
Unit 03

qq

Uploaded by

Faraja January
Copyright
© © All Rights Reserved

Understanding Storage Media and File System


ISM09204

Dr. Nicodemus M. M.

Digital Storage Media

• Digital storage media refers to the physical devices or mediums used for storing digital data electronically.

• These storage devices are essential for retaining digital information in various forms, such as text, images, audio, video, and software files.

Digital Storage Media
Types

• Magnetic Storage Media: uses magnetic fields to store and retrieve data. Examples: Hard Disk Drives (HDD) and Magnetic Tape.

• Solid-State Storage Media: uses semiconductor memory (such as flash memory) to store and retrieve data electronically. Examples: Solid-State Drives (SSDs), USB Flash Drives, and Memory Cards.

• Optical Storage Media: uses laser technology to read and write data optically. Examples: Compact Discs (CDs), Digital Versatile Discs (DVDs), and Blu-ray Discs.

Digital Storage Media
Types

• Cloud Storage: refers to online storage services that store data on remote servers accessible via the internet. Examples include Dropbox, Google Drive, Microsoft OneDrive, and Amazon S3.

• Network-Attached Storage (NAS): dedicated file storage devices connected to a network, providing centralized storage accessible to multiple users and devices. Used for data sharing, file backup, and media streaming within homes and businesses.

Magnetic Disks - HDD

• Traditional “spinning disks”

• Spinning platter with a thin magnetic coating

• Head moves over the platter to write 1’s and 0’s

• Same head is used to read from the disk

• Sometimes harder to find/access data that’s not sequential (seeking/fragmentation)

Magnetic Disks - HDD
Internal Structure - Low Level Formatting

• Basic elements dividing the HDD are:
  • Tracks
  • Sectors
  • Cylinders

• Tracks are numbered from 0

• Each track is organized into sectors numbered starting from 1, separated by gaps

• Each sector starts with an area reserved for system information called a prefix and ends with an area called a suffix.

[Figure labels: Platters, Cylinder]

Magnetic Disks - HDD
Internal Structure - High Level Formatting

• It creates a file system on the disks that will allow an operating system to use the disk space to store and access files.

• Operating systems use different file systems, so the type of logical formatting will depend on the operating system you install.

• So, if you format your disk with a single file system, this naturally limits the number and type of operating systems that you can install.

• Or you can create partitions. Each of the partitions can effectively have its own file system, and you can therefore install different types of operating systems.

Magnetic Disks - HDD
Partitioning

• Partitioning is the process of writing the sectors that will make up the partition table

• Partition table contains information on the partition:
- size in sectors,
- position with respect to the primary partition,
- types of partitions present,
- operating systems installed, etc.

MBR is the most common format and is compatible with BIOS systems (< 4 PP, 1EP)

GPT is a newer type that works with UEFI systems. ( > 4 P)

GPT - GUID Partition Table, UEFI - Unified Extensible Firmware Interface, GUID - Globally Unique Identifiers

Magnetic Disks - HDD
Partition Gap

• The unused space between partitions is called the partition gap.

• It is possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.

• Someone who wants to hide data can create hidden partitions or voids: large unused gaps between partitions on a drive (e.g., between partitions or logical partitions)

Magnetic Disks - HDD
Key Terms

• Slack Space: The unused space at the end of a file in a file system that uses fixed-size clusters.

• Lost Cluster: A lost cluster is a series of clusters on the hard disk drive that are not associated with a particular file.

• Bad Sector: A bad sector is a sector on a computer's disk drive or flash memory that is either inaccessible or unwritable due to permanent damage, such as physical damage to the disk surface or failed flash memory transistors.

Magnetic Disks - HDD
Key Terms

Master Boot Record (MBR): Also known as the boot sector, it is the first sector of a hard drive (cylinder 0, head 0, sector 1). It contains the main partition table and the code, called the boot loader, which, when loaded into memory, will allow the system to boot up.

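Added example (not part of the original slides): a minimal parser for the MBR partition table described under Partitioning and Key Terms, which also reports the partition gaps an examiner would want to image and review. The sample sector, the disk size and the 2048-sector threshold are constructed assumptions; logical partitions inside an extended partition are not followed.

```python
import struct

SECTOR = 512
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")

def parse_mbr(sector: bytes):
    """Parse the four primary partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for slot in range(4):  # 16-byte entries at offsets 446, 462, 478, 494
        status, ptype, start, count = ENTRY.unpack_from(sector, 446 + 16 * slot)
        if ptype != 0x00 and count:  # type 0x00 marks an unused slot
            parts.append({"slot": slot, "bootable": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return sorted(parts, key=lambda p: p["start"])

def find_gaps(parts, disk_sectors, min_sectors=2048):
    """Return (start_lba, length) for unpartitioned runs of at least min_sectors.

    The 2048-sector default is an assumption chosen to ignore the usual 1 MiB
    alignment area in front of the first partition.
    """
    gaps, cursor = [], 1  # LBA 0 is the MBR itself
    for p in parts:
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def sample_mbr():
    """Constructed sector: NTFS (0x07) and Linux (0x83) partitions with a void between."""
    sector = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 227328, 102400)]
    for slot, fields in enumerate(entries):
        ENTRY.pack_into(sector, 446 + 16 * slot, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    parts = parse_mbr(sample_mbr())
    for lba, length in find_gaps(parts, disk_sectors=329728):
        print(f"unpartitioned run at LBA {lba}: {length} sectors ({length * SECTOR // 1024} KiB)")
```
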
Magnetic Disks - HDD
Explore

Follow the link below and read about the attack

https://cyberhoot.com/cybrary/advanced-persistent-threat/

Solid State Drives (SSD)

• No magnets

• Flash memory to store data

• Specifically uses NAND flash, which is persistent without power (unlike RAM)

• Can write at the page level, erase at the block level

• Performs garbage collection

Garbage Collection in SSD

• Garbage collection is an automated process that improves the performance of solid-state drives (SSDs) by optimizing space and efficiency.

• It does this by moving existing data to new locations within free memory space, and then erasing the block so that it's ready for use.

• This process helps SSDs maintain fast read/write speeds.

• This process and wear-leveling affect deleted data in SSDs.

VMware Volumes

• A VMware volume typically refers to a storage volume that is allocated or assigned to a virtual machine (VM) within a VMware environment.

• Virtual Disk (VMDK)
- Virtual disks are created to store the operating system, applications, and data for each virtual machine in VMware virtualization.
- A virtual disk is typically stored as a file with a .vmdk extension on a storage volume accessible to the VMware host.

• We use virtual disk acquisition to acquire data in VMware through VMware itself (Suspend the system > take a snapshot > analyze the .vmdk)

AWS EBS Volumes

• Amazon Elastic Block Store (EBS) volumes are block-level storage devices provided by Amazon Web Services (AWS) for use with Amazon Elastic Compute Cloud (EC2) instances.

• EBS volumes offer durable and scalable block storage that can be attached to EC2 instances, providing persistent storage for data and applications.

• AWS EBS volumes provide a reliable, scalable, and feature-rich storage solution for EC2 instances, offering flexibility and durability to meet a wide range of storage requirements in the AWS cloud environment.

File Systems

• File systems are methods or structures used by operating systems to organize and store data on storage devices such as hard disk drives, solid-state drives, USB drives, and memory cards.

• Logical formatting of a disk allows a file system to be created on the disk, which in turn will allow an operating system to use the disk space to store and use files.

• In reality, the choice of file system depends first of all on the operating system that you are using.

File Systems
Types

• FAT (File Allocation Table): A simple file system used for compatibility across various operating systems and devices.

• NTFS (New Technology File System): A robust file system with support for advanced features such as file permissions, encryption, and journaling, commonly used in Windows operating systems.

• exFAT (Extended File Allocation Table): An extension of FAT designed for large file sizes and compatibility with flash drives and external storage devices.

• HFS+ (Hierarchical File System Plus): A file system used in older versions of macOS, offering features like journaling and support for large file sizes.

File Systems
Types

• ext4 (Fourth Extended File System): A modern file system for Linux-based operating systems, known for improved performance, reliability, and support for larger file systems.

• APFS (Apple File System): The default file system for macOS and iOS devices, offering features like snapshots, cloning, and space sharing.

• ZFS (Zettabyte File System): A feature-rich file system with built-in data integrity, compression, and volume management, commonly used in FreeBSD and Solaris systems.

• NFS (Network File System): A distributed file system protocol used for sharing files over a network, commonly used in Unix-like operating systems.

What is a File?

• A file is a collection of data stored on a computer or other digital device.

• It can contain various types of information, such as text, images, audio, video, programs, or other forms of digital content.

• Files are typically organized and managed within a file system, which provides a structure for storing and accessing data on storage devices such as hard disk drives, solid-state drives, and memory cards.

File Deletion

• When data is deleted on a hard drive, only the references to it are removed, which leaves the original data in unallocated disk space.

• With forensic recovery tools, recovering data from magnetic media is fairly easy; you just copy the unallocated space.

• USB drives and other solid-state drive systems are different, in that data is continuously shifted at the physical level from memory cells to other cells that have had fewer reads and writes.

• The purpose of shifting data from one memory cell to another is to make sure all memory cells on the flash drive wear evenly. This process is controlled by the flash drive’s firmware.

Why is it Important to Understand all this?
Data Recovery

• Enables investigators to recover deleted, lost, or corrupted data during forensic examinations.
- This includes knowing that, when dealing with an SSD, making a full forensic copy as soon as possible is crucial in case you need to recover data from unallocated disk space.

• They can use this knowledge to navigate file systems, locate relevant data, and retrieve evidence that may have been intentionally or unintentionally deleted.

Why is it Important to Understand all this?
Evidence Identification

• By understanding how data is organized and stored on storage media, investigators can effectively locate and extract relevant files, directories, and metadata for forensic analysis.

Why is it Important to Understand all this?
File Metadata Analysis

• File systems store metadata such as creation dates, modification dates, file sizes, and access timestamps associated with files and directories.

• Digital forensic investigators can analyze this metadata to establish timelines, identify user activities, and corroborate evidence during investigations.

Why is it Important to Understand all this?
File Carving

• File carving is a forensic technique used to extract files and data fragments from unallocated space or damaged storage media.

• Investigators with knowledge of file systems can employ file carving techniques to reconstruct fragmented files and recover valuable evidence that may not be accessible through traditional means.

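Added example (not part of the original slides): a small header/footer carver showing how file carving locates candidate files in a raw dump of unallocated space without any file system metadata, and hashes each carved file for the evidence record. The buffer is constructed with placeholder payloads, and the function names and the 10 MiB size limit are assumptions.

```python
import hashlib

# (header, footer) byte signatures for two common formats
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(data: bytes, max_size: int = 10 * 1024 * 1024):
    """Header/footer carving over a raw buffer such as dumped unallocated space.

    Returns one dict per header found; size and sha256 are None when no footer
    follows within max_size (file overwritten, truncated, or fragmented).
    Limitation: the first footer wins, so a JPEG with an embedded thumbnail
    is cut short and needs format-aware parsing.
    """
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                hits.append({"type": kind, "offset": pos, "size": None, "sha256": None})
                pos = data.find(header, pos + 1)
                continue
            blob = data[pos:end + len(footer)]
            hits.append({"type": kind, "offset": pos, "size": len(blob),
                         "sha256": hashlib.sha256(blob).hexdigest()})
            pos = data.find(header, pos + len(blob))
    return sorted(hits, key=lambda h: h["offset"])

def sample_unallocated():
    """Constructed buffer standing in for unallocated space (placeholder payloads)."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"chunks" + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe1cut"  # header whose footer was overwritten
    return b"\x00" * 512 + jpg + b"\x11" * 100 + png + b"\x00" * 50 + cut

if __name__ == "__main__":
    for hit in carve(sample_unallocated()):
        state = f"{hit['size']} bytes" if hit["size"] else "no footer, partial"
        print(f"{hit['type']} at offset {hit['offset']}: {state}")
```
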
Why is it Important to Understand all this?
Data Integrity Verification

• Understanding storage volumes and file systems helps investigators verify the integrity and authenticity of recovered data.

• They can compare metadata, checksums, and file attributes to ensure that recovered evidence has not been tampered with or modified during the investigation process.

Why is it Important to Understand all this?
File System Forensics

• File system forensics involves analyzing file system artifacts, structures, and metadata to reconstruct events, track user activities, and uncover evidence of malicious activities.

• Investigators proficient in file systems can conduct in-depth examinations of file system metadata, journaling logs, and file allocation tables to uncover evidence of file manipulation, data tampering, or unauthorized access.

Why is it Important to Understand all this?
Data Preservation

• Digital forensic investigators must adhere to strict guidelines and procedures for preserving evidence during investigations.

• Knowledge of storage volumes and file systems allows investigators to properly handle, acquire, and preserve digital evidence without altering or compromising its integrity.
