22 logical areas
CSC 414 Computer System Fundamentals
THINK BIG WE DO
URI http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics
Logical Areas of a Disk
Formatting a Disk
Preparing a disk for use
- Low-Level Format
  - Places tracks and sectors on platters
- Partition Disk
  - Creates logical disks (volumes)
  - Hard Disk Only
- High-Level Format
  - Creates and initializes file system for each volume
    - Boot Record
    - File Allocation Table (FAT) and a copy
    - Root Directory
    - Data Area
Boot Record
Master Boot Record (MBR)
- Physical Location
  - Cylinder 0, Side 0, Sector 1 (0, 0, 1)
  - First sector, on the first track, on the first side
  - First sector read by BIOS/Firmware
- Contains disk information
  - Number of bytes per sector
  - Total number of sectors per disk
  - Number of sectors per track
  - Number of heads
  - Partition Table
  - If bootable, location of boot volume VBR

Volume Boot Record (VBR)
- Contains bootstrap startup code for system boot sequence
  - A very short program that reads the rest of the operating system
- Volume Information
  - Partition start, end and number of sectors
- Logical Location
  - Sector 0 on volume or partition
  - Often is Sector 63 on DOS disks
- Signature: 55AA hex
  - Located in the last two bytes of the sector

Boot Record
For a floppy diskette:
- There is only a master boot record (MBR)
- A valid MBR is required to access any diskette, either bootable or non-bootable
- Attempting to boot from a bootable diskette with a missing or corrupt MBR gives a NON BOOT DISK or DISK ERROR message
- An invalid MBR on a data diskette results in a GENERAL FAILURE
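
The signature and partition-table checks described above, as an added example that is not part of the original slides. The byte offsets (partition table at 446, four 16-byte entries, signature at 510) are the standard MBR layout rather than something the slides state, and the sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512  # assumed sector size for this example

def parse_mbr(sector: bytes) -> list:
    """Validate a boot sector and return its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    # The signature lives in the last two bytes of the sector: 55 AA.
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55AA signature: invalid or corrupt boot record")
    partitions = []
    for index in range(4):  # four 16-byte entries start at byte offset 446
        entry = sector[446 + 16 * index:462 + 16 * index]
        boot_flag, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00 or count == 0:  # unused slot
            continue
        partitions.append({
            "slot": index,
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "start_sector": start,            # where the volume's VBR sits
            "end_sector": start + count - 1,
            "num_sectors": count,
        })
    return partitions

def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable partition whose VBR is at sector 63."""
    sector = bytearray(SECTOR_SIZE)
    # Fields: boot flag, CHS start, type, CHS end, start sector, sector count
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                                  b"\xfe\x3f\x0f", 63, 256_977)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part)
```
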
File Allocation Table
File Allocation Table (FAT)
- System for storage of files and subdirectories in Data Area
- Maintains the clusters used by every file on the disk
- If a file uses more than one cluster:
  - FAT points to the next cluster
  - "A chain of clusters"
  - FAT marks the last cluster in a chain <EOF> Hex: FFF
- Which clusters are available for use
- Which clusters have bad sectors <BAD> Hex: FF7

Example: Cluster Size 4 KB (8 blocks); myFile.docx is 14 KB; clusters needed: 4 (16 KB)

System Directory: myFile.docx, File Start = 45

Cluster   Next
::        ::
44        0
45        46
46        49
47        48
48        <EOF>
49        50
50        <EOF>
::        ::

Unused extra space at end of cluster is called Slack

- Numbering for data clusters begins at 2
- Clusters 0 and 1 are for system data
  - Boot Record, FAT, and Root Directory
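
Following the chain for myFile.docx through the Cluster/Next table above, as an added example that is not part of the original slides. It assumes FAT12 packing (two 12-bit entries in three bytes), treats FF8 through FFF as end-of-chain as FAT12 does, and builds a constructed FAT holding only the entries the table lists.

```python
EOF_MIN, BAD, FREE = 0xFF8, 0xFF7, 0x000  # FAT12 markers; the slides show FFF and FF7

def fat12_get(fat: bytes, n: int) -> int:
    """Return the 12-bit entry for cluster n (two entries share three bytes)."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Store a 12-bit entry without disturbing the neighbour sharing its byte."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)

def cluster_chain(fat: bytes, start: int, max_cluster: int) -> list:
    """Follow a file's chain from its starting cluster to the end marker."""
    chain, seen = [], set()
    cluster = start
    while cluster < EOF_MIN:
        # A free, reserved, bad or out-of-range value means the chain is damaged.
        if cluster in (FREE, 1) or cluster == BAD or cluster > max_cluster:
            raise ValueError(f"chain broken at entry value {cluster:#05x}")
        if cluster in seen:
            raise ValueError(f"loop detected at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        cluster = fat12_get(fat, cluster)
    return chain

def build_sample_fat() -> bytes:
    """Constructed FAT (clusters 0..63) holding the entries from the table."""
    fat = bytearray(96)
    table = {44: FREE, 45: 46, 46: 49, 47: 48, 48: 0xFFF, 49: 50, 50: 0xFFF}
    for n, nxt in table.items():
        fat12_set(fat, n, nxt)
    return bytes(fat)

if __name__ == "__main__":
    print(cluster_chain(build_sample_fat(), 45, 63))
```

The loop and broken-chain checks matter on damaged or tampered media, where a chain that never reaches an end marker would otherwise hang the tool reading it.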
File Allocation Table
File Allocation Table (FAT)
- Number of entries (clusters) is limited by the number of bits used to represent cluster IDs (numbers)

                              FAT/FAT12            FAT16                  FAT32
Maximum Number of Clusters    4084                 65,526                 268,435,456
Cluster Sizes (sectors)       1 to 8               4 to 64                8 to 64
Cluster Sizes (KB)            0.5 KB to 4 KB       2 KB to 32 KB          4 KB to 32 KB
Maximum Volume Size           16,736,256 (16 MB)   2,147,123,200 (2 GB)   about 2^41

maxVolumeSize = maxClusterSize x maxNumberOfClusters

Cluster size is determined by the operating system and file system and depends on partition size.

Root Directory
Directory of items at root level of volume
- One entry for each
  - Root Directory File or
  - Root Subdirectory
- Total size of the root directory is fixed
  - Dependent on the media and format
  - Maximum number of entries it can contain is fixed
    - Floppy Disk (1.44 MB) - maximum of 224 entries
    - Most Hard Disks - 512 root directory entries

Root Directory
[Figure: directory tree of subdirectories and files]
A file with information about other files

Root Directory
Directory Entries
- 32 bytes of information
- File Name or Subdirectory Name
- Starting Cluster
  - the beginning of the chain of clusters
- Size in bytes
- Date and Time Groups (DTG)
- Attributes

Attributes
- read-only? hidden? system? executable? subdirectory?

DTGs
- Creation DTG
- Modification DTG
- Last Access DTG

Subdirectories
- Treated similar to files
- Can be created, modified and deleted
- Consumes entire cluster
- Special Subdirectory entries:
  - .  dot, referred to as "self"
  - .. dot-dot, called "parent"
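
Decoding one 32-byte directory entry into the fields listed above, as an added example that is not part of the original slides. The field offsets, attribute bits, packed date/time encoding and the E5 deleted-entry marker are the standard FAT short-entry layout rather than something the slides state, and the sample entry is constructed.

```python
import struct
from datetime import datetime

ATTRS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
         0x08: "volume-label", 0x10: "subdirectory", 0x20: "archive"}

def dos_datetime(date: int, time: int = 0):
    """Decode FAT's packed date and time words; None if unset or invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_dir_entry(raw: bytes) -> dict:
    """Parse one 32-byte short directory entry."""
    if len(raw) != 32:
        raise ValueError("a directory entry is exactly 32 bytes")
    (name, ext, attr, _res, _tenths, ctime, cdate, adate, _high,
     mtime, mdate, start, size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = name[0] == 0xE5  # deletion overwrites only the first name byte
    if deleted:
        name = b"?" + name[1:]
    base = name.decode("ascii", "replace").rstrip()
    suffix = ext.decode("ascii", "replace").rstrip()
    return {
        "name": base + ("." + suffix if suffix else ""),
        "deleted": deleted,
        "attributes": [label for bit, label in ATTRS.items() if attr & bit],
        "start_cluster": start,   # beginning of the chain of clusters
        "size": size,
        "created": dos_datetime(cdate, ctime),
        "modified": dos_datetime(mdate, mtime),
        "accessed": dos_datetime(adate),  # FAT keeps only a date here
    }

def build_sample_entry() -> bytes:
    """Constructed entry: a 14 KB file whose chain starts at cluster 45."""
    d = lambda y, m, day: ((y - 1980) << 9) | (m << 5) | day
    t = lambda h, m, s: (h << 11) | (m << 5) | (s // 2)
    return struct.pack("<8s3sBBBHHHHHHHI", b"MYFILE  ", b"DOC", 0x20, 0, 0,
                       t(9, 30, 0), d(2011, 5, 23), d(2011, 5, 25), 0,
                       t(14, 15, 10), d(2011, 5, 24), 45, 14 * 1024)
```

A deleted entry keeps its starting cluster, size and DTGs, which is why erased files can often still be located in the Data Area.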
Data Area
Remainder of the volume/partition
- where file and subdirectory data is stored
- can contain erased and/or hidden data
- all types of digital data
Logical Addressing of this area is by Logical Sector Number or Cluster
- First cluster referenced in FAT is 2
- Cluster numbers are consecutive until the end of the Data Area
/**
   apples.cpp
   Computes the cost per apple of a box of apples
   Input:  cost of box of apples
   Output: the input data
           the cost per apple if bought by the box
*/
#include <iostream>
using namespace std;

int main() {
    const int APPLES_PER_BOX = 24;
    double costPerBox = 0.0;
    cout << "How much does a box of apples cost? $";
    cin >> costPerBox;
    double costPerApple = costPerBox / APPLES_PER_BOX;
    cout << "\nApples per box: " << APPLES_PER_BOX << endl;
    cout << "Cost per box: $" << costPerBox << endl;
    cout << "Cost per apple: $" << costPerApple << endl;
    return 0;
} // end main
University of Rhode Island
CSC 414 Computer System Fundamentals
Summer 2011 Syllabus
Teaching Staff: Victor Fay-Wolfe, Timothy Henry, Sean Alvarez, Kevin Bryan
Course Meets: Online, May 23 - July 29
Course Web Page: https://homepage.cs.uri.edu/courses/online/woc/

Goals:
- Learn the principles and concepts underlying computer operating systems
- Learn to install, configure, and manipulate a modern computer operating system
- Learn the principles and concepts underlying computer networks
- Learn to install, configure, and manipulate modern computer networks
- Learn the basics of computer and network hardware
- Introduce digital forensics concepts and practices
- Introduce OS and network tools and concepts used in digital forensics

Course Materials:
Textbooks
- The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach, 4th Edition, by Irv Englander, 2009, John Wiley & Sons, Inc.; ISBN: 978-0471-71542-9
- (Optional) A+ Certification All-In-One Exam Guide, 7th Edition, by Mike Myers, 2010, McGraw Hill Publishing; ISBN: 978-0-07-170133-4 (only if student wants to pursue A+ certification)
Software
- WinHex Specialist (discounted academic pricing available)
- Other Forensics software (VMware, and others)

Slack
- Unused space at end of sector or cluster

File Slack (Disk Slack)
- Data found in unused blocks of cluster
- Previous directories and files, previous RAM slack, previously unused space, and space overwritten with a disk cleaning utility.

RAM Slack
- Data found in unused bytes of a block
- Prior to Windows 95, RAM Slack was obtained from active RAM and could contain useful data
- Starting with Windows 95 RAM slack is filled with hex 00

Data Area
Cluster Size: 4 KB (8 blocks); myFile.docx: 14 KB; clusters needed: 4 (16 KB)
Operating system must allocate 2 KB more than needed for file
[Figure: the clusters and sectors/blocks of myFile.docx, with File Slack and RAM Slack marked]
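
Splitting a file's final cluster into RAM slack and file slack, as an added example that is not part of the original slides. It assumes 512-byte sectors and the 4 KB cluster from the example above; the cluster contents, including the stale text left in file slack, are constructed.

```python
import re

def split_slack(last_cluster: bytes, file_size: int,
                cluster_size: int = 4096, sector_size: int = 512) -> dict:
    """Locate RAM slack and file slack inside the last cluster of a file."""
    if file_size <= 0 or len(last_cluster) != cluster_size:
        raise ValueError("need a non-empty file and one whole cluster")
    # Bytes of real file data in the final cluster.
    used = file_size % cluster_size or cluster_size
    # RAM slack runs from end of data to the end of that sector (block).
    ram_end = -(-used // sector_size) * sector_size
    ram_slack = last_cluster[used:ram_end]
    # File slack is every remaining whole sector in the cluster.
    file_slack = last_cluster[ram_end:]
    return {
        "ram_slack_len": len(ram_slack),
        "ram_slack_zeroed": not any(ram_slack),  # hex 00 fill since Windows 95
        "file_slack_len": len(file_slack),
        # Printable runs of 4+ characters left behind by earlier contents.
        "remnants": [m.decode("ascii")
                     for m in re.findall(rb"[\x20-\x7e]{4,}", file_slack)],
    }

def build_sample_cluster(used: int) -> bytes:
    """Constructed final cluster: data, zeroed RAM slack, then stale bytes."""
    ram_end = -(-used // 512) * 512
    stale = b"old-budget.xls: Q3 totals".ljust(4096 - ram_end, b"\x00")
    return b"D" * used + b"\x00" * (ram_end - used) + stale[:4096 - ram_end]

if __name__ == "__main__":
    # The slide's case: a 14 KB file ends exactly on a sector boundary.
    print(split_slack(build_sample_cluster(2048), 14 * 1024))
    # A 14,000-byte file leaves 336 bytes of RAM slack in its last sector.
    print(split_slack(build_sample_cluster(1712), 14_000))
```
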