Volume Analysis. What is a volume?  Carrier defines a volume: “… a collection of addressable sectors that an Operating System (OS) or application can.

Slides:



Advertisements
Similar presentations
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Advertisements

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts
Chapter 6 File Systems 6.1 Files 6.2 Directories
Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:
Storage Management Lecture 7.
Tasks in Setting Up a Hard Disk
Chapter 12: File System Implementation
File and Disk Maintenance
Hard Disk Drives Chapter 7.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 4: Organizing a Disk for Data.
File Management.
Lecture 13 storage management
Storing Data Chapter 4.
Test on Input, Output, Processing, & Storage Devices
1 Overview Assignment 11: hints File systems Assignment 10: solution Deadlocks & Scheduling.
© S Haughton more than 3?
Chapter 6 File Systems 6.1 Files 6.2 Directories
COMP091 – Operating Systems 1
Operating Systems File Management.
Addition 1’s to 20.
25 seconds left…...
Test B, 100 Subtraction Facts
Week 1.
Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery
BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.
Disk Fundamentals. More than one platter (round cylinders)
Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.
Genesis: from raw hardware to processes System booting sequence: how does a machine come into life.
BACS 371 Computer Forensics
Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
1 Web Server Administration Chapter 3 Installing the Server.
1 File Management in Representative Operating Systems.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
FDISK Partitioning Hard Disks. History We bought our new hard disk drive –Right size for BIOS and OS –Right connections (PATA/SATA) We installed our new.
Computer Forensics DOS Partitioning. Partitioning Practices  We separate partition practices into those used by Personal Computers:  DOS  Apple Servers.
1 Partitioning a Hard Drive ©Richard Goldman Revised January 8, 2001 Revised December 9, 2002.
A+ Guide to Managing and Maintaining Your PC Fifth Edition Chapter 8 Understanding and Installing Hard Drives.
Using Large Hard Drives in Linux Presented by Kevin McGregor Manitoba UNIX User Group March 12, 2013.
FAT Structure. File Allocation Table (FAT) File Systems Used with all flavors of Windows Supported by all Windows and UNIX varieties Used in flash cards.
CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak.
Lecture 9: The FAT and VFAT Filesystems 6/16/2003 CSCE 590 Summer 2003.
Bits, Bytes, Files, Hard Drives. Bits, Bytes, Letters and Words ● Bit – single piece of information ● Either a 0 or a 1 ● Byte – 8 bits of information.
PC Maintenance: Preparing for A+ Certification Chapter 10: Introduction to Disk Storage.
File System Management File system management encompasses the provision of a way to store your data in a computer, as well as a way for you to find and.
Windows NTFS Introduction to Operating Systems: Module 15.
Chapter 3 Partitioning Drives using NTFS and FAT32 Prepared by: Khurram N. Shamsi.
Lecture 27. Extended Read Service used for extended read is int 13h/42h On Entry AH=42H DL=drive # DS:SI= far address of Disk address packet On Exit If.
GUID Partition Table Unified Extensible Firmware Interface (UEFI)
FAT File Allocation Table
Chapter 7 Volume versus Partition. Cylinder, Head, and Sector (CHS) Hard or fixed disks store information on a revolving platter of metal or glass coated.
File system and file structures
Disk storage systems Question#1 (True/False) A track is divided into multiple units called sectors.
Hands-On Microsoft Windows Server 2008 Chapter 7 Configuring and Managing Data Storage.
Windows 10 vs. 7 – Disk Drives NORTH TEXAS PC USER GROUP WINDOWS INSIDE-OUT SIG GLYNN BROOKS FEBRUARY 20, 2016.
GUID Partition Table Unified Extensible Firmware Interface (UEFI)
GUID Partition Table Unified Extensible Firmware Interface (UEFI)
Introduction to Computers
Partitioning a Hard Drive
Booting Up 15-Nov-18 boot.ppt.
GUID Partition Table Unified Extensible Firmware Interface (UEFI)
GUID Partition Table Unified Extensible Firmware Interface (UEFI)
Presentation transcript:

Volume Analysis

What is a volume?  Carrier defines a volume: “… a collection of addressable sectors that an Operating System (OS) or application can use for data storage.”  Sectors in a volume need not be consecutive on one drive, i.e., RAID systems They should give that impression though  An example of a Volume with consecutive sectors is a single hard drive when you look at the entire drive as the volume.  May be made up of smaller volumes. 2

Partitions  A partition is a collection of consecutive sectors.  A partition is also a volume, but a volume is not necessarily a partition.  Partitions are used for: If a particular file system has a maximum size limit for its partition. Hibernation record keeping Backup partitions Different partitions for different operating systems or even different file systems. 3

Example 4 Figure 4.1, Carrier Partition 1Partition 2Partition 3 Hard Disk Volume C: VolumeD: VolumeE: Volume

Partition Tables StartEndType 099FAT NTFS NTFS 5 Figure 4.2, Carrier

Partitions in General Purpose of a partition system is to organize the layout of a volume. It is essential to know the starting and ending location of a partition.  Book describes them like property lines. If you don’t know where they are, it is kind of difficult to decide whose land you are on. Partition system is dependent on the operating system and not the Hard Drive interface.  SCSI or ATA/IDE does not matter. 6

UnixWindows Typical Windows vs. Unix 7 Volume 1 CD-ROM Volume 2 CD-ROM Volume 1 C: D: E: \Program Files\ \Windows\ /etc/ /mnt/cdrom/ /tmp/ /usr/ Figure 4.3, Carrier

Sector Addressing  Physical Address Exactly where is it on the disk?  Logical Disk Volume Address If there are multiple disks, where is it on the disk volume that you are on?  Logical Partition Address What is its location relative to the start of the partition? 8

Sector Addressing 9 Partition 1 Starting Address: 0 Partition 2 Starting Address: 864 Physical Address: 100 Logical Disk Volume Address: 100 Logical Partition Volume Address: 100 Physical Address: 964 Logical Disk Volume Address: 964 Logical Partition Volume Address: 100 Physical Address: 569 Logical Disk Volume Address: 569 Logical Partition Volume Address: N/A Figure 4.5, Carrier

Volume Analysis  Volume analysis starts with knowing where the partitions are, so the partition tables have to be located and analyzed to see the layout.  Once you have the layout, determine where the partitions start and stop, and if there are any parts of the volume that are not in a partition.  If there are merged volumes, you will need to access the data structures with the merging information to determine which volumes are merged. 10

Consistency Checking  This step is used to determine where the partitions are relative to the other partitions.  This allows the analyst to determine if there is potential evidence outside of the partitions.  A series of sanity checks is used for this. 11

Sanity Checks  Look to see if the last partition ends with the last sector of the volume. If it does not, you have this: 12 Partition 1Partition 2 Carrier, Fig. 4.6

Sanity Checks  Next, check to see where the consecutive partitions end and begin: 13 Carrier, Fig. 4.6 Partition 1Partition 2 Partition 1Partition 2 Partition 1Partition 2 Partition 1 Partition 2

Extracting Partition Data  dd can be used to extract exactly which sectors you want from a disk: dd if=disk1 of=part1 bs=512 skip=63 count= if – input file (original disk) of – output file (file to contain recovered partition) bs – block size (default is 512) skip – number of blocks of size bs to skip over at the beginning count – number of blocks to copy 14

DOS Partitions  Most common style  Master Boot Record Systems Contains boot code, partition table, and a signature value (1 st 446 bytes) Boot code contains boot instructions and points to the partition table. Partition Table 15

Data Structures Byte Range DescriptionEssenti al 0-445Boot CodeNo Partition Table Entry #1Yes Partition Table Entry #2Yes Partition Table Entry #3Yes Partition Table Entry #4Yes Signature Value (AA55)No 16 Carrier, Table 5.1

Data Structures for Partition Entries 17 Carrier, Table 5.2 Byte Range DescriptionEssenti al 0-0Bootable FlagNo 1-3Starting CHS AddressYes 4-4Partition Type (See Table 5.3)No 5-7Ending CHS AddressYes 8-11Starting LBA AddressYes 12-15Size in SectorsYes

Partition Table  Four entries (4 partitions)  Each entry has the following fields: Starting CHS address Ending CHS address Starting LBA address Number of sectors in partition Type of partition Flags 18

Partitions  Primary Partitions  Extended Partitions 19

Other Partition Systems  Apple Partitions  BSD Partitions  Solaris Slices  … 20

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.