Hard Drive
To understand how file systems work on different OSs, you must be familiar with the physical organization of the hard disk drive. A hard drive is like a record player, except that the hard drive can handle multiple stacks of records. On a hard drive, the magnetic media are called platters, and data is written on them by a read/write arm that has a head (analogous to a needle).
Hard drives consist of several platters with a read/write head for each platter surface (one or both sides of a platter may be used). The data on each surface is physically organized into tracks and sectors. A track is an individual concentric circle on the platter surface. The set of tracks that sit at the same radius on every surface, one per head, is called a cylinder; because the heads move together, a whole cylinder can be read without moving the arm. A sector is a slice of a track and traditionally holds 512 bytes (most drives made since about 2011 use 4,096-byte physical sectors and emulate 512-byte sectors for compatibility, so check what the drive reports before doing sector arithmetic). By knowing the geometry of a hard disk drive, you can determine its maximum storage capacity.
Bytes = C * H * S * 512
C is the number of cylinders on the disk (cylinder and track numbering starts with 0, not 1)
H is the number of heads, which is also the number of tracks per cylinder
S is the number of sectors per track (sector numbering within a track starts with 1)
The geometry a modern drive reports is a logical translation rather than its physical layout; the drive itself addresses sectors by a single linear block address (LBA), and CHS values survive mainly in legacy MBR partition tables.
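The following Python is an added example, not part of the original page: it applies the capacity formula above and goes one step beyond it, converting between CHS tuples and the linear sector numbers (LBA) that BIOS INT 13h and MBR partition entries use. The 1024 x 16 x 63 geometry is the one behind the old 504 MiB BIOS/ATA limit; the 512-byte sector size is an assumption stated in the code.

```python
# Added example (not from the original page): CHS geometry arithmetic.
# Capacity follows the page's formula; the CHS <-> LBA mapping is the one used
# by BIOS INT 13h and the MBR partition table. Cylinders and heads count from 0,
# sectors within a track count from 1.
from dataclasses import dataclass

SECTOR_BYTES = 512  # assumption: classic 512-byte sectors


@dataclass(frozen=True)
class Geometry:
    cylinders: int   # C: cylinders on the disk
    heads: int       # H: heads, i.e. tracks per cylinder
    sectors: int     # S: sectors per track

    def capacity_bytes(self) -> int:
        """Bytes = C * H * S * 512 (the page's formula)."""
        return self.cylinders * self.heads * self.sectors * SECTOR_BYTES

    def chs_to_lba(self, c: int, h: int, s: int) -> int:
        """Linear sector number of the CHS tuple (c, h, s)."""
        if not (0 <= c < self.cylinders and 0 <= h < self.heads and 1 <= s <= self.sectors):
            raise ValueError(f"CHS {(c, h, s)} is outside geometry {self}")
        return (c * self.heads + h) * self.sectors + (s - 1)

    def lba_to_chs(self, lba: int) -> tuple[int, int, int]:
        """Inverse mapping; raises if the LBA lies beyond the end of the disk."""
        if not 0 <= lba < self.cylinders * self.heads * self.sectors:
            raise ValueError(f"LBA {lba} is beyond the end of the disk")
        c, rem = divmod(lba, self.heads * self.sectors)
        h, s = divmod(rem, self.sectors)
        return c, h, s + 1


# Constructed sample: the largest geometry addressable by both the BIOS (1024
# cylinders) and the original ATA spec (16 heads), i.e. the old 504 MiB limit.
BIOS_LIMIT = Geometry(cylinders=1024, heads=16, sectors=63)

if __name__ == "__main__":
    print(BIOS_LIMIT.capacity_bytes() // 2**20, "MiB")
    print(BIOS_LIMIT.chs_to_lba(1, 0, 1))   # first sector of cylinder 1
    print(BIOS_LIMIT.lba_to_chs(1008))      # (1, 0, 1)
```

Note that the mapping is only meaningful for the geometry the partition table was written against; a disk moved to a controller that reports a different translation will yield different CHS values for the same LBA, which is why forensic tools work from LBA and treat the CHS fields in an MBR as advisory.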
Types of Hard Drive Formatting
The two types of hard drive formatting are low and high level. Low-level formatting creates the tracks and sectors on the drive. These tracks and sectors form the physical blocks of storage of 512 bytes each.
High-level formatting is file system specific, including the Microsoft file systems (FAT12, FAT16, FAT32, and NTFS) and the open-source Linux file systems (ext2, ReiserFS, and XFS).
Low-level formatting is done by the hard drive vendor at the factory; on modern drives it cannot be redone by the user. High-level formatting is done when the OS is installed or when a volume is formatted. High-level formatting creates the hard drive's file system and allows the OS to store files by dividing them into smaller pieces and saving them in separate clusters (a grouping of sectors) on the disk. The OS uses this file system to keep track of the placement and sequence of each piece and to identify which clusters on the disk are free and available for new files. The computer can then reassemble the pieces when a file is viewed or executed.
Why There Is a Need To Understand File Systems?
- Different OS, Different File Systems
- Poor Documentation
- File Location
- Hidden Data
- File Deletion
Importance of File Systems
A file system has two basic functions that impact the computer’s performance:
• mapping physical spaces on the drive to logical addresses that comprise files
• read/write capability to open, change, and delete files
Understanding how these functions work on different file systems is the foundation for responding to a security incident. Most file systems are tied to a particular OS, although most modern OSs can read more than one. To discover where files are located and how they are distributed, you need to know how to access and modify system settings when necessary. This is especially important because files can be hidden. Typically when a user deletes a file, the file system does not permanently erase (wipe) the file from the hard drive. It simply marks the file's directory entry or record as unused and flags the clusters it occupied as free so the OS may reuse them; until those clusters are overwritten, the contents are still on the disk. Knowing how to rebuild files from the file system is one of the most important skills of the forensic examiner. The forensic examiner also has access to deleted files and to data left in swap space (the page file on Windows), which is part of the virtual memory the OS keeps on the hard drive.
File Structure Of Windows
- Disk Partitioning
- Cluster Versus Sector
- File Allocation Table - FAT
- New Technology File System - NTFS
- Modified, Accessed, Created - MAC
Understanding Windows File Structure
On a physical hard disk, more than one logical section may exist. Dividing a physical drive into separate pieces is called partitioning. Windows traditionally labels the logical drives it finds in those partitions with drive letters such as C, D, E, and so on (the letter is assigned by the OS, not stored in the file system). Microsoft Windows is the predominant OS for user workstations and has gained significant momentum in server applications. To understand Microsoft's file structure, we must start by defining some storage terms: clusters, the file allocation table (FAT), and the New Technology File System (NTFS). The hard drive's sectors, as previously described, are grouped by the Windows file systems into clusters. A cluster is the smallest unit the file system allocates, so every file occupies a whole number of clusters. By combining sectors into clusters, the file system reduces the overhead of writing and reading files, since it has to keep track of fewer storage units. The relationship between sectors and clusters on Windows XP is described below.
A cluster (or allocation unit) is the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows XP Professional organize hard disks based on cluster size, which is determined by the number of sectors that the cluster contains. For example, on a disk that uses 512-byte sectors, a 512-byte cluster contains one sector, whereas a 4-KB cluster contains eight sectors.
The two primary Windows file systems are FAT and NTFS; both are described later. FAT16, FAT32, and NTFS each use different default cluster sizes depending on the size of the volume, and each file system has a maximum number of clusters it can support. A smaller cluster size stores data more efficiently, because the unused space at the end of a file's last cluster (slack space) cannot be used by other files; a forensic examiner reads that slack space, since it can still hold fragments of whatever previously occupied the cluster. The more clusters a file system can address, the larger the volume you can create and format with it.
NTFS: New Technology File System
NTFS is the primary file system used by Windows XP and later versions. It was first introduced with Windows NT. NTFS replaces FAT's allocation table with a master file table (MFT), which is itself the first file on the volume ($MFT, record 0). Every file and directory on the volume has a record in the MFT, including the file system's own metadata files; the first 16 records are reserved for those metadata files, such as $MFT, $MFTMirr (a copy of the first MFT records), $LogFile, and $Bitmap. A key advancement is that files and directories are stored as sets of attributes, and those attributes include security information. At format time every cluster in the volume is numbered with a logical cluster number (LCN), and the OS reads and writes the disk by LCN. Within a file, clusters are numbered from zero with virtual cluster numbers (VCN); the file's MFT record stores data runs that map each VCN range to an LCN range, so a file can be extended into whatever free space is available on the disk, even if that space is not contiguous.
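The following Python is an added example, not part of the original page or any Microsoft code: it reads the cluster geometry and the location of the MFT straight out of an NTFS boot sector, which is where the cluster size chosen at format time and the LCN of $MFT are recorded. The field offsets are the standard NTFS BIOS Parameter Block ones; the 512-byte sample sector is constructed inside the block (1 GiB volume, 8 sectors per cluster, MFT at LCN 0x4000, arbitrary serial number) and is not captured from a real disk.

```python
# Added example (not from the original page): read cluster size, volume size and
# MFT location from an NTFS boot sector. Offsets are the standard NTFS BPB
# layout; the sample sector below is constructed, not captured.
import struct

NTFS_OEM = b"NTFS    "


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Cluster geometry and MFT byte offsets from a 512-byte NTFS boot sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    if sector[3:11] != NTFS_OEM:
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    # Sanity checks a forensic tool should make before trusting the arithmetic.
    # (Volumes with clusters above 64 KB on recent Windows encode this byte as a
    # negative power of two, like the record-size field; not handled here.)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible sector size {bytes_per_sector}")
    if not 1 <= sectors_per_cluster <= 128 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError(f"implausible sectors per cluster {sectors_per_cluster}")
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    rec_field = struct.unpack_from("<b", sector, 0x40)[0]   # signed byte
    cluster = bytes_per_sector * sectors_per_cluster
    # Positive: record size in clusters. Negative: record size is 2**|value| bytes.
    record_size = cluster * rec_field if rec_field > 0 else 1 << -rec_field
    return {
        "cluster_size": cluster,
        "total_clusters": total_sectors // sectors_per_cluster,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_offset": mft_lcn * cluster,          # where $MFT record 0 starts
        "mftmirr_offset": mftmirr_lcn * cluster,  # backup copy of the first records
        "mft_record_size": record_size,
    }


def build_sample_boot_sector() -> bytes:
    """Constructed 1 GiB volume: 512-byte sectors, 8 sectors/cluster, MFT at LCN 0x4000."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                                # jump instruction
    s[3:11] = NTFS_OEM
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)            # bytes/sector, sectors/cluster, reserved
    s[0x15] = 0xF8                                          # media descriptor: fixed disk
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)        # sectors/track, heads, hidden sectors
    # total sectors excludes the backup boot sector at the end, hence the odd count
    struct.pack_into("<QQQ", s, 0x28, 2097151, 0x4000, 0x1FFFF)
    struct.pack_into("<b", s, 0x40, -10)                    # 2**10 = 1024-byte MFT records
    struct.pack_into("<b", s, 0x44, 1)                      # one cluster per index buffer
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)     # volume serial (arbitrary)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


SAMPLE_BOOT_SECTOR = build_sample_boot_sector()

if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(SAMPLE_BOOT_SECTOR).items():
        print(f"{key:>16}: {value}")
```

The mft_offset value is the byte position, relative to the start of the volume (not the disk), at which an examiner seeks in an image to read record 0; add the partition's starting LBA times the sector size to get the offset within a whole-disk image. The negative-exponent encoding of the record-size byte is the detail most hand-written parsers get wrong.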
File and Folder Permissions
On NTFS volumes you can set permissions on files and folders that specify which groups and users have access, and what level of access is permitted. NTFS file and folder permissions apply to users on the local computer and to users accessing the file or folder over the network. File and folder permissions are maintained in discretionary access control lists (DACLs) stored in each object's security descriptor. They are enforced by a running Windows kernel; an examiner who reads the raw volume or a disk image bypasses them entirely, which is why permissions alone do not protect data from offline access.
Encryption
The Encrypting File System (EFS) uses symmetric key encryption in conjunction with public key technology to protect files and folders. Each file is encrypted with its own random symmetric file encryption key (FEK); the FEK is in turn encrypted with the public key of each authorized user and of any designated recovery agent, and those encrypted copies are stored with the file, so only those users and agents can recover the FEK and read the file. Users of EFS are issued a digital certificate with a public key and private key pair. EFS uses the key pair of the user who is logged on to the local computer, where the private key is stored (protected by the user's logon credentials through DPAPI).
Users work with encrypted files and folders just as they do with any other files and folders. Encryption is transparent to authorized users; the system decrypts the file or folder when the user opens it, and re-encrypts it when the file is saved. Intruders who try to access the encrypted files or folders receive an "Access denied" message if they try to open, copy, move, or rename them. That message is produced by the running OS; an examiner working from a disk image sees only ciphertext, and recovering the plaintext requires the user's private key (in practice the user's password) or a recovery agent's key.
Larger Volume Size
The maximum NTFS volume size as implemented in Windows XP Professional is 2^32 minus 1 clusters, which with 64-KB clusters is approximately 256 terabytes (16 terabytes with the default 4-KB clusters), with a maximum individual file size of about 16 terabytes. Under FAT32, the Windows format tool limits a volume to 32 GB and a single file to 4 GB minus one byte. This has considerable impact on storage requirements for making forensic duplications and for reassembling fragmented files.
Multiple Data Streams
A data stream is a sequence of bytes. An application populates the stream by writing data at specific offsets within the stream and can then read the data back from the same offsets. Every file has a main, unnamed stream associated with it, regardless of the file system used. NTFS additionally supports named data streams, each an alternate sequence of bytes attached to the same file, as illustrated in the figure. Applications create additional named streams and access them by name, using the syntax filename:streamname. This feature permits related data to be managed as a single unit. For example, a graphics program can store a thumbnail image of a bitmap in a named data stream within the NTFS file containing the image. A forensic examiner is particularly interested in alternate data streams (ADS) because they can hide data, intentionally or by coincidence: Explorer and a plain dir listing show only the unnamed stream and its size, so data in a named stream is invisible unless it is listed explicitly (dir /R on Windows Vista and later, or Get-Item -Stream * in PowerShell). Copying the file to a FAT or other non-NTFS volume silently drops every named stream, and not every named stream is suspicious; Windows itself uses the Zone.Identifier stream to mark files downloaded from the Internet.
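The following Python is an added example, not part of the original page, that shows where the streams described above actually live on disk: each stream of a file is a $DATA attribute in the file's MFT record, and a named $DATA attribute is an alternate data stream. The code parses a 1,024-byte FILE record, first undoing the update-sequence fixups NTFS uses to detect torn writes, then decoding each $DATA attribute's resident content or its non-resident data runs (the VCN-to-LCN mapping mentioned in the NTFS section). The record is built by the helper functions at the bottom of the block; the layout and offsets are the standard NTFS ones, but the file contents, the stream name "secret", the cluster locations and the 4,096-byte cluster size used for the allocated-size field are all invented.

```python
# Added example (not from the original page): list the $DATA attributes of an NTFS
# MFT FILE record; a named $DATA attribute is an alternate data stream. The record
# parsed here is built by the helpers at the bottom, not read from a real volume.
import struct

SECTOR, RECORD, ATTR_DATA, END_MARKER = 512, 1024, 0x80, 0xFFFFFFFF

def apply_fixups(raw: bytes) -> bytearray:
    """Undo the update sequence array; a mismatch means a torn or corrupt record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_ofs, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_ofs:usa_ofs + 2], bytearray(raw)
    for i in range(1, usa_count):                     # entry i protects sector i-1
        end = i * SECTOR - 2
        if raw[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write?")
        rec[end:end + 2] = raw[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return rec

def decode_runs(buf: bytes) -> list:
    """Data runs -> [(vcn, lcn, clusters)]; LCN deltas are signed and relative."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, ofs_sz = buf[pos] & 0xF, buf[pos] >> 4
        if pos + 1 + len_sz + ofs_sz > len(buf):
            raise ValueError("truncated data run")
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[pos + 1 + len_sz:pos + 1 + len_sz + ofs_sz], "little", signed=True)
        runs.append((vcn, lcn if ofs_sz else None, length))   # ofs_sz == 0: sparse run
        vcn, pos = vcn + length, pos + 1 + len_sz + ofs_sz
    return runs

def data_streams(raw: bytes) -> list:
    """Walk the attribute list and describe every $DATA attribute of the record."""
    rec = apply_fixups(raw)
    pos, streams = struct.unpack_from("<H", rec, 0x14)[0], []   # first attribute offset
    while True:
        if pos + 0x18 > len(rec):
            raise ValueError("attribute list runs past the record")
        atype, alen, nonres, name_len, name_ofs = struct.unpack_from("<IIBBH", rec, pos)
        if atype == END_MARKER:
            return streams
        if alen < 0x18 or pos + alen > len(rec):
            raise ValueError("corrupt attribute length")
        if atype == ATTR_DATA:
            name = rec[pos + name_ofs:pos + name_ofs + 2 * name_len].decode("utf-16-le")
            if nonres:                                 # content lives in clusters: decode the runs
                runs_ofs = struct.unpack_from("<H", rec, pos + 0x20)[0]
                size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
                streams.append({"name": name, "resident": False, "size": size,
                                "runs": decode_runs(rec[pos + runs_ofs:pos + alen])})
            else:                                      # content stored inside the MFT record
                clen, cofs = struct.unpack_from("<IH", rec, pos + 0x10)
                streams.append({"name": name, "resident": True, "size": clen,
                                "content": bytes(rec[pos + cofs:pos + cofs + clen])})
        pos += alen

def alternate_streams(raw: bytes) -> list:   # ADS = every $DATA attribute with a name
    return [s["name"] for s in data_streams(raw) if s["name"]]

# Builders for the constructed sample (standard NTFS layout, invented contents).
def resident_data(name: str, content: bytes) -> bytes:
    name_b = name.encode("utf-16-le")
    cofs = (0x18 + len(name_b) + 7) & ~7              # content follows the name, 8-byte aligned
    total = (cofs + len(content) + 7) & ~7
    buf = bytearray(total)
    struct.pack_into("<IIBBHHHIH", buf, 0, ATTR_DATA, total, 0, len(name), 0x18, 0, 0, len(content), cofs)
    buf[0x18:0x18 + len(name_b)], buf[cofs:cofs + len(content)] = name_b, content
    return bytes(buf)

def nonresident_data(name: str, runs: bytes, last_vcn: int, real_size: int) -> bytes:
    name_b = name.encode("utf-16-le")
    rofs = (0x40 + len(name_b) + 7) & ~7              # data runs follow the name
    total = (rofs + len(runs) + 7) & ~7
    buf = bytearray(total)
    struct.pack_into("<IIBBHHHQQHHIQQQ", buf, 0, ATTR_DATA, total, 1, len(name), 0x40, 0, 1,
                     0, last_vcn, rofs, 0, 0, (last_vcn + 1) * 4096, real_size, real_size)
    buf[0x40:0x40 + len(name_b)], buf[rofs:rofs + len(runs)] = name_b, runs
    return bytes(buf)

def build_record(attrs: list, record_no: int = 70) -> bytes:
    rec, body = bytearray(RECORD), b"".join(attrs) + struct.pack("<I", END_MARKER) + b"\0" * 4
    rec[:4], rec[0x38:0x38 + len(body)] = b"FILE", body
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x38 + len(body), RECORD, 0, len(attrs) + 1, 0, record_no)
    rec[0x30:0x32] = usn = b"\x07\x00"                # update sequence number
    for i in (1, 2):                                   # save and overwrite each sector's last word
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end:end + 2] = rec[end:end + 2], usn
    return bytes(rec)

SAMPLE_RECORD = build_record([
    resident_data("", b"Innocent contents.\n"),
    # "secret" ADS: 20000 bytes in two runs, 4 clusters at LCN 4096 then 2 at LCN 4112
    nonresident_data("secret", b"\x21\x04\x00\x10\x11\x02\x10\x00", last_vcn=5, real_size=20000),
])
```

Run against SAMPLE_RECORD, data_streams returns the unnamed stream with its 19 bytes of resident content and the "secret" stream with extents [(0, 4096, 4), (4, 4112, 2)], which is exactly the VCN-to-LCN map an examiner follows to carve the hidden stream out of a volume image even when the file has been deleted. The unnamed stream's size is what a directory listing reports, so nothing about the file's visible size betrays the 20,000 bytes in the named stream; real records also carry $STANDARD_INFORMATION, $FILE_NAME and other attributes, which this walker skips.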