Imp HDD Structure
MBR :
Boot Sector
MFT
Bitmap
File0
Data Run
1. MBR
2. Superblock
3. Blocks
4. Every Block's Inodes
5. Data Run
APFS (journaling): after a file is deleted, it randomizes/flushes out the offset, hence data recovery is not possible.
Platter
RAID Type:-
Spanned
Mirrored (RAID 1)
Striped
RAID 5 (Striping with parity)
RAID 10 (Striping + Mirroring)
Basic ()
RAID 6 (Striping with double parity)
Drive Striping :
Drive striping refers to when individual files are stored across multiple drives. Since
these multiple drives are reading or writing a single file, disk speeds are increased
exponentially with each drive that is added. The work of a single drive is being
distributed over the attached RAID drives. Although this method is faster, it is also
riskier. If a drive fails, all data is lost since a section of every file would be missing or
corrupted.
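The difference between plain striping and RAID 5 (striping with parity) can be shown on a few bytes. The following is an added example, not part of the original notes: the 4-byte stripe size, the parity rotation order and all function names are assumptions chosen for illustration, and the input is constructed. It shows why one lost member of a plain striped set leaves a hole in every file, while a lost RAID 5 member can be rebuilt from the surviving member images by XOR.

```python
from functools import reduce

STRIPE = 4  # bytes per stripe unit; tiny so the layout is easy to read

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def stripe_raid0(data, n):
    """Plain striping: stripe unit k is written to drive k % n, no redundancy."""
    drives = [bytearray() for _ in range(n)]
    for k, off in enumerate(range(0, len(data), STRIPE)):
        drives[k % n] += data[off:off + STRIPE].ljust(STRIPE, b"\0")
    return [bytes(d) for d in drives]

def parity_drive(row, n):
    """Assumed rotation: parity starts on the last drive and moves left each row."""
    return (n - 1 - row) % n

def stripe_raid5(data, n):
    """Each row holds n-1 data units plus one parity unit (their XOR)."""
    drives = [bytearray() for _ in range(n)]
    row_len = STRIPE * (n - 1)
    for row, off in enumerate(range(0, len(data), row_len)):
        chunk = data[off:off + row_len].ljust(row_len, b"\0")
        units = [chunk[i:i + STRIPE] for i in range(0, row_len, STRIPE)]
        units.insert(parity_drive(row, n), xor_blocks(units))
        for drive, unit in zip(drives, units):
            drive += unit
    return [bytes(d) for d in drives]

def rebuild_drive(drives, failed):
    """A lost RAID 5 member equals the XOR of all surviving members."""
    return xor_blocks([d for i, d in enumerate(drives) if i != failed])

def read_raid5(drives, length):
    """Reassemble the byte stream from member images, skipping parity units."""
    n, out = len(drives), bytearray()
    for row in range(len(drives[0]) // STRIPE):
        for i in range(n):
            if i != parity_drive(row, n):
                out += drives[i][row * STRIPE:(row + 1) * STRIPE]
    return bytes(out[:length])

if __name__ == "__main__":
    data = b"constructed sample file contents"   # constructed input
    r5 = stripe_raid5(data, 4)
    r5[2] = None                                 # member 2 is lost
    r5[2] = rebuild_drive(r5, 2)                 # rebuilt from the other three
    print(read_raid5(r5, len(data)))
    print(stripe_raid0(data, 4))                 # lose one of these: every 4th unit is gone
```

When reassembling real member images, the stripe size, member order and parity rotation depend on the controller and must be determined first; the values here are only the example's assumptions.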
Drive Spanning
Drive spanning allows multiple hard drives to behave as a single large drive. When
the first drive becomes full, it simply overflows into the next. This method is useful
because additional drives can be added easily without having to make major system
modifications. Additionally, if a drive experiences a failure, only a portion of the
system's data is lost.
BitLocker:
NOTE: If the drive is BitLocker-locked, you cannot triage or acquire the HDD.
BitLocker
• TPM Only
• USB Key
• TPM + PIN
• TPM + USB
A 512-bit Full Volume Encryption Key (FVEK) is used to decrypt the volume, and is
stored encrypted on the protected volume. The first 256 bits of the FVEK are used to
decrypt data, the next 256 bits are used to generate sector keys. The FVEK is
decrypted by the Volume Master Key (VMK), which is itself encrypted and stored
multiple times on the protected volume. Each encrypted VMK is decrypted by a
separate authentication method.
The FVEK is stored in RAM when a drive is mounted, and it is possible to perform a
key schedule search to find it. Several schedules may be in the memory at any given
time and it's important to note that keys are taken out of the TPM and placed into
RAM where they can be found.
The following image, taken from Jesse Kornblum's excellent presentation "Practical
Methods for Dealing with Full Disk Encryption", displays how the BitLocker key
schedule may look in memory: