NTFS Forensics Part 1

In performing any action relating to computer forensics, programming, or any other aspect of file system storage, it is important to understand the basics of how computers operate on binary data, the types of storage, and so on. Failing to understand the basic workings of a computer can result in a lot of wasted time scratching your head and wondering what you are looking at. Understanding how to convert hex to decimal or binary to decimal, and how to convert in the other direction, is crucial to understanding in detail how file systems work. It is also important to know how the hard drive provides data to the application that reads it and writes data to the disk.

Counting Systems

Counting systems differ between the computer realm and the human realm. Humans rely on the decimal counting system, which is base 10: as most people know, it counts 0, 1, 2, 3, 4, 5, 6, 7, 8, 9. Computers do not understand the decimal system; they understand the binary system. Binary is a base-2 number system, limiting our options to either 0 or 1. Hexadecimal is another counting system that you will commonly deal with in the computer realm; it is a base-16 system. Hexadecimal digits range from 0 to F, which is different from what the general population is accustomed to.

Converting from one system to another takes time to learn because it forces you to think outside the realm of what you are used to. You may or may not be used to seeing numbers such as FF, which is 255 in decimal. Practicing the conversion process several times will let you convert from one counting system to another. You should understand how to convert from one system to the other before continuing. Memorizing the conversions is not necessary, but understanding them is a key point to focus on.

Binary Structures

Binary digits are grouped into several named sizes so you know how many bits you are talking about. A group of 8 bits, that is, eight ones and zeros side by side, is known as 1 byte. 16 bits, or sixteen ones and zeros together, can be classified as a word.

Storage Types

Storage systems started at the smallest form and have grown to several terabytes in size, and many types of storage system now exist. Knowing these types will not only allow you to make informed decisions about pulling data off a device and about how data is stored in the forensic field, but also help in troubleshooting regular computer issues. Data is stored on storage devices in the form of binary, that is, as either a one or a zero. This document will not cover how the storage controller writes to the storage media but rather the types of storage media.

Volatile Memory and Non-volatile Memory

Memory can be stored on a device that either retains its state when power is lost or loses its state when power to the device is lost. Volatile memory is the form of storage that requires power to maintain stored information. Devices such as Random Access Memory (RAM) fall into the volatile memory category. Hard drives and USB drives fall into the non-volatile memory category. It is important to know this because if you power off the machine to move it to another location for forensic analysis, you will lose everything held in RAM.

Hard Drives Explained

Hard drives are made from several different pieces, built around the platter that stores the information. Knowing each piece will aid your understanding of how the hard drive reads the data. A head is the device in the hard drive that reads data from the platter, and a single hard drive can have multiple heads in the enclosure. The platter contains tracks, cylinders and sectors, and the operating system adds to this by forming blocks or clusters. A track is a thin concentric strip on the platter surface which contains the magnetic medium to which the data is written. A cylinder consists of the same track number on each platter in the enclosure. Sectors are the most important piece to take away from this section. Tracks are subdivided into smaller sections called sectors, and the sector is the smallest storage unit on a hard drive. The typical hard drive sector size is 512 bytes. Blocks and clusters are used by the file system and group multiple sectors into one logical “sector.”

Little Endian vs Big Endian

This section does not conclude which architecture is better or which one can perform more calculations per second, but it does describe the basics of how each architecture orders bytes. Little-endian processors include x86; big-endian processors include the IBM PowerPC core. The biggest difference between the two is how they order the bytes of a multi-byte value on external media. Little endian stores the low-order byte first and big endian stores the high-order byte first. Figure 1-1 shows part of the NTFS MBR with the bytes-per-sector field highlighted. If you read the bytes in the order they appear, 00 02, and convert the hex value 0002 to decimal, you get 2. To get the real value you have to read the bytes backwards, so 00 02 becomes 0200 in hex. Converting hex 200 to decimal shows that we have 512 bytes per sector.
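A worked version of the two points above, the hand conversion of hex and binary to decimal and the little-endian versus big-endian reading of the NTFS bytes-per-sector field, as an added example rather than code from the original post. The 16-byte boot-sector prefix is constructed for the example; the field offsets 0x0B and 0x0D are the published NTFS BIOS Parameter Block layout.

```python
# Constructed sample: the first 16 bytes of an NTFS boot sector (jump
# instruction, the "NTFS    " OEM id, then the start of the BIOS Parameter
# Block). Offsets 0x0B and 0x0D are the published NTFS BPB layout.
SAMPLE_BOOT_SECTOR = bytes.fromhex("EB5290" "4E54465320202020" "0002" "08" "0000")

BYTES_PER_SECTOR_OFFSET = 0x0B      # 2-byte field, stored little-endian
SECTORS_PER_CLUSTER_OFFSET = 0x0D   # 1-byte field

def hex_to_decimal(text: str) -> int:
    """Convert a hex string such as 'FF' to decimal by hand, digit by digit."""
    digits = "0123456789ABCDEF"
    value = 0
    for ch in text.upper():
        value = value * 16 + digits.index(ch)  # each position is a power of 16
    return value

def binary_to_decimal(text: str) -> int:
    """Convert a binary string such as '11111111' to decimal by hand."""
    value = 0
    for ch in text:
        if ch not in "01":
            raise ValueError("binary digits must be 0 or 1")
        value = value * 2 + int(ch)            # each position is a power of 2
    return value

def read_field(data: bytes, offset: int, size: int, little_endian: bool) -> int:
    """Interpret `size` bytes at `offset` as an unsigned integer.

    Little-endian: the first byte on disk is the low-order byte, so the bytes
    must be read 'backwards'. Big-endian: the first byte is the high-order byte.
    """
    chunk = data[offset:offset + size]
    if len(chunk) != size:
        raise ValueError("field runs past the end of the data")
    return int.from_bytes(chunk, "little" if little_endian else "big")

def bytes_per_sector(data: bytes) -> int:
    """NTFS stores the BPB little-endian: 00 02 on disk means hex 0200 = 512."""
    return read_field(data, BYTES_PER_SECTOR_OFFSET, 2, little_endian=True)

def sectors_per_cluster(data: bytes) -> int:
    return read_field(data, SECTORS_PER_CLUSTER_OFFSET, 1, little_endian=True)

def cluster_size(data: bytes) -> int:
    """Cluster (block) size: the file system groups several sectors into one."""
    return bytes_per_sector(data) * sectors_per_cluster(data)
```

Reading the same two bytes big-endian gives 2, which is the mistake the paragraph above warns about; the little-endian read gives 512.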


