COEN 252 Computer Forensics
Hard Drive Geometry

Drive Geometry
- Basic Definitions: Track, Sector
- Floppy

Hard Drive Geometry: Cylinder
- A cylinder is formed by the tracks on all the platters with the actuator in a fixed position. (Because of different temperatures and hence different arm lengths, it is impossible to read and write in parallel.)

Hard Drive Geometry: Writing and Reading on a Track

Hard Drive Geometry
- Data is stored in the form of a magnetization pattern.

Complete Disk
- IBM Ultrastar Z

Sectors
- Complete sectors are written and read.

Sectors
- A sector consists of:
  - Inter-sector gap
  - ID information (including defective mark) (no longer used in modern drives)
  - Synchronization fields
  - Client data (512B)
  - ECC
  - Inter-sector gap

Formatting
- Low level format
  - Creates “data structures” for tracks and sectors.
  - Defective sectors and regions are remapped.
  - There is no direct access to the disk layout.
  - This is not the usual formatting.

Interfaces
- Disks are getting smarter: in the history of disk drives, control functions moved to the disk.
- Disks use a Logical Sector or Cylinder-Head-Sector addressing interface.
- SCSI: Small Computer Systems Interface
  - Block device (Logical Sector)
  - SCSI 1, 2, 3 standards implement a generic command language
- ATA (AT Attachment): PATA, SATA

Interfaces
- ATA / IDE (Integrated Disk Electronics)
  - Specified as a family of standards, ATA-1 (1994) to ATA-7 (in draft)
  - ATA disks require a controller (“channel”) built into the motherboard.
  - Controller controls one or two disks: master and slave disk.
  - Typical motherboard has two channels with up to two disks / devices.

Interfaces
- SATA (Serial ATA), as opposed to PATA
  - uses Advanced Host Controller Interface (AHCI)
  - 7 pin SATA data cable
  - 15 pin SATA power cable
  - supported by Vista, Linux, but not XP
  - often implemented in conjunction with Serial Attached SCSI (SAS)
  - looks like PATA at the application level but is completely non-interchangeable at the device level

Interfaces: Addressing
- Distinguish physical addresses (low level format) and logical addresses (changed by normal formatting / repartitioning)
- Physical addresses
  - Cylinder Head Sector proved too limiting:
    - 10b cylinder, 4b head, 6b sector
    - 16b cylinder, 4b head, 6b sector
  - LBA (Logical Block Addresses)
- In older systems, the BIOS might have to do address translation. This causes a FE (forensic examiner) headache if disks are mounted on other systems.

Interfaces
- Terminology is difficult to understand.
  - http://www.pcguide.com/ref/hdd/if/ide
- Removable media specifications in AT Attachment Packet Interface (ATAPI)

Interfaces
- Controller issues commands over the ribbon cable.
- A single bit determines whether the master or the slave executes the command.
- Controller writes to command register.
- Disk responds by writing to status register.

Interfaces: Hard Drive Passwords
- Established in ATA-3.
- Set through BIOS or through software.
- If implemented:
  - User password
  - Master password (for organization)
  - High-security: both passwords unlock disk.
  - Maximum-security: master password only unlocks after disk drive has been wiped.

Interfaces: Hard Drive Passwords
- Locked disk is usually visible to the OS.
- Need SECURITY_UNLOCK with the correct password before most ATA commands are executed.
- There are tools (hdunlock, atapwd) to unlock a drive.
  - Used mainly to circumvent IP protection in game consoles (X-box)

Host Protected Area: HPA
- Appeared first in ATA-4
- Used so that computer vendors could store data that a user cannot damage by formatting.
- HPA can be used to hide data.

Host Protected Area: HPA
- Investigative Process
  - READ_NATIVE_MAX_ADDRESS returns number of physical sectors.
  - IDENTIFY_DEVICE returns number of sectors that a user can access.
  - Difference shows existence and extent of HPA.
- Creating HPA
  - SET_MAX_ADDRESS limits user access to last sectors.
  - Rerunning it with maximum physical address unlocks HPA.
  - Volatility bit determines whether HPA exists after the disk is shut down and restarted. This can be used to temporarily unlock an HPA.

DCO
- Device Configuration Overlay
- ATA-6
- Limits the apparent maximum number of physical sectors.
- Use the DEVICE_CONFIGURATION_SET / RESET ATA commands.

Interface: PATA vs. SATA
- SATA has speed advantage and also smaller cable.
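
The HPA investigative process and the password state from the slides above, as an added Python example (not part of the original slides): it decodes the relevant words of a raw 512-byte IDENTIFY DEVICE response and compares the user-visible size with a READ_NATIVE_MAX_ADDRESS result. The function names, the sample block and the sector counts are constructed for illustration; the example assumes the native max value is the highest addressable LBA, so the sector count is that value plus one.

```python
import struct

SECTOR_BYTES = 512  # client data per sector, as stated on the page

def parse_identify(block: bytes) -> dict:
    """Decode the IDENTIFY DEVICE words relevant to HPA, DCO and passwords."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data is 256 little-endian 16-bit words")
    w = struct.unpack("<256H", block)
    lba48 = bool(w[83] & (1 << 10))            # word 83 bit 10: 48-bit addressing
    if lba48:                                  # words 100-103: 48-bit sector count
        user = w[100] | w[101] << 16 | w[102] << 32 | w[103] << 48
    else:                                      # words 60-61: 28-bit sector count
        user = w[60] | w[61] << 16
    return {
        "user_sectors": user,
        "hpa_supported": bool(w[82] & (1 << 10)),   # word 82 bit 10
        "dco_supported": bool(w[83] & (1 << 11)),   # word 83 bit 11
        "security_enabled": bool(w[128] & (1 << 1)),
        "security_locked": bool(w[128] & (1 << 2)),
        "security_level": "maximum" if w[128] & (1 << 8) else "high",
    }

def hpa_extent(user_sectors: int, native_max_address: int) -> dict:
    """Compare the IDENTIFY DEVICE size with the READ NATIVE MAX ADDRESS result."""
    native_sectors = native_max_address + 1    # assumption: command returns last LBA
    if user_sectors > native_sectors:
        raise ValueError("user-visible size exceeds native size: inconsistent input")
    hidden = native_sectors - user_sectors
    return {
        "hpa_present": hidden > 0,
        "first_hidden_lba": user_sectors if hidden else None,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_BYTES,
    }

def sample_identify(user_sectors: int = 78_125_000) -> bytes:
    """Constructed IDENTIFY DEVICE block (not captured from a real drive)."""
    w = [0] * 256
    w[82] = 1 << 10                              # HPA feature set supported
    w[83] = (1 << 14) | (1 << 11) | (1 << 10)    # valid word, DCO, 48-bit
    w[60], w[61] = user_sectors & 0xFFFF, (user_sectors >> 16) & 0xFFFF
    w[100], w[101] = w[60], w[61]
    w[128] = 0b1_0000_0111                       # supported, enabled, locked, maximum
    return struct.pack("<256H", *w)
```

Because a DCO limits the apparent maximum number of physical sectors, a zero difference here does not rule out sectors hidden behind a DCO.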