COEN 252 Computer Forensics - PowerPoint PPT Presentation

Slides: 21
Provided by: Thomas1324
1
COEN 252 Computer Forensics
  • Hard Drive Geometry

2
Drive Geometry
  • Basic Definitions
  • Track
  • Sector

Floppy
3
Hard Drive Geometry
  • Cylinder

A cylinder is formed by the tracks on all the
platters at one fixed actuator position. (Because
temperatures differ and hence arm lengths differ, it
is impossible to read and write in parallel.)
4
Hard Drive Geometry
  • Writing and Reading on a Track

5
Hard Drive Geometry
Data is stored in the form of a magnetization
pattern.
6
Complete Disk
IBM Ultrastar Z
7
Sectors
  • Complete Sectors are written and read.
  • Consists of
  • Inter-sector gap
  • ID Information (including defective mark)
  • (no longer used in modern drives)
  • Synchronization fields
  • Client Data (512B)
  • ECC (Error Correcting Code)

8
Formatting
  • Low level format
  • Creates data structures for tracks and sectors.
  • Defective sectors and regions are remapped.
  • There is no direct access to the disk layout.
  • This is not the usual formatting.

9
Interfaces
  • Disks are getting smarter
  • In the history of disk drives, control function
    moved to the disk.
  • Disks use a Logical Sector or Cylinder-Head-Sector
    addressing interface
  • SCSI: Small Computer Systems Interface
  • Block Device (Logical Sector)
  • SCSI 1, 2, 3 standards implement generic command
    language
  • ATA (AT Attachment): PATA, SATA

10
Interfaces
  • ATA / IDE (Integrated Disk Electronics)
  • Specified as family of standards ATA-1 (1994) to
    ATA-7 (in draft)
  • ATA disks require a controller (channel) built
    into the motherboard.
  • Controller controls one or two disks.
  • Master and slave disk.
  • Typical motherboard has two channels with up to
    two disks / devices.

11
Interfaces
  • SATA (Serial ATA) as opposed to PATA
  • uses Advanced Host Controller Interface (AHCI)
  • supported by Vista, Linux, but not XP
  • often implemented in conjunction with Serial
    Attached SCSI (SAS)
  • look like PATA at the application level but
    completely non-interchangeable at the device level

7 pin SATA data cable
15 pin SATA power cable
12
Interfaces
  • Addressing
  • Distinguish
  • Physical addresses (low level format) and
  • Logical addresses (changed by normal formatting /
    repartitioning)
  • Physical addresses
  • Cylinder Head Sector proved too limiting
  • 10b cylinder, 4b head, 6b sector
  • 16b cylinder, 4b head, 6b sector
  • LBA (Logical Block Addresses)
  • In older systems, the BIOS might have to do
    address translation.
  • This causes an FE (forensic examiner) headache if
    disks are mounted on other systems.
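
Added example (not part of the original slides): CHS-to-LBA arithmetic showing why a geometry mismatch between systems misplaces data. The field widths come from the slide; the two geometries (255 and 16 heads, 63 sectors per track) and the CHS triple are constructed sample values.

```python
SECTOR_SIZE = 512  # bytes of client data per sector


def chs_capacity(cyl_bits, head_bits, sector_bits):
    """Bytes addressable with the given field widths (sectors count from 1)."""
    sectors_per_track = (1 << sector_bits) - 1   # sector number 0 is unused
    return (1 << cyl_bits) * (1 << head_bits) * sectors_per_track * SECTOR_SIZE


def chs_to_lba(c, h, s, heads, spt):
    """LBA = (C * heads + H) * sectors_per_track + (S - 1)."""
    if c < 0 or not 0 <= h < heads or not 1 <= s <= spt:
        raise ValueError(f"CHS {c}/{h}/{s} invalid for geometry {heads}x{spt}")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, heads * spt)
    h, s0 = divmod(rem, spt)
    return c, h, s0 + 1


def translation_error(chs, written_geom, reader_geom):
    """Sectors by which a reader assuming the wrong geometry misses the data."""
    true_lba = chs_to_lba(*chs, *written_geom)
    seen_lba = chs_to_lba(*chs, *reader_geom)
    return seen_lba - true_lba


if __name__ == "__main__":
    print("10b/4b/6b limit:", chs_capacity(10, 4, 6), "bytes")
    print("16b/4b/6b limit:", chs_capacity(16, 4, 6), "bytes")
    # Constructed case: a CHS value recorded under a translated 255x63
    # geometry, then interpreted on a system that assumes 16x63.
    chs = (100, 5, 1)
    print("true LBA:", chs_to_lba(*chs, 255, 63))
    print("offset when misread:", translation_error(chs, (255, 63), (16, 63)))
    print("same sector in 16x63 terms:", lba_to_chs(1606815, 16, 63))
```

When an image or disk is examined on another system, working in LBA and recording the geometry the original system reported avoids this offset.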

13
Interfaces
  • Terminology is difficult to understand.
  • http://www.pcguide.com/ref/hdd/if/ide
  • Removable media specifications in
  • AT Attachment Packet Interface (ATAPI)

14
Interfaces
  • Controller issues commands over the ribbon cable.
  • Single bit determines whether the master or the
    slave executes the command.
  • Controller writes to command register.
  • Disk responds by writing to status register.

15
Interfaces
  • Hard Drive Passwords
  • Established in ATA-3.
  • Set through BIOS or through software.
  • If implemented
  • User password
  • Master password (for organization)
  • High-security: both passwords unlock disk.
  • Maximum-security: master password only unlocks
    after disk drive has been wiped.

16
Interfaces
  • Hard Drive Passwords
  • Locked disk is usually visible to the OS.
  • Need SECURITY_UNLOCK with the correct password
    before most ATA commands are executed.
  • There are tools (hdunlock, atapwd) to unlock a
    drive
  • Used mainly to circumvent IP protection in game
    consoles (X-box)

17
Host Protected Area (HPA)
  • Appeared first in ATA-4
  • Used so that computer vendors could store data
    that a user cannot damage by formatting.
  • HPA can be used to hide data.
  • Ref: International Journal of Digital Evidence -
    Hidden Disk Areas: HPA and DCO

18
Host Protected Area (HPA)
  • Investigative Process
  • READ_NATIVE_MAX_ADDRESS returns number of
    physical sectors
  • IDENTIFY_DEVICE returns number of sectors that a
    user can access.
  • Difference shows existence and extent of HPA.
  • Creating HPA
  • SET_MAX_ADDRESS limits user access by cutting off
    the last sectors.
  • Rerunning it with the maximum physical address
    unlocks the HPA.
  • A volatility bit determines whether the HPA exists
    after the disk is shut down and restarted.
  • This can be used to temporarily unlock an HPA.
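
Added example (not part of the original slides): the investigative comparison above, applied to a raw 512-byte IDENTIFY DEVICE block and a READ NATIVE MAX ADDRESS result that the examiner has already captured. The function names and the sample drive sizes are constructed for illustration. The command returns the highest LBA, so the native sector count is that value plus one.

```python
import struct

SECTOR = 512  # bytes of client data per sector


def user_sectors(identify: bytes) -> int:
    """User-addressable sector count from IDENTIFY DEVICE data."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data is 256 little-endian words")
    w = struct.unpack("<256H", identify)
    if w[83] & (1 << 10):                        # 48-bit addressing supported
        return w[100] | w[101] << 16 | w[102] << 32 | w[103] << 48
    return w[60] | w[61] << 16                   # 28-bit LBA sector count


def hpa_report(identify: bytes, native_max_lba: int) -> dict:
    """Compare the user-visible size with the native size of the drive."""
    w = struct.unpack("<256H", identify)
    visible = user_sectors(identify)
    native = native_max_lba + 1                  # highest LBA -> sector count
    if visible > native:
        raise ValueError("visible size exceeds native size: inputs mismatched")
    hidden = native - visible
    return {
        "hpa_supported": bool(w[82] & (1 << 10)),  # HPA feature set bit
        "hpa_present": hidden > 0,
        "first_hidden_lba": visible if hidden else None,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR,
    }


def make_identify(sectors: int) -> bytes:
    """Constructed sample: minimal IDENTIFY block for a 48-bit LBA drive."""
    w = [0] * 256
    w[82] = 1 << 10                              # HPA feature set supported
    w[83] = (1 << 14) | (1 << 10)                # word valid, 48-bit supported
    lba28 = min(sectors, 0x0FFFFFFF)             # 28-bit field saturates
    w[60], w[61] = lba28 & 0xFFFF, lba28 >> 16
    for i in range(4):
        w[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *w)


if __name__ == "__main__":
    # Constructed drive: 976773168 native sectors, last 2097152 hidden.
    print(hpa_report(make_identify(976773168 - 2097152), 976773167))
```

A result of zero hidden sectors does not rule out a DCO, which lowers the native maximum itself.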

19
DCO: Device Configuration Overlay
  • ATA-6
  • Limits the apparent maximum number of physical
    sectors.
  • Use the DEVICE_CONFIGURATION_SET / RESET ATA
    commands.

20
Interface
  • PATA vs. SATA
  • SATA has speed advantage and also smaller cable.
  • PATA has a max burst speed of only 133MB/sec.
    SATA I has speeds of about 150MB/sec, not much
    faster, but SATA II has speeds of close to
    300MB/sec.
  • No tiny jumpers.  SATA has no master/slave
    configuration.
  • SATA cables can also reach up to one meter
    (3ft.), which gives builders a lot more freedom
    for cable management and drive placement.