File systems such as FAT16, FAT32, NTFS, HFS (Macintosh Hierarchical Filesystem), HFS+, Ext2 (Linux), and UFS (Solaris) keep track of where data are located on a disk, providing the familiar file and folder structure. Before a file system can be created, a partition must be created to specify how much of the hard drive it will occupy. The first sector of a hard disk contains the Master Boot Record (MBR) containing a partition table to tell the operating system how the disk is divided. Figure 8.5 shows the general structure of a disk with two partitions.
Figure 8.5: Simplified depiction of disk structure with two partitions, each containing a FAT formatted volume.
The partition table specifies the first and last sectors in each partition, as well as additional information about the partition. The simplest example of creating or viewing a partition is using the fdisk command. The following example shows output from the Linux fdisk command run on a Dell computer with two hard drives - one hard drive has a small partition for recovery purposes and a larger partition containing an NTFS file system (Windows NT/2000/XP), and the other hard drive has several partitions containing an ext2 file system (Linux).
# /sbin/fdisk -l

Disk /dev/hdc: 255 heads, 63 sectors, 9726 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdc1             1         4     32098+  de  Dell Utility
/dev/hdc2   *         5      9725  78083932+   7  HPFS/NTFS

Disk /dev/hdd: 255 heads, 63 sectors, 7476 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdd1   *         1         6     48163+  83  Linux
/dev/hdd2             7      7346  58958550  83  Linux
/dev/hdd3          7347      7476   1044225  82  Linux swap
A failure to realize that this system has two hard drives could result in lost digital evidence.
As another example, the following output from the Windows fdisk command shows a hard drive with one primary partition and an extended partition that is subdivided into four smaller partitions. The use of extended partitions is necessary because the partition table only has room for four primary partitions - an extended partition can be subdivided into additional partitions without entries in the partition table.
Display Partition Information

Current fixed disk drive: 2

Partition  Status  Type     Volume Label  Mbytes  System  Usage
D: 1       A       PRI DOS  MELPOMENE      4910   FAT32    25%
   2               EXT DOS               14614            75%

Total disk space is 19532 Mbytes (1 Mbyte = 1048576 bytes)

The Extended DOS Partition contains Logical DOS Drives.
Do you want to display the logical drive information (Y/N)......?[Y]

Display Logical DOS Drive Information

Drv  Volume Label  Mbytes  System  Usage
E:   CLIO           4871   FAT32    33%
F:   ERATO          4903   FAT32    34%
G:   TERPSICHORE    4840   FAT32    33%

Total Extended DOS Partition size is 14614 Mbytes (1 MByte = 1048576 bytes)
Once a partition has been created it can be formatted with any file system. For instance, a FAT file system can be created using the format command on Windows. The area occupied by the file system is called a volume, which is assigned a letter such as C: by the operating system. Contrary to popular belief, the format command does not erase data from the volume - it is possible to recover data from a hard drive after it has been formatted.[6] Comparing volumes to bookcases in a library, file systems are analogous to library catalogs, providing an efficient way to locate a particular item. Formatting a volume is like destroying the card catalog in a library but leaving the books on the shelves. It is still possible to find a particular book but it takes more time.
The first sector on each volume, called the boot sector (a.k.a. boot record or boot block), contains important file system information. For instance, Figure 8.6 shows the boot sector of a Windows 95 machine. It shows that two (2) copies of the file allocation table (FAT) are available - this table is the equivalent of the library card catalog and a backup copy is maintained in case the primary one is damaged or destroyed. This figure also shows that each cluster on the disk is quite large (64 sectors/cluster × 512 bytes/sector = 32 kbytes).
Figure 8.6: Windows 95 boot sector viewed using Norton Diskedit.
Be aware that a file system may not use an entire partition, leaving space between the end of the volume and the end of the partition, an area called volume slack that can be used to hide data. Figure 8.7 shows remnants of the Form virus stored in volume slack.
Figure 8.7: Volume slack containing remnants of Form virus viewed using EnCase.
Also be aware that partitions typically start at the beginning of a cylinder resulting in unused space between the end of one partition and the beginning of the next.
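The partition-table bookkeeping described above, as an added example that is not part of the original text: it parses a constructed MBR whose two entries reproduce the /dev/hdc layout from the fdisk listing (255 heads × 63 sectors, so 16065 sectors per cylinder, partitions starting and ending on cylinder boundaries), reproduces fdisk's "Blocks" column, and lists the sectors no primary partition claims, including the cylinder-alignment gaps just mentioned. The names parse_mbr, fdisk_blocks and unallocated_gaps are this example's own.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}     # DOS / Windows extended-partition ids

def parse_mbr(mbr: bytes):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with the 0x55AA signature")
    parts = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue                            # unused slot
        parts.append({"slot": i + 1, "bootable": status == 0x80, "type": ptype,
                      "extended": ptype in EXTENDED_TYPES,
                      "start": start, "end": start + count - 1, "sectors": count})
    return parts

def fdisk_blocks(sectors: int) -> str:
    """1 KB block count as Linux fdisk prints it; '+' marks a half block."""
    return f"{sectors // 2}{'+' if sectors % 2 else ''}"

def unallocated_gaps(parts, disk_sectors: int):
    """Sector ranges no primary partition claims: after the MBR, between
    partitions (cylinder alignment) and after the last one."""
    gaps, cursor = [], 1                        # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def _entry(status, ptype, start, count):
    return struct.pack("<B3xB3xII", status, ptype, start, count)  # CHS left zero

# Constructed MBR reproducing the /dev/hdc layout above: 255 heads x 63 sectors,
# so one cylinder is 16065 sectors; partitions start and end on cylinders.
CYL = 255 * 63
DISK_SECTORS = 9726 * CYL
SAMPLE_MBR = (bytes(446)
              + _entry(0x00, 0xDE, 63, 4 * CYL - 63)      # Dell Utility, cyl 1-4
              + _entry(0x80, 0x07, 4 * CYL, 9721 * CYL)   # HPFS/NTFS, cyl 5-9725
              + bytes(32) + b"\x55\xaa")
```

Running fdisk_blocks over the parsed entries yields the 32098+ and 78083932+ values from the listing, and unallocated_gaps reports the 62 sectors after the MBR and the unused final cylinder.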
There are several features of file systems that are useful from a data recovery standpoint. When a file takes up less than one cluster, other files will not use the additional space in that cluster. In short, once a cluster contains data, the entire cluster is reserved. This is similar to the situation in most restaurants. If three people are sitting at a table that seats four, the additional seat remains empty until the three people have finished using the table. The idea is that a fourth stranger might interfere with these three people's meal. Similarly, if a computer tried to squeeze extra data into the unused part of a cluster, the new data might interfere with the old. The extra sectors in a cluster are called file slack space. When a file does not end on a sector boundary, operating systems prior to Windows 95a fill the rest of the sector with data from RAM, giving it the name RAM slack. Later versions of Windows fill this space with zeros.
When a file is deleted, its entry in the file system is updated to indicate its deleted status and the clusters previously allocated to store it are marked unallocated and can be reused to store a new file. However, the data are left on the disk and it is often possible to retrieve a file immediately after it has been deleted. The data will remain on the disk until a new file overwrites them (Figure 8.8). However, if the new file does not take up the entire cluster, a portion of the old file might remain in the slack space. In this case, a portion of a file can be retrieved long after it has been deleted and partially overwritten. The process of recovering deleted or partially overwritten data from a disk is described in later chapters.
Figure 8.8: When old data are overwritten with new data, some of the old data can remain.
Having large clusters such as those in Figure 8.6 results in large amounts of slack space. More modern file systems are designed to limit slack space because it is wasted from a file system viewpoint.
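The cluster, slack and overwrite behaviour described above (Figures 8.6 and 8.8), as an added example that is not from the original text: it reads the cluster geometry from a constructed FAT boot sector with the same 64 sectors/cluster and two FATs as Figure 8.6 (the total sector count is made up), splits a file's unused cluster tail into RAM slack and file slack, computes volume slack from a partition's size, and shows how much of an old file survives when a smaller file reuses its cluster. The function names and the sample boot sector are this example's own.

```python
import struct

SECTOR = 512

def parse_fat_boot_sector(bs: bytes):
    """Read the BIOS Parameter Block fields a slack analysis needs, at the
    offsets the FAT specification defines (all little-endian)."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 11)
    num_fats = bs[16]                                  # Figure 8.6 shows 2
    total16, = struct.unpack_from("<H", bs, 19)        # small volumes
    total32, = struct.unpack_from("<I", bs, 32)        # used when total16 == 0
    return {"bytes_per_sector": bytes_per_sector,
            "cluster_bytes": bytes_per_sector * sectors_per_cluster,
            "num_fats": num_fats,
            "total_sectors": total16 or total32}

def slack(file_size: int, bytes_per_sector: int, cluster_bytes: int):
    """Bytes of the last cluster the file does not use: RAM slack is the
    rest of its last sector, file slack the whole unused sectors after it."""
    used = file_size % cluster_bytes
    if used == 0:                          # file ends exactly on a cluster
        return 0, 0
    ram_slack = (-used) % bytes_per_sector
    return ram_slack, cluster_bytes - used - ram_slack

def volume_slack(partition_sectors: int, total_sectors: int) -> int:
    """Sectors between the end of the volume and the end of its partition."""
    return partition_sectors - total_sectors

def overwrite_cluster(old: bytes, new_data: bytes, bytes_per_sector=SECTOR):
    """Reuse a cluster for a smaller file the way later Windows versions do:
    the new file's last sector is zero-padded, later sectors are untouched."""
    buf = bytearray(old)
    n = len(new_data)
    end = -(-n // bytes_per_sector) * bytes_per_sector  # round up to a sector
    buf[:n] = new_data
    buf[n:end] = bytes(end - n)            # RAM slack zeroed; file slack kept
    return bytes(buf)

# Constructed boot sector: 512-byte sectors, 64 sectors/cluster, 1 reserved
# sector, 2 FATs and a made-up total of 4,194,304 sectors (a 2 GB volume).
SAMPLE_BOOT_SECTOR = bytearray(SECTOR)
struct.pack_into("<HBHB", SAMPLE_BOOT_SECTOR, 11, 512, 64, 1, 2)
struct.pack_into("<I", SAMPLE_BOOT_SECTOR, 32, 4_194_304)
SAMPLE_BOOT_SECTOR[510:] = b"\x55\xaa"
```

With this geometry a 100-byte file leaves 412 bytes of RAM slack and 63 whole sectors (32256 bytes) of file slack, and a 700-byte file written over a full 32 kbyte cluster leaves the last 62 sectors of the old contents intact.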
Notably, not all storage devices have file systems. For instance, data can be written to backup tapes in a simple way that does not require a file system. This approach maximizes the amount of space used for data storage and minimizes the amount used for data organization. Also, on UNIX machines, swap partitions do not have file systems. A swap partition or file acts as virtual memory, enabling a computer to run more processes than can fit within a computer's physical memory (RAM). This illusion of extra memory is achieved by either swapping or paging data into and out of RAM as required. Swapping replaces a complete process with another in memory whereas paging removes a "page" (usually 2–4 kbytes) of a process and replaces it with a page from another process.
[6]This does not apply to low-level formatting. The format command can perform a low-level format on floppy diskettes prior to creating a file system, thus destroying all information on the floppy. To low-level format a hard drive it is necessary to obtain a special program from the vendor. For example, IBM provides the Drive Fitness Test utility (www.storage.ibm.com) to help individuals maintain disks in IBM systems.