What name is given to the unused space between the logical end of file and the physical end of file?

Presentation on theme: "BACS 371 Computer Forensics"— Presentation transcript:

1 BACS 371 Computer Forensics
Files, Partitions & File Systems

2 Data Hierarchy
Storage hierarchy: Computer > Hard Disk Drive > Partition > File > Cluster > Sector
Data hierarchy: Physical File > Logical File > Cluster > Sector > Word > Byte > Bit

3 File
A collection of information written to a disk
Generally created in an application-specific format
Occupies a whole number of clusters; the last cluster is rarely completely used
In FAT, the FAT entry for each of the file's clusters points to the next cluster in the file
The FAT entry for the final cluster holds the End of File (EOF) marker

4 Files
Logical File Size: exact size of the file's contents in bytes
Physical File Size: amount of space the file occupies on disk in bytes (always a whole number of clusters)
Disk Slack: unused space between the logical end of the file and the physical end of its last cluster
  This is different from RAM slack, which is discussed next.
  Note: the term "file slack" is sometimes used interchangeably with "disk slack". This is not technically precise. File slack is any type of slack attached to the file and can also include RAM slack. Disk slack is specifically the unused sectors that fill out the last cluster of a file.

  |<--------------- Physical File Size --------------->|
  |<-- Logical File Size -->|<------ Disk Slack ------>|

5 Disk & RAM Slack Example
Assumptions: Sector Size = 512 Bytes; Cluster Size = 4 KB = 8 Sectors
File Contents: "Hello world!" = 12 bytes, written into the 1st sector of the cluster
RAM Slack: 512 bytes - 12 bytes = 500 bytes (the rest of the 1st sector)
Disk Slack: 4096 bytes - 512 bytes = 3584 bytes (sectors 2 through 8 of the cluster, never written by this file)
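The arithmetic above, generalized to any file size and any sector/cluster geometry, as an added example that is not part of the original slides. The defaults are the slide's assumptions (512-byte sectors, 8 sectors per cluster); the function also reports where inside the last cluster each kind of slack lies, which is what a carving tool needs to know.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SECTOR_SIZE = 512       # bytes per sector (the slide's assumption)
CLUSTER_SECTORS = 8     # sectors per cluster: 8 * 512 = 4 KiB (the slide's assumption)


@dataclass
class SlackLayout:
    logical_size: int                            # bytes the file really contains
    clusters: int                                # clusters allocated to the file
    physical_size: int                           # clusters * cluster size
    ram_slack: int                               # unused tail of the last written sector
    disk_slack: int                              # whole sectors of the last cluster never written by this file
    ram_slack_range: Optional[Tuple[int, int]]   # [start, end) byte offsets inside the last cluster
    disk_slack_range: Optional[Tuple[int, int]]  # [start, end) byte offsets inside the last cluster


def slack_layout(logical_size: int,
                 sector_size: int = SECTOR_SIZE,
                 cluster_sectors: int = CLUSTER_SECTORS) -> SlackLayout:
    """Physical size, RAM slack and disk slack for a file of `logical_size` bytes,
    plus the byte ranges inside the last cluster where each kind of slack sits."""
    if logical_size < 0:
        raise ValueError("file size cannot be negative")
    cluster_size = sector_size * cluster_sectors
    if logical_size == 0:
        # FAT allocates no cluster to a zero-length file, so there is no slack to carve.
        return SlackLayout(0, 0, 0, 0, 0, None, None)

    clusters = -(-logical_size // cluster_size)                    # ceiling division
    used_in_last = logical_size - (clusters - 1) * cluster_size    # 1..cluster_size bytes
    sectors_written = -(-used_in_last // sector_size)              # sectors the OS had to write
    ram_slack = sectors_written * sector_size - used_in_last
    disk_slack = (cluster_sectors - sectors_written) * sector_size

    ram_range = (used_in_last, sectors_written * sector_size) if ram_slack else None
    disk_range = (sectors_written * sector_size, cluster_size) if disk_slack else None
    return SlackLayout(logical_size, clusters, clusters * cluster_size,
                       ram_slack, disk_slack, ram_range, disk_range)


if __name__ == "__main__":
    for size in (12, 512, 4096, 4097):
        print(size, slack_layout(size))
```

Two caveats for examiners: FAT allocates no cluster at all to a zero-length file, so such a file has no slack; and modern Windows versions zero-fill the tail of the last written sector, so RAM slack on a current volume normally holds zeros rather than leftover memory contents.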

6 Partitions
A partition is a logical volume within a physical volume (i.e., a disk).
The Master Boot Record (MBR) of a disk defines the partitions found on the physical disk. An MBR can define at most 4 primary partitions.
One of those four entries can instead describe an extended partition: a container that is subdivided into logical partitions. The extended partition holds no file system of its own. It begins with an Extended Boot Record (EBR) that describes the first logical partition and points to the next EBR, which describes the next logical partition, and so on; the logical partitions therefore form a chain, and the chain can continue as long as space remains in the extended partition.

7 Master Boot Record (MBR)
Executable Code: machine language, processor specific; decodes the partition table and hands off to a partition boot record; 446 bytes long (offsets 0x000 to 0x1BD)
Partition Table: 4 entries of 16 bytes each; the first entry starts at offset 0x01BE (446 decimal)
MBR "Signature": 0x55AA at offset 0x1FE (bytes 510 and 511, stored as 55 AA)

8 Disk Partitions (Physical and extended)
A DOS based disk can have up to 4 primary partitions. One of these can be an extended partition (DOS and Windows allow only one). Within each primary partition is a partition boot record for its file system.
The extended partition starts with an Extended Boot Record that has the same layout as the MBR (partition table at byte 446, signature 0x55AA) but conventionally uses only two entries: the first describes a logical partition, the second points to the next Extended Boot Record. Each logical partition has its own PBR as well. There is no set limit to how long this chain can be; the size of the disk is the natural limit, since you eventually run out of space to subdivide.
Disk space that is not included in the MBR as part of any partition is said to be "unallocated". It may or may not contain data from previous partition settings of the disk, and it is often a good source of evidence.
PBR = Partition Boot Record

9 Partition Layout

10 Extended Partition Layout

11 MBR with Extended Boot Record
Within a 16-byte partition table entry (the first entry begins at byte 446), the partition type is the byte at offset 4. Hex 05 in this slot means an extended partition (0x0F is the LBA variant used when the extended partition lies beyond the CHS limit). You find its start by using the standard start-position field: the 4-byte little-endian LBA at offset 8 of the entry, counted from the start of the disk.

12 Extended Boot Record
Once you jump to the location indicated by the MBR, you will find a sector that is very similar to the MBR in that it has its own local partition table. Its first entry points to the first logical partition within the extended partition; its second entry, if present, points to the next Extended Boot Record. Take care when decoding: the first entry's start is relative to the sector holding this Extended Boot Record, while the second entry's start is relative to the first sector of the whole extended partition, not to the start of the disk. This one only has 1 extended partition and it
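Slides 6 to 12 in code, as an added example that is not part of the original presentation. It builds a constructed two-level MBR/EBR layout (the partition types, sizes and LBAs are invented for the demonstration) and walks it, converting the relative start fields in each Extended Boot Record into disk-absolute sector numbers the way a forensic tool must.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446              # 0x1BE: first of four 16-byte entries
SIGNATURE = b"\x55\xAA"              # bytes 510-511 of every MBR and EBR
EXTENDED_TYPES = {0x05, 0x0F}        # CHS extended, LBA extended
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(ptype, lba_start, sectors, bootable=False):
    """One 16-byte partition table entry; the obsolete CHS fields are left zero."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def make_boot_record(entries):
    """A 512-byte MBR or EBR: zeroed code area, up to four entries, 0x55AA signature."""
    sector = bytearray(SECTOR)
    for i, e in enumerate(entries):
        sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)] = e
    sector[510:512] = SIGNATURE
    return bytes(sector)


def build_sample_disk():
    """Constructed disk image (assumed layout): one primary NTFS partition and one
    extended partition holding two logical FAT32 volumes. Returned as
    {LBA: sector bytes}; every other sector reads as zeros."""
    ext_start = 206848                      # extended partition begins here
    second_ebr = ext_start + 204800         # second EBR: 204800 sectors into the extended partition
    return {
        0: make_boot_record([make_entry(0x07, 2048, 204800, bootable=True),
                             make_entry(0x05, ext_start, 409600)]),
        # EBR entry 1 start is relative to THIS EBR's sector;
        # EBR entry 2 start is relative to the extended partition's first sector.
        ext_start: make_boot_record([make_entry(0x0B, 2048, 102400),
                                     make_entry(0x05, 204800, 204800)]),
        second_ebr: make_boot_record([make_entry(0x0B, 2048, 102400)]),   # no entry 2: end of chain
    }


def parse_table(sector):
    """Return the non-empty entries of an MBR/EBR partition table."""
    if len(sector) < SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector,
                                                               PART_TABLE_OFFSET + 16 * i)
        if ptype != 0 and count != 0:
            entries.append({"index": i, "type": ptype, "start": start, "sectors": count,
                            "bootable": status == 0x80})
    return entries


def list_partitions(read_sector):
    """All primary partitions plus every logical partition reachable through the EBR
    chain, with disk-absolute start LBAs. A damaged chain that loops back on itself
    or points at a sector without a signature ends the walk instead of hanging."""
    found = []
    for p in parse_table(read_sector(0)):
        if p["type"] not in EXTENDED_TYPES:
            found.append(dict(p, kind="primary"))
            continue
        ext_base = p["start"]
        ebr_lba, seen = ext_base, set()
        while ebr_lba and ebr_lba not in seen:
            seen.add(ebr_lba)
            try:
                table = {e["index"]: e for e in parse_table(read_sector(ebr_lba))}
            except ValueError:
                break                                   # corrupt or overwritten EBR
            if 0 in table:                              # the logical partition this EBR describes
                lp = table[0]
                found.append(dict(lp, start=ebr_lba + lp["start"], kind="logical", ebr=ebr_lba))
            nxt = table.get(1)                          # link to the next EBR, if any
            ebr_lba = ext_base + nxt["start"] if nxt and nxt["type"] in EXTENDED_TYPES else 0
    return found


def list_sample_partitions():
    disk = build_sample_disk()
    return list_partitions(lambda lba: disk.get(lba, bytes(SECTOR)))


if __name__ == "__main__":
    for p in list_sample_partitions():
        print(p)
```

On a real image, replace the dictionary lookup with a read of 512 bytes at `lba * 512` from the image file; the walker is the same.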

13 FAT File System

14 File Systems (See http://www.ntfs.com)
A method for storing and organizing computer files and the data they contain, to make them easy to find and access
File System Types
  FAT (File Allocation Table): FAT12, FAT16, FAT32, exFAT
  NTFS (New Technology File System)
Functions
  Manage "free space"
  Allocate clusters to files
  Track time stamps (MAC: Modify, Access, Create)

15 A FAT file system is composed of four different sections.
The Boot Sector (aka Partition Boot Record or Reserved Sector; it contains the BIOS Parameter Block, also called the Drive Parameter Block). This is always the first sector of the partition and includes some basic file system information (in particular, its type and geometry), pointers to the location of the other sections, and the operating system's boot loader code.
The FAT Region. This contains two copies of the File Allocation Table for the sake of redundancy, although the extra copy is rarely used, even by disk repair utilities. These are maps of the partition, indicating how the clusters are allocated.
The Root Directory Region. This is a Directory Table that stores information about the files and directories in the root directory. With FAT32 it can be stored anywhere in the Data Region (its first cluster is recorded in the boot sector); with earlier versions it is always located immediately after the FAT Region and has a fixed size.
The Data Region. This is where the actual file and directory data is stored, and it takes up most of the partition. The size of files and subdirectories can be increased arbitrarily (as long as there are free clusters) by simply adding more links to the file's chain in the FAT. Note, however, that each cluster can be taken by only one file, so if a 1KB file resides in a 32KB cluster, 31KB are wasted (this is the file's slack).

16 FAT File System
Partition Boot Sector | FAT 1 | FAT 2 (Duplicate) | Root Directory | Other folders and all files
This is all contained within a partition.

17 Partition Boot Record AKA File System Boot Sector
The first physical sector in a logical volume (C 0, H 1, S 1, i.e., LBA 63, for the first partition of a classic CHS-aligned DOS disk; disks partitioned by Vista and later normally start the first partition at LBA 2048)
Contains
  Code
  File System Specification Information (the BIOS Parameter Block)

18 Partition Boot Record (PBR)
BIOS Parameter Block (BPB): the file system's geometry and layout
Executable Code: machine language, processor specific; decodes the BPB and searches for the OS loader
PBR "Signature": 0x55AA at bytes 510 and 511

19 Partition Boot Record (FAT32 File system)
Jump Instruction (3 bytes, offset 0)
OEM ID (8 bytes, offset 3)
BIOS Parameter Block (BPB), starting at offset 11 (includes all fields below plus additional ones). Offsets are decimal and count from byte 0 of the boot sector, which is the start of the partition, not the start of the drive.
  offset 11  Bytes Per Sector       2 bytes
  offset 13  Sectors Per Cluster    1 byte
  offset 21  Media Descriptor       1 byte
  offset 24  Sectors Per Track      2 bytes
  offset 26  Number of Heads        2 bytes
  offset 28  Hidden Sectors         4 bytes (sectors between the start of the disk and this boot sector)
  offset 32  Total Sectors          4 bytes
  FAT32 extension: offset 36 Sectors Per FAT (4 bytes), offset 44 Root Directory First Cluster (4 bytes), offset 82 File System Type string (8 bytes)
Bootstrap Code (420 bytes on FAT32, from offset 90; 448 bytes on FAT12/16, where the BPB is shorter and the code starts at offset 62)
Ends with 55 AA at offset 510

20 Decoding a Partition Boot Record (BIOS Parameter Block - BPB)
Field               | Offset (dec) | Size    | Decoding                           | Value
Jump Instruction    | 0            | 3 bytes |                                    |
OEM Name            | 3            | 8 bytes | ASCII                              | "MSDOS5.0"
Bytes Per Sector    | 11           | 2 bytes | Number, little-endian (swap bytes) | 0x0200 = 512
Sectors Per Cluster | 13           | 1 byte  | Number                             | 0x08 = 8; 8 * 512 = 4096 bytes/cluster
Media Type          | 21           | 1 byte  | From table                         | 0xF8 = hard disk
Sectors per Track   | 24           | 2 bytes | Number, little-endian (swap bytes) | 0x003F = 63
Heads               | 26           | 2 bytes | Number, little-endian (swap bytes) | 0x00FF = 255
Total Sectors       | 32           | 4 bytes | Number, little-endian (swap bytes) | 0x000E37BA = 931,770 sectors; * 512 = 477,066,240 bytes
FAT Size (Sectors)  | 36           | 4 bytes | Number, little-endian (swap bytes) | 0x0000038D = 909 sectors; * 512 = 465,408 bytes; / 4 bytes per FAT32 entry = 116,352 entries; * 4096 bytes per cluster = 476,577,792 bytes addressable (enough to cover the 477,066,240-byte volume)
File System Type    | 82           | 8 bytes | ASCII                              | "FAT32   "
2008 Richard T. Turley
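The decode on this slide done in code, as an added example that is not from the original presentation. The boot sector is constructed from the slide's own values; the reserved sector count, number of FATs, hidden sector count and root cluster are assumptions (the slide does not show them) and are marked as such in the code. Beyond reproducing the slide's numbers, it derives where the data region starts and how many clusters exist, and checks that the FAT is large enough to cover them, which is how an examiner spots a damaged or doctored BPB.

```python
import struct

BPB_FMT = "<HBHBHHBHHHII"   # offsets 11..35: the common BPB fields decoded on the slide
FAT32_EXT_FMT = "<IHHI"     # offsets 36..47: FATSz32, ExtFlags, FSVer, RootClus


def build_sample_boot_sector() -> bytes:
    """Constructed FAT32 boot sector carrying the values the slide decodes.
    Reserved sectors (32), number of FATs (2), hidden sectors (63) and the
    root cluster (2) are assumptions: the slide does not show them."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                       # jump instruction
    bs[3:11] = b"MSDOS5.0"                         # OEM name
    struct.pack_into(BPB_FMT, bs, 11,
                     512,      # 11 bytes per sector
                     8,        # 13 sectors per cluster
                     32,       # 14 reserved sectors (assumed)
                     2,        # 16 number of FATs (assumed)
                     0,        # 17 root entry count: 0 on FAT32
                     0,        # 19 total sectors, 16-bit: 0 on FAT32
                     0xF8,     # 21 media descriptor: fixed disk
                     0,        # 22 sectors per FAT, 16-bit: 0 on FAT32
                     63,       # 24 sectors per track
                     255,      # 26 number of heads
                     63,       # 28 hidden sectors (assumed)
                     931770)   # 32 total sectors, 32-bit
    struct.pack_into(FAT32_EXT_FMT, bs, 36, 909, 0, 0, 2)   # 909 sectors per FAT, root cluster 2
    bs[82:90] = b"FAT32   "                        # file system type string
    bs[510:512] = b"\x55\xAA"                      # boot sector signature
    return bytes(bs)


def decode_bpb(bs: bytes) -> dict:
    """Decode the BPB as the slide does, then derive the layout numbers an
    examiner needs: first data sector, cluster count, FAT coverage."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: 0x55AA signature missing")
    (bps, spc, reserved, nfats, root_entries, total16, media, fatsz16,
     spt, heads, hidden, total32) = struct.unpack_from(BPB_FMT, bs, 11)
    fatsz32, _ext_flags, _fs_ver, root_cluster = struct.unpack_from(FAT32_EXT_FMT, bs, 36)

    # Sanity checks: a boot sector failing these is damaged or not FAT at all.
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector: %d" % bps)
    if spc == 0 or spc & (spc - 1) or spc > 128:
        raise ValueError("sectors per cluster must be a power of two <= 128")

    fat_sectors = fatsz16 or fatsz32               # 16-bit field on FAT12/16, 32-bit on FAT32
    total_sectors = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32: root is a cluster chain
    first_data_sector = reserved + nfats * fat_sectors + root_dir_sectors
    cluster_count = (total_sectors - first_data_sector) // spc
    fat_entries = fat_sectors * bps // 4           # FAT32: 4 bytes per entry

    return {
        "oem": bs[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_bytes": bps * spc,
        "media": "fixed disk" if media == 0xF8 else "other (0x%02X)" % media,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bps,
        "fat_sectors": fat_sectors,
        "fat_entries": fat_entries,
        "fat_addressable_bytes": fat_entries * bps * spc,
        "first_data_sector": first_data_sector,     # relative to the partition start
        "cluster_count": cluster_count,
        "fat_covers_volume": fat_entries >= cluster_count + 2,   # entries 0 and 1 are reserved
        "root_cluster": root_cluster,
        "fs_type": bs[82:90].decode("ascii", "replace").strip(),
    }


def cluster_to_sector(bpb: dict, cluster: int) -> int:
    """First partition-relative sector of a data cluster (numbering starts at 2).
    Add bpb['hidden_sectors'] to get a disk-absolute LBA."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return bpb["first_data_sector"] + (cluster - 2) * bpb["sectors_per_cluster"]


if __name__ == "__main__":
    info = decode_bpb(build_sample_boot_sector())
    for k, v in info.items():
        print("%-22s %r" % (k, v))
    print("cluster 2 starts at partition sector", cluster_to_sector(info, 2))
```

The `fat_covers_volume` check is the one worth running on every image: a FAT shorter than the cluster count means the table has been resized or the total-sector field altered, and clusters beyond the table cannot be trusted.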

21 Partition Boot Sector Decoded

22 File Allocation Table
A partition is divided into identically sized clusters, small blocks of contiguous space. Cluster sizes vary depending on the type of FAT file system being used and the size of the partition; typically cluster sizes lie somewhere between 2KB and 32KB. Each file may occupy one or more of these clusters depending on its size; thus a file is represented by a chain of these clusters (a singly linked list). These chains are not necessarily stored adjacently on the disk's surface but are often fragmented throughout the Data Region.
The File Allocation Table (FAT) is a list of entries, one for each cluster on the partition. Each entry records one of five things:
  the number of the next cluster in the chain
  a special end-of-chain (EOF) value marking the last cluster of a file (FAT32: 0x0FFFFFF8 to 0x0FFFFFFF)
  a special value marking a bad cluster (FAT32: 0x0FFFFFF7)
  a special value marking a reserved cluster
  zero, meaning the cluster is unused
On FAT32 only the low 28 bits of each 32-bit entry are significant; the top 4 bits must be masked off before comparing.

23 FAT Content
The FAT region sits at the start of the partition, immediately after the reserved sectors (on a classic disk that places it near the outermost track). The FAT itself holds only the cluster-chain entries; the per-file information is held in the directory entries that point into it:
  File names
  Directory names
  Date and time stamps (MAC): Modify, Access, Create
  Starting cluster number
  Attributes: Archive, Hidden, System, Read Only

24 File Allocation Table (FAT)

25 Directory table
A directory table is a special type of file that represents a directory (nowadays commonly known as a folder). Each file or directory stored within it is represented by a 32-byte entry in the table. Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume label), the date and time of creation, the address of the first cluster of the file/directory's data, and finally the size of the file/directory.
Aside from the Root Directory Table in FAT12 and FAT16 file systems, which occupies the special Root Directory Region, all Directory Tables are stored in the Data Region.
Legal characters for DOS file names include the following:
  Upper case letters A-Z
  Numbers 0-9
  Space (though trailing spaces are considered to be padding and not part of the file name)
  ! # $ % & ( ) ^ _ ` { } ~ '

26 Directory to FAT interaction

27 Root Directory

28 FAT32
32-bit cluster numbers; only 28 bits are actually used (the top 4 bits are reserved and must be masked off when reading the FAT)
Addresses 2^28 clusters (268,435,456)
Drive sizes ~1 TB (2^28 clusters * 4096 bytes per cluster = 2^40 bytes, ~1.1 TB)
Windows XP's format tool will not create FAT32 volumes larger than 32 GB (it can still mount larger ones created elsewhere)
Max file size in FAT32 is 4 GB minus one byte, because the directory entry's size field is only 32 bits

29 Advantages of FAT32 over FAT16
FAT32 offers smaller cluster sizes on large volumes -> less wasted space (less slack)
FAT32 systems can relocate and change the size of the root directory (it is an ordinary cluster chain rather than a fixed region)
FAT32 volumes keep a backup copy of the boot record(s) -> less prone to failure
Long file names (strictly a feature of the VFAT directory extension, which Windows 95 and later also apply to FAT12 and FAT16 volumes)

30 Long File Names "Trick"
Phony entries are added to the Directory Tables ahead of the real (short-name) entry
The phony entries are marked with the attribute value 0x0F (read-only + hidden + system + volume label), a combination that older DOS code ignores
Each phony entry can contain up to 13 UTF-16 characters (26 bytes)

31 Long File Names Entries
Red entries are short file name entries. Blue are for a long file name. Read the long filename entries from the bottom to the top. Note that the first byte of each long filename entry is its sequence number: 01, 02, 03, 04, 05, 06 (OR'ed with 0x40 to indicate the last segment). Long filename entries have 0x0F in the attribute byte (the 12th byte, offset 11). Directory entries have 0x10 in this position (indicating a directory).

32 FAT Root Directory: Volume ID Directory Entry
Single Directory Entry for a file with a "short" filename. Multiple Directory Entries for a file with a "long" filename: here 4 entries hold the long file name, and 1 entry holds the complete set of file information, including the "short" file name.
Attribute byte values: 0x08 = Volume Label, 0x20 = Archive, 0x0F = Long File Name
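Directory entries and the long-file-name "trick" from slides 25 and 30 to 32 in code, as an added example that is not part of the original presentation. It builds a constructed directory table (the file names, clusters, sizes and the timestamp are invented for the demonstration) and parses it back: 8.3 names, packed FAT dates and times, the first cluster assembled from its high and low words, LFN pieces read in sequence-number order and tied to their short entry by checksum, and a deleted entry whose first byte has become 0xE5.

```python
import struct
from datetime import datetime

ENTRY_FMT = "<11sBBBHHHHHHHI"  # name, attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate,
                              # FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize (32 bytes)
ATTR_DIRECTORY, ATTR_ARCHIVE = 0x10, 0x20
ATTR_LFN = 0x0F    # read-only|hidden|system|volume label: marks a long-name piece
LFN_LAST = 0x40    # OR'ed into the sequence byte of the final (topmost) piece
DELETED = 0xE5     # first name byte after deletion


def sfn_checksum(name11):
    """Checksum of the 8.3 name; every LFN piece carries it to tie it to its short entry."""
    s = 0
    for c in name11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s


def pack_fat_time(dt):
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return d, t, (dt.second % 2) * 100 + dt.microsecond // 10000


def unpack_fat_time(d, t, tenths=0):
    """FAT times have 2-second resolution; creation time adds a 10 ms 'tenths' byte."""
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F, t >> 11, (t >> 5) & 0x3F,
                    (t & 0x1F) * 2 + tenths // 100, (tenths % 100) * 10000)


def make_entries(name11, long_name, attr, first_cluster, size, when):
    """Directory entries for one file: LFN pieces (highest sequence number first, as on
    disk), then the short-name entry."""
    d, t, tenths = pack_fat_time(when)
    sfn = struct.pack(ENTRY_FMT, name11, attr, 0, tenths, t, d, d,
                      first_cluster >> 16, t, d, first_cluster & 0xFFFF, size)
    if not long_name:
        return sfn
    chk = sfn_checksum(name11)
    pieces = [long_name[i:i + 13] for i in range(0, len(long_name), 13)]
    out = b""
    for seq in range(len(pieces), 0, -1):
        text = pieces[seq - 1].encode("utf-16-le")
        if len(text) < 26:
            text = (text + b"\x00\x00").ljust(26, b"\xFF")   # terminator, then 0xFFFF padding
        flag = LFN_LAST if seq == len(pieces) else 0
        out += (bytes([seq | flag]) + text[0:10] + bytes([ATTR_LFN, 0, chk])
                + text[10:22] + b"\x00\x00" + text[22:26])
    return out + sfn


def build_sample_directory():
    """Constructed directory table (names, clusters, sizes and timestamp are invented):
    a long-named document, a plain 8.3 file, a deleted file, then the end marker."""
    when = datetime(2008, 3, 14, 9, 26, 30)
    old = make_entries(b"OLD     TXT", None, ATTR_ARCHIVE, 40, 512, when)
    return (make_entries(b"FORENS~1DOC", "Forensics Lecture Notes.docx", ATTR_ARCHIVE, 0x10005, 123456, when)
            + make_entries(b"README  TXT", None, ATTR_ARCHIVE, 9, 80, when)
            + bytes([DELETED]) + old[1:]          # deletion only overwrites the first name byte
            + bytes(32))                          # 0x00 first byte: no further entries


def format_sfn(name11):
    base, ext = name11[:8].decode("latin-1").rstrip(), name11[8:].decode("latin-1").rstrip()
    return base + ("." + ext if ext else "")


def parse_directory(table):
    records, pieces = [], {}
    for off in range(0, len(table) - 31, 32):
        e = table[off:off + 32]
        if e[0] == 0x00:
            break
        if e[11] == ATTR_LFN:
            if e[0] != DELETED:                 # a deleted piece has lost its sequence number
                raw = e[1:11] + e[14:26] + e[28:32]        # the 13 UTF-16 code units
                text = raw.decode("utf-16-le", "replace").split("\x00", 1)[0].rstrip("\uffff")
                pieces[e[0] & 0x3F] = (text, e[13])
            continue
        name11, attr, _, tenths, ct, cd, ad, hi, wt, wd, lo, size = struct.unpack(ENTRY_FMT, e)
        deleted = name11[0] == DELETED
        long_name = "".join(pieces[k][0] for k in sorted(pieces)) or None
        chk_ok = all(c == sfn_checksum(name11) for _, c in pieces.values()) if long_name else None
        pieces = {}
        short = format_sfn(name11)
        records.append({
            "short_name": "?" + short[1:] if deleted else short,
            "long_name": long_name, "lfn_checksum_ok": chk_ok, "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            # Caveat: on FAT32, Windows zeroes FstClusHI when deleting a file, so a deleted
            # entry's start cluster may have lost its high 16 bits.
            "first_cluster": (hi << 16) | lo, "size": size,
            "created": unpack_fat_time(cd, ct, tenths), "modified": unpack_fat_time(wd, wt),
            "accessed": unpack_fat_time(ad, 0).date(),
        })
    return records


if __name__ == "__main__":
    for r in parse_directory(build_sample_directory()):
        print(r)
```

A checksum mismatch between LFN pieces and the short entry that follows them usually means the pieces are orphans left over from an earlier file, not the name of the current one.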

33 File System Comparisons
Criteria               | NTFS5                            | NTFS                         | FAT32                        | FAT16
Operating System       | Windows 2000, XP, Vista, Win 7   | Windows NT, 2000, XP         | Windows 98, ME, 2000, XP     | DOS, all versions of Microsoft Windows
Max Volume Size        | 2TB                              | 2TB                          | 2TB                          | 2GB
Max Files on Volume    | Nearly unlimited                 | Nearly unlimited             | Nearly unlimited             | ~65000
Max File Size          | Limited only by volume size      | Limited only by volume size  | 4GB                          | 2GB
Max Number of Clusters | Nearly unlimited                 | Nearly unlimited             | 2^28 (268,435,456)           | 65535
Max File Name Length   | Up to 255                        | Up to 255                    | Up to 255                    | Standard 8.3; extended up to 255

34 File System Features
Criteria              | NTFS5                  | NTFS                   | FAT32                                                         | FAT16
Unicode File Names    | Unicode character set  | Unicode character set  | System character set                                          | System character set
System Records Mirror | MFT mirror file        | MFT mirror file        | Second copy of FAT                                            | Second copy of FAT
Boot Sector Location  | First and last sectors | First and last sectors | First sector (a backup copy is also kept, normally at sector 6) | First sector
File Attributes       | Standard and custom    | Standard and custom    | Standard set                                                  | Standard set
Alternate Streams     | Yes                    | Yes                    | No                                                            | No
Compression           | Yes                    | Yes                    | No                                                            | No
Encryption            | Yes                    | No                     | No                                                            | No
Object Permissions    | Yes                    | Yes                    | No                                                            | No
Disk Quotas           | Yes                    | No                     | No                                                            | No
Sparse Files          | Yes                    | No                     | No                                                            | No
Reparse Points        | Yes                    | No                     | No                                                            | No
Volume Mount Points   | Yes                    | No                     | No                                                            | No
File Names            | Up to 255 characters   | Up to 255 characters   | Up to 255 characters (long names)                             | 8.3 names

35 Overall Performance
Criteria           | NTFS5                               | NTFS                                | FAT32                               | FAT16
Built-In Security  | Yes                                 | Yes                                 | No                                  | No
Recoverability     | Yes (journaled)                     | Yes (journaled)                     | No                                  | No
Performance        | Low on small volumes, high on large | Low on small volumes, high on large | High on small volumes, low on large | Highest on small volumes, low on large
Disk Space Economy | Max                                 | Max                                 | Average                             | Minimal on large volumes
Fault Tolerance    | Max                                 | Max                                 | Minimal                             | Minimal
