Types of Hard Drive Formatting
The two types of hard drive formatting are low and high level. Low level formatting creates the track and sectors on the drive. These tracks and sectors form the physical blocks of storage of 512 bytes each.
High level formatting is file system specific, including Microsoft (DOS, FAT, and NTFS) and Open Source Initiative (OSI) varieties (ext2, ReiserFS, and XFS). Low level formatting is done by the hard drive vendor. High level formatting is done when the OS is installed.
High level formatting creates the hard drive's file system and allows the OS to store files by dividing them into smaller pieces and saving them in separate clusters (a grouping of sectors) on the disk. The OS uses this file system to keep track of the placement and sequence of each piece and to identify which sectors on the disk are free and available for new files. The computer can then assemble the different pieces when a file is viewed or executed.
Why Understand File Systems?
Different OS, different file systems
Poor documentation
File location
Hidden data
File deletion
2.2.3 Importance of File Systems
A file system has two basic functions that impact the computer's performance:
. mapping physical spaces on the drive to logical addresses that comprise files
. read/write capability to open, change, and delete files
Understanding how these functions work on different file systems is the foundation for responding to a security incident. Most file systems are related directly to a particular OS, although some OSs combine file systems.
To discover where files are located and how they are distributed, you need to know how to access and modify system settings when necessary. This is especially important because files can be hidden.
Typically when a user deletes a file, the file system does not permanently erase (wipe) the file from the hard drive. It simply creates a flag that tells the OS that the sector can be reused. Knowing how to rebuild files from the file system is one of the most important skills of the forensic examiner.
The forensic examiner has access to deleted files and to files contained in swap space, which is part of the virtual memory created on the hard drive by the OS. Swap space files are described later in this module.
No comments:
Post a Comment