Académique Documents
Professionnel Documents
Culture Documents
Digital Forensics I
Week 2
Central
Input Device Processing Output Device
Unit (CPU) Computer sends responses
Information is entered to commands & results of its
into the computer thru processing to these devices
input devices. Memory/Storage
Storage area for all computer
information & workspace for
computer operations
DCOM 150 Week2 5
Basic Computer Operation
MICROPROCESSOR
Central Processing
Input Device Output Device
Unit (CPU)
Keyboard Monitor
Mouse Printer
Scanner Memory/Storage Plotter
Modem Modem
Thumb drive RAM Thumb Drive
(SIMM/DIMM)
Disk Drive
DCOM 150 Week2 6
Functions of a computer
DCOM 150
17 Week2
Answers to Problem, # 1
1 PS2/Mouse Port
2 PS2/Keyboard port
3 USB port
4 Printer port
5- Audio IN ( Line IN); Audio Out (Line
OUT), Mic
6- VGA port
7- Serial Port
DCOM 150 18 Week2
Problem #2 Identify Ports
CFOR101 Week3 24
CFOR101 Week3 25
What is a File System?
A system for organizing directories and
files, generally in terms of how it is
implemented in the disk operating system
A system for organizing and cataloguing
files on a data storage media, comparable to
the index in a book
A way of organizing directories and files on
a disk drive.
CFOR101 Week3 26
Examples of File Systems
FAT-12
MS-DOS, Floppy Disks
FAT-16
Windows 95
FAT-32
Windows 98
NTFS
Windows 2000, NT, XP,Vista, Windows 7, 8
and 10
CFOR101 Week3 27
Examples of File Systems contd..
Ext 2 and Ext 3
Linux operating systems
UFS1 and UFS2
Unix-File System (UFS)
HFS and HFS+ (introduced on Mac OS 8.1)
Mac
Hierarchical file system
CFOR101 Week3 28
Analysis of FAT -File
System
CFOR101 Week3 29
How Disk store data
How data is physically stored on a disk
CFOR101 Week3 30
How Data Is Physically Stored
on a Disk
CFOR101 Week3 31
How Data Is Physically Stored
Floppy Disk
In concentric circles (tracks or cylinders)
Each track is divided into sectors
CFOR101 Week3 32
3 floppy disk structure -
Example
Data is written on two sides
Tracks 80/side
18 sectors/track
Sector size 512 bytes
Total sectors = 80x18x2=2880
Total size = 2880 x 512 = 1.44 MBytes
CFOR101 Week3 33
Disk Layout
BOOT RECORD (Sector)
SYSTEM
AREA
FAT (2 copies)
ROOT DIR
DATA FILES
AREA STORAGE
AREA
CFOR101 Week3 34
Formatting Process for a Disk
Creates tracks and sectors
CFOR101 Week3 35
Boot Record
First sector of the disk (Sector 0, track 0)
Volume label
CFOR101 Week3 36
Disk Logical Parts(DOS)
Defined for use by one OS only
BOOT RECORD - contains the volume bootstrap
loader program & disk parameter block.
FAT - File Allocation Table (2 Copies) - is a map used by
the OS to find parts of files (called clusters or allocation
units) on the disk.
ROOT DIR - First (Starting) Directory on a disk.
FILES STORAGE AREA - where all the parts of
files are stored.
CFOR101 Week3 37
Disk File System
CFOR101 Week3 38
Data Area
CFOR101 Week3 39
Cluster Definition
Cluster - defined as a group of sectors represented by
one entry (pointer) in the FAT
Also called an Allocation Unit
Can be just one sector or more than one
each entry in the FAT points to a cluster
once a cluster is assigned to a file, all the sectors in that
cluster are used by that file.
CFOR101 Week3 40
Root Directory Table
Lists all files and subdirectories assigned to
this table
File attributes
CFOR101 Week3 41
Partial Directory Entries
CFOR101 Week3 42
Data Area
Finding the first cluster
First cluster starts at Cluster 2
Cluster 2 is the data area
The reserved and FAT do not use cluster
addresses
CFOR101 Week3 43
Data Area contd..
Cluster 2 starts after the root directory.
CFOR101 Week3 44
Metadata
"data about data", is information that
describes another set of data.
A common example is a library catalog
card, which contains data about the contents
and location of a book:
When was created, accessed and/or
modified
File dates, sizes and attributes
CFOR101 Week3 45
FAT
FILE
ALLOCATION
TABLE
CFOR101 Week3 46
File System
File system
Road map to data on a disk
Determines how data is stored on disk
CFOR101 Week3 47
FAT
File Allocation Table
Defined as a map or linked list used to locate or link the
remaining clusters of a file on a disk.
DOS uses the starting cluster # to find the first cluster in the
File Storage Area.
DOS uses the FAT to find the remaining clusters of the file in
the File Storage Area.
CFOR101 Week3 48
File Allocation Table (FAT)
Lists location of file segments (clusters) on
a disk in a one-column table
Width of each entry in the column is 12 bits
CFOR101 Week3 49
How OS uses the FAT and
Directory Table Example 1
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
#
Hello.txt 54 123 5 EOF
6 9
9 EOF
1. OS reads the file name and starting
cluster number
Cluster 9
CFOR101 Week3 50
How OS uses the FAT and Directory
Table Example 1 contd
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
#
Hello.txt 5 123 5 EOF
6 9
9 EOF
2. OS retrieves the contents of cluster 5 on
the disk Cluster 9
CFOR101 Week3 51
How OS uses the FAT and Directory
Table Example 1 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
#
Hello.txt 5 123 5 EOF
6 9
9 EOF
3. OS returns to FAT, looks at the 5th cluster in the FAT, Cluster 9
EOF
CFOR101 Week3 52
How OS uses the FAT and
Directory Table Example 2
Partial Directory
FAT Cluster 10
Starting File Cluster 11
Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11
11 12
12 EOF
1. OS reads the file name and starting
cluster number
Cluster 13
CFOR101 Week3 53
How OS uses the FAT and Directory
Table Example 2 contd
Partial Directory
FAT Cluster 10
Starting File Cluster 11
Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11
11 12
12 EOF
2. OS retrieves the contents of cluster 10 on
the disk Cluster 13
CFOR101 Week3 54
How OS uses the FAT and Directory
Table Example 2 contd
Partial Directory
FAT Cluster 10
Starting File Cluster 11
Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11
11 12
12 EOF
3. OS returns to FAT, looks at the 10th cluster in the FAT,Cluster 13
and reads 11, which is the next segment of the file in
cluster 11
CFOR101 Week3 55
How OS uses the FAT and Directory
Table Example 2 contd
Partial Directory
FAT Cluster 10
Cluster 11
Starting File Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11
11 12
12 EOF
3. OS retrieves the data from cluster 11 on the disk Cluster 13
CFOR101 Week3 56
How OS uses the FAT and Directory
Table Example 2 contd
Partial Directory
FAT Cluster 10
Starting File Cluster 11
Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11
11 12
12 EOF
3. OS turns to FAT and reads the content in cluster 11 Cluster 13
and it reads cluster 12
CFOR101 Week3 57
How OS uses the FAT and Directory
Table Example 2 contd
Partial Directory
FAT Cluster 10
Starting File Cluster 11
Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11 Cluster 12
11 12
12 EOF
4. OS retrieves the data from cluster 12 on the disk Cluster 14
CFOR101 Week3 58
How OS uses the FAT and Directory
Table Example 2 contd.
Partial Directory
FAT Cluster 10
Starting File Cluster 11
Cluster Next
File name Cluster # size Cluster#
#
sam.txt 10 1234 10 11 Cluster 1
11 12
12 EOF
5. OS turns to FAT and reads the content in cluster 12 Cluster 14
and it reads EOF.
CFOR101 Week3 59
How OS uses the FAT and
Directory Table Example 3
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
1. OS reads the file name and starting
cluster number
CFOR101 Week3 60
How OS uses the FAT and Directory
Table Example 3 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
1. OS retrieves the contents of cluster 5 on
the disk
CFOR101 Week3 61
How OS uses the FAT and Directory
Table Example 3 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
2. OS returns to FAT, looks at the 5th cluster
in the FAT, and reads 7, which is the next
segment of the file in cluster 7
CFOR101 Week3 62
How OS uses the FAT and Directory
Table Example 3 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
3. OS retrieves the data from cluster 7 on the
disk
CFOR101 Week3 63
How OS uses the FAT and Directory
Table Example 3 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
4. OS turns to FAT and reads the content in
cluster 7 and it reads cluster 9
CFOR101 Week3 64
How OS uses the FAT and Directory
Table Example 3 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
5. OS retrieves the data from cluster 9 on the
disk
CFOR101 Week3 65
How OS uses the FAT and Directory
Table Example 3 contd..
Partial Directory
FAT Cluster 5
Starting File
Cluster 6
Cluster Next
File name Cluster # size Cluster#
# Cluster 7
Hello.txt 5 1234 5 7
6 0
7 9
8 0
9 EOF
Cluster 9
6. OS turns to FAT and reads the content in
cluster 7 and it reads EOF
CFOR101 Week3 66
FRAGMENTED DISK
FRAGMENTED DISK
1 2 3 4 5
CYL 0 FILE C FILE 2 FILE A FILE B FILE B
6 7 8 9 10
CYL 1 FILE C FILE A FILE D FILE G FILE D
11 12 13 14 15
CYL 2 FILE E FILE 6 FILE E FILE F FILE E
16 17 18 19 20
CYL 3 FILE 7 FILE E FILE F FILE G FILE D
21 22 23 24 25
CYL 4 FILE 1 FILE 4 FILE A FILE 3 FILE 5
26 27 28 29 30
CYL 5 FILE 4 FILE 4 FILE 1 FILE 4 FILE 3
31 32 33 34 35
CYL 6 FILE 6 FILE E FILE 6 FILE 7 FILE E
CFOR101 Week3 67
NO FRAGMENTATION
COMPLETELY DEFRAGMENTED DISK
1 2 3 4 5
CYL 0 FILE A FILE A FILE A FILE B FILE B
6 7 8 9 10
CYL 1 FILE C FILE C FILE D FILE D FILE D
11 12 13 14 15
CYL 2 FILE E FILE E FILE E FILE E FILE E
16 17 18 19 20
CYL 3 FILE E FILE F FILE F FILE G FILE G
21 22 23 24 25
CYL 4 FILE 1 FILE 1 FILE 2 FILE 3 FILE 3
26 27 28 29 30
CYL 5 FILE 4 FILE 4 FILE 4 FILE 4 FILE 5
31 32 33 34 35
CYL 6 FILE 6 FILE 6 FILE 6 FILE 7 FILE 7
CFOR101 Week3 68
Demo
CFOR101 Week3 69
Review of File System
CFOR101 Week3 70
Ref Brian Carrier
Summary
Identify PC external components
Overview of File system
FAT file system
How FAT file system stores Data?
CFOR101 Week3 71
Lab #2
Lab 2a Documenting initial evidence
processing Form
Lab 2b FAT File System ( Part I)