Exam 2 Flashcards Preview

Flashcards in Exam 2 Deck (64)
1
Q

MBR

A

Master Boot Record.
Method of organizing a hard drive.
Located in sector 0.
Disk Signature at offset 440.
Beginning at offset 446 there is a partition table with 4 16-byte entries.
MBR signature at offset 510.
Ends in 55 AA.
Only allows for ~2TB.

2
Q

GPT

A

GUID Partition Table.
Began with Windows 2003.
Up to 128 partitions.

3
Q

GUID

A

Global Unique Identifier.
16-byte (128-bit) number.
{4 LE - 2 LE - 2 LE - 2 BE - 6 BE}.
Usually unique.

4
Q

Protective MBR

A

Legacy MBR.
Physical sector 0.
Partition type EE.
Non-bootable.
First 446 bytes are bootstrap/boot code.
Partition table at offset 446 with a single record entry.
4-byte serial number at offset 440.
No back-up.

5
Q

Protective MBR: Purpose

A

Prevents drive from being overwritten when connected to older operating systems.

6
Q

GPT Header

A

Physical sector 1.
92 bytes.
Contains GUID.
Indicates number of usable sectors on drive.

7
Q

GPT Partition Tables

A

Physical sectors 2-33.
No CHS values, only LBA.
Each entry is 128-bits, and there can be 128 entries.
No extended partitions.

8
Q

MSR

A

Microsoft Reserved Partition.
Automatically created as 128 MB for drives > 16 GB.
32 MB for drives < 16 GB.

9
Q

GPT Back-up

A

Header indicates sector containing back-up copy.
Always last addressable sector of drive.
Partition table backed up 33 sectors from end of drive.
To back-up, sector references just need to be reversed.

10
Q

GPT Structure

A

Sector 0: Protective MBR.
Sector 1: GPT Header.
Sectors 2-33: Partition Table.
Back-up located 33 sectors from end of drive.
Back-up stacked in reverse from original.

11
Q

Physical Structures

A

MBR.
GPT.
Sectors.

12
Q

File System

A

File organizational method.
Controls how files are named and stored.
May also be responsible for managing file ownership, encryption, and security.

13
Q

Cluster

A

Smallest logical unit that can be written or read by the operating system.
Made up of one or more contiguous sectors.
Size varies based on size of the volume.
If not one, even number of clusters.
One file per cluster.

14
Q

FAT

A

Oldest Windows file system.
No longer used on hard drives.
Still used on flash drives.

15
Q

VBR

A

Volume Boot Record.
Logical structure.
First sector of a partition.
At least one sector in length.
Contains reference info:
# of sectors per cluster.
Total # of sectors in partition.

16
Q

FAT 12 and FAT 16

A

FAT 12 can manage 2^12 clusters.
FAT 16 can manage 2^16 clusters.
VBR is single sector, no back-up.
2 copies of FAT.

17
Q

FAT 32

A

Can manage 2^28 clusters.
VBR has 6 sectors.
Back-up VBR immediately after first copy.
First sector similar to FAT 12/16.
First 36 bytes identical to FAT 12/16.
2 copies of FAT.

18
Q

FAT 32 VBR Structure

A

6 sectors.
First sector identical to FAT 12/16 VBR.
Second sector is FS INFO (File System Information).
Third sector only has a signature at offset 510 (55AA).
Sectors 4-6 are blank with no signature.
Back-up VBR follows directly behind original.

19
Q

Uses of VBR

A

If partitions are deleted, they can be rebuilt from VBR.

Can be done in both MBR and GPT partitioning schemes.

20
Q

Formatting

A

Process of setting the System Area and Data Area of a partition by writing a VBR and zeroing out the File Allocation Table and the Root Directory.

21
Q

System Area

A

Area of the partition containing file system information.

22
Q

Data Area

A

Area of the partition where the contents of files and folders are written.

23
Q

FAT 12/16 Structure

A

System Area: VBR/FAT/Root Directory.

Data Area.

24
Q

FAT 32 Structure

A

System Area: VBR/FAT.

Data Area: Root Directory.

25
Q

FAT Root Directory

A

32 bytes of information.
Contains file names, location, file size, and dates.
Standard entry up to 8 characters plus 3 for extension.

26
Q

Subdirectories

A

Same structure as the Root Directory.
Hold 32-byte entries.
All have the same first two entries: "." and "..".
Dot "." points to current location.
Dot Dot ".." points to parent directory.

27
Q

LFN

A

Long File Name.
More than 8 characters (plus 3 for extension).
After Windows 95 names could have 255 characters.
32-byte structure.
Names stored in Unicode, so there are 2-bytes per character.

28
Q

SFN

A

Short File Name.
8 characters or less (plus 3 for extension).
Created for LFN when older systems are used.
First 6 valid SFN characters are taken, then a ~, then a number is added.
All characters converted to uppercase.

29
Q

LFN and SFN Creation

A

First SFN is created.
Then LFN is added going up.
First 32 before SFN is beginning of file.

30
Q

Quick Format

A

Data is not erased.

31
Q

Structure Analogy

A

Drive: Book.
Partition: Story.
Cluster: Page.
Sector: Paragraph.

32
Q

File Slack

A

RAM Slack.

Residual Slack.

33
Q

RAM Slack

A

Space from the end of a file to the end of the sector.

Current systems fill this space with zeroes.

34
Q

Residual Slack

A

Space from the end of the last occupied sector to the end of the cluster.
Also called Disk Slack.
Can potentially contain data from a previous file.

35
Q

FAT File Tracking

A

FAT 12/16 2-byte reference to cluster location.

FAT 32 4-byte reference to cluster location.

36
Q

Cluster Reference Types

A

0x00 00 00 00: Unused.
0x00 00 00 01: Reserved.
0x00 00 00 02 - 0x0F FF FF F6: Cluster Number.
0x0F FF FF F7: Bad Cluster.
0x0F FF FF FF: End of File.

37
Q

FAT Allocation Table

A

Entry 0 (first 4 bytes): Media Descriptor.
Entry 1 (second 4 bytes): Reserved.
Entry 2 (third 4 bytes): Root Directory (FAT32).
Entry 3 (fourth 4 bytes): Cluster references begin.

38
Q

Media Descriptor

A

First 4 bytes of FAT Allocation Table.
Either floppy or hard disk.
Typically 0xF8 FF FF 0F.

39
Q

Contiguous Clusters

A

Clusters next to each other.

40
Q

Fragmented Clusters

A

Clusters not next to each other.

41
Q

Writing a File

A

32-byte directory entry created.
Data written to available clusters.
FAT 1 updated.
FAT 2 updated.

42
Q

Deleting a File

A

First character of name changed to 0xE5.
FAT 1 zeroed out.
FAT 2 zeroed out.
(Data is still there until overwritten).

43
Q

Deleted File Recovery: Steps

A

Change first character of name to 0x5F (_).
Change FAT cluster references to point to required numbers including EOF.
Make changes in both FATs.

44
Q

Deleted File Recovery: Needed Information

A

Get starting cluster from directory entry.
Get number of sectors per cluster from VBR.
File size from directory entry.
Calculate number of clusters needed per file.

45
Q

Deleted Partition Recovery

A

Find a VBR through File Systems (FAT, DOS) or 55 AA.

46
Q

MBR Recovery

A

Locate VBR.
Need Partition Type code.
Starting sector (of VBR).
Number of sectors (found in VBR).
55 AA signature.

47
Q

VBR Back-up

A

Two copies in FAT 32.

Backup is 6 sectors after original.

48
Q

GPT Recovery: Needed Items

A

When a partition is deleted, the entries below it are moved up.
VBR.
Number of sectors in partition.
Starting sector.
Ending sector.
Partition Type GUID.

49
Q

GPT Recovery: Starting Sector

A

Search VBR and find the sector it starts in.

From VBR you can get number of sectors in partition, then determine ending sector.
(Starting sector + # of sectors - 1).

50
Q

GPT Recovery: Ending Sector

A

Starting sector + number of sectors - 1.

51
Q

GPT Recovery: VBR

A

Search for VBR using file system types (FAT, DOS).

52
Q

GPT Recovery: Steps

A

Locate VBR.
Obtain needed info.
Insert 128-byte partition entry into table in proper order.
Copy any other partition entry in recovered position.
Delete unique GUID and update starting and ending sectors.

53
Q

GPT Recovery: Full Partition Structure Deletion

A

Recreate Protective MBR with partition type EE.
Starting sector: 01.
Number of sectors: FFFFFFFF.
Signature: 55AA.

54
Q

MBR Partition Table Info

A

Bootable or not.
Partition Type.
Starting LBA.
Number of sectors in partition.

55
Q

VBR Recovery

A

Need partition type code.
Starting sector.
# of sectors.
55 AA.

56
Q

FAT12/16 Root Directory

A

Part of system area.
Limited amount of data that could be used.
Fixed size.

57
Q

FAT32 Root Directory

A

Part of data area.

Size not fixed so can accommodate more data.

58
Q

Partition Types

A

06 FAT16.

0B FAT32.

59
Q

VBR Offsets

A

Offset 11, 2 bytes: # of bytes per sector (always 512).

Offset 13, 1 byte: # of sectors per cluster.

60
Q

Calculate Cluster Size

A

# of sectors per cluster x 512.

61
Q

Calculate # of Clusters per File

A

File size / bytes per cluster.

Round up.

62
Q

Calculate File Slack

A

Bytes per cluster x # of clusters = total size of clusters.
Total size of clusters - file size = total File Slack.

63
Q

Calculate RAM Slack

A

If total File Slack is > 512, subtract 512 to get RAM slack.

If it is < 512, RAM slack is just that number.

64
Q

Calculate Residual Slack

A

If total File Slack is > 512, subtract 512 until it is < 512 to get RAM slack.
Then Total Slack - RAM Slack = Residual Slack.