File000121

Module VIII – Understanding Hard
Disks and File Systems

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Murder, His Hard Drive
Wrote
Source: http://www.wired.com/

EC-Council
Module Objective
• Disk drive
• Understanding File Systems
• Disk Partitions
• Windows Boot Process (XP/2003)
• File Structures: FAT
• File Structure: NTFS
• NTFS Master File Table (MFT)
• FAT vs. NTFS
• File Structure: Ext2
• File Structure: HFS
• RAID Levels
• Hard Disk Evidence Collector Tools
This module will familiarize you with:

EC-Council
Module Flow
Understanding
File Systems
Disk Partitions File Structure: Ext2
File Structure: HFS
Windows Boot
Process (XP/2003)
FAT vs. NTFS
File Structures: FAT RAID Levels
File Structure: NTFS
NTFS Master
File Table (MFT)
Hard Disk Evidence
Collector Tools
Disk drive

EC-Council
Hard Disks

EC-Council
Disk Drive Overview - I
• Fixed storage drives
• External storage drives
There are two types of Disk drives:
• Floppy disks
• Compact Disks
• Digital Versatile Disk (DVD)
• ZIP Disks
• r/m Drives
• Memory Card
• Thumb drive
• Personal digital assistants (PDA)
• Pager
• Digital camera
• Mobile phone and smart phone
• Dongle
• Credit card skimmer
Few of removable storage drives :

EC-Council
Disk Drive Overview - II
Hard disk drive is a good example of permanent storage
device
The data is recorded magnetically onto the hard disk
Main components of the hard disk :
• Cylinders
• Head
• Platter
The data is stored on the tracks of the sectors

EC-Council
Main Spindle
Head 0
Side 0 Platter 1
(has sides 0-1)
Arm for head 1
Head 2
Head
Stack
Assembly
Arm for
Tracking/Alignment
head (head 3)
Physical Structure of a Hard Disk
A hard disk is a sealed unit containing a number
of platters in a stack
They may be mounted in a horizontal or a vertical
position
Electromagnetic read/write heads are positioned
above and below each platter
As the platters spin, the drive heads move in
towards the center surface and out towards the
edge

EC-Council
Physical Structure of a Hard Disk
(cont’d)
The data is recorded in the hard disk using the zoned bit
recording
• It is the technique of grouping tracks into zones based on
their distance from the center of the disk
Zoned Bit Recording:
• Track density
• It is defined as the number of tracks in a hard disk
• Areal density:
• It is defined as the number of bits per square inch on a platter
• Bit density:
• It is bits per unit length of track
Capacity of the hard disk depends on the
following:

EC-Council
Physical Structure of Hard Disk
(cont’d)

EC-Council
Logical Structure of Hard Disk
Hard disk logical structure has significant influence on the performance,
consistency, expandability, and compatibility of the storage subsystem of the
hard disk
The logical structure depends on the type of the operating system and file
system used because these factors organize and control the data access on the
hard disk

EC-Council
Types of Hard Disk Interfaces
• Small Computer System Interface
SCSI:
• Integrated Drive Electronics/ Enhanced IDE
IDE/EIDE:
• Universal Serial Bus
USB:
• Advanced Technology Attachment
• Serial ATA
• Parallel ATA
ATA:
• Fibre Channel electrical interface
• Fibre Channel optical interface
Fibre Channel:

EC-Council
SCSI host adapter
External Chain
Internal
Chain
The Last device is both the internal
and external chain must be
terminated.A SCSI Chain
Hard disks
Types of Hard Disk Interfaces:
SCSI
SCSI is a hardware interface that allows for the connection of up to 15 peripheral
devices to a single PCI board called a "SCSI host adapter" that plugs into the
motherboard

EC-Council
80-pin IDE (ATA)
40-pin IDE (ATA)
Internal IDE Cables
IDE/EIDE
With IDE, the controller electronics are built
into the drive itself
IDE drives are configured as master and slave
Enhanced IDE is an extension to the IDE
interface that supports the ATA-2 and ATAPI
standards

EC-Council
USB
USB is a “plug-and-play” interface, which allows a device to be added
without an adapter card and without rebooting the computer

EC-Council
Parallel ATA (PATA)
Serial ATA (SATA)
ATA
SATA is based on serial signaling technology
SATA transfers data in a half-duplex channel at 1.5 Gbps in
one direction
PATA is based on parallel signaling technology
Parallel ATA standards only allow cable lengths up to
46 centimeters (18 inches)
SATA cables are more flexible, thinner, and less massive
than the ribbon cables required for conventional PATA
hard drives

EC-Council
Fibre Channel
• An unbalanced 75W line or
• A balanced 150W lines
The Electrical Interface uses ECL signaling levels via:
• LL: long wave laser (1300 nm)
• SL: short wave laser (780 nm) or
• LE: LED (1300 nm)
The optical uses:
Fibre Channel [FC] is a point-to-point serial bi-directional interface operating
up to 1.0625Gbps

EC-Council
Disk Platter
Disk platters in a hard disk are the media on which the data is stored
They are usually made from aluminum alloy, glass and ceramic
Magnetic media coating is done on the part where data resides by iron oxide
substance or cobalt alloy

EC-Council
Disk Platter (cont’d)
Data is written on both sides of a hard disk platter
Numbering is done on both the sides as side 0 and side 1
Side 0 Side 1

EC-Council
Tracks
A circular ring on one side of the platter is known as
track
Drive head can access this circular ring in one position
at a time
Tracks are numbered for identification purpose
Data exists in thin concentric bands on a hard disk
A 3.5-inch hard disk consists of more than a thousand
tracks

EC-Council
Tracks Numbering
Tracks numbering begins from 0 at outer edge and moves towards the center
reaching the value of typically 1023
A cylinder is formed when tracks are lined up

EC-Council
Sector
Sector is the smallest physical storage unit on
the disk
It is normally 512 bytes in size
Factory track-positioning data determines
labeling of the disk sector
Data is stored on the disk in a contiguous
series
For example, if the file’s size is 600 bytes, two
512 sectors are allocated for the file
Cluster of
4 sectors
Sector

EC-Council
Sector (cont’d)
Platter
Tracks
Sector
Cylinder
Sector
Track
Platters

EC-Council
Sector Addressing
Cylinders, heads, and sectors determine the address of the individual sectors on
the disk
For example, on formatting a disk, 50 tracks are divided into 10 sectors each
Track and sector numbers are used by the operating system and disk drive to
identify the stored information

EC-Council
Cluster
Cluster is the smallest allocation unit of a hard disk
Relevant formatting scheme determines range of tracks and sectors from 2 to 32
Minimum size can be of one sector (1 sector/cluster)
Allocation unit can be made of two or more sectors (2 sectors/cluster)
Any read or write operation consumes space of at least 1 cluster
Lot of slack space or unused space is wasted in the cluster beyond the data size in the sector

EC-Council
Cluster Size
Cluster size can be altered for optimum disk storage
Larger cluster size (greater than one sector):
• Minimizes the fragmentation problem
• Increases the probability for unused space in the cluster
• Reduces disk storage area to save information
• Reduces unused area on the disk

EC-Council
Slack Space
Slack space is the free space on the cluster after writing data on that cluster
DOS and Windows utilize the fixed size clusters for the file’s system
If the size of the stored data is less than the cluster’s size, the unused area remains reserved for
the file resulting in slack space
DOS and FAT 16(file allocation table) file system in the Windows utilizes large sized clusters
For example, if the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K,
the entire 32 K will be allocated, resulting in 22 K of slack space
Hello World - - - - - - - - - - - - - - - - - - - - - - - - - - - -
File Contents Slack space

EC-Council
Slack Space

EC-Council
Lost Clusters
Operating system marks cluster as
used but does not allocate them to
any file, such clusters are known as
lost clusters
It can be reassigned with data,
making the disk space free
ScanDisk utility can identify the lost
clusters in DOS and Windows
operating system

EC-Council
Bad Sector
Bad sector is a damaged portion of a disk on which no read/write operation
can be performed
Formatting a disk enables the operating system to identify unusable sector
and mark them as bad
Special software is used to recover the data on a bad sector
Bad Sector

EC-Council
Disk Capacity Calculation
A disk drive has 16,384 cylinders, 80 heads, and 63 sectors per track. Assume a
sector has 512 bytes. What is the capacity of such a disk?
Answer:
• The conversion factors appropriate to this hard disk are:
• 16,384 cylinders / disk
• 80 heads / cylinder
• 63 sectors / track
• 512 bytes / sector
• Total bytes = 1 disk * (16,384 cylinders / disk) * (80 heads / cylinder) * (1 track /
head) * (63 sectors / track) * (512 bytes / sector)
• = 42,278,584,320 bytes

EC-Council
Disk Capacity Calculation
(cont’d)
1 Kilobyte (KB) =
210 bytes = 1,024 bytes
1 Megabyte (MB) =
220 bytes = 1,048,576 bytes = 1,024 KB
1 Gigabyte (GB) =
230 bytes = 1,073,741,824 bytes = 1,048,576 KB = 1,024 MB
1 Terabyte (TB) =
240 bytes = 1,099,511,627,776 bytes = 1,073,741,824 KB = 1,048,576 MB =
1,024 GB
Using these definitions, the result would be expressed in GB as :
42,278,584,320 bytes / (1,073,741,824 bytes / GB) = 39.375 GB

EC-Council
Measuring the Performance of
the Hard Disk
Data is stored onto the Hard disk in the form of files
When running program requests the file, hard disk recovers the byte content
of the file and sends them to the CPU one at a time for further processing
Hard disk performance is measured by the following factors:
• Data rate: It is a ratio of the number of bytes per second that hard disk sends to the
CPU
• Seek time: It is the amount of time required to send the first byte of the file to the
CPU when it requests the file

EC-Council
Disk Partitions

EC-Council
Disk Partitions
• A primary partition contains one file system
• In MS-DOS and earlier versions of Microsoft Windows systems, the first partition
(C:) must be a "primary partition"
• Other operating systems may not share this limitation
Primary
• An extended partition is secondary to the primary partition(s)
• A hard disk may contain only one which is sub-divided into logical drives, each of
which is assigned additional drive letters
Extended
Hard disk drive partitioning is the creation of logical divisions upon a
hard disk that allows one to apply operating system-specific logical
formatting

EC-Council
Master Boot Record
Backing up the MBR
In UNIX/Linux, dd can be used to backup and restore the MBR
to backup
dd if=/dev/xxx of=mbr.backup bs=512 count=1
to restore
dd if=mbr.backup of=/dev/xxx bs=512 count=1
A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as
a hard disk
The information regarding the files on the disk, their location, size, and other important data
is stored in the Master Boot Record file
In practice, MBR almost always refers to the 512-byte boot sector, or partition sector of a
disk

EC-Council
Master Boot Record (cont’d)

EC-Council
Boot Process

EC-Council
Windows XP System Files
Essential system files used by Windows XP:
File name Description
Ntoskrnl.exe The executable and kernel of Windows XP
Ntkrnlpa.exe Physical address support program (for>4GB)
Hal.dll
Used for OS kernel to communicate with the
computer’s hardware
Win32k.sys Kernel mode for Win32 subsystem
Ntdll.dll
Supports internal functions and dispatches the stubs to
executive functions
Kernel32.dll
Win32 subsystem DLL files
Advapi32.dll
User32.dll
Gdi32.dll

EC-Council
Windows Boot Process
(XP/2003)
Step 1
• Switch on the power supply
Step 2
• The microprocessor timer chip receives the Power Good signal
Step 3
• The CPU starts executing the ROM BIOS code
Step 4
• The ROM BIOS performs a basic test of the central hardware to verify the basic functionality
Step 5
• The BIOS searches for adapters that may need to load their own ROM BIOS routines
Step 6
• The ROM BIOS checks to see if this is a 'cold-start' or a 'warm-start'

EC-Council
(XP/2003) (cont’d)
Step 7
• If this is a cold-start, the ROM BIOS executes a full POST (Power On Self Test). If this is a
warm-start, the memory test portion of the POST is switched off
Step 8
• The BIOS locates and reads the configuration information stored in CMOS
Step 9
• If the first bootable disk is a fixed disk ,the BIOS examines the first sector of the disk for a
Master Boot Record (MBR). For a floppy, the BIOS looks for a Boot Record in the first sector
Step 10
• With a valid MBR loaded into memory, the BIOS transfers control of the boot process to the
partition loader code that takes up most of the 512 bytes of the MBR
Step 11
• The partition loader (or Boot Loader) examines the partition table for a partition marked as
active. It then searches the first sector of that partition for a Boot Record

EC-Council
(XP/2003) (cont’d)
Step 12
• The active partition's boot record is checked for a valid boot signature and if found,
the boot sector code is executed as a program
Step 13
• During the initial phase, NTLDR switches the processor from the real-mode to the
protected mode which places the processor in 32-bit memory mode and turns
memory paging on. It then loads the appropriate mini-file system drivers to allow
NTLDR to load files from a partition formatted with any of the files systems supported
by XP
Step 14
• If the file BOOT.INI is located in the root directory NTLDR will read it's contents into
the memory. If BOOT.INI contains entries for more than one operating system
NTLDR will stop the boot sequence at this point, display a menu of choices, and wait
for a specified period of time for the user to make a selection

EC-Council
(XP/2003) (cont’d)
Step 15
• Assuming that the operating system being loaded is Windows NT, 2000, or XP pressing F8
at this stage of the boot sequence to display various boot options including "Safe Mode" and
"Last Known Good Configuration”
Step 16
• If the selected operating system is XP, NTLDR will continue the boot process by locating
and loading the DOS based NTDETECT.COM program to perform hardware detection
Step 17
• If this computer has more than one defined Hardware Profile, the NTLDR program will stop
at this point and display the Hardware Profiles/Configuration Recovery menu
Step 18
• After selecting a hardware configuration (if necessary), NTLDR begins loading the XP
kernel (NTOSKRNL.EXE)

EC-Council
(XP/2003) (cont’d)
Step 19
• NTLDR now loads the device drivers that are marked as boot devices. With the
loading of these drivers, NTLDR relinquishes control of the computer
Step 20
• NTOSKRNL goes through two phases in its boot process - phase 0 and phase 1. Phase
0 initializes just enough of the microkernel and executive subsystems so that the
basic services required for the completion of initialization become available. At this
point, the system displays a graphical screen with a status bar indicating the load
status
Step 21
• The initialization of I/O Manager begins the process of loading all the systems driver
files. Picking up where NTLDR left off, it first finishes the loading of boot devices.
Next, it assembles a prioritized list of drivers and attempts to load each in turn

EC-Council
(XP/2003) (cont’d)
Step 22
• The last task for phase 1 initialization of the kernel is to launch the Session
Manager Subsystem (SMSS). SMSS is responsible for creating the user-mode
environment that provides the visible interface to NT
Step 23
• SMSS loads the win32k.sys device driver which implements the Win32 graphics
subsystem
Step 24
• The XP boot process is not considered complete until a user has successfully logged
onto the system. The process is begun by the WINLOGON.EXE file which is loaded
as a service by the kernel and continued by the Local Security Authority
(LSASS.EXE) which displays the logon dialog box

EC-Council
http://www.bootdisk.com

EC-Council
File Systems

EC-Council
Understanding File Systems
A file system is the way in which files are named and placed
logically for storage and retrieval
It specify conventions for naming files; these conventions
include the maximum number of characters in a name, which
characters can be used, and, in some systems, how long the
file name suffix can be
It also includes a format for specifying the path to a file
through the structure of directories
Major file system include FAT, NTFS, HFS etc.

EC-Council
Types of File Systems
• It is designed for the storage of files on a data storage device, most commonly a disk
drive
Disk file systems:
• This file system acts as a client for a remote file access protocol, providing access to
files on a server
Network file systems:
• Files are identified by their characteristics, such as type of file, topic, author, or
similar metadata
Database file systems:
• Files are arranged dynamically by software, intended for such purposes as
communication between computer processes or temporary file space
Special purpose file systems:

EC-Council
List of Disk File Systems
ADFS – Acorn filing system, successor to DFS
BFS – The Be File System used on BeOS
EFS – Encrypted filesystem, An extension of NTFS
EFS (IRIX) – An older block filing system under IRIX
Ext – Extended filesystem, designed for Linux systems
Ext2 – Extended filesystem 2, designed for Linux systems
Ext3 – Extended filesystem 3, designed for Linux systems, (ext2+journalling)
FAT – Used on DOS and Microsoft Windows, 12 and 16 bit table depths

EC-Council
List of Disk File Systems (cont’d)
FAT32 – FAT with 32 bit table depth
FFS (Amiga) – Fast File System, used on Amiga systems. Used for floppies, but fairly useless on hard
drives
FFS – Fast File System, used on *BSD systems
Files-11 – OpenVMS file system
HFS – Hierarchical File System, used on older Mac OS systems
HFS Plus – Updated version of HFS used on newer Mac OS systems
HFSX – Updated version of HFS Plus to remove some backward compatibility limitations
HPFS – High Performance Filesystem, used on OS/2

EC-Council
ISO 9660 – used on CD-ROM and DVD-ROM discs (Rock Ridge and Joliet are extensions to this)
JFS – IBM Journaling Filesystem, provided in Linux, OS/2, and AIX
Kfs- Ken's File System
LFS – Log-structured filesystem
MFS – Macintosh File System, used on early Mac OS systems
Minix file system – Used on Minix systems
NTFS – Used on Windows NT based systems
OFS – Old File System on Amiga

EC-Council
PFS and PFS2, PFS3, etc. Technically interesting filesystem available for the Amiga,
performs well under a lot of circumstances
ReiserFS – Filesystem which uses journaling
Reiser4 – Filesystem which uses journaling, newest version of ReiserFS
SFS – Smart File System, available for the Amiga
Sprite – The original log-structured file system
UDF – Packet-based filesystem for WORM/RW media such as CD-RW and DVD

EC-Council
UFS – Unix Filesystem, used on older BSD systems
UFS2 – Unix Filesystem, used on newer BSD systems
UMSDOS – FAT filesystem extended to store permissions and metadata, used for Linux
VxFS – Veritas file system, first commercial journaling file system; HP-UX, Solaris,
Linux, AIX
XFS – Used on SGI IRIX and Linux systems
ZFS – Used on Solaris 10

EC-Council
List of Network File Systems
AFS (Andrew File System)
AppleShare
CIFS (Microsoft's documented
version of SMB)
Coda
GFS (Global File System)
InterMezzo
Lustre
NFS
OpenAFS
SMB (sometimes also called Samba
file system)

EC-Council
List of Special Purpose File
Systems
acme (Plan 9) (text windows)
archfs (archive)
cdfs (reading and writing of CDs)
cfs (caching)
Davfs2 (WebDAV)
DEVFS
ftpfs (ftp access)
lnfs (long names)
LUFS ( replace ftpfs, ftp ssh access)
nntpfs (netnews)
plumber (Plan 9) (interprocess
communication – pipes)
PROCFS
ROMFS
TMPFS
wikifs (wiki wiki)

EC-Council
Popular Linux File Systems
• First filesystem for the Linux operating system to overcome certain
limitations of the Minix file system
• It is replaced by the second extended file system
EXT (Extended File System)
• Standard filesystem with improved algorithms used on the Linux
operating system for a number of years
• Not a journaling file system
EXT2 (Second Extended File System)
• Journalled file system used in the GNU/Linux operating system
• It is mounted and used as an Ext2 filesystem
• It use filesystem maintenance utilities (like fsck) for maintaining and
repairing alike Ext2 filesystem
EXT3 (Third Extended File System)

EC-Council
Sun Solaris 10 File System: ZFS
• Uses 128-bit addressing to perform read/write operation referred to as a "giga-
terabyte" (a zettabyte)
• Any modification to this file system will never increase its storage capacity
ZFS is a first filesystem used in Sun Microsystems Solaris 10
• Facilitates immediate backup as the file is written
• Introduced Logical Volume Management(LVM) features into the filesystem
• File systems are portable between little-endian and big-endian systems
• Provides data integrity to detect and correct errors
• HA Storage+ feature provides cluster/failover compatibility in case of any
interruption(only one server is empowered to perform write operation on the disk)
• Creates many copies of the single snapshot with minimum overheads
• Supports full range of NFSv4/Windows NT-style ACLs
Main Features:

EC-Council
Mac OS X File System
• Developed by Apple Computer to support Mac operating system
HFS (Hierarchical File System)
• Derived from the Berkeley Fast File System (FFS) that was
originally developed at Bell Laboratories from the first version of
UNIX FS
• All BSD UNIX derivatives including FreeBSD, NetBSD,
OpenBSD, NeXTStep, and Solaris use a variant of UFS
• Acts as a substitute for HFS in Mac OS X
UFS (UNIX File System)

EC-Council
Windows File systems
• 16-bit file system developed for MS-DOS
• Used in all the consumer versions of Microsoft Windows
• Considered relatively uncomplicated and became a popular format for
devices such as floppy disks, USB devices, digital cameras, and flash
disks
FAT (File Allocation Table)
• 32-bit version of FAT file system with storage capacity up to 2 GB
FAT32
• NTFS has three versions:
• v1.2 (v4.0) found in NT 3.51 and NT 4
• v3.0 (v5.0 ) found in Windows 2000 and
• v3.1 (v5.1) found in Windows XP and Windows Server 2003
• Newer versions added extra features like quotas introduced by Windows
2000. In NTFS, anything such as file name, creation date, access
permissions, and even contents is written down as metadata
NTFS (New Technology File System)

EC-Council
CD-ROM / DVD File System
The ISO 9660 (International Organization for Standardization) defines a file system for CD-ROM and
DVD-ROM media
To exchange data, it supports various computer operating systems such as Microsoft Windows, Mac OS,
and UNIX-based systems
Some extensions used by ISO 9660 to cope up its demerits:
• Longer ASCII coded names and UNIX permissions are facilitated by Rock Ridge
• Unicode naming (like non roman scripts)are also supported by Joliet
• Bootable CDs are facilitated by El Torito
ISO 13490 is a combination of ISO 9660 with multisession support
Windows supports two types of file systems on CD-ROM and Digital Versatile Disk (DVD):
• Compact Disc File System (CDFS)
• Universal Disk Format (UDF)

EC-Council
Comparison of File Systems

EC-Council
FAT32

EC-Council
FAT
FAT (Fill Allocation Table) is a file system designed in 1976
It is the main file system for many operating systems such as DOS, Window, OpenDOS etc.
File allocation table stores all the files and resides at the beginning of the volume
It creates two copies of the file allocation table to protect the volume from the damage
Structure of FAT volume:
Partition
Boot
Sector
FAT1 FAT2
(duplicate)
Root
Folder
Other folders and files

EC-Council
FAT Structure
Contents of the file allocation table:
• Unused (0x0000)
• Cluster in use by a file
• Bad cluster (0xFFF7)
• Last cluster in a file (0xFFF8-0xFFFF)
File allocation table structure:

EC-Council
FAT Structure (cont’d)
• Name (eight-plus-three characters)
• Attribute byte (8 bits worth of information, described later in
this section)
• Create time (24 bits)
• Create date (16 bits)
• Last access date (16 bits)
• Last modified time (16 bits)
• Last modified date (16 bits)
• Starting cluster number in the file allocation table (16 bits)
• File size (32 bits)
Folder entries in FAT system are as follows:
FAT file system have a set of 32-byte folder entries for every folder

EC-Council
Examining FAT
When a file is deleted from the operating system, it replaces the first
word of the file’s name by a lowercase Greek letter. The space is made
available for new files
These files can be recovered using forensic tools
Few tools which can be used for forensics:
• WINHEX
• UNDELETE
• FILE SCAVENGER

EC-Council
Boot Sector
Boot Sector is the first sector (512
bytes) of a FAT file system
Unix-like terminology defines it as a
superblock

EC-Council
FAT32
FAT32 file system is derived from a FAT file system and supports drives up to 2 terabytes
in size
It uses drive space efficiently and uses small cluster
It takes backup of the file allocation table instead of the default copy
Master boot record table of FAT32:
Offset Description Size
000h Executable Code (Boots Computer) 446 Bytes
1BEh 1st Position Entry 16 Bytes
1CEh 2nd Position Entry 16 Bytes
1DEh 3 rd Position Entry 16 Bytes
1EEh 4th Position Entry 16 Bytes
1FEh Boot Record Signature 2 Bytes

EC-Council
NTFS

EC-Council
NTFS
NTFS or New Technology File System is the standard file system of Windows NT and
its descendants Windows 2000, Windows XP, Windows Server 2003, and Windows Vista
It replaced Microsoft's previous FAT file system, used in MS-DOS and early versions of
Windows
It has several improvements over FAT such as improved support for metadata and the use
of advanced data structures to improve performance, reliability, and disk space utilization
plus additional extensions such as security access control lists and file system journaling

EC-Council
NTFS (cont’d)
• v1.0 , v1.1, v1.2 found in NT
3.51 and NT 4
• v3.0 found in Windows
2000
• v3.1 found in Windows XP,
Windows Server 2003, and
Windows Vista
• These final three versions
are sometimes referred to
as v4.0, v5.0, and v5.1
NTFS has five
versions:
NTFS uses UNICODE data
format

EC-Council
NTFS Architecture
Hard Disk
Master Boot
Record
Boot Sector
Ntldr
NTFS.sys
Ntoskrnl.exe
Operating
System
Application
Kernel Mode
User Mode

EC-Council
NTFS System Files
File Name Description
$attrdef
Contains definitions of all system and user-defined
attributes of the volume
$badclus Contains all the bad clusters
$bitmap Contains bitmap for the entire volume
$boot Contains the volume's bootstrap
$logfile Used for recovery purposes
$mft Contains a record for every file
$mftmirr Mirror of the MFT used for recovering files
$quota Indicates disk quota for each user
$upcase Converts characters into uppercase Unicode
$volume Contains volume name and version number

EC-Council
NTFS Partition Boot Sector
When you format an NTFS
volume, the format program
allocates the first 16 sectors
for the boot sector and the
bootstrap code
Partition identifier
0x07 (MBR)
EBD0A0A2-B9E5-4433-
87C0-68B6B72699C7
(GPT)

EC-Council
NTFS Master File Table (MFT)
Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT)
It reserves the first 16 records of the table for special information
The first record of this table describes the master file table itself, followed by an MFT mirror record
If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first
record is identical to the first record of the MFT
The locations of the data segments for both the MFT and MFT mirror file are recorded in the boot sector, a
duplicate of the boot sector is located at the logical center of the disk
The third record of the MFT is the log file, used for file recovery. The seventeenth and following records of
the master file table are for each file and directory (also viewed as a file by NTFS) on the volume

EC-Council
NTFS Master File Table (MFT)

EC-Council
NTFS Metadata File Table (MFT)
MFT is a relational database, which consists of information related to the files and the file
attributes
The rows consists of file records and the columns consists of file attributes
It has information of every file on the NTFS volume including information about itself
It has 16 records reserved for system files
For small folder, MFT is represented as follows:
Standard
Information
File or
Directory
Name
Data or
index
Unused
space

EC-Council
Cluster Sizes of NTFS Volume
A cluster is the smallest allocation unit onto the hard disk used to hold a file
NTFS uses clusters of different sizes to hold the files depending on the size of the NTFS
volume
List of the default cluster sizes for NTFS volume
Volume Size Sectors per Cluster Default Cluster Size
512 MB or less 1 512 bytes
513 MB -1024 MB(1GB) 2 1024 bytes(1 GB)
1024 MB-2048MB (2GB) 4 2048 bytes(2GB)
Greater than 2049 MB 8 4 KB

EC-Council
NTFS Files and Data Storage
NTFS file system stores the data in files according to the size of the file
Attributes are recorded when a file is stored:
• Header:
• It contains the sequence number used by the NTFS and pointers to the other attributes of the file
• Standard information attribute:
• It contains the date and time when the file was created, modified, and accessed
• File name attribute:
• It contains the name of the file
• Data attribute:
• It contains the contents of the file
• Security descriptor attribute:
• It contains the security information that manages access to the file

EC-Council
NTFS Attributes-I
Every file has unique identities such as:
• Name
• Security information and
• Also metadata of file system in the file
Every attribute is identified by an attribute type code
There are two categories of attributes:
• Resident attributes: These are the attributes that are contained in the
MFT
• Non-resident attributes: These are the attributes that are allocated
with one or more clusters of disk space

EC-Council
NTFS Attributes-II

EC-Council
NTFS Data Stream-I
NTFS supports multiple data streams, where the stream name identifies a new data
attribute on the file
A handle can be opened to each data stream
A data stream, then, is a unique set of file attributes
An example of an alternate stream is:
•C:ECHO text_message > myfile.txt :stream1
When you copy an NTFS file to a FAT volume, such as a floppy disk, data streams, and
other attributes not supported by FAT are lost

EC-Council
NTFS Data Stream-II
1
2

EC-Council
NTFS Data Stream-III
3
4

EC-Council
NTFS Compressed Files
The compressed files present on the NTFS volume can be accessed, read, or
modified by any Windows application without decompressing the file
The file is automatically decompressed by filter driver when Windows
applications requests the access
NTFS compression algorithms support cluster sizes of upto 4 KB

EC-Council
NTFS Encrypted File Systems
(EFS)
Encrypting File System (EFS) provides the core file encryption technology to store the
encrypted files on NTFS file system volumes
Encryption is transparent to the user that encrypted the file which means that you do not
have to manually decrypt the encrypted file before you can use it
You can open and change the file as you normally do

EC-Council
EFS File Structure
File Encryption Key
Encrypted with owner’s public key
File Encryption Key
Encrypted with file recovery agent 1
File Encryption Key
Encrypted with file recovery agent 2
.
.
.
Encrypted Data
Header
Data
Encryption
Field
Data
Recovery
Fields

EC-Council
EFS Recovery Key Agent-I
A recovery policy is always associated with an encryption policy
A recovery agent decrypts the file if the encryption certificate of an encrypted
file is lost
The recovery agent is used under the below conditions:
• When a user loses a private key
• When a user leaves the company
• Whenever a law enforcement agency makes a request

EC-Council
EFS Recovery Key Agent -II
The Windows administrator can recover the key from the
Windows or from the MS-DOS command prompt
The keys can be recovered from the command prompt using the
commands:
• CIPHER
• COPY
• EFSRECVR
Recovery agent information of an encrypted file can be viewed
using the efsinfo tool

EC-Council
EFS Key
EFS Key retrieves the EFS-encrypted files from NTFS partitions
To retrieve the files, the encryption password must be known or SAM database
must be present
EFS Key user interface is similar to Windows Explorer wherein the users can
browse disk contents, then drag, and drop files to a new location

EC-Council
EFS Key

EC-Council
Deleting NTFS Files
On deletion from Windows Explorer, the file moved into the recycle bin
If the file is deleted from the command prompt then Recycle Bin is bypassed and thus
can be recovered by using forensic tools
When a file is deleted, the operating system performs the below tasks in the NTFS:
• Clusters are made available for the new data
• MFT attribute $BITMAP is updated
• File attribute of the MFT is marked available
• Any linking inodes and VFN/LCN cluster locations are removed from MFT
• The list of links to the cluster locations is deleted

EC-Council
Registry Data-I
The Registry is the central hierarchical database used in Microsoft Windows
operating systems to store information necessary to configure the system for one
or more users, applications and hardware devices
Windows continuously refers the registry for the information during the
execution of the application
The data in the registry is saved in the form of binary files

EC-Council
Registry Data-II
The
Hives
Handle
key
Key
Sub-
Key
Value
Key
Sub-
Key
Value
Handle
key
Key
Sub-
Key
Value
Key
Sub-
Key
Value

EC-Council
Registry Data-III

EC-Council
Examining Registry Data
Registry has a predefined set of keys for every folder
A registry hive is a group of keys, subkeys, and values in the registry that
has a set of supporting files that contain backups of its data
It can be examined manually using the Registry Editor
It can be examined using tools such as:
• Registry Monitor
• Registry Checker

EC-Council
FAT vs. NTFS
File Allocation Table (FAT) New Technology File System (NTFS)
A table, which tracks all the system storage
changes
A latest file system developed specially for
Windows 2000
Versions available are FAT12, FAT16, FAT32 NTFS is the only version
Supported in all versions of windows operating
system
Supports all the operating systems after windows
2000
Does not support large file names Supports large file names
Does not support large storage media Supports large storage media
Does not support file system recovery Supports file system recovery

EC-Council
Ext3

EC-Council
Ext2
Second extended file system (Ext2) is a file system for Linux operating system
Physical layout of the EXT2 File system:
Block
Group 0
Block
Group N-1
Block
Group N
Super
Block
Group
Descriptor
Block
Bit Map
Inode
Bit Map
Inode Table Data Blocks

EC-Council
Ext2 (cont’d)
• Inode is a basic building block of
the Ext2 file system
• Each file and directory is
described by a single inode
• Inodes for each file system block
are placed together in an inode
table
EXT2 Inode:
Mode
Owner Info
Size
Timestamps
Direct Blocks
Indirect Blocks
Double Indirect
Triple Indirect
Data
Data
Data
Data
Data
Data
Data
Data

EC-Council
Ext2 (cont’d)
EXT2 Directories
• Ext2 directories are particular files that
create and hold access path of the files
in the file system
• These files contain the list of directory
entries with the following information:
• Directory inode
• Length of the file name
• Name of the directory

EC-Council
Ext3
Third extended file system (Ext3) is a journaling file system used in the
GNU/Linux operating system
It is the enhanced version of the Ext2 file system
Command to convert ext2 to ext3 file system:
• # /sbin/tune2fs -j <partition-name>

EC-Council
HFS and CDFS

EC-Council
HFS
Hierarchical File System is a file system designed
by Apple in 1985 for MAC operating system
It groups file into directories and each directory
also groups with other directories
It displays drives, directories, and files in groups
A:
C:
Temp
Windows
System32
Spool
Tasks
Web
Program Files
Hierarchical File System

EC-Council
CDFS
CD File System (CDFS) is a file system for Linux operating system
It transfers all tracks and boot images on a CD as normal files
It unlocks the information in old ISO images
For example, suppose multisession CD contains two ISO images, mounting the
CD with CDFS file system, results in two sessions as files:
•[root@k6 /root]# mount -t cdfs -o ro /dev/cdrom /mnt/cdfs
•[root@k6 /root]# ls -l /mnt/cdfs
total 33389
-r--r--r-- 1 ronsse ronsse 33503232 Aug 8 19:36 sessions_1-1.iso
-r--r--r-- 1 ronsse ronsse 34121728 Aug 8 1999 sessions_1-2.iso

EC-Council
RAID Storage System

EC-Council
RAID Storage System
Redundant Array of Inexpensive Disks (RAID) is a technology that uses
multiple smaller disks simultaneously which function as a single large
volume
This technology is developed to:
• Maintain a large amount of data storage
• Achieve a greater level of input/output performance
• Achieve a greater reliability through data redundancy

EC-Council
RAID Levels
• Data is split into blocks and written equally across multiple hard
drives
• If any drive fails, data recovery is not possible
• It does not provides data redundancy
• It requires minimum two drives for set up
RAID Level 0: Disk striping
A
C
E
G
B
D
F
Etc.

EC-Council
RAID Levels (cont’d)
• Multiple copies of data are written to multiple drives at the same time
• It provides data redundancy by completely duplicating the drive data to
multiple drives
• If one drive fails, data recovery is possible
• It requires minimum two drives for set up
RAID Level 1: Disk mirroring
A
B
C
D
A
B
C
D
E
F
G
H
E
F
G
H

EC-Council
• Data is striped at a byte level across multiple drives and one drive is set
to store parity information
• If any drive fails, data recovery and error correction is possible through
the parity drive
• Parity drive stores all the information about the data on multiple drives
RAID Level 3: Disk striping with parity
A0
B0
C0
D0
A1
B1
C1
D1
A2
B2
C2
D2
A3
B3
C3
D3
A Parity
B Parity
C Parity
D Parity
Stripe 0 Stripe 1 Stripe 2 Stripe 3 Stripes 0, 1, 2, 3 Parity
Parity Generation

EC-Council
• Data is striped at a byte level across multiple drive and parity
information is distributed among all member drives
• Data writing process is slow
• It requires minimum three drives for setup
RAID Level 5: Block interleaved distributed parity
Parity Generation

EC-Council
Recover Data from Unallocated
Space using File Carving Process
File carving is a process used to recover files from unallocated space of the
hard disk
This technique is generally used by the investigator during the digital
investigation to extract the files from unallocated space
Tools used for file carving process:
• PhotoRec
• EnCase

EC-Council
Hard Disk Evidence Collection Tools

EC-Council
Evidor
Evidor allows to search text on the hard disks and retrieves the context of
keyword occurrences on computer media, not only by examining all files (the
entire allocated space, even Windows swap/paging and hibernate files), but also
currently unallocated space and slack space
It can extract data from deleted files, if disk tracks are not over written
It is a particularly convenient way for any investigator to find and gather digital
evidence on the computer media

EC-Council
Evidor: Screenshot

EC-Council
WinHex
• Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart
Media, Compact Flash
• Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS,
UDF
• Built-in interpretation of RAID systems and dynamic disks
• RAM editor, providing access to physical RAM and other processes'
virtual memory
• Data interpreter, knowing 20 data types
Features:
Computer Forensics and Data Recovery Software, Hex Editor and Disk Editor

EC-Council
WinHex: Screenshot

EC-Council
Logicube Tools
Logicube Echo PLUS is a
portable hard drive cloning solution
that clones data and operating
system of the target drive
Logicube Sonix transfers data to
and from a hard drive at 3.3GB/min
and is capable of housing any size,
brand, model, or type drive

EC-Council
Logicube Tools (cont’d)
OmniClone Xi supports UDMA-5
transfer speeds for cloning IDE,
EIDE, UDMA, and SATA drives at
up to 3.5 GB/min
Logicube OmniWipe is used to
quickly wipe drives prior to using
them for data capturing purposes

EC-Council
Logicube: CloneCard Pro
CloneCard Pro is a PCMCIA adapter that allows hard drive
data recovery transfer rates up to 175 MB/Min, which is
approximately 15 times faster than capturing data through
the parallel port
It clones laptop or notebook computers at speeds in excess
of 175 MB/min
It is designed for use with handheld hard drive duplication
products
Figure: CloneCard Pro

EC-Council
ImageMASSter: ImageMASSter
4008i
• Transfers data at rate exceeds 2GB/min
• Copies data at high speeds to 8 target drives
simultaneously
• Partitions and formats target drives
automatically during the data copy process
• Provides 48-bit drive support to copy hard
drives larger than 137GB
Features:
ImageMASSter 4008i is a high-Speed multiple hard drive duplicator
Figure: ImageMASSter 40008i

EC-Council
eDR Solutions: Hard Disk Crusher
The Hard Disk Crusher permanently destroys the confidential information
from the hard disk that can never be recovered again
It destroys a disk and the data on it in just seconds without the need of a
peripheral PC or workstation
Features:
• It can crash over 60 disks in an hour
• It gives visual verification of destruction

EC-Council
Summary
A hard disk is a sealed unit containing a number of platters in a stack. Hard disks
may be mounted in a horizontal or a vertical position
File system is a set of data types, which is employed for storage, hierarchical
categorization, management, navigation, access, and recovery of data
Every disk has Master Boot Record that contains information about partitions on
the disk
EFS is the main file encryption technology used to store the encrypted files in the
NTFS
MFT is a relational database, which consists of information regarding the files
and file attributes

EC-Council

File000121

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to File000121

Similar to File000121 (20)

More from Desmond Devendran

More from Desmond Devendran (20)

Recently uploaded

Recently uploaded (20)

File000121