Computer forensics deals with the gathering of digital evidence using appropriate techniques (Champlain 2003). Because it works with digital media, computer forensics is also known as digital forensics. The basics of hard disk storage and organization are discussed below to help the reader understand their relation to computer forensics (Marcella & Menendez 2008). The technological entities involved in disk organization are described below:
Tracks, sectors and clusters, sides and heads
A hard disk or diskette has a number of sides, each of which is a magnetic surface that stores binary information. Each side is divided into a number of concentric tracks, where the binary information is actually stored. Each track, in turn, is divided into a number of sectors, each of which holds 512 bytes of data. Head: each side has a read-write head that reads and writes data from and to a particular sector. Disk access latency consists of seek time, the time taken for the read-write head to reach the correct track, and wait time, the time required for a particular sector to rotate into position under the read-write head. (Parsons & Oja 2008)
The data transfer rate is governed by the rotation rate of the disk. Cylinder: the group of all tracks that have the same track number across all sides of the disk. A sector on the disk is identified by its cylinder number, head/side number and sector number; sector numbering begins at 0. Relative sector: a single sequence number that starts at 0 and increments by sector number first, then by head/side number, and then by cylinder number. (Bunting & Wei 2005)
Disk Organization
Each raw hard disk can be divided into a number of partitions. Each partition is a separate file system and it occupies a certain number of sectors in the hard disk.
File Systems
A file system is a self-contained system capable of performing all kinds of operations on files, such as locating a particular file, reading and writing a file, and creating and modifying a file. Before a file system is created, the partition has to be formatted so that damaged sectors are excluded. (Parsons & Oja 2009)
FAT (File Allocation Table)
The FAT is a structure used to manage the free clusters on the hard disk and to link together all the clusters allocated to each data file (including subdirectories). It contains one entry for each cluster on the hard disk; for a given file, each FAT entry holds the cluster number of the file's next cluster. (Parsons & Oja 2008)
Directory and Directory Entry
A directory is a table of directory entries, one for each file. A directory entry (32 bytes) contains the information about the file it represents.
Hard Disk Organization Application
This is a systems-side programming project. The forensic analysis tool helps determine which unique strings are resident on a hard disk. The project involves finding the hard disks and listing the occurrences of such unique strings on the hard disks that have been scanned. If a string is found, files holding the matching segments are produced on the destination drive. The results file holds the following details: (Baldauf & Stair 2008)
System Information
Computer Name
Logged User Name
Other details of the machine
Chunks of the words found with number of bytes before and after
The utility uses only a single thread while scanning and calls PeekMessage to monitor message activity. A modeless dialog box is used to display messages. For example, if the destination drive happens to be a CD drive, a modeless dialog box pops up and prompts the user to insert the CD-ROM, after which the contents of the CD are read without any keyboard or mouse interaction. (Volonino, Anzaldua, & Godwin 2007)
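The scanning step described above, as an added example that is not the project's own code: read a raw image in blocks, find every occurrence of the search strings, keep the bytes before and after each hit, and write a results header with the computer name, logged user and system details. The image bytes and the search string are constructed; the before/after counts, block size and report layout are assumptions, and on a real case the stream would be a forensic image file opened read-only.

```python
import io
import os
import platform
import socket

# Constructed sample "disk image" (not a real one): two copies of a search string,
# placed so that the first copy straddles a 16-byte read block in the demo call.
NEEDLE = b"SECRET-TOKEN"
SAMPLE_IMAGE = bytes(12) + NEEDLE + bytes(20) + NEEDLE + bytes(5)

def find_with_context(stream, needles, before=16, after=16, block=4096):
    """Scan a raw image stream for byte strings; return (offset, needle, context) hits.
    Reads overlap so a hit straddling two blocks is found with full before/after bytes."""
    maxlen = max(len(n) for n in needles)
    keep = before + maxlen - 1 + after          # tail carried into the next read
    buf, base, hits, seen, eof = b"", 0, [], set(), False
    while not eof:
        data = stream.read(block)
        eof = len(data) < block
        buf += data
        for n in needles:
            i = buf.find(n)
            while i != -1:
                # Emit only once the after-context is present (or at EOF); `seen`
                # drops re-finds of hits that survive in the overlap region.
                if (eof or i + len(n) + after <= len(buf)) and (base + i, n) not in seen:
                    seen.add((base + i, n))
                    hits.append((base + i, n, buf[max(0, i - before): i + len(n) + after]))
                i = buf.find(n, i + 1)
        if len(buf) > keep:
            base += len(buf) - keep
            buf = buf[-keep:]
    hits.sort(key=lambda h: h[0])
    return hits

def scan_bytes(image, needles, **kw):
    """Convenience wrapper for an in-memory image (a real case reads an image file)."""
    return find_with_context(io.BytesIO(image), needles, **kw)

def format_report(hits):
    """Results file body: system details first, then one line per hit giving the
    absolute offset, the string found and the surrounding bytes in hex."""
    user = os.environ.get("USER") or os.environ.get("USERNAME") or "unknown"
    lines = [f"Computer Name: {socket.gethostname()}", f"Logged User Name: {user}",
             f"System: {platform.platform()}"]
    for off, n, ctx in hits:
        lines.append(f"{off:#010x} {n.decode('ascii', 'replace')} {ctx.hex()}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(format_report(scan_bytes(SAMPLE_IMAGE, [NEEDLE], before=4, after=4, block=16)))
```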
Practical Demonstration of Hard Disk Organization
Before data can be stored on the disk, it has to be formatted. A hard disk usually requires a low-level format; each partition then receives a high-level format. The purpose is to put a logical data structure in place on the physical hard disk. A hard disk is usually composed of five parts: MBR, DBR, DIR, FAT and DATA. (Caloyannides 2001)
Performing Low level format
After the hard disk parameters have been set in the CMOS setup, the disk still cannot be used, because its cylinders, heads and sectors have not yet been laid out. When it leaves the factory, a hard disk is usually "blank", i.e. it holds no data whatsoever. Only after the tracks and sectors have been laid out can data be stored on the hard disk. Many disks undergo a low-level format before being delivered to users. (Parsons & Oja 2009)
Main functions of low level format
Low-level format, also referred to as physical format, performs a number of functions: confirming the presence of the magnetic media, dividing the surface into tracks, dividing each track into sectors, and arranging the order of the sectors within a track according to the interleave desired by the customer. Its main functions are as follows: (Kanellis 2006)
Inspecting the hard disk media and dividing the hard disk into tracks.
Providing each sector of the hard disk with a unique ASCII value.
The hard disk is the most important storage device in a computer. A low-level format is usually used in the following cases:
1- When a new hard disk or hard disk adapter has been purchased, it is best to low-level format the disk again; this makes synchronization between the hard disk and the adapter easier.
2- "Bad" sectors, which develop over time, often cause a "sector not found" error in DOS. Because the machine cannot distinguish a bad sector from a sector that does not exist at all, users face serious problems. The "sector not found" error arises from the loss of the sector ID that is used to separate the sectors; the ID is recorded on the disk as part of the magnetization pattern, which may wear away with long-term storage or use. Circumstances may often call for a complete overhaul of the sector IDs, and only a low-level format can do this; a high-level format has hardly any role to play here. (Vacca 2009)
3- Using a proper interleave setting can increase the data transfer rate. In most cases, a low-level format is the only way to change the interleave.
4- When a disk keeps showing inexplicable problems, a low-level format should be considered first.
Methods of low-level format: there are many ways to perform a low-level format. In early times it was done from the CMOS setup, with special disk tools, or by writing small programs in Debug. Nowadays hard disk manufacturers provide buyers with specific tools for this operation at the time of purchase, either free of charge or for a nominal extra fee.
Description of Hard Disk Organization
First of all, we should know the details of the hard disk. Figure 1 below shows a section through a hard disk and its main components. A hard disk is a sealed unit containing the components shown. Electromagnetic read/write heads are positioned above and below the platters. The platters spin while the drive heads slide over the surface to read the data stored on the hard disk. The data is stored in concentric bands known as tracks, and the tracks are further divided into sectors. The sector is the smallest unit of physical storage, at least so far, and holds up to 512 bytes of data; an even smaller unit of storage may well come into being later on. The computer's operating system sees the tracks as logical rather than physical structures; they are created when the hard disk is low-level formatted. The tracks are numbered from 0 up to a highest number of 1023, forming 1024 cylinders on the hard disk. Sectors and clusters are the smallest physical storage locations. Each disk sector is identified using the factory track-positioning data. The sector identification data is usually written to an area first, even before data is placed into it, and it determines the starting address of the sector. The optimal way to store a file on a hard disk is as an adjacent series: all the data in a stream is stored end to end in a single run so that it is easy to read. Files larger than 512 bytes are stored in sectors as allocated by the file allocation tables. A cluster usually has the same size as a sector, but the cluster size can be changed according to storage requirements. A large cluster size reduces the chance of fragmentation, but there is every possibility of empty space within the clusters. Using clusters larger than one sector reduces fragmentation and reduces the amount of space needed to store the information about which parts of the hard disk are used and unused. (Parsons & Oja 2009)
Hard Disk Organization Overview
We shall discuss the hard disk organization of the most commonly used FAT file system, which is a very straightforward and easy method. The organization of the files ensures that they can be accessed randomly through the simple use of pointers, as described by the author Vinoj Kumar. He says that there is a simple way to identify a particular file stored on the hard disk, which can be either FAT12, or 12-bit FAT (the lowest member of the FAT family, where the file pointers are just 1.5 bytes), or FAT16, or 16-bit FAT, which is commonly used on hard disks and has 16 bits or 2 bytes per pointer. The boot sector comes first in FAT, followed by the hidden and reserved sectors, and then the FAT tables. The FAT tables are composed of pointers, each pointing to the next cluster within a file. The last cluster is terminated by a word or a double word, depending on the file system in use. Bad clusters are given a unique word or dword, so they are skipped during scanning. Two copies of the FAT are stored for safety, because it is the most important part of the file system: if any FAT sector sustains damage, it is ignored and the second copy is used automatically. The FAT is placed at a fixed location on the disk, at the start of the partition. After the two copies of the FAT comes the root directory, which consists of 32-byte entries with the file information encoded in them. The root directory is fixed in FAT12 and FAT16, but in FAT32 it is just another sub-directory. Only a fixed number of files can be stored in the root directory, but in FAT32, where it is a sub-directory, it can store a large number of files. (Volonino, Anzaldua, & Godwin 2007)
Files and sub-directories are organized only with the help of the FAT tables. The starting cluster number is stored in the directory entry; the FAT entry for that cluster points to the next cluster occupied by the file, and this pattern repeats until the end-of-file mark is reached.
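The directory-entry and FAT-chain mechanism described in the two paragraphs above, as an added example that is not the project's or the cited authors' code: decode a 32-byte FAT16 directory entry, follow the cluster chain in the FAT until the end-of-file marker, skip bad clusters, and map clusters to relative sectors. The directory entry, the FAT contents and the first data sector are constructed sample values; the end-of-chain and bad-cluster marker values are those of FAT16.

```python
import struct

# Constructed FAT16 sample (not from any real disk): one 32-byte directory entry
# for "REPORT.TXT" and a tiny FAT holding its cluster chain.
SECTORS_PER_CLUSTER = 1   # cluster == sector, as the page describes
FAT16_BAD = 0xFFF7        # bad-cluster marker; any value >= 0xFFF8 ends a chain

def parse_dir_entry(entry: bytes) -> dict:
    """Decode one 32-byte FAT directory entry (8.3 short name, FAT16 layout)."""
    name = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    return {"name": f"{name}.{ext}" if ext else name, "attr": entry[11],
            "first_cluster": struct.unpack_from("<H", entry, 26)[0],
            "size": struct.unpack_from("<I", entry, 28)[0]}

def follow_chain(fat: bytes, start: int) -> list:
    """Walk a FAT16 chain; stop at EOF, bad or free clusters; flag cross-links."""
    chain, seen, cur = [], set(), start
    while 2 <= cur and (cur + 1) * 2 <= len(fat):
        if cur in seen:   # reached twice: cross-linked chain, a corruption sign
            raise ValueError(f"cross-linked chain at cluster {cur}")
        seen.add(cur)
        val = struct.unpack_from("<H", fat, cur * 2)[0]
        if val == 0 or val == FAT16_BAD:   # free or bad: not valid file data
            break
        chain.append(cur)
        if val >= 0xFFF8:                  # end-of-file marker
            break
        cur = val
    return chain

def cluster_to_sector(cluster: int, first_data_sector: int) -> int:
    """Relative (0-based) sector of a cluster; data clusters are numbered from 2."""
    return first_data_sector + (cluster - 2) * SECTORS_PER_CLUSTER

# Entries 0 and 1 reserved; chain 2 -> 3 -> 5 -> EOF; cluster 4 marked bad.
SAMPLE_FAT = struct.pack("<8H", 0xFFF8, 0xFFFF, 3, 5, FAT16_BAD, 0xFFFF, 0, 0)
SAMPLE_ENTRY = (b"REPORT  TXT" + bytes([0x20]) + bytes(14)   # attr 0x20 = archive
                + struct.pack("<H", 2) + struct.pack("<I", 1300))

def locate_file(entry=SAMPLE_ENTRY, fat=SAMPLE_FAT, first_data_sector=33) -> dict:
    """Directory entry -> cluster chain -> relative sectors holding the file."""
    info = parse_dir_entry(entry)
    info["clusters"] = follow_chain(fat, info["first_cluster"])
    info["sectors"] = [cluster_to_sector(c, first_data_sector) for c in info["clusters"]]
    return info

if __name__ == "__main__":
    print(locate_file())
```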
Hard Disk Organization Utility in Computer Forensics
Having introduced hard disk organization for computer forensics, together with an overview of cyber forensics and the related policies, legal ramifications, implications, procedures and methodologies for computer forensic investigation, we have a good idea of the basic operations to be performed. The objective of this material was to prepare the reader for greater involvement in the world of computer forensics, including working alongside trained professionals and forensically examining the condition of a machine.
Conclusion
The possibility of computer crime is all-pervasive, and it can have disastrous consequences. Recent events have confirmed that a single computer crime can trigger the downfall of any enterprise in absolutely no time. Just as enterprises need to be prepared and have adequate plans for business continuity, they ought to be conscientious about the nature of computer crimes and the impact these can have on an organization. This should be a vital aspect of the risk management strategy formulated by every organization. IT auditors, IT assurance professionals and senior management should keep themselves updated on the concepts and practice of computer crime. They should also have a basic understanding of the bearing that computer forensics has on the legal and legislative process, and they should chalk out effective strategies to prevent computer crimes within their respective organizations. Computer forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is magnetically stored or encoded. Recent computer crimes have increased the demand for computer forensics experts.