(PowerPoint PPT presentation, uploaded by rodd)
Files & Partitions
BACS 371 Computer Forensics

Data Hierarchy (largest to smallest)
• Computer
• Hard Disk Drive
• Partition
• File (Physical File / Logical File)
• Cluster
• Sector
• Word
• Byte
• Bit

File
• Collection of information written to a disk
• Generally created in an application-specific format
• Occupies a fixed number of clusters
• Each of the file’s clusters has a pointer to the next cluster in the file
• The final cluster contains the End of File (EOF) marker (hex FFFF)

Files
• Logical File Size: exact size of the contents of the file, in bytes
• Physical File Size: amount of space the file occupies on disk, in bytes
• File Slack: unused space between the logical end of the file and the physical end of the cluster
  • Two types: RAM slack and disk slack

<-- Logical File Size --><-- File Slack -->
<---------- Physical File Size ---------->

File Slack Example
Assumptions:
• Sector size = 512 bytes
• Cluster size = 4 KB = 8 sectors
File contents: “Hello world!” = 12 bytes
[Figure: one 8-sector cluster; the 12 bytes sit at the start of the 1st sector, the rest of the 1st sector is RAM slack, and the 2nd through 8th sectors are disk slack]
RAM slack: 512 bytes - 12 bytes = 500 bytes
Disk slack: 4096 bytes - 512 bytes = 3584 bytes (7 sectors)
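The slack arithmetic above generalises to any file size once you separate the partly filled last sector (RAM slack) from the whole unused sectors of the last cluster (disk slack). The following is an added example, not code from the slides; the function name `file_slack` and the convention that a 0-byte file occupies no cluster are assumptions of this example.

```python
def ceil_div(a, b):
    """Integer ceiling division without floating point."""
    return -(-a // b)


def file_slack(logical_size, sector_size=512, cluster_size=4096):
    """Return the physical size, RAM slack and disk slack of a file.

    Assumptions (as on the slide): a file occupies whole clusters, a cluster
    is a whole number of sectors, and a 0-byte file occupies no cluster.
    """
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of sector size")
    clusters = ceil_div(logical_size, cluster_size)
    physical_size = clusters * cluster_size
    # Sectors that actually hold file data; the last one may be partly filled.
    sectors_used = ceil_div(logical_size, sector_size)
    # RAM slack: the unused tail of the last data sector.
    ram_slack = sectors_used * sector_size - logical_size
    # Disk slack: whole sectors of the last cluster that hold no file data.
    disk_slack = physical_size - sectors_used * sector_size
    return {
        "logical_size": logical_size,
        "physical_size": physical_size,
        "clusters": clusters,
        "ram_slack": ram_slack,
        "disk_slack": disk_slack,
        "disk_slack_sectors": disk_slack // sector_size,
    }


if __name__ == "__main__":
    # The slide's example ("Hello world!" = 12 bytes) plus the boundary cases
    # an examiner should expect: exactly one sector, one sector plus a byte,
    # exactly one cluster, one cluster plus a byte.
    for size in (12, 512, 513, 4096, 4097):
        print(size, file_slack(size))
```

The boundary cases matter in practice: a file whose size is an exact multiple of the sector size has no RAM slack, and a file that exactly fills its clusters has no slack at all, so slack-space carving on such files yields nothing.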

Partitions
• A partition is a logical volume within a physical volume (i.e., a disk).
• The Master Boot Record (MBR) of a disk defines the partitions found on the physical disk.
• An MBR can define at most 4 primary partitions.
• These partitions can be defined as “logical partitions.” Logical partitions are capable of being further subdivided into smaller “extended” logical partitions.

MBR and Partitions
[Figure: a physical disk laid out as the MBR (1 sector), Partition 0, Partition 1 (each partition a logical volume), then unallocated space]
There can be up to 4 primary partitions defined in the master boot record (MBR).

Master Boot Record (MBR)
• Executable code
  • Machine language code
  • Processor specific
  • Decodes the partition table
  • 446 bytes long
• Partition table
  • 4 entries
  • First entry starts at offset 446₁₀
• MBR “signature”
  • 0x55AA

Decoding a Partition Table Entry
• Entry #3, starting at offset 478₁₀ (each entry is 16 bytes)
• Bootable?
  • Offset 0
  • Value 0x80 means bootable
• Starting Head
  • Offset 1
  • 1 byte
  • 0x00 = starting head 0
• Starting Sector
  • Offset 2
  • 6 bits (use the 6 LSBs)
  • Decode as bits
  • 0xC1 = 1100|0001
  • 6 LSBs = 000001 = sector #1
• Starting Cylinder
  • Offset 3
  • 10 bits (the remaining 2 bits of the sector byte are the upper 2 bits)
  • Decode as bits
  • 0xFF = 1111|1111
  • 10 bits = 11|1111|1111 = 0x3FF = cylinder #1023
• File System Type
  • Offset 4
  • Decode as table entry
  • 0x0C = Win95 FAT32 (LBA)
• Ending Head
  • Offset 5
• Ending Sector
  • Offset 6
• Ending Cylinder
  • Offset 7
• Relative Sectors (start of partition)
  • Offset 8
  • 4 bytes
  • Decode as number (swap byte order)
  • 0x1D0D9045 = 487,428,165
  • Number of sectors from the start of the drive to the start of this partition
• Number of Sectors
  • Offset 12
  • 4 bytes
  • Decode as number (swap byte order)
  • 0x000E37BA = 931,770
  • Number of sectors in this partition
  • 477,066,240 bytes (×512)
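The decode procedure above, carried out in code: validate the 0x55AA signature, walk the four 16-byte entries from offset 446, unpack each as little-endian (the “swap” step), and split the packed CHS bytes into cylinder, head and sector. This is an added example, not code from the slides. The sample MBR is constructed here: entry #3 carries the slide’s values, the boot-code area is zeroed, and the ending CHS bytes FE FF FF are an assumption (the slide gives no ending values); `parse_mbr`, `parse_partition_entry` and `decode_chs` are names chosen for this example.

```python
import struct
from collections import namedtuple

PartitionEntry = namedtuple(
    "PartitionEntry",
    "index bootable start_chs ptype end_chs relative_sectors num_sectors size_bytes",
)

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446  # first of the four 16-byte entries
MBR_SIGNATURE = b"\x55\xAA"   # last two bytes of the sector


def decode_chs(head, sector_byte, cyl_low):
    """Decode the packed 3-byte CHS address of a partition entry.

    sector_byte: low 6 bits = sector number, high 2 bits = bits 8-9 of the
    cylinder. cyl_low: low 8 bits of the cylinder. Returns (cyl, head, sec).
    """
    sector = sector_byte & 0x3F
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return (cylinder, head, sector)


def parse_partition_entry(raw, index):
    """Decode one 16-byte entry; the two 4-byte counts are little-endian."""
    if len(raw) != 16:
        raise ValueError("partition entry must be 16 bytes")
    (flag, s_head, s_sec, s_cyl, ptype, e_head, e_sec, e_cyl,
     rel, num) = struct.unpack("<8BII", raw)
    return PartitionEntry(
        index=index,
        bootable=(flag == 0x80),
        start_chs=decode_chs(s_head, s_sec, s_cyl),
        ptype=ptype,
        end_chs=decode_chs(e_head, e_sec, e_cyl),
        relative_sectors=rel,
        num_sectors=num,
        size_bytes=num * SECTOR_SIZE,
    )


def parse_mbr(sector):
    """Check the 0x55AA signature and return the non-empty table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature; not a valid MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        raw = sector[off:off + 16]
        if raw == b"\x00" * 16:
            continue  # unused slot
        entries.append(parse_partition_entry(raw, i))
    return entries


# Constructed sample: entry #3 (offset 478) populated with the slide's values.
ENTRY_3 = bytes([
    0x80,                    # bootable
    0x00, 0xC1, 0xFF,        # start CHS: head 0, sector 1, cylinder 1023
    0x0C,                    # Win95 FAT32 (LBA)
    0xFE, 0xFF, 0xFF,        # end CHS (assumed: head 254, sector 63, cyl 1023)
    0x45, 0x90, 0x0D, 0x1D,  # relative sectors 0x1D0D9045, stored little-endian
    0xBA, 0x37, 0x0E, 0x00,  # number of sectors 0x000E37BA, stored little-endian
])
_mbr = bytearray(SECTOR_SIZE)  # boot code area left as zeros
_mbr[478:494] = ENTRY_3
_mbr[510:512] = MBR_SIGNATURE
SAMPLE_MBR = bytes(_mbr)

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(e)
```

Two checks an examiner would add before trusting the output: that `relative_sectors + num_sectors` does not exceed the image size in sectors, and that no two entries overlap, since either condition points at a damaged or deliberately altered table.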

Partition Layout
Figure: http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

Extended Partition Layout
Figure: http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

Extended Boot Record
[Figure: extended boot record; its partition table starts at offset 446₁₀, as in the MBR]
• The 4th partition is an extended partition

Secondary Extended Boot Record
[Figure: secondary extended boot record; partition table again at offset 446₁₀]

Partition Boot Record (AKA File System Boot Sector)
• Within each partition that has a file system, a partition boot record is found.
• It defines the details of the file system located in the partition.
• It is 1 sector long and is the first physical sector in a logical volume.
  • C 0, H 1, S 1 for the first partition.
  • First sector (plus the partition offset) in subsequent partitions.
• Contains:
  • Code
  • File system specification information (the BIOS Parameter Block)

Partition Boot Record (PBR)
• Executable code
  • Machine language code
  • Processor specific
  • Decodes the BPB
  • Searches for the OS
• BIOS Parameter Block
• PBR “signature”
  • 0x55AA

Partition Boot Record (offsets in decimal)
Offset 0–2      Jump instruction (3 bytes)
Offset 3–10     OEM ID (8 bytes)
Offset 11–83    BIOS Parameter Block (BPB); includes all of the fields below plus additional fields
                (all offsets in this section are from the start of the BPB, counting from 0)
  offset 11     Bytes per sector      2 bytes
  offset 13     Sectors per cluster   1 byte
  offset 21     Media descriptor      1 byte
  offset 24     Sectors per track     2 bytes
  offset 26     Number of heads       2 bytes
  offset 28     Hidden sectors        4 bytes
  offset 32     Total sectors         4 bytes
Offset 62–511   Bootstrap code (448 bytes); ends with 55 AA
NOTE: Offsets are from the start of the partition, not the start of the drive!

Decoding a Partition Boot Record (BIOS Parameter Block – BPB)
• Jump Instruction
  • Offset 0₁₀
  • 3 bytes
• OEM Name
  • Offset 3₁₀
  • 8 bytes
  • Decode as ASCII
  • “MSDOS5.0”
• Bytes Per Sector
  • Offset 11₁₀
  • 2 bytes
  • Decode as number (swap “endian”)
  • 0x0200 = 512
• Sectors Per Cluster
  • Offset 13₁₀
  • 1 byte
  • Decode as number
  • 0x08 = 8
  • 8 × 512 = 4096 bytes/cluster
• Media Type
  • Offset 21₁₀
  • 1 byte
  • Decode from table
  • 0xF8 means hard disk
• Sectors per Track
  • Offset 24₁₀
  • 2 bytes
  • Decode as number (swap “endian”)
  • 0x003F = 63
• Heads
  • Offset 26₁₀
  • 2 bytes
  • Decode as number (swap “endian”)
  • 0x00FF = 255
• Total Sectors
  • Offset 32₁₀
  • 4 bytes
  • Decode as number (swap “endian”)
  • 0x000E37BA = 931,770
  • 477,066,240 bytes (×512)
• FAT Size (sectors)
  • Offset 36₁₀
  • 4 bytes
  • Decode as number (swap “endian”)
  • 0x0000038D = 909
  • 465,408 bytes (×512)
  • 58,176 entries (÷4)
  • 238,288,896 bytes addressed (×4096)
• File System Type
  • Offset 82₁₀
  • 8 bytes
  • Decode as ASCII
  • “FAT32   ”

Partition Boot Sector Decoded
[Figure: the decoded partition boot sector]
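The BPB decode above as a parser, together with the sanity checks a forensic tool performs before trusting a boot sector. This is an added example, not code from the slides. The boot sector is constructed here from the slide’s values; the jump bytes EB 58 90 and the hidden-sector count (set to the partition’s relative-sector offset, 487,428,165) are assumptions, since the slide gives neither, and `parse_fat32_boot_sector` and `build_sample_boot_sector` are names chosen for this example. The FAT arithmetic is carried through as well: 909 sectors × 512 = 465,408 bytes, and at 4 bytes per FAT32 entry that is 116,352 entries, addressing 116,352 × 4,096 = 476,577,792 bytes, which lines up with the 477,066,240-byte partition (the slide’s 58,176 corresponds to dividing by 8 rather than 4).

```python
import struct

SECTOR_SIZE = 512
FAT32_ENTRY_SIZE = 4  # each FAT32 table entry is 4 bytes


def parse_fat32_boot_sector(sector):
    """Decode the BPB fields listed on the slides from a FAT32 boot sector.

    Offsets are from the start of the sector (= start of the partition),
    counting from 0; multi-byte numbers are little-endian ("swap endian").
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature")
    bps, spc = struct.unpack_from("<HB", sector, 11)
    media = sector[21]
    spt, heads, hidden, total = struct.unpack_from("<HHII", sector, 24)
    (fat_size,) = struct.unpack_from("<I", sector, 36)
    # Sanity checks before the numbers are used for anything else: a bogus
    # sector or cluster size is a sign of corruption or tampering.
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible BPB geometry: %d bytes/sector, "
                         "%d sectors/cluster" % (bps, spc))
    info = {
        "jump": sector[0:3].hex(),
        "oem_name": sector[3:11].decode("ascii", errors="replace"),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": bps * spc,
        "media_type": media,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "partition_bytes": total * bps,
        "fat_size_sectors": fat_size,
        "fat_size_bytes": fat_size * bps,
        "fs_type": sector[82:90].decode("ascii", errors="replace"),
    }
    info["fat_entries"] = info["fat_size_bytes"] // FAT32_ENTRY_SIZE
    info["bytes_addressable"] = info["fat_entries"] * info["cluster_size"]
    return info


def build_sample_boot_sector():
    """Constructed FAT32 boot sector carrying the slide's values.

    Jump bytes and hidden sectors are assumptions; the rest is from the slides.
    """
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x58\x90"          # assumed jump instruction
    sec[3:11] = b"MSDOS5.0"             # OEM name
    struct.pack_into("<HB", sec, 11, 512, 8)   # bytes/sector, sectors/cluster
    struct.pack_into("<B", sec, 21, 0xF8)      # media type: hard disk
    struct.pack_into("<HHII", sec, 24,
                     63, 255,           # sectors per track, heads
                     487428165,         # hidden sectors (assumed = partition offset)
                     931770)            # total sectors
    struct.pack_into("<I", sec, 36, 909)       # FAT size in sectors
    sec[82:90] = b"FAT32   "            # file system type
    sec[510:512] = b"\x55\xAA"          # signature
    return bytes(sec)


if __name__ == "__main__":
    sec = build_sample_boot_sector()
    # The raw bytes at offset 11 read 00 02 on disk: little-endian 0x0200.
    print("bytes per sector on disk:", sec[11:13].hex())
    for k, v in parse_fat32_boot_sector(sec).items():
        print("%-18s %r" % (k, v))
```

The `pack_into` calls in the builder mirror the `unpack_from` calls in the parser, so the on-disk byte order is handled by `struct` on both sides; printing `sec[11:13].hex()` shows the byte swap the slides describe.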

Summary
• Physical disks can be subdivided into logical volumes (partitions).
• Each physical disk has a single MBR (1st sector) that defines the primary and extended logical partitions.
• There can be up to 4 partitions defined in the MBR.
• One or more of these can be defined as extended partitions, which can be further subdivided.
• Each logical partition has a partition boot record (1st sector) that defines the structure within that partition.
• The BIOS Parameter Block of the partition defines the characteristics of the file system.