Disk Structure Analysis


DAT2343 Disk Structure Analysis, Project 3. © Alan T. Pinck / Algonquin College; 2003

Project 3 Requirements
See the complete requirements for this project under the Projects area for this course in Blackboard.
Determine specific structure information from a non-standard formatted diskette, using DEBUG to analyze the boot sector.
Locate a deleted file in a deleted directory by tracing through directory entries.

DEBUG Sector Level Read
DEBUG command: Lmmmm d s n
where
mmmm is the (offset) memory address to which the sector(s) are to be copied
d is the disk drive number (0=A:, 1=B:, …)
s is the disk sector number (0 is the boot sector)
n is the number of sectors to read

Critical Boot Sector Entries
000B-0Ch : bytes per sector
000Dh : sectors per allocation unit (file cluster)
0010h : number of copies of the FAT
0011-12h : number of root directory entries (20h bytes per entry)
0016-17h : number of sectors per copy of FAT
0018-19h : number of sectors per track
001A-1Bh : number of tracks per cylinder (number of read/write heads)

Directory Entry Components
For “normal” 8.3 named files:
bytes 0-7 : primary file name
bytes 8-0A : extension
byte 0B : attribute (see next slide)
bytes 1A-1B : starting cluster
bytes 1C-1F : file size (in bytes)

Directory Entries: Attributes
The attribute byte within a file’s directory entry provides the following information (reading the bits from right to left):
bit 0 : Read Only (if on)
bit 1 : Hidden (if on)
bit 2 : System (if on)
bit 3 : Volume Label, not a real file (if on)
bit 4 : Subdirectory (if on)
bit 5 : Archive needed (if on)
Note the special value of the attribute byte for long/extended file names (next slide).

Directory Entries: Long File Names
Long/Extended file names are stored in directory entries, but in a quite different format from “normal” file entries; the Attribute field for these extended file name entries is always 0F (hex), a value which would not make sense if interpreted normally.
Extended file names are always followed by a “normal” (8.3) form for the same file, and it is this 8.3 form which should be used for file analysis.

Directory Entries: Deleted Files
When a file is deleted, the first byte of the file name in the directory entry (or entries) for this file is changed to a special code, E5 (hex), and its FAT entries are zeroed (indicating that the space is “free”).
No other changes are made and, provided nothing else is changed on the disk, the file can be recovered (except for the first character of its name), since its first cluster number still points to a sector of the disk which contains the contents of the (deleted) file.
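
Added example (not part of the original slides or course material): the boot-sector offsets and directory-entry layout above, applied in Python to locate a deleted file inside a deleted directory. The disk image is constructed for the example; the reserved-sector count at 0Eh-0Fh comes from the standard FAT boot sector rather than the slide, and file data is assumed to be contiguous because the FAT entries were zeroed on deletion.

```python
import struct

def parse_boot(img):
    # 0Bh-12h and 16h-1Bh as on the slide; 0Eh-0Fh (reserved sectors) is not on
    # the slide but is needed to find where the FAT, and so the root, begins.
    bps, spc, rsvd, nfat, nroot, spf, spt, heads = struct.unpack_from("<HBHBH3xHHH", img, 0x0B)
    root = rsvd + nfat * spf                      # first root-directory sector
    data = root + (nroot * 32 + bps - 1) // bps   # first data sector (cluster 2)
    return dict(bps=bps, spc=spc, nroot=nroot, spt=spt, heads=heads, root=root, data=data)

def parse_dir(buf):
    entries = []
    for off in range(0, len(buf), 32):
        e = buf[off:off + 32]
        if e[0] == 0x00 or e[0x0B] == 0x0F:       # unused slot, or long-file-name entry
            continue
        cluster, size = struct.unpack_from("<HI", e, 0x1A)
        deleted = e[0] == 0xE5                    # first name byte overwritten on delete
        name = ("?" if deleted else chr(e[0])) + e[1:8].decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        entries.append(dict(name=name + ("." + ext if ext else ""), deleted=deleted,
                            is_dir=bool(e[0x0B] & 0x10), cluster=cluster, size=size))
    return entries

def read_clusters(img, g, cluster, nbytes):
    # Assumption: contiguous allocation, since the zeroed FAT chain cannot be followed.
    start = (g["data"] + (cluster - 2) * g["spc"]) * g["bps"]
    return img[start:start + nbytes]

def deleted_files_in_deleted_dirs(img):
    g = parse_boot(img)
    root = img[g["root"] * g["bps"]:][:g["nroot"] * 32]
    found = []
    for d in parse_dir(root):
        if d["deleted"] and d["is_dir"] and d["cluster"] >= 2:
            sub = read_clusters(img, g, d["cluster"], g["spc"] * g["bps"])
            found += [(d["name"] + "\\" + f["name"], read_clusters(img, g, f["cluster"], f["size"]))
                      for f in parse_dir(sub) if f["deleted"] and not f["is_dir"] and f["cluster"] >= 2]
    return found

def build_sample():
    # Constructed 9-sector image with a non-standard geometry (not a real diskette):
    # 512 bytes/sector, 2 sectors/cluster, 1 reserved, 1 FAT of 1 sector, 16 root entries.
    ent = lambda n, x, a, c, s: struct.pack("<8s3sB14xHI", n.ljust(8), x.ljust(3), a, c, s)
    img = bytearray(9 * 512)
    struct.pack_into("<HBHBH3xHHH", img, 0x0B, 512, 2, 1, 1, 16, 1, 9, 1)
    img[2 * 512:2 * 512 + 64] = ent(b"A", b"", 0x0F, 0, 0) + ent(b"\xe5LDDIR", b"", 0x10, 2, 0)
    img[3 * 512:3 * 512 + 32] = ent(b"\xe5ECRET", b"TXT", 0x20, 3, 11)
    img[5 * 512:5 * 512 + 11] = b"hello world"
    return bytes(img)
```

The recovered names begin with "?" because the original first character was replaced by E5 and cannot be read back from the entry.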

End of Lecture