
Disk & Volume
Digital Forensics
UNLEASH

Acquisition
The process of acquiring a forensically sound image.

Acquisition

• Forensic Image: a bitstream copy of the original evidence.
• For this image to be a copy and the legal equivalent of the original, it must represent a duplicate image of the original. Every single bit on the original must be replicated.
• Acquisition: to acquire data stored on a storage device as an image in a forensically sound manner.
• Write blocking device (hardware / software) is used during acquisition to prevent altering data stored on the device. Remember the ACPO guidelines?
• Hash value is used to verify the image after acquisition.
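The acquire-then-verify workflow above, as an added Python example (not code from the slides): the source is read bit for bit into an image file while MD5 and SHA-256 are computed, then the written image is re-hashed and compared. The in-memory "evidence" bytes and the temporary image path are constructed; on a real device the source would sit behind a write blocker.

```python
# Added example (not from the slides): bitstream acquisition of a source into
# an image file, hashing on the fly and re-hashing the written image to
# verify that every bit was replicated. The evidence bytes are constructed.
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size, a multiple of the 512-byte sector

def acquire(src, image_path):
    """Copy src (file-like, opened read-only) bit for bit into image_path and
    return the MD5 and SHA-256 of everything read from the source."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(image_path, "wb") as out:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            out.write(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify(image_path, expected):
    """Re-read the image from disk and confirm both digests match the ones
    computed from the source during acquisition."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return (md5.hexdigest() == expected["md5"]
            and sha256.hexdigest() == expected["sha256"])

def demo():
    """Image four constructed 512-byte sectors, verify the image, then show
    that a tampered expected hash is rejected."""
    evidence = b"".join(bytes([i]) * 512 for i in range(4))
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        hashes = acquire(io.BytesIO(evidence), path)
        ok = verify(path, hashes)
        tampered = verify(path, dict(hashes, sha256="0" * 64))
        return hashes, ok, tampered
    finally:
        os.remove(path)
```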
Copyright © 2022 Ivan Chow, Karson Chan & Ricci IEONG, Information Security and Forensics Society
Performing a forensically sound acquisition

▪ FastBloc is a write blocker brand name under Tableau.
▪ FastBloc SE is the FastBloc Software Edition bundled under EnCase Forensic.
▪ FastBloc SE can be used even without the EnCase License.
▪ Only plug in your USB drive when you see the green bar under “Waiting for PnP device insertion”.
▪ In the above figure, you can see the JetFlash is now in “Write Blocked” mode and mounted as F:\
▪ Try to find out the difference between the “Write Blocked” and “Write Protected” modes and suggest what the corresponding use cases would be.
Hard Disks
A basic understanding of storage devices.
How does it work?
Understanding the mechanism of hard disks
How it works

• A hard disk consists of a series of magnetized platters revolving at speeds ranging from 4,200 to 15,000 revolutions per minute (RPM).
• Platters are accessed by heads as they spin.
• The heads can read or write, detecting or creating microscopic changes in polarity.

How it works

(Figure from Windows Internals, 6th Edition)

How it works

• CHS System (Cylinder / Head / Sector)
• 1 sector = 512 bytes (the smallest amount of space on a drive that can be written to at a time)
• Cluster: group of sectors
• Track: the thin concentric circular strips of sectors.
• For older hard drives, the number of sectors on each track remains the same.
• To calculate the total number of bytes on a hard drive: C x H x S x 512 bytes

How it works

• Zoned-Bit Recording: the number of sectors per track varies in zones, with the outer zones containing more sectors per track → improved data storage capacities.
• New address scheme: Logical Block Addressing
• Sectors are addressed simply by sector number, starting with sector zero.
• Total storage: Total LBA sectors x 512 bytes

(Figure: http://www.pcguide.com/ref/hdd/geom/tracksZBR-c.html)

Types of Hard Disk

1) ATA: Advanced Technology Attachment
2) SATA: Serial Advanced Technology Attachment
3) SCSI: Small Computer Systems Interface
4) SAS: Serial Attached SCSI

Types of Hard Disk

• Also known as IDE (Integrated Drive Electronics) or PATA (Parallel ATA)
• On the motherboard: primary IDE and secondary IDE
➢ Each can handle two IDE devices (master and slave)
• Supports 8/16-bit interface
➢ ATA-2: transfer up to 8.3MB/s
➢ ATA-6: up to 100MB/s
Types of Hard Disk

• Released in 2001.
• An evolution of the Parallel ATA physical storage interface.
• SATA ports can be found on most modern motherboards.
• Transfer rates:
➢ SATA I: 150 MB/s
➢ SATA II: 300 MB/s
➢ SATA III: 600 MB/s

Types of Hard Disk

• Originated with Apple computer systems. It is also used by PC or UNIX systems.
• A high-speed, high-performance interface used on devices requiring high input/output, such as scanners and hard drives.

(Figure: http://www.yourdictionary.com/scsi-chain)

Types of Hard Disk

• As SATA replaced ATA using a serial bus technology, SAS also replaced SCSI with a point-to-point serial bus technology.
• It enables multiple devices (up to 128 of different sizes and types) to be connected simultaneously with thinner and longer cables.
• Full-duplex signal transmission supports 3.0Gb/s.
• It can be hot-plugged.
Types of Hard Disk

(Source: http://en.wikipedia.org/wiki/Solid-state_drive)

• A solid-state storage device (SSD) uses integrated circuit assemblies as memory to store data persistently.
• SSDs have no moving mechanical components.
• It emulates a hard disk drive interface.

Someone asked in a forensicator mailing list why this SSD cannot be recognized by the write blocker. Any idea why?
Copyright © 2019 Ivan Chow, Karson Chan & Ricci IEONG, Information Security and Forensics Society, The University of Hong Kong
Volume
A basic understanding of logical disks.
Volume

• Volumes are logical storage units that can be assigned drive letters by the operating system.
• Theoretically, Windows operating systems can support up to 24 volumes, using the letters C through Z (A and B for floppy drives).
• MBR manages the volumes on a computer system.

MBR
What is Master Boot Record?
MBR

• Located at the 1st physical sector “PS0” of a hard drive (512 bytes).
• One MBR per hard disk only.
• It locates and loads the boot volume on the system and also manages all the volumes on the system.

MBR layout (from the figure):
➢ Executable Code
➢ Error Messages
➢ Disk Signature: offset 0x01B8
➢ Master Partition Table: 4 entries @ 16 bytes
➢ Signature: 2 bytes, 0x55AA
MBR

Machine Boot Code

• Scans the partition table for the active partition (the boot volume).
• Finds the starting sector of the active partition.
• Loads a copy of the boot sector from the active partition into memory.
• Transfers control to the executable code in the boot sector.

MBR

Disk Signature
• A unique number at offset 0x01B8.
• Identifies the disk to the operating system.
• Windows uses the disk signature as an index to store and retrieve information about the disk in the registry subkey:
➢ (NT) HKEY_LOCAL_MACHINE\SYSTEM\DISK
➢ (2000) HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
• Windows writes it to the disk when you “initialize” the disk.

MBR

• A 64-byte data structure used to identify the type and location of partitions on a hard disk.
• Conforms to a standard layout independent of the operating system.
• The size of each partition table entry is 16 bytes.
• A maximum of 4 entries, at these byte offsets within the sector:
➢ Partition 1: 0x01BE (446)
➢ Partition 2: 0x01CE (462)
➢ Partition 3: 0x01DE (478)
➢ Partition 4: 0x01EE (494)
• Partition type codes can be found here: https://www.win.tue.nl/~aeb/partitions/partition_types-1.html

Offset   Field length   Description
0x00     1 byte         Status of partition (0x80 means active/bootable, 0x00 means inactive)
0x01     3 bytes        CHS address of first absolute sector in partition
0x04     1 byte         Partition type
0x05     3 bytes        CHS address of last absolute sector in partition
0x08     4 bytes        LBA of first absolute sector in the partition
0x0C     4 bytes        Number of sectors in partition
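The partition-table layout above, as an added Python example (not code from the slides): it parses a constructed PS0, checks the 0x55AA signature, reads the disk signature at 0x01B8 and decodes the four 16-byte entries at 0x01BE, 0x01CE, 0x01DE and 0x01EE. The bit packing of the 3-byte CHS fields and the 0xEE type used by a GPT protective MBR are standard MBR facts assumed here, not stated on the page.

```python
# Added example (not from the slides): parse physical sector 0 (PS0) with the
# MBR layout described above. The sample sector is constructed below; the
# 3-byte CHS bit packing and type 0xEE (GPT protective MBR) are standard
# MBR facts not stated on the page.
import struct

SECTOR = 512

def decode_chs(b):
    """Unpack a packed CHS field: byte 0 = head, byte 1 = sector (low 6 bits)
    plus the cylinder's top two bits, byte 2 = cylinder's low 8 bits."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector

def parse_mbr(sector0):
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature: not an MBR")
    disk_sig = struct.unpack_from("<I", sector0, 0x1B8)[0]
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i        # 0x1BE, 0x1CE, 0x1DE, 0x1EE
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector0, off)
        if ptype == 0:              # unused entry
            continue
        entries.append({"index": i + 1, "bootable": status == 0x80,
                        "type": ptype, "chs_first": decode_chs(chs_s),
                        "chs_last": decode_chs(chs_e), "lba_first": lba,
                        "sectors": count, "bytes": count * SECTOR})
    return {"disk_signature": disk_sig,
            "protective_gpt": any(e["type"] == 0xEE for e in entries),
            "partitions": entries}

def make_sample_mbr():
    """Constructed PS0: disk signature 0xDEADBEEF and one active NTFS (0x07)
    partition starting at LBA 2048 and spanning 1 GiB (2097152 sectors)."""
    s = bytearray(SECTOR)
    struct.pack_into("<I", s, 0x1B8, 0xDEADBEEF)
    struct.pack_into("<B3sB3sII", s, 0x1BE, 0x80, b"\x20\x21\x00", 0x07,
                     b"\xFE\xFF\xFF", 2048, 2097152)
    s[0x1FE:0x200] = b"\x55\xAA"
    return bytes(s)
```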

MBR

• Disk size <= 2TB
• Number of primary partitions = 4
➢ 16 bytes per partition
• If more partitions are needed, change a primary partition to an extended partition
• Total logical volumes: can be more than 24, but not all volumes will have their own drive letter.
• Single point of failure: single record at physical sector 0

GPT
The successor of MBR
GUID

• GUID: Globally Unique Identifiers
• Maximum disk size: up to 8ZB
• Currently supports up to 128 partitions
➢ 128-byte partition entry per partition
• Two copies of the record
• Controlled by UEFI (Unified Extensible Firmware Interface).
➢ Successor of BIOS
➢ 64-bit OS only

GPT

Feature               MBR                                     GPT
Number of partitions  4 Primary / 3 Primary + many Extendeds  Unlimited (current implementation is 128)
Max Disk Size         2TB                                     8ZB
OS supported          All Windows                             64-bit Windows
BIOS or EFI           BIOS and EFI                            BIOS (data disk only); EFI (OS and data disk)

▪ Because tools are not always showing you the right information.
▪ Let’s look at an example.

All 3 software tools show different information on the same disk. Which one is correct? How to confirm?

▪ Can we tell what partition scheme (MBR/GPT) is used just by looking at PS0?
▪ How to tell?
▪ Is it an MBR partition scheme?
▪ If so, how many partitions are here?
▪ PS2 contains the GPT partitions.
▪ How many partitions can we see here?
▪ Can a disk be partitioned as MBR and GPT at the same time?
▪ Can you tell what has happened on this disk?
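To work through the PS0 / PS2 questions above, an added Python example (not code from the slides) that classifies physical sector 0 as MBR or GPT (a GPT disk keeps a protective MBR with a single type 0xEE entry in PS0) and walks the 128-byte partition entries that start at PS2 on a 512-byte-sector disk. The entry layout, the 0xEE type and the Microsoft basic data type GUID are taken from the published GPT format and assumed here; the three-sector image is constructed inside the block.

```python
# Added example (not from the slides): classify PS0 as MBR or GPT and list the
# 128-byte GPT partition entries that begin at PS2 on a 512-byte-sector disk.
# The protective-MBR type 0xEE, the entry layout and the Microsoft basic data
# type GUID come from the published GPT format; the image is constructed.
import struct
import uuid

SECTOR = 512
ENTRY = 128

def scheme_from_ps0(ps0):
    """'gpt' if PS0 is a protective MBR, 'mbr' if a normal one, else 'none'."""
    if ps0[0x1FE:0x200] != b"\x55\xAA":
        return "none"
    types = [ps0[0x1BE + 16 * i + 4] for i in range(4)]   # type byte @ +4
    return "gpt" if 0xEE in types else "mbr"

def gpt_entries(image, count=128):
    """Return the in-use partition entries stored from PS2 onward."""
    found, base = [], 2 * SECTOR
    for i in range(count):
        raw = image[base + i * ENTRY: base + (i + 1) * ENTRY]
        if len(raw) < ENTRY:
            break
        type_guid = uuid.UUID(bytes_le=raw[0:16])
        if type_guid.int == 0:          # all-zero type GUID = unused slot
            continue
        first, last, attrs = struct.unpack_from("<QQQ", raw, 32)
        name = raw[56:128].decode("utf-16-le").rstrip("\x00")
        found.append({"type_guid": str(type_guid), "first_lba": first,
                      "last_lba": last, "sectors": last - first + 1,
                      "attributes": attrs, "name": name})
    return found

def make_sample_gpt_image():
    """Constructed 3-sector image: protective MBR in PS0, PS1 (header) left
    blank, one basic data partition (LBA 2048..1050623) in PS2."""
    img = bytearray(SECTOR * 3)
    struct.pack_into("<B3sB3sII", img, 0x1BE, 0x00, b"\x00\x02\x00", 0xEE,
                     b"\xFF\xFF\xFF", 1, 0xFFFFFFFF)
    img[0x1FE:0x200] = b"\x55\xAA"
    off = 2 * SECTOR
    img[off:off + 16] = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7").bytes_le
    img[off + 16:off + 32] = uuid.uuid4().bytes_le   # unique partition GUID
    struct.pack_into("<QQQ", img, off + 32, 2048, 1050623, 0)
    img[off + 56:off + 64] = "Data".encode("utf-16-le")
    return bytes(img)
```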
VBR
Finally we moved to the volume
VBR

• Every partition/volume comes with a Volume Boot Record at the start of the volume.
• The VBR describes the properties of the volume.
➢ filesystem type, volume size, cluster size, volume serial number etc.
• VBR contains a data structure called the boot parameter block (BPB), which is for identifying the physical disk address of the MFT (NTFS filesystem only).
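An added Python example (not code from the slides) that reads the BPB of an NTFS Volume Boot Record to recover the properties listed above and turns the MFT's cluster number into a physical disk sector. The NTFS field offsets are the published boot-sector layout, assumed here; the VBR bytes and the partition start LBA are constructed.

```python
# Added example (not from the slides): read the boot parameter block of an
# NTFS Volume Boot Record and turn the MFT's cluster number into a physical
# disk sector. NTFS field offsets are the published boot-sector layout,
# assumed here; the VBR bytes and partition start LBA are constructed.
import struct

def parse_ntfs_vbr(vbr, partition_start_lba):
    """Return the volume properties the VBR describes plus MFT addresses."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS; not an NTFS VBR")
    if vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", vbr, 0x28)
    serial = struct.unpack_from("<Q", vbr, 0x48)[0]
    # Volume-relative sector of the MFT; add the partition's first LBA (from
    # its MBR/GPT entry) to get the sector as addressed on the physical disk.
    mft_sector = mft_cluster * sectors_per_cluster
    return {
        "filesystem": "NTFS",
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "volume_size": total_sectors * bytes_per_sector,
        "volume_serial": "%016X" % serial,
        "mft_volume_offset": mft_sector * bytes_per_sector,
        "mft_physical_sector": partition_start_lba + mft_sector,
        "mftmirr_physical_sector":
            partition_start_lba + mftmirr_cluster * sectors_per_cluster,
    }

def make_sample_vbr():
    """Constructed NTFS VBR: 512-byte sectors, 8 sectors per cluster (4 KiB),
    2097152 sectors (1 GiB), $MFT at cluster 8192, $MFTMirr at cluster 2."""
    v = bytearray(512)
    v[0:3] = b"\xEB\x52\x90"            # jump instruction
    v[3:11] = b"NTFS    "               # OEM ID
    struct.pack_into("<HB", v, 0x0B, 512, 8)
    struct.pack_into("<QQQ", v, 0x28, 2097152, 8192, 2)
    struct.pack_into("<Q", v, 0x48, 0x1234567890ABCDEF)
    v[0x1FE:0x200] = b"\x55\xAA"
    return bytes(v)
```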

Boot Process
BIOS Boot Process Components
Boot Process

• The boot process begins when the user presses the power switch and starts the system.
• It tests the various system components, establishes configuration settings, and loads pieces of code.
• All the above culminates in the loading of a functional operating system, custom-configured to your particular hardware and software environment.

Boot Process

1) Power On
2) BIOS runs POST
3) Load BIOS data from add-on cards
4) Monitor displays info
5) BIOS checks boot sequence
6) BIOS calls code stored in MBR
7) The MBR loads the bootloader code from VBR of active partition
8) VBR loads & runs from its filesystem
