
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology

Disk Structures, Partitions, and the Boot Process. Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu. Theory  Practice. Learning by Doing. Class Outline. Storage and Mobile Technologies


Presentation Transcript


  1. Disk Structures, Partitions, and the Boot Process Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Theory  Practice Learning by Doing

  2. Class Outline • Storage and Mobile Technologies • Disk Structure • Disk Capacity • Formatting • Partitioning • Boot Process • Controlled Boot Environment • Lab – Data Analysis Using EnCase & FTK

  3. Learning Objectives At the end of this module you will be able to: • Understand the challenges of forensics • Describe the basics of disk structures • Explain how information is stored on a drive • Determine the storage capacity of drive using LBA or CHS

  4. Storage Technologies Floppy ZIP / JAZZ Tape CD / DVD (Optical) Hard USB Pen

  5. More Mobile Technologies

  6. Floppy Disks • Yes these still exist! • Originally single sided • Then became double sided 5.25 3.5

  7. Side View of Floppy in Disk Drive. Original floppies were single-sided. [Figure labels: single-sided disk 0, side 0; film of Mylar with a magnetic coating; disk drive]

  8. FD Densities & Capacity

  9. Disk Structure • Hard disk drives are organized as a concentric stack of disks or ‘platters’ • Each platter has 2 surfaces • Each platter is made from aluminum, ceramic, or glass, coated with a magnetic material such as iron oxide.

  10. Exploded View of a Hard Drive

  11. HD Internals

  12. HD Elements • 16 heads • 8 Platters

  13. Laptop HD

  14. HD Geometry • Platters: The shiny rigid disks. Multiple platters increase storage without an equivalent increase in cost. • Heads: The read/write heads of a hard drive. The disk assembly must be sealed & micro-filtered. • Tracks: Lanes centered around platters. • Sectors / Clusters: Each track is divided into sectors. Several sectors form a cluster. • Cylinders: A grouping of the same tracks vertically through the stack of platters.

  15. Head Stack Assembly [Figure labels: heads 0 to 5, cylinder, track, sector, cylinders]

  16. HD Head Clearance

  17. Side View of Cylinders on Disk Drive [Figure labels: double-sided disk, sides or heads 0 and 1, Cyl = 0 to Cyl = 79, spindle motor, "comprise cylinder 0", disk drive]

  18. Disk Structure Cont’d • The data is stored on concentric circles on the surfaces known as tracks • Corresponding tracks on all platter surfaces make up a cylinder • On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder • The cylinder can be written to without movement of the head assembly • Numbering starts with 0 at the outermost cylinder

  19. Sector • A sector is a continuous linear stream of magnetized bits occupying a curved section of a track. • Sectors are the smallest physical storage units on a disk. Each sector stores 512 bytes of data. • Numbering of physical sectors within a track starts with 1. [Figure labels: Sector 1 Track 0, Sector 2 Track 0]

  20. Cluster (Blocks) • 1 or more contiguous sectors • The smallest piece of storage into which an OS can place data • The number of bytes in a cluster varies according to the size of the drive and the version of the OS • 65,536 sector limit in DOS FAT16 (2^16)** • Using clusters allows for grouping multiple sectors • Total number of sectors per cluster is always a power of 2

  21. C H S • What is it? • Each storage unit on a disk can be identified by a 3-coordinate system identifying the • Cylinder (C) • Head/Side (H) • Sector (S) • A more modern method is to just refer to the sector number (used in LBA mode discussed later)

  22. Disk Structure Cont’d • One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes: • E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB

  23. Disk Structure Cont’d • Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk. • The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.

  24. Hard Drives Standards • EIDE, SCSI, SATA • IDE (Integrated Drive Electronics) supports only two devices • EIDE can support four through two channels • SCSI (Small Computer Systems Interface) supports up to 7 devices. Each of them is identified by a unique ID • SATA (Serial Advanced Technology Attachment). Each drive is a master drive.

  25. Hard Disk Addressing • Older BIOSes used in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes). • Newer BIOSes can use 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.

  26. LBA – Logical Block Addressing • By industry agreement large IDE disks (with more than 16514064 sectors) will return c=16383, h=16, s=63, for a total of 16514064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity • As such the BIOS must know to use the LBA capacity to calculate the actual size of the drive. This is given in the total number of accessible sectors • E.g. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
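
The CHS and LBA arithmetic from slides 21 to 26, as an added Python example that is not part of the original presentation: it converts between CHS addresses and sector numbers, and takes the size from the LBA sector count when a drive reports the capped 16383/16/63 geometry. The function names are illustrative, and the CHS-to-sector mapping is the conventional formula, which the slides do not spell out.

```python
SECTOR_SIZE = 512                     # bytes per sector (slide 19)
CAPPED_GEOMETRY = (16383, 16, 63)     # what large IDE disks report (slide 26)


def chs_capacity(cylinders, heads, sectors_per_track):
    """Capacity in bytes from a geometry given as counts (slide 22)."""
    return cylinders * heads * sectors_per_track * SECTOR_SIZE


def chs_to_lba(c, h, s, heads, sectors_per_track):
    """Sector number of a CHS address; cylinders and heads count from 0,
    sectors within a track count from 1."""
    if c < 0 or not 0 <= h < heads or not 1 <= s <= sectors_per_track:
        raise ValueError(f"CHS {c}/{h}/{s} is outside the geometry")
    return (c * heads + h) * sectors_per_track + (s - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba for the same geometry."""
    c, rest = divmod(lba, heads * sectors_per_track)
    h, s0 = divmod(rest, sectors_per_track)
    return c, h, s0 + 1


def drive_size(geometry, lba_sectors):
    """Return (bytes, source): use the LBA count when the reported CHS
    geometry is the capped value and LBA says the drive is larger."""
    chs_sectors = geometry[0] * geometry[1] * geometry[2]
    if tuple(geometry) == CAPPED_GEOMETRY and lba_sectors > chs_sectors:
        return lba_sectors * SECTOR_SIZE, "LBA"
    return chs_sectors * SECTOR_SIZE, "CHS"


if __name__ == "__main__":
    print(chs_capacity(12495, 16, 63))               # slide 22 example
    print(drive_size((16383, 16, 63), 156301488))    # slide 26 example
    print(lba_to_chs(chs_to_lba(80, 0, 1, 16, 63), 16, 63))
```
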

  27. Summary • Data on a HD are stored on tracks • Corresponding tracks on all surfaces make up a cylinder • Data is stored in sectors and usually read in blocks or clusters • A storage unit can be identified by CHS • LBA is used for drives in excess of 7.8 GB

  28. Nested Data Structures on HD Hard Drive Partition File System File Record Field

  29. Partitioning and Formatting Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Theory  Practice Learning by Doing

  30. Learning Objectives At the end of this module you will be able to: • Explain the function of the FDISK program • Define terms such as primary partition, extended partition, active partition, and logical drive • Describe how logical partitions can be hidden • Articulate the necessity of understanding the suspect’s partitioning scheme

  31. Initializing a Hard Drive This represents all the available surface area on a hard drive that can be used for storage

  32. Initializing a Hard Drive The first thing to do is magnetically create a system of unique storage areas

  33. One 512-byte sector Low-level (Factory) Format Step 1: Use a low-level format program to create a magnetic structure of sectors Low-level formatting is usually done at the factory.

  34. Results of Low-level Format The sectors are organized by tracks All the sectors on one track

  35. Initializing a Hard Drive with FDisk Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1. [Figure: MBR, the Master Boot Record containing the Master Partition Table]

  36. Initializing a Hard Drive with FDisk Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1. The remainder of that track is “Reserved”. [Figure: MBR followed by reserved sectors]

  37. Master Partition Table • Maximum of 4 entries • Valid entries contain essential information about the partition • Partition type/code • Active (yes or no) • Partition start and end information • Unused entries are blank

  38. Master Partition Table • Types of entries • Primary Partition(s) - up to 4 allowed • Contains a logical drive • One may be marked as “Active” * • Extended Partition (only 1 allowed) • Contains one or more logical drives • Each logical drive is defined by its own partition table which may contain a second entry pointing to the next logical drive within that extended partition Total number of entries may not exceed four!

  39. Partition Type Codes • File systems are assigned characteristic type codes that are listed in partition table entries • DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported • DOS/Windows systems will not assign a drive letter to partition types not supported

  40. Partition Table Entry Common DOS partition type codes: • 0x00 Unused • 0x01 FAT12 • 0x04 FAT16 (up to 32M) • 0x05 Extended • 0x06 BigFAT16 (up to 2 Gb) • 0x0B FAT32 • 0x0C FAT32x (LBA) • 0x0E FAT16x (LBA) • 0x0F Extendedx (LBA)

  41. Partition Type Codes

  42. Initializing a Hard Drive with FDisk In this case, FDISK created one active primary partition. [Figure: MBR followed by reserved sectors]

  43. Single Primary Partition Hard drive with one active primary partition (single logical drive) Logical Drive Hub

  44. Single Primary Partition Master Partition Table - DiskEdit View “Yes” indicates “Active”

  45. Partition Table: One Primary with Extended Partition [Figure: MBR and reserved sectors, primary partition, extended partition]

  46. Partition Table: Partition Tables. Each partition table points to the next. [Figure: MBR and reserved sectors]

  47. One Primary & One Extended Master Partition Table – DiskEdit View Primary Partition Entry

  48. One Primary & One Extended Master Partition Table – DiskEdit View Extended Partition Entry The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.

  49. Partitioning • Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned?

  50. Partitioning Reasons to examine the partition tables: • To make sure all space on the drive is accounted for. • To look for multiple operating systems. • To look for hidden partitions.
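
The partition-table examination described in slides 35 to 50, as an added Python example that is not part of the original presentation: it parses the four master partition table entries from a sector and lists the sector ranges that no entry accounts for. The byte offsets, the 55 AA signature and the packed CHS layout are the standard MBR format rather than values given on the slides; the sample sector, the 201,600-sector disk size and the 63-sector reserved track are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16", 0x05: "Extended", 0x06: "BigFAT16",
              0x0B: "FAT32", 0x0C: "FAT32x (LBA)", 0x0E: "FAT16x (LBA)",
              0x0F: "Extendedx (LBA)"}          # type codes listed on slide 40

def unpack_chs(field):
    """3-byte packed CHS: head, sector (low 6 bits) + cylinder high bits, cylinder low byte."""
    head, sec, cyl = field
    return ((sec & 0xC0) << 2) | cyl, head, sec & 0x3F

def parse_mbr(sector):
    """Return the non-blank entries of the master partition table (at most four)."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: wrong length or missing 55 AA signature")
    entries = []
    for slot in range(4):
        raw = sector[446 + 16 * slot:462 + 16 * slot]
        status, start, ptype, end, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00:                        # unused entries are blank
            continue
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, "not in slide 40 list"),
                        "chs_start": unpack_chs(start), "chs_end": unpack_chs(end),
                        "lba_start": lba, "sectors": count})
    return entries

def unaccounted(entries, disk_sectors, reserved=63):
    """(first_sector, length) runs no entry covers, after the reserved first track."""
    gaps, cursor = [], reserved
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - cursor))
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def sample_mbr():
    """Constructed sector: active BigFAT16 primary, then an extended partition at cylinder 80."""
    fmt = "<B3sB3sII"
    table = struct.pack(fmt, 0x80, bytes([1, 1, 0]), 0x06, bytes([15, 63, 79]), 63, 80577)
    table += struct.pack(fmt, 0x00, bytes([0, 1, 80]), 0x05, bytes([15, 63, 119]), 80640, 40320)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    parts = parse_mbr(sample_mbr())
    for p in parts:
        print(p)
    print("unaccounted:", unaccounted(parts, disk_sectors=201600))
```

A non-empty result from unaccounted() is the space an examiner would then inspect for deleted or hidden partitions and for logical drives inside the extended partition.
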
