Disk Structures, Partitions, and the Boot Process

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]

Learning by Doing: Theory and Practice

Page 1: Disk Structures, Partitions, and the Boot Process (title slide)

Page 2: Class Outline

• Storage and Mobile Technologies

• Disk Structure

• Disk Capacity

• Formatting

• Partitioning

• Boot Process

• Controlled Boot Environment

• Lab – Data Analysis Using EnCase & FTK

Page 3: Learning Objectives

At the end of this module you will be able to:

• Understand the challenges of forensics

• Describe the basics of disk structures

• Explain how information is stored on a drive

• Determine the storage capacity of a drive using LBA or CHS

Page 4: Storage Technologies

• Floppy

• Hard disk

• CD / DVD (optical)

• ZIP / JAZZ

• Tape

• USB pen drive

Page 5: More Mobile Technologies (figure only)

Page 6: Floppy Disks

• Yes these still exist!

• Sizes: 5.25" and 3.5" (both pictured)

• Originally single sided

• Then became double sided

Page 7: Side View of Floppy in Disk Drive

Original floppies were single-sided.

(Figure: a single-sided disk inside a disk drive, its one recording surface labelled Side 0; the medium is a film of Mylar with a magnetic coating.)

Page 8: FD Densities & Capacity

Disk Size   Density   Sectors/Track   Capacity
5.25"       Low       9               360K
5.25"       High      15              1200K
3.5"        Low       9               720K
3.5"        High      18              1,440K

Page 9: Disk Structure

• Hard disk drives are organized as a concentric stack of disks or ‘platters’

• Each platter has 2 surfaces

• Platters are made from aluminum, ceramic, or glass, coated with a magnetic material such as iron oxide.

Page 10: Exploded View of a Hard Drive (figure only)

Page 11: HD Internals (figure only)

Page 12: HD Elements

• 16 heads

• 8 Platters

Page 13: Laptop HD (figure only)

Page 14: HD Geometry

• Platters: The shiny rigid disks. Multiple platters increase storage without equivalent increase in cost.

• Heads: The read/write heads of a hard drive. The disk assembly must be sealed and micro-filtered.

• Tracks: Concentric lanes on each platter surface.

• Sectors / Clusters: Each track is divided into sectors. Several sectors form a cluster.

• Cylinders: A grouping of the same tracks vertically through the stack of platters.

Page 15: Cylinders

(Figure: a head stack assembly with heads 0 through 5; the tracks at the same radius on every surface together form one cylinder, with one track and one sector labelled.)

Page 16: HD Head Clearance (figure only)

Page 17: Side View of Cylinders on Disk Drive

(Figure: a double-sided disk on its spindle motor inside the disk drive, sides or heads 0 and 1; the two tracks at Cyl = 0 comprise cylinder 0, and the cylinders run from Cyl = 0 at the outer edge in to Cyl = 79.)

Page 18: Disk Structure Cont’d

• The data is stored on concentric circles on the surfaces known as tracks

• Corresponding tracks on all platter surfaces make up a cylinder

• On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder

• The cylinder can be written to without movement of the head assembly

• Numbering starts with 0 at the outermost cylinder

Page 19: Sector

• A sector is a continuous linear stream of magnetized bits occupying a curved section of a track.

• Sectors are the smallest physical storage units on a disk; each sector stores 512 bytes of data

• Numbering physical sectors within a track starts with 1.

(Figure: Sector 1 and Sector 2 on Track 0.)

Page 20: Cluster (Blocks)

• 1 or more contiguous sectors

• The smallest unit of storage that an OS can allocate for data

• The number of bytes in a cluster varies according to the size of the drive and the version of the OS

– 65,536 sector limit in DOS FAT16 (2^16)**

– Using clusters allows for grouping multiple sectors

– Total number of sectors per cluster is always a power of 2

Page 21: CHS

• What is it?

• Each storage unit on a disk can be identified by a 3-coordinate system identifying the

– Cylinder (C)

– Head/Side (H)

– Sector (S)

• A more modern method is to just refer to the sector number (used in LBA mode discussed later)

Page 22: Disk Structure Cont’d

• One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes:

• E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB

Page 23: Disk Structure Cont’d

• Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk.

• The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.

Page 24: Hard Drive Standards

• EIDE, SCSI, SATA

• IDE (Integrated Drive Electronics) supports only two devices

• EIDE can support four through two channels

• SCSI (Small Computer Systems Interface) supports up to 7 devices. Each of them is identified by a unique ID

• SATA (Serial Advanced Technology Attachment). Each drive is a master drive.

Page 25: Hard Disk Addressing

• Older BIOSes used in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes).

• Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.

Page 26: LBA – Logical Block Addressing

• By industry agreement, large IDE disks (with more than 16,514,064 sectors) return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity

• As such the BIOS must know to use the LBA capacity to calculate the actual size of the drive. This is given in the total number of accessible sectors

• E.g. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
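As an added worked example (not code from the slides), the capacity arithmetic of pages 8, 22, 25 and 26 in Python: the CHS product, the LBA product, and the rule that a drive reporting the 16383/16/63 sentinel geometry must be sized from its LBA sector count instead. The floppy track counts (40 for 5.25" low density, 80 for the other three formats) are an assumption not stated on the slides; every other figure is the slides' own.

```python
"""Disk capacity from CHS geometry and from the LBA sector count (added example)."""

SECTOR_BYTES = 512

# Geometry that large IDE disks report by industry agreement (page 26):
# c=16383, h=16, s=63, i.e. 16,514,064 sectors regardless of the real size.
LARGE_DISK_CHS = (16383, 16, 63)


def chs_capacity_bytes(cylinders, heads, sectors_per_track, sector_bytes=SECTOR_BYTES):
    """Capacity = cylinders x heads x sectors per track x bytes per sector (page 22)."""
    return cylinders * heads * sectors_per_track * sector_bytes


def lba_capacity_bytes(total_sectors, sector_bytes=SECTOR_BYTES):
    """Capacity from the total number of accessible sectors reported in LBA mode."""
    return total_sectors * sector_bytes


def drive_capacity_bytes(chs, lba_sectors=None):
    """Decide which figure to trust, as the BIOS must: if the drive reports the
    sentinel geometry, the CHS product is a ceiling and not the real size, so the
    LBA sector count has to be used instead."""
    cylinders, heads, sectors = chs
    if (cylinders, heads, sectors) == LARGE_DISK_CHS:
        if lba_sectors is None:
            raise ValueError("sentinel geometry reported but no LBA sector count available")
        return lba_capacity_bytes(lba_sectors)
    return chs_capacity_bytes(cylinders, heads, sectors)


def describe(nbytes):
    """Both conventions the slides use: decimal GB (the 80GB drive) and binary GiB (the 7.8GB sentinel)."""
    return f"{nbytes:,} bytes = {nbytes / 10**9:.2f} GB (decimal) = {nbytes / 2**30:.2f} GiB"


if __name__ == "__main__":
    # Floppy formats of page 8. Track counts are an assumption (not on the slides);
    # heads, sectors per track and the resulting K capacities are the slides' values.
    floppies = {
        '5.25" low density': (40, 2, 9),
        '5.25" high density': (80, 2, 15),
        '3.5" low density': (80, 2, 9),
        '3.5" high density': (80, 2, 18),
    }
    for name, geometry in floppies.items():
        print(f"{name:20s} {chs_capacity_bytes(*geometry) // 1024}K")

    # Page 22's hard disk: 12,495 cylinders, 16 heads, 63 sectors
    print("CHS example:  ", describe(chs_capacity_bytes(12495, 16, 63)))
    # Page 26: the sentinel geometry versus the LBA count of an 80GB drive
    print("sentinel CHS: ", describe(chs_capacity_bytes(*LARGE_DISK_CHS)))
    print("via LBA:      ", describe(drive_capacity_bytes(LARGE_DISK_CHS, 156_301_488)))
```

The sentinel product comes to 7.87 GiB, which is the slide's "7.8GB", while 156,301,488 sectors come to 80.03 decimal GB but only 74.5 GiB; an examiner reconciling a drive label, a BIOS screen and an imaging tool's sector count should expect both conventions.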

Page 27: Summary

• Data on a HD are stored on tracks

• Corresponding tracks on all surfaces make up a cylinder

• Data is stored in sectors and usually read in blocks or clusters

• A storage unit can be identified by CHS

• LBA is used for drives in excess of 7.8 GB

Page 28: Nested Data Structures on HD

Hard Drive > Partition > File System > File > Record > Field

Page 29: Partitioning and Formatting (section title slide)

Page 30: Learning Objectives

At the end of this module you will be able to:

• Explain the function of the FDISK program

• Define terms such as primary partition, extended partition, active partition, and logical drive

• Describe how logical partitions can be hidden

• Articulate the necessity of understanding the suspect’s partitioning scheme

Page 31: Initializing a Hard Drive

This represents all the available surface area on a hard drive that can be used for storage

Page 32: Initializing a Hard Drive

The first thing to do is magnetically create a system of unique storage areas

Page 33: Low-level (Factory) Format

Step 1: Use a low-level format program to create a magnetic structure of sectors

(Figure: one 512-byte sector.)

Low-level formatting is usually done at the factory.

Page 34: Results of Low-level Format

The sectors are organized by tracks

(Figure: all the sectors on one track.)

Page 35: Initializing a Hard Drive with FDisk

Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1

(Figure: the MBR, containing the Master Partition Table.)

Page 36: Initializing a Hard Drive with FDisk

Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1

The remainder of that track is “Reserved”

(Figure: track 0 with the MBR in its first sector and the remaining sectors marked Reserved.)

Page 37: Master Partition Table

• Maximum of 4 entries

• Valid entries contain essential information about the partition

– Partition type/code

– Active (yes or no)

– Partition start and end information

• Unused entries are blank

Page 38: Master Partition Table

• Types of entries

– Primary Partition(s) - up to 4 allowed

• Contains a logical drive

• One may be marked as “Active” *

– Extended Partition (only 1 allowed)

• Contains one or more logical drives

• Each logical drive is defined by its own partition table which may contain a second entry pointing to the next logical drive within that extended partition

Total number of entries may not exceed four!

Page 39: Partition Type Codes

• File systems are assigned characteristic type codes that are listed in partition table entries

• DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported

• DOS/Windows systems will not assign a drive letter to partition types not supported

Page 40: Partition Table Entry

Common DOS partition type codes:

0x00 Unused

0x01 FAT12

0x04 FAT16 (up to 32M)

0x05 Extended

0x06 BigFAT16 (up to 2 Gb)

0x0B FAT32

0x0C FAT32x (LBA)

0x0E FAT16x (LBA)

0x0F Extendedx (LBA)

Page 41: Partition Type Codes (figure only)

Page 42: Initializing a Hard Drive with FDisk

In this case, FDISK created one active primary partition

(Figure: the MBR and the reserved remainder of track 0, followed by the single primary partition.)

Page 43: Single Primary Partition

Hard drive with one active primary partition (single logical drive)

(Figure: a platter with the logical drive filling the surface outward from the hub.)

Page 44: Single Primary Partition

Master Partition Table - DiskEdit view: “Yes” indicates “Active”

Page 45: One Primary with Extended Partition

(Figure: the MBR and the reserved remainder of track 0, followed by the primary partition; the extended partition begins with its own partition table, with the remainder of that track likewise reserved.)

Page 46: Partition Tables

Each partition table points to the next

(Figure: the MBR and the reserved remainder of track 0, then a further partition table with its own reserved track, each table pointing to the next.)

Page 47: One Primary & One Extended

Master Partition Table – DiskEdit view: the primary partition entry

Page 48: One Primary & One Extended

Master Partition Table – DiskEdit view: the extended partition entry

The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.

Page 49: Partitioning

• Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned?

Page 50: Partitioning

Reasons to examine the partition tables:

• To make sure all space on the drive is accounted for.

• To look for multiple operating systems.

• To look for hidden partitions.

Page 51: Hidden Partitions

(Figure: view of a hidden partition using the PART utility.)

DOS/Windows partitions can be “hidden” by changing the partition-type code
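The three reasons given on page 50 for reading the partition tables (account for all space, look for more than one operating system, look for hidden partitions) can be turned into an automated check. The following is an added example, not code from the slides or from any tool they mention: it parses the four 16-byte entries of an MBR, decodes the packed CHS fields, recognises only the type codes listed on page 40 so that any other code (such as one altered to hide a partition) is flagged, and lists every sector no entry claims. The MBR bytes are constructed for the example and do not come from a real drive; the CHS values in them are illustrative and are not derived from the LBA values.

```python
"""Parse an MBR partition table and audit it the way an examiner would (added example)."""
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 446            # the four 16-byte entries occupy bytes 446..509 of the MBR
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ACTIVE_FLAG = 0x80

# Type codes as listed on page 40; anything else is treated as unrecognised.
TYPE_CODES = {
    0x00: "Unused", 0x01: "FAT12", 0x04: "FAT16 (up to 32M)", 0x05: "Extended",
    0x06: "BigFAT16", 0x0B: "FAT32", 0x0C: "FAT32x (LBA)", 0x0E: "FAT16x (LBA)",
    0x0F: "Extendedx (LBA)",
}


def encode_chs(cylinder, head, sector):
    """Pack C/H/S into the 3-byte field: head, then the 6-bit sector with the two
    high cylinder bits above it, then the low 8 cylinder bits."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def decode_chs(field):
    head = field[0]
    sector = field[1] & 0x3F
    cylinder = ((field[1] & 0xC0) << 2) | field[2]
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the four partition table entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55AA missing")
    entries = []
    for index in range(4):
        raw = sector[TABLE_OFFSET + index * ENTRY_SIZE:][:ENTRY_SIZE]
        lba_start, lba_size = struct.unpack_from("<II", raw, 8)
        entries.append({
            "index": index,
            "active": raw[0] == ACTIVE_FLAG,
            "type": raw[4],
            "type_name": TYPE_CODES.get(raw[4]),  # None: no drive letter would be assigned
            "chs_start": decode_chs(raw[1:4]),
            "chs_end": decode_chs(raw[5:8]),
            "lba_start": lba_start,
            "lba_size": lba_size,
        })
    return entries


def unallocated_ranges(entries, total_sectors):
    """Sectors no entry claims, as (start, length) pairs, so all space is accounted for."""
    gaps, cursor = [], 0
    for e in sorted((e for e in entries if e["type"] != 0x00), key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - cursor))
        cursor = max(cursor, e["lba_start"] + e["lba_size"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def audit(entries, total_sectors):
    """Findings to resolve before trusting the drive-letter view of the disk."""
    findings = []
    used = [e for e in entries if e["type"] != 0x00]
    active = [e for e in used if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries (expected exactly 1)")
    for e in used:
        if e["type_name"] is None:
            findings.append(f"entry {e['index']}: type code 0x{e['type']:02X} is not in the "
                            "recognised table; no drive letter would be assigned (possible hidden partition)")
    for start, length in unallocated_ranges(used, total_sectors):
        findings.append(f"{length} unallocated sectors starting at LBA {start}")
    return findings


def make_entry(active, ptype, lba_start, lba_size, chs_start=(0, 0, 0), chs_end=(0, 0, 0)):
    return (bytes([ACTIVE_FLAG if active else 0]) + encode_chs(*chs_start)
            + bytes([ptype]) + encode_chs(*chs_end) + struct.pack("<II", lba_start, lba_size))


# Constructed sample MBR (not from a real drive): boot code zeroed, an active FAT32
# LBA primary, an extended partition, a third entry whose type code is not in the
# table, and one empty slot. 4,200,000 sectors is the assumed LBA size of the disk.
SAMPLE_TOTAL_SECTORS = 4_200_000
SAMPLE_MBR = (b"\x00" * TABLE_OFFSET
              + make_entry(True, 0x0C, 63, 2_000_000, chs_start=(0, 1, 1))
              + make_entry(False, 0x0F, 2_000_063, 1_000_000, chs_start=(80, 0, 1))
              + make_entry(False, 0x1C, 3_000_063, 500_000)
              + b"\x00" * ENTRY_SIZE + BOOT_SIGNATURE)

if __name__ == "__main__":
    for finding in audit(parse_mbr(SAMPLE_MBR), SAMPLE_TOTAL_SECTORS):
        print(finding)
```

Run against the sample it reports the unrecognised type code, the 63 reserved sectors of track 0 before the first partition (the "Reserved" remainder of pages 36 and 42) and the slack after the last entry; the extended partition's own table, which page 46 says points to the next, would be parsed by reading the sector at its lba_start and applying parse_mbr again with offsets relative to the extended partition.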

Page 52: Hidden Partitions

This partition disappears!

Page 53: Summary

• Fdisk is a tool used to initialize a HD

• The MBR resides at CHS 001 (cylinder 0, head 0, sector 1)

• Master Partition Table has a maximum of 4 entries

• Primary Partition (4 allowed, 1 active)

• Extended Partition (1 allowed)

• Changing a partition type code can hide it

• Understanding the partitioning is very important

Page 54: The Boot Process (section title slide)

Page 55: Learning Objectives

At the end of this module you will be able to:

• Describe the boot process of DOS, Unix & Windows systems

• Explain why interrupting the boot process is a forensic necessity

• Compare and contrast the bootstrapping process for various operating systems.

Page 56: The Boot Process

• Every hard disk must have a consistent ‘starting point’

• The place where this information is stored is called the master boot record (MBR) (also referred to as the master boot sector, or just boot sector)

• The MBR is always located at cylinder 0, head 0, and sector 1

Page 57: The Boot Process cont’d

The master boot record contains the following structures:

– Master Partition Table – this small table contains the descriptions of the partitions that are contained on the hard disk. There is only room for the information describing 4 partitions, or primary partitions (discussed more later)

Page 58: The Boot Process cont’d

– Master Boot Code – The MBR contains the small initial boot program that the BIOS loads and executes to start the boot process (Since the master boot code is the first program executed when you turn on your pc, this is a favorite place for virus writers to target.)

Page 59: Review of HD Boot Sequence (DOS)

• POST

• OS

• MBR

• Partition Table

• DOS Boot Record

– IO.SYS

– MSDOS.SYS

– COMMAND.COM

Page 60: POST

• The computer runs the Power On Self Test (POST)

• Which checks BIOS, CPU, RAM, video, keyboard, drives, etc.

Page 61: Review of HD Boot Sequence

1. Master Boot Record (CHS = 0,0,1)

2. Boot Record

3. IO.SYS

4. MSDOS.SYS

5. CONFIG.SYS

6. COMMAND.COM

7. AUTOEXEC.BAT

To control the boot process, you must intercept it with a controlled-boot floppy.

Page 62: External DOS Commands

• Not loaded with COMMAND.COM

• Usually installed in the WINDOWS\COMMAND subdirectory

– Our copies must be on the control boot floppy

– Are either “EXE” or “COM” files

Examples: FDISK, FORMAT, DELTREE, CHKDSK, ATTRIB, UNFORMAT, UNDELETE, XCOPY

Page 63: Encountering Compressed Drives

Writing to the hard drive, when the system is in our custody and control, means that we have altered the evidence!

DOS 6.22, Win95, Win98

– IO.SYS can automatically mount Compressed Volume Files

• If a compressed drive is mounted, it will make changes to the hard drive

• This can happen even if booting from a floppy

– IO.SYS must be hacked to eliminate these calls to the hard drive

Page 64: Windows 2000/NT Bootstrapping

6 Stages

• POST

• Choose OS

• Kernel Load

• Kernel Initialization

• Services Load

• Logon

Page 65: Unix Boot Process

• The memory-resident code

– Runs self-test

– Probes bus for the boot device

– Reads the boot program from the boot device

• Boot program reads in the kernel and passes control to it.

• Kernel identifies and configures the devices.

• Initializes the system and starts the system processes.

• Brings up the system in single-user mode (if necessary).

• Runs the appropriate startup scripts.

• Brings up the system for multi-user operation.

Page 66: Kernel

• Unix systems implement a two-stage loading process.

• First stage, a small boot program is read into memory from a default or specified device.

• Once the kernel is loaded, it remains in the memory during the running of the system and is usually run in a fixed amount of memory.

• The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices.

Page 67: Unix Bootstrapping

• System Processes

– The kernel identifies the root, swap, and dump devices and then starts programs to schedule processes, manage physical memory and virtual memory, and the init process.

• Sched

– The real-time scheduler.

• Swapper

– It manages the physical memory by moving processes from physical memory to swap space when more physical memory is needed.

• Page Daemon

– Various memory handlers run as process 2.

Page 68: Unix Bootstrapping

• init

– The last step in bootstrapping the kernel starts the /etc/init process.

• Single User Mode

– Single user shell is always Bourne shell (sh) and it runs as 'root'.

– It enables the system manager to perform various administrative functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.

– At this stage only the root partition is usually mounted.

• The file system consistency check may be performed by the command fsck, usually found in the /etc directory.

Page 69: Unix Bootstrapping

• Startup

– Shell scripts - init spawns a copy of sh to interpret them.

– The startup scripts are defined and organized differently on different systems.

– On BSD systems the startup scripts may be found in the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single,/etc/rc.local and so on.

– This set of processes is defined in the /etc/inittab file. Each line in the inittab file describes an action to take.

Page 70: Summary

• Every disk has a consistent starting point (MBR or boot sector, CHS 001)

• A control boot disk (floppy/CD) allows us to control the bootstrapping process

• DOS makes a good boot environment since we understand what is happening!

Page 71: Controlled Boot Environment (section title slide)

Page 72: Learning Objectives

At the end of this module you will be able to:

• Explain the importance of using a controlled boot environment.

• Describe the minimum files necessary to create a bootable DOS disk.

• Describe events that may complicate the forensic boot process.

Page 73: Controlled Boot Floppy

A controlled boot floppy enables you to

• Control the environment of the operation

• Bypass possible destructive processes set by the suspect to destroy evidence

• Maintain evidence integrity by preventing any possible changes to the suspect’s hard disk

Page 74: A Basic Controlled DOS Boot Floppy

Minimum Requirements

• Will boot the computer without allowing any writes to the Hard Disk

• Will automatically install hard disk write protection

• Will ensure drive letters are assigned to all FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file

Page 75: Media

Variety of disks in every possible format

• 5¼” Low density, high density floppies

• 3½” Low density, high density floppies

• Bootable CD-ROMs

Page 76: Media

New, clean media for each case

– Pre-used media should be wiped

Error free and formatted

– /U Format option

• Standard Format AND overwrites data area with F6h

– /S Format option

• Standard Format AND copies system files to disk after format

Page 77: Files (DOS)

Required system files

– IO.SYS

• Altered if necessary to prevent writes to disk

– MSDOS.SYS

– COMMAND.COM

– AUTOEXEC.BAT

• Edited to automatically load the hard drive write blocker

– CONFIG.SYS

• Edited to include LASTDRIVE=Z to ensure drive letter assignments

Page 78: Boot Considerations

• BIOS Setting

– Need to ensure that the system boots from the proper device (CDROM, floppy)

– Interrupt keys (vary by manufacturer): F12, Del, F1

• BIOS Passwords

– How do we overcome these?

– What are some forensic issues with defeating these?

• Power on Passwords???

Page 79: Disk Write Blockers (section title slide)

Page 80: Learning Objectives

At the end of this module you will be able to:

• Explain the importance of write blockers

• Describe how write blockers work

• Compare and contrast hardware and software write blocker functionality

• Explain why hardware write blockers are a better choice.

Page 81: Disk Write Blockers

• Prevent data being written to the suspect drive

• Ensure the integrity of the suspect drive

• Software Write Blockers v. Hardware

Page 82: Normal HD Access

• Using the interrupt 0x13 interface for hard drive access, an application program issues an interrupt 0x13 command.

• The interrupt transfers control to the interrupt 0x13 routine in the BIOS.

• The BIOS routine issues commands, ATA or SCSI as appropriate, directly to the hard drive controller.

• The device does the requested operation and returns the result to the BIOS and then to the application program.

Page 83: Software Write Block

Use of a SWB tool changes the normal operation of the interrupt 0x13 interface.

– The SWB tool is executed. The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.

– The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.

Page 84: Software Write Block

• The SWB tool determines if the requested command should be blocked or if the command should be allowed.

• If a command is blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines. Depending on SWB tool configuration either success or error is returned for the command status.

• If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.

• Results are returned to the application program.
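The mechanism of pages 82 to 84 (save the interrupt 0x13 entry, install a replacement, decide per command whether to block, return either success or an error without passing anything to the BIOS) is shown below as an added Python simulation; it is not code from the slides or from any real write-blocking tool. The interrupt 0x13 function numbers, drive numbers and status codes are the real BIOS values; the BIOS itself, the drives and the application calls are a constructed model. The blocker allows only a list of known non-modifying functions on a protected drive and blocks everything else, which is the conservative design for a write blocker.

```python
"""Simulation of a software write blocker (SWB) hooking interrupt 0x13 (added example)."""

SECTOR_BYTES = 512

# Real BIOS interrupt 0x13 function numbers (passed in AH) and drive numbers (DL):
# 0x00 is the first floppy, 0x80 the first hard disk.
INT13_READ, INT13_WRITE, INT13_VERIFY, INT13_FORMAT_TRACK = 0x02, 0x03, 0x04, 0x05
INT13_GET_PARAMS, INT13_EXT_CHECK, INT13_EXT_READ, INT13_EXT_WRITE = 0x08, 0x41, 0x42, 0x43
FIRST_FLOPPY, FIRST_HARD_DISK = 0x00, 0x80

# Functions that never modify the medium. On a protected drive the blocker allows
# only these and blocks everything else (default deny), so a function it has never
# heard of cannot slip through as a write.
NON_MODIFYING = {INT13_READ, INT13_VERIFY, INT13_GET_PARAMS, INT13_EXT_CHECK, INT13_EXT_READ}

STATUS_OK = 0x00              # real int 0x13 status codes, returned in AH
STATUS_BAD_COMMAND = 0x01
STATUS_WRITE_PROTECTED = 0x03


class SimulatedBios:
    """Toy BIOS: an interrupt vector table and drives held as lists of sectors."""

    def __init__(self, drives):
        self.drives = drives                  # {drive number: [sector bytes, ...]}
        self.vectors = {0x13: self._int13}    # the entry address an SWB saves and replaces

    def invoke(self, interrupt, **regs):
        """What an application does: raise the interrupt with register values."""
        return self.vectors[interrupt](**regs)

    def _int13(self, ah, dl, lba=0, data=None):
        """The BIOS's own routine: talks to the (simulated) drive controller."""
        disk = self.drives.get(dl)
        if disk is None:
            return STATUS_BAD_COMMAND, None
        if ah in (INT13_READ, INT13_EXT_READ):
            return STATUS_OK, disk[lba]
        if ah in (INT13_WRITE, INT13_EXT_WRITE):
            disk[lba] = bytes(data)
            return STATUS_OK, None
        if ah == INT13_FORMAT_TRACK:
            disk[lba] = b"\xF6" * SECTOR_BYTES   # DOS FORMAT fills the data area with F6h
            return STATUS_OK, None
        if ah in NON_MODIFYING:
            return STATUS_OK, None
        return STATUS_BAD_COMMAND, None


class SoftwareWriteBlocker:
    """Saves the current int 0x13 entry, installs its own routine, and filters commands."""

    def __init__(self, bios, protected_drives=(FIRST_HARD_DISK,), report_success=True):
        self.bios = bios
        self.protected = set(protected_drives)
        self.report_success = report_success  # configuration: report "ok" or "write protected"
        self.saved_entry = None
        self.blocked = []                     # audit log: (function, drive, lba) per blocked command

    def install(self):
        self.saved_entry = self.bios.vectors[0x13]
        self.bios.vectors[0x13] = self.handler

    def handler(self, ah, dl, lba=0, data=None):
        if dl in self.protected and ah not in NON_MODIFYING:
            self.blocked.append((ah, dl, lba))
            status = STATUS_OK if self.report_success else STATUS_WRITE_PROTECTED
            return status, None               # nothing is passed on to the BIOS routine
        return self.saved_entry(ah=ah, dl=dl, lba=lba, data=data)


def run_scenario(report_success=True):
    """Protect the hard disk, then try a read of it, a write to it, and a write to the floppy."""
    hard_disk = [bytes([i]) * SECTOR_BYTES for i in range(4)]   # constructed evidence drive
    evidence_before = list(hard_disk)
    bios = SimulatedBios({FIRST_FLOPPY: [b"\x00" * SECTOR_BYTES] * 4, FIRST_HARD_DISK: hard_disk})
    swb = SoftwareWriteBlocker(bios, report_success=report_success)
    swb.install()
    payload = b"\xEE" * SECTOR_BYTES
    read_status, sector0 = bios.invoke(0x13, ah=INT13_READ, dl=FIRST_HARD_DISK, lba=0)
    write_status, _ = bios.invoke(0x13, ah=INT13_WRITE, dl=FIRST_HARD_DISK, lba=0, data=payload)
    floppy_status, _ = bios.invoke(0x13, ah=INT13_WRITE, dl=FIRST_FLOPPY, lba=1, data=payload)
    return {
        "read_status": read_status,
        "read_ok": sector0 == evidence_before[0],
        "write_status": write_status,
        "hard_disk_unchanged": hard_disk == evidence_before,
        "floppy_written": floppy_status == STATUS_OK and bios.drives[FIRST_FLOPPY][1] == payload,
        "blocked": list(swb.blocked),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The simulation also makes the limitation behind page 86's "software write blockers can be bypassed" concrete: the hook only sees traffic that goes through the interrupt 0x13 vector, so code that talks to the controller directly, or a driver such as the IO.SYS compressed-volume mounting of page 63, never passes through the handler at all. A hardware blocker sits on the cable and sees every command regardless of which software issued it.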

Page 85: Hardware Write Block

• A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.

• Physically, the device is connected between the computer and a storage device.

• Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.

Page 86: Summary

• Write blockers prevent data being written to the suspect drive

• 2 basic classes: Hardware and Software

• Software write blockers can be bypassed (sometimes unknowingly)

• Hardware write blockers are now the industry standard.

• NIST has excellent specs/standards for write blockers.