
Dr. Zunera Jalil
Email: zunera.jalil@mail.au.edu.pk
How Hard Disk Works? (video)
Understanding File System 3

FILE
• A collection of data or information that has a name is called a file. Almost all
information stored in a computer must be in a file. There are many different types of files:
data files, text files, program files, directory files, and so on. Different types of files store
different types of information. For example, program files store programs, whereas text
files store text.
FILE ALLOCATION TABLE (FAT)
• A table that the OS uses to locate files on a disk. Due to fragmentation, a file may be
divided into many sections that are scattered around the disk. The FAT keeps track of all
these pieces. FATs are stored just after the boot sector. The FAT system for older versions
of Windows 95 is called FAT16, and the one for newer versions of Windows 95 and Windows
98 is called FAT32.
Understanding File System.. 4

• To protect the volume, two copies of the table are kept, in case one
becomes damaged. The file allocation tables must also be stored in a fixed
location so that the files needed to start the system can be correctly
located.
• The file allocation table contains the following types of information about
each cluster on the volume:
  – Unused (0x0000)
  – Cluster in use by a file
  – Bad cluster (0xFFF7)
  – Last cluster in a file (0xFFF8-0xFFFF)

• There is no organization to the FAT folder structure, and files are given the
first available location on the volume. The starting cluster number is the
address of the first cluster used by the file.
Understanding File System… 5

• The FAT entry for each cluster contains a pointer to the next cluster in the file, or an indication
(0xFFFF) that this cluster is the end of the file. These links and end-of-file
indicators are shown in the illustration (not reproduced here).
• The illustration shows three files. The file File1.txt is large enough to
use three clusters. The second file, File2.txt, is a fragmented file that also
requires three clusters. A small file, File3.txt, fits completely in one cluster. In
each case, the folder entry points to the first cluster of the file.
Understanding File System… 6

LOST CLUSTER
• Also called a Lost Allocation Unit, or a Lost File Fragment. A data fragment
that does not belong to any file, and, therefore, is not associated with a
file name in the FAT.
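The chain walk and the lost-cluster check these slides describe, as an added example that is not part of the original lecture; the FAT table, the cluster numbers and the three file names are constructed to match the illustration, and the bad cluster and the orphaned cluster are assumed extras:

```python
# Added example (not from the slides): a toy FAT16 table holding the three
# files from the illustration, the chain walk that the OS performs when it
# reads a file, and a check for lost clusters. All values are constructed.
FREE, BAD = 0x0000, 0xFFF7
EOC = range(0xFFF8, 0x10000)          # 0xFFF8-0xFFFF mark the last cluster of a file

def build_fat(total_clusters=16):
    """Return a FAT16 list: entries 0 and 1 are reserved, data clusters start at 2."""
    fat = [FREE] * total_clusters
    fat[0], fat[1] = 0xFFF8, 0xFFFF   # media descriptor / reserved entries
    fat[2], fat[3], fat[4] = 3, 4, 0xFFFF   # File1.txt: contiguous 2 -> 3 -> 4
    fat[5], fat[7], fat[9] = 7, 9, 0xFFFF   # File2.txt: fragmented 5 -> 7 -> 9
    fat[6] = 0xFFFF                          # File3.txt: fits in cluster 6
    fat[8] = BAD                             # a cluster marked unusable
    fat[10] = 0xFFFF                         # in use, but no directory entry points here
    return fat

def walk_chain(fat, start):
    """Follow the cluster links from a directory entry's starting cluster."""
    chain, cur = [], start
    while True:
        if cur in chain:                     # cross-linked or looping chain: stop
            raise ValueError(f"loop at cluster {cur}")
        if cur < 2 or cur >= len(fat) or fat[cur] in (FREE, BAD):
            raise ValueError(f"chain broken at cluster {cur}")
        chain.append(cur)
        nxt = fat[cur]
        if nxt in EOC:
            return chain
        cur = nxt

def lost_clusters(fat, start_clusters):
    """Clusters marked in use that no directory entry's chain reaches."""
    reachable = set()
    for start in start_clusters:
        reachable.update(walk_chain(fat, start))
    return [c for c in range(2, len(fat))
            if fat[c] not in (FREE, BAD) and c not in reachable]

if __name__ == "__main__":
    fat = build_fat()
    directory = {"File1.txt": 2, "File2.txt": 5, "File3.txt": 6}
    for name, start in directory.items():
        print(name, walk_chain(fat, start))
    print("lost clusters:", lost_clusters(fat, directory.values()))
```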
FRAGMENTATION
• Fragmentation refers to the condition of a disk in which files are divided
into pieces scattered around the disk. Fragmentation occurs naturally
when you use a disk frequently, creating, deleting, and modifying files. At
some point, the operating system needs to store parts of a file in non-contiguous
clusters.
• This is entirely invisible to users, but it can slow down the speed at which
data is accessed because the disk drive must search through different
parts of the disk to put together a single file.
Understanding File System… 7

FAT16
• Also called 16-bit FAT, the File Allocation Table (FAT) for a floppy disk. The
locations of files on a floppy disk are listed in a one-column table in the
FAT. Because the width of each entry in the column is 16 bits,
the FAT is called FAT16. FAT16 supports disks up to 16MB.
FAT32
• A version of the FAT available in Win 95 and Win 98. FAT32 increases the
number of bits used to address clusters and also reduces the size of each
cluster. The result is that it can support larger disks (up to 2 TB) and better
storage efficiency (less slack space).
Understanding File System… 8

exFAT
• exFAT, first introduced in 2006, is yet another file system created
by Microsoft, although it is not the "next" FAT version after
FAT32. exFAT is primarily intended to be used on portable media
devices.
• exFAT officially supports portable media storage devices up to
512 TB in size but theoretically could support drives as large as
64 ZB, which is considerably larger than any media available as
of this writing.
• The exFAT file system is supported by almost all recent versions
of Windows and Mac OS X, as well as by many TV, media, and
other devices.
Understanding File System… 9

Master File Table in NTFS

• NTFS, short for NT File System, is one of the file systems for the Windows NT OS (Windows
NT also supports the FAT file system).
• NTFS has features to improve reliability, such as transaction logs to help
recover from disk failures. To control access to files, you can set
permissions for directories and/or individual files. NTFS files are not
accessible from other OSs such as DOS.
• For large applications, NTFS supports spanning volumes, which means files
and directories can be spread out across several physical disks. The data
stored in the MFT is what the OS needs to retrieve the files. For example, it
contains file permissions, the name and size of the file, the date and time
it was created and the date and time it was modified.
File System and the Operating System 10

• The file system depends first on the operating system that you are using.
• In general, the more recent the operating system, the greater the
number of file systems it will support. Under DOS and the first versions of Windows 95,
FAT16 is required.
  – Starting with the newer versions of Windows 95, you can choose between the FAT16 and FAT32 file systems.
  – If the partition size is greater than 2GB, then FAT16 file systems are excluded and you
need to use the FAT32 system (or modify the size of the partition).
  – Below this limit, FAT16 is recommended.


File System and the Operating System 11

NTFS reserves the first 16 records in the MFT for special metadata files, listed
below:

Record 0: metadata about the MFT itself
Record 1: the MFT mirror record, which is a copy of the first 16 records of the MFT
Record 2: the NTFS volume logging file
Record 3: volume partition information, such as its name, NTFS version and creation date
and time
Record 4: metadata regarding the NTFS file attributes used on the volume
Record 5: a pointer to the volume root directory
Record 6: a map displaying which clusters on the volume are available for use
File System and the Operating System 12

Record 7: a copy of the volume boot code
Record 8: a list of all the volume clusters that have been marked as
unusable because of detected errors
Record 9: a table of disk quotas for NTFS 5.0 or later
Record 10: information for converting files to Unicode
Records 11-15: reserved for future metadata

The 17th record and those following it contain the information for each file and
directory on the NTFS volume. Space is kept after the reserved records so that the MFT
can grow as files are added to the volume without becoming excessively fragmented.
Other File Systems 13

• High Performance File System (HPFS)
  – Supported by OS/2, builds on the directory organization of FAT
• Hierarchical File System (HFS)
  – Mainly used in older versions of Mac OS
• Universal Disk Format (UDF)
  – Used for DVDs and some CDs
• Unix File System
• Compact Disk File System
• ...
Understanding the Clusters 14

• In Microsoft file structures, sectors are grouped to form clusters
  – A storage allocation unit of one or more sectors
• Clusters range from 512 bytes up to 32K bytes each
• Combining sectors minimizes the overhead of writing or
reading files to a disk
Understanding the Clusters 15

• Clusters are numbered sequentially starting at 0 in NTFS and 2
in FAT
  – The first sector of all disks contains a system area, the boot
record, and a file structure database
• The OS assigns these cluster numbers, called logical addresses
  – Sector numbers are called physical addresses
• They range from 0 (first sector) to the last sector
• Clusters and their addresses are specific to a logical disk drive,
which is a disk partition
Understanding the Clusters 16

• Cluster sizes vary according to the hard disk size and file system. For FAT32
file systems, cluster sizes are determined by the OS. Clusters can range
from 1 sector consisting of 512 bytes to 128 sectors of 64 KB.
• Microsoft OSs allocate disk space for files by clusters.
  – This practice results in drive slack, composed of the unused space in a
cluster between the end of an active file's content and the end of the
cluster.
  – Drive slack includes RAM slack (found mainly in older Microsoft OSs)
and file slack.
• In newer Windows OSs, when data is written to disk, the remaining RAM
slack is zeroed out and contains no RAM data.
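The drive-slack arithmetic these bullets describe, as an added example that is not from the slides; the 512-byte sector, the 8-sector cluster and the 5,000-byte file are constructed values:

```python
# Added example (not from the slides): split the drive slack of one file into
# RAM slack (end of data to end of its last sector) and file slack (unused whole
# sectors up to the end of the last cluster). Sizes below are constructed.
SECTOR = 512

def slack(file_size, sectors_per_cluster):
    """Return the allocation and the two slack regions for one file."""
    cluster = SECTOR * sectors_per_cluster
    clusters_used = max(1, -(-file_size // cluster))   # ceiling division
    sectors_used = -(-file_size // SECTOR)
    allocated = clusters_used * cluster
    ram_slack = sectors_used * SECTOR - file_size      # tail of the last written sector
    file_slack = allocated - sectors_used * SECTOR     # sectors never written by this file
    return {"clusters": clusters_used, "allocated": allocated,
            "ram_slack": ram_slack, "file_slack": file_slack,
            "drive_slack": ram_slack + file_slack}

if __name__ == "__main__":
    # a 5,000-byte file stored in 4 KB clusters (8 sectors per cluster)
    print(slack(5000, 8))
```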
Examining File Slack & RAM Slack 17-19 (illustrations only)
File System and the Operating System 20 (illustration only)
Disk Partitions 21

• A partition is a logical drive
  – Windows can have 3 primary partitions followed by an extended
partition
    • which contains one or more logical drives
• Hidden partitions: large unused gaps between partitions on a
disk
Deleting FAT Files 22

• In Microsoft OSs, when a file is deleted:
  – The directory entry is marked as a deleted file
    • with the 0xE5 character replacing the first letter of the filename
  – The FAT chain for that file is set to 0
  – The data in the file remains on the disk drive
  – The area of the disk where the deleted file resides becomes
unallocated disk space
    • available to receive new data from newly created files or other
files needing more space
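The deleted-entry marking described above, as an added example that is not part of the lecture: constructed 32-byte FAT directory entries are decoded, entries whose first byte is 0xE5 are flagged, and, since the FAT chain has been zeroed, the clusters a deleted file occupied are estimated by assuming it was contiguous (the file names, sizes and cluster numbers are made up):

```python
# Added example (not from the slides): parse 8.3 FAT directory entries, flag
# deleted ones (first byte 0xE5) and estimate the clusters a deleted file held.
import struct

# name+ext (11), attributes (1), 14 bytes of times/dates/high cluster word,
# first cluster (low word), file size
ENTRY = struct.Struct("<11sB14xHI")
DELETED = 0xE5

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed entry; a deleted one gets 0xE5 as its first byte."""
    raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    return ENTRY.pack(raw, 0x20, first_cluster, size)

def parse_entry(raw):
    """Decode one entry; the first character of a deleted name is unrecoverable."""
    name, attr, first_cluster, size = ENTRY.unpack(raw)
    deleted = name[0] == DELETED
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]            # 0xE5 overwrote the real first letter
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "first_cluster": first_cluster, "size": size, "attr": attr}

def estimate_clusters(entry, cluster_size):
    """With the FAT chain zeroed, assume the file was contiguous from its start
    cluster; the data is only there if those clusters were not reused since."""
    count = -(-entry["size"] // cluster_size)        # ceiling division
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))

if __name__ == "__main__":
    root = [make_entry("REPORT", "DOC", 2, 10000),
            make_entry("NOTES", "TXT", 7, 5000, deleted=True)]
    for raw in root:
        e = parse_entry(raw)
        print(e, estimate_clusters(e, 4096) if e["deleted"] else "")
```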
Coexistence of several File Systems 23

• Since the file system is tightly coupled to the operating system,
when there are several operating systems there can be a file
system for each, bearing in mind that it is possible that data
from one operating system may be accessed from another.
  – One solution would be to use FAT16 partitions for all the systems,
making sure that the partitions are no larger than 2 GB.
  – The most appropriate solution would be to use for each OS a
partition whose file system is best suited to it.
Difference between File Systems- FAT 16 24

• Operating systems that organize files under the FAT file system
represent logical areas of the disk in allocation units called clusters, and
map the locations of file data to those areas using a file allocation table
(FAT).
• FAT is also called FAT16 because it uses a 16-bit address space for tracking
files and clusters.
• FAT cluster sizes vary with the size of the disk.
• FAT's 16-bit address space can support up to 65,536 clusters.
• With a 65MB disk, clusters were just 1KB in size, but they ballooned as
disks emerged that were able to hold gigabytes of data. And since only a
single file can be written to a cluster, this created inefficiencies that
ended up wasting as much as 50% of available space on a 2GB disk
drive.
Difference between File Systems- FAT 32 25

• FAT32 debuted with Windows 95 OEM Service Release 2 (OSR2) and introduced a
32-bit address space. By increasing the size of the file allocation table, it
could support more clusters that were smaller in size on large disk drives,
reducing the potential for wasted drive space.
• Another FAT32 innovation was that it could handle file names with up to
255 characters, whereas FAT could only handle names with up to eight
characters. Users could finally create long file names to better describe
the contents.
• The advent of FAT32 extended the maximum addressable volume size
from 2GB to 2TB and improved reliability by allowing the system to switch
to a copy of the file allocation table if the default copy should become
damaged. But FAT32 also added to file system overhead and was
therefore inefficient to run on disks smaller than 260MB.
Difference between File Systems- NTFS 26

• The next development in Windows file systems was the New Technology
File System (NTFS), introduced with Windows NT4 (which also supported
FAT32).
• With a 64-bit address space and the ability to vary cluster size
independently of the disk drive size, NTFS virtually eliminated the cluster
size limitation problem.
  – It also brought other benefits, including file and directory security attributes, file
encryption and support for storage volumes of up to 16TB.
  – NTFS replaced the familiar file allocation table format with the Master File Table
(MFT), which holds more information about files than did FAT. The MFT
references all files and directories on the disk drive, including associated
metadata such as security settings.
Difference between File Systems- NTFS 27

• NTFS also introduced a high level of fault tolerance.
• It logs disk operation activity prior to committing the transaction.
  – If the system crashes during an update, it can examine the log file and restore
the data.
  – When read or write errors occur during normal operation, NTFS automatically
identifies and blocks out the bad clusters and copies the data to a new
location. Finally, NTFS creates a mirror of the MFT and can revert to the mirror
should the original fail.
Difference between File Systems- NTFS 28

• NTFS's overhead makes it unsuitable for disks smaller than 400MB, and it
can't be used on floppy disks. Instead, Windows must write to formatted
diskettes using FAT32.
Difference between File Systems- Ext2 & Ext3 29

• Ext supported 2GB file systems and 255-character file names but suffered
from some performance limitations. Ext2 supports 4TB file systems and
255-character file names and remedies those problems.
• The Ext2 architecture uses a data structure called identification nodes
(inodes) to refer to and locate files and associated data. The inode table
includes the file type, size, access rights, pointers to associated data
blocks and other attributes.
• The file system organizes disk space into groups of blocks, which contain
both inode information and the associated data blocks.
Difference between File Systems 30

• The Linux kernel uses the Virtual File System layer, which interacts
with the file system to perform disk I/O.
• This gives Linux the ability to support multiple file systems,
including DOS, FAT16 and FAT32 (which it supports as a native
file system)
File Attributes and Meta Data 31

File Attributes
• Every file has a name and its data. In addition, all operating
systems associate other information with each file. For example,
the date and time the file was last modified and the file's size.
We will call these extra items the File's Metadata.
File Attributes and Meta Data 33

• Name consisting of the path from the root directory to the file. For
example, the path /usr/ast/mailbox means that the root directory contains
a subdirectory usr, which in turn contains a subdirectory ast, which
contains the file mailbox.
• In UNIX the components of the path are separated by /.
• In Windows the separator is \.
• Thus the same path name would be written as follows in each
system:
  – Windows \usr\ast\mailbox
  – UNIX /usr/ast/mailbox
File System Implementation 34

• File systems are stored on disks. Most disks are divided up into several partitions.
• Sector 0 is called the MBR (Master Boot Record) and is used to boot the computer.
• The end of the MBR contains the partition table, which gives the starting and ending
addresses of each partition.
• The first thing the MBR program does is locate the active partition, read in its first block,
called the boot block, and execute it.
• One of the partitions is marked as active. When the computer is booted, the BIOS reads
in and executes the MBR.
• The program in the boot block loads the operating system contained in that partition. For
uniformity, every partition starts with a boot block, even if it does not contain a bootable
operating system.
• Other than starting with a boot block, the layout of a disk partition varies a lot from file
system to file system.
Implementing Files / File Allocation / File Storage Methods 35

• The contiguous allocation method requires each file to occupy a set of
contiguous blocks on the disk.
• Disk addresses define a linear order on the disk.
• The file allocation table needs just a single entry for each file showing the
starting block and the length of the file.
• The blocks assigned to a file are of variable size.
Implementing Files / File Allocation / File Storage Methods 36

Linked List Allocation (Chained Allocation)
• Linked list allocation solves all the problems of contiguous allocation. With linked
allocation each file is a linked list of disk blocks; the disk blocks may be scattered
anywhere on the disk.
• Each block contains a pointer to the next block in the list.
• The selection of blocks is now a simple matter.
• Any free block can be added to the list.
HEX Editor 37

A hex editor is a powerful application used as a tool for data analysis
and recovery, and as a forensics tool for evidence gathering. It displays
three columns: an address, a 16-byte hex display, and a 16-character
text display.
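The three-column view just described, as an added example that is not from the lecture or from any particular hex editor; the sample bytes are constructed:

```python
# Added example (not from the slides): a minimal version of the hex editor's
# three columns: address, 16 bytes as hex, and the same 16 bytes as text.
def hex_lines(data, width=16, base=0):
    """Return one line per `width` bytes; bytes outside printable ASCII show as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08X}  {hexpart}  {text}")
    return lines

if __name__ == "__main__":
    # constructed sample: an 8.3 name field followed by a few non-printable bytes
    sample = b"README  TXT" + bytes([0x20, 0x00, 0xE5, 0xFF, 0xF8, 0x00])
    print("\n".join(hex_lines(sample)))
```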
Structure of a Generic MBR 39

• The MBR location starts with the very first sector of a physical disk. To be more
precise, at the physical/absolute sector 0 (0x00).
• There is a difference between physical/absolute sector number and a logical sector
number.
• To locate the MBR at the beginning of your hard disk, you need to go to the actual
first sector of the disk, the absolute sector 0.
• Relative sector numbers apply when you open a logical drive or partition. In that
case, sectors 0, 1, 2, etc. might actually be sectors 1024, 1025, 1026, etc. on the actual
disk.
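The MBR layout and the relative-versus-absolute sector mapping described on this slide and on slide 34, as an added example that is not from the lecture; the partition layout (an active partition starting at absolute sector 1024, followed by a second one) is constructed, while the 446-byte table offset, the 16-byte entry format and the 0x55AA signature are the standard MBR values:

```python
# Added example (not from the slides): build a constructed 512-byte MBR, parse
# its partition table and translate a partition-relative sector to an absolute one.
import struct

# status, CHS start, type, CHS end, LBA of first sector, number of sectors
ENTRY = struct.Struct("<B3sB3sII")
TABLE_OFFSET, SIGNATURE = 446, b"\x55\xAA"

def make_mbr(entries):
    """Assemble an MBR: empty boot code area, up to four entries, 0x55AA signature."""
    table = b"".join(ENTRY.pack(st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\0") + SIGNATURE

def partition_table(mbr):
    """Return the non-empty partition entries; reject a sector without the signature."""
    if len(mbr) != 512 or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = ENTRY.unpack(mbr[off:off + 16])
        if ptype:                                   # type 0 means an unused slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "first_sector": lba, "last_sector": lba + count - 1})
    return parts

def absolute_sector(parts, index, relative):
    """Relative sector n of a partition is absolute sector first_sector + n."""
    p = next(p for p in parts if p["index"] == index)
    if relative > p["last_sector"] - p["first_sector"]:
        raise ValueError("sector lies outside the partition")
    return p["first_sector"] + relative

if __name__ == "__main__":
    # constructed layout: a bootable NTFS partition (type 0x07) at sector 1024,
    # then a FAT32 LBA partition (type 0x0C) right after it
    mbr = make_mbr([(0x80, 0x07, 1024, 204800), (0x00, 0x0C, 205824, 102400)])
    parts = partition_table(mbr)
    for p in parts:
        print(p)
    print("relative sector 2 of partition 0 is absolute sector",
          absolute_sector(parts, 0, 2))
```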
Hiberfil.sys 40

• Hibernate mode conserves power by writing the information in
memory out to the hard drive and essentially shutting down.
• The benefit is that bringing the PC back up is much quicker than
bringing it up from a fully off state.
  – hiberfil.sys is a file the system creates when the computer goes into
hibernation mode.
  – Hibernate mode uses the hiberfil.sys file to store the current state
(memory) of the PC on the hard drive, and the file is used when
Windows is turned back on.
• Forensic investigation of memory dumps, the pagefile and hiberfil files
can provide a lot of information.
Reading Task for Quiz 2 (Scheduled on 5/11/20) 41

1. Ten Deadly Sins of Computer Forensics
2. Using the object ID index as an investigative
approach for NTFS file systems
3. A comparison of machine learning techniques
for file system forensics analysis

All files can be downloaded from GCR

Explore for Assignment 2 42

• https://mh-nexus.de/en/hxd/
• https://www.youtube.com/watch?v=L3BwXbRDQM4
• http://www.flexhex.com/docs/howtos/hex-editing.phtml