
CSC414 Computer System Fundamentals

Digital Forensics Center
Department of Computer Science and Statistics
URI - THINK BIG WE DO
http://www.forensics.cs.uri.edu

Formatting a Disk

Preparing a disk for use
- Low-Level Format - Places tracks and sectors on platters
- Partition Disk - Creates logical disks (volumes) - Hard Disk Only
- High-Level Format - Creates and initializes for each volume

Logical Areas of a Disk

- Boot Record
- File Allocation Table (FAT) and a copy
- Root Directory
- Data Area

Boot Record

Master Boot Record (MBR)
- Physical Location
  - Cylinder 0, Side 0, Sector 1 (0, 0, 1)
  - First sector, on the first track, on the first side
  - First sector read by BIOS
- Contains disk information
  - Partition start, end and number of sectors
- Partition Table
  - If bootable, location of boot volume VBR

Volume Boot Record (VBR)
- Logical Location
  - Sector 0 on volume or partition
  - Often is Sector 63 on DOS disks
- Contains bootstrap startup code for system boot sequence
  - A very short program that reads the rest of the
- Volume Information
  - Number of bytes per sector
  - Total number of sectors per disk
  - Number of sectors per track
  - Number of heads
- Signature >> 55AA Hex
  - located in the last two bytes of the sector

Boot Record

For a floppy diskette:
- There is only a master boot record (MBR)
- A valid MBR is required to access any diskette, either bootable or non-bootable
- Attempting to boot from a bootable diskette with a missing or corrupt MBR gives a NON or DISK ERROR message
- An invalid MBR on a data diskette results in a GENERAL FAILURE
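An added example, not part of the original slides: a Python sketch that checks the 55AA signature in the last two bytes of a boot sector and reads the MBR partition table to find the sector of the boot volume's VBR. The table offset (446), the 16-byte entry layout and the 0x80 bootable flag are the standard MBR layout rather than values from the slides, and the sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries sit just before the signature
SIGNATURE = b"\x55\xaa"        # 55AA hex, the last two bytes of the sector
ENTRY_FORMAT = "<B3xB3xII"     # status, CHS start, type, CHS end, start sector, count


def has_boot_signature(sector):
    """True if the sector is 512 bytes long and ends with 55AA."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition table entries of an MBR sector."""
    if not has_boot_signature(sector):
        raise ValueError("missing 55AA signature: not a valid boot record")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, first, count = struct.unpack(ENTRY_FORMAT, sector[start:start + 16])
        if ptype == 0:                      # type 0 marks an unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start_sector": first, "sectors": count})
    return entries


def boot_vbr_sector(sector):
    """Sector holding the boot volume's VBR, or None if no partition is bootable."""
    for entry in parse_mbr(sector):
        if entry["bootable"]:
            return entry["start_sector"]
    return None


def build_sample_mbr():
    """Constructed sample: one bootable FAT16 partition starting at sector 63."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        ENTRY_FORMAT, 0x80, 0x06, 63, 1_000_000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    print(parse_mbr(build_sample_mbr()))
    print("VBR at sector", boot_vbr_sector(build_sample_mbr()))
```
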

File Allocation Table

File Allocation Table (FAT)
- System for storage of files and subdirectories in Data Area
- Maintains the clusters used by every file on the disk
- If a file uses more than one cluster:
  - FAT points to the next cluster
  - "A chain of clusters"
- FAT marks the last cluster in a chain
  - Hex: FFF
- Which clusters are available for use
- Which clusters have bad sectors
  - Hex: FF7

[Figure: FAT cluster chain for myFile.docx. Cluster size: 4 KB (8 blocks). myFile.docx: 14 KB; clusters needed: 4 (16 KB). System Directory entry: myFile.docx, File Start = 45. FAT columns "Cluster" and "Next"; entries shown include 44 -> 0, 45 -> 46, 46 -> 49 and 49 -> 50. Unused extra space at end of cluster is called Slack.]

File Allocation Table

File Allocation Table (FAT)
- Number of entries (clusters) is limited by the number of bits used to represent cluster IDs (numbers)
- Numbering for data clusters begins at 2
- Clusters 0 and 1 are for system data (Boot Record, FAT, and Root Directory)

|                            | FAT/FAT12          | FAT16                | FAT32          |
|----------------------------|--------------------|----------------------|----------------|
| Maximum Number of Clusters | 4084               | 65,526               | 268,435,456    |
| Cluster Sizes (sectors)    | 1 to 8             | 4 to 64              | 8 to 64        |
| Cluster Sizes              | 0.5 KB to 4 KB     | 2 KB to 32 KB        | 4 KB to 32 KB  |
| Maximum Volume Size        | 16,736,256 (16 MB) | 2,147,123,200 (2 GB) | about 2^41     |

Cluster size is determined by the operating system and file system and depends on partition size.

maxVolumeSize = maxClusterSize x maxNumberOfClusters
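An added example, not part of the original slides: following a file's chain of clusters through a FAT12 table, using the chain from the figure (File Start = 45, then 46, 49, 50, end marker FFF). The 12-bit packing (two entries per three bytes) and the FF8 to FFF end-of-chain range are standard FAT12 details assumed here; the table contents are constructed.

```python
END_OF_CHAIN_MIN = 0xFF8   # FAT12 values FF8..FFF end a chain; the slide shows FFF
BAD_CLUSTER = 0xFF7        # cluster with bad sectors


def fat12_get(fat, cluster):
    """Read the 12-bit entry for `cluster` (two entries share three bytes)."""
    offset = cluster * 3 // 2
    pair = fat[offset] | (fat[offset + 1] << 8)
    return pair >> 4 if cluster & 1 else pair & 0x0FFF


def fat12_set(fat, cluster, value):
    """Write a 12-bit entry without disturbing its neighbour."""
    offset = cluster * 3 // 2
    pair = fat[offset] | (fat[offset + 1] << 8)
    if cluster & 1:
        pair = (pair & 0x000F) | (value << 4)
    else:
        pair = (pair & 0xF000) | (value & 0x0FFF)
    fat[offset], fat[offset + 1] = pair & 0xFF, pair >> 8


def follow_chain(fat, start):
    """Return a file's clusters in order, starting from its directory entry."""
    entries = len(fat) * 2 // 3
    chain, seen, cluster = [], set(), start
    while cluster < END_OF_CHAIN_MIN:
        # data clusters start at 2; free (0), bad (FF7) or out-of-range is damage
        if cluster < 2 or cluster == BAD_CLUSTER or cluster >= entries:
            raise ValueError(f"chain {chain} leads to invalid entry {cluster:#05x}")
        if cluster in seen:
            raise ValueError(f"loop in FAT chain at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        cluster = fat12_get(fat, cluster)
    return chain


def build_sample_fat():
    """Constructed FAT: chain 45 -> 46 -> 49 -> 50 -> FFF, cluster 47 marked bad."""
    fat = bytearray(96)    # room for 64 twelve-bit entries, all free (0)
    for cluster, nxt in {45: 46, 46: 49, 49: 50, 50: 0xFFF, 47: BAD_CLUSTER}.items():
        fat12_set(fat, cluster, nxt)
    return bytes(fat)


if __name__ == "__main__":
    print(follow_chain(build_sample_fat(), 45))
```
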

Root Directory

Root Directory
- Directory of items at root level of volume
- One entry for each
  - Root Directory File or
  - Root Subdirectory
- Total size of the root directory is fixed
  - Dependent on the media and format
  - Maximum number of entries it can contain is fixed
  - (1.44 MB)
    - maximum of 224 entries
  - Most Hard Disks
    - 512 root directory entries

Directory Entries
- 32 bytes of information
  - File Name or Subdirectory Name
  - Starting Cluster
    - the beginning of the chain of clusters
  - Size in bytes
  - Date and Time Groups (DTG)
    - Creation DTG
    - Modification DTG
    - Last Access DTG
  - Attributes
    - read-only?
    - hidden?
    - system?
    - executable?
    - subdirectory?

Subdirectories
- A file with information about other files
- Treated similar to files
- Can be created, modified and deleted
- Consumes entire cluster
- Special Subdirectory entries:
  - . dot referred to as "self"
  - .. dot-dot called "parent"

[Figure: directory tree. The Root Directory contains files and subdirectories; subdirectories contain further files and subdirectories.]

Data Area

Data Area
- Remainder of the volume/partition
  - where file and subdirectory data is stored
- Logical Addressing of this area is by Logical Sector Number or Cluster
- First cluster referenced in FAT is 2
- Cluster numbers are consecutive until the end of the Data Area

Slack
- Unused space at end of sector or cluster
  - can contain erased and/or hidden data

[Figure: Cluster size 4 KB (8 blocks); myFile.docx 14 KB; clusters needed: 4 (16 KB). Operating system must allocate 2 KB more than needed for file.]

File Slack (Disk Slack)
- Data found in unused blocks of cluster
  - all types of digital data
  - Previous directories and files, previous RAM slack, previously unused space, and space overwritten with a disk cleaning utility.

RAM Slack
- Data found in unused bytes of a block
- Prior to Windows 95, RAM Slack was obtained from active RAM and could contain useful data
- Starting with Windows 95 RAM slack is filled with hex 00

[Figure: myFile.docx laid out across clusters and sectors / blocks, with RAM Slack and File Slack marked.]

apples.cpp

```cpp
/** apples.cpp
    Computes the cost per apple of a box of apples
    Input: cost of box of apples
    Output: the input data
            the cost per apple if bought by the box
*/
#include <iostream>
using namespace std;

int main() {
    const int APPLES_PER_BOX = 24;
    double costPerBox = 0.0;

    // Read the price of a whole box from the user
    cout << "How much does a box of apples cost? $";
    cin >> costPerBox;
    double costPerApple = costPerBox / APPLES_PER_BOX;

    // Echo the input data and report the per-apple cost
    cout << "\nApples per box: " << APPLES_PER_BOX << endl;
    cout << "Cost per box: $" << costPerBox << endl;
    cout << "Cost per apple: $" << costPerApple << endl;

    return 0;
} // end main
```

University of Rhode Island
CSC 414 Computer System Fundamentals
Summer 2011 Syllabus

Teaching Staff: Victor Fay-Wolfe, Timothy Henry, Sean Alvarez, Kevin Bryan

Course Meets: Online, May 23 - July 29
Course Web Page: https://homepage.cs.uri.edu/courses/online/woc/

Goals:
- Learn the principles and concepts underlying computer operating systems
- Learn to install, configure, and manipulate a modern computer operating system
- Learn the principles and concepts underlying computer networks
- Learn to install, configure, and manipulate modern computer networks
- Learn the basics of computer and network hardware
- Introduce digital forensics concepts and practices
- Introduce OS and network tools and concepts used in digital forensics

Course Materials:

Textbooks
- The Architecture of Computer Hardware, Systems Software & Networking: An Information Technology Approach, 4th Edition, By Irv Englander, 2009 John Wiley & Sons, Inc.; ISBN: 978-0471-71542-9
- (Optional) A+ Certification All-In-One Exam Guide, 7th Edition, By Mike Myers, 2010 McGraw Hill Publishing; ISBN: 978-0-07-170133-4 (only if student wants to pursue A+ certification)

Software
- WinHex Specialist (discounted academic pricing available)
- Other Forensics software (VMware, and others)
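An added example, not part of the original slides, for the Slack, File Slack and RAM Slack slides: it splits a file's final cluster into file data, RAM slack (the rest of the last block) and file slack (the unused blocks), then checks whether the RAM slack is hex 00 and whether the file slack still holds older data. The 512-byte block and 8-block cluster match the slide figure; the cluster contents and function names are constructed for illustration.

```python
SECTOR_SIZE = 512                        # one block
SECTORS_PER_CLUSTER = 8                  # 4 KB cluster, as in the slide figure
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def slack_layout(file_size):
    """Sizes in bytes of the slack left after a file of `file_size` bytes."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    clusters = -(-file_size // CLUSTER_SIZE)          # ceiling division
    used_sectors = -(-file_size // SECTOR_SIZE)
    ram_slack = used_sectors * SECTOR_SIZE - file_size
    file_slack = clusters * CLUSTER_SIZE - used_sectors * SECTOR_SIZE
    return {"clusters": clusters, "ram_slack": ram_slack, "file_slack": file_slack}


def split_last_cluster(last_cluster, file_size):
    """Split the final cluster into (file data, RAM slack, file slack)."""
    layout = slack_layout(file_size)
    data_end = CLUSTER_SIZE - layout["ram_slack"] - layout["file_slack"]
    ram_end = data_end + layout["ram_slack"]
    return last_cluster[:data_end], last_cluster[data_end:ram_end], last_cluster[ram_end:]


def review_slack(last_cluster, file_size):
    """Report whether RAM slack is all hex 00 and what file slack still holds."""
    _, ram, file_slack = split_last_cluster(last_cluster, file_size)
    return {"ram_slack_zeroed": not any(ram),
            "file_slack_residue": file_slack.strip(b"\x00")}


def build_sample_cluster(file_size):
    """Constructed final cluster: new file tail written over an older file."""
    layout = slack_layout(file_size)
    data_len = CLUSTER_SIZE - layout["ram_slack"] - layout["file_slack"]
    cluster = bytearray((b"OLD-FILE-REMNANT " * 256)[:CLUSTER_SIZE])
    cluster[:data_len] = b"N" * data_len               # current file's data
    cluster[data_len:data_len + layout["ram_slack"]] = bytes(layout["ram_slack"])
    return bytes(cluster)


if __name__ == "__main__":
    print(slack_layout(14 * 1024))       # the slide's 14 KB myFile.docx
    report = review_slack(build_sample_cluster(14000), 14000)
    print(report["ram_slack_zeroed"], report["file_slack_residue"][:34])
```
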
