File Systems, Boot Sequence, and Disk Drives

Questions and Answers

Which of the following best describes the primary function of a file system?

• To encrypt data on a disk.
• To manage the physical hardware components of a computer.
• To compress files for efficient storage.
• To provide a road map for the operating system to locate data on a disk. (correct)

The CMOS stores system configuration and date/time information only when the system has power.

False (B)

What is the function of the BIOS?

Contains programs that perform input and output at the hardware level

On a disk drive, data is stored in concentric circles called ________.

tracks

Match the following disk drive components with their descriptions:

Geometry = Disk's structure of platters, tracks and sectors Head = Device that reads and writes data to a drive Cylinders = Column of tracks on two or more disk platters Sectors = Section on a track

What is the purpose of wear-leveling in solid-state drives (SSDs)?

To ensure even wear of read/writes for all memory cells. (A)

In Microsoft file structures, clusters are storage allocation units consisting of one or more sectors.

True (A)

In which file system do clusters are numbered sequentially starting at 0?

NTFS

_______ are typically 512, 1024, 2048, or 4096, or more bytes each.

Clusters

Match the following terms with their descriptions as related to Microsoft file structures:

Logical Address = The cluster number assigned by the OS. Physical Address = Refers to the sector number. Partition = A logical drive.

What is a partition gap?

The unused space between partitions on a disk. (B)

FAT16 can recognize disks larger than 2 GB.

False (B)

Name at least two disk editor utilities.

Norton DiskEdit; WinHex

The Master Boot Record (MBR) is located at sector ______ of the disk drive.

0

Match the file system with their description:

FAT12 = Microsoft file structure database originally designed for floppy disks FAT32 = FAT version exFAT = FAT version used for mobile personal storage devices

Which of the following best characterizes disk fragmentation?

The state where assigned clusters for a file are not chained together contiguously. (C)

When a file is deleted in Microsoft operating systems, the data in the file is immediately erased from the disk drive.

False (B)

When a file is deleted in a FAT file system, what character replaces the first letter of the filename in the directory?

HEX E5

When the OS stores data in a FAT file system, it assigns a _______ cluster position to a file.

Starting

Match the following file systems with their characteristics:

FAT = File system used before Windows NT and 2000. NTFS = Primary file system for Windows Vista and later.

Which of the following is a key improvement of NTFS over FAT file systems?

NTFS offers journaling capabilities for improved reliability. (B)

In NTFS, only user-created files are considered as a file.

False (B)

In NTFS, what is the first data set on a disk?

Partition Boot Sector

In NTFS, the _______ contains information about all files on the disk, including system files used by the OS.

MFT

Match the default size of clusters in NTFS:

7-512 MB = 4 KB 16-32 TB = 8 KB 64-128 TB = 32 KB

What are metadata records in the MFT?

Records in the MFT (A)

Files larger than 512 bytes are stored in the MFT.

False (B)

At which offset - in the header of all MFT records -, can you find the MFT record identifier FILE?

0x00

In NTFS, ways data can be appended to existing files are called _______.

Alternate Data Streams

Match the following software with their functions:

Cipher = MS-DOS command Copy = MS-DOS command Efsrecvr = MS-DOS command (used to decrypt EFS files)

Which command eliminates the file from the MFT listing in the same way FAT does?

Del (D)

When a file is deleted in Windows XP, 2000, the operating system deletes it immediately.

False (B)

What does ReFS stand for?

Resilient File System

________ is a current whole disk encryption tool that offers preboot authentication.

Current whole disk encryption tool

Match The Third-Party Disk Encryption Tools below:

PGP Whole Disk Encryption = Third-party disk encryption tool Utimaco SafeGuard Easy = Third-party disk encryption tool TrueCrypt = Open Source encryption tool

Which of the following is a hardware and software requirement for Microsoft BitLocker?

The TPM microchip, version 1.2 or newer (A)

To examine an encrypted drive, you need to encrypt it first.

False (B)

What is the function of the Windows Registry?

Stores hardware and software configuration information, network connections, user preferences, and setup information

________ split the registry into categories with prefix HKEY.

Windows

Match these software with their functions:

Regedit = Registry Editor program for Windows 9x systems. Regedt32 = For Windows 2000, XP and Vista.

With which tool you can extract System.dat and User.dat from an image file?

ProDiscover Basic (A)

Flashcards

What is a file system?

Gives the OS a roadmap to data on a disk.

What is CMOS?

Stores system configuration, date, and time, even when power is off.

What is BIOS?

Contains programs for performing input and output at the hardware level.

What is Bootstrap process?

A process contained in ROM that instructs the computer how to proceed.

What is disk geometry?

The disk's structure of platters, tracks, and sectors.

What is a head?

The device that reads and writes data to a disk drive.

What are tracks?

Concentric circles on a disk platter where data is located.

What are cylinders?

The column of tracks on two or more disk platters.

What are sectors?

A section on a track, typically 512 bytes.

What is wear-leveling?

An internal firmware feature ensuring even wear in solid-state drives.

What are clusters?

Storage allocation units of one or more sectors.

What are logical addresses?

Cluster numbers assigned by the OS.

What are physical addresses?

Sector numbers on a disk.

What is a partition?

A logical drive on a disk.

What is partition gap?

Unused space between partitions.

What is the first sector of all disks?

Contains boot record and file structure database.

What is MBR?

A file called by boot disk in Windows and DOS.

What is FAT?

File structure database originally for floppy disks; used before Windows NT/2000.

What is drive slack?

Unused space within a cluster.

What does drive slack include?

Includes RAM slack and file slack.

What assigns a starting cluster position to a file?

When the OS stores data in a FAT file system.

What is file fragmentation?

Occurs when the next available cluster isn't contiguous.

What does MS OS do when a file is deleted?

Marks a file as deleted and sets its FAT chain to 0.

What is unallocated disk space?

Space available for overwriting after deletion.

What is the New Technology File System (NTFS)?

File system introduced with Windows NT.

What is the master file table (MFT) in NTFS?

Contains info about all files ; the first 15 records are reserved

What are record field?

Referred to as attribute ID.

What are data runs?

Where the file is located.

What is is OS doing?

OS assignes logical clusters to the entrie disk partition.

What are alternate data streams?

A way data can be appended to existing files.

What can be compressed under NTFS?

Files, folders, or entire volumes can be compressed.

Why is EFS used?

Users can apply EFS to local workstations or remote server.

What is Efsrecvr?

Used to decrypt EFS files.

What happens when a file is deleted in Windows?

The OS renames it and moves it to Recycle Bin.

What is resilient file system?

ReFS - Designed to address very large data storage needs

Why is whole disk encryption used?

To prevent loss of information, software vendors now provide whole disk encryption.

To examine an encrypted drive.

prompts for a one-time passphrase

What is registry?

database that stores hardware and software configuration information

What is Registry terminology?

Collection of files containing system/user data.

Why is HKEY needed?

HKEY split the registry into categories with prefix HKEY.

Study Notes

File Systems

• A file system is used by an operating system as a roadmap to find data on a disk
• The type of file system determines how data is stored
• File systems are typically tied to an operating system
• Platform familiarity is essential when acquiring data

Boot Sequence

• Complementary Metal Oxide Semiconductor (CMOS) stores system, date, and time info, even when powered off
• Basic Input/Output System (BIOS) contains programs for hardware-level input and output
• The Bootstrap process in ROM guides the computer's startup
• A key or key combination opens the CMOS setup screen
• Modifying CMOS boot settings is necessary to boot from forensic media like a floppy disk or CD

Disk Drives

• Disk drives are constructed from coated platters with magnetic material
• Geometry refers to the layout of platters, tracks, and sectors on a disk
• The Head reads and writes data to a drive, with one head per platter surface
• Tracks are concentric circles on a disk platter where data resides
• Cylinders are columns of tracks across multiple platters, spanning top and bottom surfaces
• Sectors are sections on a track, commonly sized at 512 bytes
• Drives handle properties at firmware or hardware level
• Zoned bit recording (ZBR) involves varying sector sizes
• Track density refers to space between tracks
• Areal density measures bits per square inch on platter
• Head and cylinder skew are properties

Solid-State Drives

• Wear-leveling is included in flash memory devices to ensure even wear of read/writes across all memory cells
• A full forensic copy should be made of solid-state devices to recover unallocated disk space data

Microsoft File Structures

• In Microsoft file systems, sectors are grouped ito clusters
• Clusters are allocation units that are one or more sectors in size
• Clusters typically contain 512, 1024, 2048, or 4096 bytes
• Combining sectors into clusters minimizes overhead when reading or writing to a disk
• Clusters start from 0 in NTFS and 2 in FAT
• The first sector of all disks has a system area, boot record, and file structure database
• OS assigns logical addresses also known as cluster numbers
• Sector numbers are physical addresses
• Clusters and addresses are assigned to logical disk drives, also known as partitions

Disk Partitions

• A partition is a logical drive
• FAT16 does not recognize disks larger than 2MB. Larger disks have to be partitioned
• Windows operating systems can have three primary partitions and an extended partition which holds several logical drives
• Hidden partitions constitute voids or gaps between actual partitions
• Partition gaps can be found in the unused space between partitions
• Disk editor utilities can alter partition tables typically to hide them
• Disk editors like Norton DiskEdit, WinHex, or Hex Workshop can examine a partition's physical level
• Key hexadecimal codes are analyzed by the OS to maintain and identify file systems
• Hex Workshop can recognize file headers to define file types
• Boot disks include a Master Boot Record (MBR)
• The MBR is located at sector 0 of the disk drive
• In hex editors like WinHex, an initial partition can be found at offset 0x1BE
• The hexadecimal filesystem code is 3 bytes from 0x1BE
• Partition info in the MBR contains locations, sizes, and important data
• Software like PartitionMagic can modify the MBR

FAT Disks

• The File Allocation Table (FAT) represents file structure database first used in floppy disks
• The FAT was deprecated after Windows NT and 2000
• The FAT database includes filenames, directory names, timestamps, the starting cluster number, and file attributes
• The FAT database is written on a disk's outermost track
• FAT versions include FAT12, FAT16, FAT32, VFAT and exFAT (mobile personal storage devices)
• Cluster sizes can vary according to hard disk size and file system, resulting in drive slack
• Drive slack includes RAM and file slack
• One of the unintentional side effects of FAT16 was the reduced fragmentation due to its large clusters
• As cluster size increased, this reduced fragmentation
• As available space is used up the OS assigns new allocated clusters adding more slack
• A chain can be broken or fragmented, as files grow and require more disk space
• The OS assigns a starting cluster position when storing data in a FAT file system
• Data is written to the first sector of the first cluster that is assigned
• When this first assigned cluster is full the next available cluster will be assigned
• Files may become fragmented if the next cluster isn't contiguous

Deleting FAT Files

• When a file is deleted in a Microsoft OS, its directory entry is marked as such using the HEX E5 (σ) character to replace the original first letter
• The FAT chain for the file is set to 0
• Data in the file remains on the hard drive
• The area of disk where the deleted file is located is unallocated
• The disk space becomes usable to write other files

NTFS Disks

• New Technology File System (NTFS) was launched with Windows NT and is the current primary file system
• NTFS allows more control over files, folders, and information about the file compared to FAT
• NTFS is Microsoft's journaling file system which involves recording every transaction
• In NTFS, all information written to a disk is considered as a file
• Partition Boot Sector comes first on an NTFS disk, followed by the Master File Table (MFT)
• NTFS decreases the amount of file slack
• Clusters and smaller on smaller drives
• NTFS uses unicode: international data format
• MFT contains disk file info, and is called metadata
• First 15 records within the MFT are reserved
• Hex Workshop allows viewing of file headers

NTFS Attributes

• In the NTFS MFT files and folders are stored in separate records of 1024 bytes each
• A record contains file or folder data is within record fields (metadata). Record fields are also called Attribute IDs
• File or folder info saves through Resident v Non-resident.
• Files larger than 512 bytes will be stored outside the MFT; cluster addresses store file placement locations
• Files larger than 512 bytes are known as a data run
• Each attribute record is identified by a header as resident vs nonresident
• OS allocates logical clusters to the disk partition after its created and are known as logical cluster number, or LCN
• The MFT links these to the nonresident files on disk partition
• Then data is written to nonresident files + assigns (LCN) address, these become virtual cluster number or VCN
• All MFT records begin their header with 'FILE'
• Size of the MFT record in its header starts at offset 0x1C ending at offset 0x1F
• The length of the header begins at offset 0x14
• At offset 0x32 and 0x33 the final update details of sector 1
• Data can be appended to files, this is called Alternate Data Streams, that can hide essential info
• File association with the same data stream

NTFS Compression & Encryption

• NTFS compression is same as former FAT DriveSpace 3
• Individual files, entire folders, or drives can be compressed with NTFS
• In forensics, compression and analysis of compressed data can also be achieved
• Files encrypted with EFS are decrypted with a public or private key (Windows 2000)
• Windows Vista or later will use a recovery certificate, and is given to local admin account
• Windows Admin can choose Windows or the command line for recovery
• EFS decrypts with a command called 'Efsrecvr'

Deleting & Resilience

• A file deleted on Windows XP or NT, its renamed and moves to recycle bin
• Windows command line tool named 'Del' removes files
• Resilient File System (ReFS) address extensive data storage
• Has maximized data accessibility, enhanced data integrity, and scalability in design
• ReFS has a metadata table like NTFS

Understanding Encryption

• Encryption was developed in response to concern over loss of personal info
• Software that encrypts the whole partition is a full disk encryption (FDE)
• Current WDE or whole disk encryption features: login screen before it goes into to Windows
• Complete V differential drive encryption and safe hibernation
• Complex calculations for AES, advanced encryption standard, or IDEA are also included
• TPM or Trusted Platform Module is included; it is a chip so keys and authentication can be safely protected

Examining MS BitLocker & other Encryption

• Only Vista Ultimate and Enterprise have BitLocker
• TPM microchip (version 1.2 or later) is needed along with compatible BIOS
• Two NTFS were also needed to run Bitlocker
• Bitlocker configuration is dependent on running the hardrive first
• Individual sector of the hardrive is encrypted
• Many encrypt the device's boot sector; stopping boot bypass
• Use provided CD to prompt/recover for one-time passphrase, in order to decrypt

The Windows Registry

• A database that stores hardware and software configuration info and user settings
• Can contain valuable evidence for investigative purposes
• Use Registry Editor program, 'Regedit.exe' for Windows 9x based systems to view registry
• ‘Regedt32.exe’ registry viewer is used for XP, or Windows 2000.
• Both utilities can be used with Windows 7 and 8.
• Viewing and editing tool to show registry to the user
• The registry breaks windows into category with HKEY prefixes
• “H” is for handle of a key
• Each folder and key within registry is the values and more
• Branch is also shown

Locating Registry files

• Specific branch examples in each HKEY
• Hives is specific branch examples local versus hardware
• Each key has the value for the name or file description
• ProDiscover to extract System.dat from image file is used
• AccessDatato review these files and find what info is available
• OSForensics or X-Ways are additional registry viewer