
Computer Hacking Forensic Investigator

Module VII
Understanding File Systems
and Hard Disks
Module Objective

This module will familiarize you with the following:


~ Disk drive
~ Hard disk
~ Types of hard disk interfaces
~ File systems
~ Types of file systems
~ Popular Linux file systems
~ Sun Solaris 10 file system – ZFS
~ Mac OS X file system
~ Windows file systems
~ Disk partition
~ Master boot record
~ Examining FAT disks
~ NTFS system files
~ EFS recovery key agent
~ Examining registry data
~ FAT vs. NTFS
~ Windows XP system files
~ Windows boot process


Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow

Disk drive → Hard disk → Types of hard disk interfaces → File systems → Types of file systems → Popular Linux file systems → Sun Solaris 10 file system – ZFS → Mac OS X file system → Windows file systems → Disk partition → Master boot record → Examining FAT disks → NTFS system files → EFS recovery key agent → Examining registry data → FAT vs. NTFS → Windows XP system files → Windows boot process

Disk Drive Overview - I

~ There are two types of disk drives:
• Fixed storage drives.
• External storage drives.
~ Some removable storage drives are:
• Floppy disks.
• Compact Disks.
• Digital Versatile Disk (DVD).
• ZIP Disks.
• r/m Drives.
Disk Drive Overview - II

~ A hard disk drive is a good example of a permanent storage device.
~ The data is recorded magnetically onto the hard disk.
~ The main components of a hard disk are:
• Cylinders
• Head
• Platter
~ The data is stored in sectors along the tracks.
Hard Disk

~ A hard disk is a sealed unit containing a number of platters in a stack. Hard disks may be mounted in a horizontal or a vertical position.
~ Electromagnetic read/write heads are positioned above and below each platter.
~ As the platters spin, the drive heads move in toward the center surface and out toward the edge.
Hard Disk (cont’d)

~ The data is recorded onto the hard disk using zoned bit recording.
~ Zoned Bit Recording: the task of grouping the tracks by zones to ensure the same size of all the tracks.
~ The densities of the data on the disk drive are of three types, namely:
• Track density: the space between tracks on a disk.
• Areal density: the number of bits per square inch on a platter.
• Bit density: bits per unit length of track.

Types of Hard Disk Interfaces

~ SCSI:
• Small Computer System Interface.
~ IDE/EIDE:
• Integrated Drive Electronics / Enhanced IDE.
~ USB:
• Universal Serial Bus.
~ ATA:
• Advanced Technology Attachment.
– Serial ATA
– Parallel ATA
~ Fibre Channel:
• Fibre Channel electrical interface.
• Fibre Channel optical interface.
Types of Hard Disk Interfaces: SCSI

~ SCSI is a hardware interface that allows for the connection of up to 15 peripheral devices to a single PCI board called a "SCSI host adapter" that plugs into the motherboard.
Types of Hard Disk Interfaces: IDE/EIDE

~ With IDE, the controller electronics are built into the drive itself.
~ IDE drives are configured as master and slave.
~ Enhanced IDE is an extension to the IDE interface that supports the ATA-2 and ATAPI standards.

Types of Hard Disk Interfaces: USB

~ USB is a "plug-and-play" interface, which allows a device to be added without an adapter card and without rebooting the computer.

Types of Hard Disk Interfaces: ATA

~ SATA is based on serial signaling technology.
~ SATA transfers data over a half-duplex channel at 1.5 Gbps in one direction.
~ PATA is based on parallel signaling technology.
~ Parallel ATA standards only allow cable lengths up to 46 centimeters (18 inches).
~ SATA cables are more flexible, thinner, and less massive than the ribbon cables required for conventional PATA hard drives.
Types of Hard Disk Interfaces: Fibre Channel

~ Fibre Channel [FC] is a point-to-point serial bi-directional interface operating at up to 1.0625 Gbps.
~ The electrical interface uses ECL signaling levels via:
• An unbalanced 75 Ω line.
• A balanced 150 Ω line.
~ The optical interface uses:
• LL: long wave laser (1300 nm).
• SL: short wave laser (780 nm).
• LE: LED (1300 nm).

Disk Platter

~ Aluminum alloy is the material traditionally used to make disk platters.
~ Glass and ceramic are used for modern-day platters.
~ A magnetic media coating is applied on the part where the data resides.
~ The coating is an iron oxide substance or a cobalt alloy.

Disk Platter (cont’d)
~ Data is written on both sides of a hard disk platter.
~ The two sides are numbered side 0 and side 1.
Tracks

~ A circular ring on one side of the platter is known as a track.
~ The drive head can access this circular ring in one position at a time.
~ Tracks are numbered for their identification.
~ Data exists in thin concentric bands on a hard disk.
~ A 3.5-inch hard disk consists of more than a thousand tracks.

Tracks Numbering

~ Track numbering begins from 0 at the outer edge and moves towards the center, reaching the value (typically) of 1023.
~ A cylinder is formed when tracks are lined up.

Sector

~ A sector is the smallest physical storage unit on the disk.
~ It is normally 512 bytes in size.
~ Factory track-positioning data determines the labeling of disk sectors.
~ Data is stored on the disk in a contiguous series.
~ For example, if the file size is 600 bytes, two 512-byte sectors are allocated for the file.

Sector Addressing

~ Cylinders, heads and sectors determine the address of individual sectors on the disk.
~ For example, on formatting, a disk has 50 tracks divided into 10 sectors each.
~ Track and sector numbers are used by the operating system and disk drive to identify the stored information.

Cluster

~ A cluster is the smallest allocation unit of a hard disk.
~ The relevant formatting scheme determines the range of tracks and sectors, from 2 to 32.
~ The minimum size can be one sector (1 sector/cluster).
~ An allocation unit can be made of two or more sectors (2 sectors/cluster).
~ Any read or write operation consumes the space of at least 1 cluster.
~ A lot of slack space, or unused space, is wasted in the cluster beyond the data size in the sector.

Cluster Size

~ Cluster size can be altered for optimum disk storage.
~ A larger cluster size (greater than one sector):
• Minimizes the fragmentation problem.
• Increases the probability of unused space in the cluster.
• Reduces the disk storage area available to save information.
• Reduces unused area on the disk.

Slack Space

Hello World - - - - - - - - - - - - - - - - - - - - - - - - - - - -
File Contents                 Slack space

~ Slack space is the free space in the cluster after data has been written to that cluster.
~ DOS and Windows utilize fixed-size clusters for the file system.
~ If the size of the stored data is less than the cluster size, the unused area remains reserved for the file, resulting in slack space.
~ DOS and the FAT16 (file allocation table) file system in Windows utilize very large clusters.
~ For example, if the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of slack space.

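The cluster arithmetic behind the 600-byte and 10 K examples above, as an added example that is not part of the EC-Council module. The function names (clusters_needed, slack_bytes, write_into_cluster, split_cluster) and the cluster contents are this example's own constructions; the cluster simulation assumes the operating system rewrites whole sectors and pads the tail of the file's last sector with zeros, so sectors of the cluster beyond that still carry the previous file's bytes, which is the slack an investigator examines.

```python
# Cluster allocation and slack-space arithmetic for a fixed-cluster file system
# (FAT/NTFS style). Added example, not EC-Council's code; every input is constructed.

SECTOR_SIZE = 512  # bytes per sector, the value the module assumes


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Whole clusters a file of file_size bytes occupies (ceiling division).
    Any write consumes at least one cluster; an empty file is treated as using none."""
    if file_size <= 0:
        return 0
    return -(-file_size // cluster_size)


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Allocated bytes minus bytes actually used: the slack at the end of the last cluster."""
    return clusters_needed(file_size, cluster_size) * cluster_size - max(file_size, 0)


def write_into_cluster(new_file: bytes, previous: bytes, cluster_size: int,
                       sector_size: int = SECTOR_SIZE) -> bytes:
    """Simulate writing new_file into a cluster that still holds `previous` bytes.
    The OS writes whole sectors: the tail of the file's last sector is padded (zeros
    here, as modern Windows does), while the sectors beyond it are not touched, so
    the old file's bytes remain readable in the cluster's slack."""
    if len(new_file) > cluster_size:
        raise ValueError("file does not fit in one cluster")
    old = previous.ljust(cluster_size, b"\x00")[:cluster_size]
    written = -(-len(new_file) // sector_size) * sector_size  # sectors actually rewritten
    return new_file.ljust(written, b"\x00") + old[written:]


def split_cluster(cluster: bytes, file_size: int) -> tuple:
    """Separate a cluster's raw bytes into the file's content and the slack after it."""
    return cluster[:file_size], cluster[file_size:]


# Constructed cluster: a 2 KB cluster that used to hold a deleted document (first
# sector a header, later sectors the sensitive part), now reused for the 11-byte
# "Hello World" from the slide's figure.
OLD_DOC = (b"header of a deleted document ".ljust(SECTOR_SIZE, b".")
           + b"SALARY LIST: Alice 1000, Bob 1200".ljust(2048 - SECTOR_SIZE, b"."))
CLUSTER = write_into_cluster(b"Hello World", OLD_DOC, cluster_size=2048)


if __name__ == "__main__":
    print("600 B in 512 B clusters:", clusters_needed(600, 512), "clusters,",
          slack_bytes(600, 512), "bytes slack")
    print("10 K in 32 K clusters:", slack_bytes(10 * 1024, 32 * 1024) // 1024, "K slack")
    content, slack = split_cluster(CLUSTER, 11)
    print("content:", content)
    print("old data still in slack:", b"SALARY LIST" in slack,
          "| header sector overwritten:", b"header of a deleted" not in slack)
```

The first sector of the reused cluster loses the old header because it is rewritten in full, but the three untouched sectors keep the old payload; this is why slack space, and not only unallocated space, is part of a keyword search.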
Lost Clusters

~ The operating system marks clusters as used but does not allocate them to any file. Such clusters are known as lost clusters.
~ They can be reassigned with data, making the disk space free.
~ The ScanDisk utility can identify lost clusters in the DOS and Windows operating systems.
Bad Sector

~ A bad sector is a damaged portion of a disk on which no read/write operation can be performed.
~ Formatting a disk enables the operating system to identify unusable sectors and mark them as "bad".
~ Special software is used to recover the data on a bad sector.

Disk Capacity Calculation

~ A disk drive has 16,384 cylinders, 80 heads and 63 sectors per track. Assume a sector has 512 bytes. What is the capacity of such a disk?
~ Answer:
• The conversion factors appropriate to this hard disk are:
– 16,384 cylinders / disk
– 80 heads / cylinder
– 63 sectors / track
– 512 bytes / sector
• Total bytes = 1 disk * (16,384 cylinders / disk) * (80 heads / cylinder) * (1 track / head) * (63 sectors / track) * (512 bytes / sector)
• = 42,278,584,320 bytes

Disk Capacity Calculation (cont’d)

1 Kilobyte (KB) = 2^10 bytes = 1,024 bytes
1 Megabyte (MB) = 2^20 bytes = 1,048,576 bytes = 1,024 KB
1 Gigabyte (GB) = 2^30 bytes = 1,073,741,824 bytes = 1,048,576 KB = 1,024 MB
1 Terabyte (TB) = 2^40 bytes = 1,099,511,627,776 bytes = 1,073,741,824 KB = 1,048,576 MB = 1,024 GB

Using these definitions, the result would be expressed in GB as:

42,278,584,320 bytes / (1,073,741,824 bytes / GB) = 39.375 GB

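The capacity calculation above carried through in code, as an added example that is not from the EC-Council module. The Geometry class and its method names are this example's own; the geometry values are the slide's figures, not a real drive. It goes one step beyond the slide by also converting between a cylinder/head/sector address and a linear sector number (LBA), the standard translation that the earlier "Sector Addressing" slide alludes to, using the same geometry.

```python
# CHS geometry arithmetic for the capacity example. Added example, not EC-Council's
# code; the geometry is the slide's worked figures and the names are this example's own.
from dataclasses import dataclass

KB, MB, GB, TB = 2**10, 2**20, 2**30, 2**40   # binary units as defined on the slide


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int
    sectors_per_track: int
    bytes_per_sector: int = 512

    def total_sectors(self) -> int:
        # one track per head per cylinder, so tracks = cylinders * heads
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self) -> int:
        return self.total_sectors() * self.bytes_per_sector

    def chs_to_lba(self, c: int, h: int, s: int) -> int:
        """Linear sector number for a CHS address: cylinders and heads count from 0,
        sectors from 1, and the address walks sector, then head, then cylinder."""
        if not (0 <= c < self.cylinders and 0 <= h < self.heads
                and 1 <= s <= self.sectors_per_track):
            raise ValueError("CHS address outside this geometry")
        return (c * self.heads + h) * self.sectors_per_track + (s - 1)

    def lba_to_chs(self, lba: int) -> tuple:
        """Inverse of chs_to_lba; rejects sector numbers past the end of the disk."""
        if not 0 <= lba < self.total_sectors():
            raise ValueError("LBA outside this geometry")
        c, rem = divmod(lba, self.heads * self.sectors_per_track)
        h, s = divmod(rem, self.sectors_per_track)
        return c, h, s + 1


def in_units(n_bytes: int, unit: int) -> float:
    """Express a byte count in one of the binary units above."""
    return n_bytes / unit


SLIDE_DISK = Geometry(cylinders=16_384, heads=80, sectors_per_track=63)

if __name__ == "__main__":
    cap = SLIDE_DISK.capacity_bytes()
    print(f"{cap:,} bytes = {in_units(cap, GB)} GB = {in_units(cap, TB):.4f} TB")
    print("last sector as CHS:", SLIDE_DISK.lba_to_chs(SLIDE_DISK.total_sectors() - 1))
```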
Evidor: The Evidence Collector

~ Evidor searches for text on hard disks and retrieves the context of keyword occurrences on computer media, not only by examining all files (the entire allocated space, even Windows swap/paging and hibernate files), but also currently unallocated space and slack space.
~ It can find data from files that have been deleted, if the data still physically exists.
~ It is a particularly convenient way for any investigator to find and gather digital evidence on computer media.

WinHex

~ Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor.
~ Features:
• Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash.
• Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF.
• Built-in interpretation of RAID systems and dynamic disks.
• RAM editor, providing access to physical RAM and other processes' virtual memory.
• Data interpreter, knowing 20 data types.

Understanding File Systems

~ A file system is a set of data types employed for the storage, hierarchical categorization, management, navigation, access, and recovery of data.
~ It can use storage devices such as hard disks, CD-ROMs or floppy disks.
~ A command line or graphical user interface can be used to access the files.
~ Files are arranged into tree-structured directories, and directories require access authorization.

Types of File System

~ Disk file system:
• It is designed for the storage of files on a data storage device, most commonly a disk drive.
~ Network file system:
• This file system acts as a client for a remote file access protocol, providing access to files on a server.
~ Database file system:
• Files are identified by their characteristics, such as type of file, topic, author, or similar metadata.
~ Special purpose file system:
• Files are arranged dynamically by software, intended for such purposes as communication between computer processes or temporary file space.

List of Disk File Systems
~ ADFS – Acorn filing system, successor to DFS
~ BFS – the Be File System used on BeOS
~ EFS – Encrypted file system, an extension of NTFS
~ EFS (IRIX) – an older block filing system under IRIX
~ Ext – Extended file system, designed for Linux systems
~ Ext2 – Extended file system 2, designed for Linux systems
~ Ext3 – Extended file system 3, designed for Linux systems (ext2 + journalling)
~ FAT – used on DOS and Microsoft Windows, 12 and 16 bit table depths
~ FAT32 – FAT with 32 bit table depth
~ FFS (Amiga) – Fast File System, used on Amiga systems. Nice for floppies, but fairly useless on hard drives
~ FFS – Fast File System, used on *BSD systems
~ Files-11 – OpenVMS file system
~ HFS – Hierarchical File System, used on older Mac OS systems
List of Disk File Systems (cont’d)

~ HFS Plus – updated version of HFS used on newer Mac OS systems
~ HFSX – updated version of HFS Plus to remove some backward compatibility limitations
~ HPFS – High Performance File system, used on OS/2
~ ISO 9660 – used on CD-ROM and DVD-ROM discs (Rock Ridge and Joliet are extensions to this)
~ JFS – IBM Journaling File system, provided in Linux, OS/2, and AIX
~ Kfs – Ken's File System
~ LFS – Log-structured file system
~ MFS – Macintosh File System, used on early Mac OS systems
~ Minix file system – used on Minix systems
~ NTFS – used on Windows NT based systems
~ OFS – Old File System, on Amiga

List of Disk File Systems (cont’d)
~ PFS – and PFS2, PFS3, etc. Technically interesting file system available for the Amiga,
performs very well under a lot of circumstances
~ ReiserFS – File system which uses journaling
~ Reiser4 – File system which uses journaling, newest version of ReiserFS
~ SFS – Smart File System, available for the Amiga
~ Sprite – The original log-structured file system
~ UDF – Packet-based file system for WORM/RW media such as CD-RW and DVD
~ UFS – Unix File system, used on older BSD systems
~ UFS2 – Unix File system, used on newer BSD systems
~ UMSDOS – FAT file system extended to store permissions and metadata, used for Linux
~ VxFS – Veritas file system, first commercial journaling file system; HP-UX, Solaris, Linux,
AIX
~ XFS – Used on SGI IRIX and Linux systems
~ ZFS – Used on Solaris 10

List of Network File Systems

~ AFS (Andrew File System)
~ AppleShare
~ CIFS (Microsoft's documented version of SMB)
~ Coda
~ GFS
~ InterMezzo
~ Lustre
~ NFS
~ OpenAFS
~ SMB (sometimes also called Samba filesystem)

List of Special Purpose File Systems
~ acme (Plan 9) (text windows)
~ archfs (archive)
~ cdfs (reading and writing of CDs)
~ cfs (caching)
~ Davfs2 (WebDAV)
~ DEVFS
~ ftpfs (ftp access)
~ lnfs (long names)
~ LUFS (replaces ftpfs; ftp, ssh ... access)
~ nntpfs (netnews)
~ plumber (Plan 9) (interprocess communication – pipes)
~ PROCFS
~ ROMFS
~ TMPFS
~ wikifs (wiki wiki)

Popular Linux File Systems
~ EXT (Extended File System)
• First file system for the Linux operating system to overcome certain limitations of
the Minix file system.
• Quickly replaced by the second extended file system.

~ EXT2 (Second Extended File System)


• Standard file system with improved algorithms used on the Linux operating system
for a number of years.
• Not a journaling file system.

~ EXT3 (Third Extended File System)


• Journalled file system used in the GNU/Linux operating system.
• Can be mounted and used as an Ext2 file system.
• Can use the same file system maintenance utilities (like fsck) for maintenance and repair as the Ext2 file system.

Sun Solaris 10 File System: ZFS
~ ZFS is a filesystem first used in Sun Microsystems Solaris 10
• Uses 128-bit addressing to perform read/write operations, referred to as a "giga-terabyte" (a zettabyte).
• Any modification to this filesystem will never increase its storage capacity.

~ Main Features:
• Facilitates immediate backup as the file is written.
• Introduced Logical Volume Management (LVM) features into the file system.
• File systems are portable between little-endian and big-endian systems.
• Provides data integrity to detect and correct errors.
• The HA Storage+ feature provides cluster/failover compatibility in case of any interruption (only one server is empowered to perform write operations on the disk).
• Creates many copies of a single snapshot with minimum overhead.
• Deletes all the unused memory space out of files.
• Supports the full range of NFSv4/Windows NT-style ACLs.
Mac OS X File System

~ HFS (Hierarchical File System)
• Developed by Apple Computer to support the Mac Operating System.
~ UFS (UNIX File System)
• Derived from the Berkeley Fast File System (FFS), which was originally developed at Bell Laboratories from the first version of UNIX FS.
• All BSD UNIX derivatives including FreeBSD, NetBSD, OpenBSD, NeXTStep, and Solaris use a variant of UFS.
• Acts as a substitute for HFS in Mac OS X.

Windows File systems
~ FAT (File Allocation Table)
• 16-bit file system developed for MS-DOS.
• Used in all the consumer versions of Microsoft Windows.
• Considered relatively uncomplicated and became a popular format for devices such as floppy disks, USB devices, digital cameras, and flash disks.
~ FAT32
• 32-bit version of the FAT file system with storage capacity up to 2 GB.
~ NTFS (New Technology File System)
• NTFS has three versions:
– v1.2 (v4.0) found in NT 3.51 and NT 4.
– v3.0 (v5.0) found in Windows 2000.
– v3.1 (v5.1) found in Windows XP and Windows Server 2003.
• Newer versions added extra features like quotas, introduced by Windows 2000. In NTFS, everything such as file name, creation date, access permissions and even contents is written down as metadata.

CD-ROM / DVD File system
~ ISO 9660 (International Organization for Standardization) defines a file system for CD-ROM and DVD-ROM media.
~ To exchange data, it supports various computer operating systems such as Microsoft Windows, Mac OS, and UNIX-based systems.
~ There are some extensions to ISO 9660 to cope with its demerits:
• Longer ASCII-coded names and UNIX permissions are facilitated by Rock Ridge.
• Unicode naming (like non-Roman scripts) is also supported by Joliet.
• Bootable CDs are facilitated by El Torito.
~ ISO 13490 is a combination of ISO 9660 with multisession support.
~ Windows supports two types of file systems on CD-ROM and Digital Versatile Disk (DVD):
• Compact Disc File System (CDFS).
• Universal Disk Format (UDF).
Comparison of File System

Source: http://encyclopedia.laborlawtalk.com/Comparison_of_file_systems
Disk Partition

~ Hard disk drive partitioning is the creation of logical divisions upon a hard disk that allows one to apply operating system-specific logical formatting.
~ Primary
• A primary partition contains one file system. In MS-DOS and earlier versions of Microsoft Windows systems, the first partition (C:) must be a "primary partition". Other operating systems may not share this limitation.
~ Extended
• An extended partition is secondary to the primary partition(s). A hard disk may contain only one. It is sub-divided into logical drives, each of which is assigned additional drive letters.

Master Boot Record
~ A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk.
~ The information regarding the files on the disk, their location, size and other important data is stored in the Master Boot Record file.
~ In practice, MBR almost always refers to the 512-byte boot sector, or partition sector, of a disk.
Backing up the MBR
In UNIX/Linux, dd can be used to back up and restore the MBR.
To back up:
dd if=/dev/xxx of=mbr.backup bs=512 count=1
To restore:
dd if=mbr.backup of=/dev/xxx bs=512 count=1
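A parser for the 512-byte sector that the dd command above saves as mbr.backup, as an added example that is not part of the EC-Council module or of dd. It checks the 0x55AA boot signature, decodes the four 16-byte partition table entries at offset 446 (the 0x07 NTFS type byte the module lists on the NTFS partition boot sector slide is among the types it names), and flags entries whose sector ranges overlap, which is a sign of a damaged or tampered table. The function names and the sample MBR bytes are this example's own constructions, not data from a real disk.

```python
# Parse an MBR image such as mbr.backup written by the dd command above.
# Added example (not the module's or dd's code); the MBR bytes are constructed here.
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446            # 446 bytes of boot code, then four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

# Common partition type bytes; 0x07 is the NTFS identifier the module lists.
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended (CHS)", 0x07: "NTFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot code and partition table of one MBR sector, or raise if it is not one."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[start:start + 16])
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * MBR_SIZE,
        })
    return {"boot_code": mbr[:PART_TABLE_OFFSET], "partitions": partitions}


def is_valid_mbr(mbr: bytes) -> bool:
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def overlapping(partitions: list) -> list:
    """Pairs of used entries whose sector ranges overlap: such a table should be treated
    as damaged or tampered with before any partition on it is trusted."""
    used = [p for p in partitions if p["type"] != 0 and p["sectors"] > 0]
    pairs = []
    for a in used:
        for b in used:
            if a["index"] < b["index"]:
                a_end = a["lba_start"] + a["sectors"]
                b_end = b["lba_start"] + b["sectors"]
                if a["lba_start"] < b_end and b["lba_start"] < a_end:
                    pairs.append((a["index"], b["index"]))
    return pairs


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte table entry (CHS fields left zero) for the constructed image."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)


# Constructed image: a bootable NTFS partition and a Linux partition, two unused slots.
SAMPLE_MBR = (
    bytes(PART_TABLE_OFFSET)
    + make_entry(True, 0x07, 63, 20_964_762)
    + make_entry(False, 0x83, 20_964_825, 2_097_152)
    + bytes(32)
    + BOOT_SIGNATURE
)

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    for p in table["partitions"]:
        print(p["index"], p["type_name"].ljust(16), "boot" if p["bootable"] else "    ",
              p["lba_start"], p["sectors"], f"{p['size_bytes'] / 2**30:.2f} GiB")
    print("overlaps:", overlapping(table["partitions"]))
```

Comparing the table parsed from mbr.backup with the one parsed from the live sector zero is a quick way to confirm that a restore with dd put back exactly what was saved.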
Examining FAT

~ When a file is deleted, the operating system replaces the first character of the file name with a lower-case Greek letter. The space is made available for new files.
~ These files can be recovered using forensic tools.
~ A few tools which can be used for forensics are:
• WINHEX
• UNDELETE
• FILE SCAVENGER

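The deletion marker described above, parsed from raw directory entries, as an added example that is not part of the EC-Council module. FAT marks a deleted 8.3 entry by overwriting the first byte of the name with 0xE5, which DOS displays as the lower-case sigma the slide refers to; the rest of the entry (remaining name characters, start cluster and size) stays in place, which is what undelete tools rely on. The parser, the DirEntry class, the helper names and the directory bytes are this example's own constructions, not data from a real volume.

```python
# Parse FAT 8.3 directory entries and flag deleted ones. Added example, not from the
# EC-Council module; the directory bytes are constructed, not taken from a real volume.
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
DELETED_MARK = 0xE5    # first name byte of a deleted entry; shown as lower-case sigma in code page 437
END_OF_DIR = 0x00      # no entries follow
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F  # VFAT long-name fragment, not a file entry of its own
ENTRY_FMT = "<11sB8xHHHHI"  # name+ext, attrs, (times skipped), cluster hi, wtime, wdate, cluster lo, size


@dataclass
class DirEntry:
    name: str
    deleted: bool
    is_dir: bool
    first_cluster: int
    size: int


def _short_name(raw11: bytes) -> str:
    base = raw11[:8].decode("ascii", "replace").rstrip()
    ext = raw11[8:11].decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base


def parse_directory(data: bytes) -> list:
    """Walk a directory cluster's 32-byte entries until the end-of-directory marker."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        name, attrs, hi, _wtime, _wdate, lo, size = struct.unpack(ENTRY_FMT, raw)
        if attrs == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED_MARK
        if deleted:
            name = b"?" + name[1:]   # the original first character is gone for good
        entries.append(DirEntry(_short_name(name), deleted, bool(attrs & ATTR_DIRECTORY),
                                (hi << 16) | lo, size))
    return entries


def recoverable(entries: list, bytes_per_cluster: int) -> list:
    """Deleted files whose entry still names a start cluster and size, as
    (name, first cluster, clusters to read). The FAT chain is cleared on delete, so
    only the first cluster is certain; later clusters may already have been reused."""
    return [(e.name, e.first_cluster, -(-e.size // bytes_per_cluster))
            for e in entries if e.deleted and e.size > 0 and e.first_cluster > 0]


def make_entry(base: str, ext: str, attrs: int, first_cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build one constructed entry; times and dates are left zero."""
    raw = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    return struct.pack(ENTRY_FMT, raw, attrs, first_cluster >> 16, 0, 0,
                       first_cluster & 0xFFFF, size)


# Constructed directory: a live file, a deleted file, a subdirectory, then the end marker.
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 0x20, 3, 600)
    + make_entry("SECRET", "TXT", 0x20, 5, 10_240, deleted=True)
    + make_entry("PHOTOS", "", ATTR_DIRECTORY, 9, 0)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    entries = parse_directory(SAMPLE_DIR)
    for e in entries:
        print(e)
    print("candidates to carve:", recoverable(entries, 2048))
```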
Boot Sector
~ A boot sector is the first sector (512 bytes) of a FAT file system.
~ Unix-like terminology defines it as the superblock.

NTFS

~ NTFS or New Technology File System is the standard file system of Windows NT and its descendants Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.
~ NTFS replaced Microsoft's previous FAT file system, used in MS-DOS and early versions of Windows. NTFS has several improvements over FAT such as improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions such as security access control lists and file system journaling.
~ NTFS has five versions:
• v1.0, v1.1, v1.2 found in NT 3.51 and NT 4.
• v3.0 found in Windows 2000.
• v3.1 found in Windows XP, Windows Server 2003, and Windows Vista.
• These final three versions are sometimes referred to as v4.0, v5.0, and v5.1.

~ NTFS uses the UNICODE data format.


NTFS System Files

File Name   Description
$attrdef    Contains definitions of all system and user-defined attributes of the volume.
$badclus    Contains all the bad clusters.
$bitmap     Contains the bitmap for the entire volume.
$boot       Contains the volume's bootstrap.
$logfile    Used for recovery purposes.
$mft        Contains a record for every file.
$mftmirr    Mirror of the MFT used for recovering files.
$quota      Indicates the disk quota for each user.
$upcase     Converts characters into uppercase Unicode.
$volume     Contains the volume name and version number.
NTFS Partition Boot Sector

~ When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.
~ Partition identifier:
• 0x07 (MBR)
• EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (GPT)

NTFS Master File Table (MFT)

~ Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT).

~ NTFS reserves the first 16 records of the table for special information.

~ The first record of this table describes the master file table itself, followed by an MFT mirror record.

~ If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT.

~ The locations of the data segments for both the MFT and MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk.

~ The third record of the MFT is the log file, used for file recovery. The seventeenth and following records of the master file table are for each file and directory (also viewed as a file by NTFS) on the volume.

Metadata File Table (MFT)

~ The MFT is a relational database, which consists of information regarding the files and the file attributes.
~ The rows consist of file records and the columns consist of file attributes.
~ It has information on every file on the NTFS volume, including information about itself.
~ It has 16 records reserved for system files.
~ For a small folder, the MFT record is represented as follows:

File or Directory Name | Standard Information | Data or index | Unused space

NTFS Attributes-I

~ Every file has unique identities such as:
• Name.
• Security information.
• It can also contain file system metadata in the file.
~ Every attribute is identified by an attribute type code.
~ There are two categories of attributes:
• Resident attributes: attributes that are contained in the MFT.
• Non-resident attributes: attributes that are allocated one or more clusters of disk space.

NTFS Data Stream-I

~ NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file.
~ A handle can be opened to each data stream.
~ A data stream, then, is a unique set of file attributes.
~ The following is an example of an alternate stream:
~ C:\> echo text_message > myfile.txt:stream1
~ When you copy an NTFS file to a FAT volume, such as a floppy disk, data streams and other attributes not supported by FAT are lost.

NTFS Compressed Files

~ The compressed files present on an NTFS volume can be accessed, read or modified by any Windows application without decompressing the file.
~ When an application like Microsoft Word or an operating system command like the copy command requests access, the file is decompressed by the filter driver.
~ NTFS compression algorithms support cluster sizes up to 4 KB.

NTFS Encrypted File Systems (EFS)

~ Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes.
~ Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.
~ Encryption is transparent to the user who encrypted the file.
~ This means that you do not have to manually decrypt the encrypted file before you can use it.
~ You can open and change the file as you normally do.

EFS Recovery Key Agent-I

~ A recovery policy is always associated with an encryption policy. A recovery agent decrypts the file if the encryption certificate of an encrypted file is lost.
~ The recovery agent is used under the following conditions:
• When a user loses a private key.
• When a user leaves the company.
• Whenever a law enforcement agency makes a request.

EFS Recovery Key Agent -II

~ The Windows administrator can recover the key from Windows or from the MS-DOS command prompt.
~ The keys can be recovered from the command prompt using the following commands:
• CIPHER
• COPY
• EFSRECVR
~ Recovery agent information of an encrypted file can be viewed using the efsinfo tool.
EFS Key

~ The EFS key retrieves EFS-encrypted files from NTFS partitions.
~ To retrieve the files, the encryption password must be known or the SAM database must be present.
~ The EFS key user interface is similar to Windows Explorer. Users can browse disk contents, then drag and drop files to a new location.

EFS Key

Deleting NTFS Files

~ Upon deletion from Windows Explorer, the file is moved into the Recycle Bin.
~ If the file is deleted from the command prompt, the Recycle Bin is bypassed.
You can recover it by using forensic tools.
~ When a file is deleted, the operating system performs the following tasks in
the NTFS:
• The clusters are made available for new data.
• The MFT attribute $BITMAP is updated.
• The file attribute of the MFT is marked available.
• Any linking inodes and VCN/LCN cluster locations are removed from the MFT.
• The list of links to the cluster locations is deleted.
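Added example (not from the course material): a Python parser for a constructed MFT record header and a fragment of the $Bitmap file, showing what "marked available" looks like on disk and why a deleted file stays recoverable only until its clusters are reallocated. The record bytes, the bitmap byte and the cluster numbers are constructed for illustration.

```python
import struct

MFT_HEADER = "<4sHHQHHHHIIQH"  # fixed part of a FILE record header, little-endian


def build_record(in_use: bool, is_dir: bool = False, seq: int = 7) -> bytes:
    """Construct a 1 KB MFT record with only the header filled in (sample data)."""
    flags = (0x0001 if in_use else 0) | (0x0002 if is_dir else 0)
    header = struct.pack(
        MFT_HEADER, b"FILE",
        0x30, 3,        # update sequence array offset and size
        0x1234,         # $LogFile sequence number
        seq, 1,         # sequence number (bumped on reuse), hard link count
        0x38, flags,    # offset to first attribute, flags (0x01 in use, 0x02 dir)
        0x100, 0x400,   # used and allocated size of the record
        0, 0x10)        # base record reference, next attribute id
    return header.ljust(1024, b"\x00")


def parse_mft_header(rec: bytes) -> dict:
    """Decode the fixed fields of an MFT record header."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or never-used slot)")
    fields = struct.unpack_from(MFT_HEADER, rec)
    seq, links, flags, used, alloc = fields[4], fields[5], fields[7], fields[8], fields[9]
    return {"sequence": seq, "links": links, "in_use": bool(flags & 0x0001),
            "is_directory": bool(flags & 0x0002), "used_size": used, "allocated_size": alloc}


def cluster_allocated(bitmap: bytes, lcn: int) -> bool:
    """$Bitmap keeps one bit per cluster, least significant bit first."""
    return bool((bitmap[lcn // 8] >> (lcn % 8)) & 1)


def deletion_state(rec: bytes, bitmap: bytes, lcns) -> str:
    """Classify a record: live, or deleted with its data clusters free or already reused.
    lcns are the logical cluster numbers the record's data run once pointed at."""
    if parse_mft_header(rec)["in_use"]:
        return "allocated"
    if any(cluster_allocated(bitmap, c) for c in lcns):
        return "deleted, data clusters reallocated"
    return "deleted, data clusters still free"


# Constructed $Bitmap fragment: clusters 0 and 2 allocated, clusters 1 and 3..7 free.
SAMPLE_BITMAP = bytes([0b00000101])

if __name__ == "__main__":
    deleted = build_record(in_use=False)
    print(deletion_state(deleted, SAMPLE_BITMAP, [1, 3]))  # still recoverable
    print(deletion_state(deleted, SAMPLE_BITMAP, [2, 3]))  # cluster 2 reused
```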
Registry Data-I

~ The registry is a hierarchical database.
~ It is used to store information regarding the users, applications, and the
hardware devices.
~ Windows continuously refers to the registry information during the execution
of applications.
~ The data in the registry is saved in the form of binary files.

Registry Data-II

The Hives
  Handle key
    Key
      Sub-Key
        Value
    Key
      Sub-Key
        Value
  Handle key
    Key
      Sub-Key
        Value
    Key
      Sub-Key
        Value
Registry Data-III

Examining Registry Data

~ The registry has a predefined set of keys for every folder.
~ A registry hive is defined as a set of keys, sub-keys, and values used in the
Windows registry, which has a group of supporting files that contain backups of
its data.
~ The registry can be examined manually using the Registry Editor.
~ The registry can be examined using tools such as:
• Registry Monitor
• Registry Checker
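Added Python example (not from the course material) for the two registry slides above: it builds a constructed hive base block (the "regf" header that starts every binary hive file) and runs the two checks an examiner applies before trusting a hive's contents, the header checksum and the primary/secondary sequence numbers that reveal whether the last write completed or newer data still sits in the supporting transaction log. Field offsets follow the on-disk regf layout; the timestamp, version and name values are constructed.

```python
import struct

REGF_BASE_BLOCK = 512  # header that starts every hive file (SYSTEM, SAM, NTUSER.DAT ...)


def regf_checksum(hdr: bytes) -> int:
    """XOR of the 127 DWORDs before offset 0x1FC, where Windows stores the result.
    The format reserves 0 and 0xFFFFFFFF, which are stored as 1 and 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", hdr[:0x1FC]):
        x ^= dword
    return 1 if x == 0 else 0xFFFFFFFE if x == 0xFFFFFFFF else x


def build_hive_header(primary_seq: int, secondary_seq: int, name: str) -> bytes:
    """Construct a minimal regf base block with a valid checksum (sample data)."""
    hdr = bytearray(REGF_BASE_BLOCK)
    struct.pack_into("<4sIIQIIIIIII", hdr, 0, b"regf", primary_seq, secondary_seq,
                     0x01D9A1B2C3D4E5F6,  # last-written FILETIME, constructed
                     1, 3,                # major / minor format version (XP-era sample)
                     0, 1,                # file type 0 = primary hive; file format 1
                     0x20, 0x1000, 1)     # root cell offset, hbin data size, cluster factor
    hdr[0x30:0x70] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)


def check_hive(hdr: bytes) -> dict:
    """Sanity checks to run before trusting the keys and values inside a hive."""
    if hdr[:4] != b"regf":
        raise ValueError("not a registry hive: missing regf signature")
    primary, secondary = struct.unpack_from("<II", hdr, 0x04)
    major, minor = struct.unpack_from("<II", hdr, 0x14)
    name = hdr[0x30:0x70].decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", hdr, 0x1FC)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "checksum_ok": stored == regf_checksum(hdr),
        # Equal sequence numbers mean the last write completed; a mismatch marks a
        # "dirty" hive whose newest data still sits in the transaction log (.LOG).
        "consistent": primary == secondary,
    }


if __name__ == "__main__":
    print(check_hive(build_hive_header(9, 9, "SYSTEM")))
    print(check_hive(build_hive_header(10, 9, "SAM")))  # consistent: False
```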

FAT vs. NTFS

File Allocation Table (FAT)                               | New Technology File System (NTFS)
A table which tracks all the system storage changes       | The latest file system, developed specially for Windows 2000
Versions available are FAT12, FAT16, FAT32                | NTFS is the only version
Supported in all versions of the Windows operating system | Supported in all operating systems after Windows 2000
Does not support long file names                          | Supports long file names
Does not support extremely large storage media            | Supports extremely large storage media
Does not support file system recovery                     | Supports file system recovery

Windows XP System Files
~ Essential system files used by Windows XP:
File name      Description
Ntoskrnl.exe   The executable and kernel of Windows XP
Ntkrnlpa.exe   Physical address support program (for >4 GB)
Hal.dll        Used by the OS kernel to communicate with the computer's hardware
Win32k.sys     Kernel-mode part of the Win32 subsystem
Ntdll.dll      Supports internal functions and dispatches the stubs to executive functions
Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll   Win32 subsystem DLL files
Windows Boot Process (XP/2003)
~ Step 1
• Power supply switched on.
~ Step 2
• The microprocessor timer chip receives the Power Good signal.
~ Step 3
• The CPU starts executing the ROM BIOS code.
~ Step 4
• The ROM BIOS performs a basic test of central hardware to verify basic functionality.
~ Step 5
• The BIOS searches for adapters that may need to load their own ROM BIOS routines.
~ Step 6
• The ROM BIOS checks to see if this is a 'cold-start' or a 'warm-start'.
~ Step 7
• If this is a cold-start, the ROM BIOS executes a full POST (Power On Self Test). If this is a
warm-start, the memory test portion of the POST is switched off.
~ Step 8
• The BIOS locates and reads the configuration information stored in CMOS.
~ Step 9
• If the first bootable disk is a fixed disk, the BIOS examines the very first sector of the disk for
a Master Boot Record (MBR). For a floppy, the BIOS looks for a Boot Record in the very first
sector.
Windows Boot Process (XP/2003)
(cont'd)
~ Step 10
• With a valid MBR loaded into memory, the BIOS transfers control of the boot process to the
partition loader code that takes up most of the 512 bytes of the MBR.
~ Step 11
• The partition loader (or Boot Loader) examines the partition table for a partition marked as
active. The partition loader then searches the very first sector of that partition for a Boot
Record.
~ Step 12
• The active partition's boot record is checked for a valid boot signature and, if found, the boot
sector code is executed as a program.
~ Step 13
• During the initial phase NTLDR switches the processor from real mode to protected mode,
which places the processor in 32-bit memory mode and turns memory paging on. It then
loads the appropriate mini-file system drivers to allow NTLDR to load files from a partition
formatted with any of the file systems supported by XP.
~ Step 14
• If the file BOOT.INI is located in the root directory, NTLDR will read its contents into
memory. If BOOT.INI contains entries for more than one operating system, NTLDR will stop
the boot sequence at this point, display a menu of choices, and wait for a specified period of
time for the user to make a selection.
Windows Boot Process (XP/2003)
(cont'd)
~ Step 15
• Assuming that the operating system being loaded is Windows NT, 2000, or XP, pressing F8 at
this stage of the boot sequence displays various boot options including "Safe Mode" and "Last
Known Good Configuration".
~ Step 16
• If the selected operating system is XP, NTLDR will continue the boot process by locating and
loading the DOS-based NTDETECT.COM program to perform hardware detection.
~ Step 17
• If this computer has more than one defined Hardware Profile, the NTLDR program will stop at
this point and display the Hardware Profiles/Configuration Recovery menu.
~ Step 18
• After selecting a hardware configuration (if necessary), NTLDR begins loading the XP kernel
(NTOSKRNL.EXE).
~ Step 19
• NTLDR now loads device drivers that are marked as boot devices. With the loading of these
drivers, NTLDR relinquishes control of the computer.

Windows Boot Process (XP/2003)
(cont'd)
~ Step 20
• NTOSKRNL goes through two phases in its boot process - phase 0 and phase 1. Phase 0
initializes just enough of the microkernel and Executive subsystems so that basic services
required for the completion of initialization become available. At this point, the system
displays a graphical screen with a status bar indicating load status.
~ Step 21
• The initialization of the I/O Manager begins the process of loading all the system's driver
files. Picking up where NTLDR left off, it first finishes the loading of boot devices. Next it
assembles a prioritized list of drivers and attempts to load each in turn.
~ Step 22
• The last task of phase 1 initialization of the kernel is to launch the Session Manager
Subsystem (SMSS). SMSS is responsible for creating the user-mode environment that
provides the visible interface to NT.
~ Step 23
• SMSS loads the win32k.sys device driver, which implements the Win32 graphics subsystem.
~ Step 24
• The XP boot process is not considered complete until a user has successfully logged onto the
system. The process is begun by the WINLOGON.EXE file, which is loaded as a service by the
kernel, and continued by the Local Security Authority (LSASS.EXE), which displays the logon
dialog box.
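Added Python example (not from the course material) for Steps 9 through 12 of the boot process: it parses a constructed 512-byte MBR the way the BIOS and the partition loader interpret it, checking the 55 AA boot signature, reading the four 16-byte partition entries that follow the loader code, and locating the single entry flagged active whose first sector the loader reads next. The disk layout is constructed for illustration.

```python
import struct

SECTOR = 512
PARTITION_TABLE = 446           # bytes 0..445 hold the partition loader code
ENTRY = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count
BOOTABLE = 0x80                 # status byte value of the active partition


def build_mbr(entries, signature: bytes = b"\x55\xAA") -> bytes:
    """Construct a sample MBR: zeroed loader code, up to four entries, then the signature."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        # CHS fields are legacy; the LBA start and sector count are what the loader uses.
        struct.pack_into(ENTRY, mbr, PARTITION_TABLE + 16 * i,
                         status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba_start, sectors)
    mbr[510:512] = signature
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list:
    """Refuse a sector without the 55 AA boot signature, then read the partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 carries no valid boot signature")
    table = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY, mbr, PARTITION_TABLE + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            table.append({"slot": i, "active": status == BOOTABLE, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return table


def find_boot_partition(mbr: bytes) -> dict:
    """Step 11: exactly one entry should carry the 0x80 flag. Zero or several active
    entries is a table the BIOS cannot boot from and an examiner should flag."""
    active = [p for p in parse_mbr(mbr) if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]


# Constructed disk: a 100 MB NTFS system partition (type 0x07) marked active,
# followed by a 200 MB data partition.
SAMPLE_MBR = build_mbr([(BOOTABLE, 0x07, 63, 204800), (0x00, 0x07, 204863, 409600)])

if __name__ == "__main__":
    print(find_boot_partition(SAMPLE_MBR))  # the loader reads this partition's first sector
```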
http://www.bootdisk.com

Summary

~ A hard disk is a sealed unit containing a number of platters in a stack. Hard
disks may be mounted in a horizontal or a vertical position.
~ A file system is a set of data types, which is employed for storage, hierarchical
categorization, management, navigation, access, and recovery of data.
~ The registry is a hierarchical database.
~ Every disk has a master boot record that contains information about partitions
on the disk.
~ EFS is the main file encryption technology used to store encrypted files in
NTFS.
~ The MFT is a relational database, which consists of information regarding the
files and file attributes.
~ Windows continuously refers to the registry for information during the
execution of applications.