
32 bit
Permitted another factor of 64K sectors to the disk
Current rev is 7/8

22 ATA/ATAPI Commands
Register delivered commands
Most of the flavors do not affect the forensic analysis of the actual media.

21 Hard Disks ATA/ATAPI
AT Attachment Packet Interface
1994 Original
Before 1994 was a crap shoot
ATAPI spec issued in 1998
2002, ATA/ATAPI-6 allowed 48 bit LBA vs.

10$ per Gbyte

16 2005 Antiferromagnetically coupled (AFC) media

19 Hard Disks Geometry
CHS Address (Cylinder, Head, Sector)
Cylinder address is limited to a byte – max = 255
Lying must take place at tpi = 32K
Most disks – radius = 1.25 inches
Sectors = 793 per track (variable)
Allocated 1 byte
LBA - (Logical Block Address)
LBA = (((C * heads-per-cyl) + H) * sectors-per-track) + S - 1
LBA = CHS = (0, 0, 1)
Physical location – addressing
Sequential sector number

20 Hard Disks
Interfaces: IDE – ATA/ATAPI/etc, SCSI, Floppy, USB, 1394
Rotating platters
Platters: 1 – 12+
Heads:
Organized – Cylinders/Tracks, Heads, Sectors
Track = Cylinder: tpi = 31,200 per inch
Bits per inch of track: bpi = 501,760
Areal density: Gb/sq in (2000) 329 Gb/sq in (2009) projected 1 Tbit/sq max
Cost.

Transfers control to LILO
Loads compressed kernel
Decompresses itself
Log into the blue screen

15 Hard Disks Current Technology - Moore's Law
Size allocated depends on location

10 Boot Process
Many layered (each hw/os system is different)
BIOS – ROM locates HW and initializes some of the hardware
EPROM – determines boot device and HW configurations
LBA Sector 0 / CHS (0,0,1)
more boot code and dereferences kernel code

11 Boot Process Linux
JMP 0xFFFFFFF0
Power-On-Self-Test HW detect
1st instruction after power on is a jump to BIOS (or) Power-On-Self-Test HW detect
Load interrupt vector table
Find bootable MBS
Copy MBS to 0x7C00 - RAM

12 MBS Structure
Byte offsets (hex, start – end) within the sector:
000 – 1BD  Boot code – Master Boot Record, MBR
1BE – 1CD  1st Partition Entry
1CE – 1DD  2nd Partition Entry
1DE – 1ED  3rd Partition Entry
1EE – 1FD  4th Partition Entry
1FE – 1FF  Sector signature = 0x55 0xAA

Byte offsets (hex, start – end) within each partition entry:
00 – 00  Bootable flag: 0x80 – bootable, 0x00 – not bootable
01 – 03  Starting CHS Address – (C, H, S)
04 – 04  Partition type – 0x83 = linux, 0x82 = swap
05 – 07  Ending CHS Address
08 – 0B  Starting LBA Address
0C – 0F  Size in Sectors

14 Booting Cont'd
Move MBR to 0x9000 and execute

Don't go to jail or get sued.

9 Computer Foundations
bin-to-hex and back again
Big/little endian confusion
Data structures
Allocation of “space” to a data structure
bit, byte, etc.

Written consent to proceed: business plan or policy or memo.
Important
Maintain chain of custody
A casual exam request from your boss can result in legal stuff
At first conduct a liturgical exam.

This Part of the Course will cover
Hard disk imaging: dd and NIST standards
Volume Analysis: Disk layout, Partitions
File system analysis: FAT, NTFS, ext2, ext3, UFS1, UFS2

Investigation of block devices that contain digital information
Procedures that will maintain the integrity of the digital evidence
Analysis of the condition and content of the block device that will permit the reconstruction of an incident or use

Last Accessed: October 27, 2004
Cluster 344
Cluster 345
Today, the Yankees won the World Series.

System Preservation Phase
Evidence Searching Phase
Event Reconstruction Phase
courtesy Priscilla

4 Layers of Analysis
Application/OS Analysis
Swap Space Analysis
Database Analysis
File System Analysis
Memory Analysis
Volume Analysis
Network Analysis
Physical Storage Media Analysis

5 Finding a File
Name: miracle.txt
Cluster: 345
Size: 40

Hard drive imaging
Volume structure & analysis
File system structure & analysis
Tools
Case studies

Acquisition of information on digital devices
Rigid recipe
Investigation of digital devices and digital data for evidence of
a crime or violation of stated policy committed by the computer
a crime or violation of stated policy against the computer
a crime or violation of stated policy using the computer
accidental or intentional destruction or corruption of data
Preparation for trial
Documentation of evidence
Proof the evidence has not been altered

Presentation on theme: "Computer/Digital Forensics" - Presentation transcript:
