Upload
amy
View
30
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Disk Structures, Partitions, and the Boot Process. Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 [email protected]. Theory Practice. Learning by Doing. Class Outline. Storage and Mobile Technologies - PowerPoint PPT Presentation
Citation preview
Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
Disk Structures, Partitions,
and the Boot Process
LearningbyDoing
Theo
ry
Practi
ce
Class OutlineClass Outline
• Storage and Mobile Technologies
• Disk Structure
• Disk Capacity
• Formatting
• Partioning
• Boot Process
• Controlled Boot Environment
• Lab – Data Analysis Using EnCase & FTK
Learning ObjectivesLearning Objectives
At the end of this module you will be able to:
• Understand the challenges of forensics
• Describe the basics of disk structures
• Explain how information is stored on a drive
• Determine the storage capacity of drive using LBA or CHS
Storage TechnologiesStorage Technologies
Floppy
HardCD / DVD(Optical)
ZIP / JAZZ Tape
USB Pen
More Mobile TechnologiesMore Mobile Technologies
Floppy DisksFloppy Disks
• Yes these still exist!
5.25 3.5
• Originally single sided
• Then became double sided
Original floppies were single-sided
Side View of Floppy in Disk DriveSide View of Floppy in Disk Drive
0 Side 0
Single-sided Disk
Disk Drive
Film of Mylar withA magnetic coating
FD Densities & CapacityFD Densities & Capacity
Disk Size DensitySectors/
TrackCapacity
5.25 Low 9 360K
5.25 High 15 1200K
3.5 Low 9 720K
3.5 High 18 1,440K
• Hard disks drives are organized as a concentric stack of disks or ‘platters’
• Each platter has 2 surfaces
• Platter is made from aluminum, ceramic, or class, coated with a magnetic materials such as iron oxide.
Disk StructureDisk Structure
Exploded View of a Hard DriveExploded View of a Hard Drive
HD InternalsHD Internals
HD ElementsHD Elements
• 16 heads
• 8 Platters
Laptop HDLaptop HD
HD GeometryHD Geometry
• Platters: The shiny rigid disks. Multiple platters increase storage without equivalent increase in cost.
• Heads: The read/write heads of a hard drive. Disk assembly must be sealed µ-filtered.
• Tracks: Lanes centered around platters.
• Sectors / Clusters: Each track was divided into sectors. Several sectors form a cluster.
• Cylinders: A grouping of the same tracks vertically through the stack of platters.
CylindersCylinders
CYLINDER
Head Stack
AssemblyHead 0
Head 1
Head 2
Head 3
Head 4
Head 5
TrackSector
HD Head ClearanceHD Head Clearance
Side View of Cylinders on Disk DriveSide View of Cylinders on Disk Drive
Double-sided Disk
0
1
Sides or Heads
Cyl = 0Cyl = 79
Comprise Cylinder 0
Spindle Motor
Disk Drive
Disk Structure Cont’dDisk Structure Cont’d
• The data is stored on concentric circles on the surfaces known as tracks
• Corresponding tracks on all platter surfaces make up a cylinder
• On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder
• The cylinder can be written to without movement of the head assembly
• Numbering starts with 0 at the outermost cylinder
SectorSector
• A sector is a continuous linear stream of magnetized bits occupying a curved section of a track.
• Sectors are the smallest physical storage units on a disk- Each sector stores 512 bytes of data
• Numbering physical sectors within a track starts with 1.
Sector 1
Track 0
Sector 2
Track 0
Cluster (Blocks)Cluster (Blocks)
• 1 or more contiguous sectors
• The smallest pieces of storage that an OS can place into data
• The bytes in a cluster varies according to the size of the drive and the version of the OS– 65,536 sector limit in DOS Fat 16 (2^16)**
– Using clusters allows for grouping multiple sectors
– Total number of sectors per cluster is always a power of 2
C H SC H S
• What is it?
• Each storage unit on a disk can be identified by a 3-coordinate system identifying the
– Cylinder (C)
– Head/Side (H)
– Sector (S)
• A more modern method is to just refer to the sector number (used in LBA mode discussed later)
Disk Structure Cont’dDisk Structure Cont’d
• On method of calculating disk capacity is to multiply the number cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 Bytes:
• E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB
Disk Structure Cont’dDisk Structure Cont’d
• Most Intel based mother boards use an ATA (Advanced Technology Attachment) interface which connects to the hard disk.
• The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.
Hard Drives StandardsHard Drives Standards
• EIDE, SCSI, SATA• IDE (Integrated Drive Electronics) supports
only two devices• EIDE can support four through two channels• SCSI (Small Computer Systems Interface)
supports up to 7 devices. Each of them is identified by a unique ID
• SATA (Serial Advanced Technology Attachment). Each drive is a master drive.
Hard Disk AddressingHard Disk Addressing
• Older BIOSes used in pc’s used 24 bit addressing which could only access up to 8.4 GB (2^24 * 512 bytes).
• Newer BIOSes can access 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.
LBA – Logical Block AddressingLBA – Logical Block Addressing
• By industry agreement large IDE disks (with more than 16514064 sectors) will return c=16383, h=16, s=63, for a total of 16514064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity
• As such the BIOS must know to use the LBA capacity to calculate the actual size of the drive. This is given in the total number of accessible sectors
• E.g. A disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB
SummarySummary
• Data on a HD are stored on tracks
• Corresponding tracks on all surfaces make up a cylinder
• Data is stored in sectors and usually read in blocks or clusters
• A storage unit can be identified by CHS
• LBA is used for drives in excess of 7.8 GB
Nested Data Structures on HDNested Data Structures on HD
Hard Drive Partition File System File Record Field
Partitioning and FormattingPartitioning and Formatting
Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
LearningbyDoing
Theo
ry
Practi
ce
Learning ObjectivesLearning Objectives
At the end of this module you will be able to:
• Explain the function of the FDISK program
• Define terms such as primary partition, extended partition, active partition, and logical drive
• Describe how logical partitions can be hidden
• Articulate the necessity of understanding the suspect’s partitioning scheme
This represents all the available surface area on a hard drive that can be used for storage
Initializing a Hard DriveInitializing a Hard Drive
The first thing to do is magnetically create a system of unique storage areas
Initializing a Hard DriveInitializing a Hard Drive
Step 1: Use a low-level format program to create a magnetic structure of sectors
Low-level (Factory) FormatLow-level (Factory) Format
One 512-byte sector
Low-level formatting is usually done at the factory.
The sectors are organized by tracks
All the sectors on one track
Results of Low-level FormatResults of Low-level Format
MBR
Initializing a Hard Drive with FDiskInitializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1
Master Boot Record containingMaster Partition Table
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
MBR
Initializing a Hard Drive with FDiskInitializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record at C-0, H-0, S-1
The remainder of that track is “Reserved”
Master Partition TableMaster Partition Table
• Maximum of 4 entries
• Valid entries contain essential information about the partition– Partition type/code– Active (yes or no)– Partition start and end information
• Unused entries are blank
Master Partition TableMaster Partition Table
• Types of entries– Primary Partition(s) - up to 4 allowed
• Contains a logical drive
• One may be marked as “Active” *
– Extended Partition (only 1 allowed)
• Contains one or more logical drives
• Each logical drive is defined by its own partition table which may contain a second entry pointing to the next logical drive within that extended partition
Total number of entries may not exceed four!
Partition Type CodesPartition Type Codes
• File systems are assigned characteristic type codes that are listed in partition table entries
• DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported
• DOS/Windows systems will not assign a drive letter to partition types not supported
Partition Table EntryPartition Table Entry
Common DOS Partition type Codes:
0x00 Unused
0x01 FAT12
0x04 FAT16 (up to 32M)
0x05 Extended
0x06 BigFAT16 (up to 2 Gb)
0x0B FAT32
0x0C FAT32x (LBA)
0x0E FAT16x (LBA)
0x0F Extendedx (LBA)
Partition Type CodesPartition Type Codes
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
MBR
Initializing a Hard Drive with FDiskInitializing a Hard Drive with FDisk
In this case, FDISK created one active primary partition
Hard drive with one active primary partition (single logical drive)
Single Primary PartitionSingle Primary Partition
Hub
Logical Drive
Master Partition Table - DiskEdit View
Single Primary PartitionSingle Primary Partition
“Yes” indicates “Active”
One Primary with Extended PartitionOne Primary with Extended Partition
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
MBR
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Partition Table
Primary Partition Extended Partition
Each partition table points to the next
Partition TablesPartition Tables
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
MBR
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Reserved
Partition Table
Master Partition Table – DiskEdit View
One Primary & One ExtendedOne Primary & One Extended
Primary Partition Entry
Master Partition Table – DiskEdit View
One Primary & One ExtendedOne Primary & One Extended
The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
Extended Partition Entry
PartitioningPartitioning
• Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned?
PartitioningPartitioning
Reasons to examine the partition tables:
• To make sure all space on the drive is accounted for.
• To look for multiple operating systems.
• To look for hidden partitions.
Hidden PartitionsHidden Partitions
View of a hidden partition using the PART utility
DOS/Windows partitions can be “hidden” by changing the partition-type code
Hidden PartitionsHidden Partitions
This partition disappears!
SummarySummary
• Fdisk is a tool used to initialize a HD• The MBR resides at CHS 001• Master Partition Table has a maximum of 4 entries• Primary Partition (4 allowed 1 active)• Extended Partition (1 allowed)• Changing a partition type code can hide it• Understanding the partitioning is very important
The Boot ProcessThe Boot Process
Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
LearningbyDoing
Theo
ry
Practi
ce
Learning ObjectivesLearning Objectives
At the end of this module you will be able to:
• Describe the boot process of DOS, Unix & Windows systems
• Explain why interrupting the boot process is a forensic necessity
• Compare and contrast the boot strapping process for various operating systems.
The Boot ProcessThe Boot Process
• Every hard disk must have a consistent ‘starting point’
• The place where this information is stored is called the master boot record (MBR) (also referred to as the master boot sector, or just boot sector)
• The MBR is always located as cylinder 0, head 0, and sector 1
The Boot Process cont’dThe Boot Process cont’d
The master boot record contains the following structures:– Master Partition Table – this small table contains
the descriptions of the partitions that are contained on the hard disk. There is only room for the information describing 4 partitions, or primary partitions (discussed more later)
The Boot Process cont’dThe Boot Process cont’d
– Master Boot Code – The MBR contains the small initial boot program that the BIOS loads and executes to start the boot process (Since the master boot code is the first program executed when you turn on your pc, this is a favorite place for virus writers to target.)
Review of HD Boot Sequence (DOSReview of HD Boot Sequence (DOS)
• POST
• OS
• MBR
• Partition Table
• DOS Boot Record – (IO.SYS)– MSDOS.SYS– COMMAND.COM.
POSTPOST
• The computer runs the Power On Self Test (POST)
• Which checks – BIOS,– CPU, – RAM, – Video,– Keyboard, – drives, etc.
Review of HD Boot SequenceReview of HD Boot Sequence
1 Master Boot RecordCHS = 0,0,1
2 Boot Record
3 IO.SYS
4 MSDOS.SYS
5 CONFIG.SYS
6 COMMAND.COM
7 AUTOEXEC.BAT
To control the boot process, you must intercept it with a controlled-boot floppy.
External DOS CommandsExternal DOS Commands
• Not loaded with COMMAND.COM• Usually installed in the WINDOWS\COMMAND
subdirectory – Our copies must be on the control boot floppy
– Are either “EXE” or “COM” files
FDISK FORMAT DELTREE CHKDSK ATTRIB UNFORMAT UNDELETE XCOPY
Writing to the hard drive, when the system is in our custody and control, means that we have altered the evidence!
Encountering Compressed DrivesEncountering Compressed Drives
DOS 6.22, Win95, Win98– IO.SYS can automatically mount Compressed
Volume Files • If a compressed drive is mounted, it will make changes
to the hard drive
• This can happen even if booting from a floppy
– IO.SYS must be hacked to eliminate these calls to the hard drive
Windows 2000/NT BootstrappingWindows 2000/NT Bootstrapping
6 Stages
• POST
• Choose OS
• Kernel Load
• Kernel Initialization
• Services Load
• Logon
Unix Boot ProcessUnix Boot Process
• The memory-resident code– Runs self-test
– Probes bus for the boot device
– Reads the boot program from the boot device
• Boot program reads in the kernel and passes control to it.
• Kernel identifies and configures the devices.
• Initializes the system and starts the system processes.
• Brings up the system in single-user mode (if necessary).
• Runs the appropriate startup scripts.
• Brings up the system for multi-user operation.
KernelKernel
• Unix systems implement a two-stage loading process. • First stage, a small boot program is read into memory from
a default or specified device. • Once the kernel is loaded, it remains in the memory during
the running of the system and is usually run in a fixed amount of memory.
• The kernel probes the bus to locate the devices specified during the configuration, and initializes the located devices.
Unix BootstrappingUnix Bootstrapping
• System Processes– The kernel identifies the root, swap, and dump devices and then
starts programs to schedule processes, manage physical memory and virtual memory, and the init process.
• Sched– The real-time scheduler.
• Swapper – It manages the physical memory by moving process from
physical memory to swap space when more physical memory is needed.
• Page Daemon– Various memory handlers run as process 2.
Unix BootstrappingUnix Bootstrapping
• init– The last step in bootstrapping the kernel starts the /etc/init
process.
• Single User Mode – Single user shell is always Bourne shell (sh) and it runs as 'root'. – It enables the system manager to perform various administrative
functions, such as setting the date, checking the consistency of the file system, reconfiguring the list of on-line terminals, and so on.
– At this stage only the root partition is usually mounted. • The file system consistency check may be performed by the
command fsck, usually found in the /etc directory.
Unix BootstrappingUnix Bootstrapping
• Startup – Shell scripts - init spawns a copy of sh to interpret them.
– The startup scripts are defined and organized differently on different systems.
– On BSD systems the startup scripts may be found in the /etc directory and their names begin with rc, e.g., /etc/rc.boot, /etc/rc.single,/etc/rc.local and so on.
– This set of processes is defined in the /etc/inittab file. Each line in the inittab file describes an action to take.
SummarySummary
• Every disk has a consistent starting point (MBR or boot sector CHS 001)
• A control boot disk (floppy/CD) allows us to control the bootstrapping process
• DOS makes a good boot environment since we understand what is happening!
Controlled Boot Controlled Boot EnvironmentEnvironment
Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
LearningbyDoing
Theo
ry
Practi
ce
Learning ObjectivesLearning Objectives
At the end of this module you will be able to:
• Explain the importance of using a controlled boot environment.
• Describe the minimum files necessary to create a bootable DOS disk.
• Describe events that may complicate the forensic boot process.
Controlled Boot FloppyControlled Boot Floppy
A controlled boot floppy enables you to
• Control the environment of the operation
• Bypass possible destructive processes set by the suspect to destroy evidence
• Maintain evidence integrity by preventing any possible changes to the suspect’s hard disk
A Basic Controlled DOS Boot FloppyA Basic Controlled DOS Boot Floppy
Minimum Requirements• Will boot the computer without allowing
any writes to the Hard Disk• Will automatically install hard disk write
protection• Will ensure drive letters are assigned to all
FAT logical drives by including a LASTDRIVE=Z statement in the CONFIG.SYS file
MediaMedia
Variety of disks in every possible format
• 5¼” Low density, high density floppies
• 3½” Low density, high density floppies
• Bootable CD-ROMs
MediaMedia
New, clean media for each case– Pre-used media should be wiped
Error free and formatted– /U Format option
• Standard Format AND overwrites data area with F6h
– /S Format option • Standard Format AND copies system files to disk
after format
Files (DOS)Files (DOS)
Required system files– IO.SYS
• Altered if necessary to prevent write to disk
– MSDOS.SYS– COMMAND.COM– AUTOEXEC.BAT
• Edited to automatically load the hard drive write blocker
– CONFIG.SYS• Edited to include LASTDRIVE=Z to ensure drive
letter assignments
Boot ConsiderationsBoot Considerations
• BIOS Setting– Need to ensure that system boots from proper device
• CDROM, Floppy
– Interrupt keys (varies by manufacturers)• F12, Del, F1
• BIOS Passwords– How do we over come these?
– What are some forensic issues with defeating these?
• Power on Passwords???
Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
Disk Write BlockersDisk Write Blockers
LearningbyDoing
Theo
ry
Practi
ce
Learning ObjectivesLearning Objectives
At the end of this module you will be able to:
• Explain the importance of write blockers
• Describe how write blockers work
• Compare contrast hardware and software write blocker functionality
• Explain why hardware write blockers are a better choice.
Disk Write BlockersDisk Write Blockers
• Disk Write Blockers
• Prevent data being written to the suspect drive
• Ensure the integrity of the suspect drive
• Software Write Blockers v. Hardware
Normal HD AccessNormal HD Access
• Using the interrupt 0x13 interface for hard drive An application program issues an interrupt 0x13 command.
• The interrupt transfers control to the interrupt 0x13 routine in the BIOS. The BIOS routine issues commands,
• ATA or SCSI as appropriate, directly to the hard drive controller.
• The device does the requested operation and returns the result to the BIOS and then to the application program.
Software Write BlockSoftware Write Block
Use of a SWB tool changes the normal operation of the interrupt 0x13 interface.
– The SWB tool is executed. The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine.
– The application program initiates a drive I/O operation by invoking interrupt 0x13. The replacement routine installed by the SWB tool intercepts the command.
Software Write BlockSoftware Write Block
• The SWB tool determines if the requested command should be blocked or if the command should be allowed.
• If a command is blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines. Depending on SWB tool configuration either success or error is returned for the command status.
• If the command is allowed (not blocked), the command is passed to the BIOS and the BIOS I/O routine issues required I/O commands (ATA, SCSI or other) to the drive controller so that the desired I/O operation occurs on the hard drive.
• Results are returned to the application program.
Hardware Write BlockHardware Write Block
• A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.
• Physically, the device is connected between the computer and a storage device.
• Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
SummarySummary
• Write blockers prevent data being written to the suspect drive
• 2 basic classes:– Hardware and Software
• Software write blockers can be bypassed (sometimes unknowingly)
• Hardware write blockers are now the industry standard.
• NIST has excellent specs/standards for write blockers.