coen 252 computer forensics hard drive geometry. drive geometry basic definitions: track sector...

Post on 29-Mar-2015


COEN 252 Computer Forensics

Hard Drive Geometry

Drive Geometry

Basic Definitions: Track, Sector

Floppy

Hard Drive Geometry: Cylinder

A cylinder is formed by the tracks on all the platters with the actuator in a fixed position.

(Because of different temperatures, and hence different arm lengths, it is impossible to read and write in parallel.)

Hard Drive Geometry: Writing and Reading on a Track

Hard Drive Geometry

Data is stored in the form of a magnetization pattern.

Complete Disk

IBM Ultrastar Z

Sectors

Complete sectors are written and read.

A sector consists of:
  Inter-sector gap
  ID information (including defective mark) (no longer used in modern drives)
  Synchronization fields
  Client data (512 B)
  ECC
  Inter-sector gap

Formatting

Low-level format:
  Creates “data structures” for tracks and sectors.
  Defective sectors and regions are remapped.
  There is no direct access to the disk layout.
  This is not the usual formatting.

Interfaces

Disks are getting smarter: over the history of disk drives, control functions moved to the disk.

Disks use a Logical Sector or Cylinder-Head-Sector addressing interface.

SCSI: Small Computer Systems Interface
  Block device (Logical Sector)
  SCSI 1, 2, 3 standards implement a generic command language

ATA (AT Attachment): PATA, SATA

Interfaces

ATA / IDE (Integrated Disk Electronics)
  Specified as a family of standards, ATA-1 (1994) to ATA-7 (in draft).
  ATA disks require a controller (“channel”) built into the motherboard.
  A controller controls one or two disks: master and slave disk.
  A typical motherboard has two channels with up to two disks / devices.

Interfaces

SATA (Serial ATA), as opposed to PATA:
  Uses the Advanced Host Controller Interface (AHCI)
    Supported by Vista, Linux, but not XP
  Often implemented in conjunction with Serial Attached SCSI (SAS)
  Looks like PATA at the application level but is completely non-interchangeable at the device level
  7-pin SATA data cable
  15-pin SATA power cable

Interfaces: Addressing

Distinguish:
  Physical addresses (low-level format)
  Logical addresses (changed by normal formatting / repartitioning)

Physical addresses
  Cylinder-Head-Sector proved too limiting:
    10b cylinder, 4b head, 6b sector
    16b cylinder, 4b head, 6b sector
  LBA (Logical Block Addresses)

In older systems, the BIOS might have to do address translation.
  This causes an FE (forensic examiner) headache if disks are mounted on other systems.

Interfaces

Terminology is difficult to understand.
  http://www.pcguide.com/ref/hdd/if/ide

Removable media specifications are in the AT Attachment Packet Interface (ATAPI).

Interfaces

The controller issues commands over the ribbon cable.
  A single bit determines whether the master or the slave executes the command.
  The controller writes to the command register.
  The disk responds by writing to the status register.

Interfaces: Hard Drive Passwords

Established in ATA-3.
Set through BIOS or through software.
If implemented:
  User password
  Master password (for organization)
  High-security: both passwords unlock the disk.
  Maximum-security: master password only unlocks after the disk drive has been wiped.

Interfaces: Hard Drive Passwords

A locked disk is usually visible to the OS.
SECURITY_UNLOCK with the correct password is needed before most ATA commands are executed.
There are tools (hdunlock, atapwd) to unlock a drive.
  Used mainly to circumvent IP protection in game consoles (X-box).

Host Protected Area: HPA

Appeared first in ATA-4.
Used so that computer vendors could store data that a user cannot damage by formatting.
HPA can be used to hide data.

Host Protected Area: HPA

Investigative process
  READ_NATIVE_MAX_ADDRESS returns the number of physical sectors.
  IDENTIFY_DEVICE returns the number of sectors that a user can access.
  The difference shows the existence and extent of an HPA.

Creating an HPA
  SET_MAX_ADDRESS limits user access to the last sectors.
  Rerunning it with the maximum physical address unlocks the HPA.
  A volatility bit determines whether the HPA exists after the disk is shut down and restarted.
  This can be used to temporarily unlock an HPA.
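
The comparison in the investigative process above, as an added example that is not part of the original slides: it parses a raw 512-byte IDENTIFY DEVICE response and compares it with the value returned by READ NATIVE MAX ADDRESS to report the hidden range an examiner must still image. Assumptions: the IDENTIFY DEVICE word offsets (60-61, 82, 83, 100-103) are taken from the ATA specification rather than from the slides, the native max value is treated as the last addressable LBA (so the sector count is that value plus one), and all function names and sample values are constructed for illustration.

```python
import struct

SECTOR_BYTES = 512  # client data per sector, as on the Sectors slide

def user_sectors(identify: bytes) -> int:
    """Sectors the host may address, from a 512-byte IDENTIFY DEVICE response."""
    if len(identify) != 512:
        raise ValueError("expected 256 little-endian 16-bit words")
    w = struct.unpack("<256H", identify)
    if w[83] & 0x0400:  # word 83 bit 10: 48-bit addressing supported
        return w[100] | w[101] << 16 | w[102] << 32 | w[103] << 48
    return w[60] | w[61] << 16  # words 60-61: 28-bit LBA sector count

def hpa_report(identify: bytes, native_max_lba: int) -> dict:
    """Compare IDENTIFY DEVICE with the READ NATIVE MAX ADDRESS result."""
    w = struct.unpack("<256H", identify)
    visible = user_sectors(identify)
    physical = native_max_lba + 1  # assumption: value is the last LBA, not a count
    hidden = physical - visible
    if hidden < 0:
        raise ValueError("native max below user-visible size; inputs inconsistent")
    return {
        "hpa_feature_supported": bool(w[82] & 0x0400),  # word 82 bit 10
        "hpa_present": hidden > 0,
        "hidden_sectors": hidden,
        "first_hidden_lba": visible if hidden else None,
        "last_hidden_lba": native_max_lba if hidden else None,
        "hidden_bytes": hidden * SECTOR_BYTES,
    }

def make_identify(visible: int, lba48: bool = True) -> bytes:
    """Constructed sample data: only the words read above are filled in."""
    w = [0] * 256
    w[82] = 0x0400
    if lba48:
        w[83] = 0x4400  # bit 14 marks the word valid, bit 10 is 48-bit support
        w[100:104] = [(visible >> s) & 0xFFFF for s in (0, 16, 32, 48)]
    lba28 = min(visible, 0x0FFFFFFF)  # 28-bit field saturates on large drives
    w[60], w[61] = lba28 & 0xFFFF, lba28 >> 16
    return struct.pack("<256H", *w)

if __name__ == "__main__":
    # Constructed case: 976,773,168-sector drive with the last 204,800 sectors hidden.
    print(hpa_report(make_identify(976_568_368), native_max_lba=976_773_167))
```

A non-zero `hidden_sectors` means an image taken through the normal user-visible range stops short of the physical end of the disk; a DCO can reduce the native max value itself, so a zero result does not rule out a DCO.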

DCO: Device Configuration Overlay

ATA-6
Limits the apparent maximum number of physical sectors.
Use the DEVICE_CONFIGURATION_SET / RESET ATA commands.

Interface

PATA vs. SATA
  SATA has a speed advantage and also a smaller cable.
