data character representationathena.ecs.csus.edu/~cookd/116/notes/csc 116 - summer 2018 - 1 - part 2...

1

Data

Representation

& Hard Drives

Week 1 – Part 2

Character

Sets

How Text is Stored

Represents text

• Punctuation & symbols

• Numerals 0 – 9

• Letters

Each has a value

• computers think in numbers

• characters and their matching values are a character set

7/10/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3

Characters

ASCII

• 7 bits – 128 characters

• uses a full byte, one bit is not used

• created in the 1967

EBCDIC

• Alternative system used by old IBM systems

• Not used much anymore

Unicode – we'll cover this in a few slides


Character Sets

NUL SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI

DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US

sp ! " # $ % & ' ( ) * + , - . /

0 1 2 3 4 5 6 7 8 9 : ; < = > ?

@ A B C D E F G H I J K L M N O

P Q R S T U V W X Y Z [ \ ] ^ _

` a b c d e f g h i j k l m n o

p q r s t u v w x y z { | } ~ DEL


ASCII ChartControl characters

Each character has a unique value

The following is how "Moe" is stored in ASCII

Char Binary Value Decimal Value

M 0100 1101 77

o 0110 1111 111

e 0110 0101 101


ASCII Codes

2

ASCII is only good for the United States

• Other languages need additional characters

• Multiple competing character sets were created

Unicode was created to support everyspoken language

Developed in Mountain View, California


Unicode Character Set

Originally used 16 bits

• that's over 65,000 characters!

• includes every character used in the World

Expanded to 21 bits

• 2 million characters!

• now supports every character ever created

Unicode can be stored in different formats


Unicode Character Set

UTF-8 users 1 byte per character

• can use "override" chars to get up to 4 bytes

• backwards compatible with ASCII systems

UTF-16 uses 2 bytes per character

• can use "override" chars to get up to 4 bytes

• most common format in use

UCS-4 always uses 4 bytes. Rarely used.


Unicode Formats

Inside a

Computer

Not for the Squeamish

Memory


Basic Operation of Computers

Mother Board Processor

Hard Disk CPU is core of any computer

Executes instructions

Performs calculations & logic• why computers were invented!

• registers hold data

Controls your computer• talks to other components

• talks to ports


Central Processing Unit (CPU)

3

Mother board connects all the components together

BIOS is a collection of chips

that control the motherboard

• controls how information is

moved into or out of the computer

• loads a boot program from ROM

• provides a user interface for configuration


Basic Input & Output System (BIOS)

CMOS is used by the BIOS to store configuration information – sometimes called "BIOS Settings"

Saves settings if computer is unplugged

Settings include (but not limited to):• boot order – the order the system checks

drives looking for an operating system

• information about the drives

• system clock time


CMOS


Some BIOS programs contain a password

and the system will not run until the password has been entered

If the BIOS is password protected

• it may require resetting the CMOS memory to change the boot order to acquire evidence

• should only be used as last resort!

• the best practice is to remove the hard drive


CMOS and Passwords

Most computers expect the operating

system to be found on floppy disk, hard disk, optical disc – CD, DVD, etc...

Some are now able to boot an OS from a flash drive

The order of examining these devices is stored in the CMOS


Disk Boot

Warning: allowing a computer to boot the OS can change evidentiary data on the drive

One way to prevent this

• boot an OS from CD or DVD that only uses RAM

• then copy the hard disk to a external disk

• then perform forensic analysis on the copy

NEVER PERFORM ANALYSIS ON THE

ORIGINAL DRIVE!


Disk Boot

4

During the trial, a question arose on the settings of the CMOS

By the time the trial had started, the laptop had lost all power -including CMOS battery

The loss of all power meant:• original date/time was lost

• type of port and peripherals enabled were lost

• hard drives settings were lost – did he change hard drives?


U.S. v. Zacarias Moussaoui (2003)

This made it difficult to

authenticate associated digital evidence

Fortunately, CMOS settings were recorded when the

laptop was first processed by

Secret Service Agency on 9/11, 2001


U.S. v. Zacarias Moussaoui (2003)

Booting Your

Computer

What Happens Below the Surface

Starting your computer is a

complex process

When it is first turned on...

• it doesn't know about its drives, ports, etc....

• and it has no idea how to load the operating system


Booting Your Computer

There are two distinct phases

that happen:

1. motherboard checks and finds hardware

2. operating system loads itself


Booting Your Computer

Performs a Power On Self Test (POST)

• check memory – both size and functionality

• find devices and check if they work

Then find the operating system

• Boot ROM reads CMOS

• finds the location of the operating system

• loads and executes the hard drive’s Boot Sector


Phase 1: Motherboard

5

Often the computer displays a logo

• stored on the motherboard in ROM

• company's or the maker of the motherboard

As hardware is "discovered"...

• hard drives speed up

• CD / DVD drives might speed up or blink

Beeps after POST is complete - “all is okay”


Phase 1: What You See & Hear

The Bootstrap Program is executed

• this is also known as the "Bootstrap Loader" and "Boot Loader"

• instructions needed to load the kernel

The Kernel

• the bare minimum part of operating system

• required to load the rest of the system

• communicates with drivers, etc…


Phase 2: Operating System

The operating system often has a fancy

boot image

Sometimes it includes a progress bar and

boot information


Phase 2: What You See & Hear

Storage

Media

How Those Little Bits Are Stored

6

In a binary computer we say...• that it knows ones and zeros

• ...but, in fact, that is only for humans to believe

Computer memory is…• electrical power on/off (some voltage charge)

• wired networks might use electrical pulse or photons (light in the case of glass fiber)

• wireless might use radio frequency (RF)


Storage Media Basics

Uses laser refraction to store data

Data Representation• disk surface stores bits

• light spots are called lands

• dark spots are called pits

Data Transfer• read using laser refraction

• written by burning pits


Optical Storage

Uses iron oxide and the property of magnetization

Used by floppy and hard disks

Bits are stored using magnetized

and unmagnetized spots on a magnetic surface

DANGER: Magnets cause data loss!


Magnetic Storage

Hard disks contain a number of circular hard disks called platters

These spin at a high revolution (RPMs)


Hard Disk Technology

The arm that moves over the disk platter has a device that can read or write to the surface and we call it the head

The platters and head are encased in an air-tight sealed container. A piece of dust can destroy the disk.


Hard Disk Technology


Hard Disk Platter

Magnetic

surface of platter

Center connects

to motor

7


Storage Media: Hard Disk

Read-Write head The data is stored in a series of concentric

circles called tracks

If the disk has more that one platter, the

tracks that are directly above each other are called a cylinder


Tracks and Cylinders


Hard Disk: Track

Track


Hard Disk: Cylinder

The hard drive platter is also divided into

pie wedges called physical sectors

The number of physical sectors on a typical

hard drive numbers into the billions


Physical Sectors


Hard Disk: Physical Sector

Physical Sector

8

The intersection of a track and a physical

sector is called a track sector

When people talk about the hard drives,

they usually just shorten the term to "sector"

Number bytes stored in each sector is small

• traditionally, disks use sectors of 512 bytes

• some new disks use sectors of 4KB


Track Sectors


Hard Disk: Track Sector

Track Sector

Location of data can be

referred to using CHS:

Cylinder – group of tracks the

data is stored

Head – the actual track by

referencing a specific head

Sector – exact location on the

track


Location of Data

The number of sectors can be huge!

Operating systems, when they save CHS,

can't store such large sector numbers

For example:

• a hard drive has 8 billion sectors

• it would require 33 bits to store sector #s

• cannot be stored by 32-bit operating systems


Clusters / Blocks

To better organize sectors, operating

systems group sectors into clusters

UNIX systems call a cluster a "block"

The larger the hard drive, the larger

clusters tend to get


Clusters / Blocks


Hard Disk: Clusters

Sector

Cluster

9

Maintenance track is the first

cylinder on the disk

Contains information about:

• drive geometry

• bad sectors (breakdown data)

• possible to change this to hide information


Maintenance Track


Hard Disk: Maintenance Track

Maintenance Track

Disk drives are attached in several

types

Each has different a

speed of data transfer, capacity size and costs

The main ones are ATA and SATA


Hard Disk Connections

Serial Advanced Technology

Attachment (SATA)

Created in 2003

Uses a cable rather than a

ribbon (typically red)

There is also eSATA which is

designed for external

connections


SATA Hard Drive Connector

Advanced Technology

Attachment (ATA)

Uses a ribbon cable (typically

gray)

Older design – first created in

the 1980's

Being replaced by SATA


ATA Hard Drive Connector

Synonymous with Integrated

Disk Electronics (IDE)

• also called Parallel ATA (PATA)

• so… ATA = IDE = PATA


ATA Hard Drive Connector

10

Small Computer System Interface (SCSI)

• has a wide number of connectors – some look like old P.C. parallel ports, IDE, etc…

• used by Macintosh computers prior to iMac. Macintosh then went to ATA

Serial Attached SCSI (SAS)

• almost identical to SATA

• actually, SAS cables can talk to SATA hard drives, but not vice-versa


Other Connectors

File Systems

Keeping Track of Data

A file system is used to

organize the data stored in a medium – such as a hard

drive, thumb drive, CD, etc…

Each operating system has

their own approach

• FAT, NTFS (Windows)

• HFS (Macintosh)

• Ext2 (Linux)7/10/2018 Sacramento State - Cook - CSc 116 - Summer 2018 57

File System

The nice hierarchical way we

organize our files is an illusion

Folders are, in fact, a special type of file used internally by

the file system


Folders are Files

Folders are also called "directories"

They predate the graphical user interface

Two are typically synonymous

However, generally…

• folder: the desktop metaphor icons you click on

• directory: list of files/folders in a folder


Folders vs. Directories

Folder's store information

about each file that it "contains"

Includes where the file is located on the hard drive

(cluster #'s)

Also includes: name, creation

date, last access, size, etc...


What a Folder "File" Stores

11

The first sector of the hard disk is called the

Master Boot Record (MBR).

Can divide the disk up into partitions

• the different parts of the hard disk are treated different – like they are different disks!

• once a partition has been created it can be formatted with any file system


Master Boot Records

A volume is the area occupied by a file system

First sector on volume called the boot sector

In DOS/Windows…

• each volume is assigned a letter

• A: used to be the main floppy disk

• B: a second floppy disk (often optional)

• C: was the hard drive (and remains the standard)


Volumes

File System may not use all the partition

• the unused space is called volume slack

• this can be used to hide data

File may not use all the sectors in a cluster

• the extra sectors are called file slack space

• can contain parts of a deleted file (partially overwritten)


Slack Space

Even part of a sector may not be used

• in that case, it might contain zeros

• or even part of the computer's RAM (at the

time of save) called RAM slack

• what is stored depends on the operating

system


Slack Space

When a file is deleted, the OS

merely (and simply) marks the space, occupied by the

file, as unallocated

The file still remains!

• can stay, unaltered, forever

• but, when a new file is saved, it may overwrite the old data


File Deletion

If an old file's clusters are

overwritten, the new file maynot fill all the sectors

If so, not some of the old file's data remains in the file slack

space

This can be recovered!


File Deletion and File Slack

12


Hard Disk: File Slack

Original File


Hard Disk: File Slack

Part of original

file remains

New file

overwrites part of cluster

File systems that use large

cluster sizes results in large file slack spaces

Most forensic tools can search slack space to reveal

any data that might be hidden

there


Bigger the Cluster…the Better the Slack

Not all devices have file systems

• for example: back up tape

• UNIX machines use a partition of the disk as

swap space. Swap partition is like virtual memory and contains data that was in memory at one time. But it is not accessed like a file.


Bigger the Cluster…the Better the Slack

Formatting a volume

• creates a new, empty, file system

• all the prior data remains

• it is like destroying a card catalog in a library but leaving all the books on the shelves. It is

possible to find a book but it takes longer

Hard disks can be "low level formatted"

• effectively destroys all data

• but takes a program from the vendor7/10/2018 Sacramento State - Cook - CSc 116 - Summer 2018 71

Formatting

Windows File

Systems

Microsoft’s Ways of Organizing Data

13

Windows supports a variety of file systems

To successfully examine Windows media:• must know what a ‘normal’ file

structure looks like

• must know where data can be hidden in each file system


Windows File Systems

Floppy disks • formatted in FAT12

• each entry in the FAT is 12 bits

Hard drives• may FAT16 or FAT32

• nowadays, most often formatted in NTFS

Flash drives can be any of these – often FAT


Windows File Systems

Used by DOS, Windows 3.1, 95, 98, ME

It was replaced by NTFS on hard drives

However, it is still used by memory cards

Strengths

• simple – why it was implemented on early systems

• uses the disk surface equally – great idea on old floppy disks which would wear out


FAT File System

Weaknesses

• does not store the last access date or creation date – only the last edit date

• inefficient – requires the hard drive to look in many different locations to read a file

• files and FAT entries are updated only when the file is changed or deleted


FAT File System


FAT Directory Entry

1. Find the file's directory entry (start in the

root directory and follow the path)

2. If successful, read the directory entry: file

size and start/end cluster

3. Read the file's data:

• read cluster and check the File Allocation Table for the next cluster

• ends when it contains a EOC (end of cluster)


The Steps

14


FAT File System Example

cat.doc 184

notes.txt 229

ToDo.txt 227

Directory

Cluster 184

Data

184

185

186

File Allocation Table

187 0

185

186

EOC

Cluster 185

Data

Cluster 186

Data

When a file is deleted, only a

few things are changed

The original directory entry is

still there – only slightly changed

As a result, recovery can be

quite easy


FAT: Deleting a File

Step 1: Remove the filename

from the directory

• first character of the filename is simply replaced with E5

• rest of the filename, its size,

start cluster, etc… is still there

• so, restored files will lack the

first letter – be careful!



Step 2: Update the FAT table

• system follows the table links like it is reading a file

• however, it sets all the links to zero (available)



Used in Windows NT, 2000, XP, 7, 8, 10

The "NT" File System is far more efficient

than FAT

Stores more forensic data

However, there are some major drawbacks for investigators


NTFS File System

File information is stored in the Master File

Table (MFT) using a binary tree structure

Entries contain more date evidence:

• when first created

• last modified

• last accessed

This gives more information to the forensics

examiner


NTFS: File Entries

15

Deleted files may be more difficult to

recover because NTFS creates entries as needed

NTFS reuses entries before creating new

ones it more likely that a new file will

overwrite a deleted one

The data may be intact, but the file system

references may be lost


NTFS: Deleted Files

UNIX &

Macintosh

File Systems

Keeping Track of Data

UNIX was developed at

AT&T’s Bell Labs in 1969

Design goals:

• operating system for mainframes

• stable and powerful

• but not exactly easy to use –

GUI hadn’t been invented yet


UNIX

UNIX evolved into several

competing versions

Two major branches:

• HP UNIX

• BSD UNIX

Became the standard OS for all mainframes


UNIX

By 1991, personal computers

were as powerful as mainframes 20 years ago

Linus Torvalds decided to port UNIX to x86 PCs

… but gave it a nice graphical

user interface


UNIX and Linux

Released as General Public License (GPL)

• which allowed anyone to use and expand upon it original code

• it, just like UNIX, evolved into several competing versions - Red Hat, Ubuntu, etc....

Where used:• popular as a Windows alternative

• mostly used for small servers & workstations


Linux

16


Red Hat Linux


Ubuntu Linux

Pronounced "Mac-OS TEN”

Created by the Apple

Corporation using the version

of UNIX developed at NeXT

It became the default

operating system on all Macintosh computers


Mac-OS X

Mac-OS X did not evolve

from Linux

However, both evolved from

BSD UNIX

As a result, they are very

similar “under the hood”


Mac-OS X


UNIX has many different types of file systems

• UFS – UNIX File System

• ext3 (Extended File System 3) – Linux

• HFS+ (Hierarchical File Structure) – Mac-OS

• … and more

Each, however, shares the same structure

• data is organized using index nodes (inode)

• these are like "links" in a logical chain

• these link to other inodes or, finally, the file itself


UNIX File Systems

17

Each inode is a directory or file

Directories

• contains a list of filenames and links to inodes

Files

• contains links to the "blocks" (aka clusters)

• it also contains information about the file (owner, permissions, dates, etc.)

• inode doesn’t contain the file name


UNIX INodes


UNIX File System Example

C:/Files/Cat.doc

Files 1184

System 265

Log.txt 1337

C: Root

notes.txt 4527

cat.doc 2297

ToDo.txt 628

inode 1184

Owner

Permission

File Type

inode 2297

Time Stamps

Blocks

Block 185

Data

Block 186

Data

data character representationathena.ecs.csus.edu/~cookd/116/notes/csc 116 - summer 2018 - 1 - part 2...

Documents