Transcript Document

Bits, Bytes, Files, Hard Drives
Bits, Bytes, Letters and Words
●
Bit – single piece of information
●
●
●
Either a 0 or a 1
Byte – 8 bits of information
●
1 ASCII Character
●
Letters
Word is a collection of letters/characters
●
Is just string of bits.
Hard Drive Geometry
Track
Sector
Platter with 2 heads
Top and Bottom
Second platter
Tracks, Heads, Sectors
●
Heads, Tracks and Sectors
–
Head is one side of a platter
●
–
–
Track is an narrow ring around a platter
●
There upwards of 20,000 tracks per inch of platter.
●
3.5” hard drive has 1.2” of platter = 24,000 tracks
Sector is a pie shaped piece of the platter.
●
●
Drives usually have 1 or 2 platters, hence 1 – 4 heads
1” of track can hold about 200,000 bits of information
10 – 40 Gigabits per platter
Sectors
●
Each sector has a unique address on the hard
drive.
●
Each sector is exactly 512 bytes.
●
Minimum amount that can be read or written.
Time and Technology
●
HDD Addressing
–
Olden days: head/sector/track
●
–
Worked for small drives
Today: LBA – Logical Block Address
●
Capable of addressing Tera bytes of dat
Read – Write
●
The computer can access only one sector at a
time.
●
Must read or write exactly 1 sector (512 bytes).
●
To change 1 character in a document:
●
Read 1 sector
●
Change the character
●
Write 1 sector
Logical Structure of a HDD
●
●
The hard drive can be subdivided into partitions
or volumes.
Partition structure is important for the integrity of
the drive.
●
It can be analyzed by WinHex.
●
But not for this course
Partitions
Partition 1
Partition Table
Partition 2
Extended Partition
Windows – Drives
●
In Windows drives are specified by a letter
followed by a colon.
●
●
●
C:, D:, etc.
Each drive is either a partition or an actual hard
drive.
Often referred to as logical drives.
Files
●
●
●
●
●
A File is data that is related, as such it is a logical
grouping of data.
Files are allocated storage space on a drive when it is
created.
As a file is used it is allocated more space as needed.
File names usually have a first name that is descriptive
of its contents.
And a second name, the file extension, that indicates
the type of file, such as .txt, .pdf, .exe, etc.
Clusters
●
Space is allocated to a file one cluster at
a time
–
A cluster is a fixed number of sectors
●
–
–
Must be a power of 2 (1,2,4,8, ... 64)
Unused sectors retain the data that was on
them prior to allocation
A cluster is the minimum file allocation unit
Disk Storage Review
●
Data is stored on disks one entire sector
at a time
–
–
–
–
A sector is usually 512 bytes
If you use only one byte, the system still
provides the other 511 bytes for you
A sector is the minimum size read from, or
written to, a disk
A sector is the minimum I/O unit
Clusters
Cluster 1
Cluster 2
Sector 1
Sector 1
Sector 2
Sector 2
Sector 3
Sector 3
Sector 4
Sector 4
File Data
Cluster 1
Cluster 2
Sector 1
Sector 1
Sector 2
Sector 2
Sector 3
Sector 3
Sector 4
Sector 4
Slack
●
Slack is the space allocated to a file, but
unused
–
–
●
Slack space often contains useful evidence
–
–
●
Space at the end of a sector that remains unused by the file
Sectors allocated to the file that the file hasn’t yet used
Unused bytes in an allocated sector are less useful
Unused sectors in an allocated cluster retain their original contents
and are very useful
Current operating systems write 0’s in the slack space
per sector, often leaving the residual data in the
unused sectors in the allocated cluster.
File Data
Cluster 1
Slack Space
Cluster 2
Sector 1
Sector 1
Sector 2
Sector 2
Sector 3
Sector 3
Sector 4
Sector 4
Slack Space
Unallocated Clusters
●
●
●
Many clusters on a modern hard drive are
unallocated
Some have never contain data
Unallocated clusters may have been
allocated earlier though and since been
deleted
– These clusters retain their data until they are reallocated
to a new file
– Deleted files are still recoverable!
File Systems
●
High-level formatting creates file system data
structures
– Root directory
– Data that tracks which clusters are unused, allowing the
OS to find available clusters quickly
• File Allocation Table (FAT) on older Windows systems
• $Bitmap in the Master File Table (MFT) on newer
Windows
– Exact details depend on operating system
FAT
●
●
●
FAT – File Allocation Table
Keeps a table of clusters and connects the
ones used for a file and which are unallocated.
Also keeps a directory in the data area of the
partition.
●
MAC times
●
File name
●
First cluster
–
FAT tells the rest of the clusters
File Allocation Table Concepts
Partition 1
FAT
Partition 2
FAT File System
Reserved
Area
FAT Area
FAT Boot Sector
Primary and
Backup FATs
Data Area
Clusters
Cluster
Entry
000
…
001
…
002
000
not allocated
003
004
next cluster
004
072
next cluster
…
…
072
FFF
…
…
end of file
FAT Directories
Partition 1
Directory Entry
Partition 2
Long File Name
FAT File System
Reserved
Area
FAT Boot
Sector
FAT Area
Primary and
Backup FATs
8.3 Filename
Data Area
File attributes (read
only, hidden, system,
archive, etc.)
Clusters
Created time/day
Directory
Files
Accessed day
Modified time/day
First cluster address
Size of file (0 for
directory)
Deleting a FAT File
Deleting C:taxes.txt
•
•
•
•
Find the FAT, and Data areas
Locate taxes.txt in the Directory for C:; determine its
starting cluster
Go to the FAT
Set FAT entries for taxes.txt cluster to 0
• Therefore not allocated
• Follow the links
•
Change filename to axes.txt in C: directory
– First character becomes 0xE5
WinHex to the Rescue
●
Presents the file system
●
Lets you look at the individual files
●
Shows files that have been deleted
●
Attempts to recover deleted files
●
Gathers slack space
Deleted Files
Go Find The File
Note the First Character of Name
Attempts to
Recover File
Unallocated Space
●
After deleting a file the previously allocated
clusters become unallocated.
●
They ready to be allocated to some other file.
●
They have not been touched.
●
They still contain the data from the original file.
●
You can recover the data so long it hasn’t been
written over by a new file.
Media Details
Disk Analysis
Space
Alphabet
Text Search
Files and Drives
●
Hard drive geometry
●
File systems
●
Files
●
WinHex