Chapter 05 - Notes and Definitions
Three current versions of FAT
FAT16, FAT32, and exFAT (used for personal storage devices)
Three older FAT formats are
FATX, Virtual FAT (VFAT) and FAT12
The partition table is in the
MBR (master boot record), located at sector 0 of the disk drive.
For FAT32 file systems, cluster sizes are determined by
the OS. Clusters can range from 1 sector (512 bytes) to 128 sectors (64 KB)
RAM Slack
The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found primarily in older Microsoft OSs.
File Slack
The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
Test the feature with a
USB drive easily by copying data to it, deleting it, and then making a forensic acquisition with any acquisition tool such as OSForensics or X-Ways Forensics immediately after the data is deleted
In some instances you might need to identify the OS on an unknown disk
Use WinHex or another hexadecimal editor
Logical addresses
When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers. EXAMPLE: cluster address 100 is 98 clusters from cluster address 2.
A manufacturer engineers a disk to have
a certain number of sectors per track, and typically a disk drive stores 512 bytes per sector.
If data is hidden in this partition gap
a disk editor utility could be used to access it.
Microsoft OSs
allocate disk space for files by clusters; this practice results in drive slack
Wear Leveling
an internal firmware feature used in solid state drives that ensures even wear of read/writes for all memory cells
Tracks
are concentric circles on a disk platter where data is located
Other disk properties such as ZBR, track density, areal density, and head and cylinder skew
are handled at the drive's hardware or firmware level
Disk drives
are made up of one or more platters coated with magnetic material, and data is stored on platters in a particular way.
Clusters
are storage allocation units of one or more sectors. They range from 512 bytes up to 32,000 bytes each.
When the OS stores data in a FAT file system, it
assigns a starting cluster position to a file. Data for the file is written to the first sector of the first assigned cluster. When this first cluster is filled and runs out of room, FAT assigns the next available cluster to the file. If the next cluster isn't contiguous to the current cluster, the file becomes fragmented.
Another technique to hide incriminating digital evidence at the end of a disk
is to declare a smaller number of bytes than the actual drive size. With disk editing tools, you can access these hidden or empty areas of the disk
Partitions containing unused space
can be created between the primary partitions or logical partitions
Someone who wants to hide data on a hard disk
can create hidden partitions or voids - large unused gaps between partitions on a disk drive
In Microsoft file structures, sectors are grouped to form
clusters
CMOS
The computer stores system configuration and date and time information in _____
First sector of all disks
contains a system area, the boot record, and a file structure database.
BIOS & EFI
contain programs that perform input and output at the hardware level. They are designed for specific firmware.
Typically, chained clusters are
contiguous on disk. However, as some files are created and deleted and other files are expanded, the chain can be broken or fragmented.
It's possible to
create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
USB and other solid-state drive systems are different
in that memory cells continuously shift data at the physical level to other cells that have fewer reads and writes.
All SSDs have an
internal power source for memory cells (both allocated and unallocated) so they can preserve data
Cylinder
is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom
Partition
is a logical drive on a disk. It can be the entire disk or part of the disk
Zone bit recording
is a method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks. Grouping tracks by zones ensures that all tracks hold the same amount of data
Sector
is a section on a track, usually made up of 512 bytes.
Drive Slack
is composed of the unused space in a cluster between the end of an active file's content and the end of the cluster. It includes RAM slack (found mainly in older Microsoft OSs) and file slack.
EFI
is designed for x64 computers and GPT-formatted disks
Head
is the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides
File Allocation Table (FAT)
is the original Microsoft file structure database designed for floppy disks. It's used to organize files on a disk so that the OS can find the files it needs. Variants are FAT12, FAT16, FAT32, VFAT, and FATX
Track density
is the space between tracks on a disk. The smaller the space between tracks, the more tracks on a disk. Older drives with wider track densities allowed the heads to wander.
Purpose of shifting (rotating) data from one memory cell to another
is to make sure all memory cells on the flash drive wear evenly.
One way to examine a partition's physical level
is to use a disk editor; WinHex or Hex Workshop tools enable you to view file headers and other critical parts of a file. Both involve analyzing key hexadecimal codes the OS uses to identify and maintain the file system
Partition gap
is unused space or void between the first primary partition and the first logical partition
If you make another acquisition of the USB drive a day or more later
it reveals that the previously recoverable deleted data no longer exists.
The OS assigns these cluster numbers referred to as
logical addresses
When dealing with an SSD
make a full forensic copy as soon as possible, as it's crucial in case you need to recover data from unallocated disk space
When the subject computer starts
make sure it boots to a forensically configured CD, DVD, or USB drive, because booting to the hard disk overwrites and changes evidentiary data. To do this, access CMOS setup by monitoring the computer during the bootstrap process to identify the correct key or keys to use.
Combining sectors
minimizes the overhead of writing or reading files to a disk.
To determine total number of addressable bytes on a disk
multiply the number of cylinders by the number of heads (actually tracks) and by the number of sectors (groups of 512 or more bytes). This formula is the "cylinder, head, and sector (CHS) calculation"
Areal density
number of bits per square inch of a disk platter - this number includes the unused space between tracks
MBR (master boot record)
on Windows and DOS computers, the boot disk file contains information about partitions on a disk and their locations, size, and other important items
The OS groups
one or more sectors into a cluster
When data is deleted on a hard drive
only references to it are removed, which leaves original data in unallocated disk space
Many hard disks are
partitioned, or divided into two or more sections
Memory cells are designed to
perform 10,000 to 100,000 reads/writes, depending on manufacturer. When that limit is reached, they can no longer retain data
Sector numbers are referred to as
physical addresses
First acquisition
produces recoverable artifacts
Geometry
refers to a disk's logical structure of platters, tracks and sectors
Safe method to verify BIOS
removing all hard drives from the computer enables you to start the computer to verify its BIOS date and time without accessing the disk drive
Clusters are numbered
sequentially, starting at 0 in NTFS and 2 in FAT
Tracks also follow a numbering scheme that
starts from 0 (the first value in computing). So if a disk lists 79 tracks, you actually have 80 tracks, 0 to 79.
Unintentional side effect of FAT16 allowing large clusters was
that it reduced fragmentation as cluster size increased.
When you run out of room in the allocated cluster,
the OS allocates another cluster for your file. As files grow and require more disk space, assigned clusters are chained together.
Physical addresses
the actual sectors in which files are located. Sectors reside at the hardware and firmware level. They also go from address 0 (the first sector on the disk) to the last sector on the disk
In addition, when data is rotated to another memory cell
the old memory cell addresses are listed in a firmware file called a "garbage collector." At some point, the flash drive's firmware erases data in unallocated cells by overwriting the value of 1 in all cells listed in the garbage collector file
Unused space between partitions is called
the partition gap
Windows OSs can have
three primary partitions followed by an extended partition that can contain one or more logical drives.
FAT16
To handle larger disks, Microsoft developed FAT16, which is still used on older Microsoft OSs such as MS-DOS 3.0 through 6.22, Windows 95 (1st release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 4 GB
Flash memory storage
used in USB drives, laptops, tablets, and cell phones can be a challenge because if deleted data isn't recovered immediately it might be lost forever. REASON: all flash memory devices have wear leveling
The number of sectors in a cluster
varies according to disk size. Example: a double-sided floppy disk has one sector per cluster; a hard disk has four or more sectors per cluster
FAT12
this version is used mainly for floppy disks and has a limited amount of storage space. It was originally designed for MS-DOS 1.0 (the first Microsoft OS, used for floppy disk drives and drives up to 16 MB)
If you let a USB drive sit and write no additional data to it
wear leveling automatically overwrites the unallocated space
FAT32
when disk technology improved and disks larger than 2 GB were developed, Microsoft released FAT32, which can access larger drives
Clusters and their addresses are specific to a logical disk drive
which is a disk partition
Bootstrap process
which is contained in ROM, tells the computer how to proceed
With tools such as WinHex
you can also identify file headers to determine the file types with or without an extension
In a hexadecimal editor such as WinHex
you can find the first partition entry starting at offset 0x1BE; the second partition entry starts at 0x1CE, the third at 0x1DE, and the fourth at 0x1EE
When attempting to connect the device
you will get an access failure message; the process is controlled by the flash device's firmware
Other OSs such as Linux and Macintosh can
format, read and write to FAT storage devices such as USB drives and SD cards
Head and Cylinder Skew
A method manufacturers use to minimize lag time. The starting sectors of tracks are slightly offset from each other to move the read-write head.
File system
gives an OS a road map to data on a disk. The type of file system an OS uses determines how data is stored on the disk.
FAT version in Microsoft DOS 6.22
had a limitation of 8 characters for filenames and three characters for extensions
Cluster sizes vary according to
hard disk size and file system.
To make sure you don't contaminate or alter data on a suspect's system you must know
how to access and modify CMOS, BIOS, EFI, and UEFI settings
Key to access CMOS
depends on the computer's BIOS. Keys: Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+S, Ctrl+F1, F2, or F10.
BIOS
designed for x86 computers and typically used on disk drives with MBRs.
UEFI
developed by Intel, defines the interface between a computer's firmware and the OS.
exFAT
developed for mobile personal storage devices such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks. The exFAT file system can store very large files such as digital images, video, and audio files.
VFAT
developed to handle files with more than 8-character filenames and three-character extensions; introduced with Windows 95. VFAT is an extension of other FAT file systems.
For mobile device forensics
this feature is important, especially if a suspect deleted relevant messages, for example, just before the device was seized and taken into evidence