Hard Disk Drive Forensic

8/8/2019 Hard Disk Drive Forensic

http://slidepdf.com/reader/full/hard-disk-drive-forensic 1/45

Hard Disk Drive Forensic



The Important of Hard Disk Drivey HDD is the most significant method of data storage

y Relatively low internal data transfer rates

y Immature optimization algorithmsy Lifetime of data written to HDD is longer than any

other media



Understanding HDDy Physical Layer

y Volume

y File Systemy File





HDD Physical Layery Major components of HDD

y Platter

y Controllery Read/Write Head



HDD Componentsy Platter



HDD Componentsy Controller



HDD Componentsy Read/Write Head



Physical Disk Geometry



Physical Disk Geometryy One head for each surface

y All tracks at r=dn form a cylinder

y The number of sectors varies with the cylindery Each sector has 512+ octets of information

y Why 512+ ?

y Not all portions of the disk are addressable by theOS



Physical Disk Geometryy One head for each surface



Physical Disk Geometryy Cylinder



Physical Disk Geometryy Sector



MagneticMedia Storagey Data will be written from surface one to surface n

(beginning sector to end sector)

yEach platter has two surfaces

y Last surface is used for positioning andsynchronization



Low Level Format Low level formatting creates units of storage called

sectors

Most modern HDDs use 512+ octet sectors ± The + accounts for sector overhead bytes (differs by

manufacturer)

O verhead bytes provide error correction and timing

recovery functions Bad sectors are automatically remapped to redundant

sectors by the HDD controller



Some Key Issues in HDD Physical

Layer Forensicy O verwritten data can potentially be recovered

y Not all areas of a HDD can be accessed through

standard ATA commandsy E.g. sector overhead, administrative storage, excluded

storage

y Bad sectors are remapped to redundant sectors and no

longer addressable (i.e. through ATA commands)



HDD Volumesy Volumes are logical storage containers on HDD

y Volumes can contain almost any data structure

y File systemsy Databases

y Swap space

y Hidden backups

y Redundant sectors



Partitioning TheMaster Boot Record (MBR) is created and includes

theMaster Boot Code (MBC) and theMaster Partition

Table (MPT) ± Always at sector 1 on any bootable media

MBC is executed at boot if the HDD is designated asthe boot device

MPT contains information about logical volumes(partitions), including the active partition (i.e. whosethe Volume Boot Code will be executed)





The Boot Process Begin execution from R OM

Jump to BIOS power on self test

System initialization from CMOS and device BIOS

Transfer execution to master boot record (MBR) atcylinder 0, head 0, sector 1 of boot media (if it exists)

Transfer execution to boot code on active partitionindicated by the master partition table in MBR ± Hundreds of files are modified/touched

± Constant memory and HDD modification



y High level format file systems

y Flash back

y Blank media

y Low level format

HDD High Level Format

Sectors

(512 + B)Redundant Sectors

(512 + B)





y High level format creates the file systems

y Sectors are too small for most HDD (address space is

too large)y Sectors are grouped into groups of N to form clusters

y Clusters = Blocks = Fragments = Different names forthe same thing




MPT now contains file system type and cluster size

± Cluster sizes are multiple of 512 octets (sector size)

±

Cluster is file size for the operating system A file system structure is created

± FAT creates file allocation table

± NTFS creates a master file table

± Linux Ext2/3 creates a virtual file system ± Each file system behaves differently




y HDD Size = Number of platters * number of heads *number of sectors * 512

HDD Size



y The DOS file system file allocation table (FAT) wasnever designed to handle storage device with more

than 32767 units of data. 32767 is the largest numberthat can be represented with 16 bits.

y Data is written in sectors of 512 bytes (hard drives,floppy), or 2048 bytes (CD-R OM).

Disk Size



y In FAT16, maximum unit of data that can be handledis,

= (2^15) - 1 ->>>> 32767 unitIf each unit represent one sector, what is the size of the

data storage?

= 16MB

Disk size an exercise



y This set an arbitrary limit on disk storage devices of 512x32767 = 16MB.

y That simply means, the maximum hard disk size =16MB.

y If the size of the hard disk is more than 16MB, whathappened?

There will be sectors that cannot be referred or has noreference in the file allocation table

Disk Size



Disk Size

y To accommodate larger drives the concept of clusters was invented.

y Clusters are a group of sectors written as a single

atomic unit.

y The larger the drive capacity the more sectors aregrouped into clusters. (up to 128 sectors)





Disk Sizey What about FAT32?

y What about the maximum size of the disk?

Activity 1: What is the maximum size of the disk forFAT32 filesystem

= 17TB



Disk Sizey Because sectors are at the hardware level and

clusters are at the operating system level, you often

hear techie types refer to sectors as physicaladdress space and clusters as logical addressspace.



y A sector is the smallest addressable unit of a hard disk.

y A cluster is a fixed number of contiguous sectors (but not necessarily physically contiguous).

y As you use files, increase and decrease their size and create new files,formerly contiguous clusters are now scattered randomly across yourhard disk, which is referred to as fragmentation.

y Most operating systems, including Windows, have their owndefragmentation utilities.

y Periodic defragmentation of your hard disk will reduce the risk of dataloss and improve overall system performance.

Things to remember about FAT



y In Computer forensic, we are interested in category 5 of the stored data

y 5 categories of stored data:y Onliney Offliney Near-liney Backup tapesy Fragmented/hidden/deleted/encrypted

y So where to find category 5 stored data?

Where to find hidden data



y With clustering comes slack space

y What is slack space?y

Space between end of file and end of cluster

y Consider a file containing 4628 bytes

Slack Space

Sector

(512 bytes) Cluster (2*512 bytes)



y 4628 = (1024 * 4) + 532 bytes

y 4 full clusters and part of fifth cluster

y There will be (5 clusters * 1024) 4628

= 492 unused octets or slack space

Slack Space

Slack space

(492 octets



y RA M Slack

y If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the

file system will pad the data out to the end of the currentsector with RA M slack.

y RA M slack is random data that happens to be in RA M memory at the time the file is written.

y

It can contain any data that you were working on since you last booted the PC. Such as emails, worddocuments, graphics, etc.

Slack Space



y Drive Slack

y Unlike RA M slack which comes from working storage,

drive slack is data left on the drive from a previous file.y After completing the last partial sector with RA M slack,

subsequent whole sectors in the last cluster are left as is with whatever data was written there previously.

y This is possible because deleting a file only removes itfrom the FAT, the data remains on the drive until thesector it occupies is overwritten by a subsequent file.

Slack Space



` When a file is deleted, the file system puts a marker in itsfile management system to let the system know that thefile is no longer at that cluster or block.

` By doing this, the file system logically deletes the file fromits records in an efficient manner, but hasnt physically worked its way through the storage device and wiped outthe binary data.

Deleted File



` By saving itself from doing this task, the operating systemhas left behind a virtual binary archeological site that youcan sift through.

` The irony here is that as storage devices get bigger, theamount of data left over from previous deletions staysintact longer because so much more storage space isavailable to work with.

Deleted File



y Unall ocated space is space that the file system considersempty and ready for use.

y Even though the operating system thinks the area is empty, you can find quite a bit of data there.

Unallocated space



y Older file systems, such as DOS, tend to have deleted datain unallocated space more so than modern Microsoft

computers because newer operating systems essentially usea two-step process involving the Recycle Bin to delete files.

y In this case, check the Recycle Bin first and then check theunallocated space.

Unallocated space



` Y ou can also find cached data in unallocatedspace.

` For example, when youre viewing your Y ahoo! e-mail, the screen is cached to the storage device atcertain times.

` This caching is used to speed up the viewing of your Web page, but has the unintended effect of saving the Web page you were viewing even afterthe cache file has been deleted.

Unallocated space



y Provides data storage and retrieval

y Associates names with data files

y Organize files into parent directoriesy Stores file attributes

y Modify, access, creation times

y Disk blocks used for file storage

y Maintains lists of unallocated disk blocks

Role of a file system



y Several forensic tools area available to help usunderstanding hard disk structure

y Next lecture will introduce several forensic toolsrelated to hard disk investigation

Investigating Hard Disk Structure

Documents

Hard Disk Drive Forensic