Module VIII – Understanding Hard Disks and File Systems
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Murder, His Hard Drive Wrote
Source: http://www.wired.com/
Module Objective
This module will familiarize you with:
• Disk drive
• Understanding File Systems
• Disk Partitions
• Windows Boot Process (XP/2003)
• File Structures: FAT
• File Structure: NTFS
• NTFS Master File Table (MFT)
• FAT vs. NTFS
• File Structure: Ext2
• File Structure: HFS
• RAID Levels
• Hard Disk Evidence Collector Tools
Module Flow
[Figure: module flow diagram – Disk drive → Understanding File Systems → Disk Partitions → Windows Boot Process (XP/2003) → File Structures: FAT → File Structure: NTFS → NTFS Master File Table (MFT) → FAT vs. NTFS → File Structure: Ext2 → File Structure: HFS → RAID Levels → Hard Disk Evidence Collector Tools]
Hard Disks
Disk Drive Overview - I
There are two types of disk drives:
• Fixed storage drives
• External storage drives
A few of the removable storage drives:
• Floppy disks
• Compact Disks
• Digital Versatile Disk (DVD)
• ZIP Disks
• r/m Drives
• Memory Card
• Thumb drive
• Personal digital assistants (PDA)
• Pager
• Digital camera
• Mobile phone and smart phone
• Dongle
• Credit card skimmer
Disk Drive Overview - II
A hard disk drive is a good example of a permanent storage device
The data is recorded magnetically onto the hard disk
Main components of the hard disk:
• Cylinders
• Head
• Platter
The data is stored in sectors along the tracks
[Figure: head stack assembly – main spindle, platter 1 (sides 0-1), head 0 on side 0, arm for head 1, head 2, arm for the tracking/alignment head (head 3)]
Physical Structure of a Hard Disk
A hard disk is a sealed unit containing a number of platters in a stack
They may be mounted in a horizontal or a vertical position
Electromagnetic read/write heads are positioned above and below each platter
As the platters spin, the drive heads move in towards the center surface and out towards the edge
Physical Structure of a Hard Disk (cont’d)
The data is recorded on the hard disk using zoned bit recording
Zoned Bit Recording:
• It is the technique of grouping tracks into zones based on their distance from the center of the disk
Capacity of the hard disk depends on the following:
• Track density: defined as the number of tracks in a hard disk
• Areal density: defined as the number of bits per square inch on a platter
• Bit density: the number of bits per unit length of track
Physical Structure of Hard Disk (cont’d)
Logical Structure of Hard Disk
Hard disk logical structure has significant influence on the performance, consistency, expandability, and compatibility of the storage subsystem of the hard disk
The logical structure depends on the type of the operating system and file system used because these factors organize and control the data access on the hard disk
Types of Hard Disk Interfaces
• SCSI: Small Computer System Interface
• IDE/EIDE: Integrated Drive Electronics / Enhanced IDE
• USB: Universal Serial Bus
• ATA: Advanced Technology Attachment (Serial ATA and Parallel ATA)
• Fibre Channel: Fibre Channel electrical interface and Fibre Channel optical interface
[Figure: A SCSI chain – a SCSI host adapter with an internal chain and an external chain of hard disks; the last device in both the internal and the external chain must be terminated]
Types of Hard Disk Interfaces: SCSI
SCSI is a hardware interface that allows for the connection of up to 15 peripheral devices to a single PCI board called a "SCSI host adapter" that plugs into the motherboard
[Figure: internal IDE cables – 80-pin IDE (ATA) and 40-pin IDE (ATA)]
Types of Hard Disk Interfaces: IDE/EIDE
With IDE, the controller electronics are built into the drive itself
IDE drives are configured as master and slave
Enhanced IDE is an extension to the IDE interface that supports the ATA-2 and ATAPI standards
Types of Hard Disk Interfaces: USB
USB is a “plug-and-play” interface, which allows a device to be added without an adapter card and without rebooting the computer
[Figure: Parallel ATA (PATA) and Serial ATA (SATA) connectors]
Types of Hard Disk Interfaces: ATA
SATA is based on serial signaling technology
SATA transfers data in a half-duplex channel at 1.5 Gbps in one direction
PATA is based on parallel signaling technology
Parallel ATA standards only allow cable lengths up to 46 centimeters (18 inches)
SATA cables are more flexible, thinner, and less massive than the ribbon cables required for conventional PATA hard drives
Types of Hard Disk Interfaces: Fibre Channel
Fibre Channel [FC] is a point-to-point serial bi-directional interface operating at up to 1.0625 Gbps
The electrical interface uses ECL signaling levels via:
• An unbalanced 75 Ω line, or
• A balanced 150 Ω line
The optical interface uses:
• LL: long wave laser (1300 nm)
• SL: short wave laser (780 nm), or
• LE: LED (1300 nm)
Disk Platter
Disk platters in a hard disk are the media on which the data is stored
They are usually made from aluminum alloy, glass, or ceramic
The surface where the data resides is coated with a magnetic medium, an iron oxide substance or a cobalt alloy
Disk Platter (cont’d)
Data is written on both sides of a hard disk platter
Numbering is done on both the sides as side 0 and side 1
[Figure: a platter showing side 0 and side 1]
Tracks
A circular ring on one side of a platter is known as a track
The drive head can access one such ring at a time in a given position
Tracks are numbered for identification purposes
Data exists in thin concentric bands on a hard disk
A 3.5-inch hard disk consists of more than a thousand tracks
Tracks Numbering
Track numbering begins at 0 at the outer edge and increases towards the center, typically reaching 1023
A cylinder is formed by the tracks that line up across the platters
Sector
A sector is the smallest physical storage unit on the disk
It is normally 512 bytes in size
Sector labeling is determined by track-positioning data written at the factory
Data is stored on the disk in a contiguous series of sectors
For example, if a file's size is 600 bytes, two 512-byte sectors are allocated for the file
[Figure: a cluster of 4 sectors]
Sector (cont’d)
[Figure: platter, tracks, sector, and cylinder shown across a stack of platters]
Sector Addressing
Cylinders, heads, and sectors determine the address of each individual sector on the disk
For example, when a disk is formatted, 50 tracks may be divided into 10 sectors each
Track and sector numbers are used by the operating system and the disk drive to identify the stored information
Cluster
A cluster is the smallest allocation unit of a hard disk
The formatting scheme in use determines the number of sectors per cluster, in the range 2 to 32
The minimum size is one sector (1 sector/cluster)
An allocation unit can be made of two or more sectors (2 sectors/cluster)
Any read or write operation consumes the space of at least 1 cluster
A lot of slack space, that is, unused space, is wasted in the cluster beyond the end of the stored data
Cluster Size
Cluster size can be altered for optimum disk storage
A larger cluster size (greater than one sector):
• Minimizes the fragmentation problem
• Increases the probability of unused space in the cluster
• Reduces the disk storage area needed to save information
• Reduces unused area on the disk
Slack Space
Slack space is the free space left in a cluster after data has been written to that cluster
DOS and Windows use fixed-size clusters for their file systems
If the size of the stored data is less than the cluster size, the unused area remains reserved for the file, resulting in slack space
DOS and the FAT16 (file allocation table) file system in Windows use large clusters
For example, if the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of slack space
[Figure: a cluster whose file contents are "Hello World", followed by slack space]
Slack Space
Lost Clusters
Clusters that the operating system marks as used but does not allocate to any file are known as lost clusters
They can be reclaimed and reassigned, freeing the disk space
The ScanDisk utility can identify lost clusters in DOS and Windows operating systems
Bad Sector
A bad sector is a damaged portion of a disk on which no read/write operation can be performed
Formatting a disk enables the operating system to identify unusable sectors and mark them as bad
Special software is used to recover the data on a bad sector
[Figure: a platter with a bad sector marked]
Disk Capacity Calculation
A disk drive has 16,384 cylinders, 80 heads, and 63 sectors per track. Assume a sector has 512 bytes. What is the capacity of such a disk?
Answer:
• The conversion factors appropriate to this hard disk are:
  • 16,384 cylinders / disk
  • 80 heads / cylinder
  • 63 sectors / track
  • 512 bytes / sector
• Total bytes = 1 disk * (16,384 cylinders / disk) * (80 heads / cylinder) * (1 track / head) * (63 sectors / track) * (512 bytes / sector)
• = 42,278,584,320 bytes
Disk Capacity Calculation (cont’d)
1 Kilobyte (KB) = 2^10 bytes = 1,024 bytes
1 Megabyte (MB) = 2^20 bytes = 1,048,576 bytes = 1,024 KB
1 Gigabyte (GB) = 2^30 bytes = 1,073,741,824 bytes = 1,048,576 KB = 1,024 MB
1 Terabyte (TB) = 2^40 bytes = 1,099,511,627,776 bytes = 1,073,741,824 KB = 1,048,576 MB = 1,024 GB
Using these definitions, the result would be expressed in GB as:
42,278,584,320 bytes / (1,073,741,824 bytes / GB) = 39.375 GB
Measuring the Performance of the Hard Disk
Data is stored on the hard disk in the form of files
When a running program requests a file, the hard disk retrieves the bytes of the file and sends them to the CPU one at a time for further processing
Hard disk performance is measured by the following factors:
• Data rate: the number of bytes per second that the hard disk sends to the CPU
• Seek time: the amount of time required to send the first byte of the file to the CPU after it requests the file
Disk Partitions
Disk Partitions
Hard disk drive partitioning is the creation of logical divisions upon a hard disk that allows one to apply operating system-specific logical formatting
Primary:
• A primary partition contains one file system
• In MS-DOS and earlier versions of Microsoft Windows systems, the first partition (C:) must be a "primary partition"
• Other operating systems may not share this limitation
Extended:
• An extended partition is secondary to the primary partition(s)
• A hard disk may contain only one, which is sub-divided into logical drives, each of which is assigned additional drive letters
Master Boot Record
A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk
In practice, MBR almost always refers to the 512-byte boot sector, or partition sector, of a disk
The information regarding the files on the disk, their location, size, and other important data is stored in the Master Boot Record file
Backing up the MBR
In UNIX/Linux, dd can be used to back up and restore the MBR (replace /dev/xxx with the disk device)
To back up:
dd if=/dev/xxx of=mbr.backup bs=512 count=1
To restore:
dd if=mbr.backup of=/dev/xxx bs=512 count=1
Master Boot Record (cont’d)
Boot Process
Windows XP System Files
Essential system files used by Windows XP:
File name      Description
Ntoskrnl.exe   The executable and kernel of Windows XP
Ntkrnlpa.exe   Physical address support program (for > 4 GB)
Hal.dll        Used by the OS kernel to communicate with the computer's hardware
Win32k.sys     Kernel-mode part of the Win32 subsystem
Ntdll.dll      Supports internal functions and dispatches the stubs to executive functions
Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll   Win32 subsystem DLL files
Windows Boot Process (XP/2003)
Step 1: Switch on the power supply
Step 2: The microprocessor timer chip receives the Power Good signal
Step 3: The CPU starts executing the ROM BIOS code
Step 4: The ROM BIOS performs a basic test of the central hardware to verify the basic functionality
Step 5: The BIOS searches for adapters that may need to load their own ROM BIOS routines
Step 6: The ROM BIOS checks to see if this is a 'cold-start' or a 'warm-start'
Windows Boot Process (XP/2003) (cont’d)
Step 7: If this is a cold-start, the ROM BIOS executes a full POST (Power On Self Test). If this is a warm-start, the memory test portion of the POST is switched off
Step 8: The BIOS locates and reads the configuration information stored in CMOS
Step 9: If the first bootable disk is a fixed disk, the BIOS examines the first sector of the disk for a Master Boot Record (MBR). For a floppy, the BIOS looks for a Boot Record in the first sector
Step 10: With a valid MBR loaded into memory, the BIOS transfers control of the boot process to the partition loader code that takes up most of the 512 bytes of the MBR
Step 11: The partition loader (or Boot Loader) examines the partition table for a partition marked as active. It then searches the first sector of that partition for a Boot Record
Windows Boot Process (XP/2003) (cont’d)
Step 12: The active partition's boot record is checked for a valid boot signature and, if one is found, the boot sector code is executed as a program
Step 13: During the initial phase, NTLDR switches the processor from real mode to protected mode, which places the processor in 32-bit memory mode and turns memory paging on. It then loads the appropriate mini-file system drivers to allow NTLDR to load files from a partition formatted with any of the file systems supported by XP
Step 14: If the file BOOT.INI is located in the root directory, NTLDR will read its contents into memory. If BOOT.INI contains entries for more than one operating system, NTLDR will stop the boot sequence at this point, display a menu of choices, and wait for a specified period of time for the user to make a selection
Windows Boot Process (XP/2003) (cont’d)
Step 15: Assuming that the operating system being loaded is Windows NT, 2000, or XP, pressing F8 at this stage of the boot sequence displays various boot options, including "Safe Mode" and "Last Known Good Configuration"
Step 16: If the selected operating system is XP, NTLDR will continue the boot process by locating and loading the DOS-based NTDETECT.COM program to perform hardware detection
Step 17: If this computer has more than one defined Hardware Profile, the NTLDR program will stop at this point and display the Hardware Profiles/Configuration Recovery menu
Step 18: After selecting a hardware configuration (if necessary), NTLDR begins loading the XP kernel (NTOSKRNL.EXE)
Windows Boot Process (XP/2003) (cont’d)
Step 19: NTLDR now loads the device drivers that are marked as boot devices. With the loading of these drivers, NTLDR relinquishes control of the computer
Step 20: NTOSKRNL goes through two phases in its boot process, phase 0 and phase 1. Phase 0 initializes just enough of the microkernel and executive subsystems so that the basic services required for the completion of initialization become available. At this point, the system displays a graphical screen with a status bar indicating the load status
Step 21: The initialization of the I/O Manager begins the process of loading all the system driver files. Picking up where NTLDR left off, it first finishes the loading of boot devices. Next, it assembles a prioritized list of drivers and attempts to load each in turn
Windows Boot Process (XP/2003) (cont’d)
Step 22: The last task for phase 1 initialization of the kernel is to launch the Session Manager Subsystem (SMSS). SMSS is responsible for creating the user-mode environment that provides the visible interface to NT
Step 23: SMSS loads the win32k.sys device driver, which implements the Win32 graphics subsystem
Step 24: The XP boot process is not considered complete until a user has successfully logged onto the system. The process is begun by the WINLOGON.EXE file, which is loaded as a service by the kernel, and continued by the Local Security Authority (LSASS.EXE), which displays the logon dialog box
http://www.bootdisk.com
File Systems
Understanding File Systems
A file system is the way in which files are named and placed logically for storage and retrieval
It specifies conventions for naming files; these conventions include the maximum number of characters in a name, which characters can be used, and, in some systems, how long the file name suffix can be
It also includes a format for specifying the path to a file through the structure of directories
Major file systems include FAT, NTFS, HFS, etc.
Types of File Systems
Disk file systems:
• Designed for the storage of files on a data storage device, most commonly a disk drive
Network file systems:
• This file system acts as a client for a remote file access protocol, providing access to files on a server
Database file systems:
• Files are identified by their characteristics, such as type of file, topic, author, or similar metadata
Special purpose file systems:
• Files are arranged dynamically by software, intended for such purposes as communication between computer processes or temporary file space
List of Disk File Systems
ADFS – Acorn filing system, successor to DFS
BFS – The Be File System used on BeOS
EFS – Encrypted filesystem, An extension of NTFS
EFS (IRIX) – An older block filing system under IRIX
Ext – Extended filesystem, designed for Linux systems
Ext2 – Extended filesystem 2, designed for Linux systems
Ext3 – Extended filesystem 3, designed for Linux systems, (ext2+journalling)
FAT – Used on DOS and Microsoft Windows, 12 and 16 bit table depths
List of Disk File Systems (cont’d)
FAT32 – FAT with 32 bit table depth
FFS (Amiga) – Fast File System, used on Amiga systems. Used for floppies, but fairly useless on hard drives
FFS – Fast File System, used on *BSD systems
Files-11 – OpenVMS file system
HFS – Hierarchical File System, used on older Mac OS systems
HFS Plus – Updated version of HFS used on newer Mac OS systems
HFSX – Updated version of HFS Plus to remove some backward compatibility limitations
HPFS – High Performance Filesystem, used on OS/2
List of Disk File Systems (cont’d)
ISO 9660 – used on CD-ROM and DVD-ROM discs (Rock Ridge and Joliet are extensions to this)
JFS – IBM Journaling Filesystem, provided in Linux, OS/2, and AIX
Kfs – Ken's File System
LFS – Log-structured filesystem
MFS – Macintosh File System, used on early Mac OS systems
Minix file system – Used on Minix systems
NTFS – Used on Windows NT based systems
OFS – Old File System on Amiga
List of Disk File Systems (cont’d)
PFS, PFS2, PFS3, etc. – Technically interesting filesystem available for the Amiga, performs well under a lot of circumstances
ReiserFS – Filesystem which uses journaling
Reiser4 – Filesystem which uses journaling, newest version of ReiserFS
SFS – Smart File System, available for the Amiga
Sprite – The original log-structured file system
UDF – Packet-based filesystem for WORM/RW media such as CD-RW and DVD
List of Disk File Systems (cont’d)
UFS – Unix Filesystem, used on older BSD systems
UFS2 – Unix Filesystem, used on newer BSD systems
UMSDOS – FAT filesystem extended to store permissions and metadata, used for Linux
VxFS – Veritas file system, first commercial journaling file system; HP-UX, Solaris, Linux, AIX
XFS – Used on SGI IRIX and Linux systems
ZFS – Used on Solaris 10
List of Network File Systems
AFS (Andrew File System)
AppleShare
CIFS (Microsoft's documented version of SMB)
Coda
GFS (Global File System)
InterMezzo
Lustre
NFS
OpenAFS
SMB (sometimes also called Samba file system)
List of Special Purpose File Systems
acme (Plan 9) (text windows)
archfs (archive)
cdfs (reading and writing of CDs)
cfs (caching)
Davfs2 (WebDAV)
DEVFS
ftpfs (ftp access)
lnfs (long names)
LUFS (replaces ftpfs; ftp and ssh access)
nntpfs (netnews)
plumber (Plan 9) (interprocess communication – pipes)
PROCFS
ROMFS
TMPFS
wikifs (wiki wiki)
Popular Linux File Systems
EXT (Extended File System)
• First filesystem for the Linux operating system, created to overcome certain limitations of the Minix file system
• It was replaced by the second extended file system
EXT2 (Second Extended File System)
• Standard filesystem with improved algorithms, used on the Linux operating system for a number of years
• Not a journaling file system
EXT3 (Third Extended File System)
• Journalled file system used in the GNU/Linux operating system
• It can be mounted and used as an Ext2 filesystem
• It uses the same filesystem maintenance utilities (like fsck) as Ext2 for maintaining and repairing the filesystem
Sun Solaris 10 File System: ZFS
ZFS is a filesystem first used in Sun Microsystems Solaris 10
• Uses 128-bit addressing to perform read/write operations, referred to as a "giga-terabyte" (a zettabyte)
• Any modification to this file system will never increase its storage capacity
Main Features:
• Facilitates immediate backup as the file is written
• Introduced Logical Volume Management (LVM) features into the filesystem
• File systems are portable between little-endian and big-endian systems
• Provides data integrity to detect and correct errors
• The HA Storage+ feature provides cluster/failover compatibility in case of any interruption (only one server is empowered to perform write operations on the disk)
• Creates many copies of a single snapshot with minimum overhead
• Supports the full range of NFSv4/Windows NT-style ACLs
Mac OS X File System
HFS (Hierarchical File System)
• Developed by Apple Computer to support the Mac operating system
UFS (UNIX File System)
• Derived from the Berkeley Fast File System (FFS), which was originally developed at Bell Laboratories from the first version of UNIX FS
• All BSD UNIX derivatives, including FreeBSD, NetBSD, OpenBSD, NeXTStep, and Solaris, use a variant of UFS
• Acts as a substitute for HFS in Mac OS X
Windows File systems
FAT (File Allocation Table)
• 16-bit file system developed for MS-DOS
• Used in all the consumer versions of Microsoft Windows
• Considered relatively uncomplicated and became a popular format for devices such as floppy disks, USB devices, digital cameras, and flash disks
FAT32
• 32-bit version of the FAT file system with storage capacity up to 2 GB
NTFS (New Technology File System)
• NTFS has three versions:
  • v1.2 (v4.0) found in NT 3.51 and NT 4
  • v3.0 (v5.0) found in Windows 2000, and
  • v3.1 (v5.1) found in Windows XP and Windows Server 2003
• Newer versions added extra features, like the quotas introduced by Windows 2000. In NTFS, everything, such as file name, creation date, access permissions, and even contents, is written down as metadata
CD-ROM / DVD File System
ISO 9660 (International Organization for Standardization) defines a file system for CD-ROM and DVD-ROM media
To allow data exchange, it is supported by various computer operating systems such as Microsoft Windows, Mac OS, and UNIX-based systems
Some extensions used with ISO 9660 to cope with its shortcomings:
• Longer ASCII-coded names and UNIX permissions are provided by Rock Ridge
• Unicode naming (such as non-Roman scripts) is supported by Joliet
• Bootable CDs are provided by El Torito
ISO 13490 is a combination of ISO 9660 with multisession support
Windows supports two types of file systems on CD-ROM and Digital Versatile Disk (DVD):
• Compact Disc File System (CDFS)
• Universal Disk Format (UDF)
Comparison of File Systems
FAT32
FAT
FAT (File Allocation Table) is a file system designed in 1976
It is the main file system for many operating systems such as DOS, Windows, OpenDOS, etc.
The file allocation table records all the files on the volume and resides at the beginning of the volume
Two copies of the file allocation table are kept to protect the volume from damage
Structure of a FAT volume:
Partition Boot Sector | FAT1 | FAT2 (duplicate) | Root Folder | Other folders and files
FAT Structure
File allocation table structure:
Contents of the file allocation table:
• Unused (0x0000)
• Cluster in use by a file
• Bad cluster (0xFFF7)
• Last cluster in a file (0xFFF8-0xFFFF)
FAT Structure (cont’d)
The FAT file system has a set of 32-byte folder entries for every folder
Folder entries in the FAT system are as follows:
• Name (eight-plus-three characters)
• Attribute byte (8 bits worth of information, described later in this section)
• Create time (24 bits)
• Create date (16 bits)
• Last access date (16 bits)
• Last modified time (16 bits)
• Last modified date (16 bits)
• Starting cluster number in the file allocation table (16 bits)
• File size (32 bits)
FAT Structure (cont’d)
Examining FAT
When a file is deleted, the operating system replaces the first character of the file's name with a lowercase Greek letter, and the space is made available for new files
These files can be recovered using forensic tools
A few tools which can be used for forensics:
• WINHEX
• UNDELETE
• FILE SCAVENGER
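As an added example (not code from the EC-Council slides), the following Python parses the 32-byte FAT folder entries listed above, flags entries whose first name byte was overwritten by the deletion marker (0xE5, which displays as the lowercase Greek letter sigma under code page 437), decodes the packed date and time words, and follows a FAT16 cluster chain using the table values from the FAT Structure slide (0x0000 unused, 0xFFF7 bad, 0xFFF8-0xFFFF last cluster). The clusters_needed helper gives the whole-cluster allocation behind the slack-space arithmetic of the Cluster slides. The directory bytes, the names REPORT.TXT and ?ECRET.DOC, and SAMPLE_FAT16 are constructed for this demonstration; the field order follows the standard 8.3 entry layout.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5     # first name byte of a deleted entry; shows as lowercase sigma in code page 437
END_OF_DIRECTORY = 0x00   # an entry whose first byte is zero ends the directory
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F     # VFAT long-name entries (not covered on the slide) are skipped
FAT16_FREE = 0x0000       # FAT16 cell values from "Contents of the file allocation table"
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8    # 0xFFF8-0xFFFF: last cluster in a file
# name, ext, attr, NT byte, create tenths, create time, create date, access date,
# cluster high word, modified time, modified date, cluster low word, size
DIR_ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"

def decode_date(v: int) -> tuple:
    """FAT date word: 7-bit year since 1980, 4-bit month, 5-bit day."""
    return 1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F

def decode_time(v: int, tenths: int = 0) -> tuple:
    """FAT time word: 5-bit hour, 6-bit minute, 5-bit two-second count (plus tenths byte)."""
    return v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2 + tenths // 100

def parse_dir_entry(raw: bytes) -> dict:
    """Decode one 32-byte 8.3 directory entry; deleted entries are flagged, not dropped."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    (name, ext, attr, _nt, ctenths, ctime, cdate, adate, hi,
     mtime, mdate, lo, size) = struct.unpack(DIR_ENTRY_FORMAT, raw)
    deleted = name[0] == DELETED_MARKER
    base = name.decode("latin-1").rstrip()
    if deleted:
        base = "?" + base[1:]   # the overwritten first character is not recoverable from the entry
    extension = ext.decode("latin-1").rstrip()
    return {
        "name": f"{base}.{extension}" if extension else base,
        "deleted": deleted,
        "directory": bool(attr & ATTR_DIRECTORY),
        "created": decode_date(cdate) + decode_time(ctime, ctenths),
        "accessed": decode_date(adate),
        "modified": decode_date(mdate) + decode_time(mtime),
        "start_cluster": (hi << 16) | lo,   # the high word is zero on FAT12/FAT16
        "size": size,
    }

def parse_directory(raw: bytes) -> list:
    """Walk a directory's raw bytes up to the end-of-directory marker."""
    entries = []
    for off in range(0, len(raw), ENTRY_SIZE):
        chunk = raw[off:off + ENTRY_SIZE]
        if chunk[0] == END_OF_DIRECTORY:
            break
        if chunk[11] != ATTR_LONG_NAME:
            entries.append(parse_dir_entry(chunk))
    return entries

def follow_chain(fat: list, start: int) -> list:
    """Follow a FAT16 cluster chain to its end-of-chain mark; refuse free, bad or looping cells."""
    chain, current = [], start
    while True:
        if current < 2 or current >= len(fat) or current in chain:
            raise ValueError(f"corrupt chain at cluster {current}")
        chain.append(current)
        nxt = fat[current]
        if nxt == FAT16_FREE:
            raise ValueError(f"cluster {current} is marked free: chain already released")
        if nxt == FAT16_BAD:
            raise ValueError(f"cluster {current} points at a bad cluster")
        if nxt >= FAT16_EOC_MIN:
            return chain
        current = nxt

def clusters_needed(size: int, cluster_bytes: int) -> int:
    """Whole clusters a file of this size occupies; the unused tail of the last one is slack."""
    return max(1, -(-size // cluster_bytes))

def build_sample_directory() -> bytes:
    """Constructed sample: one live file, one deleted file, then the end-of-directory entry."""
    def date(y, m, d):
        return ((y - 1980) << 9) | (m << 5) | d
    def time(h, mi, s):
        return (h << 11) | (mi << 5) | (s // 2)
    live = struct.pack(DIR_ENTRY_FORMAT, b"REPORT  ", b"TXT", 0x20, 0, 0,
                       time(10, 30, 44), date(2008, 3, 15), date(2008, 3, 16), 0,
                       time(9, 5, 2), date(2008, 3, 16), 2, 1000)
    gone = struct.pack(DIR_ENTRY_FORMAT, bytes([DELETED_MARKER]) + b"ECRET  ", b"DOC",
                       0x20, 0, 0, time(8, 0, 0), date(2008, 2, 1), date(2008, 2, 1), 0,
                       time(8, 0, 0), date(2008, 2, 1), 5, 600)
    return live + gone + bytes(ENTRY_SIZE)

# Constructed FAT16: REPORT.TXT occupies clusters 2 -> 3 -> 4; the deleted file's cluster 5
# has already been marked free, so only its directory entry still points at the data
SAMPLE_FAT16 = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, FAT16_FREE, FAT16_FREE, FAT16_BAD]

if __name__ == "__main__":
    for e in parse_directory(build_sample_directory()):
        print(f"{e['name']:12s} {'DELETED' if e['deleted'] else 'live':8s} "
              f"start={e['start_cluster']} size={e['size']}")
        if not e["deleted"]:
            print("  clusters:", follow_chain(SAMPLE_FAT16, e["start_cluster"]))
```

The deleted entry keeps its starting cluster and size, which is exactly what an undelete tool uses to locate the released clusters; follow_chain refuses it because the FAT cells are already free.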
FAT Structure (cont’d)
Boot Sector
The boot sector is the first sector (512 bytes) of a FAT file system
In Unix-like terminology it is called a superblock
FAT32
The FAT32 file system is derived from the FAT file system and supports drives up to 2 terabytes in size
It uses drive space efficiently because it uses small clusters
It can use the backup copy of the file allocation table instead of the default copy
Master boot record table of FAT32:
Offset   Description                         Size
000h     Executable Code (Boots Computer)    446 Bytes
1BEh     1st Partition Entry                 16 Bytes
1CEh     2nd Partition Entry                 16 Bytes
1DEh     3rd Partition Entry                 16 Bytes
1EEh     4th Partition Entry                 16 Bytes
1FEh     Boot Record Signature               2 Bytes
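Added example, not from the slides: a Python parser for the 512-byte MBR laid out in the table above (446 bytes of boot code, four 16-byte partition entries from offset 1BEh, the two-byte boot record signature at 1FEh). It also performs the two checks the boot process describes in Steps 11 and 12: selecting the single partition flagged active (status byte 0x80) and verifying the 55h AAh boot signature. The partition type names other than the NTFS identifier 0x07 given on the NTFS Partition Boot Sector slide, and the sample table produced by build_sample_mbr(), are assumptions and constructed values.

```python
import struct
from typing import Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # 446 bytes of executable boot code precede the table
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE
BOOT_SIGNATURE = b"\x55\xAA"     # the "valid boot signature" tested in Step 12
ACTIVE_FLAG = 0x80               # status byte of the partition the loader selects in Step 11

# Partition type codes: 0x07 is the NTFS identifier given on the slides; the others are
# well-known values added here only for readable output
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x06: "FAT16", 0x07: "NTFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux",
}

def decode_chs(raw: bytes) -> tuple:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                       # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]   # top 2 bits of byte 1, then byte 2
    return cylinder, head, sector

def parse_partition_entry(index: int, raw: bytes) -> dict:
    """Decode one 16-byte partition table entry."""
    status, chs_start, ptype, chs_end, lba_start, count = struct.unpack("<B3sB3sII", raw)
    return {
        "index": index,
        "active": status == ACTIVE_FLAG,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "sector_count": count,
        "size_bytes": count * SECTOR_SIZE,
    }

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR, e.g. the mbr.backup file written by the dd command above."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        partitions.append(parse_partition_entry(i, sector[start:start + PARTITION_ENTRY_SIZE]))
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "signature_valid": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
        "partitions": partitions,
    }

def active_partition(mbr: dict) -> Optional[dict]:
    """Step 11: return the single entry flagged active, or None if there is not exactly one."""
    active = [p for p in mbr["partitions"] if p["active"]]
    return active[0] if len(active) == 1 else None

def load_mbr(path: str) -> dict:
    """Read and parse the first 512 bytes of a device or of an MBR backup file."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))

def build_sample_mbr() -> bytes:
    """Constructed sample: an active NTFS partition followed by a FAT32 data partition."""
    ntfs = struct.pack("<B3sB3sII", ACTIVE_FLAG, bytes([1, 1, 0]), 0x07,
                       bytes([0xFE, 0xFF, 0xFF]), 63, 2_097_152)
    fat32 = struct.pack("<B3sB3sII", 0x00, bytes([0xFE, 0xFF, 0xFF]), 0x0C,
                        bytes([0xFE, 0xFF, 0xFF]), 2_097_215, 4_194_304)
    table = ntfs + fat32 + bytes(2 * PARTITION_ENTRY_SIZE)   # entries 3 and 4 unused
    return bytes(PARTITION_TABLE_OFFSET) + table + BOOT_SIGNATURE

if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print("boot signature valid:", mbr["signature_valid"])
    for p in mbr["partitions"]:
        flag = "*" if p["active"] else " "
        print(f"{flag} #{p['index']} {p['type_name']:16s} LBA {p['lba_start']:>10} "
              f"sectors {p['sector_count']:>10} CHS end {p['chs_end']}")
```

load_mbr("mbr.backup") reads the file produced by the dd backup command in the Master Boot Record section, so the same parser can be used to compare a saved MBR against the one currently on the disk.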
NTFS
NTFS
NTFS or New Technology File System is the standard file system of Windows NT and its descendants Windows 2000, Windows XP, Windows Server 2003, and Windows Vista
It replaced Microsoft's previous FAT file system, used in MS-DOS and early versions of Windows
It has several improvements over FAT such as improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk space utilization plus additional extensions such as security access control lists and file system journaling
NTFS (cont’d)
NTFS has five versions:
• v1.0, v1.1 and v1.2, found in Windows NT 3.1, 3.5, 3.51 and NT 4.0
• v3.0, found in Windows 2000
• v3.1, found in Windows XP, Windows Server 2003, and Windows Vista
• The last three are sometimes referred to as v4.0, v5.0, and v5.1, after the Windows versions they shipped with
NTFS stores file names and other metadata strings in Unicode (UTF-16LE)
NTFS Architecture
Layers from the disk up (the slide's diagram):
Hard disk → Master Boot Record → Boot sector → Ntldr, NTFS.sys, Ntoskrnl.exe (kernel mode) → Operating system → Application (user mode)
NTFS System Files
File Name    Description
$AttrDef     Definitions of every attribute type the volume can hold (system and user-defined)
$BadClus     Records all bad clusters on the volume
$Bitmap      Bitmap of cluster allocation for the entire volume
$Boot        The volume's boot sector and bootstrap code
$LogFile     Transaction log used for recovery
$MFT         The master file table, with a record for every file
$MFTMirr     Mirror of the first four MFT records, used to recover the MFT itself
$Quota       Disk quota for each user (stored under $Extend on NTFS 3.0 and later)
$UpCase      Table for converting lowercase characters to uppercase Unicode
$Volume      Volume name, NTFS version number, and dirty flag
NTFS Partition Boot Sector
When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code
Partition identifiers for an NTFS volume:
• MBR partition type: 0x07
• GPT partition type GUID: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data partition)
NTFS Master File Table (MFT)
Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT)
The first 16 records of the table are reserved for the metadata (system) files
The first record describes the master file table itself; the second record is the MFT mirror ($MFTMirr)
If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT
The locations of the data segments for both the MFT and the MFT mirror are recorded in the boot sector; a duplicate of the boot sector is kept at the end of the volume (NTFS 1.x placed it at the logical center of the volume)
The third record of the MFT is the log file ($LogFile), used for recovery. The seventeenth and following records hold each file and directory (a directory is also a file to NTFS) on the volume
NTFS Master File Table (MFT) Structure
The MFT can be thought of as a table of file records: each row is one file record and each column is an attribute of that file
It has information about every file on the NTFS volume, including itself
The first 16 records are reserved for the system (metadata) files
For a small file or folder the whole record fits inside the MFT and is laid out as: Standard Information | File or Directory Name | Data (file) or Index (directory) | Unused space
Cluster Sizes of NTFS Volume
A cluster is the smallest allocation unit on the disk that can hold file data
NTFS chooses a default cluster size according to the size of the volume (it can be overridden at format time)
Default cluster sizes for NTFS volumes:
Volume Size                  Sectors per Cluster   Default Cluster Size
512 MB or less               1                     512 bytes
513 MB - 1024 MB (1 GB)      2                     1024 bytes (1 KB)
1025 MB - 2048 MB (2 GB)     4                     2048 bytes (2 KB)
Greater than 2048 MB         8                     4 KB
NTFS Files and Data Storage
NTFS stores a file's data either inside its MFT record (small files) or in clusters outside the MFT, depending on the size of the file
When a file is stored, its MFT record holds a header followed by attributes:
• Header: contains the record's sequence number, the in-use and directory flags, and the offset of the first attribute
• Standard information attribute ($STANDARD_INFORMATION): the date and time the file was created, modified, and last accessed, plus DOS-style attribute flags
• File name attribute ($FILE_NAME): the name of the file and a reference to its parent directory
• Data attribute ($DATA): the contents of the file
• Security descriptor attribute ($SECURITY_DESCRIPTOR): the security information (ACLs) that governs access to the file
NTFS Attributes-I
Everything NTFS knows about a file is stored as attributes in its MFT record:
• Its name(s)
• Its security information
• The file system metadata (timestamps, flags, sizes) and the data itself
Every attribute is identified by an attribute type code (for example 0x10 $STANDARD_INFORMATION, 0x30 $FILE_NAME, 0x80 $DATA)
There are two categories of attributes:
• Resident attributes: the attribute's value is stored inside the MFT record itself
• Non-resident attributes: the value is too large for the record and is stored in one or more clusters outside the MFT; the record holds only the list of cluster runs (VCN to LCN mappings) that locate it
NTFS Data Stream-I
NTFS supports multiple data streams per file: each named stream is an additional $DATA attribute on the file, distinguished by its stream name
A handle can be opened to each data stream
A data stream, then, is one named set of file content; the unnamed stream is what ordinary tools show as the file
An example of writing to an alternate data stream (ADS) from the command prompt:
• C:\> echo text_message > myfile.txt:stream1
When you copy an NTFS file to a FAT volume, such as a floppy disk, alternate data streams and other attributes not supported by FAT are lost
NTFS Compressed Files
Compressed files on an NTFS volume can be opened, read, or modified by any Windows application without first decompressing them explicitly
The NTFS driver decompresses the data transparently when an application reads it and recompresses it on write
NTFS compression is only available on volumes with a cluster size of 4 KB or less
NTFS Encrypting File System (EFS)
Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes
Encryption is transparent to the user who encrypted the file: you do not have to decrypt the file manually before you can use it
You can open and change the file as you normally do
EFS File Structure
Header
• Data Decryption Field (DDF): the File Encryption Key (FEK) encrypted with the owner's public key
• Data Recovery Fields (DRF): the FEK encrypted with recovery agent 1's public key, with recovery agent 2's public key, and so on for each agent in the recovery policy
Encrypted data: the file contents, encrypted with the FEK
EFS Recovery Key Agent-I
A recovery policy is always associated with an EFS encryption policy
A recovery agent can decrypt a file when the certificate and private key used to encrypt it are lost
The recovery agent is used under the following conditions:
• When a user loses a private key
• When a user leaves the company
• When a law enforcement agency makes a lawful request
EFS Recovery Key Agent -II
The Windows administrator can recover encrypted files from the Windows GUI or from the command prompt
Command-line tools involved in recovery:
• CIPHER
• COPY
• EFSRECVR (Windows 2000 Resource Kit)
Recovery agent information for an encrypted file can be viewed with the efsinfo tool
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EFS Key
EFS Key is a tool that retrieves EFS-encrypted files from NTFS partitions
To retrieve the files, the user's logon password must be known or the SAM database must be available, because the user's EFS private key is protected with credentials derived from that password
The EFS Key user interface is similar to Windows Explorer: users browse the disk contents, then drag and drop files to a new location
Deleting NTFS Files
On deletion from Windows Explorer, the file is moved into the Recycle Bin (it is renamed, not actually removed)
If the file is deleted from the command prompt, or the Recycle Bin is emptied, the Recycle Bin is bypassed; the file can still be recovered with forensic tools until its MFT record and clusters are reused
When a file is deleted, NTFS performs the following steps:
• The file's clusters are marked free in $Bitmap, so they are available for new data
• The file's MFT record is marked not in use (the in-use flag in the record header is cleared) and its slot in the $MFT's own $BITMAP attribute is freed
• The file's entry is removed from the parent directory's index
• The record's attributes, including the run list of VCN to LCN cluster mappings, are left in place until the record is reused, which is what recovery tools rely on
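The following added Python (written for this page, not EC-Council's code) ties together the MFT record layout, the resident attributes, alternate data streams and the deletion flag described in the NTFS slides above. It parses a 1 KB FILE record: applies the update-sequence fix-ups, walks the attribute list, decodes the $STANDARD_INFORMATION timestamps and the $FILE_NAME, collects every $DATA attribute by stream name (a named one is an ADS), and reports whether the in-use flag is set. The record is constructed in the script; the deleted variant only clears the in-use flag, so the same parser recovers its contents unchanged.

```python
"""Walk an NTFS MFT FILE record: header, fix-ups, resident attributes, ADS, in-use flag."""
import struct
from datetime import datetime, timedelta

RECORD_SIZE, SECTOR = 1024, 512
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1)
RECORD_HEADER = "<4sHHQHHHHIIQHHI"   # 48-byte record header (Windows XP and later layout)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10 ** 7


def apply_fixups(raw, usa_offset, usa_count):
    """Restore the last 2 bytes of each sector, which NTFS overwrites with the update sequence number."""
    rec = bytearray(raw)
    usn = bytes(rec[usa_offset:usa_offset + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fix-up mismatch: torn write or not an MFT record")
        rec[end:end + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(raw):
    """Return header flags plus every attribute; resident $DATA values are collected per stream name."""
    (sig, usa_off, usa_cnt, _lsn, seq, links, first_attr, flags, _used, _alloc,
     _base, _next_id, _pad, rec_no) = struct.unpack_from(RECORD_HEADER, raw, 0)
    if sig != b"FILE":
        raise ValueError("not an MFT record (bad signature)")
    rec = apply_fixups(raw, usa_off, usa_cnt)
    info = {"record": rec_no, "sequence": seq, "links": links,
            "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
            "streams": {}, "attributes": []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        attr = {"type": atype, "name": name, "resident": not nonres}
        if nonres:
            attr["data_runs_offset"] = struct.unpack_from("<H", rec, off + 0x20)[0]  # run list, not data
        else:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            value = rec[off + voff:off + voff + vlen]
            attr["value"] = value
            if atype == STANDARD_INFORMATION:
                names = ("created", "modified", "mft_modified", "accessed")
                stamps = struct.unpack_from("<QQQQ", value, 0)
                info["times"] = dict(zip(names, map(filetime_to_datetime, stamps)))
            elif atype == FILE_NAME:
                nlen = value[64]
                info["file_name"] = value[66:66 + 2 * nlen].decode("utf-16-le")
            elif atype == DATA:
                info["streams"][name] = value   # "" is the main stream; any other name is an ADS
        info["attributes"].append(attr)
        off += alen
    return info


def _resident_attr(atype, value, name=""):
    """Build one resident attribute header + value (constructed test data)."""
    wname = name.encode("utf-16-le")
    val_off = (0x18 + len(wname) + 7) & ~7
    total = (val_off + len(value) + 7) & ~7
    body = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(value), val_off, 0, 0)
    body += wname + bytes(val_off - 0x18 - len(wname)) + value
    return body + bytes(total - len(body))


def build_sample_record(in_use=True):
    """Constructed 1 KB record for 'notes.txt' with a main stream and one ADS (not from a real volume)."""
    stamp = datetime_to_filetime(datetime(2009, 3, 14, 10, 30, 0))
    std_info = struct.pack("<QQQQIIII", stamp, stamp, stamp, stamp, 0x20, 0, 0, 0)
    wname = "notes.txt".encode("utf-16-le")
    file_name = struct.pack("<QQQQQQQIIBB", 5, stamp, stamp, stamp, stamp, 0, 0, 0x20, 0,
                            len(wname) // 2, 3) + wname
    attrs = (_resident_attr(STANDARD_INFORMATION, std_info)
             + _resident_attr(FILE_NAME, file_name)
             + _resident_attr(DATA, b"quarterly figures")
             + _resident_attr(DATA, b"hidden payload", name="stream1")
             + struct.pack("<II", END_MARKER, 0))
    usa_off, usa_cnt, first_attr = 0x30, 3, 0x38
    header = struct.pack(RECORD_HEADER, b"FILE", usa_off, usa_cnt, 0, 7, 1, first_attr,
                         FLAG_IN_USE if in_use else 0, first_attr + len(attrs), RECORD_SIZE, 0, 5, 0, 42)
    rec = bytearray(header.ljust(first_attr, b"\0") + attrs).ljust(RECORD_SIZE, b"\0")
    usn, usa = b"\x07\x00", b"\x07\x00"
    for i in range(1, usa_cnt):                   # write the fix-ups exactly as NTFS does
        end = i * SECTOR - 2
        usa += bytes(rec[end:end + 2])
        rec[end:end + 2] = usn
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)
```

Run parse_mft_record(build_sample_record(in_use=False)) and the output is identical except for in_use: the name, timestamps, main stream and the stream1 ADS are all still there, which is exactly what a recovery tool reads back from an "unused" record.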
Registry Data-I
The Registry is the central hierarchical database used by Microsoft Windows operating systems to store the information needed to configure the system for one or more users, applications, and hardware devices
Windows continually consults the registry while applications run
The registry data is stored on disk in binary hive files (for example SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\System32\config, and NTUSER.DAT in each user profile)
Registry Data-II
The hives are organized as (the slide's diagram): Handle key (HKEY_*) → Key → Sub-key → Value, repeated for each handle key
Examining Registry Data
The registry is organized under a predefined set of root (handle) keys, each containing keys, subkeys, and values
A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data
It can be examined manually using the Registry Editor (regedit)
It can be examined using tools such as:
• Registry Monitor
• Registry Checker
FAT vs. NTFS
File Allocation Table (FAT)                                New Technology File System (NTFS)
A table that tracks which clusters each file occupies      A newer file system introduced with Windows NT
Versions: FAT12, FAT16, FAT32                              Versions 1.0 through 3.1 (one on-disk format family)
Supported by all versions of Windows                       Supported by Windows NT and later (2000, XP, 2003, Vista)
Long file names only via the VFAT extension                Long Unicode file names natively
Limited volume and file sizes (4 GB file limit on FAT32)   Supports very large volumes and files
No file system recovery (no journal)                       Journaling ($LogFile) supports file system recovery
No per-file security                                       ACLs, encryption, compression and quotas per file
Ext2 and Ext3
Ext2
Second extended file system (Ext2) is a file system for the Linux operating system
Physical layout of the Ext2 file system: the volume is divided into block groups (Block Group 0 through Block Group N), and each block group contains:
Super block | Group descriptors | Block bitmap | Inode bitmap | Inode table | Data blocks
Ext2 (cont'd)
Ext2 inode:
• The inode is the basic building block of the Ext2 file system
• Each file and directory is described by a single inode
• The inodes of each block group are stored together in that group's inode table
An inode holds: Mode | Owner info | Size | Timestamps | 12 direct block pointers | Indirect block pointer | Double indirect pointer | Triple indirect pointer
Direct pointers address data blocks directly; the indirect pointers address blocks of pointers, adding one, two, or three levels of lookup before the data block is reached
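Added example (not from the slides): the block-address arithmetic behind the inode diagram, in Python. ext2_locate() reports which i_block slot and which pointer-block slots a logical block number passes through for a given block size, resolve_block() follows that chain on a constructed in-memory disk, and ext2_max_file_blocks() gives the addressing limit of the tree. The sample i_block array, the block numbers and the "disk" dictionary are constructed for illustration.

```python
"""Map ext2 logical block numbers through the inode's direct/indirect pointer tree."""
import struct

N_DIRECT = 12
SLOT_INDIRECT, SLOT_DOUBLE, SLOT_TRIPLE = 12, 13, 14   # positions in the 15-entry i_block array


def ext2_locate(logical_block, block_size=4096):
    """Return (levels, path): path[0] is the i_block slot, later items index pointer blocks."""
    per_block = block_size // 4            # 32-bit block pointers per pointer block
    if logical_block < 0:
        raise ValueError("negative block number")
    if logical_block < N_DIRECT:
        return 0, (logical_block,)
    lb = logical_block - N_DIRECT
    if lb < per_block:
        return 1, (SLOT_INDIRECT, lb)
    lb -= per_block
    if lb < per_block ** 2:
        return 2, (SLOT_DOUBLE, lb // per_block, lb % per_block)
    lb -= per_block ** 2
    if lb < per_block ** 3:
        return 3, (SLOT_TRIPLE, lb // per_block ** 2, (lb // per_block) % per_block, lb % per_block)
    raise ValueError("beyond the ext2 block-tree addressing limit")


def ext2_max_file_blocks(block_size):
    """Blocks the tree alone can address; i_blocks (32-bit count of 512-byte units) caps files at 2 TiB."""
    per_block = block_size // 4
    return N_DIRECT + per_block + per_block ** 2 + per_block ** 3


def resolve_block(i_block, read_block, logical_block, block_size=4096):
    """Follow the pointer chain to a physical block number; 0 means a hole in a sparse file."""
    _levels, path = ext2_locate(logical_block, block_size)
    ptr = i_block[path[0]]
    for slot in path[1:]:
        if ptr == 0:
            return 0
        ptr = struct.unpack_from("<I", read_block(ptr), 4 * slot)[0]
    return ptr


# Constructed in-memory "disk" with 1 KiB blocks: blocks 100 and 101 are direct data blocks,
# block 200 is the single-indirect pointer block, and its slot 5 points at data block 300.
BLOCK_SIZE = 1024
SAMPLE_I_BLOCK = [100, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 200, 0, 0]
_indirect = bytearray(BLOCK_SIZE)
struct.pack_into("<I", _indirect, 4 * 5, 300)
SAMPLE_DISK = {200: bytes(_indirect)}


def sample_read_block(block_no):
    """Stand-in for reading a block from the device."""
    return SAMPLE_DISK[block_no]


if __name__ == "__main__":
    for lb in (0, 11, 12, 267, 268, 65804):
        print(lb, ext2_locate(lb, BLOCK_SIZE))
    print("logical 17 ->", resolve_block(SAMPLE_I_BLOCK, sample_read_block, 17, BLOCK_SIZE))
```

With 1 KiB blocks the first indirect block is reached at logical block 12, the double indirect at 268 and the triple indirect at 65804, so a large file costs up to three extra metadata reads per data block; this is the overhead that extents in later Linux file systems were designed to remove.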
Ext2 (cont'd)
Ext2 directories
• Ext2 directories are special files that hold the names of the files they contain and map each name to an inode
• Each directory file is a list of directory entries, each containing:
• Inode number of the entry
• Record length (the distance to the next entry)
• Length of the name
• File type (Ext2 revision 1 and later)
• Name
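Added example, not EC-Council's code: walking a constructed ext2 directory block in Python. walk_live_entries() follows rec_len the way the kernel does; recover_unlinked_entries() looks in the slack of each live record, because ext2 unlinks a file by extending the previous entry's rec_len over it without erasing its bytes. The block contents, inode numbers and names are constructed.

```python
"""Walk ext2 directory entries and recover names hidden by rec_len extension on unlink."""
import struct

DIRENT_HEADER = 8                      # inode (4) + rec_len (2) + name_len (1) + file_type (1)
FT_REG_FILE, FT_DIR = 1, 2


def _pad4(n):
    return (n + 3) & ~3


def make_dirent(inode, name, file_type=FT_REG_FILE, rec_len=None):
    """Constructed ext2_dir_entry_2; rec_len defaults to the 4-byte-aligned minimum."""
    enc = name.encode()
    rec_len = rec_len or DIRENT_HEADER + _pad4(len(enc))
    return (struct.pack("<IHBB", inode, rec_len, len(enc), file_type) + enc
            + bytes(rec_len - DIRENT_HEADER - len(enc)))


def walk_live_entries(block):
    """What the kernel sees: follow rec_len from entry to entry, skipping inode 0."""
    entries, off = [], 0
    while off + DIRENT_HEADER <= len(block):
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        if rec_len < DIRENT_HEADER or off + rec_len > len(block):
            break                                   # corrupt chain: stop rather than loop forever
        if inode:
            name = block[off + 8:off + 8 + name_len].decode(errors="replace")
            entries.append((inode, name, ftype))
        off += rec_len
    return entries


def _plausible(inode, rec_len, name_len, name):
    return inode and rec_len >= DIRENT_HEADER + name_len and 0 < name_len \
        and all(32 <= b < 127 for b in name)


def recover_unlinked_entries(block):
    """Scan the slack of each live record (bytes after its own name) for entries that unlink left behind."""
    found, off = [], 0
    while off + DIRENT_HEADER <= len(block):
        inode, rec_len, name_len, _ = struct.unpack_from("<IHBB", block, off)
        if rec_len < DIRENT_HEADER or off + rec_len > len(block):
            break
        inner, end = off + DIRENT_HEADER + _pad4(name_len), off + rec_len
        while inner + DIRENT_HEADER <= end:
            h_inode, h_rec, h_nlen, h_type = struct.unpack_from("<IHBB", block, inner)
            name = block[inner + 8:inner + 8 + h_nlen]
            if inner + 8 + h_nlen <= end and _plausible(h_inode, h_rec, h_nlen, name):
                found.append((h_inode, name.decode(), h_type))
                inner += DIRENT_HEADER + _pad4(h_nlen)
            else:
                inner += 4                          # entries are 4-byte aligned
        off += rec_len
    return found


def build_sample_block(block_size=1024):
    """Constructed directory block: five entries, then secret.doc unlinked the way ext2 does it."""
    entries = [make_dirent(2, ".", FT_DIR), make_dirent(2, "..", FT_DIR),
               make_dirent(12, "report.txt"), make_dirent(13, "secret.doc"), make_dirent(14, "notes")]
    last_off = sum(len(e) for e in entries[:-1])
    entries[-1] = make_dirent(14, "notes", rec_len=block_size - last_off)  # last entry spans to block end
    block = bytearray(b"".join(entries))
    off_report = len(entries[0]) + len(entries[1])
    off_secret = off_report + len(entries[2])
    # unlink(): the previous entry's rec_len grows to swallow secret.doc; its bytes are NOT zeroed
    rec_report, = struct.unpack_from("<H", block, off_report + 4)
    rec_secret, = struct.unpack_from("<H", block, off_secret + 4)
    struct.pack_into("<H", block, off_report + 4, rec_report + rec_secret)
    return bytes(block)


SAMPLE_BLOCK = build_sample_block()

if __name__ == "__main__":
    print("live:", walk_live_entries(SAMPLE_BLOCK))
    print("recovered:", recover_unlinked_entries(SAMPLE_BLOCK))
```

The recovered name still carries its inode number, so the next step in an investigation is to read that inode: on Ext2 the block pointers usually survive deletion, whereas Ext3 zeroes them when the journal commits.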
Ext3
Third extended file system (Ext3) is a journaling file system used in the GNU/Linux operating system
It is the enhanced version of Ext2: the same on-disk layout with a journal added, so it stays compatible with Ext2 tools
Command to convert an Ext2 file system to Ext3 in place (adds the journal):
• # /sbin/tune2fs -j <partition-name>
HFS and CDFS
HFS
Hierarchical File System (HFS) is a file system designed by Apple in 1985 for the Macintosh operating system
It groups files into directories (folders), and directories can themselves contain other directories
It presents drives, directories, and files as a tree
Hierarchical File System: the slide illustrates the idea with a tree of drives (A:\, C:\) and nested directories (Temp\, Windows\ containing System32\, Spool\, Tasks\, Web\, and Program Files\)
CDFS
CD File System (CDFS) here refers to a Linux kernel file system module for CDs
It exposes all tracks and boot images on a CD as regular files
It makes the information in the older sessions of a multisession disc accessible as ISO images
For example, if a multisession CD contains two ISO images, mounting the CD with the cdfs file system shows the two sessions as files:
[root@k6 /root]# mount -t cdfs -o ro /dev/cdrom /mnt/cdfs
[root@k6 /root]# ls -l /mnt/cdfs
total 33389
-r--r--r-- 1 ronsse ronsse 33503232 Aug 8 19:36 sessions_1-1.iso
-r--r--r-- 1 ronsse ronsse 34121728 Aug 8 1999 sessions_1-2.iso
RAID Storage System
RAID Storage System
Redundant Array of Independent (originally Inexpensive) Disks (RAID) is a technology that combines multiple smaller disks so that they function as a single large logical volume
The technology was developed to:
• Provide a large amount of data storage
• Achieve a greater level of input/output performance
• Achieve greater reliability through data redundancy
RAID Levels
RAID Level 0: Disk striping
• Data is split into blocks and written across the member drives in turn (block A to drive 1, block B to drive 2, C to drive 1, D to drive 2, and so on)
• It provides no data redundancy: if any drive fails, the data on the whole array is lost
• It requires a minimum of two drives
RAID Levels (cont'd)
RAID Level 1: Disk mirroring
• Every block is written to two (or more) drives at the same time, so blocks A, B, C, D, E, F, G, H appear identically on each drive
• It provides data redundancy by completely duplicating the drive data
• If one drive fails, all of the data is still available on its mirror
• It requires a minimum of two drives
RAID Levels (cont'd)
RAID Level 3: Disk striping with dedicated parity
• Data is striped at the byte level across the data drives, and one dedicated drive stores the parity
• The parity drive stores the XOR of the corresponding bytes on all the data drives; it is a function of the data, not a copy of it
• If any single drive fails (including the parity drive), its contents are rebuilt by XORing the surviving drives
Layout (the slide's diagram): four data drives hold stripes 0 to 3 as blocks A0-D0, A1-D1, A2-D2, A3-D3, and the fifth drive holds A parity, B parity, C parity, D parity, each generated from the row it protects (parity generation)
RAID Levels (cont'd)
RAID Level 5: Block-interleaved distributed parity
• Data is striped at the block level across all member drives, and the parity block of each stripe rotates from drive to drive instead of living on a dedicated drive
• Writes are slower because each small write must read the old data and parity, recompute, and write both (read-modify-write)
• Any single drive can fail without data loss; it requires a minimum of three drives
Parity generation: the same XOR as in RAID 3
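Added example (not part of the slides): the XOR parity that RAID 3 and RAID 5 rely on, in Python. build_array() stripes a constructed payload across four drives with either a dedicated parity drive (RAID 3) or left-symmetric rotating parity (RAID 5); rebuild_drive() reconstructs any single failed drive from the survivors; parity_ok() detects a silently corrupted chunk; read_array() reassembles the original data. Chunk size and drive count are parameters; the payload is constructed.

```python
"""XOR parity as used by RAID 3 (dedicated parity drive) and RAID 5 (rotating parity)."""
from functools import reduce


def xor_blocks(blocks):
    """Bytewise XOR of equal-length chunks: the parity of one stripe."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_drive_for(stripe_no, n_drives, dedicated):
    """RAID 3 keeps parity on the last drive; RAID 5 rotates it (left-symmetric layout)."""
    return n_drives - 1 if dedicated else (n_drives - 1 - stripe_no) % n_drives


def build_array(data, n_drives, chunk, dedicated=False):
    """Stripe data across n_drives, writing one parity chunk per stripe."""
    n_data = n_drives - 1
    chunks = [data[i:i + chunk].ljust(chunk, b"\0") for i in range(0, len(data), chunk)]
    while len(chunks) % n_data:
        chunks.append(bytes(chunk))               # pad the final stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(len(chunks) // n_data):
        stripe = chunks[s * n_data:(s + 1) * n_data]
        p = parity_drive_for(s, n_drives, dedicated)
        data_iter = iter(stripe)
        for d in range(n_drives):
            drives[d].append(xor_blocks(stripe) if d == p else next(data_iter))
    return drives


def rebuild_drive(drives, failed):
    """Any single missing drive is the XOR of the survivors, stripe by stripe."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def parity_ok(drives):
    """A consistent stripe XORs to all zeros; a silent corruption breaks this."""
    return all(not any(xor_blocks(stripe)) for stripe in zip(*drives))


def read_array(drives, length, dedicated=False):
    """Reassemble the original data by skipping the parity chunk of each stripe."""
    n_drives = len(drives)
    out = b""
    for s in range(len(drives[0])):
        p = parity_drive_for(s, n_drives, dedicated)
        out += b"".join(drives[d][s] for d in range(n_drives) if d != p)
    return out[:length]


SAMPLE_DATA = b"The quick brown fox jumps over the lazy dog. " * 3   # constructed payload
RAID5 = build_array(SAMPLE_DATA, n_drives=4, chunk=16)
RAID3 = build_array(SAMPLE_DATA, n_drives=4, chunk=16, dedicated=True)

if __name__ == "__main__":
    print("drive 2 rebuilt correctly:", rebuild_drive(RAID5, 2) == RAID5[2])
    print("data intact:", read_array(RAID5, len(SAMPLE_DATA)) == SAMPLE_DATA)
```

Note what parity does not give you: it rebuilds one missing drive per stripe and it detects a mismatch, but it cannot tell which drive is wrong when all are present, and two simultaneous failures lose the stripe. When imaging a RAID set for evidence, image each member disk separately and let the analysis tool reassemble with the right chunk size and rotation.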
Recover Data from Unallocated Space using File Carving Process
File carving recovers files from the unallocated space of a disk by recognizing file content (headers, footers, internal structure) rather than relying on file system metadata
Investigators use it during a digital investigation when the directory entries or MFT records that pointed to the data are gone or overwritten
Tools used for file carving:
• PhotoRec
• EnCase
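Added example (not from the slides): header/footer carving in Python over a constructed "unallocated space" byte string that contains a tiny PNG, a tiny JPEG and a truncated JPEG. carve() pairs every header with the first footer after it and flags truncated hits, extract() cuts the bytes out, and png_ihdr_ok() validates the CRC of the first PNG chunk to reject false positives. File contents and offsets are constructed; a real run would read the unallocated clusters out of a disk image.

```python
"""Header/footer file carving over unallocated space, with a PNG sanity check."""
import struct
import zlib

SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 16 * 1024 * 1024   # give up looking for a footer after this many bytes


def carve(blob, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Find every header and pair it with the first footer after it; truncated hits are kept but flagged."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = blob.find(header)
        while pos != -1:
            end = blob.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                hits.append({"type": kind, "start": pos, "end": len(blob), "complete": False})
                pos = blob.find(header, pos + 1)
            else:
                end += len(footer)
                hits.append({"type": kind, "start": pos, "end": end, "complete": True})
                pos = blob.find(header, end)
    return sorted(hits, key=lambda h: h["start"])


def extract(blob, hit):
    return blob[hit["start"]:hit["end"]]


def png_ihdr_ok(data):
    """Reject false positives: the first chunk must be a 13-byte IHDR with a valid CRC."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack_from(">I4s", data, 8)
    if length != 13 or ctype != b"IHDR":
        return False
    crc = struct.unpack_from(">I", data, 16 + 13)[0]
    return crc == zlib.crc32(data[12:16 + 13])


def _png_chunk(ctype, payload):
    """Constructed PNG chunk: length, type, payload, CRC over type+payload."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


# Constructed 'unallocated space': filler, a 1x1 PNG, filler, a tiny JPEG, filler, a truncated JPEG.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND", b""))
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(32) + b"\xff\xd9")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + bytes(24)
UNALLOCATED = bytes(64) + SAMPLE_PNG + bytes(64) + SAMPLE_JPEG + b"\x20" * 64 + TRUNCATED_JPEG

if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        print(hit, "valid png" if hit["type"] == "png" and png_ihdr_ok(extract(UNALLOCATED, hit)) else "")
```

Plain header/footer carving assumes the file is contiguous and that the first footer is the right one; fragmented files and embedded thumbnails (a JPEG inside a JPEG) break that assumption, which is why tools like PhotoRec add format-specific parsing on top of the signature scan.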
Hard Disk Evidence Collection Tools
Evidor
Evidor searches for text on hard disks and retrieves the context of keyword occurrences on computer media, examining not only all files (the entire allocated space, including the Windows swap/paging and hibernation files) but also currently unallocated space and slack space
It can extract data from deleted files if the disk sectors have not been overwritten
It is a convenient way for an investigator to find and gather digital evidence on computer media
WinHex
Computer forensics and data recovery software, hex editor and disk editor
Features:
• Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash
• Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
• Built-in interpretation of RAID systems and dynamic disks
• RAM editor, providing access to physical RAM and other processes' virtual memory
• Data interpreter, knowing 20 data types
Logicube Tools
Logicube Echo PLUS is a portable hard drive cloning unit that clones the data and operating system of a target drive
Logicube Sonix transfers data to and from a hard drive at up to 3.3 GB/min and accepts any size, brand, model, or type of drive
Logicube Tools (cont'd)
OmniClone Xi supports UDMA-5 transfer speeds, cloning IDE, EIDE, UDMA, and SATA drives at up to 3.5 GB/min
Logicube OmniWipe quickly wipes drives before they are used as targets for data capture
Logicube: CloneCard Pro
CloneCard Pro is a PCMCIA adapter that allows hard drive data transfer at up to 175 MB/min, approximately 15 times faster than capturing data through the parallel port
It clones laptop or notebook drives at speeds in excess of 175 MB/min
It is designed for use with handheld hard drive duplication products
Figure: CloneCard Pro
ImageMASSter: ImageMASSter 4008i
ImageMASSter 4008i is a high-speed multiple hard drive duplicator
Features:
• Transfers data at rates exceeding 2 GB/min
• Copies data at high speed to 8 target drives simultaneously
• Partitions and formats target drives automatically during the copy
• Provides 48-bit LBA support to copy hard drives larger than 137 GB
Figure: ImageMASSter 4008i
eDR Solutions: Hard Disk Crusher
The Hard Disk Crusher physically destroys a hard disk so that the confidential information on it can never be recovered
It destroys a disk and the data on it in seconds without needing a PC or workstation
Features:
• It can crush over 60 disks in an hour
• It gives visual verification of destruction
Summary
A hard disk is a sealed unit containing a number of platters in a stack. Hard disks may be mounted in a horizontal or a vertical position
A file system is the set of data structures and rules used for the storage, hierarchical organization, management, navigation, access, and recovery of data
Every disk has a Master Boot Record that contains information about the partitions on the disk
EFS is the main file encryption technology used to store encrypted files on NTFS
The MFT is a table of file records, one per file, with the file's attributes as its columns