COEN 252 Computer Forensics
Hard Drive Geometry
Drive Geometry
Basic Definitions: Track, Sector
Floppy
Hard Drive Geometry: Cylinder
A cylinder is formed by the tracks on all the platters with the actuator in a fixed position.
(Due to different temperatures and hence different arm lengths, it is impossible to read and write in parallel.)
Hard Drive Geometry: Writing and Reading on a Track
Hard Drive Geometry
Data is stored in the form of a magnetization pattern.
Complete Disk
IBM Ultrastar Z
Sectors
Complete sectors are written and read.
A sector consists of:
  Inter-sector gap
  ID information (including defective mark) (no longer used in modern drives)
  Synchronization fields
  Client data (512 B)
  ECC
  Inter-sector gap
Formatting
Low-level format:
  Creates “data structures” for tracks and sectors.
  Defective sectors and regions are remapped.
  There is no direct access to the disk layout.
  This is not the usual formatting.
Interfaces
Disks are getting smarter:
  In the history of disk drives, control functions moved to the disk.
  Disks use a Logical Sector or Cylinder-Head-Sector addressing interface.
SCSI: Small Computer Systems Interface
  Block device (Logical Sector)
  SCSI 1, 2, 3 standards implement a generic command language.
ATA (AT Attachment): PATA, SATA
Interfaces
ATA / IDE (Integrated Disk Electronics)
  Specified as a family of standards, ATA-1 (1994) to ATA-7 (in draft).
  ATA disks require a controller (“channel”) built into the motherboard.
  A controller controls one or two disks: master and slave disk.
  A typical motherboard has two channels with up to two disks / devices.
Interfaces
SATA (Serial ATA), as opposed to PATA:
  uses Advanced Host Controller Interface (AHCI)
  supported by Vista, Linux, but not XP
  often implemented in conjunction with Serial Attached SCSI (SAS)
  looks like PATA at the application level but is completely non-interchangeable at the device level
7-pin SATA data cable
15-pin SATA power cable
Interfaces: Addressing
Distinguish:
  Physical addresses (low-level format), and
  Logical addresses (changed by normal formatting / repartitioning)
Physical addresses
  Cylinder-Head-Sector proved too limiting:
    10b cylinder, 4b head, 6b sector
    16b cylinder, 4b head, 6b sector
  LBA (Logical Block Addresses)
In older systems, the BIOS might have to do address translation.
  This causes an FE (forensic examiner) headache if disks are mounted on other systems.
Interfaces
Terminology is difficult to understand.
http://www.pcguide.com/ref/hdd/if/ide
Removable media specifications in AT Attachment Packet Interface (ATAPI)
Interfaces
The controller issues commands over the ribbon cable.
  A single bit determines whether the master or the slave executes the command.
  The controller writes to the command register.
  The disk responds by writing to the status register.
Interfaces: Hard Drive Passwords
Established in ATA-3.
Set through BIOS or through software.
If implemented:
  User password
  Master password (for organization)
  High-security: both passwords unlock disk.
  Maximum-security: master password only unlocks after disk drive has been wiped.
Interfaces: Hard Drive Passwords
A locked disk is usually visible to the OS.
  Need SECURITY_UNLOCK with the correct password before most ATA commands are executed.
There are tools (hdunlock, atapwd) to unlock a drive.
  Used mainly to circumvent IP protection in game consoles (Xbox)
Host Protected Area: HPA
Appeared first in ATA-4.
Used so that computer vendors could store data that a user cannot damage by formatting.
HPA can be used to hide data.
Host Protected Area: HPA
Investigative Process
  READ_NATIVE_MAX_ADDRESS returns number of physical sectors.
  IDENTIFY_DEVICE returns number of sectors that a user can access.
  The difference shows the existence and extent of an HPA.
Creating HPA
  SET_MAX_ADDRESS limits user access to last sectors.
  Rerunning it with the maximum physical address unlocks the HPA.
  Volatility bit determines whether the HPA exists after the disk is shut down and restarted.
  This can be used to temporarily unlock an HPA.
DCO: Device Configuration Overlay
ATA-6
Limits the apparent maximum number of physical sectors.
Use the DEVICE_CONFIGURATION_SET / RESET ATA commands.
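The HPA and DCO checks above, worked through as an added example (not part of the original slides): it parses a raw IDENTIFY_DEVICE block and maps the regions a user-area image would miss. It assumes the ATA convention that IDENTIFY_DEVICE reports a sector count while READ_NATIVE_MAX_ADDRESS reports the address of the last sector; the function names and the sample drive sizes are constructed for illustration.

```python
import struct

def user_sectors(identify: bytes) -> int:
    """User-addressable sector COUNT from a raw 512-byte IDENTIFY_DEVICE block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY_DEVICE data is 256 little-endian 16-bit words")
    w = struct.unpack("<256H", identify)
    if w[83] & (1 << 10):  # word 83 bit 10: 48-bit Address feature set supported
        lba48 = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
        if lba48:
            return lba48
    return w[60] | (w[61] << 16)  # words 60-61: 28-bit addressable sector count

def hidden_areas(identify: bytes, native_max_lba: int, dco_max_lba=None) -> dict:
    """Map user, HPA and DCO regions as inclusive (first_lba, last_lba) ranges.

    native_max_lba: value from READ_NATIVE_MAX_ADDRESS (a last address, not a count).
    dco_max_lba:    maximum LBA from DEVICE CONFIGURATION IDENTIFY, if it was queried.
    """
    count = user_sectors(identify)
    if native_max_lba < count - 1:
        raise ValueError("native max address below user area: inputs are inconsistent")
    areas = {"user": (0, count - 1), "hpa": None, "dco": None}
    if native_max_lba > count - 1:  # count N vs last address N-1 means no HPA
        areas["hpa"] = (count, native_max_lba)
    if dco_max_lba is not None and dco_max_lba > native_max_lba:
        areas["dco"] = (native_max_lba + 1, dco_max_lba)
    return areas

def constructed_identify(sectors: int) -> bytes:
    """Build a constructed IDENTIFY block (sample data, not from a real drive)."""
    w = [0] * 256
    lba28 = min(sectors, 0x0FFFFFFF)  # 28-bit field saturates on large drives
    w[60], w[61] = lba28 & 0xFFFF, lba28 >> 16
    w[83] = 1 << 10
    for i in range(4):
        w[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *w)

if __name__ == "__main__":
    ident = constructed_identify(1_000_000)
    print(hidden_areas(ident, 1_048_575, 1_050_623))  # HPA and DCO both present
    print(hidden_areas(ident, 999_999))               # neither present
```

An acquisition is complete only when the imaged range ends at the highest address reported, so record all three values in the case notes before imaging.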
Interface
PATA vs. SATA
SATA has a speed advantage and also a smaller cable.