Monday, August 9, 2010

Computer Forensics - Week 3

Sector
• The smallest unit of data addressable by a file system is a sector
• A sector is normally 512 bytes in size
• In addition, for greater efficiency, file systems often group sectors into clusters, and these then become the smallest area that can be allocated to a file.


File Slack
• If a file does not completely fill a cluster, then everything within the cluster after the file ends could contain data from a previously deleted file
• Windows typically zeros out data from the end of the data to the end of the sector, but leaves any remaining sectors within the cluster untouched
• Slack space is of great forensic interest as it can contain remnants of data that.




Disk Drive Structure






Analysis of Partitions
Partition Table Entries – each entry has the following fields:
- Starting CHS address
- Ending CHS address
- Starting LBA address
- Number of sectors in partition
- Type of partition
- Flags


CHS addresses vs. LBA addresses:
- CHS can address a maximum disk size of 8 GB
- Therefore nowadays almost all addressing is in the form of Logical Block Addressing
- CHS is maintained for backward compatibility


Flags:
- The flag entry denotes whether a partition is bootable or not
- Identifies where the OS is located


Extended Partition Concepts:
- Many systems require more than 4 partitions
- The solution is to use extended partitions
- An entry in the partition table describes the location of an extended partition rather than a normal partition
- This extended partition will have its own partition table
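
The partition table fields listed above can be read straight out of sector 0 of a disk image. The following is an added example, not part of the original notes: it assumes the classic MBR layout (four 16-byte entries at offset 446, signature 0x55AA at offset 510), and the sample sector and helper names are constructed for illustration.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # type codes that describe an extended partition

def decode_chs(b):
    """Unpack a 3-byte CHS field into (cylinder, head, sector)."""
    head, sector = b[0], b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]   # top 2 cylinder bits sit in the sector byte
    return cylinder, head, sector

def parse_mbr(sector0):
    """Decode the four 16-byte partition table entries held in sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a valid MBR sector")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i : 462 + 16 * i]
        flag, chs_s, ptype, chs_e, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00:                    # unused slot
            continue
        parts.append({
            "slot": i,
            "bootable": flag == 0x80,        # flag field: 0x80 marks the boot partition
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,  # its own table starts at lba_start
            "chs_start": decode_chs(chs_s),
            "chs_end": decode_chs(chs_e),
            "lba_start": lba,
            "sectors": count,
            "lba_end": lba + count - 1,
        })
    return parts

def _entry(flag, chs_s, ptype, chs_e, lba, count):
    return struct.pack("<B3sB3sII", flag, chs_s, ptype, chs_e, lba, count)

# Constructed sample: one bootable primary partition and one extended partition.
SAMPLE_MBR = (
    bytes(446)
    + _entry(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    + _entry(0x00, b"\xfe\xff\xff", 0x0F, b"\xfe\xff\xff", 206848, 409600)
    + bytes(32) + b"\x55\xaa"
)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
```

The CHS value (1023, 254, 63) in the sample is the saturated value written when a partition lies beyond what CHS can address, which is why the LBA fields are the ones to rely on during analysis.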
