
Disk Structures: File System Abstraction Model

1) Disk drives are made up of platters coated with magnetic material that store data. Data is organized on disks using cylinder-head-sector (CHS) addressing or logical block addressing (LBA). 2) Partitions on a disk divide it into logical volumes. Surplus sectors between partitions can be used to hide data. 3) The master boot record (MBR) located in the first sector controls the boot process and partition table. It loads the partition boot code which loads the operating system.

Uploaded by

test2012

Disk Structures
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

1 File System Abstraction Model

- File access and storage methods have a logical progression from low level to high level
  - Disk
  - Volumes and partitions
  - Others (covered later)
  - File system
  - Data unit
  - Metadata
  - File name
L3: Disk Structure


2 Disk

- A physical storage device
  - SCSI or SATA hard drive
  - Secure Digital card from a digital camera
- Analysis requires
  - extensive specialized training and knowledge
  - clean room
  - expensive electron microscopy equipment

3 Understanding Disk Drives

- Conventional disk drives are made up of one or more platters coated with magnetic material
- Disk drive geometry
  - Head
  - Tracks
  - Cylinders
  - Sectors


4 Disk Structure

[Figure: one side of a platter, with labels: a track, a sector, read/write head, a cylinder (collection of same tracks)]

5 CHS Addressing

- CHS: Cylinder – Head – Sector
- CHS addressing: method to refer to a sector of the disk
  - physical structure is usually much more complicated
  - special hardware on the drive (disk controllers) takes care of the mapping from CHS values to physical location
- Only possible addressing mode in old systems

6 Disk Size from CHS

C = No. of Cylinders = 1024
H = No. of Heads = 32
S = No. of sectors per cylinder = 63
Total sectors = C x H x S = 2064384
Size of a sector = 512 bytes
Size of Disk = 2064384 x 512 bytes = 1.056 GB

7 Logical Block Addressing (LBA)

- Alternative to using C, H and S values to refer to a sector
- Blocks (typically 512 byte sectors) are numbered from 0 to max LBA
  - C=0, H=0, S=1 is LBA 0
  - C=0, H=0, S=2 is LBA 1
  - C=0, H=2, S=1 is LBA 126 (based on previous slide)
- BIOS interrupt call (INT 0x13) function 0x08 returns drive parameters
  - total cylinders, total heads, total sectors per track, total sectors
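
The three CHS-to-LBA cases on slide 7 follow from one formula, which also has an inverse. The Python below is an added example, not part of the original slides; it goes beyond the listed cases, and the names Geometry, chs_to_lba and lba_to_chs are chosen here for illustration.

```python
# Added example (not from the slides): CHS <-> LBA for a given disk geometry.
from typing import NamedTuple, Tuple


class Geometry(NamedTuple):
    cylinders: int
    heads: int
    sectors_per_track: int

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track


def chs_to_lba(g: Geometry, c: int, h: int, s: int) -> int:
    """Map a CHS triple to its LBA. C and H count from 0, S counts from 1."""
    if not (0 <= c < g.cylinders and 0 <= h < g.heads
            and 1 <= s <= g.sectors_per_track):
        raise ValueError(f"CHS ({c},{h},{s}) is outside geometry {tuple(g)}")
    return (c * g.heads + h) * g.sectors_per_track + (s - 1)


def lba_to_chs(g: Geometry, lba: int) -> Tuple[int, int, int]:
    """Inverse mapping: recover (C, H, S) from an LBA."""
    if not 0 <= lba < g.total_sectors:
        raise ValueError(f"LBA {lba} is outside geometry {tuple(g)}")
    track, sector_index = divmod(lba, g.sectors_per_track)
    c, h = divmod(track, g.heads)
    return c, h, sector_index + 1


SLIDE_GEOMETRY = Geometry(1024, 32, 63)  # C, H, S values from slide 6
SECTOR_SIZE = 512

if __name__ == "__main__":
    g = SLIDE_GEOMETRY
    print("total sectors:", g.total_sectors)
    print("disk size in bytes:", g.total_sectors * SECTOR_SIZE)
    # The three cases from slide 7, plus the last addressable sector.
    for chs in [(0, 0, 1), (0, 0, 2), (0, 2, 1), (1023, 31, 63)]:
        lba = chs_to_lba(g, *chs)
        print(chs, "-> LBA", lba, "->", lba_to_chs(g, lba))
```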


8 Surplus Sectors

    deft ~ % fdisk -l

    Disk /dev/sda: 21.5 GB, 21474836480 bytes
    255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00084d1c

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *        2048    40394751    20196352   83  Linux
    /dev/sda2        40396798    41940991      772097    5  Extended
    /dev/sda5        40396800    41940991      772096   82  Linux swap / Solaris

Some older systems require aligning a partition boundary on a cylinder; that can leave some sectors lying around (good for hiding data)

9 Volumes and Partitions

- A disk can be divided into collections of sectors, forming a logical drive
  - A partition is a logical drive
- Partition gap
  - Unused space between partitions
  - Possibility of a hidden partition



10 Master Boot Record

- The first sector of the disk contains special code called the Master Boot Record (MBR)
- MBR stores information about partitions on a disk and their locations, size, and other important items
- MBR code can also load elaborate GUI driven boot loaders
- In multi-partition systems, the first sector of a bootable partition is called a Volume Boot Record (VBR)
  - Typically holds code to load the OS

11 Single OS Boot Process

BIOS loads MBR into memory and executes
Executed code on MBR loads and executes the OS related boot code

[Figure: HDD layout, with labels: 512 bytes; MBR; OS dependent boot code; Other system files and data]


12 Multi Partition Boot Process

BIOS loads MBR into memory and executes
MBR code identifies active partition
MBR code loads VBR of active partition and transfers control
Execution proceeds as in the case of single OS method

[Figure: disk layout, with labels: 512 bytes; MBR; Partition 1: VBR, OS dependent boot code, Other system files and data; Partition 2: Data files]

13 Multi OS Boot with GRUB

MBR code (GRUB) loads GRUB Stage 2 code
GRUB Stage 2 asks user to choose one VBR

[Figure: disk layout, with labels: 512 bytes; MBR; Partition 1: VBR, OS dependent boot code, Other system files and data; Partition 2: VBR, OS dependent boot code, Other system files and data; GRUB Stage 2]

14 Disk Partitions (contd.)

- Disk editor utility can alter information in partition table
  - To hide a partition
- Can examine a partition at the physical level with an editor:
  - Norton DiskEdit, WinHex, Hex Workshop
- Analyze the key hexadecimal codes the OS uses to identify and maintain partitions

15 Reading Hex Dumps

- Hex dumps are meaningless unless you know what you are reading
  - The structure of the stored data must be known before reading a hex dump
- Structures are usually specified using offsets
  - An offset specifies the location of a specific piece of data relative to
    - the beginning of the hex dump
    - or the beginning of another structure
  - The first byte in a hex dump is at offset zero


16 Hex Dump Example

- Say we have stored a character (1 byte), followed by an integer (4 bytes), followed by a date (4 bytes) in a file

    hex dump  4B  CD  34  AB  12  09  0F  DE  07
    offset    0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8

- Offset 0x0: character (1 byte)
  - 0x4B (the character K in ASCII)
- Offset 0x1: integer (4 bytes)
  - 0x12AB34CD (the bytes CD 34 AB 12 arranged in little-endian format)
- Offset 0x5: date (4 bytes)
  - but what date is stored? we need to know the structure!

17 Hex Dump Example

- The date bytes are 09 0F DE 07
  - If the date was stored as the number of seconds since Jan 1, 1970, then 0x07DE0F09 would be Mar 3, 1974
- Say the date was stored as MM DD YY YY
  - Offset 0x0 (in the date bytes): month MM
    - 0x09 (September)
  - Offset 0x1: day DD
    - 0x0F (15)
  - Offset 0x2: year YYYY
    - DE 07 (= 0x07DE = 2014)

18 A Typical MBR

- First 440 bytes: bootloader code
  - instructions to locate bootable partition, load first sector of that partition (VBR) and execute
- Offset 0x1B8
  - Disk identifier – 4 bytes
- Offset 0x1BE
  - Partition table – 16x4 = 64 bytes
- Offset 0x1FE
  - Boot record signature – 2 bytes
  - 0xAA55
- Total of 512 bytes

19 Partition Table

- Each 16 byte entry tells us about a partition
- Structure
  - Offset 0x0: 0x80 if bootable partition (has VBR), otherwise 0x00
  - Offset 0x1: CHS values of first sector
  - Offset 0x4: partition type code
    - http://en.wikipedia.org/wiki/Partition_type#List_of_partition_IDs
  - Offset 0x5: CHS values of last sector
  - Offset 0x8: LBA of first sector
  - Offset 0xC: number of sectors in partition
- Little-endian format: multi-byte values are stored in last byte to first byte order
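
An added example (not part of the original slides) that applies the offsets from slides 18 and 19: it parses a 512-byte MBR and reports the sector ranges that no primary partition covers, which is where the surplus sectors and hidden partitions of slides 8 and 9 would sit. The sample sector is constructed from the disk identifier and the two primary entries in the fdisk listing on slide 8, with the CHS fields zeroed; the function names are illustrative.

```python
# Added example (not from the slides): parse an MBR and list unallocated gaps.
import struct

SECTOR = 512

def build_sample_mbr() -> bytes:
    """Constructed sample: values copied from the fdisk listing, CHS fields zeroed."""
    mbr = bytearray(SECTOR)                      # bootloader area left as zeros
    struct.pack_into("<I", mbr, 0x1B8, 0x00084D1C)
    entries = [(0x80, 0x83, 2048, 40392704),     # /dev/sda1, bootable, Linux
               (0x00, 0x05, 40396798, 1544194)]  # /dev/sda2, Extended
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    struct.pack_into("<H", mbr, 0x1FE, 0xAA55)
    return bytes(mbr)

def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    (signature,) = struct.unpack_from("<H", sector, 0x1FE)
    if signature != 0xAA55:
        raise ValueError(f"bad boot record signature 0x{signature:04X}")
    (disk_id,) = struct.unpack_from("<I", sector, 0x1B8)
    parts = []
    for i in range(4):                           # four 16-byte entries
        boot, _chs_first, ptype, _chs_last, start, count = struct.unpack_from(
            "<B3sB3sII", sector, 0x1BE + 16 * i)
        if ptype != 0x00:                        # type 0x00 marks an unused slot
            parts.append({"slot": i, "bootable": boot == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return {"disk_id": disk_id, "partitions": parts}

def find_gaps(parts: list, total_sectors: int) -> list:
    """Return (first, last) LBA ranges not covered by any primary partition."""
    gaps, cursor = [], 1                         # LBA 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(f"disk identifier: 0x{info['disk_id']:08x}")
    for first, last in find_gaps(info["partitions"], 41943040):
        print(f"unallocated: LBA {first}-{last} ({last - first + 1} sectors)")
```

/dev/sda5 does not appear in the result because logical partitions are described inside the extended partition rather than in the MBR's four entries.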
20 References

- http://thestarman.pcministry.com/asm/mbr/PartTables.htm
  - Has much more than what is covered here
