surface spinning at 3600–7200 RPM, with a read/write head mounted on an arm.]
• The surface consists of a set of concentric magnetized rings called tracks.
• Each track is divided into sectors.
• The read/write head floats over the disk surface and moves back and forth on an arm from track to track.
Disk Capacity
• Parameters (18 GB example)
  – Number of platters: 12
  – Surfaces / platter: 2
  – Number of tracks: 6962
  – Number of sectors / track: 213
  – Bytes / sector: 512
• Total bytes: 12 × 2 × 6962 × 213 × 512 = 18,221,948,928

Disk Operation
• Operation
  – Read or write a complete sector
• Seek
  – Position the head over the proper track
  – Typically 6-9 ms
• Rotational Latency
  – Wait until the desired sector passes under the head
  – Worst case: a complete rotation, e.g., 6 ms at 10,025 RPM
• Read or Write Bits
  – Transfer rate depends on the number of bits per track and the rotational speed
  – E.g., 213 * 512 bytes @10,025 RPM = 18 MB/sec.
  – Modern disks have external transfer rates of up to 80 MB/sec
    » DRAM caches on the disk help sustain these higher rates

Disk / System Interface
1. Processor signals controller
   – Read sector X and store starting at memory address Y
2. Read occurs
   – "Direct Memory Access" (DMA) transfer
   – Under control of the disk controller
3. Disk controller signals completion
   – Interrupts the processor
   – The suspended process can resume
[Figure: processor (with registers) and memory on the memory-I/O bus, and the disk controller with its disks: (1) initiate sector read, (2) DMA transfer into memory, (3) read done.]

Disk performance
• Disk size is given by the diameter of the surface
  – e.g., 3 1/2" or 5 1/4"
• Disk capacity is given by the number of bytes
  – e.g., 500 MB, 1 GB
• Disk speed is given by seek time and throughput
  – seek time: the average time for the read/write head to move from one track to another, in milliseconds (1/1000 seconds).
    » e.g., a typical seek time is 10 milliseconds.
  – throughput: once the read/write head is positioned correctly, throughput is the number of MBytes that can be transferred each second.
    » e.g., a typical throughput is 1 MByte/second.
Storage Trends

SRAM
metric       1980    1985   1990  1995  1999  1999:1980
$/MB         19,200  2,900  320   256   100   190
access (ns)  300     150    35    15    3     100

DRAM
metric             1980   1985   1990  1995  1999  1999:1980
$/MB               8,000  880    100   30    1.5   5,300
access (ns)        375    200    100   70    60    6
typical size (MB)  0.064  0.256  4     16    64    1,000

Disk
metric             1980  1985  1990  1995   1999   1999:1980
$/MB               500   100   8     0.30   0.05   10,000
access (ms)        87    75    28    10     8      11
typical size (MB)  1     10    160   1,000  9,000  9,000

(Culled from back issues of Byte and PC Magazine)

Storage Price: $/MB
[Figure: log-scale plot (1.E-02 to 1.E+05) of $/MB for SRAM, DRAM and Disk, 1980 to 1999.]

Storage Access Times (nsec)
[Figure: log-scale plot (1.E+00 to 1.E+08) of access time for SRAM, DRAM and Disk, 1980 to 1999.]

Processor clock rates
metric               1980  1985  1990  1995     1999  1999:1980
typical clock (MHz)  1     6     20    150      400   400
processor            8080  286   386   Pentium  P-II

(Culled from back issues of Byte and PC Magazine)

The CPU vs. DRAM Latency Gap (ns)
[Figure: log-scale plot (1.E+00 to 1.E+03) of SRAM access time, DRAM access time and CPU cycle time, 1980 to 1999.]

I/O Summary
• Key concept:
  – data travels between the processor, memory, and other I/O devices over a shared medium called a bus (not too unlike an ethernet)
• For both DRAMs and magnetic disks, cost per MB is decreasing much faster than access times.
  – access times are falling way behind processor speeds.

Break time!
(10 min)

Copenhefer's Blunder: Case studies in computer crime and computer forensics
• Copenhefer capital murder case
• Steele mail fraud case

Copenhefer capital murder case
• June 17, 1988 (Erie, PA)
  – Sally Weiner, wife of bank executive Harry Weiner, is kidnapped, held for ransom, and then murdered before the money can be delivered.
• June 27, 1988 (Erie, PA)
  – A state trooper notices a computer-generated sign in the window of a bookstore owned by David Copenhefer that looks similar to the ransom note. This becomes the basis for a search warrant.
  – Police obtain the warrant, and the FBI finds deleted versions of the ransom note and the murder plan on the disk drives of the PCs in the bookstore and in Copenhefer's house.
• May, 1989 (Pittsburgh, PA)
  – Copenhefer is sentenced to die.
  – Still in the appeals process (1997).

How did he get caught?
• He didn't understand the PC's DOS filesystem.
  – The data in a deleted file is still on the disk!
• The FBI knew this and searched the tracks of the disk for the character string "exactely", a misspelling that appears several times in the ransom note.
• In 1994, I examined both of Copenhefer's computers as an expert witness to the Commonwealth of PA, "undeleted" the ransom note, and printed it out.
DOS File System
• The disk is treated as a linear sequence of n "logical sectors", each 512 bytes in length:
  – sector 0, sector 1, sector 2, ...., sector n-2, sector n-1

DOS Disk Map
[Figure: the disk, starting at logical sector 0, is laid out as the reserved area, then the File Allocation Table (FAT), then the files area (files and directories).]

Directory entries
• The eight parts of a directory entry
  – filename (8 bytes), e.g., the "report" in report.doc
  – filename extension (3 bytes), e.g., the "doc" in report.doc
  – attribute (1 byte), e.g., file or directory, read only or read/write
  – unused (10 bytes)
  – time (2 bytes)
  – date (2 bytes)
  – starting sector number (2 bytes)
  – file size (4 bytes)

File Allocation Table (FAT)
• The FAT is a sequence of 16 bit entries. The ith FAT entry corresponds to the ith logical disk sector.
• The values of the entries form a chain that shows which logical sectors contain the data in a file or directory entry. "9999" ends the chain.
[Figure: directory entry "report doc", size 2K, starting sector 0003; the FAT entries for sectors 3, 4, 5, 6 hold 4, 5, 6, 9999, so the file occupies sectors 3 through 6.]

Deleting a file
• When a file is deleted, the first character of the filename in the directory entry is changed to a special marker character and the FAT chain is cleared. However, the data is intact.
[Figure: the directory entry now reads "eport doc" (first character replaced by the marker), size still 2K, starting sector still 0003; the FAT entries for sectors 3, 4, 5, 6 are all 0.]

Recovering a deleted file
• Look for occurrences of the marker character to find deleted directory entries. Use the starting sector and size fields in the directory entry and assume contiguous sector allocation to recover the file data (here: 2K starting at sector 3, i.e. sectors 3 through 6).
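The directory entry, FAT chain, deletion and recovery steps of the last four slides, as an added example that is not part of the lecture: a small Python model of the simplified DOS layout used here (512-byte sectors, one FAT entry per sector, 9999 as end of chain). The marker byte, the number of reserved sectors and the sample text are constructed stand-ins; undelete() recovers a deleted file the way the slide describes, and search() is the raw sector scan for a string such as "exactely", which ignores the directory and FAT entirely.

```python
SECTOR = 512         # bytes per logical sector
END_OF_CHAIN = 9999  # the lecture's end-of-chain value
FIRST_DATA = 3       # sectors 0-2 stand in for the reserved area, FAT and directory
MARK = b"?"          # constructed stand-in for the marker DOS writes over a deleted name

class DirEntry:
    def __init__(self, name, ext, start, size):
        self.name, self.ext, self.start, self.size = name, ext, start, size

class Disk:
    def __init__(self, nsectors):
        self.sectors = [bytes(SECTOR)] * nsectors  # sector contents, initially zero
        self.fat = [0] * nsectors                  # 0 = free, else next sector or END_OF_CHAIN
        self.directory = []

    def write_file(self, name, ext, data):
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)] or [b""]
        free = [i for i in range(FIRST_DATA, len(self.fat)) if self.fat[i] == 0]
        secs = free[:len(chunks)]
        assert len(secs) == len(chunks), "disk full"
        # store each chunk and chain sector k to sector k+1; the last one ends the chain
        for sec, nxt, chunk in zip(secs, secs[1:] + [END_OF_CHAIN], chunks):
            self.sectors[sec] = chunk.ljust(SECTOR, b"\0")
            self.fat[sec] = nxt
        entry = DirEntry(name.ljust(8), ext.ljust(3), secs[0], len(data))
        self.directory.append(entry)
        return entry

    def read_file(self, entry):
        # the normal path: follow the FAT chain; a 0 entry means the chain was cleared
        out, sec = b"", entry.start
        while sec not in (0, END_OF_CHAIN):
            out, sec = out + self.sectors[sec], self.fat[sec]
        return out[:entry.size]

    def delete(self, entry):
        # what DOS does: clear the chain, mark the name, leave the sector data intact
        sec = entry.start
        while sec not in (0, END_OF_CHAIN):
            self.fat[sec], sec = 0, self.fat[sec]  # right side is evaluated first
        entry.name = MARK + entry.name[1:]

    def undelete(self, entry):
        # the recovery step: start sector + size, assuming contiguous allocation
        n = (entry.size + SECTOR - 1) // SECTOR
        return b"".join(self.sectors[entry.start:entry.start + n])[:entry.size]

    def search(self, needle):
        # raw scan of every sector, ignoring the directory and FAT entirely
        return [i for i, s in enumerate(self.sectors) if needle in s]
```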
Steele mail fraud case
• March 6, 1993 (Pittsburgh, PA)
  – Phil McCalister, a disgruntled associate at the Pittsburgh law firm Steele & Hoffman, after watching the movie "The Firm", copies school board billing records from the firm's laptops onto some diskettes, then resigns.
• July 29, 1993
  – McCalister hands over 4 diskettes to postal inspectors as evidence of systematic overbilling of school systems by Charlie Steele, managing partner of Steele & Hoffman.
• September, 1996
  – I'm asked by the defense to determine if the 4 diskettes are the originals from March 6, 1993 (they weren't).
• December, 1996
  – Despite brilliant testimony by the computer expert witness, Charlie Steele is convicted of mail fraud and sentenced to 3 years in the federal pen and an $80,000 fine.

Internal fragmentation in DOS files
• Files are allocated in fixed size logical sectors.
[Figure: a cluster holding the file data "abc" followed by slack (internal fragmentation) up to the end of the cluster.]

How slack takes a picture of a disk when a file is copied (1)
1. Read the source directory ("DE" is a directory entry).
[Figure: the disk buffer now holds DE1 DE2 DE3 DE4 read from the source disk; the source disk also holds the file abc; the destination disk is still empty.]

How slack takes a picture of a disk when a file is copied (2)
2. Read the file into the disk buffer (notice that the old slack is not copied into the disk buffer!).
[Figure: the disk buffer now holds abc at its start, with the directory entries DE1 DE2 DE3 DE4 from step 1 still occupying the rest of the buffer.]

How slack takes a picture of a disk when a file is copied (3)
3. Write the file to the destination disk. Notice that the slack now contains a snapshot of the files on the source disk at the time the file was copied.
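The three copy steps above, as an added example that is not from the lecture: a Python model of a copy program that reuses one sector-sized buffer, together with the check the diskette listings that follow rest on, namely that directory entries recovered from slack can carry dates later than the claimed copy date. The 20-byte text record layout and the sample entries are constructed (real DOS entries are 32 bytes with binary fields; the names and dates are taken from the listings).

```python
from datetime import datetime

SECTOR = 512
RECORD = 20  # constructed record layout: name (8) ext (3) date (9)

def directory_sector(entries):
    # constructed: pack (name, ext, date) records into one 512-byte directory sector
    raw = b"".join(f"{n:<8}{e:<3}{d:<9}".encode() for n, e, d in entries)
    return raw.ljust(SECTOR, b"\0")

def copy_through_shared_buffer(src_dir_sector, file_data):
    # (1) the copy program reads the source directory into its disk buffer
    buf = bytearray(src_dir_sector)
    # (2) the file is read into the same buffer; only len(file_data) bytes change
    buf[:len(file_data)] = file_data
    # (3) the whole buffer is written as one sector on the destination disk
    return bytes(buf)

def slack_records(sector, file_size):
    # forensic check: records lying entirely past the file's data survive intact in slack
    found = []
    for off in range(0, SECTOR, RECORD):
        rec = sector[off:off + RECORD]
        if off < file_size or not rec.strip(b"\0"):
            continue
        found.append((rec[:8].decode().strip(), rec[8:11].decode().strip(),
                      rec[11:].decode().strip()))
    return found

def records_after(records, cutoff):
    # entries dated after the claimed copy date cannot have come from an original
    cut = datetime.strptime(cutoff, "%m-%d-%y")
    return [r for r in records if datetime.strptime(r[2], "%m-%d-%y") > cut]

# constructed sample: a source directory using names from the listings in the lecture
SOURCE_DIR = directory_sector([("CONFIG", "SYS", "10-26-92"),
                               ("KATHY", "REL", "6-14-93"),
                               ("GO", "BAT", "10-26-92")])

if __name__ == "__main__":
    dest = copy_through_shared_buffer(SOURCE_DIR, b"abc")
    recs = slack_records(dest, len(b"abc"))
    print("directory entries found in slack:", recs)
    print("dated after the claimed copy date 3-06-93:", records_after(recs, "3-06-93"))
```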
[Figure: the destination disk's cluster now holds abc followed by DE1 DE2 DE3 DE4 written out of the disk buffer; the source disk still holds abc and its directory entries.]

Federal diskette F1 is not an original
Cluster 1,789, Sector 1,820 [F1:1991-$.IN C1638-1789]
Name .Ext Size Date Time Cluster Arc R/O Sys Hid Dir Vol
-----------------------------------------------------------------------------
...      YS   33430  11-11-91  5:00 am   2      R/O Sys Hid
MSDOS    SYS  37394  11-11-91  5:00 am   5419   R/O Sys Hid
CONFIG   SYS  57     10-26-92  8:47 am   8998   Arc
AUTOEXEC BAT  24     10-26-92  8:47 am   8997   Arc
DOS           0      3-22-93   4:40 pm   19     Dir
WININST       0      3-22-93   4:41 pm   597    Dir
WINDOWS       0      3-22-93   4:43 pm   3042   Dir
COMMAND  COM  47845  11-11-91  5:00 am   5429   Arc
SCAN          0      3-22-93   4:50 pm   5570   Dir
WINA20   386  9349   11-11-91  5:00 am   14
HARCHLRD REG  1492   6-14-93   12:50 pm  5859   Arc
ASP           0      3-23-93   11:59 am  6242   Dir
DO            0      3-23-93   12:01 pm  6295   Dir
GOLF          0      3-23-93   12:01 pm  6361   Dir
LOTUS         0      5-07-93   4:32 pm   5341   Dir
NORTON        0      3-23-93   12:04 pm  6977   Dir
Source: Norton Utilities Diskedit program

Federal diskette F2 is not an original
Cluster 501, Sector 532 [F2:CRIMALDI C498-501]
Name .Ext Size Date Time Cluster Arc R/O Sys Hid Dir Vol
-----------------------------------------------------------------------------
WP51          0       3-23-93   12:05 pm  7242   Dir
XTALK         0       3-23-93   12:13 pm  8910   Dir
KATHY    REL  2239    6-14-93   1:20 pm   5869   Arc
FRECOVER DAT  101376  3-24-93   11:29 am  8951   Arc R/O
GO       BAT  198     10-26-92  8:47 am   8966   Arc
MENU     BAT  947     10-26-92  8:47 am   8967   Arc
SD       INI  2497    10-26-92  8:47 am   8968   Arc
XMENU    EXE  5521    10-26-92  8:47 am   8969   Arc
XMENU    PIF  296     10-26-92  8:47 am   8971   Arc
FRECOVER IDX  29      3-24-93   11:29 am  41442  Arc R/O Sys Hid
?UMMINGS      4763    5-20-93   2:45 pm   6617   Arc
?UMMINGS BK!  4664    5-19-93   8:18 pm   5895   Arc
Source: Norton Utilities Diskedit program

Summary
• Computer programs leave traces of themselves.
• These traces can be recovered using a simple understanding of systems basics.