-
File System
Gives OS a road map to data on a disk. The type of file system used determines how data is stored on the disk
-
Understanding Boot Sequence
to avoid altering data you must understand how to access and modify CMOS and BIOS settings.
Computers store system configuration and date and time information in CMOS when system is powered off. BIOS contains programs that perform input and output at the hardware level
When computer starts it must boot to a forensic floppy disk or CD to avoid overwriting and changing evidentiary data
-
Booting to a Forensic Disc
Access CMOS by monitoring bootstrap process to ID correct key or keys to use.
keys depend on the BIOS system
-
Disk Drive components
Geometery: disk's structure of platters, tracks, and sectors
Head: device that reads and writes disks
Tracks: concentric circles on a disk platter where data is located
Cylinders: A cylinder is a column of tracks on two or more disk platters. Platters have a top and bottom
Sectors: A section on a track, usually made up of 512 bytes
-
CHS calculation
Calculation used to determine the total number of bytes on a disk
cylinder x head x sector
-
Zoned Bit Recording (ZBR)
How manufacturers deal with a platter's inner tracks being shorter than it's outer tracks. Grouping tracks by zone ensures all tracks hold the same amount of data
-
Track Denisty
the space between each track. the wider the space the easier to hide information in the gaps
-
Arenal Density
the number of bits in one square inch of disk platter including unused space btw tracks
-
Microsoft File Structures
- Sectors are clustered together to form Clusters.
- Clusters
are typically 512, 1024, 2048, 4096 or more bytes - Clusters are groups of one or more Sectors
- Floppy Disks have one sector per cluster
- Hard Disks have 4 or more sectors per cluster (top has 2, bottom has two)
Clusters are numbered sequentially starting at 2 because the first sector contains system area, boot record, file structure database
-
Logical addresses
OS assigns cluster numbers that point to relative cluster positions. i.e. cluster address 100 is 98 clusters from cluster 2.
-
Physical address
Sector numbers which reside at the hardware/firmware level and go from 0 (first sector on disk) to the last sector on the disk
-
Disk Partition
hard drive that is divided into two or more sections. A partition is a logical drive
-
Partition Gap
the unused space between partitions
-
Disk Editors
Examines a partitions physical level, identifies file headers to identify file types
-
Master Boot Record
stores information about partitions on a boot disk, their locations and their size and other important information
-
File Allocation Tables (FAT)
- File structure database used to organize files on a disk. Information is written to the outer most tracks and contains:
- file names
- directory names
- data and time stamps
- starting cluster number
- file attributes (hidden, archive, system, read-only)
-
4 versions of FAT
- FAT 12: Used specifically for floppy disks and drives up to 16MB
- FAT16: Used to handle large disks on Windows 95. Max 2GB info
- FAT32: for disks larger than 2 GB
- FATX: used for Xbox
-
Drive Slack/RAM slack
unused space in a cluster between the end of an active file and the end of a cluster. This includes RAM slack and file slack
|
|
