Disk Structures

COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

L3: Disk Structure

File System Abstraction Model

- File access and storage methods have a logical progression from low level to high level:
  - A physical storage device
  - Volumes and partitions
  - File system
  - Data unit
  - Metadata
  - File name
- Covered in this lecture: the disk, and volumes and partitions
- Others (covered later)
Understanding Disk Drives

- Examples of physical storage devices: a SCSI or SATA hard drive; a Secure Digital card from a digital camera
- Conventional disk drives are made up of one or more platters coated with magnetic material
- Disk drive geometry: heads, tracks, cylinders, sectors
- Analysis at the physical (platter) level requires:
  - extensive specialized training and knowledge
  - a clean room
  - expensive electron microscopy equipment

Disk Structure

- Each side of a platter is read by its own read/write head
- A track: one concentric ring on one side of a platter
- A sector: the smallest addressable unit of a track (typically 512 bytes)
- A cylinder: the collection of tracks with the same track number across all platters and sides
- The physical structure is usually much more complicated than this model; special hardware on the drive (the disk controller) takes care of the mapping from CHS values to physical locations

CHS Addressing

- CHS: Cylinder - Head - Sector
- CHS addressing: a method to refer to a sector of the disk by its cylinder, head and sector number
- Cylinders and heads are numbered from 0; sectors within a track are numbered from 1
- The only possible addressing mode in old systems
- BIOS interrupt call INT 0x13, function 0x08, returns the drive parameters: total cylinders, total heads and total sectors per track (total sectors = C x H x S)

Disk Size from CHS

- C = number of cylinders = 1024
- H = number of heads = 32
- S = number of sectors per track = 63
- Size of a sector = 512 bytes
- Total sectors = C x H x S = 1024 x 32 x 63 = 2,064,384
- Size of disk = 2,064,384 x 512 bytes = 1,056,964,608 bytes, about 1.06 GB

Logical Block Addressing (LBA)

- An alternative to using C, H and S values to refer to a sector
- Blocks (typically 512-byte sectors) are numbered from 0 to max LBA
- LBA = (C x heads + H) x sectors_per_track + (S - 1)
- C=0, H=0, S=1 is LBA 0
- C=0, H=0, S=2 is LBA 1
- C=0, H=2, S=1 is LBA 126 (with 32 heads and 63 sectors per track from the previous slide: (0 x 32 + 2) x 63 + 0 = 126)
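As an added example (not from the slides), the CHS arithmetic above in code: disk size from C/H/S, the CHS to LBA mapping and its inverse with a bounds check, and the count of sectors a disk has beyond its last whole cylinder, computed for the 1024/32/63 geometry on this slide and for the 255-head, 63-sector geometry that fdisk reports for /dev/sda later in the lecture. The function names are mine.

```python
"""CHS geometry arithmetic: disk size from C/H/S, the CHS <-> LBA mapping,
and the sectors a disk has beyond its last whole cylinder.  Added example;
it is not part of the COMP 2555 slides.  Geometries used below are the ones
the slides use (1024/32/63) and the one fdisk reports for /dev/sda (255/63)."""

SECTOR_BYTES = 512


def total_sectors(cylinders, heads, spt):
    """Sectors addressable through CHS (spt = sectors per track, not per cylinder)."""
    return cylinders * heads * spt


def disk_bytes(cylinders, heads, spt, sector_bytes=SECTOR_BYTES):
    return total_sectors(cylinders, heads, spt) * sector_bytes


def chs_to_lba(c, h, s, heads, spt):
    """CHS -> LBA.  Cylinders and heads count from 0, sectors from 1,
    so C=0,H=0,S=1 is LBA 0."""
    if not (0 <= h < heads and 1 <= s <= spt):
        raise ValueError(f"CHS ({c},{h},{s}) is outside a {heads}x{spt} geometry")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba for the same geometry."""
    c, remainder = divmod(lba, heads * spt)
    h, s = divmod(remainder, spt)
    return c, h, s + 1


def surplus_sectors(total, heads, spt):
    """Sectors past the last whole cylinder.  fdisk reports
    cylinders = total // (heads * spt); anything beyond that product exists
    on the disk but has no CHS address, so cylinder-aligned partitioning
    never puts it inside a partition."""
    whole_cylinders = total // (heads * spt)
    return total - whole_cylinders * heads * spt


if __name__ == "__main__":
    # Slide geometry: 1024 cylinders, 32 heads, 63 sectors per track
    print(total_sectors(1024, 32, 63), "sectors,", disk_bytes(1024, 32, 63), "bytes")
    print("C=0,H=2,S=1 ->", chs_to_lba(0, 2, 1, 32, 63))
    # fdisk -l geometry from the slides: 255 heads, 63 sectors/track, 41943040 sectors
    print("cylinders:", 41943040 // (255 * 63),
          "surplus sectors:", surplus_sectors(41943040, 255, 63))
```

The surplus computation reproduces what fdisk prints for /dev/sda: 2610 whole cylinders cover 41,929,650 of the 41,943,040 sectors, leaving 13,390 that no cylinder-aligned partition would ever include.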
Surplus Sectors

- Some older systems require aligning a partition boundary on a cylinder; that can leave some sectors lying around (good for hiding data)
- Example from the fdisk listing below: 2610 whole cylinders x 255 heads x 63 sectors = 41,929,650 sectors, but the disk has 41,943,040, so the last 13,390 sectors lie beyond the last cylinder boundary

Volumes and Partitions

- A disk can be divided into collections of sectors, forming a logical drive
- A partition is a logical drive
- Example (fdisk -l on a Linux system):

deft ~ % fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00084d1c

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    40394751    20196352   83  Linux
/dev/sda2        40396798    41940991      772097    5  Extended
/dev/sda5        40396800    41940991      772096   82  Linux swap / Solaris

- Start and End are sector numbers (LBA); Blocks counts 1 KiB units, i.e. (End - Start + 1) / 2; Id is the partition type code

Partition gap

- Unused space between partitions
- Possibility of a hidden partition
- In the listing above, /dev/sda1 ends at sector 40394751 and /dev/sda2 begins at 40396798, leaving 2046 unallocated sectors between them; sectors 1 to 2047 before /dev/sda1 and the 2048 sectors after /dev/sda2 are unallocated as well

Master Boot Record

- The first sector of the disk (512 bytes) contains special code called the Master Boot Record (MBR)
- Typically holds code to load the OS
- The MBR stores information about the partitions on a disk: their locations, sizes and other important items
- MBR code can also load elaborate GUI-driven boot loaders
- In multi-partition systems, the first sector of a bootable partition is called a Volume Boot Record (VBR)

Single OS Boot Process

- BIOS loads the MBR into memory and executes it
- The executed MBR code loads and executes the OS-related boot code
- Layout on the HDD: MBR (512 bytes) -> OS dependent boot code -> other system files and data
Multi Partition Boot Process

- BIOS loads the MBR into memory and executes it
- MBR code identifies the active partition
- MBR code loads the VBR of the active partition and transfers control to it
- Execution then proceeds as in the single-OS case
- Layout on the HDD: MBR (512 bytes) | Partition 1: VBR (512 bytes), OS dependent boot code, other system files and data | Partition 2: data files

Multi OS Boot with GRUB

- MBR code (GRUB) loads the GRUB Stage 2 code
- GRUB Stage 2 asks the user to choose one VBR and transfers control to it
- Layout on the HDD: MBR (GRUB) | GRUB Stage 2 | Partition 1: VBR, OS dependent boot code, other system files and data | Partition 2: VBR, OS dependent boot code, other system files and data

Disk Partitions (contd.)

- A partition can be examined at the physical level with a disk editor: Norton DiskEdit, WinHex, Hex Workshop
- Analyze the key hexadecimal codes the OS uses to identify and maintain partitions
- A disk editor utility can also alter the information in the partition table, for example to hide a partition

Reading Hex Dumps

- Hex dumps are meaningless unless you know what you are reading
- The structure of the stored data must be known before reading a hex dump
- Structures are usually specified using offsets
- An offset specifies the location of a specific piece of data relative to the beginning of the hex dump or the beginning of another structure
- The first byte in a hex dump is at offset zero
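As an added example, not part of the lecture: the nine-byte record that the Hex Dump Example slides walk through (a character, a 4-byte integer, a 4-byte date) decoded by offset under the two date layouts those slides consider, so that the same bytes yield two different dates. The bytes are the slide's; the decode() function, its layout names and the hexdump() helper are assumptions of this example.

```python
"""Decoding the nine-byte record from the Hex Dump Example slides
(a 1-byte character, a 4-byte integer, a 4-byte date) under the two
date layouts those slides consider.  Added example, not from the lecture;
the bytes are the slide's, the field names and the decode() API are mine."""
import struct
from datetime import datetime, timezone

# The slide's hex dump, offsets 0x0..0x8 (constructed from the slide's bytes)
DUMP = bytes.fromhex("4B CD 34 AB 12 09 0F DE 07")


def decode(buf, date_layout):
    """Read the record by offset.  Offset 0x0: character; 0x1: little-endian
    32-bit integer; 0x5: four date bytes whose meaning depends on date_layout:
      'mm_dd_yyyy' - month byte, day byte, little-endian 16-bit year
      'unix'       - little-endian 32-bit seconds since 1970-01-01 UTC
    Same bytes, different structure, different answer."""
    if len(buf) < 9:
        raise ValueError("record needs 9 bytes")
    char = chr(buf[0x0])
    (number,) = struct.unpack_from("<I", buf, 0x1)
    if date_layout == "mm_dd_yyyy":
        month, day, year = struct.unpack_from("<BBH", buf, 0x5)
        if not (1 <= month <= 12 and 1 <= day <= 31):
            raise ValueError("not a plausible MM DD YYYY date")
        date = f"{year:04d}-{month:02d}-{day:02d}"
    elif date_layout == "unix":
        (seconds,) = struct.unpack_from("<I", buf, 0x5)
        date = datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    else:
        raise ValueError(f"unknown date layout {date_layout!r}")
    return char, number, date


def hexdump(buf):
    """Offset / byte listing in the slide's style, for eyeballing the record."""
    return "\n".join(f"0x{i:x}: {b:02X}" for i, b in enumerate(buf))


if __name__ == "__main__":
    print(hexdump(DUMP))
    for layout in ("mm_dd_yyyy", "unix"):
        char, number, date = decode(DUMP, layout)
        print(f"{layout:>10}: char={char!r} int=0x{number:08X} date={date}")
```

Note that the integer at offset 0x1 is 0x12AB34CD once the bytes CD 34 AB 12 are reversed, and that the date bytes decode to September 15, 2014 under one layout and to a 1974 timestamp under the other; nothing in the bytes themselves says which is right.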
Hex Dump Example

- Say we have stored a character (1 byte), followed by an integer (4 bytes), followed by a date (4 bytes) in a file
- The hex dump of the file:

offset: 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8
byte:   4B  CD  34  AB  12  09  0F  DE  07

- Structure:
  - Offset 0x0: character (1 byte)
  - Offset 0x1: integer (4 bytes)
  - Offset 0x5: date (4 bytes)
- Little-endian format: multi-byte values are stored least significant byte first, so the bytes are read last to first to form the value
- Offset 0x0: 0x4B (the character K in ASCII)
- Offset 0x1: the bytes CD 34 AB 12 read in little-endian order give 0x12AB34CD
- Offset 0x5: the date bytes are 09 0F DE 07, but what date is stored? We need to know the structure!

Hex Dump Example (contd.)

- Say the date was stored as MM DD YYYY:
  - Offset 0x0 (within the date bytes): month MM = 0x09 (September)
  - Offset 0x1: day DD = 0x0F (15)
  - Offset 0x2: year YYYY, little-endian: DE 07 = 0x07DE = 2014
  - So the date is September 15, 2014
- If instead the date was stored as the number of seconds since Jan 1, 1970 (little-endian), the same bytes give 0x07DE0F09 = 131,993,353, which is March 8, 1974, 16:49:13 UTC

A Typical MBR

- Total of 512 bytes
- Offset 0x0: first 440 bytes, bootloader code: instructions to locate the bootable partition, load the first sector of that partition (the VBR) and execute it
- Offset 0x1B8: disk identifier, 4 bytes
- Offset 0x1BC: 2 bytes, normally 0x0000
- Offset 0x1BE: partition table, 4 entries x 16 bytes = 64 bytes
- Offset 0x1FE: boot record signature, 2 bytes: 0xAA55 (stored little-endian, so the bytes read 55 AA)

Partition Table

- Each 16-byte entry describes one partition; an entry of all zeros is unused
- Structure of an entry:
  - Offset 0x0: 0x80 if the partition is bootable (active, has a VBR), otherwise 0x00
  - Offset 0x1: CHS values of the first sector (3 bytes: head; sector in the low 6 bits with cylinder bits 8-9 in the high 2 bits; cylinder bits 0-7)
  - Offset 0x4: partition type code (http://en.wikipedia.org/wiki/Partition_type#List_of_partition_IDs)
  - Offset 0x5: CHS values of the last sector (3 bytes, same packing)
  - Offset 0x8: LBA of the first sector (4 bytes)
  - Offset 0xC: number of sectors in the partition (4 bytes)
- Little-endian format: multi-byte values are stored last byte to first byte, so the LBA and sector count fields are read least significant byte first
- The CHS fields cannot address beyond cylinder 1023, so for partitions past that point tools write the placeholder 1023/254/63 (bytes FE FF FF) and the LBA fields are the ones to trust
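Putting the MBR layout and the partition table structure together, as an added example rather than lecture code: a parser for the 512-byte MBR that checks the 0xAA55 signature, reads the disk identifier and the four 16-byte entries (unpacking the 3-byte CHS fields and the little-endian LBA fields), and lists the sector ranges no partition covers, which are the partition gaps and surplus sectors discussed earlier. The MBR bytes are constructed here to match the fdisk -l listing on the Volumes and Partitions slide; the 255/63 geometry, the zeroed boot code area and the helper names are assumptions of this example.

```python
"""Parse a classic MBR (the 512-byte layout on the slides) and list the
sector ranges its partition table leaves unallocated.  Added example; it is
not code from the COMP 2555 lecture.  The MBR bytes are constructed here to
match the fdisk -l listing on the Volumes and Partitions slide (/dev/sda,
255 heads, 63 sectors/track, 41943040 sectors); the 440-byte boot code
area is left as zeros, and the helper names are mine."""
import struct

HEADS, SPT = 255, 63            # assumed geometry for the CHS fields
TOTAL_SECTORS = 41943040        # from the fdisk listing


def lba_to_chs(lba):
    """LBA -> (cylinder, head, sector).  Cylinders above 1023 do not fit the
    10-bit field, so tools write the placeholder 1023/254/63 instead."""
    c, remainder = divmod(lba, HEADS * SPT)
    h, s = divmod(remainder, SPT)
    return (1023, 254, 63) if c > 1023 else (c, h, s + 1)


def chs_pack(c, h, s):
    """3-byte on-disk CHS: head; sector (6 bits) | cylinder bits 8-9; cylinder bits 0-7."""
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def chs_unpack(raw):
    h, b1, b2 = raw
    return ((b1 & 0xC0) << 2) | b2, h, b1 & 0x3F


def pack_entry(bootable, ptype, start, count):
    """One 16-byte partition table entry; count == 0 means an empty slot."""
    if count == 0:
        return bytes(16)
    first, last = lba_to_chs(start), lba_to_chs(start + count - 1)
    return (bytes([0x80 if bootable else 0x00]) + chs_pack(*first)
            + bytes([ptype]) + chs_pack(*last) + struct.pack("<II", start, count))


def build_mbr(disk_id, entries):
    """Boot code (zeros) | disk id at 0x1B8 | 2 reserved bytes | table at 0x1BE | 0xAA55."""
    table = b"".join(pack_entry(*e) for e in entries)
    return bytes(440) + struct.pack("<I", disk_id) + b"\x00\x00" + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return (disk_id, partitions).  Refuses sectors without the 0xAA55 signature."""
    if len(mbr) != 512 or struct.unpack_from("<H", mbr, 0x1FE)[0] != 0xAA55:
        raise ValueError("not an MBR: bad length or missing 0xAA55 at offset 0x1FE")
    (disk_id,) = struct.unpack_from("<I", mbr, 0x1B8)
    partitions = []
    for slot in range(4):
        entry = mbr[0x1BE + 16 * slot: 0x1BE + 16 * (slot + 1)]
        start, count = struct.unpack_from("<II", entry, 0x8)
        if count == 0:
            continue
        partitions.append({
            "slot": slot + 1,
            "bootable": entry[0x0] == 0x80,
            "type": entry[0x4],
            "first_chs": chs_unpack(entry[0x1:0x4]),
            "last_chs": chs_unpack(entry[0x5:0x8]),
            "start": start,
            "end": start + count - 1,
            "blocks": count // 2,          # fdisk's "Blocks" column (1 KiB units)
        })
    return disk_id, partitions


def unallocated(partitions, total_sectors):
    """Sector ranges no primary partition covers: the partition gaps and
    surplus sectors where data (or a hidden partition) can sit."""
    gaps, cursor = [], 1                   # sector 0 holds the MBR itself
    for p in sorted(partitions, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


# Constructed to mirror the slide's fdisk output (start/end sectors from the listing)
MBR = build_mbr(0x00084D1C, [
    (True, 0x83, 2048, 40394751 - 2048 + 1),            # /dev/sda1, Linux, bootable
    (False, 0x05, 40396798, 41940991 - 40396798 + 1),   # /dev/sda2, extended
    (False, 0x00, 0, 0),
    (False, 0x00, 0, 0),
])

if __name__ == "__main__":
    disk_id, parts = parse_mbr(MBR)
    print(f"Disk identifier: 0x{disk_id:08x}")
    for p in parts:
        flag = "*" if p["bootable"] else " "
        print(f"slot {p['slot']} {flag} type 0x{p['type']:02x} start {p['start']} "
              f"end {p['end']} blocks {p['blocks']} chs {p['first_chs']}-{p['last_chs']}")
    for lo, hi in unallocated(parts, TOTAL_SECTORS):
        print(f"unallocated: sectors {lo}-{hi} ({hi - lo + 1} sectors)")
```

Run against a real disk with mbr = open("/dev/sda", "rb").read(512) (root required) and TOTAL_SECTORS taken from the fdisk header; the parser only walks the four primary entries, so logical partitions inside the extended partition (such as /dev/sda5 in the listing) still have to be followed through the extended boot record chain, which the lecture defers to later.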
References

- http://thestarman.pcministry.com/asm/mbr/PartTables.htm (has much more than what is covered here)