Book Two- Chapter One-File Systems & Hard Disks Flashcards
Explain the difference between fixed and removable disk drives, and give at least one example of each.
A disk drive is a mechanism that reads data from a disk and writes data onto a disk. The disk in the disk drive rotates at very high speeds, and head in the disk drive are used to read and write data.
Disk drives are catagorized into the following types:
Fixed: These are drives like hard disks, which use media that are not removable.
-OR-
Removable: These are drives that use media that are removable.
Examples of removable storage devices:
Floppy disk: Type of drive uses media that are portable magnetic disks on which data and programs can be stored. Floppy disks- Disks that are made of either flexible or rigid plastic material. The storage capacity of a floppy disk varies but typically floppies can hold very little.
CD-ROM: This type of drive uses optical discs. These discs are sturdier than floppy disks, and they can hold more data. Lasers are used to write data to the disc and reat data from it. Although CD-ROM discs can only be written to once, other varieties of this optical format can be written to multiple times.
DVD: DVD is an acronym for digital versatile disc. It is type of optical disc that holds far more information than a CD-ROM. A DVD can hold a minimum of 4.7 GB of data to a max of 17 GB.
Zip disk: Zip disks are used to hold data that requires more storage than a floppy disk can provide. Zip disks are used to back up disks and larger documents. Like floppy disks, zip disks can be written to multiple times.
Explain zoned bit recording:
AKA multiple zone reccording: in this technique, tracks are combined together into zones, depending on their distance from the center of the disk. Each zone is assigned a number of sectors per track.
There are 3 types of data densities on a hard disk:
Track density: Space between tracks on a disk
Area density: Number of bits per square inch on a platter
Bit density: The bits per unit length of track
Explain types of hard disk interfaces:
SCSI- Small computer system interface (SCSI): Allows a user to connect 15 peripheral devices (hard drives, CD ROM drives, and scanners) to one (slot) PCI board known as a SCSI host adapter, which is plugged into the motherboard. SCSI’s almost obsolete, the ones in use are parallel interfaces. Supports high-speed data transfers. the Ultra-2 SCSI for a 16-bit us can trasfer data up to 80 Mbps. SCSI’s are supported by Linux, Mac OS, and Windows.
IDE/EIDE- Integrated drive electronics/enhanced IDE (IDE/EIDE): Connects hard disk drives, optical disc drives, and tape drives to personal computers. With this type of interface, the drive controller is built into the drive itself. Standard electronic interface used between a computer motherboard’s data paths or bus and the computer’s disk storage devices. IDE interface is based upon IBM’s PC Industy Standard Archetecture (ISA) 16- bit standard, but it is also used in computers that use other bus standards. Most computers today use either an enhanced version of IDE called enhanced integrated drive electronics (EIDE) or serial ATA (SATA). IDE drives are connected to PC’s with the help of IDE host adapter cards. In today’s computers, the IDE and SATA controllers are often built into motherboards.
2 types of IDE sockets are built into motherboards. Each socket connects 2 drives: 40-pin ribbon cables connect CD-ROM drives and older hard disks to computers, and 80-pin cables connect fast hard disks to computers. IDE drives are configured as master and slave. Jumper pins on the drive itself are used to set up the first drive on the cable as the master and the second one, if present as the slave.
*The DupliDisk PCI card provides fault tolerance for IDE drives. An IDE cable connects the card to the motherboard, and 2 other cables connect the card to primary and secondary drives. When the computer tries to write data to a drive, the DupliDisk card passes the command to both drives, In this way, the 2 drives contain the exact same information.
USB- Universal Serial Bus (USB): Connects peripheral devices such as hard disks, modems, printers, digitizers, and data gloves to a computer. Intel developed USB in 1995 with a max speed of 12 Mbps. Currently available USB supports data transfer speeds up to 480 Mbps. Some features of the USB are:
- Ease of use
- Expandability
- Speed for the end user
- High performance and ubiquity
- Easy connection of peripherals outside the PC
- Automatic configuration of devices by most operating systems
- Usefulness in PC telephony and videoconferencing
-ATA- Advance technology attachment (ATA): This type of interface comes in 2 forms:
-Serial ATA (SATA): This provides a point-to-point channel between the motherboard and the drive. SATA cables are shorter in length when compared to PATA cables with a max length of one meter. The cables consist of four wires and are shielded. SATA connectors are smaller in size when compared to PATA connectors.
Some of the features of SATA:
*Fast operating speed
*Upgradable storage devices
*Ease of configuration
*Original transfer speeds of 1.5 Gbits/second, with newer systems supporting 3 Gbits/second and 6 Gbits/second of transfer speed
*Low cost when compared to other systems
- Parallel ATA: This provides a communications channel between the drive and the computer on which data can travel only one way at a time. Provides a controller on the disk drive itself and thereby eliminates the need for a separate adapter card. Some of the features of PATA are:
- Low relative cost
- Ease of configuration
- Look-ahead caching
Fiber Channel: A point-to-point bidirectional serial interface that supports up to 1.0625 Gbps transfer rates. The ANSI American National Standards Institute developed this interface. Some of the features of Fiber Channel are:
*Low Costs
Support of higher data transfer rates between workstations, mainframes, supercomputers, desktop computers, storage devices, displays, and other peripherals.
The protocols that support Fiber Channel:
- SCSI
- IP
- ATM
- HIPPI
- IEEE 802.2
This interface comes in 2 forms:
-Fiber Channel electrical interface: This uses ECL (emitter-coupled logic) signaling levels over an unbalanced 75 W or balanced 150 W line.
-Fiber Channel optical interface: This uses a long-wave laser light source that can carry data a 1 Gbps over a distance of up to 10 km. It uses a long-wave laser (LL), a short-wave laser (SL), and a light-emitting diode (LED).
LL: 1300 nm
SL: 780 nm
LED: 1300 nm
*Most popular is SATA, IDE is expensive and has been completely superseded by SATA. SCSI is almost obsolete, but an understanding of each system is necessary for the forensic investigator.
Hard disks Characteristics:
Data is organized on a hard disk in a method similar to that of a filing cabinet. The user can easily access the data and programs.
When a computer uses a program or data, the program or data is copied from its location to a temporary location. When a user makes changes to a file, the computer saves tha file by replacing the older file with the new file. Data are recorded magnetically onto a hard disk. A repidly spinning platter is used as the recording medium. Heads just above the surgace of the platter are used to read data from and write data to the platter. A standard interface connects a hard disk to a computer. Two common interfaces are IDE and SCSI.
Characteristics: Some characteristics that people use to differentiate the various kands of hard sisks include:
- Capacity of the hard disk
- Interface used
- Speed in rotations per minute
- Seek time
- Access time
- Transfer time
Once damaged, a hard disk ususally cannot be repaired. When a disk fails, recovering data from it is possible only after installing a new hard disk and accessing the damaged disk as a secondary drive.
Physical make-up
A hard disk is a sealed unit containing a number of platters in a stack. It can be mounted in a horizontal or vertical position. Electromagnetic read/write heads are positioned above and below each platter. As the platters spin, the drie heads move in toward the center surface and out toard the edge. In this way, the drive heads reach the entire surface of every platter.
On every hard disk, data is stored in thin, concentric bands, called tracks. A drive head reads from or writes to a circular ring called a track. On a 3.5 inch hard disk, there could be a thousand tracks. Tracks consist of sectors, the smallest physical storage units on a hard disk. A sector is almost always 512 bytes (0.5 kilobyte) in size.
Describe the composition of a hard disk platter:
Disk platters are the round, flat, magnetic metal or ceramic disks in a hard disk that hold the actual data. They are made of 2 components: a substrate material and a magnetic media coating.
Substrate material- gives the platter structure and rigidity. The platters must be extremely smooth and flat, as they spin with the read/write head very close to them. The gap etween the heads and platters is minimized so that the heads can speedily read and write data. If the surface is uneven, a head crash can result. Previously, an alluminum alloy was used as the sustrate material. To lower the chance of an uneven surface, manufacturers now use glass, glass composites, and magnesium alloys.
Magnetic Media Coating- Platters are coated with magnetic media that holds the magnetic impulses that represent the data. They are coated with iron oxide or a cobalt alloy. These are inexpensive to use. Various techniques are used to deposit the media material on the patters. One of the techniques used is electroplating, in which the material is deposited on the platters using electrlysis. The other process is vapor deposition, in which a very thin magnetic layer is deposted on the surface using a technique called sputtering. Vapor deposition provides a more uniform coating and thus results in a flatter surface than electropating does. **The amt of data that can be stored on a given amt of a hard disk platter is called area density- AKA bit density.
Platter Organization: For the organized storage and retrieval of data, platters are divided into specific structures. Both sides of a platter can hold lare chunks of data that allow for easier and faster access to information. Each platter has 2 read/write heads, ten surfaces and ten total heads. Platters are further divided into tracks. Tracks are concentric circles that logically partition platters. Tracks are dividedd up into sectors.
Each sector is 512 bytes of information.
Platter Size: The size of the platters is one of the important factors in determining the structure of a hard disk. This is called the drive’s form factor. Hard disks are generally referred to by their size, such as a 5.25-inch or 3.5-inch hard disk. The platters in a particular disk are usually the same in diameter. For instance, the diameter of a platter in a 5.25 inch disk is usually 5.12 inches and the diameter of a platter in a 3.5- inch disk is usually 3.74 inches. As technology improves, manufacturers are able to make smaller and smaller hard disks with greater capacities.
of Platters- The # of platters in a hard disk may vary from one to dozens. As the number of platters increases, storage capacity rises, but the space between each platter becomes smaller. This makes hard disks with a large number of platters more sensitive to vibrations, flaws in the surface of a platter, and head misalignment. Therefore, the trend is to increase the area density of a hard drive and thus require a smaller number of platters.
Tracks: Tracks are the concentric circles on platters where all the information is stored. A modern hard disk contains tens of thousands of tracks on each platter. Every platter in a hard disk has the same track density. The track density refers to the compactness of the track circles. Manufacturers try to increase track density so that the max # of bits can be place within each unit area on the surface of a platter. Track density determines the amt of information that can be placed on a hard disk. it is a component of area density.
Track Numbering: Tracks are typically numbered from 0 at the outer edge to 1023 at the center. The read/write heads on both surfaces of a platter are tightly packed and locked together on an assembly of head arms. The arms move in and out together so that all heads remain physically located at the same track number. Therefore, a track location is often referred to by a cylinder number rather than a track number. A cylinder is the set of tracks that can be accessed by all the heads when the heads are in a particular position. One cylinder represents a set of tracks on all the platters in a hard disk.
Sectors: Tracks are divided into sectors. A sector is the basic physical unit of hard drive data storage. Each sector holds 512 bytes of data and some additional bytes used for internal drive control, drive management, error detection and correction, and sector identification.
The contents of a sector are:
- ID information- this contains the sector number and location that identify the sector on the disk. It also contains status information about the sector.
- Synchronization fields: This helps the drive controller guide the read process.
- Data- These are the actual data in the sector
- ECC- This is error-correcting code that ensures data integrity
- Gaps- Spaces are provided to give the drive controller time to continue the read process.
Sector Organization and Overhead- The contents of a sector that aren’t user data constitute sector overhead. This overhead must be minimized for greater efficiency. Data is stored on a disk in a contiguous series of sectors. Ex: a 900-byte file is stored in two 512-byte sectors. The track number and the sector number can be used to refer to the address of any data on a hard disk.
Bad Sectors- areas of a disk that have become unusable. Can be caused by configuration problems or physical disturbances. Some of the most common causes are excessive read/write operations, sudden voltage surges, certain viruses, and correputed boot records. If data in a sector becomes bad, then they might not be recoverable. Users can try to recover the data using software tools such as ScnDisk and Chkdsk. Once a bad sector is identified, it is marked as bad and cannot be used agian. This is called defact mapping. Modern hard disks contain reserve sectors that are used in place of ba sectors. When the drive controller receives a read/write command for a bad sector, it substitues one of the sectors from the pool of reserves. The is called spare sectoring. Bad sectors are cleverly hidden and are never seen by the operating system.
Clusters- are the smallest logical storage units on a hard disk. The file system divides the storage on a disk volume into discreet chunks of data for efficient disk usage and performance. These chunks are clusters. A file is allocated a certain number of clusters.
Cluster organization- Cluster entries are maintained by the file system running on the computer. In the FAT file system, an entry is made in the FAT (file allocation table). Clusters are chained to each other and are ordered on a disk using continous numbers, so an entire file does not have to be stored in one continuous block on the disk. This cluster chaining is invisible to the operating system.
Cluster Size- The size of a cluster is determined when the disk volume is partitioned. Larger volumes use larger cluster sizes. For hard sik volues, each cluster ranges in size from 4 sectors (2048 bytes) to 64 sectors (32768 bytes). In some situations, 128-sector clusters may be used (65536) bytes per cluster. The sectors in a cluster are continuous, so each cluster is a continuous block of space on a disk. In a cluster, any remaining space is wated. This is known as slack space. If the cluster size is large, there will be less fragmentation, but there will be more wasted space.
Slack Space- the area of a disk cluster between the end of the file and the end of the cluster. If the size of a file is less than the cluster size, a full cluster is still assigned to that file. The remaining space remains unused and is called slack space.
Lost Clusters- this is a FAT file system error that results from how the FAT file system allocates space and chains files together. it is mainly the result of a logical structure error and not a physical disk error. They usually occur because of interrupted file activities; thus, the clusters involved never get correctly linked to a file. Operating systems mark these cluster as being used in the FAT, even though they are not assigned to any file. Disk checking programs can scan an entire disk volume for lost clusters. The programs can then either clear the lost clusters or save them as files. In the latter case, artificial files are generated and lined to these clusters. These newly formed files are considered damaged, but some orphaned data can be seen and recovered.
Disk-checking prgrams, such as ScanDisk, can find lost clusters using the following procedure:
- Create a memory copy of the FAT, noting all of the clusters marked as being in use.
- Trace the clusters starting from the root directory, and mark each cluster used by the file as being accounted for. Continue through all of the directories on the disk.
- When the scanning process is finished, any clusters that are in use but not accounted for are orphans, or lost clusters.
Explain what a partition is, including the different types of partitions:
Partitioning is the creation of logical drives on a disk. A partition is a logical drive that holds data.
Can be one of 2 types:
- Primary partition: This type of partition holds information regarding the operating system and system area, as well as other information required for booting.
- Extended partition: This partition holds the data and files that are stored on the disk.
Data can be hidden on a hard disk by creating hidden partitions on the disk drive. That is, a partition can be created from the unused space between the primary partition and the first logical partition. The space between the primary partition and the secondary partition is known as the interpartition gap. If data are hidden in the interpartition gap investigators can find the data using disk editor utilites like Norton Disk Edit.
There are various tools for examining disk partitions. A few of the disk editor tools are Disk Edit, WinHexx, and Hex Workshop. a user can use these tools to view the file headers and other important information about the file.
What is a Master Boot Record?
Master Boot Record (MBR) is the first sector of a data storage device such as a hard disk. AKA partition sector or master partition table because it includes a table that contains information about each partition that the hard disk has been formatted into. MBR also includes a program that reads the boot sector reord of the partition containing the operating system into RAM.
Information about the files present on the disk, their locations, and their size is contained in the master boot record file.
-In DOS and Windows systems, a user can create the : fdisk/mbr command.
MBR contains:
- bootstrap OS
- Hold disk partition tables
The boot sector is the sector of a storage device that contains the code for bootstrapping a system.
Bootstrapping- the process by which a small program actually initializes the operating system installed on a computer.
*Many products replace the MBR file that is provided by Microsoft OS, 3-rd party tools, such as PartitionMagic allow a user to install 2 or more operating systems on a disk.
Backing up the MBR. In UNIX and Linux:
dd can be used to backup and restore the MBR.
To back-up, the command is dd if=/dev/xxx of= mbr.backup bs= 512 count=1
To restore the MBR, the command is dd if=mbr.backup of=/dev/xxx bs= 512 count=1
Understanding File Systems:
A file system is a type of system that is used to most effectively store, organize, and access data on a computer.
Data storage devices like hard disks, CD-ROMs, flash memory devices, and floppy disks use file systems to store data.
A file system provides:
- Storage
- Hierarchical categorization
- Management
- Navigation
- Access
- Data recovery features
Users can access the files using a graphical user inferface (GUI) or a command line inerface (CLI). File systems are organized in the form of tree-structured directories that generally require access authorization.
File systems are catagorized into the following 4 catagories:
- Disk file system- used for storing and recovering the files on a storage device, such as a hard disk, that is directly or indirectly connected to a computer. Ex of isk file systems: FAT 16, FAT 32, NTFS, ext 2, ISO 9660, ODS-5, and UDF.
- Network file system- Type of file system that provides access to files on other computers on a network. The file system is transparent to the user. A few examples of network file systems are NFS, CIFS, aand GFS.
- Database file systems- Earlier file systems use a hierarchial management structure, but in the database file system, files are identified by their characteristics, like the name, type, topic, and author of the file, or similar metadata. Therefore file can be easily searched using SQL queries or test searches. EX: if a user needs to find the documents written by ABC, then the search string “documents written by ABC” will show the results.
- Special Purpose file system- A file system where the files are organized by software during runtime. This type of file system is used for various purposes, such as communication between computer processes or temporary file space. Special purpose file systems are used by file-centric operating systems such as UNIX. One example in UNIX is the /proc file system, which can be used to access information about processes, and other OS features.
List and describe the file systems most commonly used on Linux:
The Linux OS is a single hierarchical tree structure that represents the file system as one single entity. It supports many different file systems. It implements a basic set of common concepts that were actually developed for UNIX. Some of the linux file system types are: Minix, ISO 9660, UMSDOS, NFS, SMB, HPFS. Minix was Linux’s first file system.
Some of the more popular file systems used with Linux are as followed:
- EXT (Extended File System)- Was released in April 1992. It’s an elaborate extension of the Minix file system. It has a maximum partition size of 2 GB and a maximum file name size of 255 characters. The ext file system removes the 2 major Minix limitations of a 64 MB partition size and short file names. The major limitation of this file system is that it doesn’t support separate access, inode modifation, and data modification time stamps. it keeps an unsorted list of free blocks and inodes, and the file system is also fragmented. It was soon replaced by the second extended file system.
- An inode is a data structure on a filesystem on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data. A data structure is a way of storing data so that it can be used efficiently.
EXT2 (Second Extended File System)- was introduced in January 1993. Extends the features of ext. It uses improved algorithms, which greatly enhances its speed, and maintains additional time stamps. it maintains a special filed in the superblock that keeps track of the status of the file system and identifies it as either clean or dirty. A dirty file system will automatically scan itself for error. The max file size in the ext 2 file system is 4 TB (1 terabyte is 1024 gigabytes). It is portable to other OS because drivers and other tools exist for accessing ext 2 data. It’s major shortcomings are that there is a risk of file system corruption when writing to ext 2 and that it is not a journaling file system.
EXT3 (Third Extended File Systems)- a journaling version of the ext 2 file system and is greatly used with the Linux OS. It adds a journal, without which the file system is a valid ext2 file system. It can be mounted and used as an ext2 file system, and all the utilities of ext2 can be used on it.
Explain the Master File Table (MFT) and its contents:
NTFS- New Technology File System- is one of the lastest file systems supported by Windows. It’s a high-performance file system that repairs itself. it supports several advanced features, such as file-level security, compression, and auditing. It also supports large and powerful volume storage solutions such as self-recovering disks. Windows has a newer proprietary file system, Resilient File System (ReFS), that is still in it’s early stages of developent, this will be the successor to NTS released in 1993.
NTFS provides data security, as it has the capability to encrypt or decrypt data, files, or folders. Uses a 16-bit Unicode character set to name files and folders. This attribute allows users around the world manage their files in their native languages. It is a fault-tolerant file system. NTFS makes a note of modification in a special log file. If a system crashes, NTS can examine the log file and use it to restore the disk to a consistent state with minimal data loss.
NTFS volumes also contain a Master File Table (MFT)- this table contains a record for every file and folder on the volume. The first 16 bytes of the table are reserved for metadata used to implement and maintain the file system structure. This metadata is stored in a set of system files.
NTFS Master File Table (MFT)- MFT is a relational database that consists of information regarding files and file attributes.
NTFS volumes have at least one entry stored in the MFT. Information regarding file attributes like size, time, and date stamps, and permissions is saved either with the MFT entries or in memory allocated outside the MFT that is described by MFT entries. When the number of files on an NFT’s volume increases, the size of the MFT increases. When a file is deleted from an NTFS volume, the values in the MFT are marked as free, and what space can be reused.
The utilities that defragment NTFS volumes on Windows systems cannot move MFT entries, and as unneccessary fragmentation of the MFT breaks down the performance of the file system, NTFS reserves space for the MFT to maintain performance as it expands. The average file size and other variables are considered when allocating memory to the reserved MFT zone or the unreserved memory on the disk as the disk fills to its capacity.
NTFS Attributes- The file attributes stored within an MFT record are called resident attributes, and those that lie outside the MFT are non-resident attributes. If the data attributes are small in size, then they can be stored within the MFT without the need for additional sotrage space on the NTFS volume. But if the attributes do not fit in the MFT, they are moved out of the MFT record as non-resident attributes.
NTFS Data Streams- A data stream is a unique set of file attributes. NTFS supports multiple data streams per file. A data stream can be created in an exsisting file on an NTFS volume using a command like the following:
C:\ECHO text_message>my file.txt:stream1.
To display the contents of the data stream, the following command must be used:
C:\MRE.
Describe the function of the EFS recovery key agent:
NTFS Encrypting File System (EFS): EFS is the main file encryption technology used to store encrypted files in NTFS. To protect files from mishandling and to ensure their security, the files are encrypted. The Encrypting File System (EFS) was first introduced in NTFS. EFS uses symmetric key encryption technology with public key technology for encryption. The user is supplied with a digital certificate with a public key pair. A private key is not used for the users who are logged into the local systems. Instead, an EFS key is used for users who are logged ito the local system.
This encryption technology maintains a level of transparency to the user who encrypted the file. There is no need for users to decrypt the file when they access it to make changes. After a user is done with the file, the encryption policy is automatically restored. When any authorized user tries to access an encrypted file, he/she is denied access.
To enable the encryption and decryption facilities, a user has to set the encryption attributes of the file and folder that he/she wants to encrypt or decrypt.
All of the files and subfolders in a folder are automatically encrypted. To take the best advantage of the encryption capability, expert recommend that encryption should be done at the folder level. This means a particular encrypted file should not be kept in the same folder as other files that are not encrypted.
Encryption is done using the graphical user interface (GUI) in Windows, but a file or a folder can also be encrypted using a command line tool like Cipher.
A file encryption certificate is issued whenever a file is encrypted. if the person who encrypted the file loses that certificate and the associated private key, data recovery is performed through the recovery key agent.***
In case of a Windows 2000 server-based network, which uses the Active Directory, the recovery agent is assigned by default to the domain administrator. The recovery agent holds a special certificate and related private key. The recovery certificate is issued by a certification authority (CA). Using the recovery certificate and its related private key, the agent can recover the data.
EFS Recovery Key Agent If there is a need to perform a recovery operation, the recovery certificate is first restored and associated with the private key in the agent’s personal store by using the IMPORT Command in the Certificates snap-in.
After the data is recovered, it is deleted from the recovery certificate in the agent’s personal store. The recovery agent’s certificate is then deleted from the computer.
Stand-alone computers locally configure the default recovery policy. For computers on a network, the recovery policy can be configured at the domain, organization unit, or individual computer level.
A Windows administrator can recover a lost key or encrypted data from the command prompt using the following tools:
***CIPHER: This tool is used to make changes to the encryption of directories or files on an NTFS partition.
Syntax:
CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [….]]
CIPHER/W:directory
CIPHER /X[:efsfile] [filename]
Where:
/E Encrypts the specified directories
/D Decrypts the specified directories
/S Performs operation on a given directory and all subdirectories
/H Displays files with hidden or sysstem attributes
/W Removes data from available unused disk space on the entire volume.
/X Backs up EFS certificate and keys into file name
**COPY: This command is used to copy one or more files to other locations.
Syntax:
COPY [/V] [/N] [/Y] [/Z] [/A | /B]
[+ source [/A | /B] [+…]] [destination[/A | /B]]
Where:
Source- specifies the file or files to be copied
destination- specifies the directory and/or filename for the new files(s)
/A- Indicates an ASCII text file
/B- Indicates a binary file
/V- Verifies that new files are written correctly
/N- Uses short file names, if available, when copying a file with a non-8dot.3 name
/Y- Suppresses prompting to confirm overwriting an existing destination file
/Z Copies network files in restartable mode
EFSRECVR: This command helps the recovery agent recover encrypted files from the specified location.
Syntax:
EFSRECVR [/S]: dir]] [/I] [/Q] [filename […]]
/S Recovers the files from the respective directories and subdirectories
/I Recovers the file even after errors have occurred
/Q Reports only useful recovery keys from the list of recovery key identifications
List and describe the different tools used to examine the registry:
The registry is a hierarchial database. Windows continuously refers to the registry for information during the execution of applications.
The window registry contains a set of pre-defined keys:
- HKEY_CURRENT_USER: It is abbreviated HKCU and can be scanned for inforatmion about the configuration of the user currently logged in.
- HKEY_USERS: HKEY_CURRENT_USER is a subkey of HKEY_USERS. It can be checked for all the user profiles loaded on the computer
- HKEY_LOCAL_MACHINES: It is abbreviated HKLM and can be searched for the configuration information of a particular computer.
- HKEY_CLASSES_ROOT: It is a subkey of HKEY_LOCAL_MACHINES/Software. The information stored in this key ensures that the correct program opens when a file is opened in Windows Explorer.
HKEY_CURRENT_CONFIG: This key contains data about the hardware profile used by the local computer at start-up.
Examining Registry Data: A registry hive is defined as a set of keys, subkeys, and values in the Windows registry. The registry has a group of supporting files that contain backups of its data. Teh extensions and the file names of these files vary from oerating sytem to operating system. The various registry hives and their supporting files in Windows are listed below:
HKEY_LOCAL_MACHINE\SAM- (Sam, Sam.log, Sam.sav)
HKEY_LOCAL_MACHINE\Security- (Security, Security.log, Security.sav)
HKEY_LOCAL_MACHINE\Software- (Software, Software.log, Software.sav)
HKEY_LOCAL_MACHINE\System- (System, System.alt, System.log, System.sav)
HKEY_CURRENT_CONFIG- (Ntuser.dat, Ntuser.dat.log, System, System.alt, System.log, System.sav)
HKEY_USERS\DEFAULT- (Default, Default.log, Default.sav)
A user can examine the registry manually using the Registry Editor. There are two versionsfor Windows: REGEDIT (16-bit) and REGEDIT32 (32-bit). REGEDIT32 and REGEDIT are installed by default on a Windows computer. The following are the steps for opening the Registry Editor in any Windows version:
*To start the 32-bit Registry Editor:
Click Start
Click Run
Type: Regedt32, and click OK
*To start the 16-bit Registry Editor:
Click Start
Click Run
Type RegEdit and click OK
There are other tools that a user can use to examine or monitor the registry:
*Registry Monitor- A program that can be used to monitor changes to the registry as they occur. It gives an idea of how the OS and other application use the registry. Windows Explorer can be monitored from the FOLDER OPTIONS dialog box to check where each program stores its option in the registry. The changes can be displayed by filtering the Registry Monitor’s output from the set-up program.
- Registry Checker: A part of the Windows 98 operating system. This program can be used to:
- back-up and restore the registry
- scan and fix various erros in the registry
- optimize the space that is unused in the registry
bad sector
An area of a disk that has become unusable
boot sector
the first sector of a data storage device that contains the code for bootstrapping a system
bootstrapping
the process by which a small program actually initializes the operating system installed on a computer
