DF Lesson7

This document discusses the boot process and storage devices in computers. It begins with an overview of BIOS and how the boot process starts by executing BIOS instructions. It then discusses storage devices like hard disks, partitions, and how partitions are used to organize the hard disk drive. The document provides details on master boot records, partition tables and how they define primary and extended partitions.
Spring 2017

Dr. Syed Akhter Hossain


• BIOS and boot process
• Storage devices
• Partitions

MISS/MICT 1103, Spring 2017 2


• Memory
• Central Processing Unit (CPU)
• Hard disk
• Basic Input/Output System (BIOS)
◦ Considered legacy, still very common
• Extensible Firmware Interface (EFI)
◦ To be de facto standard
◦ Standard in new Intel Apple systems


• BIOS Instructions
• Disk Sector 0 Instructions
• Partition Sector 0 Instructions
• Operating System Files


1. When the PC is turned on, the CPU begins executing the instructions in the ROM BIOS chip, starting at a pre-defined instruction location.
2. The BIOS performs the power-on self-test (POST). If there are errors, the BIOS generates appropriate messages and/or beep codes, and the boot process stops.
3. If the POST tests are successful, the BIOS from any other adapter cards are combined with the normal BIOS and loaded into memory (shadowing), where they can be executed faster than in ROM.
4. The list of devices found during the POST is compared with the list of devices in the non-volatile BIOS memory (CMOS) chip.
5. If the lists differ, then a new device must have been added. In this case, the BIOS memory is updated accordingly, and available system resources (such as IRQs) are assigned to the new devices.
6. The BIOS loads and executes the master boot code in the master boot record of the first bootable device.
7. The master boot code locates the active partition of that device, then locates and executes the volume boot code in the volume boot record of that partition.
8. The volume boot code of the active partition locates and executes the operating system files on the partition, and transfers control to them.
9. The operating system now completes the boot process by loading appropriate device drivers. If device drivers for any new devices cannot be found, the operating system will generate an appropriate message, and give the user an opportunity to install the drivers now, or at a later time.

Source: http://www.cci-compeng.com

• Hard disks, floppy disks, thumb drives, etc.
• Hard disks are the richest in digital evidence
• Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA)
• Higher-performance SCSI drives
• FireWire is an adaptation of SCSI standards that provides high-speed access to a chain of devices
• All hard drives contain platters made of light, rigid material such as aluminum, ceramic or glass


◦ Platters have a magnetic coating on both sides and spin between a pair of read/write heads
◦ These heads move like a needle on top of the old LP records but on a cushion of air created by the disk above the surface
◦ The heads can align particles of magnetic media (called writing), and can detect how the magnetic particles are aligned (called reading)
◦ Particles aligned one way are considered "0" and aligned another way "1"

• Cylinders are the data tracks on which the data is recorded
• Each track/cylinder is divided into sectors that contain 512 bytes of information
◦ 512*8 bits of information
• The location of data can be determined by which cylinder it is on, which head can access it, and which sector contains it: this is CHS addressing
• Capacity of a hard drive = number of cylinders (C) * heads (H) * sectors (S) * 512 bytes

• Volatility
◦ Non-Volatile
◦ Volatile
• Mutability
◦ Read/Write
◦ Read Only
◦ Slow Write, Fast Read Storage
• Accessibility
◦ Random Access
◦ Sequential Access
• Addressability
◦ Location
◦ File
◦ Content


• 16-bit Cylinder value (C)
• 4-bit Head value (H)
• 8-bit Sector value (S)
• Old BIOS:
◦ 10-bit C
◦ 8-bit H
◦ 6-bit S
◦ Limited to 528MB disk


• LBA address may not be related to physical location of data
• Overcomes the 8.1 GB limitation of CHS
• Plug old CHS values into:

LBA = (((CYLINDER * heads_per_cylinder) + HEAD) * sectors_per_track) + SECTOR - 1

E.g. CHS 0,0,1 = LBA 0

[Figures: disk layouts showing Partition 1 and Partition 2]


• Volume
◦ A selection of addressable sectors that can be used by an OS or application. These sectors do not have to be consecutive
• Partition
◦ A selection of addressable sectors that are consecutive. By definition, a partition is a volume


[Figure: Disk 1 (Partition 1, Partition 2) and Disk 2 (Partition 3, Partition 4), with a C: volume and a D: volume]


A partition organises the layout of a volume
• Sector Addressing
◦ Physical Address (LBA or CHS)
◦ Logical Disk Volume Address
◦ Logical Partition Volume Address


Partition 1 (Starting Address: 0)
• Physical Address: 100
• Logical Disk Volume Address: 100
• Logical Partition Volume Address: 100

Partition 2 (Starting Address: 864)
• Physical Address: 964
• Logical Disk Volume Address: 964
• Logical Partition Volume Address: 100

Sector with no partition address
• Physical Address: 569
• Logical Disk Volume Address: 569
• Logical Partition Volume Address: N/A

B. Carrier, File System Forensic Analysis, p. 75


• Analyse Partition Tables
◦ Process them to identify the layout
◦ Can then be used to process partition accordingly
◦ Determine the type of data inside the partition
• Perform a sanity check to ensure that the partition table is telling the truth
◦ This is important when imaging


[Figure: example layouts of Partition 1 and Partition 2]

B. Carrier, File System Forensic Analysis, p. 76


• No standard reference
• Master Boot Record in first sector (first 512 bytes)
◦ Boot Code
◦ Partition Table
◦ Signature Value
• MBR supports a maximum of 4 partitions

• Starting CHS Address
• Ending CHS Address
• Starting LBA Address
• Number of Sectors in Partition
• Type of Partition
• Flags

• Limitation
◦ 2 Terabyte Disk Partition Limitation
  • MBR Partition size field is 32 bits

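The partition entry fields listed above, decoded from sector 0 and then run through the sanity check an examiner applies before trusting the table. This is an added example, not part of the original slides: the offsets follow the standard DOS/MBR layout (table at byte 446, 16 bytes per entry), the 255-head/63-sector geometry is an assumption, and the sample sector is constructed to match the NTFS entry in the mmls listing later in the deck.

```python
import struct

HEADS, SPT = 255, 63  # assumed BIOS-translated geometry; not given on the page

def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    # Sectors are numbered from 1 within a track, hence the -1.
    return (c * heads + h) * spt + s - 1

def unpack_chs(b):
    # Byte 0 = head, byte 1 = sector (low 6 bits) + cylinder bits 8-9, byte 2 = cylinder bits 0-7.
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F

def parse_mbr(sector0):
    """Decode the four 16-byte partition table slots at offset 446 of sector 0."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("signature 55AA not found at offset 510")
    parts = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot:462 + 16 * slot]
        flag, chs_s, ptype, chs_e, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype != 0x00:  # type 0x00 marks an unused slot
            parts.append({"slot": slot, "active": flag == 0x80, "type": ptype,
                          "chs_start": unpack_chs(chs_s), "chs_end": unpack_chs(chs_e),
                          "start": start, "sectors": count})
    return parts

def sanity_check(parts, disk_sectors):
    """Return reasons to distrust the table, given the real size of the disk or image."""
    issues, prev_end = [], 0  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        end = p["start"] + p["sectors"] - 1
        if p["start"] <= prev_end:
            issues.append(f"slot {p['slot']}: overlaps the MBR or the previous partition")
        if end >= disk_sectors:
            issues.append(f"slot {p['slot']}: ends at sector {end}, beyond the disk")
        c, h, s = p["chs_start"]
        if c < 1023 and chs_to_lba(c, h, s) != p["start"]:  # CHS saturates on large disks
            issues.append(f"slot {p['slot']}: starting CHS and LBA disagree")
        prev_end = max(prev_end, end)
    return issues

# Constructed sample: one active NTFS (0x07) entry, start 63, length 3894849 sectors.
ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\x71\x3f\xf2", 63, 3894849)
SAMPLE_MBR = bytes(446) + ENTRY.ljust(64, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    for p in table:
        print(p)
    print(sanity_check(table, 4999680) or "no inconsistencies found")
```
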
• Limitation of 4 primary partitions
• Creation of 3 primary partitions and 1 primary extended partition
• The primary extended partition uses a similar MBR layout in order to create a linked list of records, showing where each new extended partition exists in relation to the start of the last

• MMLS - displays the contents of a volume system (media management). In general, this is used to list the partition table contents so that you can determine where each partition starts, ends, length of the partition and the type.

• SIGFIND - searches through a storage volume and looks for the hex-signature at a given offset. This can be used to search for lost boot sectors, superblocks, and partition tables.

• GPART - command that can scan drives and re-create a partition table based on "guesses". This command can identify a number of file system types by testing sectors and assessing which file system type is the most probable.

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


00: Meta 0000000000 0000000000 0000000001 Primary Table(#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0003894911 0003894849 NTFS (0x07)
03: ----- 0003894912 0004999679 0001104768 Unallocated



Block size: 512 Offset: 510 Signature: 55AA
Block: 0 (-)
Block: 63 (+63)
Block: 92795 (+92732)
Block: 92796 (+1)
Block: 94839 (+2037)
Block: 94855 (+16)
Block: 237724 (+142869)
OUTPUT OMITTED ...
Block: 3473830 (+109635)
Block: 3894911 (+421081)
Block: 3894912 (+1)
Block: 3894975 (+63)
Block: 3894976 (+1)
Block: 3894983 (+1)
Block: 3905831 (+10848)
error reading bytes 4999680

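The search that produces a listing like the one above, followed by a triage step that separates real boot sectors from data that merely ends in 55AA. This is an added example, not The Sleuth Kit's code or part of the original slides: the image is constructed, and the NTFS OEM ID at byte 3 and the partition type byte at offset 446+4 are standard on-disk facts the slides do not state.

```python
BLOCK = 512

def sigfind(image, signature=b"\x55\xaa", offset=510, block_size=BLOCK):
    """Return (block, distance from previous hit) for each block with the signature at offset."""
    hits, last = [], None
    for block in range(len(image) // block_size):  # a trailing partial block is ignored
        pos = block * block_size + offset
        if image[pos:pos + len(signature)] == signature:
            hits.append((block, None if last is None else block - last))
            last = block
    return hits

def format_hits(hits):
    """Render hits in the style of the listing: 'Block: 63 (+63)'."""
    lines = []
    for block, delta in hits:
        shown = "-" if delta is None else "+" + str(delta)
        lines.append(f"Block: {block} ({shown})")
    return lines

def classify(image, block, block_size=BLOCK):
    """Triage one hit using bytes other than the two-byte signature."""
    sec = image[block * block_size:(block + 1) * block_size]
    if sec[3:11] == b"NTFS    ":
        return "NTFS boot sector"
    if any(sec[446 + 16 * i + 4] for i in range(4)):  # any non-zero partition type byte
        return "possible partition table"
    return "unverified (55AA may be ordinary data)"

def make_sector(oem=b"", ptype=0):
    """Constructed 512-byte sector ending in 55AA, with an optional OEM ID or partition type."""
    s = bytearray(BLOCK)
    s[3:3 + len(oem)] = oem
    s[446 + 4] = ptype
    s[510:512] = b"\x55\xaa"
    return bytes(s)

# Constructed 130-block image plus a partial trailing block.
blocks = [bytes(BLOCK)] * 130
blocks[0] = make_sector(ptype=0x07)           # MBR with one typed entry
blocks[63] = make_sector(oem=b"NTFS    ")     # volume boot sector
blocks[100] = make_sector()                   # file data that happens to end in 55AA
blocks[129] = make_sector(oem=b"NTFS    ")    # backup boot sector at the end of the volume
SAMPLE_IMAGE = b"".join(blocks) + bytes(100)

if __name__ == "__main__":
    for (block, _), line in zip(sigfind(SAMPLE_IMAGE), format_hits(sigfind(SAMPLE_IMAGE))):
        print(line, "->", classify(SAMPLE_IMAGE, block))
```

In the listing above, the hits at blocks 63 and 3894911 line up with the start and end of the NTFS partition reported by mmls; most of the other hits are the kind the triage step would leave unverified.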
Any questions?
