CSE 494/598 Forensic Computing: Computer and Network Forensics
Prof. Gail-Joon Ahn

IMPORTANT DATES
- Exam #1: Feb 19, 2009
- Assignment #1: Mar 3, 2009
- Spring Break: Mar 10 & 12, 2009
- Exam #2: Mar 31, 2009
- Class Project Due: Apr 23, 2009
- Paper Report Due: Apr 28, 2009
- Class Presentation: Apr 28 & 30, 2009, May 5, 2009
- Exam #3 (Final): May 7, 2009 (12:10PM – 2:00PM)

Outline
- File Forensics
  - Layers of analysis
  - Data Organization
    - How to manage
    - How to store
- FTK Tutorial
- File Forensics (cont’d)
  - Storage Media Analysis
  - Volume Analysis

Storage Media Analysis
- Data Storage
  - To obtain a conceptual understanding of internals, not to fix hard disks
- Hard Disk Geometry
  - Head – the device that reads and writes data to a drive
  - Track – concentric circle on a disk platter
  - Cylinder – a column of tracks on disk platters
  - Sector – a section on a track
Storage Media Analysis (cont’d)
[Figure: hard disk components, labelled Head Actuator, Head Arm, Chassis, Disk Platter]

Storage Media Analysis (cont’d)
- Platters are divided into concentric rings called tracks
- Tracks are divided into wedge-shaped areas called sectors
- A sector typically holds 512 bytes of data
[Figure: disk platter, labelled Tracks and Sector]

Storage Media Analysis (cont’d)
[Figure: tracks with 9 sectors/track and 16 sectors/track; source: http://www.pcguide.com/ref/hdd/geom/tracksZBR-c.html]

Storage Media Analysis (cont’d)
- A cylinder is a three-dimensional concept consisting of all tracks in the same position vertically
Storage Media Analysis (cont’d)
- Hard Disk Geometry (cont’d)
  - Address Methods
    - CHS Address (CHS-0,0,2)
      - 512 bytes per sector
      - X sectors per track
      - Y tracks per cylinder
      - Number of bytes on a disk =
      - Cylinders (tracks) x Heads (platters) x sectors
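The CHS addressing above, worked through as an added example that is not part of the original slides: it computes disk capacity from the geometry and locates a CHS address inside a raw disk image. It goes beyond the slide by using the standard CHS-to-LBA mapping; the geometry (1024 cylinders, 16 heads, 63 sectors per track), the names and the in-memory image are assumptions made for illustration.

```python
import io

SECTOR_SIZE = 512  # bytes per sector, as on the slide


class Geometry:
    """Disk geometry. The numbers passed in below are assumed sample values."""

    def __init__(self, cylinders, heads, sectors_per_track):
        self.cylinders, self.heads, self.spt = cylinders, heads, sectors_per_track

    def total_sectors(self):
        return self.cylinders * self.heads * self.spt

    def capacity_bytes(self):
        # cylinders x heads x sectors per track, times the sector size
        return self.total_sectors() * SECTOR_SIZE

    def chs_to_lba(self, c, h, s):
        # Cylinders and heads are numbered from 0, sectors from 1,
        # so sector 0 is never a valid address.
        if not (0 <= c < self.cylinders and 0 <= h < self.heads and 1 <= s <= self.spt):
            raise ValueError(f"CHS ({c},{h},{s}) is outside the geometry")
        return (c * self.heads + h) * self.spt + (s - 1)

    def lba_to_chs(self, lba):
        if not 0 <= lba < self.total_sectors():
            raise ValueError(f"LBA {lba} is outside the geometry")
        c, rest = divmod(lba, self.heads * self.spt)
        h, s0 = divmod(rest, self.spt)
        return c, h, s0 + 1


def read_sector(image, geom, c, h, s):
    """Return the 512 bytes stored at a CHS address in a raw (dd-style) image."""
    image.seek(geom.chs_to_lba(c, h, s) * SECTOR_SIZE)
    data = image.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise EOFError("image ends before this sector")
    return data


def sample_image(sectors=64):
    # Constructed test image: sector n is filled with the byte value n.
    return io.BytesIO(b"".join(bytes([n]) * SECTOR_SIZE for n in range(sectors)))


if __name__ == "__main__":
    geom = Geometry(cylinders=1024, heads=16, sectors_per_track=63)  # assumed
    print("capacity:", geom.capacity_bytes(), "bytes")
    print("CHS 0,0,2 -> LBA", geom.chs_to_lba(0, 0, 2))
    print("first byte at CHS 0,1,1:", read_sector(sample_image(), geom, 0, 1, 1)[0])
```

CHS 0,0,2 is the second sector on the disk, so it maps to LBA 1 and starts at byte offset 512 of a raw image.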

