Computer Forensic Investigation and Cryptography- lecture 6

Hard disk technology and data acquisition


Computer booting

BIOS- Disk sector 0 code- partitions bootable- OS

On power-on, the processor executes code from the BIOS
Drives and hardware devices are searched for and set up
BIOS code examines the floppy disk, CD and hard disk
Locates the first sector code to execute
Code in sector 0 of a bootable disk makes the processor process the partition table and locate the bootable partition where the OS is found

Hard disk geometry

A hard disk contains 1 or more circular platters stacked on top of each other, which spin at the same time; think vinyl records

An arm moves back and forth and has heads on the top and bottom of each platter for reading and writing; it can only do one at a time

Tracks and sectors-
Tracks- circular rings that go round the platter

Tracks each have an address from outside towards inside
All tracks on the same platter have same address, referred to by cylinder
Each track is divided into sectors, which are the smallest addressable storage unit, typically 512 bytes
Each track has its own sectors, starting from one
A unit is addressed by C (cylinder), H (head of the platter) and S (sector): CHS
So in simple terms:
Track is the ring- each has an address- referred to by the cylinder
Tracks are split into sectors; each track has its own group of sectors
Sectors are the smallest addressable storage unit, typically 512 bytes

So we get the track from the cylinder, the platter and side from the head number, and the sector within the track from the sector address
Hard disk capacity = C*H*S*512 bytes
Newer systems use LBA (logical block addressing), so addresses from systems still using CHS must be converted
  • LBA = (((C*NumberHeads)+S)*NumberSectors) + S -1
  • Example:
    • A disk has 16 heads and 63 sectors per track; CHS (2, 3, 4) converts to
    • LBA = (((2*16)+4)*63) +4-1 = 2271

So it is (((2x16)+4)x63)+4-1
So how do we get the numbers?
Well, the cylinder is 2 and the number of heads is 16 = 2x16
+ sector 4, as S in CHS is 4
x the number of sectors, which is 63, as there are 63 per track
Then add the sector again
Minus 1
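
The capacity and CHS-to-LBA calculations as Python, added here as an example and not taken from the lecture. It implements the standard conversion, whose inner term adds the head number H: LBA = ((C*NumberHeads)+H)*NumberSectors + S - 1; the 1024-cylinder geometry and all function names are assumptions.

```python
from typing import NamedTuple, Tuple

SECTOR_SIZE = 512  # bytes per sector, the typical size given in the notes


class Geometry(NamedTuple):
    cylinders: int
    heads: int              # heads per cylinder (NumberHeads)
    sectors_per_track: int  # NumberSectors; sectors are numbered from 1


def total_sectors(g: Geometry) -> int:
    return g.cylinders * g.heads * g.sectors_per_track


def capacity_bytes(g: Geometry) -> int:
    """Hard disk capacity = C * H * S * 512 bytes."""
    return total_sectors(g) * SECTOR_SIZE


def chs_to_lba(g: Geometry, c: int, h: int, s: int) -> int:
    """Standard conversion: LBA = ((C * heads) + H) * sectors + S - 1."""
    if not (0 <= c < g.cylinders and 0 <= h < g.heads
            and 1 <= s <= g.sectors_per_track):
        raise ValueError(f"CHS ({c}, {h}, {s}) is outside geometry {g}")
    return (c * g.heads + h) * g.sectors_per_track + (s - 1)


def lba_to_chs(g: Geometry, lba: int) -> Tuple[int, int, int]:
    """Inverse mapping, used to check that the conversion round-trips."""
    if not 0 <= lba < total_sectors(g):
        raise ValueError(f"LBA {lba} is outside geometry {g}")
    track, sector_index = divmod(lba, g.sectors_per_track)
    c, h = divmod(track, g.heads)
    return c, h, sector_index + 1


def image_offset(g: Geometry, c: int, h: int, s: int) -> int:
    """Byte offset of a CHS sector inside a raw (dd-style) disk image."""
    return chs_to_lba(g, c, h, s) * SECTOR_SIZE


# Constructed geometry: 16 heads and 63 sectors per track as in the notes;
# the 1024-cylinder count is an assumption made for this example.
DISK = Geometry(cylinders=1024, heads=16, sectors_per_track=63)

if __name__ == "__main__":
    lba = chs_to_lba(DISK, 2, 3, 4)
    print(lba, lba_to_chs(DISK, lba), image_offset(DISK, 2, 3, 4))
    print(capacity_bytes(DISK), "bytes")
```

image_offset gives the position to seek to in an acquired raw image when a record or tool reports a sector in CHS form.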

The ATA/IDE interface
ATA is the most popular hard disk interface
IDE: Integrated Drive Electronics, a disk with built-in logic
Requires a controller, built into the motherboard
The controller issues commands to 1 or 2 ATA disks through a ribbon cable
The interface data path between disk and controller is called the channel; each channel supports a master and a slave disk
Removable media support is called the AT Attachment Packet Interface (ATAPI) by ATA

Commands with ATA

The controller issues commands to the disk via the channels and also identifies slave or master
The BIOS can communicate with the controller
Hard disk passwords: user and master; these allow a company to get access to the computer if the user password is lost

Host Protected Area (HPA) and Device Configuration Overlay (DCO)
HPA and DCO can be used to hide relevant data; they will take up, say, 2 GB of a 20 GB drive
Important to analyse, as things could be held here

HPA
Can be detected in Unix with –l /dev/hda



SCSI drives
Small computer system interface
Standard in servers, nowhere else
Many connector types
Can support more than 2 devices on the cable
No limitations with size

Direct vs BIOS access

Direct: access the disk directly; the code needs to know the hardware and the controllers
BIOS: access through the BIOS
Need to know the system that you are checking!

Dead versus live acquisition
Consider the HPA; data may be hidden there
Consider the DCO
Use a hardware write blocker device!
Software write blockers exist as well
