MEDIA STORAGE FORENSICS
This section focuses on both the known and obscure practices and processes of
analyzing media storage devices for forensic evidence. Included here is a brief
synopsis of the structure and format of a hard disk, to give some background context
to the subsequent sections.
THE STRUCTURE AND FORMAT OF A HARD DRIVE
Hard disks are composed of one or more spinning disks coated with magnetic film,
called platters. Each platter is divided into concentric bands called tracks; tracks
located at the same area of each platter are collectively referred to as a cylinder.
Each track is divided into sectors, with each track having the same number of sectors
regardless of its position on the platter; thus sectors are more densely populated at
the center of the platter. A sector is the smallest possible area of storage available
on a disk and is typically 512 bytes in size. Information is read and written onto the
sectors using heads which generate magnetic fields as instructed by the disk
controller, which in turn receives its instructions from the file and operating
systems. Although both sides of the platter are used to store information, one side of
one of the platters is used for track positioning information; this information is
coded at the factory and is used to align the heads when moving between tracks and
sectors. The number of sectors and tracks and their positioning is set at the factory
using a process referred to as low-level formatting. Low-level formatting is only
performed once and is not performed by the user of the hard disk after purchasing,
although the term low-level format (LLF) is sometimes erroneously used to describe the
process of re-initializing a disk to its factory state.
The way in which the computer communicates with a hard disk is set via the
computer’s Basic Input Output System (BIOS). It is within the BIOS that the addressing
scheme, e.g., logical block addressing (LBA), is set for the drive. A logical block
address is a 28-bit address which maps to a specific sector of a disk. It should be
noted that while LBA is the most widespread addressing scheme, others are common,
e.g., the older cylinder, head, sector (CHS), or the up-and-coming globally unique
identifier (GUID) addressing scheme.
PARTITIONS
Partitions are the divisions of a hard drive; each partition can be formatted for use
by a particular file system. Within the current IBM PC architecture it is possible to
have up to four partitions, one of which can be an extended primary partition. An
extended partition can be subdivided further, allowing for the creation of an
additional 24 logical partitions as shown:
Primary partition #1
Primary partition #2
Primary partition #3
Primary partition #4
Logical partition #1
Logical partition #2
Logical partition #3
…
…
Logical partition #24
One of the primary partitions will be flagged as the active partition and this is the
one which will be used to boot the computer into an operating system. Creating the
first partition on the drive will result in the creation of the master boot record (MBR)
which, amongst other responsibilities, holds information concerning the partitions.
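
As an added illustration (not code from the original text), the following Python reads the four primary partition slots from an MBR sector, reports the active flag, and flags layout anomalies an examiner would check. It assumes the standard MBR layout, which the text above does not spell out: a partition table at byte offset 446 with four 16-byte entries, the 0x55AA signature in the last two bytes, and type codes 0x05/0x0F for an extended partition. The sample sector is constructed, and logical partitions inside the extended partition are not walked.

```python
import struct

SECTOR_SIZE = 512              # typical sector size, as given in the text
TABLE_OFFSET = 446             # assumption: standard MBR partition table offset
ENTRY_SIZE = 16                # assumption: four 16-byte entries
EXTENDED_TYPES = {0x05, 0x0F}  # assumption: standard extended-partition type codes

def parse_mbr(sector):
    """Return the non-empty primary partition entries of one MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("short read: an MBR is one full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + slot * ENTRY_SIZE:][:ENTRY_SIZE]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:      # type 0 marks an unused slot
            continue
        entries.append({"slot": slot + 1, "active": status == 0x80,
                        "type": ptype, "extended": ptype in EXTENDED_TYPES,
                        "lba_start": lba_start, "sectors": count,
                        "byte_offset": lba_start * SECTOR_SIZE})
    return entries

def audit(entries):
    """List layout anomalies: extra active flags, overlaps, unallocated gaps."""
    findings = []
    if sum(e["active"] for e in entries) > 1:
        findings.append("more than one partition flagged active")
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        gap = b["lba_start"] - (a["lba_start"] + a["sectors"])
        if gap < 0:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
        elif gap > 0:
            findings.append(f"{gap} unallocated sectors between slots {a['slot']} and {b['slot']}")
    return findings

def build_sample_mbr():
    """Constructed sample sector (not from a real disk): two primaries, one extended."""
    rows = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600),
            (0x00, 0x0F, 620544, 1000000)]
    table = b"".join(struct.pack("<B3xB3xII", *r) for r in rows)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    print(*parts, audit(parts), sep="\n")
```

The byte offset reported for each entry is the position to seek to in a raw disk image to reach the start of that partition.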