Disk_Structure

Disk Structures, Partitions,
and the Boot Process
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
Class Outline
• Storage and Mobile Technologies
• Disk Structure
• Disk Capacity
• Formatting
• Partitioning
• Boot Process
• Controlled Boot Environment
• Lab – Data Analysis Using EnCase & FTK
Learning Objectives
At the end of this module you will be able to:
• Understand the challenges of forensics
• Describe the basics of disk structures
• Explain how information is stored on a drive
• Determine the storage capacity of a drive using LBA or CHS
Storage Technologies
• Floppy
• ZIP / JAZZ
• Tape
• Hard disk
• CD / DVD (optical)
• USB pen drive
More Mobile Technologies
Floppy Disks
• Yes, these still exist!
• Originally single sided
• Then became double sided
• Sizes: 5.25" and 3.5"
Side View of Floppy in Disk Drive
Figure: a single-sided disk (side 0) inside the disk drive; the disk is a film of Mylar with a magnetic coating. Original floppies were single-sided.
FD Densities & Capacity
Disk Size   Density   Sectors/Track   Capacity
5.25"       Low       9               360K
5.25"       High      15              1200K
3.5"        Low       9               720K
3.5"        High      18              1,440K
Disk Structure
• Hard disk drives are organized as a concentric stack of disks or ‘platters’
• Each platter has 2 surfaces
• A platter is made from aluminum, ceramic, or glass, coated with a magnetic material such as iron oxide.
Exploded View of a Hard Drive
HD Internals
HD Elements
• 16 heads
• 8 Platters
Laptop HD
HD Geometry
• Platters: The shiny rigid disks. Multiple platters increase storage without an equivalent increase in cost.
• Heads: The read/write heads of a hard drive. The disk assembly must be sealed and micro-filtered.
• Tracks: Lanes centered around the platters.
• Sectors / Clusters: Each track is divided into sectors. Several sectors form a cluster.
• Cylinders: A grouping of the same tracks vertically through the stack of platters.
Cylinders
Figure: the head stack assembly carries heads 0 to 5; the same track on every surface forms one cylinder; a single sector and a single track are marked.
HD Head Clearance
Side View of Cylinders on Disk Drive
Figure: a double-sided disk with cylinders 0 to 79, sides (heads) 0 and 1, and the spindle motor; the matching tracks on both sides comprise cylinder 0.
Disk Structure Cont’d
• The data is stored on concentric circles on the surfaces known as tracks
• Corresponding tracks on all platter surfaces make up a cylinder
• On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder
• The cylinder can be written to without movement of the head assembly
• Numbering starts with 0 at the outermost cylinder
Sector
Figure: sectors 1 and 2 on track 0.
• A sector is a continuous linear stream of magnetized bits occupying a curved section of a track.
• Sectors are the smallest physical storage units on a disk. Each sector stores 512 bytes of data.
• Numbering of physical sectors within a track starts with 1.
Cluster (Blocks)
• 1 or more contiguous sectors
• The smallest unit of storage that an OS can allocate to data
• The number of bytes in a cluster varies according to the size of the drive and the version of the OS
– 65,536 sector limit in DOS FAT16 (2^16)
– Using clusters allows for grouping multiple sectors
– The total number of sectors per cluster is always a power of 2
CHS
• What is it?
• Each storage unit on a disk can be identified by a 3-coordinate system identifying the
– Cylinder (C)
– Head/Side (H)
– Sector (S)
• A more modern method is to just refer to the sector number (used in LBA mode, discussed later)
Disk Structure Cont’d
• One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes:
• E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB
Disk Structure Cont’d
• Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk.
• The BIOS reads the disk’s cylinders, heads, and sectors through this interface and, depending on the size of the disk and the BIOS settings, uses the CHS geometry and sector size to determine the size of the disk and how it should be accessed.
Hard Drive Standards
• EIDE, SCSI, SATA
• IDE (Integrated Drive Electronics) supports only two devices
• EIDE can support four through two channels
• SCSI (Small Computer Systems Interface) supports up to 7 devices. Each of them is identified by a unique ID
• SATA (Serial Advanced Technology Attachment). Each drive is a master drive.
Hard Disk Addressing
• Older BIOSes used in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes).
• Newer BIOSes can access 64 bits of addressing, which equals 9.4 tera-gigabytes, or over a trillion times as large as an 8.4 GB drive.
LBA – Logical Block Addressing
• By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity
• As such, the BIOS must know to use the LBA capacity to calculate the actual size of the drive. This is given as the total number of accessible sectors
• E.g. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
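Worked example, added here and not part of the lecture slides: the CHS and LBA capacity arithmetic from the slides above in Python, including the decision a BIOS has to make when a drive reports the capped 16383/16/63 geometry, plus the CHS-to-LBA conversion that places the MBR at C-0, H-0, S-1 (LBA 0). The geometries and sector counts are the slides' own figures; the function names (`drive_capacity`, `chs_to_lba`, `gigabytes`) are this example's, not any tool's.

```python
SECTOR_BYTES = 512
# Geometry every large IDE drive reports by industry agreement (slide above)
CAPPED_GEOMETRY = (16383, 16, 63)

def chs_capacity(cylinders, heads, sectors_per_track, sector_bytes=SECTOR_BYTES):
    """Capacity the slide's way: C * H * S * 512."""
    return cylinders * heads * sectors_per_track * sector_bytes

def lba_capacity(total_sectors, sector_bytes=SECTOR_BYTES):
    """Capacity from the LBA value: total accessible sectors * 512."""
    return total_sectors * sector_bytes

def drive_capacity(geometry, lba_sectors):
    """Decide as the BIOS must: trust the CHS product only when the drive did not
    return the capped geometry and LBA does not report more sectors than CHS.
    Returns (bytes, source) so the caller can see which figure was used."""
    c, h, s = geometry
    chs_sectors = c * h * s
    if geometry == CAPPED_GEOMETRY or lba_sectors > chs_sectors:
        return lba_capacity(lba_sectors), "LBA"
    return chs_capacity(c, h, s), "CHS"

def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """Physical sectors are numbered from 1 within a track, LBA sectors from 0."""
    if not 1 <= sector <= sectors_per_track or not 0 <= head < heads:
        raise ValueError("CHS address outside the drive geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)

def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba for the same geometry."""
    cylinder, rest = divmod(lba, heads * sectors_per_track)
    head, sector0 = divmod(rest, sectors_per_track)
    return cylinder, head, sector0 + 1

def gigabytes(n_bytes, binary=False):
    """Round to one decimal place in decimal GB (10**9) or binary GiB (2**30)."""
    return round(n_bytes / (2**30 if binary else 10**9), 1)

if __name__ == "__main__":
    print(gigabytes(chs_capacity(12495, 16, 63), binary=True))   # 6.0, the slide's "approx. 6GB"
    print(gigabytes(lba_capacity(156301488)))                     # 80.0
    print(drive_capacity(CAPPED_GEOMETRY, 156301488))             # (80026361856, 'LBA')
    print(chs_to_lba(0, 0, 1, 16, 63))                            # 0: the MBR is LBA 0
```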
Summary
• Data on a HD are stored on tracks
• Corresponding tracks on all surfaces make up a cylinder
• Data is stored in sectors and usually read in blocks or clusters
• A storage unit can be identified by CHS
• LBA is used for drives in excess of 7.8 GB
Nested Data Structures on HD
Hard Drive
  Partition
    File System
      File
        Record
          Field
Partitioning and Formatting
Learning Objectives
At the end of this module you will be able to:
• Explain the function of the FDISK program
• Define terms such as primary partition, extended partition, active partition, and logical drive
• Describe how logical partitions can be hidden
• Articulate the necessity of understanding the suspect’s partitioning scheme
Initializing a Hard Drive
This represents all the available surface area on a hard drive that can be used for storage
Initializing a Hard Drive
The first thing to do is magnetically create a system of unique storage areas
Low-level (Factory) Format
Step 1: Use a low-level format program to create a magnetic structure of sectors
Figure: one 512-byte sector.
Low-level formatting is usually done at the factory.
Results of Low-level Format
The sectors are organized by tracks
Figure: all the sectors on one track.
Initializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1
Figure: the MBR (Master Boot Record containing the Master Partition Table) occupies the first sector of track 0; the remainder of that track is “Reserved”.
Master Partition Table
• Maximum of 4 entries
• Valid entries contain essential information about the partition
– Partition type/code
– Active (yes or no)
– Partition start and end information
• Unused entries are blank
Master Partition Table
• Types of entries
– Primary Partition(s) - up to 4 allowed
• Contains a logical drive
• One may be marked as “Active” *
– Extended Partition (only 1 allowed)
• Contains one or more logical drives
• Each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition
* Total number of entries may not exceed four!
Partition Type Codes
• File systems are assigned characteristic type codes that are listed in partition table entries
• DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported
• DOS/Windows systems will not assign a drive letter to partition types not supported
Partition Table Entry
Common DOS partition type codes:
0x00  Unused
0x01  FAT12
0x04  FAT16 (up to 32 MB)
0x05  Extended
0x06  BigFAT16 (up to 2 GB)
0x0B  FAT32
0x0C  FAT32x (LBA)
0x0E  FAT16x (LBA)
0x0F  Extendedx (LBA)
Initializing a Hard Drive with FDisk
In this case, FDISK created one active primary partition
Figure: the MBR followed by the reserved remainder of track 0.
Single Primary Partition
Hard drive with one active primary partition (single logical drive)
Figure: one logical drive covering the platter from the hub outward.
Single Primary Partition
Master Partition Table - DiskEdit View
“Yes” indicates “Active”
One Primary with Extended Partition
Figure: the MBR and its partition table, the primary partition, then the extended partition; the remainder of each first track is reserved.
Partition Tables
Each partition table points to the next
Figure: the MBR partition table points to the partition table of the first logical drive, which in turn points to the next; the remainder of each such track is reserved.
One Primary & One Extended
Master Partition Table – DiskEdit View
Figure: the primary partition entry.
One Primary & One Extended
Master Partition Table – DiskEdit View
Figure: the extended partition entry.
The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
Partitioning
• Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned?
Partitioning
Reasons to examine the partition tables:
• To make sure all space on the drive is
accounted for.
• To look for multiple operating systems.
• To look for hidden partitions.
Hidden Partitions
View of a hidden partition using the PART utility
DOS/Windows partitions can be “hidden” by
changing the partition-type code
Hidden Partitions
This partition disappears!
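Worked example, added here and not part of the lecture slides: a parser for the master partition table described above, together with the two checks the slides ask an examiner to make, namely whether every partition type code is one DOS/Windows would mount (a re-typed, “hidden” partition fails this) and whether all space on the drive is accounted for. The 2 GiB sample MBR is constructed inline; the 0x16 code is the conventional hidden-FAT16 value and is not in the slides' table, and the helper names are this example's own.

```python
import struct

# Type codes DOS/Windows mount with a drive letter (the table in these slides)
DOS_TYPE_CODES = {0x01: "FAT12", 0x04: "FAT16", 0x05: "Extended", 0x06: "BigFAT16",
                  0x0B: "FAT32", 0x0C: "FAT32x (LBA)", 0x0E: "FAT16x (LBA)",
                  0x0F: "Extendedx (LBA)"}
TABLE_OFFSET, ENTRY_LEN, SIGNATURE = 446, 16, b"\x55\xAA"

def decode_chs(raw):
    """3-byte CHS field: head; sector (6 bits) + 2 high cylinder bits; 8 low cylinder bits."""
    head, sec_cyl_hi, cyl_lo = raw
    return ((sec_cyl_hi & 0xC0) << 2) | cyl_lo, head, sec_cyl_hi & 0x3F

def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs, used to build the constructed sample below."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])

def parse_mbr(sector0):
    """Return the non-blank entries of the master partition table in sector 0."""
    if len(sector0) != 512 or sector0[510:] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    entries = []
    for slot in range(4):
        fields = struct.unpack_from("<B3sB3sII", sector0, TABLE_OFFSET + slot * ENTRY_LEN)
        status, chs_s, ptype, chs_e, lba, count = fields
        if ptype == 0x00:                 # unused entry, left blank by FDISK
            continue
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "name": DOS_TYPE_CODES.get(ptype), "start": lba, "count": count,
                        "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e)})
    return entries

def hidden_partitions(entries):
    """Entries whose type code DOS/Windows does not recognise: no drive letter."""
    return [e for e in entries if e["name"] is None]

def unaccounted_sectors(entries, total_sectors):
    """Sector ranges no entry covers; the reserved rest of track 0 is expected."""
    gaps, pos = [], 0
    for start, end in sorted((e["start"], e["start"] + e["count"]) for e in entries):
        if start > pos:
            gaps.append((pos, start))
        pos = max(pos, end)
    if pos < total_sectors:
        gaps.append((pos, total_sectors))
    return gaps

def build_sample_mbr():
    """Constructed 4,194,304-sector disk: active BigFAT16, an extended partition, and
    a third entry re-typed to 0x16 (conventional 'hidden FAT16'). CHS fields are made up."""
    mbr = bytearray(512)
    layout = [(0x80, 0x06, 63, 1048513), (0x00, 0x05, 1048576, 2097152),
              (0x00, 0x16, 3145728, 1048576)]
    for slot, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", mbr, TABLE_OFFSET + slot * ENTRY_LEN, status,
                         encode_chs(0, 1, 1), ptype, encode_chs(1023, 15, 63), start, count)
    mbr[510:] = SIGNATURE
    return bytes(mbr)
```

Logical drives inside the extended partition each have their own table at the location the extended entry points to; walking that chain needs a full disk image and is not shown here.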
Summary
• Fdisk is a tool used to initialize a HD
• The MBR resides at CHS 0,0,1
• Master Partition Table has a maximum of 4 entries
• Primary Partition (4 allowed, 1 active)
• Extended Partition (1 allowed)
• Changing a partition type code can hide it
• Understanding the partitioning is very important
The Boot Process
Learning Objectives
At the end of this module you will be able to:
• Describe the boot process of DOS, Unix & Windows systems
• Explain why interrupting the boot process is a forensic necessity
• Compare and contrast the bootstrapping process for various operating systems.
The Boot Process
• Every hard disk must have a consistent ‘starting point’
• The place where this information is stored is called the master boot record (MBR) (also referred to as the master boot sector, or just boot sector)
• The MBR is always located at cylinder 0, head 0, and sector 1
The Boot Process cont’d
The master boot record contains the following structures:
– Master Partition Table – this small table contains the descriptions of the partitions that are contained on the hard disk. There is only room for the information describing 4 partitions, or primary partitions (discussed more later)
The Boot Process cont’d
– Master Boot Code – The MBR contains the small initial boot program that the BIOS loads and executes to start the boot process (Since the master boot code is the first program executed when you turn on your PC, this is a favorite place for virus writers to target.)
Review of HD Boot Sequence (DOS)
• POST
• MBR
• Partition Table
• DOS Boot Record
• OS
– IO.SYS
– MSDOS.SYS
– COMMAND.COM
POST
• The computer runs the Power On Self Test (POST)
• Which checks
– BIOS,
– CPU,
– RAM,
– Video,
– Keyboard,
– drives, etc.
Review of HD Boot Sequence
1 Master Boot Record (CHS = 0,0,1)
2 Boot Record
3 IO.SYS
4 MSDOS.SYS
5 CONFIG.SYS
6 COMMAND.COM
7 AUTOEXEC.BAT
To control the boot process, you must intercept it with a controlled-boot floppy.
External DOS Commands
• Not loaded with COMMAND.COM
• Usually installed in the WINDOWS\COMMAND subdirectory
– Our copies must be on the control boot floppy
– Are either “EXE” or “COM” files
Examples: FDISK, CHKDSK, UNDELETE, FORMAT, ATTRIB, XCOPY, DELTREE, UNFORMAT
Encountering Compressed Drives
DOS 6.22, Win95, Win98
– IO.SYS can automatically mount Compressed Volume Files
• If a compressed drive is mounted, it will make changes to the hard drive
• This can happen even if booting from a floppy
– IO.SYS must be hacked to eliminate these calls to the hard drive
Writing to the hard drive, when the system is in our custody and control, means that we have altered the evidence!
Windows 2000/NT Bootstrapping
6 Stages
• POST
• Choose OS
• Kernel Load
• Kernel Initialization
• Services Load
• Logon
Unix Boot Process
• The memory-resident code
– Runs self-test
– Probes bus for the boot device
– Reads the boot program from the boot device
• Boot program reads in the kernel and passes control to it.
• Kernel identifies and configures the devices.
• Initializes the system and starts the system processes.
• Brings up the system in single-user mode (if necessary).
• Runs the appropriate startup scripts.
• Brings up the system for multi-user operation.
Kernel
• Unix systems implement a two-stage loading process.
• In the first stage, a small boot program is read into memory from a default or specified device.
• Once the kernel is loaded, it remains in memory while the system runs and is usually run in a fixed amount of memory.
• The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices.
Unix Bootstrapping
• System Processes
– The kernel identifies the root, swap, and dump devices and then starts programs to schedule processes, manage physical memory and virtual memory, and the init process.
• Sched
– The real-time scheduler.
• Swapper
– It manages the physical memory by moving processes from physical memory to swap space when more physical memory is needed.
• Page Daemon
– Various memory handlers run as process 2.
Unix Bootstrapping
• init
– The last step in bootstrapping the kernel starts the /etc/init process.
• Single User Mode
– The single-user shell is always the Bourne shell (sh) and it runs as 'root'.
– It enables the system manager to perform various administrative functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.
– At this stage only the root partition is usually mounted.
• The file system consistency check may be performed by the command fsck, usually found in the /etc directory.
Unix Bootstrapping
• Startup
– Shell scripts - init spawns a copy of sh to interpret them.
– The startup scripts are defined and organized differently on different systems.
– On BSD systems the startup scripts may be found in the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single, /etc/rc.local and so on.
– This set of processes is defined in the /etc/inittab file. Each line in the inittab file describes an action to take.
Summary
• Every disk has a consistent starting point (MBR or boot sector, CHS 0,0,1)
• A control boot disk (floppy/CD) allows us to control the bootstrapping process
• DOS makes a good boot environment since we understand what is happening!
Controlled Boot Environment
Learning Objectives
At the end of this module you will be able to:
• Explain the importance of using a controlled boot environment.
• Describe the minimum files necessary to create a bootable DOS disk.
• Describe events that may complicate the forensic boot process.
Controlled Boot Floppy
A controlled boot floppy enables you to
• Control the environment of the operation
• Bypass possible destructive processes set by the suspect to destroy evidence
• Maintain evidence integrity by preventing any possible changes to the suspect’s hard disk
A Basic Controlled DOS Boot Floppy
Minimum Requirements
• Will boot the computer without allowing any writes to the Hard Disk
• Will automatically install hard disk write protection
• Will ensure drive letters are assigned to all FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file
Media
Variety of disks in every possible format
• 5¼” Low density, high density floppies
• 3½” Low density, high density floppies
• Bootable CD-ROMs
Media
New, clean media for each case
– Pre-used media should be wiped
Error free and formatted
– /U Format option
• Standard Format AND overwrites data area with F6h
– /S Format option
• Standard Format AND copies system files to disk after format
Files (DOS)
Required system files
– IO.SYS
• Altered if necessary to prevent writes to disk
– MSDOS.SYS
– COMMAND.COM
– AUTOEXEC.BAT
• Edited to automatically load the hard drive write blocker
– CONFIG.SYS
• Edited to include LASTDRIVE=Z to ensure drive letter assignments
Boot Considerations
• BIOS Setting
– Need to ensure that the system boots from the proper device
• CDROM, Floppy
– Interrupt keys (vary by manufacturer)
• F12, Del, F1
• BIOS Passwords
– How do we overcome these?
– What are some forensic issues with defeating these?
• Power-on Passwords???
Disk Write Blockers
Learning Objectives
At the end of this module you will be able to:
• Explain the importance of write blockers
• Describe how write blockers work
• Compare and contrast hardware and software write blocker functionality
• Explain why hardware write blockers are a better choice.
Disk Write Blockers
• Prevent data being written to the suspect drive
• Ensure the integrity of the suspect drive
Software Write Blockers v. Hardware
Normal HD Access
• Using the interrupt 0x13 interface for hard drive access, an application program issues an interrupt 0x13 command.
• The interrupt transfers control to the interrupt 0x13 routine in the BIOS. The BIOS routine issues commands, ATA or SCSI as appropriate, directly to the hard drive controller.
• The device does the requested operation and returns the result to the BIOS and then to the application program.
Software Write Block
Use of a SWB tool changes the normal operation of the interrupt 0x13 interface.
– The SWB tool is executed. The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.
– The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.
Software Write Block
• The SWB tool determines if the requested command should be blocked or if the command should be allowed.
• If a command is blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines. Depending on SWB tool configuration, either success or error is returned for the command status.
• If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues the required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.
• Results are returned to the application program.
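Worked example, added here and not taken from the slides or from any real SWB tool: a Python model of the interrupt 0x13 interception chain just described. A stand-in BIOS routine drives a byte-array “disk”; the blocker saves the original entry address, is installed in place of it in a dictionary that plays the interrupt vector table, drops modifying commands before they reach the BIOS with a configurable success-or-error status, and passes reads through. The function numbers (0x02 read, 0x03 write, 0x05 format track, 0x42/0x43 extended read/write) are the standard AH values for INT 13h; the slides name only the interrupt, and the class and function names are this example's own.

```python
# BIOS interrupt 0x13 function numbers (AH register). These are the standard values;
# the slides name only the interrupt itself.
READ_SECTORS, WRITE_SECTORS, FORMAT_TRACK = 0x02, 0x03, 0x05
EXT_READ, EXT_WRITE = 0x42, 0x43
MODIFYING_FUNCTIONS = {WRITE_SECTORS, FORMAT_TRACK, EXT_WRITE}
SECTOR = 512

class Bios:
    """Stand-in for the BIOS int 0x13 routine together with the drive it controls."""
    def __init__(self, sectors):
        self.disk = bytearray(sectors * SECTOR)   # the suspect "hard drive"

    def int13(self, ah, lba, buf=None):
        """Original handler: (success, data); actually performs the operation."""
        off = lba * SECTOR
        if ah in (READ_SECTORS, EXT_READ):
            return True, bytes(self.disk[off:off + SECTOR])
        if ah in (WRITE_SECTORS, EXT_WRITE):
            self.disk[off:off + SECTOR] = buf
            return True, None
        if ah == FORMAT_TRACK:
            self.disk[off:off + SECTOR] = b"\xF6" * SECTOR
            return True, None
        return False, None

class SoftwareWriteBlocker:
    """Replacement int 0x13 routine as the slides describe: keep the saved entry
    address, intercept every call, and drop modifying commands before the BIOS."""
    def __init__(self, saved_vector, report_success=True):
        self.saved_vector = saved_vector
        self.report_success = report_success   # configured status for blocked commands
        self.blocked = []                      # audit log of blocked attempts

    def int13(self, ah, lba, buf=None):
        if ah in MODIFYING_FUNCTIONS:
            self.blocked.append((ah, lba))
            return self.report_success, None   # nothing is passed to the BIOS routine
        return self.saved_vector(ah, lba, buf) # allowed command: pass through

def install_swb(vectors, report_success=True):
    """Hook the interrupt vector table (a dict here) the way the SWB tool does."""
    swb = SoftwareWriteBlocker(vectors[0x13], report_success)
    vectors[0x13] = swb.int13
    return swb

def demo(report_success=True):
    """Application I/O through the hooked vector; returns what a verifier would check."""
    bios = Bios(sectors=8)
    vectors = {0x13: bios.int13}
    swb = install_swb(vectors, report_success)
    before = bytes(bios.disk)
    ok_write, _ = vectors[0x13](WRITE_SECTORS, 1, b"A" * SECTOR)
    ok_ext, _ = vectors[0x13](EXT_WRITE, 2, b"B" * SECTOR)
    ok_fmt, _ = vectors[0x13](FORMAT_TRACK, 0)
    ok_read, data = vectors[0x13](READ_SECTORS, 1)
    return {"disk_unchanged": bytes(bios.disk) == before, "write_status": ok_write,
            "ext_status": ok_ext, "format_status": ok_fmt, "read_ok": ok_read,
            "read_data": data, "blocked": len(swb.blocked)}
```

The model also shows why the summary below calls software blockers bypassable: any I/O that does not go through the hooked vector (a function number missing from MODIFYING_FUNCTIONS, or a driver talking to the controller directly) is never seen by the blocker.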
Hardware Write Block
• A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.
• Physically, the device is connected between the computer and a storage device.
• Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
Summary
• Write blockers prevent data being written to the suspect drive
• 2 basic classes:
– Hardware and Software
• Software write blockers can be bypassed (sometimes unknowingly)
• Hardware write blockers are now the industry standard.
• NIST has excellent specs/standards for write blockers.