Introduction to Files, Filesystems, and Disks
This module is a brief introduction to files, filesystems, and disks, all of which are fundamental concepts in computer forensics. We discuss the difference between the human view and the computer view of a file, and how a filesystem serves as the middleman between the two. We also cover the basics of disk layout and partitions, the boot-up process, and the difference between memory and hard disks. Particular attention is paid to the mmls tool (part of The Sleuth Kit), which is used to view the partition layout of a disk or disk image.
By: Moshe Caplan
The sections below give a short discussion of some of the topics in this module. The slides and video give a more complete treatment of the covered material. (Credit for the remainder of this page goes to Moshe Kaplan.)
What is a file?
When you use your computer, you typically type something into Microsoft Word and save it. The next time you log on, you can continue your work without retyping what you wrote the previous day. That information was stored in a file, so it survives even when the computer is turned off. Files live on your hard drive. But what is a file? Just a bunch of bytes stored on your hard drive.
A hard disk drive allows data to be written to, and read back from, physical locations (addresses) on the disk. But we, the people using the computer, don't refer to a file by its physical location. The hard disk itself has no notion of a file or a directory (folder); it only knows how to store bytes at addresses. So how do we access our files on the hard disk?
Intro to Filesystems
Now we're ready to understand what a filesystem is. It is the glue between the user, who is used to seeing files and directories, and the hard disk, which only understands addresses and bytes. There is no single filesystem in use: different Operating Systems (OSes) use different filesystems by default (for example NTFS on Windows, ext4 on Linux, and FAT on many removable drives). Every filesystem provides some method for listing the available files, creating a file, and deleting a file. Most filesystems organize the files on the disk with an index (list) of the files on the drive, which records each file's name, where its contents are physically stored, and other useful information (metadata) such as its size and timestamps. This index is why deleting a file is usually cheap, and why deleted files are often recoverable: most filesystems just mark the index entry as free and leave the file's bytes on the disk until they are overwritten.
It is also possible to partition (split up) a disk into multiple pieces, each of which holds its own filesystem. One common method is the Master Boot Record (MBR), used by Windows and Linux. The MBR occupies the first 512-byte sector of the disk and contains a table of four partition entries. Each entry records a type byte (which indicates what kind of filesystem the partition is expected to hold), the sector address at which the partition starts, and its length in sectors; the sector ends with the signature bytes 0x55 0xAA. Newer disks frequently use the GUID Partition Table (GPT) instead; mmls understands both layouts and reports the start, end, and length of every partition, as well as the unallocated space between them.
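To make the MBR layout concrete, here is an added example (not code from the course page or from The Sleuth Kit) that decodes the partition table from a boot sector and prints it in the same shape mmls does. It builds a small synthetic boot sector in memory (constructed sample data, not the mmlsDemo image); the partition sizes, the type-byte subset, and the assumed disk size of 327,680 sectors are all assumptions made for the example. It also reports the sector ranges no partition covers, which is what mmls lists as "Unallocated" and where a forensic examiner looks for hidden data.

```python
"""Decode a classic MBR partition table, the same information mmls prints.

Added example for this page, not course code and not part of The Sleuth Kit.
It builds a synthetic boot sector (constructed sample data, not the mmlsDemo
image), parses the four 16-byte partition entries at offset 446, and reports
the gaps between partitions the way mmls reports "Unallocated" rows.
"""
import os
import struct
import sys

SECTOR = 512
BOOT_SIGNATURE = 0xAA55      # bytes 0x55, 0xAA at offsets 510-511 (little-endian)
TABLE_OFFSET = 446           # four 16-byte entries follow
ENTRY_FORMAT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, start LBA, sector count

# Small subset of partition type bytes (mmls knows many more).
PARTITION_TYPES = {
    0x05: "DOS Extended", 0x06: "FAT16", 0x07: "NTFS / exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux Swap", 0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(sector0: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of an MBR sector.

    Raises ValueError when the sector is too short or the 0x55AA signature is
    missing, which is how a wiped disk or a non-MBR disk shows up.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector0, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError(f"no MBR boot signature (found 0x{sig:04X})")
    parts = []
    for slot in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FORMAT, sector0, TABLE_OFFSET + 16 * slot)
        if ptype == 0x00:        # empty slot
            continue
        parts.append({
            "slot": slot,
            "bootable": flag == 0x80,
            "type": ptype,
            "desc": PARTITION_TYPES.get(ptype, "Unknown"),
            "start": start,
            "end": start + count - 1,
            "length": count,
        })
    return parts


def unallocated(parts: list[dict], total_sectors: int) -> list[tuple[int, int]]:
    """Sector ranges covered by no partition (mmls shows these as Unallocated).

    Sector 0 holds the MBR itself, so the first gap normally starts at 0.
    """
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def format_table(parts: list[dict], total_sectors: int) -> str:
    """Render an mmls-style table: slot, start, end, length, description."""
    rows = [(f"{p['slot']:02d}", p["start"], p["end"], p["length"], p["desc"]) for p in parts]
    rows += [("--", s, e, e - s + 1, "Unallocated") for s, e in unallocated(parts, total_sectors)]
    rows.sort(key=lambda r: r[1])
    lines = [f"Units are in {SECTOR}-byte sectors",
             f"{'Slot':<5} {'Start':>10} {'End':>10} {'Length':>10}  Description"]
    lines += [f"{s:<5} {a:>10} {b:>10} {n:>10}  {d}" for s, a, b, n, d in rows]
    return "\n".join(lines)


def _entry(bootable: bool, ptype: int, start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", start, count)


def build_sample_mbr() -> bytes:
    """Constructed sample: a bootable FAT32 partition followed by a Linux one."""
    table = (_entry(True, 0x0C, 63, 262017) +       # sectors 63..262079
             _entry(False, 0x83, 262080, 65536) +   # sectors 262080..327615
             bytes(32))                             # two empty slots
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


SAMPLE_TOTAL_SECTORS = 327680  # assumed size of the constructed disk, in sectors


if __name__ == "__main__":
    # With a path argument, read sector 0 of a real raw image; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sector0 = f.read(SECTOR)
        total = os.path.getsize(sys.argv[1]) // SECTOR
    else:
        sector0, total = build_sample_mbr(), SAMPLE_TOTAL_SECTORS
    print(format_table(parse_mbr(sector0), total))
```

Run it with no arguments to see the constructed table, or pass the path of an unzipped raw (dd-style) image to decode its real MBR. Compare the Start and Length columns with `mmls <image>`; they should match, and a partition whose type byte says FAT while the data at its start sector is something else is exactly the kind of mismatch that warrants a closer look.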
Memory vs. Disk
There are two types of storage on a computer: memory (RAM) and hard disks. Memory is volatile: if it loses power, its contents are lost. It is used for temporary, working storage. Hard disks are nonvolatile: the data is not lost when power is removed. They are used for permanent storage.
A simple metaphor for understanding RAM is a desk and a garage. RAM is the desk: when working at your desk you can almost immediately look at anything on it. The hard disk is the garage: if you want something stored there you have to get up, go to the garage, find it, and bring it back to your desk. Only then can you look at it.
RAM is at a relative premium compared to disk space. RAM is measured in gigabytes (GB), while hard disks are measured in terabytes (TB). However, accessing a spinning hard disk takes on the order of 100,000 times longer than accessing RAM (tens of nanoseconds versus milliseconds). For a forensic examiner the volatility matters as much as the speed: whatever is in RAM (running processes, network connections, decryption keys) disappears when the machine is powered off, so memory must be captured live, before the disk is imaged.
Sample Challenges
1. Use mmls to identify the partitions on the (compressed) sample image "mmlsDemo". This file can be found on the resources page; unzip it first, since mmls operates on the raw image.
Your results should be very similar to the partition layout of the 128MB flash drive shown in the presentation slides.
2. Use mmls to identify the partitions on the SANS SIFT VM, another forensics VM.
You can find instructions on it at: http://cyfor.isis.poly.edu/virtual-lab/build-your-own-virtual-lab
Your results should be very similar to the partition layout of the CERT ADIA.
Further information on this module can be found at the following:
Below is the (compressed) image file to be used with Sample Challenge #1.
mmlsDemoFileForChallenge.zip (1.77 MB), uploaded by marcbudofsky, Mar 17 2013, 9:46 PM