DAT2343 - idallen

DAT2343
Disk Structure Analysis
Project 3
© Alan T. Pinck / Algonquin College; 2003
Project 3 Requirements
See the complete requirements for this
project under the Projects area for this
course in Blackboard
Determine specific structure information
from a non-standard formatted diskette
using DEBUG to analyze the boot sector.
Locate a deleted file in a deleted directory
by tracing through directory entries.
DEBUG Sector Level Read
DEBUG Command:
Lmmmm d s n
where
mmmm is the (offset) memory address to where
the sector(s) are to be copied
d is the disk drive number (0=A: 1=B: …)
s is the disk sector number (0 is the boot sector)
n is the number of sectors to read
Critical Boot Sector Entries
000B-0Ch : bytes per sector
000Dh : sectors per allocation unit (file cluster)
0010h : number of copies of the FAT
0011-12h : number of root directory entries
(20h bytes per entry)
0016-17h : number of sectors per copy of FAT
0018-19h : number of sectors per track
001A-1Bh : number of tracks per cylinder (number
of read/write heads)
Directory Entry Components
For “normal” 8.3 named files:
bytes 0-7 : primary file name
bytes 8-0A : extension
byte 0B : attribute (see next slide)
bytes 1A-1B : starting cluster
bytes 1C-1F : file size (in bytes)
Directory Entries: Attributes
The attribute byte, within a file’s directory entry
provides the following information (reading the
bits from right to left):
bit 0 : Read Only (if on)
bit 1 : Hidden (if on)
bit 2 : System (if on)
bit 3 : Volume Label, not a real file (if on)
bit 4 : Subdirectory (if on)
bit 5 : Archive needed (if on)
Note the special value of the attribute byte for
long/extended file names (next slide)
Directory Entries: Long File Names
Long/Extended file names are stored in directory
entries, but with a quite different format than
“normal” file entries; the Attribute field for these
extended file name entries is always 0F(hex), a value
which would not make sense if interpreted normally.
Extended file names are always followed by a
“normal” (8.3) form for the same file and it is this
8.3 form which should be used for file analysis.
Directory Entries: Deleted Files
When a file is deleted, the first byte of the file name in
the directory entry(ies) for this file is changed to a
special code: E5(hex) and its FAT table entries are
zeroed (indicating that the space is “free”).
No other changes are made and, provided nothing else
is changed on the disk, the file can be recovered
(except for the first character of its name), since its
first cluster number still points to a sector of the disk
which contains the contents of the (deleted) file.
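Added example (not part of the original slides): a Python sketch that decodes the boot sector offsets and directory entry fields listed above and picks out deleted 8.3 entries. The function names and sample bytes are constructed for illustration; the reserved-sector field at 0Eh, the 00h never-used marker and cluster numbering from 2 are standard FAT conventions the slides do not state.

```python
import struct
ATTR_BITS = ("read-only", "hidden", "system", "volume-label", "subdirectory", "archive")

def parse_boot_sector(sec):
    """Decode the boot sector fields listed above (all little-endian)."""
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    # Assumption: 0Eh-0Fh (reserved sector count) is a standard FAT field that
    # the slides do not list; it is needed to find the root directory.
    reserved, fats, root_entries = struct.unpack_from("<HBH", sec, 0x0E)
    spf, spt, heads = struct.unpack_from("<HHH", sec, 0x16)
    root_start = reserved + fats * spf
    data_start = root_start + (root_entries * 0x20 + bps - 1) // bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "fats": fats,
            "root_entries": root_entries, "sectors_per_fat": spf, "sectors_per_track": spt,
            "heads": heads, "root_start": root_start, "data_start": data_start}

def cluster_to_sector(bpb, cluster):
    """First sector of a cluster (FAT data clusters are numbered from 2)."""
    return bpb["data_start"] + (cluster - 2) * bpb["sectors_per_cluster"]

def parse_dir_entry(e):
    """Decode one 20h-byte entry; returns None for a never-used (00h) slot."""
    if e[0] == 0x00:
        return None
    deleted, attr = e[0] == 0xE5, e[0x0B]
    if attr == 0x0F:  # long-name fragment: use the 8.3 entry that follows
        return {"kind": "lfn", "deleted": deleted}
    name = e[0:8].decode("ascii", "replace").rstrip()
    if deleted:
        name = "?" + name[1:]  # first character was overwritten with E5h
    cluster, size = struct.unpack_from("<HI", e, 0x1A)
    return {"kind": "8.3", "deleted": deleted, "name": name,
            "ext": e[8:11].decode("ascii", "replace").rstrip(),
            "attributes": [n for b, n in enumerate(ATTR_BITS) if attr >> b & 1],
            "start_cluster": cluster, "size": size}

def deleted_entries(directory):
    """Deleted 8.3 entries (files and subdirectories) in a raw directory."""
    slots = (parse_dir_entry(directory[i:i + 32]) for i in range(0, len(directory), 32))
    return [s for s in slots if s and s["kind"] == "8.3" and s["deleted"]]

# Constructed sample data (not from a real diskette).
def _entry(name11, attr, cluster, size):
    return name11 + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size)
SAMPLE_BOOT = bytearray(512)
struct.pack_into("<HBHBH", SAMPLE_BOOT, 0x0B, 512, 2, 1, 2, 112)
struct.pack_into("<HHH", SAMPLE_BOOT, 0x16, 3, 9, 2)
SAMPLE_DIR = (_entry(b"README  TXT", 0x20, 2, 100) + _entry(b"\xE5" + b"x" * 10, 0x0F, 0, 0)
              + _entry(b"\xE5LDDIR     ", 0x10, 5, 0) + bytes(32))
```

For a deleted subdirectory, cluster_to_sector() gives the sector to read next; that sector holds the subdirectory's own entries, which can be passed to deleted_entries() in turn.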
End of Lecture