Hard Disks & File Systems

Question 1

Track Numbering

Answer 1

Begins from 0 at outer edge and moves towards the center, typically reaching a value of 1023

Question 2

Sectors

Answer 2

The smallest allocation unit of a disk platter.

Normally holds 512 bytes of data

Question 3

Clusters

Answer 3

The smallest allocation unit of a hard disk. A set of tracks and sectors from 2-32

Question 4

Slack Space

Answer 4

1. The free space on the cluster after writing data on that cluster
2. If the size of the stored data is less than the cluster’s size, the unused area remains reserved for the file, resulting in slack space

Question 5

Bit

Answer 5

a single binary digit

Question 6

Byte

Answer 6

consists of 8 bits

Question 7

Nibble

Answer 7

half a byte/consists of 4 bits/known as a tetrade

Question 8

Hard Disk Data Addressing

Answer 8

1. CHS

2. LBA

Question 9

Disk Partitioning

Answer 9

Primary

Extended

Question 10

Primary Disk Partition

Answer 10

holds the information regarding the operating

system, system area, and other information required for booting

Question 11

Extended Disk Partition

Answer 11

holds the information regarding the

data and files that are stored in the disk

Question 12

BIOS Parameter Block (BPB)

Answer 12

The BPB is a data structure situated at sector 1 in the

volume boot record of a hard disk and explains the physical layout of a disk volume.

Question 13

Master Boot Record (MBR)

Answer 13

A master boot record (MBR) is the first sector (“sector zero”) of a data storage device such as a hard disk

Question 14

Backup the MBR on a UNIX/LINUX System

Answer 14

dd if=/dev/xxx of=mbr.backup bs=512 count=1

Question 15

Restore the MBR on a UNIX/LINUX System

Answer 15

dd if=mbr.backup of=/dev/xxx bs=512 count=1

Question 16

What is the GUID?

Answer 16

The Globally Unique Identifier is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, a database entry, and/or the user.

Question 17

What is GPT?

Answer 17

GPT - Part of the Unified Extensible Firmware Interface (UEFI), which replaces legacy BIOS firmware interfaces.

Question 18

What Partition scheme does MBR use?

Answer 18

32 bits for storing LBA and the size information on a 512-byte sector.

Question 19

What Partition scheme does GPT use?

Answer 19

In GPT, each logical block is 512 bytes and each partition entry is 128 bytes, and the negative addressing of the logical blocks starts from the end of the volume with -1 as the last addressable block.

Question 20

What is GPTs LBA layout look like?

Answer 20

LBA 0 stores the Protective MBR
LBA 1 contains the GPTheader, and the GPT header comprises a pointer to the partition table or
Partition Entry Array at LBA 2

Question 21

How many bytes does UEFI assign for the Partition entry array?

Answer 21

16,384 bytes

Question 22

Why is LBA 34 the first usable sector?

Answer 22

Since the disk has 512-byte sectors with a partition entry array of 16,384 bytes and the minimum size of 128 bytes for each partition entry,

Question 23

Protective MBR

Answer 23

Helps legacy tools solve compatibility issues when they fail to understand the GPT format.

Question 24

What are essential Windows System Files?

Answer 24

Ntoskrnl.exe
Ntkrnlpa.exe
Hal.dll
Win32k.sys
Ntdll.dll
Kernel32.dll
Advapi32.dll
User32.dll
Gdi32.dll

Question 25

What are the Five phases of UEFI Boot?

Answer 25

SEC - Security
PEI - Pre-EFI Initialization
DXE - Driver Execution Environment
BDS - Boot Device Selection
RT - Run-Time

Question 26

Security (SEC) Phase

Answer 26

initialization code that the system executes

after powering the EFI system on.

Question 27

Pre-EFI Initialization (PEI) Phase

Answer 27

initializes the CPU, temporary memory,

and boot firmware volume (BFV). Finally, it creates a Hand-Off Block List

Question 28

Driver Execution Environment (DXE) Phase

Answer 28

Most of the initialization
happens in this phase. Using the Hand-Off Block List (HOBL), it initializes the entire system physical memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL

Question 29

Boot Device Selection (BDS) Phase

Answer 29

interprets the boot configuration data
and selects the Boot Policy for later implementation. In this phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads the Bootloader program from the EFI partition for UEFI Boot.

Question 30

Run-Time (RT) Phase

Answer 30

the system clears the UEFI program from memory

and transfers it to the OS.

Question 31

Get-GPT Command

Answer 31

analyze the GUID Partition Table data structure of the hard disk.

Question 32

Get-BootSector Command

Answer 32

analyzes the first sector of hard drive and determines the formatting type used and then parses the hard drive GPT.

Question 33

Get-PartitionTable Command

Answer 33

analyzes the GUID partition table to find the exact type of boot sector (MBR or GPT) and displays the partition object.

Question 34

MACs that are PowerPC-Based

Answer 34

Use firmware to initialize

Question 35

MACs that are Intel Based

Answer 35

Use EFI to initialize

Question 36

What are three Stages with the LInux Boot Process?

Answer 36

The BIOS Stage
The Bootloader Stage
Kernal Stage

Question 37

What are the three structures within a FAT layout?

Answer 37

1. Reserved Area - 1 sector in size
2. FAT Area - Contains the FAT Structures
3. Data Area - Contains the clusters allocates to store files and directory data

Question 38

How large is the FAT Partition Boot Sector?

Answer 38

512 Bytes

Question 39

NTFS Flie Systems

Answer 39

$attrdef - contains definitions of all system & user-defined attributes of the volume
$badclus - all bad clusters
$bitmap - bitmap for the entire volume
$boot - volume bootstrap
$logfile - used for recovery
$mft - a record for every file
$mftmirr - mirror of $mft used for recovery
$quota - disk quota list for all users
$upcase - converts characters into uppercase UNICODE
$volume - volume name & version number

Question 40

NTFS Boot Sector is assigned to how many sectors?

Answer 40

first 16 sectors to the boot sectors and to the bootstrap code

Question 41

What is the NTFS Master File Table?

Answer 41

1. A relational database which consists of information related to the files and the file attributes
2. The rows consist of file records and the columns consist of file attributes
3. It has information of every file on the NTFS volume including information about itself
4. It has 16 records reserved for system files

Question 42

Encryption and EFS

Answer 42

NTFS sets a flag for the file after encrypting it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and Data Recovery Field (DRF).

Question 43

Sparse Files

Answer 43

A type of file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty.

Question 44

What is the basic building block of EXT2?

Answer 44

INODES are the basic building blocks of the EXT2 File System

Question 45

What is the max file size for EXT4?

Answer 45

Maximum file size of 16TB and volume size of 1 Exabyte

Question 46

What Files Systems does MAC use?

Answer 46

HFS or HFS+ or UFS

Question 47

Host Protected Area (HPA)

Answer 47

the reserved area on a HDD, meant to store data in a way that the user, BIOS, or OS cannot modify, change, or access it. Information about HDD utilities, diagnostic tools, boot sector code, etc. is found here.

Question 48

Device Configuration Overlays (DCO)

Answer 48

an additional hidden area which enables system vendors to buy HDDs of varying sizes from different manufacturers and configure all of them to have an equal number of sectors. It can also be used to enable/disable features on the HDD.

Question 49

What tools can you use to detect HPA and DCO on a HDD?

Answer 49

Use tools such as EnCase, TAFT (an ATA (IDE) forensics tool), or Sleuth Kit to detect and image HPA and/or DCO areas.

Question 50

ASCII

Answer 50

a character encoding standard used in computers. The standard has 128 specified characters coded into 7-bit integers. Source code of a program, batch files, macros, scripts, HTML and XML documents are also ASCII files.

Question 51

UNICODE

Answer 51

computing standard, developed along with the Universal Coded Character Set (UCS) standard for encoding, representation, and management of texts. It provides a unique number for every character, irrespective of the platform, program, and language. Unicode contains more than 128,000 characters from about 135 modern and historic scripts.

Question 52

OFFSET

Answer 52

Refers to either the start of a file or the start of a memory address. Its value is added to a base address to derive the actual address.

Question 53

What is a Hex Editor?

Answer 53

It is a program that allows users to modify the binary data of a file. A hex editor has three display areas including an address area, a hexadecimal area, and a character area.

Question 54

File Carving

Answer 54

the process of recovering files from their fragments and pieces from unallocated space of the hard disk in the absence of file system metadata. In computer forensics, it helps investigators to extract data from a storage media without any support of the file system used in creation of the file.

Question 55

Joint Photographic Experts Group (JPEG)

Answer 55

It is a method of lossy compression for digital images and allows users to adjust the degree of compression. JPEG files allow compression ratio of 90%, which is one-tenth of the size of the data.

Question 56

JPEG Hex editor code

Answer 56

ffd8

Question 57

Bitmap (BMP)

Answer 57

BMP images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors.

Question 58

BMP Hex editor code

Answer 58

42 4D

Question 59

GIF

Answer 59

Each color in the GIF color table is described in RGB values, with each value having a range of 0 to 255.

Question 60

Portable Network Graphics (PNG)

Answer 60

a lossless image format intended to replace the GIF and TIFF formats.

Question 61

PNG file hex values begin with?

Answer 61

89 50 4e (The Same as GIF)

Question 62

PDF Hex Value

Answer 62

25 50 44 46

Question 63

fsstat

Answer 63

Display general details of a file system

Question 64

istat

Answer 64

Display details of a meta-data structure. Displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.

Question 65

fls

Answer 65

List file and directory names in a disk image.