Add to collection(s) Add to saved
  1. Science
  2. Physics
  3. Electronics
Uploaded by pesay79169

7 Removable Media

advertisement 
CISC 3650 Forensic Computing
Removable Media
Prof. Stephen R. Flatley
Review
Review
BIOS
• The Basic Input Output System
• The primary function of the BIOS is to load and start an operating
system.
• First it will initialize and identify system devices such as the video
display card, keyboard and mouse, hard disk, CD/DVD drive and
other hardware.
• It then locates software held on a peripheral device (designated as a
'boot device'), such as a hard disk or a CD, and loads and executes
that software, giving it control of the PC.
Review
• A BIOS will also have a user interface. Typically this is a menu system
accessed by pressing a certain key on the keyboard when the PC
starts.
• Through the user interface you can:
• configure hardware
• set the system clock
• enable or disable system components
• select which devices are eligible to be a potential boot device
• set a BIOS password.
Review
EFI
• The Extensible Firmware Interface (EFI) is a
specification that defines a software interface
between an operating system and platform
firmware. EFI is a replacement for the older
BIOS firmware interface present in all IBM PCcompatible personal computers.
Review
CMOS
• Complementary metal–oxide–semiconductor
is a technology for constructing integrated
circuits. CMOS technology is used in
microprocessors, microcontrollers, static
RAM, and other digital logic circuits.
Review
Memory
• RAM
• Static random-access memory (SRAM) is a type of
semiconductor memory where,unlike dynamic RAM
(DRAM), it does not need to be periodically refreshed.
• SRAM exhibits data remanence,but is still volatile in
the conventional sense that data is eventually lost
when the memory is not powered.
Review
RAM
• Dynamic random-access memory (DRAM) is a type of
random-access memory that stores each bit of data in
a separate capacitor within an integrated circuit. The
capacitor can be either charged or discharged; these
two states are taken to represent the two values of a
bit, conventionally called 0 and 1. Since real capacitors
leak charge, the information eventually fades unless
the capacitor charge is refreshed periodically. Because
of this refresh requirement, it is a dynamic memory.
Review
ROM
• Read-only memory (ROM) is a class of storage media
used in computers and other electronic devices.
• Data stored in ROM cannot be modified, or can be
modified only slowly or with difficulty.
• Mainly used to distribute firmware (software that is
very closely tied to specific hardware, and unlikely to
need frequent updates).
Review
Hard disk
• A hard disk drive (HDD) is a non-volatile, random
access device for digital data.
• It has rotating rigid platters on a motor-driven
spindle within a protective enclosure. Data is
magnetically read from and written to the platter
by read/write heads that float on a film of air
above the platters.
Review
Hard disk internal
Review
SSD
• A solid-state drive (SSD) is a data storage device that
uses solid-state memory to store data.
• Distinguished from traditional hard disk drives (HDDs),
which are electromechanical devices containing spinning
disks and movable read/write heads. SSDs, in contrast,
use microchips which retain data in non-volatile memory
chips.
• Contain no moving parts.
Review
SSD
• Less susceptible to physical shock
• Quieter, and have lower access time and
latency.
• Use the same interface as hard disk drives,
thus easily replacing them in most applications.
Review
SSD
• Wear leveling is a technique for prolonging the
service life of some kinds of erasable computer
storage media, such as Flash memory used in
solid-state drives (SSDs) and USB Flash drives.
There are a few wear leveling mechanisms
used in Flash memory systems, each with
varying levels of longevity enhancement.
Review
• Conventional file systems such as FAT, HFS+,
and NTFS were originally designed for
magnetic disks and rewrite many of their data
structures (such as their directories)
repeatedly to the same area. Some file
systems aggravate the problem by tracking
last-access times, which can lead to file
metadata being constantly rewritten in-place.
Review
Serial
• A serial communication physical interface through which
information transfers in or out one bit at a time.
• Throughout most of the history of personal computers, data
transfer through serial ports connected the computer to devices
such as terminals and various peripherals.
• While such interfaces as Ethernet, FireWire, and USB all send data
as a serial stream, the term "serial port" usually identifies hardware
more or less compliant to the RS-232 standard, intended to
interface with a modem or with a similar communication device.
Review
Serial port
Review
• A parallel port is a type of interface found on
computers (personal and otherwise) for
connecting various peripherals. In computing,
a parallel port is a parallel communication
physical interface. It is also known as a printer
port or Centronics port. The IEEE 1284
standard defines the bi-directional version of
the port, which allows the transmission and
reception of data bits at the same time.
Review
Parallel port
Review
USB
• Universal Serial Bus (USB) is a communication
specification between devices and a host
controller (usually a personal computer)
• USB has effectively replaced a variety of
interfaces such as serial and parallel ports.
Review
SCSI
• Small Computer System Interface, or SCSI, is a set
of standards for physically connecting and
transferring data between computers and peripheral
devices. The SCSI standards define commands,
protocols, and electrical and optical interfaces. SCSI
is most commonly used for hard disks and tape
drives, but it can connect a wide range of other
devices, including scanners and CD drives.
Review
SCSI connectors
Review
• The Parallel ATA standard is the result of a long
history of incremental technical development, which
began with the original AT Attachment interface,
developed for use in early PC AT equipment. The
ATA interface itself evolved in several stages from
Western Digital's original Integrated Drive Electronics
(IDE) interface. As a result, many near-synonyms for
ATA/ATAPI and its previous incarnations are still in
common informal use. After the introduction of Serial
ATA in 2003, the original ATA was retroactively
renamed Parallel ATA.
Review
IDE cable
Review
IDE slots on mother board
Review
IDE/PATA drive connections
Review
SATA
• Serial ATA (SATA or Serial Advanced Technology Attachment)
is a computer bus interface for connecting host bus adapters
to mass storage devices such as hard disk drives and optical
drives. Serial ATA was designed to replace the older ATA (AT
Attachment) standard (also known as EIDE), offering several
advantages over the older parallel ATA (PATA) interface:
reduced cable-bulk and cost (7 conductors versus 40),
native hot swapping, faster data transfer through higher
signalling rates, and more efficient transfer through an
(optional) I/O queuing protocol.
Review
SATA cable and mother board connector
Review
SATA hard drive
Removable Media
Removable Media
• Removable media is defined as anything that
can hold non-volatile data and is designed to
be removed from a computer
• Typical forms include, CDs, DVDs, thumb
drives, SD cards, tapes, Blue Ray Disks, etc.
Removable Media
• Some older, obsolete forms of removable
media:
• Magneto Optical Drives
• ZIP drives
• Floppy Drives
• WORM Drives
Removable Media
• We have already discussed at length floppy
disks and thumb drives
• To re-cap, floppies are FAT 12 formatted with
a maximum capacity of 1.44 MB
• Thumb Drives are generally FAT 32 formatted
with varying capacities.
Removable Media
SD Cards
• Generally FAT 32 formatted with varying
capacities
• Physically can be standard, mini, and micro
sized
Removable Media
Removable Media
Compact Disk
• A Compact Disc (also known as a CD) is an
optical disc used to store digital data.
• It was originally developed to store and
playback sound recordings exclusively, but
later expanded to encompass data storage.
Removable Media
Compact Disk
• Some CD formats include CD-ROM, write-once
audio and data storage CD-R, rewritable media
CD-RW, Video Compact Discs (VCD), Super
Video Compact Discs (SVCD), PhotoCD,
PictureCD, CD-i, and Enhanced CD.
• Audio CDs and audio CD players have been
commercially available since October 1982.
Removable Media
Compact Disk
• There are many different CD formats including:
• CD-R
• CD+R
• CD-RW
Removable Media
• A blank CD-R is not as "empty” as it would
seem.
• The polycarbonate layer has a spiral pregroove that is formed when the disc substrate
is injection molded against a stamper.
• This spiral has a "wobble" introduced into it,
which the read/write laser in the drive can read
while it is writing.
Removable Media
• The wobble is a slight sinusoidal wave
(22.05kHz) that has an "excursion" of .03nm
from the center of the track path.
• The drive will synchronize the rotation speed
to the reference speed of the wobble signal,
allowing it to maintain the speed of the track
as it passes the laser.
Removable Media
• The wobble is frequency-modulated which
creates an absolute time clocking signal,
known as Absolute Time In Pregroove (ATIP).
• The ATIP contains absolute minutes (A-MIN),
absolute seconds (A-SEC) and absolute
frames (A_FRAM) which are used to detect an
absolute position on the disc.
Removable Media
• When the compact disc was first created it
was specifically for storage of audio.
• The biggest need was to maximize storage
area while minimizing overhead, which led to
the creation of the 2352 user data byte CD
audio block sector.
Removable Media
• It would seem using all 2352 bytes for user
data and leaving no room for error correction
would be disastrous, but an error on an audio
CD would only cause a slight amount of
silence or static.
• That same error on a data CD could cause
you to lose that file, or worse, all the data on
the CD.
Removable Media
• A new standard, called “Mode 1”, was created after people started seeing
the potential for a CD to be a good medium for the storage of large amounts
of data.
• Mode 1 takes the same 2,352 bytes and breaks it up into the following areas:
• Synch—which allows the drive area to synchronize with the sector
• Sector ID—this gives us the absolute time and mode byte (the mode byte
tells the drive if the sector is a Mode 1 or Mode 2)
• User data—2,048 bytes are left for the user to store data
• Error Detection—CRC is used for error detection
• Null—which is padded with ZEROs
• Error Correction
Removable Media
Removable Media
Table of Contents
• The TOC describes the session and track
layout.
• The file system is used for tracking where and
how files and folders are located on the disc.
Removable Media
CD File systems
• CDfs for Linux and CDFS for Windows.
• CDfs is a file system for the Linux platform that
provides access to each CD-R session as
separate ISO 9660 images.
• This is possible because CDfs exports all tracks
and boot images on a CD as normal files.
Removable Media
CD File systems
• CD-ROM file system, or CDFS, was defined as the read-only
formatting standard for CD-ROM media.
• This is a Windows legacy file system for CDs that follows the
ISO 9660 Level 2 restrictions of a 31 character file name
maximum and a directory tree maximum depth of 8 levels.
• ISO 9660 does state CDFS is to display the date information
correctly for the local time zone, so files located on or
originating from media using CDFS are adjusted to reflect the
local time zone.
Removable Media
ISO 9660 File System
• ISO 9660 file system was actually an evolution of the High
Sierra file system and contains three levels:
• 1. Level 1: Guarantees the most interoperability, but
requires file names to be upper case and is limited to eight
characters with a three-character extension.
• 2. Level 2: File names may be up to 31 characters.
• 3. Level 3: Files allowed to be fragmented.
Removable Media
ISO 9660 File System
• All levels restrict names to upper case letter,
digits, and underscores (“_”), but some software
applications allow the user to use almost any
ASCII character. Even though the relaxed
standards don’t strictly conform to the ISO 9660
standard, most operating systems that can read
ISO 9660 file systems support this functionality.
Removable Media
Joliet File System
• Joliet file system is an extension of ISO 9660 that has been
specified and endorsed by Microsoft and supports long
filenames and Unicode.
• The file system allows files and directories to be up to 64
characters long (Unicode support), has support for multisession recording, and removed the 8-level deep subdirectory
barrier.
• Joliet file system is readable by PCs running Windows 95 or
later, Linux, Mac OS X, and FreeBSD.
Removable Media
Joliet File System
• Forensic implications of not using a forensic tool to review CDs and
DVDs on a Microsoft Windows PC.
• If you place a CD or DVD with a UDF and Joliet file system into a
Microsoft Windows computer you will only be shown sessions and data
with entries in the UDF file system.
• If you place a session written with the ISO 9660 file system on the
same disc as a session already written with ISO 9660, UDF and Joliet
file systems without making an entry in the UDF or Joliet file system,
the Windows PC will not show you the additional data placed on the
disc.
Removable Media
• All CDs and DVDs will have at least 2 file
systems present on them.
• Usually, the ISO and Joliet systems will be
present.
Removable Media
SESSIONS
• A session is defined as a lead-in (or intro or border-in), followed
by one or more tracks, followed by a lead-out (or closure or
border-out).
• There’s no minimum amount of tracks or data needed to
constitute a session, just the requirement to have a specified
beginning, some data, and a specified end.
• When a session is closed (or finalized), a TOC gets recorded in
the lead-in of that particular session describing the tracks and
session.
Removable Media
SESSIONS
• The lead-in and lead-out of higher sessions are
located in the program area which makes them
addressable but mostly not accessible by the host.
• When the entire disc is finalized, or closed, a
pointer to the next session is missing from the
lead-in of the last session, preventing subsequent
recording even if physical space is available.
Removable Media
• A forensic point of interest when reviewing
multi session optical media has come about
with the creation of UDF file systems.
• The UDF VAT allows a recordable disc to be a
virtual rewriteable disc by allowing files to be
“deleted”.
Removable Media
• Since the file is not actually deleted on
recordable media, a file entry pointer is just
removed from the table of contents, the file
pointer and data will be shown in previous
sessions.
• If you look at the contents of the UDF folder for
a session,there’s no entry for the file, but the
entry can be seen by going to the previous
session and looking at the UDF folder contents.
Removable Media
• Since UDF is a more sophisticated file
system, the operating system will rely on that
file system and only show you what’s
recorded in the UDF file system.
• This is forensically important if a drive, even
an RW drive, is used in conjunction with a
non-forensic tool to “rule out” the potential for
evidence existing on an evidentiary disc.
Removable Media
Size differences
• How is it that we can put 700 MB on a CD, 4
GB on a DVD, and 25 GB on a Blu Ray Disk?
• The answer lies in the color of the laser used,
and the construction of the disk.
Removable Media
Questions?
Related documents
TITLE: Removable Storage Devices policy (RSD)
TITLE: Removable Storage Devices policy (RSD)
Name________________________ Student I.D.___________________ Math 1210-1 Quiz 2
Name________________________ Student I.D.___________________ Math 1210-1 Quiz 2
Math 1210 Quiz 3 January 24th, 2014
Math 1210 Quiz 3 January 24th, 2014
Department Records Management Training
Department Records Management Training
Download
advertisement