Module One Review of File Structures and Data Storage PowerPoint PPT Presentation


Title: Module One Review of File Structures and Data Storage


1
Module One Review of File Structures and Data
Storage
  • Highline Community College
  • Seattle University
  • University of Washington
  • in conjunction with
  • the
  • National Science Foundation

2
Review of basic physical disk and sectors
  • Sector 512 bytes
  • Clusters are made up of sectors
  • File slack area between end of file and end of
    cluster
  • Unallocated space
  • hidden files
  • hidden partitions

3
Review of FAT-12
  • Created for floppy disks and small drives
  • Each FAT entry contains 12 bits
  • 4086 clusters
  • max drive size 16 MB

4
Review of FAT-16
  • Each FAT entry has 16 bits
  • 65,526 clusters
  • Max drive size from 16 MB to 2,048 MB

5
Review of FAT-32
  • Each FAT entry has 28 bits
  • 268,435,456 clusters
  • Volume size 2^41 bytes

6
Review of NTFS
  • Partition Boot Sector
  • Master File Table
  • Cluster sizes are smaller
  • Less File Slack
  • Unicode
  • Encryption capabilities

7
PKI
  • Public key encrypts
  • Private key decrypts

8
EFS
  • Encrypted File System
  • Part of NTFS
  • Windows XP Pro, not Home Edition
  • encrypts using random file encryption key
  • independent of public/private key pair
  • symmetric encryption algorithm

9
EFS (contd)
  • uses Data Encryption Standard X (DESX)
  • 128 bit in NA (North America)
  • EFS automatically decrypts the file for a user
  • has built in data recovery
  • a system can be configured with recovery keys

10
EFS (slide 3)
  • intended to recover encrypted files if someone
    leaves the company
  • the recovery agent resides on the domain
    controller
  • domain administrators can delegate this
    responsibility
  • multiple recovery agents can exist on the network

11
Encrypting a file
  • at the command line: cipher /e /s:"C:\Encrypted files"
  • to decrypt: cipher /d /s:"C:\Encrypted files"
  • more info
  • www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp

12
PC Boot Processes
  • Windows overwrites many files every time it boots
  • Changes the evidence
  • Investigators use image tools and write blockers
    to protect evidence

13
Windows 98 Boot sequence
  • BIOS configures motherboard devices, starts ISA
    Plug and Play, looks for expansion cards during
    POST, loads OS
  • Config.sys and autoexec.bat are loaded
  • Loads VxDs through system.ini
  • Literally hundreds of files are affected

14
Windows NT Boot Sequence
  • BIOS, POST
  • Find boot device and load boot record
  • MBR reads partition table
  • NT bootstrap loads NTLDR
  • NTLDR switches processor to 32 bit flat memory
    mode, reads Boot.ini, loads NTDETECT

15
Windows NT (contd)
  • NTDETECT builds hardware list
  • Sends hardware list back to NTLDR
  • NTLDR loads NTOSKRNL.EXE
  • Kernel loads and initializes NT

16
Windows XP needed files
  • BIOS
  • Boot.ini
  • CONFIG.SYS
  • Hiberfil.sys
  • IO.SYS
  • MSDOS.SYS
  • NTDETECT.COM
  • NTLDR

17
Linux Boot Process
  • LILO
  • GRUB
  • In the MBR
  • Lilo.conf in the /etc directory contains
  • Location of the boot device
  • The kernel image file
  • Delay timer

18
Linux File Structure
  • Composed of meta-data and data
  • Meta-data includes
  • User ID
  • Group ID
  • Size
  • Permissions
  • Inodes
  • Contains MAC times (modification, access, and
    creation)

19
Linux (contd)
  • A directory entry (file_name) links the inode
    number to a filename in a directory
  • Inodes are basically pointers to multiple
    occurrences of a file
  • When the inode link count = 0, the file is deleted
  • If the inode count = 0 and the blocks are not
    empty, you can retrieve data

20
Critical inodes
  • Root inode is inode 2
  • Bad blocks inode is inode 1
  • Can list good inodes in bad blocks to mislead
  • Commands
  • badblocks (can destroy data)
  • mke2fs -c /dev/fd0
  • e2fsck -c /dev/fd0

21
Hash Values
  • checksum
  • MD5 hash
  • CRC
  • SHA-1 hash

22
Checksum
  • redundancy check
  • error handling
  • add up number of bytes and store it
  • does not detect if you changed the order of
    something

23
CRC
  • Cyclic Redundancy Check
  • CRC-16
  • CRC-32
  • lengthy polynomials

24
MD5
  • MD5 was developed by Professor Ronald L. Rivest
    of MIT
  • Produces a 128 bit message digest of the file or
    drive
  • In 2004, some discoveries of problems

25
SHA-1
  • Secure Hash Algorithm
  • 160 bit message digest
  • used for a variety of purposes including
    verifying data
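The weakness described on the Checksum slide (an additive checksum cannot see that bytes were reordered) next to the CRC, MD5 and SHA-1 values from the Hash Values slide, as an added Python example that is not part of the original deck; the two sample byte strings are constructed and contain the same bytes in a different order:

```python
import hashlib
import zlib

# Constructed sample data: the second string is the first with two words
# swapped, so both contain exactly the same bytes in a different order.
ORIGINAL = b"The quick brown fox jumps over the lazy dog"
REORDERED = b"The quick brown dog jumps over the lazy fox"


def additive_checksum(data: bytes, width_bits: int = 16) -> int:
    """The checksum from the slide: add up the bytes and store the sum
    (kept modulo the checksum width). Byte order does not change it."""
    return sum(data) % (1 << width_bits)


def crc32(data: bytes) -> int:
    """CRC-32 as used by zip/PNG; polynomial-based, so order matters."""
    return zlib.crc32(data) & 0xFFFFFFFF


def digests(data: bytes) -> dict:
    """All four integrity values listed on the Hash Values slide."""
    return {
        "checksum": additive_checksum(data),
        "crc32": crc32(data),
        "md5": hashlib.md5(data).hexdigest(),    # 128-bit digest
        "sha1": hashlib.sha1(data).hexdigest(),  # 160-bit digest
    }


def detects_change(a: bytes, b: bytes) -> dict:
    """True for each method whose value differs between the two inputs,
    i.e. the method noticed that the data changed."""
    da, db = digests(a), digests(b)
    return {name: da[name] != db[name] for name in da}


if __name__ == "__main__":
    for name, changed in detects_change(ORIGINAL, REORDERED).items():
        print(f"{name:8s} detects reordering: {changed}")
```

For evidence verification this is why examiners record an MD5 or SHA-1 of an image rather than a plain checksum: the additive value stays identical after the swap while all three of the others change.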