Hard Disks & File Systems Flashcards
Track Numbering
Begins at 0 on the outer edge of the platter and increases toward the center. In legacy CHS addressing the cylinder (track) number is a 10-bit field, so it tops out at 1023.
Sectors
The smallest physical unit of storage on a disk platter.
Traditionally holds 512 bytes of data; Advanced Format drives use 4,096-byte physical sectors (usually still presented to the OS as 512-byte logical sectors)
Clusters
The smallest unit of space a file system allocates to a file. A cluster is a group of contiguous sectors (commonly 1 to 128 sectors; NTFS defaults to 8 x 512-byte sectors = 4 KB), so a file always occupies a whole number of clusters
Slack Space
- The unused space between the end of a file's data and the end of the last cluster allocated to it
- If the stored data is smaller than the cluster, the remainder stays reserved for that file and is not reused; whatever those sectors held before (fragments of deleted files) can survive there, which is why slack space is examined in forensics
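The arithmetic behind the two cards above, as an added example that is not part of the original flashcards: it splits the slack of a file into RAM slack (the tail of the last written sector) and file slack (the untouched sectors of the last cluster), and simulates a cluster being reused so that the old contents that survive in file slack can be read back. The sample cluster contents are constructed; the assumption that the OS zero-fills RAM slack matches modern Windows and is stated in the code.

```python
"""Slack-space arithmetic and a simulated reused cluster (added example)."""

SECTOR = 512


def slack_layout(file_size: int, cluster_size: int, sector: int = SECTOR) -> dict:
    """Describe how a file of file_size bytes sits in cluster_size-byte clusters.

    ram_slack  = bytes from EOF to the end of the last sector that was written
    file_slack = whole sectors in the last cluster that are never written at all
    """
    clusters = -(-file_size // cluster_size) if file_size else 0   # ceiling division
    allocated = clusters * cluster_size
    sectors_written = -(-file_size // sector) if file_size else 0
    ram_slack = sectors_written * sector - file_size
    total_slack = allocated - file_size
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": ram_slack,
        "file_slack": total_slack - ram_slack,
        "total_slack": total_slack,
    }


def write_into_cluster(old_contents: bytes, new_data: bytes, sector: int = SECTOR) -> bytes:
    """Model a write into a cluster that previously held old_contents.

    Assumption (matches modern Windows behaviour): the OS pads the last written
    sector with zeros, so RAM slack is zero-filled, while sectors it never
    touches keep their previous contents (file slack).
    """
    if len(new_data) > len(old_contents):
        raise ValueError("new_data does not fit in one cluster")
    sectors_written = -(-len(new_data) // sector)
    padded = new_data + b"\x00" * (sectors_written * sector - len(new_data))
    return padded + old_contents[len(padded):]


def recover_slack(cluster: bytes, file_size: int) -> bytes:
    """What a forensic tool reads past the logical end of the file."""
    return cluster[file_size:]


if __name__ == "__main__":
    # Constructed sample: a 4 KiB cluster that used to hold part of a deleted file.
    old = (b"DELETED-RECORD:card=4111-1111-1111-1111;" * 200)[:4096]
    new_file = b"A" * 1500
    cluster = write_into_cluster(old, new_file)
    print(slack_layout(len(new_file), 4096))              # 1 cluster, 36 B RAM slack, 2560 B file slack
    print(recover_slack(cluster, len(new_file))[36:100])  # old data survives in file slack
```

A 1,500-byte file in a 4 KiB cluster leaves 2,596 bytes of slack: 36 bytes of zero-filled RAM slack and 2,560 bytes (five whole sectors) of file slack still holding the previous occupant's data.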
Bit
a single binary digit
Byte
consists of 8 bits
Nibble
half a byte, i.e. 4 bits; also known as a tetrade
Hard Disk Data Addressing
- CHS (Cylinder-Head-Sector): a geometric address, limited by its field widths to roughly 8 GB
- LBA (Logical Block Addressing): a single linear sector number starting at 0, used by everything modern
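Conversion between the two addressing schemes, as an added example that is not part of the original flashcards. It implements LBA = (C x HPC + H) x SPT + (S - 1), the inverse mapping, and the 3-byte packed CHS form used in MBR partition entries, including the edge case where an LBA lies beyond the 10-bit cylinder limit and the conventional 1023/254/63 marker is stored instead. The 255-head / 63-sector geometry is an assumed legacy translation geometry, not a value from the cards.

```python
"""CHS <-> LBA conversion and the 3-byte CHS encoding used in MBR entries (added example)."""

# Assumed legacy geometry (BIOS "translation" values commonly reported to old software)
HEADS = 255          # heads per cylinder (H), 0-based
SPT = 63             # sectors per track (S), numbered from 1
MAX_CYL = 1023       # cylinder field is 10 bits: 0..1023


def chs_to_lba(c: int, h: int, s: int, heads: int = HEADS, spt: int = SPT) -> int:
    """LBA = (C * HPC + H) * SPT + (S - 1); sectors are 1-based, heads/cylinders 0-based."""
    if c < 0 or not 0 <= h < heads or not 1 <= s <= spt:
        raise ValueError(f"invalid CHS tuple {(c, h, s)} for geometry {heads}/{spt}")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba: int, heads: int = HEADS, spt: int = SPT) -> tuple:
    """Inverse mapping. Beyond the 10-bit cylinder limit there is no exact CHS
    value, so (as MBR writers do) the maximum tuple 1023/254/63 is returned."""
    if lba < 0:
        raise ValueError("negative LBA")
    c = lba // (heads * spt)
    if c > MAX_CYL:
        return (MAX_CYL, heads - 1, spt)
    h = (lba // spt) % heads
    s = lba % spt + 1
    return (c, h, s)


def pack_chs(c: int, h: int, s: int) -> bytes:
    """MBR layout: byte0 = head, byte1 = cyl bits 9..8 << 6 | sector (6 bits), byte2 = cyl bits 7..0."""
    return bytes([h & 0xFF, ((c >> 8) & 0x03) << 6 | (s & 0x3F), c & 0xFF])


def unpack_chs(raw: bytes) -> tuple:
    """Reverse of pack_chs for the 3-byte fields in a partition entry."""
    h = raw[0]
    s = raw[1] & 0x3F
    c = ((raw[1] >> 6) << 8) | raw[2]
    return (c, h, s)


def chs_addressable_bytes(sector_size: int = 512, heads: int = HEADS, spt: int = SPT) -> int:
    """Largest disk the CHS scheme can address with this geometry (about 8.4 GB)."""
    return (chs_to_lba(MAX_CYL, heads - 1, spt, heads, spt) + 1) * sector_size


if __name__ == "__main__":
    print(lba_to_chs(2048))                   # (0, 32, 33): the usual first-partition start
    print(pack_chs(*lba_to_chs(2048)).hex())  # 202100
    print(lba_to_chs(2 ** 32 - 1))            # (1023, 254, 63): beyond CHS range
    print(chs_addressable_bytes() / 1e9, "GB")
```

The round trip is exact below the cylinder limit; above it the packed field carries no real position, which is why a forensic parser should take the starting sector of a partition from the 32-bit LBA field and treat the CHS bytes as informational only.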
Disk Partitioning
Primary
Extended
Primary Disk Partition
A partition defined directly in the MBR partition table (at most four per MBR disk). It can hold an operating system; the one marked active holds the boot sector, system area, and other information required for booting
Extended Disk Partition
A container partition used to get around the four-entry limit of the MBR. It holds one or more logical drives, which in turn hold the data and files stored on the disk
BIOS Parameter Block (BPB)
The BPB is a data structure located in the volume boot record (the first sector of a volume, starting at byte offset 0x0B) that describes the physical layout of the volume: bytes per sector, sectors per cluster, reserved sectors, number of FATs, total sectors, and so on.
Master Boot Record (MBR)
A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk. It is 512 bytes long and holds the boot code (446 bytes), the partition table (four 16-byte entries at offset 0x1BE), and the boot signature 0x55AA at offset 0x1FE.
Backup the MBR on a UNIX/LINUX System
dd if=/dev/xxx of=mbr.backup bs=512 count=1
(copies the whole first sector: boot code, partition table, and signature; xxx is the whole-disk device such as sda, not a partition)
Restore the MBR on a UNIX/LINUX System
dd if=mbr.backup of=/dev/xxx bs=512 count=1
(this also overwrites the partition table; to restore only the boot code and keep the current partition table, use bs=446 count=1)
What is the GUID?
The Globally Unique Identifier is a 128-bit identifier (Microsoft's name for a UUID) generated so that it is unique without any central registry. Windows uses GUIDs to identify devices, documents, database entries, users, and, in GPT, every partition and partition type.
What is GPT?
GPT (GUID Partition Table) is the partitioning scheme defined as part of the Unified Extensible Firmware Interface (UEFI), which replaces the legacy BIOS firmware interface and the MBR partitioning scheme.
What Partition scheme does MBR use?
32-bit fields for the starting LBA and the sector count of each partition, so with 512-byte sectors an MBR partition can address at most 2^32 x 512 bytes = 2 TiB; the table holds at most four primary partitions.
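A parser and builder for the 512-byte MBR described in the cards above, as an added example that is not part of the original flashcards. It checks the 0x55AA signature, decodes the four 16-byte entries (status byte, partition type, 32-bit starting LBA and sector count), and splits the sector into the pieces that a dd restore with bs=446 versus bs=512 would overwrite. The sample partition layout is constructed.

```python
"""Parse and build a 512-byte MBR (added example)."""
import struct

SECTOR = 512
BOOT_CODE_LEN = 446                # bytes 0x000-0x1BD
TABLE_OFFSET = 0x1BE               # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"            # bytes 0x1FE-0x1FF
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
MBR_MAX_BYTES = 2 ** 32 * SECTOR   # 32-bit LBA fields: 2 TiB with 512-byte sectors


def parse_mbr(sector: bytes) -> dict:
    """Return the boot code and the non-empty partition entries of one MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,   # the 'active' flag the BIOS looks for
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
            "size_bytes": count * SECTOR,
        })
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "is_protective_gpt": any(p["type"] == 0xEE for p in partitions),
    }


def build_mbr(entries, boot_code: bytes = b"") -> bytes:
    """entries: list of (bootable, type, lba_start, sector_count). The CHS fields are
    written as the 'beyond CHS' marker FE FF FF, which modern operating systems ignore."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary partitions")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                    b"\xfe\xff\xff", start, count)
        for bootable, ptype, start, count in entries
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def split_for_restore(mbr: bytes) -> tuple:
    """The regions a dd restore touches: bs=446 writes only the code, bs=512 also
    overwrites the partition table and the signature."""
    return mbr[:BOOT_CODE_LEN], mbr[TABLE_OFFSET:TABLE_OFFSET + 64], mbr[510:]


if __name__ == "__main__":
    # Constructed sample: bootable NTFS (0x07) partition followed by a Linux (0x83) partition.
    mbr = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)], b"\xeb\xfe")
    for p in parse_mbr(mbr)["partitions"]:
        print(p)
```

Running it against a real disk means reading the first 512 bytes of the raw device (or of an image); a type byte of 0xEE in the first entry is the signal to stop trusting this table and parse the GPT instead.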
What Partition scheme does GPT use?
In GPT each logical block is normally 512 bytes (4,096 on Advanced Format disks), block addresses are 64-bit, and each partition entry is 128 bytes. Negative addressing counts from the end of the volume, with -1 as the last addressable block (where the backup GPT header lives).
What is GPTs LBA layout look like?
LBA 0 stores the Protective MBR
LBA 1 contains the GPT header, which holds a pointer to the partition table (Partition Entry Array), normally at LBA 2
LBA -1 holds the backup GPT header, and the blocks just before it hold the backup Partition Entry Array
How many bytes does UEFI assign for the Partition entry array?
At least 16,384 bytes (128 entries of 128 bytes each)
Why is LBA 34 the first usable sector?
The disk has 512-byte sectors and the partition entry array is at least 16,384 bytes (128 entries x 128 bytes), so the array occupies 16,384 / 512 = 32 sectors, LBA 2 through LBA 33; the first sector left for partitions is therefore LBA 34. On a disk with 4,096-byte sectors the array needs only 4 sectors and the first usable LBA is 6.
Protective MBR
A single MBR partition entry of type 0xEE at LBA 0 that spans the whole disk (or its first 2 TiB). Legacy tools that do not understand GPT see a disk that is fully allocated instead of empty, so they do not overwrite the GPT structures.
What are essential Windows System Files?
Ntoskrnl.exe, Ntkrnlpa.exe, Hal.dll, Win32k.sys, Ntdll.dll, Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll
What are the Five phases of UEFI Boot?
SEC - Security
PEI - Pre-EFI Initialization
DXE - Driver Execution Environment
BDS - Boot Device Selection
RT - Run-Time
Security (SEC) Phase
The first initialization code the system executes after the EFI system is powered on; it serves as the root of trust for the phases that follow.
Pre-EFI Initialization (PEI) Phase
Initializes the CPU, temporary memory, and the boot firmware volume (BFV). Finally, it creates the Hand-Off Block List (HOBL) that is passed to the next phase.
Driver Execution Environment (DXE) Phase
Most of the initialization happens in this phase. Using the Hand-Off Block List (HOBL), it initializes the entire system physical memory, I/O, and MMIO (Memory Mapped Input/Output) resources and finally begins dispatching the DXE drivers present in the system firmware volumes (given in the HOBL).
Boot Device Selection (BDS) Phase
Interprets the boot configuration data and selects the boot policy for later implementation. In this phase, the system loads MBR boot code into memory for a legacy BIOS boot, or loads the bootloader program from the EFI System Partition for a UEFI boot.
Run-Time (RT) Phase
After the bootloader calls ExitBootServices, the firmware releases its boot-time services and the memory they used and transfers control to the OS; only the UEFI runtime services (variable access, time, reset) remain available to the OS.
Get-GPT Command
PowerForensics PowerShell cmdlet that analyzes the GUID Partition Table data structure of the hard disk.
Get-BootSector Command
PowerForensics cmdlet that analyzes the first sector of the hard drive, determines which partitioning scheme (MBR or GPT) is used, and then parses that structure.
Get-PartitionTable Command
PowerForensics cmdlet that analyzes the partition table, identifies the exact type of boot sector (MBR or GPT), and returns the partition objects.
MACs that are PowerPC-Based
Use Open Firmware to initialize
MACs that are Intel Based
Use EFI to initialize (the Intel Mac firmware is an EFI implementation)
What are the three stages of the Linux boot process?
The BIOS (or UEFI firmware) stage
The bootloader stage
The kernel stage
What are the three structures within a FAT layout?
- Reserved Area - starts at sector 0 with the boot sector (which holds the BPB); 1 sector on FAT12/16, typically 32 sectors on FAT32
- FAT Area - contains the FAT structures (usually two copies of the File Allocation Table)
- Data Area - contains the clusters allocated to store file and directory data
How large is the FAT Partition Boot Sector?
512 Bytes
NTFS System Files (metafiles)
$AttrDef - contains definitions of all system and user-defined attributes of the volume
$BadClus - lists all bad clusters
$Bitmap - cluster allocation bitmap for the entire volume
$Boot - volume bootstrap (boot sector and bootstrap code)
$LogFile - transaction journal used for recovery
$MFT - a record for every file and directory
$MFTMirr - mirror of the first records of $MFT, used for recovery
$Quota - disk quota list for all users
$UpCase - table that maps characters to uppercase Unicode for case-insensitive name comparison
$Volume - volume name and version number
NTFS Boot Sector is assigned to how many sectors?
The first 16 sectors of the volume are reserved for the boot sector and the bootstrap code
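The BIOS Parameter Block, FAT layout and NTFS boot sector cards above share one on-disk structure, so this added example (not part of the original flashcards) parses it once for both: it reads the common BPB fields from a boot sector, derives the reserved, FAT and data areas and the FAT type (decided, as Microsoft specifies, purely by the cluster count) for a FAT volume, and the $MFT/$MFTMirr offsets and record size from the NTFS extension of the same block. The two sample boot sectors are constructed; the volume sizes and cluster positions in them are assumed values.

```python
"""Read the BIOS Parameter Block from a FAT or NTFS volume boot sector (added example)."""
import struct

BPB_FMT = "<HBHBHHBHHHII"   # bytes 0x0B..0x23, common to FAT12/16/32 and NTFS
BOOT_SIG = b"\x55\xaa"


def parse_bpb(bs: bytes) -> dict:
    """Return the volume layout implied by the BPB of one boot sector."""
    if len(bs) < 512 or bs[510:512] != BOOT_SIG:
        raise ValueError("not a valid boot sector (missing 0x55AA)")
    oem = bs[3:11]
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf16, spt, heads, hidden, total32) = struct.unpack_from(BPB_FMT, bs, 0x0B)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError(f"implausible BPB: bytes/sector={bps} sectors/cluster={spc}")
    info = {"oem": oem.decode("ascii", "replace").rstrip(), "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "cluster_size": bps * spc,
            "reserved_sectors": reserved, "hidden_sectors": hidden}
    if oem == b"NTFS    ":
        # NTFS extension: 64-bit total sectors, $MFT/$MFTMirr start clusters, record sizes
        total, mft_cluster, mftmirr_cluster, rec, idx = struct.unpack_from("<QQQbxxxb", bs, 0x28)

        def size_bytes(v: int) -> int:     # a negative value encodes log2 of the size in bytes
            return 2 ** (-v) if v < 0 else v * spc * bps

        info.update({"fs": "NTFS", "total_sectors": total,
                     "mft_offset": mft_cluster * spc * bps,
                     "mftmirr_offset": mftmirr_cluster * spc * bps,
                     "mft_record_size": size_bytes(rec), "index_record_size": size_bytes(idx)})
        return info
    spf = spf16 or struct.unpack_from("<I", bs, 0x24)[0]   # FAT32 keeps sectors-per-FAT at 0x24
    total = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32: its root dir is in the data area
    data_start = reserved + nfats * spf + root_dir_sectors
    cluster_count = (total - data_start) // spc
    # Microsoft's rule: the FAT type is decided purely by the number of data clusters
    fs = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"
    info.update({"fs": fs, "total_sectors": total, "fat_count": nfats, "sectors_per_fat": spf,
                 "fat_start_sector": reserved, "data_start_sector": data_start,
                 "cluster_count": cluster_count})
    return info


def cluster_offset(info: dict, cluster: int) -> int:
    """Byte offset of a cluster from the start of the volume (FAT data clusters start at 2, NTFS at 0)."""
    if info["fs"] == "NTFS":
        return cluster * info["cluster_size"]
    if cluster < 2:
        raise ValueError("FAT data clusters start at 2")
    return (info["data_start_sector"] + (cluster - 2) * info["sectors_per_cluster"]) * info["bytes_per_sector"]


def build_fat32_boot_sector() -> bytes:
    """Constructed 1 GiB FAT32 volume: 4 KiB clusters, 32 reserved sectors, two FATs of 2,048 sectors."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xeb\x58\x90", b"MSWIN4.1"
    struct.pack_into(BPB_FMT, bs, 0x0B, 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 2048, 2_097_152)
    struct.pack_into("<IHHIHH", bs, 0x24, 2048, 0, 0, 2, 1, 6)  # spf32, flags, version, root cluster, FSInfo, backup boot
    bs[0x52:0x5A], bs[510:512] = b"FAT32   ", BOOT_SIG
    return bytes(bs)


def build_ntfs_boot_sector() -> bytes:
    """Constructed NTFS volume: 4 KiB clusters, $MFT at cluster 786432, 1 KiB MFT records."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xeb\x52\x90", b"NTFS    "
    struct.pack_into(BPB_FMT, bs, 0x0B, 512, 8, 0, 0, 0, 0, 0xF8, 0, 63, 255, 206_848, 0)
    struct.pack_into("<QQQbxxxbxxxQ", bs, 0x28, 409_599, 786_432, 2, -10, 1, 0x1122334455667788)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


if __name__ == "__main__":
    print(parse_bpb(build_fat32_boot_sector()))
    print(parse_bpb(build_ntfs_boot_sector()))
```

On a real image the same function runs over the first 512 bytes of the partition (partition start LBA x sector size into the disk image); the NTFS branch gives the byte offset at which $MFT record 0 begins, which is the starting point for any manual MFT analysis.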
What is the NTFS Master File Table?
- A database-like table that holds a record for every file and directory on the volume together with its attributes
- Each record (row) describes one file; the attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA, ...) are its columns; records are normally 1,024 bytes
- It has an entry for every file on the NTFS volume, including itself ($MFT is record 0)
- The first 16 records are reserved for the system (meta) files
Encryption and EFS
NTFS sets the encrypted flag on the file after encrypting it and creates an $EFS attribute (a $LOGGED_UTILITY_STREAM) that stores the Data Decryption Field (DDF), holding the file encryption key wrapped for each authorized user, and the Data Recovery Field (DRF), holding it wrapped for the recovery agents.
Sparse Files
A type of file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty.
What is the basic building block of EXT2?
Inodes are the basic building blocks of the ext2 file system: each inode holds a file's metadata (mode, owner, size, timestamps) and the pointers to its data blocks
What is the max file size for EXT4?
Maximum file size of 16 TiB (with 4 KiB blocks) and maximum volume size of 1 EiB
What Files Systems does MAC use?
HFS, HFS+ (and UFS on older systems); current macOS releases use APFS
Host Protected Area (HPA)
A reserved area on an HDD, meant to store data in a way that the user, BIOS, or OS cannot see, modify, or access it. Information such as HDD utilities, diagnostic tools, and boot sector code is found here.
Device Configuration Overlays (DCO)
an additional hidden area which enables system vendors to buy HDDs of varying sizes from different manufacturers and configure all of them to have an equal number of sectors. It can also be used to enable/disable features on the HDD.
What tools can you use to detect HPA and DCO on a HDD?
Use tools such as EnCase, TAFT (an ATA (IDE) forensics tool), or The Sleuth Kit to detect and image HPA and/or DCO areas. On Linux, hdparm -N /dev/sdX reports the HPA (current versus native maximum sector count) and hdparm --dco-identify /dev/sdX reports the DCO settings; check both before imaging so the image covers the whole drive rather than only the visible sectors.
ASCII
A character encoding standard used in computers. The standard has 128 specified characters coded into 7-bit integers. Source code of a program, batch files, macros, scripts, and HTML and XML documents are commonly plain-text files using ASCII (or an ASCII-compatible encoding such as UTF-8).
UNICODE
computing standard, developed along with the Universal Coded Character Set (UCS) standard for encoding, representation, and management of texts. It provides a unique number for every character, irrespective of the platform, program, and language. Unicode contains more than 128,000 characters from about 135 modern and historic scripts.
OFFSET
A distance, in bytes, from a reference point such as the start of a file or a base memory address. Adding the offset to the base address gives the actual address.
What is a Hex Editor?
It is a program that allows users to view and modify the raw binary data of a file. A hex editor has three display areas: an address (offset) column, a hexadecimal column, and a character (ASCII) column.
File Carving
the process of recovering files from their fragments and pieces from unallocated space of the hard disk in the absence of file system metadata. In computer forensics, it helps investigators to extract data from a storage media without any support of the file system used in creation of the file.
Joint Photographic Experts Group (JPEG)
It is a method of lossy compression for digital images that allows users to adjust the degree of compression. Compression ratios of about 10:1 are common, i.e. the compressed file is roughly one-tenth the size of the raw image data.
JPEG Hex editor code
FF D8 FF (FF D8 is the Start Of Image marker; the file ends with the End Of Image marker FF D9)
Bitmap (BMP)
BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors).
BMP Hex editor code
42 4D
GIF
Each color in the GIF color table is described in RGB values, with each value having a range of 0 to 255. The file begins with GIF87a or GIF89a (hex 47 49 46 38 37 61 or 47 49 46 38 39 61).
Portable Network Graphics (PNG)
a lossless image format intended to replace the GIF and TIFF formats.
PNG file hex values begin with?
89 50 4E 47 0D 0A 1A 0A (the 8-byte PNG signature; GIF files instead begin with 47 49 46 38, "GIF8")
PDF Hex Value
25 50 44 46 ("%PDF")
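The hex editor, file carving and file-signature cards above come together in this added example (not part of the original flashcards): a signature table using the JPEG, BMP, GIF, PNG and PDF magic bytes from the cards, a hexdump function that prints the three columns a hex editor shows, and a header/footer carver that scans a constructed block of "unallocated space" for those signatures without any file-system metadata. The BMP has no footer, so its size is taken from the length field in its own header; the sample files and filler are constructed and minimal.

```python
"""Magic-byte identification, a hex-editor style dump, and header/footer carving (added example)."""

# (header, footer) pairs; footer None = the size comes from the file's own header
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),               # SOI marker ... EOI marker
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),    # 8-byte signature ... IEND chunk + its CRC
    "gif":  (b"GIF8", b"\x00\x3b"),                        # GIF87a/GIF89a ... block terminator + trailer
    "bmp":  (b"BM", None),                                 # file size is the uint32 LE at offset 2
    "pdf":  (b"%PDF", b"%%EOF"),
}


def identify(head: bytes):
    """Return the file type whose magic bytes start `head`, or None."""
    for kind, (magic, _footer) in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """The three columns a hex editor shows: offset (address), hex bytes, printable characters."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart}  {text}")
    return "\n".join(lines)


def carve(blob: bytes, max_len: int = 1 << 20) -> list:
    """Scan unallocated space for known headers and cut each file out.

    Caveats a production carver must handle: the footer search can stop early on
    an embedded file (e.g. a JPEG thumbnail's own FF D9), fragmented files are
    not recovered, and a header found inside another file is reported as well.
    """
    hits = []
    for kind, (magic, footer) in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            if footer is None:                            # BMP: use the header's size field
                size = int.from_bytes(blob[pos + 2:pos + 6], "little")
                end = pos + size if 14 < size <= len(blob) - pos else None
            else:
                t = blob.find(footer, pos + len(magic), pos + max_len)
                end = t + len(footer) if t != -1 else None
            hits.append({"type": kind, "offset": pos, "end": end,
                         "data": blob[pos:end] if end is not None else None})
            start = pos + len(magic)
    return sorted(hits, key=lambda h: h["offset"])


def build_unallocated_space() -> bytes:
    """Constructed 'unallocated space': four minimal files separated by zeroed filler."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x22" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    bmp = b"BM" + (40).to_bytes(4, "little") + b"\x33" * 34
    pdf = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    filler = b"\x00" * 100
    return filler + jpeg + filler + png + filler + bmp + filler + pdf + filler


if __name__ == "__main__":
    blob = build_unallocated_space()
    for hit in carve(blob):
        print(f"{hit['type']:4} at offset 0x{hit['offset']:x}, {len(hit['data'])} bytes")
        print(hexdump(hit["data"][:16], base=hit["offset"]))
```

A header whose footer is not found within max_len is reported with end=None instead of a guessed length, so an analyst sees that the file is truncated or fragmented rather than receiving a silently corrupt carve.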
fsstat
Display general details of a file system (The Sleuth Kit)
istat
Display details of a meta-data structure. Displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.
fls
List file and directory names in a disk image.