Upload File

volume analysis volumes - university of rhode islandthenry/csc487-orig/video/10_volumes_and... ·...

  • Home
  • Documents
  • Volume Analysis Volumes - University of Rhode Islandthenry/csc487-orig/video/10_Volumes_and... · Volume 1Volume 2Volume 3 Volume 4 Volume-Set of addressable sectors used for storage-Can
1
Volume 1 Volume 2 Volume 3 Volume 4 Volume - Set of addressable sectors used for storage - Can span multiple devices (similar to RAID 0) Partition - Collection of consecutive sectors on a device Volume Analysis Hard Disk 1 Hard Disk 2 Hard Disk 3 Partition 1 Partition 2 Partition 3 Partition 4 Partition 5 Volumes Volumes appear differently on each operating system MacOS X Windows Linux Partitions Reasons for Partitions - maximum size of file system is smaller than hard disk - older FAT16 limited to 2 GB - section of disk used for special purposes - memory contents when laptop is put to sleep - swap area for some virtual memory systems - protection against file system corruption - multiple partitions localize damage - computers with multiple operating systems - each operating system requires separate partition Sim mple Partit tion Table Start End Type 0 99 FAT 100 249 NTFS 300 599 NTFS Sector offset from start of device Logical Block Address (LBA) - Sector offset from beginning of device - Physical address of sector - Used in partition table Logical Volume Address - Offset from start of volume Logical Partition Address - Offset from start of partition No volume or partition logical address Sector Addressing Volume 1 Volume 2 Volume 3 Volume 4 Hard Disk 1 Hard Disk 2 Hard Disk 3 Partition 1 Partition 2 Partition 3 Partition 4 Partition 5 Forensic Concepts Most investigations use entire hard drive - Must determine partition and volume structure Partition Table - Identifies start and end of each partition - Can be falsified to hide partitions - Consistency Checks - draw partition map Sim mple Partit tion Table Start End Type 0 99 FAT 100 249 NTFS 300 599 NTFS Sim mple Partit tion Table Start End Type 0 99 FAT 100 249 Unused 300 599 NTFS Sim mple Partit tion Table Start End Type 0 99 FAT 100 599 NTFS Hard Disk 1 Partition 1 Partition 2 Hard Disk 1 Partition 1 Partition 2 Hard Disk 1 Partition 1 Partition 2 Hard Disk 1 Partition 1 Partition 2 Hard Disk 1 Partition 1 Partition 2 Forensic Concepts Most investigations use entire hard drive - Must determine partition and volume structure Partition Table - Identifies start and end of each partition - Can be falsified to hide partitions - Consistency Checks - draw partition map Partition Recovery - Assume a files system was located on each partition - Look for special or “magic” values - For example, in FAT - 0x55AA is stored in byte 510 of sector 0 (logical partition address) Sim mple Partit tion Table Start End Type 0 99 FAT 100 249 NTFS 300 599 NTFS

Upload: others

Post on 05-Jan-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Volume Analysis Volumes - University of Rhode Islandthenry/csc487-orig/video/10_Volumes_and... · Volume 1Volume 2Volume 3 Volume 4 Volume-Set of addressable sectors used for storage-Can

Volume 1 Volume 2 Volume 3 Volume 4

Volume- Set of addressable sectors used for storage- Can span multiple devices (similar to RAID 0)

Partition- Collection of consecutive sectors on a device

Volume Analysis

Hard Disk 1 Hard Disk 2 Hard Disk 3

Partition 1 Partition 2 Partition 3 Partition 4 Partition 5

VolumesVolumes appear differently on each operating system

MacOS X

Windows

Linux

PartitionsReasons for Partitions

- maximum size of file system is smaller than hard disk - older FAT16 limited to 2 GB

- section of disk used for special purposes- memory contents when laptop is put to sleep

- swap area for some virtual memory systems

- protection against file system corruption- multiple partitions localize damage

- computers with multiple operating systems- each operating system requires separate partition

Simple Partition TableSimple Partition TableSimple Partition Table

Start End Type0 99 FAT

100 249 NTFS300 599 NTFS

Sector offset from start of device

Logical Block Address (LBA)

- Sector offset from beginning of device

- Physical address of sector

- Used in partition table

Logical Volume Address

- Offset from start of volume

Logical Partition Address

- Offset from start of partition No volume or partition logical

address

Sector Addressing

Volume 1 Volume 2 Volume 3 Volume 4

Hard Disk 1 Hard Disk 2 Hard Disk 3

Partition 1 Partition 2 Partition 3 Partition 4 Partition 5

Forensic ConceptsMost investigations use entire hard drive

- Must determine partition and volume structure

Partition Table

- Identifies start and end of each partition

- Can be falsified to hide partitions

- Consistency Checks - draw partition map

Simple Partition TableSimple Partition TableSimple Partition Table

Start End Type0 99 FAT

100 249 NTFS300 599 NTFS

Simple Partition TableSimple Partition TableSimple Partition Table

Start End Type0 99 FAT

100 249 Unused300 599 NTFS

Simple Partition TableSimple Partition TableSimple Partition Table

Start End Type0 99 FAT

100 599 NTFS

Hard Disk 1

Partition 1 Partition 2

Hard Disk 1

Partition 1 Partition 2

Hard Disk 1

Partition 1 Partition 2

Hard Disk 1

Partition 1 Partition 2

Hard Disk 1

Partition 1 Partition 2

Forensic ConceptsMost investigations use entire hard drive

- Must determine partition and volume structure

Partition Table

- Identifies start and end of each partition

- Can be falsified to hide partitions

- Consistency Checks - draw partition map

Partition Recovery

- Assume a files system was located on each partition

- Look for special or “magic” values- For example, in FAT - 0x55AA is stored in byte 510 of sector 0 (logical partition address)

Simple Partition TableSimple Partition TableSimple Partition Table

Start End Type0 99 FAT

100 249 NTFS300 599 NTFS

Timothy Henry
00:14
Timothy Henry
02:05
Timothy Henry
Timothy Henry
03:03
Timothy Henry
06:27
Timothy Henry
08:20
Timothy Henry
10:52
Timothy Henry
12:14
Timothy Henry

Navigating a Board of Law Examiners Hearingmedia.avvosites.com/upload/102/2014/01/Texas.Board_… ·  · 2014-01-30Navigating a Board of Law Examiners Hearing 1Volume . ... informs

File GUID Partition System Table Forensics Partitioningthenry/csc487/video/14_GPT_Partitioning.pdfPartitioning GPT Partitioning GUID Partition Table-Used on Intel IA64 (EFI) Systems-Supports

Candlelight VOLUME 43 - NUMBER 1VOLUME 43 - NUMBER 1 StL hapter Newsletter Karen: "You will lose someone you can't live without, and your heart will be badly broken, and the bad news

newsletter 39.4 Layout 1Volume 39.4 Fall 2018 ISSN 1095-2837 Stordalen Lecture T erje Stordalen is Professor of the Faculty of Theology, University of Oslo. He coordinates the project

j aeeeueeenSSeueeeueeThe 1VOLUME Iwillnyx.uky.edu/dips/xt75hq3rw48x/data/0366.pdf · Montgomery of Grand Rapids Lila publican bar been reelected jutloe of the supreme corrt by about

Master File Table File NTFS $MFT System Master File Table …thenry/csc487/video/62_MFT_Layout.pdf · MFT Record Header. NTFS Partition. MFT . MFT File Record. Header Attribute Unused

Congregation*Beth*Israel*of*Media … · 2019. 7. 22. · January'2015 Tevet/Shevat''5775 1Volume'38'No.'5 Endowment)Fund 2 Report Food)Justic)Project 2 Collection'Theme Religious)Practice

The University o/Newcastle collections/pdf...Volume 2 -Volume 3 -Volume 4 -Volume 5 -Volume 6 -Volume 7 -Volume B -Volume 9 -Legislation University Bodies and Staff Faculty of Architecture

Directory Management NTFS - homepage.cs.uri.eduthenry/csc487/video/68_NTFS_Directories.pdf · bbb.txt eee.txt fff.txt ggg.txt hhh.txt mmm.txt ppp.txt rrr.txt vvv.txt zzz.txt Node

Volume XLI11(43) Fall, 1983 Number 1Volume XLI11(43) Fall, 1983 Number 1 CONTENTS National Officers 1 Amicable Numbers Mark R. Woodard 2 Constructing Efficient Codes Nanay Zebraitis

Volume de Dados Volume Removível Volume de Sistema

May January - The Ride For Missing Children€¦ · January THE RIDE 20 16 Volume No. 20 Issue No.1Volume No. 23 Issue No. 4 National Center for Missing & Exploited Children-NY/Mohawk

64 NTFS Attributes - homepage.cs.uri.eduthenry/csc487/video/64_NTFS... · NTFS Attribute Header HexDecBytes Description 0x000 4Attribute Type Identifier 0x044 4Length of Attribute

Volume 5 / Issue 2 / November 2017 What’s in the Hill ......NEWS FROM THE HILL 603-472-4414 | 1Volume 5 / Issue 2 / November 2017 Whether on a mountaintop surrounded by nature, at

Law Environment and DevelopmentJournal · Environment and Development Journal 6/1VOLUME ... 2.1 The CDM – A Brief Explanation 3 2.2 The Rationale of Proposing the CDM 4 3. Sustainable

NTFS Partitions - homepage.cs.uri.eduthenry/csc487/video/60_NTFS.pdf · NTFS Partitions New Technology File System-“Everything is a file.”-NTFS stores information about itself

Law Environment and DevelopmentJournal - lead · PDF fileLawLEAD Environment and Development Journal 10/1VOLUME ENVIRONMENTAL IMPACT ASSESSMENT PROCESS FOR OIL, GAS AND MINING PROJECTS

Vol. 2 Issue 1Volume: 2 Rs. 6 Issue: 1 A MESSAGE FROM SR.JUANITA !!!!! ! We need a new system of sustainable economics. No economic system is sustainable unless it based on the notion

VOLUME VOLUME 6666

SOLUBILITY DATA SERIES - NIST · 2010-08-19 · SOLUBILITY DATA SERIES Volume Volume 2 Volume 3 Volume 4 Volume 5/6 Volume 7 Volume 8 Volume 9 Volume 10 Volume 11 Volume 18 H. L

Volume 11, 2001 British Columbia Birds Page 1Volume 11, 2001 British Columbia Birds Page 5 SPRING WATER BIRD MIGRATION AT ALKALI LAKE Andrew C. Stewart 3932 Telegraph Bay Road Victoria,

First United Methodist Church Commerce Volume 10, Issue ... · First United Methodist Church First United Methodist Church Commerce Volume 10, Issue 1Volume 10, Issue 1 January 11,

Using Eminent Domain Powers to Acquire Private Lands for ... · LawLEAD Environment and Development Journal 2/1VOLUME USING EMINENT DOMAIN POWERS TO ACQUIRE PRIVATE LANDS FOR PROTECTED

The U Diversity of Newcastle...The University of Newcastle Calendar consists of the following volumes: Volume 1 Volume 2 Volume 3 Volume 4 Volume 5 Volume 6 Volume 7 Volume 8 Volume

Procurement Bulletion vol. 11, issue 1Volume 11, Issue 1, January 2005 Page 2 . five years, and project contact names and telephone numbers. You can then check a selected list of project

The Father Funcken Council #1504 & Assembly THE ECHOVolume 8, Issue 1Volume 8, Issue 1 Oct. THE ECHO Inside this issue: 2 • Chaplain’s Message 3 • D.G.K.’s Message • Firefighter

Law Environment and DevelopmentJournal · Environment and Development Journal 13/1VOLUME REGULATING EFFLUENTS FROM INDIA’S TEXTILE SECTOR: NEW COMMANDS AND COMPLIANCE MONITORING

C9 1Volume Dealer GOING ON NOWAT NVILLE’S Over NOW IN …nyx.uky.edu/dips/xt7j9k45rg69/data/70195_Lexington_09-30... · 2012. 9. 30. · 2013 DODGE CHALLENGER SXT COUPE #C13025.5

Infinite Campus Instruction Guide - Franklin Universitycs.franklin.edu/~caton03/e-portfolio/Online Manual.pdf · Infinite Campus Instruction Guide 1Volume . OAK GROVE SCHOOL DISTRICT

HGS Bulletin Volume 49 No.6 (February 2007)February 2007 Houston Geological Society Bulletin 1Volume 49, Number 6 February 2007 Houston Geological Society The In Every Issue 5 From

VOLUME 10, NUMBER 1 (2014)...VOLUME 10, NUMBER 1 (2014) CANADIAN NAVAL REVIEW 1VOLUME 10, NUMBER 1 (2014) Editorial Board Dr. David Black, Gary Garnett, Ken Hansen, Peter T. …

CA Breaker Instruction Manual - homewoodsales.com · Instruction Manual 1Volume . HOMEWOOD PRODUCTS CORPORATION Compressed Air Circuit Breaker ... book comes from the Westinghouse

read.pudn.comread.pudn.com/downloads60/doc/208545/115devg.pdf · Contents i Contents Volume 1VOLUME 1 i. . . . . . . . . . . . . . . . . . . . . . . . . Preface i

Green elt Preparatory ModuleV12 - Benchmark Six · PDF fileGreen elt Preparatory ModuleV12 1Volume . ... Transactional change by applying tools and methodologies to reduce ... In 1987,

CA Breaker Instruction Manual - homewoodsales.com … · CA Breaker Instruction Manual 1Volume . ... of the breaker by hand through use of a hand-operating lever is also possible