Presentation is loading. Please wait.

Presentation is loading. Please wait.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Published byGriselda Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word."— Presentation transcript:

1 Files & Partitions BACS 371 Computer Forensics

2 Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word Byte Bit

3 File  Collection of Information written to a disk  Generally created in an application-specific format  Occupies a fixed number of clusters  Each file’s cluster has a pointer to the next cluster in the file  The final cluster contains the End of File (EOF) marker (hex FFFF)

4 Files  Logical File Size  Exact size of contents of file in bytes  Physical File Size  Amount of space a file occupies on disc in bytes  File Slack  Unused space between logical end of file and physical end of a cluster  Two types: RAM slack and Disk Slack Physical File Size

5 File Slack Example File Contents: “Hello world!” 12 bytes 2 nd Sector 3 rd Sector RAM Slack: 512 bytes – 12 bytes = 500 bytes Disk Slack: 4096 Bytes – 512 Bytes = 3584 Bytes (7 sectors) Assumptions: Sector Size = 512 Bytes Cluster Size = 4KB = 8 Sectors

6 Partitions  A partition is a logical volume within a physical volume (i.e., disk).  The Master Boot Record (MBR) of a disk defines the partitions found on the physical disk.  An MBR can define 4 primary partitions (max).  These partitions can be defined as “logical partitions.”  Logical partitions are capable of being further subdivided into smaller “extended” logical partitions.

7 MBR and Partitions Physical Disk Logical Volume MBR (1 sector) Unallocated space There can be up to 4 primary partitions defined in the master boot record (MBR)

8 Partitions

9 Partition Table 4 Entries First Entry Starts at offset 446 10 Master Boot Record (MBR) MBR “Signature” 0x55AA Executable Code Machine Language Code Processor Specific Decodes Partition Table 446 bytes long 446

10 Decoding a Partition Table Entry Entry #3 starting at offset 478 10 Bootable? Offset 0 Value 0x80 means bootable Starting Head Offset 1 1 Byte 0x00 = 0 Starting Head Starting Sector Offset 2 6 bits (use 6 LSB) Decode as bits 0xC1 = 1100|0001 6 LSB = 000001 = Sector #1 Starting Cylinder Offset 3 10 bits (use remaining 2 bits from sector as upper 2 bits) Decode as bits 0xFF = 1111|1111 10 bits = 11|1111|1111 = 0x3FF = Cylinder # 1023 File System Type Offset 4 Decode as table entry 0x0C = Win 95 Fat-32 LBA Ending Head 5 Ending Sector 6 Ending Cylinder 7 Relative Sectors ( start of partition ) Offset 8 4 Bytes Decode as Number (swap) 0x1D0D9045 = 487,428,165 # of sectors from start of drive to start of this partition Number of Sectors Offset 12 4 Bytes Decode as Number (swap) 0x000E37BA = 931,770 # of sectors in this partition 477,066,240 bytes (*512)

11 Partition Layout http://www.microsoft.com/library/media/1033/tech net/images/prodtechnol/winxppro/reskit/ch28/f28zs 07_big.jpg

12 Extended Partition Layout http://www.microsoft.com/library/media /1033/technet/images/prodtechnol/winx ppro/reskit/ch28/f28zs07_big.jpg

13 Extended Boot Record 446 4 th partition is an extended partition

14 Secondary Extended Boot Record 446

15 Partition Boot Record AKA File System Boot Sector  Within each partition that has a file system, a partition boot record is found.  It defines the details of the file system located in the partition.  It is 1 sector long and is the first physical sector in a logical volume.  C 0, H 1, S 1 for first partition. First sector (plus partition offset) in subsequent partitions.  Contains  Code  File System Specification Information

16 BIOS Parameter Block Executable Code Machine Language Code Processor Specific Decodes BPB Searches for OS PBR “Signature” 0x55AA Partition Boot Record (PBR)

17 Partition Boot Record  0 10 - 2 10 Jump Instruction (3 bytes)  3 10 - 10 10 OEM ID (8 Bytes)  11 10 - 83 10 BIOS Parameter Block (BPB) (includes all below plus additional fields) all offsets in this section are from start of the BPB counting from 0 offset 11 10 Bytes Per Sector2 Bytes offset 13 10 Sectors Per Cluster1 Byte offset 21 10 Media Descriptor1 Byte offset 24 10 Sectors Per Track2 Bytes offset 26 10 Number of Heads2 Bytes offset 28 10 Hidden Sectors4 Bytes offset 32 10 Total Sectors4 Bytes  62 10 - 511 10 Bootstrap Code (448 Bytes)  Ends with 55 AA NOTE: Offsets are from start of Partition, not start of Drive!

18 Decoding a Partition Boot Record (BIOS Parameter Block – BPB) Jump Instruction Offset 0 10 3 bytes OEM Name Offset 3 10 8 bytes Decode as ASCII “MSDOS5.0” Bytes Per Sector Offset 11 10 2 bytes Decode as Number (Swap “endian”) 0x0200 = 512 Sectors Per Cluster Offset 13 10 1 byte Decode as Number 0x08 = 8 8 * 512 = 4096 bytes/cluster Media Type Offset 21 10 1 byte Decode from Table 0xF8 means HD Sectors per Track Offset 24 10 2 bytes Decode as Number (Swap “endian”) 0x003F = 63 Heads Offset 26 10 2 bytes Decode as Number (Swap “endian”) 0x00FF = 255 Total Sectors Offset 32 10 4 bytes Decode as Number (Swap “endian”) 0x000E37BA = 931,770 477,066,240 Bytes FAT Size (Sectors) Offset 36 10 4 bytes Decode as Number (Swap “endian”) 0x0000038D = 909 465,408 Bytes (*512) 58,176 Entries (/4) 238,288,896 bytes addressed (*4096) File System Type Offset 82 10 8 bytes Decode as ASCII “FAT32 ”

19 Partition Boot Sector Decoded

20 Summary  Physical disks can be subdivided into logical volumes (partitions).  Each physical disk has a single MBR (1 st sector) that defines the primary and extended logical partitions.  There can be up to 4 partitions defined in the MBR. One or more of these can be defined as extended partitions. These can further be sub-divided.  Each logical partition has a partition boot record (1 st sector) that defines the structure within that partition.  The BIOS Parameter block of the partition defines the characteristics of the file system.

Download ppt "Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word."

Similar presentations

Chapter 12: File System Implementation

Chapter 12: File System Implementation
Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery

Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery
PC bootup Presented by: Rahul Garg (2003CS10183) Rajat Sahni (2003CS10184) Varun Gulshan(2003CS10191)

PC bootup Presented by: Rahul Garg (2003CS10183) Rajat Sahni (2003CS10184) Varun Gulshan(2003CS10191)
BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.

BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.
The ATA/IDE Interface Can we write a character-mode device driver for the hard disk?

The ATA/IDE Interface Can we write a character-mode device driver for the hard disk?
Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.

Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.
Computer Data Forensics Drive Slack and Format – Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,

Computer Data Forensics Drive Slack and Format – Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Computer Forensics BACS 371

Computer Forensics BACS 371
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.
Day 29 File System.

Day 29 File System.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
Managing Your Hard Disk and Operating System 23,26 March 2004 2:30pm - 4:00pm.

Managing Your Hard Disk and Operating System 23,26 March :30pm - 4:00pm.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.

1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.

Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.
Implementing Hard Drives Chapter 10

Implementing Hard Drives Chapter 10

Similar presentations

Ads by Google