Media and storage

Session 17
Recapping
• We have cover both Microsoft and Unix files
system
Today
• Introduction to ACW2
• Covering each ACW
• ACW2 session (Needed to complete ACW)
• expected deliveries
• Dates both parts in and out

• Partitioning
Learning Outcomes
• Be able to show and demonstrate knowledge
the difference between
• Physical drive
• Primary partition
• Logical partition
Media and storage

AC W2 INFOR MATI ON
Dates and times
• Part1 out Week 17 Friday Part1 in Week 19
• Part2 out Week 18 Friday Part2 in Week 21
• Part3 out Week 20 Friday
• Final Hand in Week 24

• All submitting times will be Friday 16:00 on the

weeks indicated above
ACW2 part1

• Crime scene
• Write a brief report in order to prepair for a knock on
the suspects address
• The report should address the following areas
• ACPO Guidelines
• What equipment you migth need
• Procedures to carry out
• 1500Words
ACW2 part2
• Inspection and imaging
• Scene recording
• Working with a system removal and recording parts
• Hopefully Looking at the crime scene (still trying to get
authorization for the video use)
• Imaging a device
• 1500 words
ACW2 part3
• Forensic examination of a forensic image
• Examining a Forensically sound image
• Reporting your findings
• 2000 words
Final handin

• All three parts

• Critical commentary
• Copy of all notes
• Appendix
Media and storage

PARTI TIONS
Physical drive
• In the current IBM PC architecture
• there is a partition table in the drive's Master Boot
Record
• The MBR lists information about the partitions on
the hard drive.
• This partition table is then further split into 4
partition table entries
• Due to this it is only possible to have four partitions.
Primary partition
• These 4 partitions are typically known as
primary partitions.
• To overcome this restriction, system
developers decided to add a new type of
partition called the extended partition.
• By replacing one of the four primary partitions
with an extended partition, you can then make
an additional 24 logical partitions within the
extended one.
Primary/Logical partition
• Partition Table
• Primary Partition #1
• Primary Partition #2
• Primary Partition #3
• Primary Partition #4
• (Extended Partition)
• Logical Partition #1
• Logical Partition #2
• As you can see, this partition table is broken up into 4
primary partitions.
• The fourth partition, though, has been flagged as an
extended partition.
• This allows us to make more logical partitions under
that extended partition and therefore bypassing the 4
partition limit.
• Each hard drive also has one of its possible 4
partitions flagged as an active partition.
• The active partition is a special flag assigned to
only one partition on a hard drive that the
Master Boot Record (MBR) uses to boot your
computer into an operating system.
• As only one partition may be set as the active
partition, you may be wondering how people
can have multiple operating systems installed
on different partitions, and yet still be able to
use them all.
• This is accomplished by installing a boot loader
in the active partition.
• When the computer starts, it will read the MBR
and determine the partition that is flagged as
active.
• This partition is the one that contains the boot
loader.
• When the operating system boots off of this
partition the boot loader will start and allow you
to choose which operating systems you would
like to boot from.
Recovery
• GPart, Partition recovery tool
• Can be use to Retrieve Partitions damaged or
Altered
• This will change the disc/image