Computer Forensics
BACS 371
Computer System Basics 2
Hard Drive Storage & File Partitions
Computer System Basics 2

Hardware
Disk Drives
Formatting
Data Storage
File Partitions
File Systems introduction
Hardware

Disk Drives
 Formatting


Low-Level Formatting
High-Level Formatting
 Data






Storage
Encoded Bit
Byte
Word
Sector
Cluster
File
Hard Disk Drives
Hard Disk Drive
Sectors and Clusters
Disk Drive & Misc Hardware Videos
Details about how a hard drive works (apx 3:20)
http://www.youtube.com/watch?v=kdmLvl1n82U
See hard drive running and accessing (apx 1:40)
http://www.youtube.com/watch?v=4sz4VHCj2Ho
Why not freeze a hard drive?
http://www.youtube.com/watch?v=ad1uVAB5bNA
 Old 72 MB hard drive staring up. (apx 1:08)
http://www.youtube.com/watch?v=Y9Z8vF46fXo

Long video disassembling a big hard drive (apx 47 min)
https://www.youtube.com/watch?v=CBjoWMA5d84
Hard Drive Basics

Head


Track


A column of tracks on a disk drive with 2 or more platters
Sector


Individual circles on disk platter where data are located
Cylinder


Device which reads and writes data on the disk
An individual section of data on a track – the smallest
amount of data which can be written to the disk – usually
512 bytes
Disk Capacity (CHS calculation)
= #cylinders (platters) * #tracks * #sectors
Disk Addressing Schemes


There are 2 common disk addressing schemes:
CHS
 Cylinder,
Head, Sector
 Closely tied to the physical geometry of the disk drive

LBA
 Logical
Block Address
 Independent from the physical geometry of the disk
drive
 First block on disk numbered 0, next is 1, …
 Most modern drives use this scheme
CHS Calculation Example
Platter
Sector
Track
Cylinder
Capacity = Heads * Tracks * Sectors * Bytes/Sector
Hard Drive Data Storage I

Bit



Byte




Binary Digit
Stores either a ‘1’ or a ‘0’
8 bits
Single ASCII character
Values from 0~255
Word



Usually 4 Bytes
Represents the minimum piece of information which a computer can manipulate
Values from 0~4,294 ,967,296
Bit
Byte
8 bits
Word
32 bits or 4 bytes
Hard Drive Data Storage II

Sector






Cluster (File Allocation Units)



Minimum storage size on a hard drive
One “pie shaped” arc of a platter
Common storage size of 512 Bytes
Established during low-level formatting
Numbered sequentially starting at 1
Minimum storage size for a file as determined by file system
Common cluster size is 4096 Bytes (4KB) – 8 Sectors
File

Determined by file system
Sectors
Clusters
8 Sectors
File
2 Clusters
* Just an example,
your file may
occupy more or
fewer clusters.
Hard Drive Storage Capacities
Name
Exact
Amount
(Bytes)
Power of
10
(approx)
Power
of 2
(Exact)
Visual Comparison
Kilobyte
KB
1024
103
210
1024 Characters – One half
page of text
Megabyte
MB
1,048,576
106
220
Small Novel
5MB = Shakespeare’s work
Gigabyte
GB
1,073,741,8
24
109
230
Truck full of paper
Terabyte
TB
1,099,511,6
27,776
1012
240
10TB = Massive amounts
of data (small library)
Petabyte
PB
1,125,899,9
1015
250
06,842,624
Formatting and Partitioning

Low-Level Formatting
Physically defines tracks and sectors on disk
 Does erase data
 Typically only performed at factory


Partitioning
High-Level Formatting
 Dividing the disk into volumes – process of defining the file
system structure
 Appear as logical drives to OS
 Does not destroy data on Disk

Partitions





A partition is a logical volume within a physical
volume (i.e., disk).
The Master Boot Record (MBR) of a disk defines the
partitions found on the physical disk.
An MBR can define 4 primary partitions (max).
These partitions can be defined as “logical
partitions.”
Logical partitions are capable of being further
subdivided into smaller logical partitions.
Partitions
To open Computer Management, click Start, and
then click Control Panel. Click Performance
and Maintenance, click Administrative Tools,
and then double-click Computer Management.
Master Boot Record (MBR)
Executable Code
•
•
•
•
Machine Language Code
Processor Specific
Decodes Partition Table
446 bytes long
byte 446
Partition Table
• 4 Entries
• First Entry Starts at
offset 0x01BE (44610)
MBR “Signature”
• 0x55AA
Decoding a Partition Table Entry
• Entry #3 starting at offset 0x01DE
Starting Sector
Starting Cylinder
• Offset 2
• 6 bits (use 6 LSB)
• Decode as bits
• 0xC1 = 1100|0001
• 6 LSB = 000001 = Sector #1
• Offset 3
• 10 bits (use remaining 2 bits from
sector as upper 2 bits)
• Decode as bits
• 0xFF = 1111|1111
• 10 bits = 11|1111|1111 = 0x3FF =
Cylinder # 1023
Bootable?
Starting Head
• Offset 0
• Value 0x80
means bootable
• Offset 1
• 1 Byte
• 0x00 = 0 Starting Head
File System Type
• Offset 4
• Decode as table entry
• 0x0C = Win 95 Fat-32 LBA
Ending Head 5
Ending Sector 6
Ending Cylinder 7
Number of Sectors
Relative Sectors
(start of partition)
• Offset 8
• 4 Bytes
• Decode as Number (swap)
• 0x1D0D9045 = 487,428,165
• # of sectors from start of
drive to start of this partition
• Offset 12
• 4 Bytes
• Decode as Number (swap)
• 0x000E37BA = 931,770
• # of sectors in this partition
• 477,066,240 bytes (*512)
Partition Layout
http://www.microsoft.com/library/media/1033/tech
net/images/prodtechnol/winxppro/reskit/ch28/f28zs
07_big.jpg
Extended
Partition Layout
http://www.microsoft.com/library/media
/1033/technet/images/prodtechnol/winx
ppro/reskit/ch28/f28zs07_big.jpg
File Systems



Each partition can contain an independent file
system.
A file system is merely a structure for storing and
organizing computer files and data on a disk
partition to make it easy to find.
The main files systems currently used are:
 FAT
– (FAT12, FAT16, FAT32., exFAT_
 NTFS
 EXT (Ext2, Ext3, Ext4)
 HFS