CS 275 Study Guide For Chapters 7 & 8
With the exception of terms beginning **, The test will consist of statements from this study guide that require you to identify the file system that the statement describes.
Example:
___FAT File System___ MSDOS.SYS A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
___Macintosh_________The File Manager is the part of this Operating System. It manages the organization, reading, and writing of data located on physical data storage devices such as disk drives.
Terms accompanied by ** may be fill in the blank or essay. Bonus question will require you to calculate the RAM slack and file slack as per the FAT file system. See example done in class.
**File System Provides an operating system with a road map to the data on a disk.
The type of file system that an operating system uses determines how data is stored on the disk and where data can be hidden.
Booting to the hard drive overwrites and changes evidentiary data. You can ensure that the computer looks for system information on drive A by changing the primary boot device in the CMOS setup.
**Registry A database that stores hardware and software configuration information, user preferences, and setup information.
The number of bytes on a disk is determined by multiplying the number of cylinders (platters) by the number of heads, (actually tracks) and by the number of sectors (groups of 512 or more bytes).
The hard disk drive industry refers to the calculation of disk capacity as cylinders, heads, and sectors (CHS).
FAT file systems
File Allocation Table (FAT) The original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.
Clusters Storage allocation units of 512, 1024, 2048, 4096, or more bytes.
Logical Address Clusters that are assigned by the operating system.
Physical Address Addresses that reside at the hardware or firmware level.
Partition A logical drive on a disk. It can be the entire disk or a portion thereof.
Inner-Partition Gap Partitions created with unused space or voids between the primary partition and the first logical partition.
Someone who wants to hide data on a hard disk can create hidden partitions or voids, large unused gaps between partitions on a drive.
Microsoft OSs allocate disk space for files by clusters.
This practice results in drive slack, which is any space not used for active files.
Drive slack includes RAM slack and file slack.
File slack is the unused space between the End Of File and the end of the current cluster.
RAM slack is the unused space between the End Of File and the end of the current sector.
Any information in the RAM at that point such as login IDs or passwords are placed in RAM slack when you save a file.
Command.com Provides a prompt when booting to MS-DOS mode. User interface for the MS-DOS operating system.
IO.SYS The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computers BIOS and Hardware, and with MS-DOS code.
MSDOS.SYS A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
CONFIG.SYS A text file that contains commands that are typically run only at system startup.
AUTOEXEC.BAT An automatically executed batch file that contains customized commands and settings for MS-DOS.
DOS Protected-Mode Interface (DPMI) Used by many computer forensics tools which do not operate in the Windows environment.
NTFS
New Technology File System NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile operating system than FAT file system.
Partition Boot Sector The first data set of an NTFS disk. It starts at sector [0] of the disk drive and it can be expanded up to 16 sectors.
The bootSector contains basic information about how the logical drive is organized, including: # of sectors, # of sectors per cluster, number of bits in each FAT entry..info the OS needs to read the drive. Indicates the version of DOS or Windows used to format the disk and includes the name of the program it searches for to load an OS, (Ntldr or IO.sys)
At end of boot Sector is bootstrap loader which can be used to boot from the disk.
Immediately after the Partition Boot sector is the Master File Table (MFT).
The MFT contains information about all files located on the disk. This includes the system files used by the OS such as XP, 2000 and NT.
The Master File Table, similar to the FAT in older OSs, is created at the same time a disk partition is formatted as an NTFS volume. Typically 12.5 percent of the disk when it is created, the MFT can expand to take up 50 percent of the disk as data is added.
Master File Table contains information about the access rights, date and time stamps, system attributes, and parts of the file.
NTFS consumes much less file slack space than FAT systems because clusters are smaller for the smaller disk drives.
NTFS uses Unicode as opposed to ASCII for western language alphabetic characters. The first 8 bits are identical to ASCII, and the remaining 8 bits are null, all zeros. This is important in keyword searches.
Within the MFT, the first 15 records are reserved for system files.
Records within the MFT are referred to as meta-data.
In NTFS, all files and folders, (directories), have file attributes such as its name, security information, and even the data in the file.
Each of these attributes has a unique attribute type code.
NTFS attributes fall into 2 categories, resident attributes and nonresident attributes.
Resident Attributes all attributes that are stored in the MFT of the NTFS.
Nonresident Attributes all data that is stored outside of the MFT.
In Windows 2000 and XP, all file and folder (directory) data is contained within the MFT.
If more room is needed for file growth, the MFT assigns an inode to the file attribute.
An inode links attribute records to other attribute records within the MFT.
The MFT inodes only link records within the MFT, that is, to resident attributes.
If a file is extremely large, such as a large database file, the MFT assigns the data to a nonresident attribute area of the disk. The file entry has links from the MFT to areas outside of the MFT in the free disk space area of the disk volume.
Logical Cluster Numbers (LCNs) Used by the MFT of NTFS. It refers to a specific physical location on the drive.
Virtual Cluster Number (VCN) When a file is saved in the NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
Data is linked to nonresident attributes by directly accessing cluster positions on the disk volume. That is, when a disk is created as an NTFS file structure the OS assigns logical clusters to the entire disks partition. The assigned clusters are called logical cluster numbers (LCNs). LCNs become the addresses that allow the MFT to read and write data to the nonresident attribute area of the disk.
When data is written to nonresident attribute disk space, an LCN address is assigned to the MFT file (record) entry.
This file entry is given a virtual cluster number (VCN) for every LCN used to store data for each file in a nonresident disk.
A VCN is associated with the LCN for the files that extend into the nonresident attribute disk space.
The first VCN used for each file that extends into the nonresident attribute area of a disk volume starts at zero (0). The numbering of the LCN also starts at zero (0), which is the beginning area of the disk partition (the volume).
Multiple Data Streams Data that can be appended to existing files. Data streams can obscure valuable evidentiary data. In NTFS, a data stream becomes an additional data attribute of a file.
IF you see a (:) with a name following it in the MFT, that is a data stream file.
To improve data storage on disk drives, NTFS provides compression. Under NTFS, individual files, folders or entire volumes can be compressed.
When you are running Windows XP, 2000, or NT system, the compressed data appears normal when you access it through Windows Explorer or applications like Microsoft word.
Encrypted File System (EFS) Symmetric key encryption first used in Windows 2000 on NTFS formatted disks.
Public Key In encryption, the key held by the system receiving the file.
Private Key In encryption, the key held by the owner of the file.
NT Loader (NTLDR) Loads Windows NTFS. It is located in the root folder of the system partition.
Boot.ini Specifies the Windows NT path installation.
BootSect.dos Contains the address of the boot sector location of each operating system.
NTDetect.com A command file that identifies hardware components during bootup and sends the information to NTLDR.
NTBootdd.sys Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.
Ntoskrnl.exe The Windows NTFS operating system kernel. It is located in the Windows\System32 folder.
Hal.dll Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.
Macintosh Operating System
The File Manager is the part of the Macintosh Operating System that manages the organization, reading, and writing of data located on physical data storage devices such as disk drives.
This data includes the data in documents as well as other collections of data used to maintain the hierarchical file system (HFS) and other system software services.
The Resource Manager uses File Manager routines when it needs to read and write resource data.
The File Manager calls the Device Manager to perform the actual reading and writing of data on a physical data storage device.
You use the Resource Manager to read and write data in a file's resource fork and the File Manager to read and write data in a file's data fork.
You use the File Manager to perform operations on directories and volumes.
Finder Works with the Macintosh OS to keep track of files and maintain the users desktop.
The Macintosh Operating System uses files consisting of two linear sequences of bytes known as forks.
The data fork is used to store the file's data and corresponds to a file created by a Win32 platform. As far as the Macintosh Operating System is concerned, the content of the data fork is unstructured and is subject to interpretation by applications.
The resource fork is used to store information about the file, such as its icon or the fonts used in it. Every file has both forks, but either or both may be empty. The resource fork has a definite structure imposed by the Macintosh Operating System and is used for file management purposes.
The resource fork contains the following information:
- Resource map
- Resource header information for each file
- Window locations
- Icons
Macintosh files attach supplementary file properties not included on standard PC files.
Of particular importance is the creator and type information. These are both four-digit codes that allow the Macintosh operating system and other applications to identify the program that created the file as well as the nature of the data contained in the file.
Apple maintains a registry of creator types for Macintosh files. If a new software vendor wants to make a Macintosh version of their program that creates files, they must register a unique creator type with Apple. This ensures that no two vendors use the same identifier codes, which could cause the wrong application to launch when a user tries to open a file.
** Because the naming conventions for files on the Macintosh Operating System include such rules as:
- The colon (:) is used as a path separator
- Characters such as ?, *, \, and / are perfectly legal in Macintosh file names.
o Don't copy files created by Macintosh clients to volumes that have the FAT file system. The FAT file system does not support multiple streams, so the file will be flattened; that is, its resource fork will be lost.
o Don't copy or rename files created by Macintosh clients from Windows 95, Win32s, or Windows 3.x clients.
Volume Refers to any storage media in the Macintosh file system.
A volume can be a single floppy disk, a partition on a hard drive, the entire drive, or several drives.
On larger disks, the administrator defines the size of the volume
o Each HFS volume begins with two boot blocks.
o The boot blocks on the startup volume are read at system startup time and contain booting instructions and other important information such as the name of the System file and the Finder.
o Following the boot blocks are two additional structures, the master directory block and the volume bitmap.
o The master directory block contains information about the volume, such as the date and time of the volume's creation and the number of files on the volume. The volume bitmap contains a record of which blocks in the volume are currently in use.
o The largest portion of a volume consists of four types of information or areas:
o applications and data files
o the catalog file
o the extents overflow file
o unused space
All the areas on a volume are of fixed size and location, except for the catalog file and the extents overflow file. These two files can appear anywhere between the volume bitmap and the alternate master directory block (MDB).
The information on all block-formatted volumes is organized in logical blocks and allocation blocks.
Logical blocks contain a number of bytes of standard information (512 bytes on Macintosh-initialized volumes).
Allocation blocks are composed of any whole number of logical blocks and are simply a means of grouping logical blocks in more convenient parcels.
Logical EOF In the Macintosh file system, the number of bytes that contain data.
Physical EOF In the Macintosh file system, the number of allocation blocks assigned to the file.
Clumps In the Macintosh file system, a contiguous allocation block. Clumps are used to keep file fragmentation to a minimum
The first two logical blocks on every Macintosh volume are boot blocks. These blocks contain system startup information: instructions and information necessary to start up (or "boot") a Macintosh computer.
This information consists of certain configurable system parameters (such as the capacity of the event queue, the number of open files allowed and so forth) and is contained in a boot block header.
The system startup information also includes actual machine-language instructions that could be used to load and execute the System file.
A master directory block (MDB)--also sometimes known as a volume information block (VIB)--contains information about the rest of the volume. This information is written into the MDB when the volume is initialized. Thereafter, whenever the volume is mounted, the File Manager reads the information in the MDB and copies some of that information into a volume control block (VCB). A copy of the MDB is kept in the next to the last block on the volume.
A Volume Control Block, VCB is a private data structure maintained in memory by the File Manager (in the VCB queue).
Extents Overflow File Used by the Macintosh File Manager when the list of contiguous blocks of a file becomes too long. The overflow of the list is placed in the extents overflow file. Any file extents not in the MDB or VCB are contained here.
Catalog Is used to maintain the relationships between files and directories on a volume.
B*-Tree Organizes the directory hierarchy and file block mapping for the File Manager.
Header Node Stores information about the B*-Tree file.
The File Manager uses a volume bitmap to keep track of whether each block in a volume is currently allocated to some file or not. The bitmap contains one bit for each allocation block in the volume. If a bit is set, the corresponding allocation block is currently in use by some file. If a bit is clear, the corresponding allocation block is not currently in use by any file and is available for allocation.
Index Node Stores link information to the previous node and the next node.
Map Node Stores a node descriptor and a map record.
Leaf Node A node in the B*-Tree system that contains data in the Macintosh file system.
UNIX
Red Hat Linux is one of the most popular
flavors of UNIX on the market today.
GNU General Public License (GPL) Define Linux as open source software, meaning that anyone can use and distribute the software without owing royalties or licensing fees to another party.
The standard Linux file system is called the Second Extended File System (Ext2fs) which can support disks as large as 4 TB and files as large as 2 GB.
The data portion of the Linux file structure contains the contents of the file.
In UNIX, everything is a file including disk drives, the monitor, the printer, tape drives, system memory, directories and actual files. Each file is defined as an object with properties and methods.
The linux file structure is made up of meta-data and data.
Meta-data includes:
The data portions contains the file contents.
UNIX consists of four components that define the file system.
o The Boot Block where the bootstrap code is located. Only one, which is located on the main disk.
o Superblock contains vital system information and is considered part of the meta data.
o Inode
o Data Block.
Superblock
o Indicates the geometry of the disk
o Available space
o The location of the first inode
o Keeps track of all inodes
o Manages the UNIX file system including:
n Block size for the disk drive
n File system names
n Blocks reserved for inodes
n Free inode list
n Free block starting chain
n Volume Name
n Last Update time and backup time inodes
Multiple copies of the Superblock are stored on the disk in various places to prevent data loss
Linux is unique in that it uses inodes or information nodes that contain descriptive information about each file or directory. An inode is a pointer to other inodes or blocks.
When the last pointer to a file is deleted, the file is effectively deleted. **To find deleted files during a forensic investigation, you search for inodes that contain some data and whose link count is 0.
Inodes
o The first data after the superblock on a UNIX file system are the inode blocks.
o An inode is assigned to every file allocation unit.
o As files or directories are created or deleted, inodes are also created or deleted.
o The link between the inodes controls access to those files.
o Just like the Microsoft file system, on a PC, the Linux file system has 512 byte sectors. (UNIX blocks may be larger, ie., depending on what was defined when the Volume was initiated, commonly 1024bytes.)
o Typically, a data block consists of 4096 bytes (8 sectors) or 8192 bytes (16 sectors) in a cluster.
o When you save a file, the data blocks are clustered and a unique inode is assigned.
**Direct pointers
o When a file or directory is created in UNIX, an inode is assigned.
o This first inode has 13 pointers which link directly to data storage blocks in the data block area of the disk.
o Each pointer contains a block address.
**Indirect Pointers
o As the file expands, the OS initiates the eleventh pointer of the original inode.
o The eleventh pointer links to 128 pointer nodes and each of these pointers link directly to 128 individual blocks located in the data block area.
**Double Indirect pointers
o If more storage is needed, the 12th pointer position of the original inode is used to link to another 128 inode pointers. From each of these 128 pointers, another 128 pointers are created. (1282) This second level of inode pointers are linked directly to blocks in the data block area of the disk drive.
**Triple indirect pointers
o If more storage is needed, the thirteenth pointer links to 128 pointer inodes. Each of these 128 pointers points to another 128 pointers, and each second layer of pointers points to a third layer of 128 (1283)pointers. At this triple indirect inodes level, data storage blocks are linked.
An assigned inode contains the following information about a file or directory:
· The mode and type of the file or directory.
· The UID and GID of the files or directorys owner.
· An internal link count, the number of links to a file or directory. When the number of links is 0, the file is effectively deleted.
· Modification, Access, and Creation (MAC) times. (Not filenames.) The files or directorys last access time and last modified time.
· A file number that is associated with the file name. (File names are stored in a directory called file_name. To keep track of files and data, Linux pairs the inode number with the filename.
· File or Directory size. The number of bytes contained in the file or directory.
· The inodes last file status change time.
· The block address for the file data.
· The indirect, double indirect, and triple indirect block addresses for the file data.
· Current usage status of the inode.
· The number of actual blocks assigned to the file.
· File generation number and version number.
· The continuation inodes link.
**To find deleted files during a forensic investigation, you search for inodes that contain some data and whose link count is 0.
Bad Block Inode
o Linux keeps track of bad sectors using an inode called the bad block inode.
o The root inode is 2, the bad block inode is inode 1.
n Some one trying to hide information may access the bad block inode and list good sectors in it and then hide information in these sectors.
Data Block In the Linux file system, a cluster of hard disk sectors, normally 4096 or 8192 bytes in size.
Linux Loader (LILO) Linux utility that initiates the boot process which usually runs from the master boot record (MBR).
Lilo.conf, located in the /etc directory contains the location of the boot device, the kernel image file and a delay timer that specifies the time to allow you to select which OS you want to use.
CDs, DVDs, SCSI and RAID disks
**Compact Discs (CD) Optical media that stores information and typically holds up to 640 MB.
**Digital Video Discs (DVD) Optical media that stores information and movies.
CDs and DVDs store information differently than magnetic media like a disk drive.
**A laser burns flat areas or Lands on the top side of the CD. Lower areas not burned by the laser are called Pits.
The transition from land to pit has a binary value of 1.
No transition has a binary value of 0.
**The basic structure of a CD surface includes:
- Label surface
- Protective layer
- Reflective layer
- Substrate layer
**International Organization for Standardization (ISO) An organization set up by the United Nations to ensure compatibility in a variety of fields including engineering, electricity, and computers. CDs and DVDs are regulated by the ISO 9660 and ISO 13346.
**Phase Change Alloy The metal PC layer of a CD-RW that allows it to be written to several times.
**Amorphic A condition achieved when a laser heats the Metal PC layer to 600 degrees Celsius to achieve crystallization.
**Constant Linear Velocity (CLV) Older CD players use this method to read data, typically used in CD players less than 12X.
**Constant Angular Velocity (CAV) Newer method for reading data. Used in newer technologies of CD players, typically about 12X.
**Small Computer System Interface (SCSI) An input /output standard protocol device. SCSI connectors are used for a variety of peripheral devices.
**Advanced SCSI Programmer Interface (ASPI) Provides several software drivers that allow the communication between the operating system and the SCSI component.
**Redundant Array of Independent Disks (RAID) A computer that has two or more hard drives with redundant storage features so that if one drive fails, the other drives can take over.
**RAID Levels
RAID 0 Disk striping
RAID 1 Disk mirroring
RAID 2 Striping bit level
RAID 3 Striping dedicated parity
RAID 4 Striping block parity writing
RAID 5 Distributed data and parity