Imp HDD Structure


Logical Structure of Disk

Exif Data Structure:

Main aim: find the start of the data, i.e., the data run.

NTFS (the MFT is Windows proprietary):

MBR :

Boot Sector
MFT
Bitmap
File0
Data Run

* File0: parent directory / orphan file, present / deleted file
* Bitmap: cluster allocated / unallocated
* MFT: entry table
* Boot sector: sector count
* MBR: 446 bytes OEM reserved + 64 bytes partition table + 2 bytes signature = 512 bytes
* LBA: sector count numbers
* Offset: byte numbers
* Data run: start of data

16 bytes per row * 32 rows = 512-byte sector (use WinHex)

Offset byte no. 1C2 hex = 450 dec: row 1C, column 2 (16 columns per row)

What the MBR gives:

1. Partition info
2. File type
3. Reserved sectors
4. Size
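The items above (446 + 64 + 2 bytes, the LBA-to-offset conversion, the row/column address of byte 1C2, and the walk from the MBR to the data) can be tied together in code. The following is an added example, not part of the original notes: it parses a constructed MBR and NTFS boot sector (built in `build_sample_disk`, not taken from a real disk) and computes where $MFT starts. The field offsets used are the documented on-disk layout of the classic MBR and the NTFS BIOS parameter block.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446             # bytes 0x000-0x1BD: boot code / OEM reserved
PARTITION_TABLE_OFFSET = 0x1BE   # 4 entries x 16 bytes = 64 bytes
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"      # bytes 0x1FE-0x1FF; 446 + 64 + 2 = 512


def lba_to_offset(lba: int, sector_size: int = SECTOR_SIZE) -> int:
    """An LBA counts sectors; an offset counts bytes."""
    return lba * sector_size


def hex_view_coords(offset: int) -> tuple[int, int]:
    """(row, column) of a byte offset in a 16-bytes-per-row hex view such as WinHex."""
    return divmod(offset, 16)


def parse_mbr(sector: bytes) -> list[dict]:
    """Return the populated partition-table entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55 AA signature: not an MBR")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba_start, sector_count = struct.unpack(
            "<B3sB3sII", sector[start:start + PARTITION_ENTRY_SIZE])
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,                  # 0x07 = NTFS/exFAT, 0x0C = FAT32 (LBA), 0xEE = GPT protective
            "type_offset": start + 4,       # entry 0: 0x1C2 = 450 decimal
            "lba_start": lba_start,
            "sector_count": sector_count,
            "byte_offset": lba_to_offset(lba_start),
            "size_bytes": lba_to_offset(sector_count),
        })
    return partitions


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Read the BPB fields an examiner needs to find the MFT."""
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    bytes_per_sector, sectors_per_cluster, reserved = struct.unpack_from("<HBH", sector, 0x0B)
    total_sectors, mft_cluster, mft_mirror_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved,           # always 0 on NTFS
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,             # logical cluster number of $MFT
        "mft_mirror_cluster": mft_mirror_cluster,
    }


def locate_mft(disk: bytes) -> int:
    """Absolute byte offset of $MFT: partition start + MFT LCN x cluster size."""
    part = parse_mbr(disk[:SECTOR_SIZE])[0]
    boot = parse_ntfs_boot_sector(disk[part["byte_offset"]:part["byte_offset"] + SECTOR_SIZE])
    cluster_size = boot["bytes_per_sector"] * boot["sectors_per_cluster"]
    return part["byte_offset"] + boot["mft_cluster"] * cluster_size


def build_sample_disk() -> bytes:
    """Constructed 1 MiB image: an MBR, 2047 empty sectors, then an NTFS boot sector."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xFE\xFF\xFF",
                        2048, 2_097_152)      # NTFS, starts at LBA 2048, 1 GiB long
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = b"\xEB\x52\x90"               # jump instruction
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HBH", boot, 0x0B, 512, 8, 0)              # 4 KiB clusters
    struct.pack_into("<QQQ", boot, 0x28, 2_097_151, 786_432, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    boot[510:512] = MBR_SIGNATURE
    return bytes(mbr) + bytes(SECTOR_SIZE * 2047) + bytes(boot)


if __name__ == "__main__":
    image = build_sample_disk()
    for p in parse_mbr(image[:SECTOR_SIZE]):
        print(f"partition {p['index']}: type 0x{p['type']:02X} at LBA {p['lba_start']} "
              f"(byte offset {p['byte_offset']:#x}), {p['size_bytes'] // 2**30} GiB")
    print("row/column of the type byte in a hex view:", hex_view_coords(0x1C2))
    print("$MFT starts at byte offset", locate_mft(image))
```

On a real image you would feed `parse_mbr` the first 512 bytes of the acquisition and `locate_mft` the whole image; the same arithmetic (LBA * 512, then cluster number * cluster size) is what a tool like WinHex does when it jumps to the data run.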

* Journaling: creates a log file

(If the MBR is changed or deleted, access to the boot sector is not possible.)

ExFAT / FAT / HFS+ (no journaling):

1. MBR
2. Superblock
3. Blocks
4. Inodes in every block
5. Data run

APFS (journaling): after a file is deleted it randomizes/flushes out the offset, hence data recovery is not possible.

Platter

GPT: GUID Partition Table


RAID acquisition (in most cases a logical partition);
find it in the BOOT menu or under Disk Partition.

RAID 0: logical partition striping; two 1 TB HDDs show as 2 TB.

RAID 1: mirror, high fault tolerance; two 1 TB HDDs show as 1 TB.

Software: UFS Explorer, DiskInternals; these virtually rebuild the RAID partition.

Offset: NTFS Win10 1 TB desired offset:

RAID types:
- Spanned
- Mirrored (RAID 1)
- Striped
- RAID 5 (striping with parity)
- RAID 10 (striping + mirroring)
- Basic ()
- RAID 6 (striping with double parity)

Drive striping:
Drive striping refers to individual files being stored across multiple drives. Since
multiple drives are reading or writing a single file, disk speeds are increased
exponentially with each drive that is added. The work of a single drive is
distributed over the attached RAID drives. Although this method is faster, it is also
riskier: if a drive fails, all data is lost, since a section of every file would be missing or
corrupted.

Drive Spanning
Drive spanning allows multiple hard drives to behave as a single large drive. When
the first drive becomes full, it simply overflows into the next. This method is useful
because additional drives can be added easily without having to make major system
modifications. Additionally, if a drive experiences a failure only a portion of the
system's data is lost.
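The two failure modes just described, and the "two 1 TB disks show as 2 TB / 1 TB" sizing from the RAID notes above, can be checked with a virtual rebuild. The following is an added example, not code from the notes or from any named product: it writes a constructed 32-byte volume holding two 16-byte "files" onto toy disk images with a 4-byte stripe, rebuilds the volume the way a RAID recovery tool does, then zero-fills one member to simulate a failed disk and reports which files survive.

```python
STRIPE_SIZE = 4   # bytes per stripe in this toy; real controllers use 4 KiB to 1 MiB

RAID_CAPACITY = {
    # logical size as a function of member size s and member count n
    "spanned": lambda s, n: s * n,
    "raid0": lambda s, n: s * n,        # striping: two 1 TB disks show as 2 TB
    "raid1": lambda s, n: s,            # mirroring: two 1 TB disks show as 1 TB
    "raid5": lambda s, n: s * (n - 1),  # striping with single parity
    "raid6": lambda s, n: s * (n - 2),  # striping with double parity
    "raid10": lambda s, n: s * n // 2,  # mirrored pairs, then striped
}


def logical_size(raid_type: str, member_size: int, members: int) -> int:
    """Capacity the OS sees for a given level, member size and member count."""
    return RAID_CAPACITY[raid_type](member_size, members)


def stripe_volume(volume: bytes, disks: int, stripe_size: int = STRIPE_SIZE) -> list[bytes]:
    """RAID 0 write: stripe k of the volume goes to member k % disks."""
    members = [bytearray() for _ in range(disks)]
    for k, start in enumerate(range(0, len(volume), stripe_size)):
        members[k % disks] += volume[start:start + stripe_size]
    return [bytes(m) for m in members]


def rebuild_raid0(members: list[bytes], stripe_size: int = STRIPE_SIZE) -> bytes:
    """Virtual RAID 0 rebuild: read stripes round-robin across the members."""
    out = bytearray()
    stripes_per_member = -(-len(members[0]) // stripe_size)   # ceiling division
    for k in range(stripes_per_member):
        for m in members:
            out += m[k * stripe_size:(k + 1) * stripe_size]
    return bytes(out)


def span_volume(volume: bytes, member_size: int) -> list[bytes]:
    """Spanned (JBOD) write: fill member 0, then overflow into member 1, and so on."""
    return [volume[i:i + member_size] for i in range(0, len(volume), member_size)]


def rebuild_spanned(members: list[bytes]) -> bytes:
    """Spanned rebuild is plain concatenation in member order."""
    return b"".join(members)


def rebuild_raid1(members: list[bytes]) -> bytes:
    """Mirror: any member is the whole volume; disagreement means a stale copy."""
    if any(m != members[0] for m in members):
        raise ValueError("mirror members differ; pick the most recently written one")
    return members[0]


def sample_volume():
    """Constructed volume with two 16-byte 'files' at known offsets."""
    files = {"A": (0, 16), "B": (16, 16)}
    volume = b"AAAA-file-A-data" + b"BBBB-file-B-data"
    return volume, files


def intact_files(original: bytes, recovered: bytes, files: dict) -> list[str]:
    """Names of files whose bytes survived the rebuild unchanged."""
    return [name for name, (start, length) in files.items()
            if recovered[start:start + length] == original[start:start + length]]


def striping_after_failure() -> list[str]:
    """Lose member 1 of a 2-disk RAID 0: every file has a stripe on it."""
    volume, files = sample_volume()
    members = stripe_volume(volume, 2)
    members[1] = b"\x00" * len(members[1])     # failed disk: the rebuild tool substitutes zeros
    return intact_files(volume, rebuild_raid0(members), files)


def spanning_after_failure() -> list[str]:
    """Lose member 1 of a 2-disk span: only the files that lived on it are gone."""
    volume, files = sample_volume()
    members = span_volume(volume, 16)
    members[1] = b"\x00" * len(members[1])
    return intact_files(volume, rebuild_spanned(members), files)


if __name__ == "__main__":
    print("RAID 0 after losing one disk, files intact:", striping_after_failure())
    print("Spanned after losing one disk, files intact:", spanning_after_failure())
    print("two 1 TB members as RAID 0 / RAID 1:",
          logical_size("raid0", 1, 2), "TB /", logical_size("raid1", 1, 2), "TB")
```

The rebuild functions are the part that matters for acquisition: to image a striped set you need every member plus the correct member order and stripe size, whereas a spanned set can be read member by member, and a surviving mirror member is a complete copy on its own.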

BitLocker:

Dell BitLocker: EFS

Notes: if the drive is BitLocker-locked you cannot triage or acquire the HDD.

EnCase gives a warning to enter the BitLocker key.

FTK does not give a warning.

BitLocker

BitLocker is included in the Ultimate/Enterprise editions of Windows Vista, Windows
7, and the Pro/Enterprise editions of Windows 8. BitLocker employs OTFE to provide
at-rest encryption. It is intended to be used with a hardware Trusted Platform Module
(TPM) to provide protection for data at rest. By default, BitLocker will store the key in
the TPM and automatically allow access to the disk once Windows has booted. It has a
number of authentication options:

• TPM only

• USB key

• TPM + PIN

• TPM + USB

• TPM + PIN + USB

A 512-bit Full Volume Encryption Key (FVEK) is used to decrypt the volume, and is
stored encrypted on the protected volume. The first 256 bits of the FVEK are used to
decrypt data; the next 256 bits are used to generate sector keys. The FVEK is
decrypted by the Volume Master Key (VMK), which is itself encrypted and stored
multiple times on the protected volume. Each encrypted VMK is decrypted by a
separate authentication method. The FVEK is stored in RAM when a drive is mounted,
and it is possible to perform a key schedule search to find it. Several schedules may
be in memory at any given time, and it is important to note that keys are taken
out of the TPM and placed into RAM where they can be found. The following image,
taken from Jesse Kornblum's excellent presentation "Practical Methods for Dealing
with Full Disk Encryption", displays how the BitLocker key schedule may look in
memory:
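The "key schedule search" mentioned above works because AES does not keep a key in RAM on its own: the cipher expands it into a set of round keys (176 bytes for a 128-bit key, 240 bytes for a 256-bit key) that sit next to each other in memory, and every word of that expansion is a deterministic function of the words before it. A scanner therefore treats each byte offset as a candidate key, checks whether the bytes that follow are exactly that key's expansion, and reports the offsets where they are. The following is an added example, not code from the notes or from the presentation cited above: it implements the FIPS-197 key expansion from scratch and scans a constructed 32 KiB "memory image" (`build_sample_memory`, random filler with one AES-128 and one AES-256 schedule planted at offsets 5000 and 20000) for such schedules. The AES-128 key is the FIPS-197 example key; the 32-byte key is constructed.

```python
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _build_sbox() -> list[int]:
    """FIPS-197 S-box: multiplicative inverse followed by the affine transform."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: concatenated round keys (176 bytes for AES-128, 240 for AES-256)."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("key must be 16, 24 or 32 bytes")
    words = [key[4 * i:4 * i + 4] for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nk + 7)):          # 4 * (Nr + 1) words in total
        temp = words[i - 1]
        if i % nk == 0:                        # RotWord, SubWord, xor Rcon
            temp = bytes((SBOX[temp[1]] ^ rcon, SBOX[temp[2]], SBOX[temp[3]], SBOX[temp[0]]))
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:           # extra SubWord step for AES-256
            temp = bytes(SBOX[b] for b in temp)
        words.append(bytes(x ^ y for x, y in zip(words[i - nk], temp)))
    return b"".join(words)


def _first_expanded_word(key: bytes) -> bytes:
    """Word nk of the schedule, cheap enough to test at every byte offset."""
    last = key[-4:]
    sub = bytes((SBOX[last[1]] ^ 0x01, SBOX[last[2]], SBOX[last[3]], SBOX[last[0]]))
    return bytes(x ^ y for x, y in zip(key[:4], sub))


def find_key_schedules(memory: bytes, key_size: int = 16) -> list[tuple[int, bytes]]:
    """Offsets where key_size bytes are immediately followed by their own expansion."""
    schedule_len = 16 * (key_size // 4 + 7)
    hits = []
    for off in range(len(memory) - schedule_len + 1):
        key = memory[off:off + key_size]
        if memory[off + key_size:off + key_size + 4] != _first_expanded_word(key):
            continue                           # rules out almost every offset cheaply
        if memory[off:off + schedule_len] == expand_key(key):
            hits.append((off, key))
    return hits


def build_sample_memory() -> bytes:
    """Constructed 32 KiB 'memory image' with one AES-128 and one AES-256 schedule planted."""
    rng = random.Random(2024)
    buf = bytearray(rng.randbytes(32 * 1024))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
    k256 = bytes(range(32))                                     # constructed key
    buf[5000:5000 + 176] = expand_key(k128)
    buf[20000:20000 + 240] = expand_key(k256)
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_memory()
    for size in (16, 32):
        for offset, key in find_key_schedules(image, size):
            print(f"AES-{size * 8} schedule at offset {offset}: key {key.hex()}")
```

A single schedule in a real capture is found the same way, just over a much larger buffer; the cheap first-word test is what keeps the scan linear in the size of the image. Note also what the scan cannot do: it only recognises keys whose expansion is laid out contiguously, which is why the text says several schedules may be present and why acquisition of RAM has to happen while the volume is still mounted.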
