Files & Partitions

BACS 371Computer Forensics

Data Hierarchy

ComputerHard Disk DrivePartitionFile

Physical FileLogical File

ClusterSectorWordByteBit

File

Collection of Information written to a disk

Generally created in an application-specific format

Occupies a fixed number of clusters Each file’s cluster has a pointer to the

next cluster in the file The final cluster contains the End of File

(EOF) marker

Files

Logical File Size Exact size of contents of file in bytes

Physical File Size Amount of space a file occupies on disc in

bytes File Slack

Unused space between logical end of file and physical end of a cluster

Two types: RAM slack and Disk Slack

<- Logical File Size -> <- File Slack ->

Physical File Size

File Slack

What does File Slack Contain? Who knows??!! Old data that was deleted but not

overwritten yet May contain remnants of older files, or

other evidence including Passwords Old directory structures Miscellaneous information

File Slack Example

Hello World!

Has 12 Characters in the file

But occupies 4096 bytes on the disk!

File Slack Example

File Slack Example

File Contents:“Hello world!”12 bytes

2nd Sector

3rd Sector

RAM Slack:512 bytes – 12 bytes = 500 bytes

Disk Slack:4096 Bytes – 512 Bytes = 3584 Bytes

Assumptions:• Sector Size = 512 Bytes• Cluster Size = 4KB = 8 Sectors

File Slack Example

RAM Slack The file has only 12 characters, but must write

a minimum 512-byte block to the disk – the other 500 characters are whatever happen to be in RAM at the time

Disk Slack The file system must always write in multiples

of clusters (4096 bytes in this case.) The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.

RAM Slack

Unused space at the end of a sector Contains information adjacent to the

stored information from Main Memory (RAM)

Partitions

Partition Layout

http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

Partition Table• 4 Entries• First Entry Starts at

offset 0x01BE

Master Boot Record (MBR)

MBR “Signature”• 0x55AA

Executable Code• Machine Language Code• Processor Specific• Decodes Partition Table• 446 bytes long

Partition Table

A partition is a logical drive or volume Describes every logical volume on disk Master Partition Table

Contains descriptions of partitions on disk Room to describe 4 primary partitions One partition is marked as active and is used

for booting Partition Gap

Unused space between partitions

Partition Boot Sector

0x00-0x02 Jump Instruction (3 bytes) 0x03-0x0A OEM ID (8 Bytes) 0x0B-0x53 BIOS Parameter Block (BPB)

(includes all below plus additional fields) 0x0B Bytes Per Sector 2 Bytes 0x0D Sectors Per Cluster 1 Byte 0x15 Media Descriptor 1 Byte 0x18 Sectors Per Track 2 Bytes 0x1A Number of Heads 2 Bytes 0x1C Hidden Sectors 4 Bytes 0x20 Total Sectors 4 Bytes

0x3E-0x1FF Bootstrap Code (448 Bytes) Ends with 55 AA

NOTE: Offsets are from start of Partition, not start of Drive!

BIOS Parameter Block

Executable Code• Machine Language Code• Processor Specific• Decodes BPB • Searches for OS

PBR “Signature”• 0x55AA

Partition Boot Record (PBR)

Partition Boot SectorAKA File System Boot Sector

The first physical sector in a logical volume C 0, H 1, S 1 for first partition

Contains Code File System Specification Information

Partition Boot Sector Decoded

Extended Partition Layout

http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

Computer Boot Process

Power-on Signal CPU Reset ROM BIOS/bootstrap POST (Power On Self Test)

Memory test Support circuitry

Major Peripherals (ROM) Boot

Drive A: CDROM Hard Drive

Master Boot Record (Volume) Boot Record

Computer Boot Details1. Power Switch Activated2. Power Supply performs self-test (PowerGood signal to Motherboard)3. Microprocessor executes BIOS code starting at 0xFFFF0000 – tests

hardware4. Power On Self Test (POST) executed – checks CPU, ROM, RAM, support

circuitry, peripherals5. BIOS searches for MBR at C 0, H 0, S1 on default boot drive6. MBR loaded into memory and tested/executed7. MBR code locates first bootable partition8. Partition Boot Record is loaded into memory and tested/executed9. Operating System is loaded based upon command in PBR

NTLDR IOSYS

10. On NTFS volumes NTLDR loads the $MFT; The NT volume is mounted11. NTDETECT.COM detects computerID, bus adapter, video adapter, …12. NTLDR loads NTOSKRNL.EXE (kernel) and HAL.DLL (hardware abstraction

layer)13. The kernel initiates the OS