WEBVTT

00:00:09.720 --> 00:00:14.020
Let's dive a little bit deeper into persistent storage devices.

00:00:14.020 --> 00:00:17.520
So let's do a quick review.

00:00:17.520 --> 00:00:21.980
For our purposes, we're using the term persistent storage device to refer

00:00:21.980 --> 00:00:28.400
to anything that keeps its data integrity when powered off.

00:00:28.400 --> 00:00:33.340
So when we use this distinction, we'll say we can use one word to cover

00:00:33.340 --> 00:00:39.280
multiple types rather than saying hard drive or SSD drive or CD-ROM drive

00:00:39.280 --> 00:00:43.740
or USB, right? So just anything that's going to hold on to its data when

00:00:43.740 --> 00:00:48.900
powered off. Let's talk a little bit about hard disk drives, right?

00:00:48.900 --> 00:00:53.720
They're called hard disk drives or HDDs because they use a magnetic type

00:00:53.720 --> 00:00:57.300
of storage on spinning metal platters.

00:00:57.300 --> 00:01:02.760
This was introduced by IBM in about 1956 and they have been an essential

00:01:02.760 --> 00:01:07.320
storage solution for most of the history of computing.

00:01:07.320 --> 00:01:11.580
Now nowadays, most people don't even need to know about the inner workings

00:01:11.580 --> 00:01:15.340
of their hard drives, but it's good for us to have a basic understanding

00:01:15.340 --> 00:01:19.860
of how they work and what makes them different from other persistent storage

00:01:19.860 --> 00:01:28.500
devices. So a hard disk consists roughly of three components.

00:01:28.500 --> 00:01:34.000
It's going to be a platter, a spindle, and a head.

00:01:34.000 --> 00:01:36.500
The platter is going to look a little bit like a CD.

00:01:36.500 --> 00:01:41.860
It's a metal disk and it's reflective, so that's why it looks like

00:01:41.860 --> 00:01:45.160
a CD. That's what actually stores the data on there.
00:01:45.160 --> 00:01:51.200
The spindle, you can think of it as kind of like a turntable that

00:01:51.200 --> 00:01:55.580
spins the disk. And it's going to be what the platters are mounted on

00:01:55.580 --> 00:01:58.520
and then it's going to spin them, which takes us to the head.

00:01:58.520 --> 00:02:01.820
The head is in charge of reading or writing to the platters.

00:02:01.820 --> 00:02:05.420
You can kind of think of it as like a record needle.

00:02:05.420 --> 00:02:11.900
So when we dive into platters a little bit, what we have on each platter

00:02:11.900 --> 00:02:19.100
is going to be a track and then sectors and then cylinders.

00:02:19.100 --> 00:02:25.500
And as you can see from this graphic, the tracks and the sectors track

00:02:25.500 --> 00:02:28.200
down the cylinders.

00:02:28.200 --> 00:02:32.820
So let's talk about how we address hard disk drives because you're going

00:02:32.820 --> 00:02:38.600
to see this. There are two different types of addressing schemes out there.

00:02:38.600 --> 00:02:44.340
There's CHS or cylinder head sector, and there's LBA or logical block

00:02:44.340 --> 00:02:48.840
assignment. And the CHS is going to be a coordinate system.

00:02:48.840 --> 00:02:53.260
It's based on the geometry of the drive, just like you saw in this previous

00:02:53.260 --> 00:02:58.980
one right here. And the addressing system goes kind of all the way down

00:02:58.980 --> 00:03:03.260
just the same way in these tracks of platters.

00:03:03.260 --> 00:03:07.200
Okay. And the first sector on the disk is zero, zero, one.

00:03:07.200 --> 00:03:11.120
So that's going to be cylinder zero, head zero, sector one.
00:03:11.120 --> 00:03:17.260
LBA is used to address a larger number of these because as we think about

00:03:17.260 --> 00:03:20.640
this, or as time has gone on, if you want to use a three and a half inch

00:03:20.640 --> 00:03:25.520
hard drive form factor, as an example, our three and a half inch drives

00:03:25.520 --> 00:03:27.480
stayed the same.

00:03:27.480 --> 00:03:29.540
The form factor stayed the same.

00:03:29.540 --> 00:03:34.340
However, we were able to pack more data into that as our technology got

00:03:34.340 --> 00:03:38.920
better. So what we've done is we switched to an addressing scheme called

00:03:38.920 --> 00:03:41.480
LBA. It's more accurate.

00:03:41.480 --> 00:03:45.640
And it addresses that drive capacity limitation the CHS gives us.

00:03:45.640 --> 00:03:49.440
It's going to use a single number to address each sector.

00:03:49.440 --> 00:03:53.700
It's not related to drive geometry.

00:03:53.700 --> 00:03:57.600
However, it's going to use this algorithm down here at the bottom that

00:03:57.600 --> 00:04:00.560
does use some of the drive geometry to get there.

00:04:00.560 --> 00:04:03.840
But it's really just cylinder times heads per cylinder, plus head, and

00:04:03.840 --> 00:04:08.640
then times sectors per track, plus the sector, and then minus one.

00:04:08.640 --> 00:04:13.180
So that's your basic algorithm for calculating an LBA address.

00:04:13.180 --> 00:04:21.780
And most, if not all, hard disk drives use the LBA format.

00:04:21.780 --> 00:04:26.060
Okay, let's talk a little bit about sector sizes.

00:04:26.060 --> 00:04:33.340
You've seen, are they 512 bytes, are they 4 kilobytes, or are they both?

00:04:33.340 --> 00:04:39.420
So this next bit of information is going to be about some ways that we

00:04:39.420 --> 00:04:43.040
have matured our drives over time.
00:04:43.040 --> 00:04:48.160
So modern hard disk drives' logical sector sizes are pretty standardized.

00:04:48.160 --> 00:04:54.740
For about 30 years, the standard sector size was 512 bytes, which is still

00:04:54.740 --> 00:05:03.180
fairly common. However, in about 2010, we adopted the advanced format

00:05:03.180 --> 00:05:09.540
and that advanced format increases our default sector sizes to 4 kilobytes

00:05:09.540 --> 00:05:16.880
or 4096 bytes. And most, if not all, hard drives manufactured in 2010

00:05:16.880 --> 00:05:22.700
and beyond have those 4 kilobyte sectors.

00:05:22.700 --> 00:05:26.820
This is very important because the sectors are the smallest segment of

00:05:26.820 --> 00:05:30.160
a hard disk that can be read or written to.

00:05:30.160 --> 00:05:34.340
And sometimes, that means that, say you buy a hundred gigabyte hard drive,

00:05:34.340 --> 00:05:39.780
and you notice that when you format it in Windows, that maybe you actually

00:05:39.780 --> 00:05:47.340
have like 900 or 950 megabytes available for storage space, that's because

00:05:47.340 --> 00:05:53.120
it's going by the 4k or the 512 byte sector assignment.

00:05:53.120 --> 00:05:57.020
So all of that might not always be there, and keep in mind that you still

00:05:57.020 --> 00:05:59.920
have to fill those sectors up, right?

00:05:59.920 --> 00:06:03.080
So what that really means is that no matter how

00:06:03.080 --> 00:06:07.880
big or small a file is, it's always going to take up that round number

00:06:07.880 --> 00:06:13.560
of sectors. For example, on a disk with a 512 byte sector size, a file

00:06:13.560 --> 00:06:19.100
that is 513 bytes in size will take up two sectors.

00:06:19.100 --> 00:06:24.620
Thus, that means that you're going to have, you know, 511 bytes of unused

00:06:24.620 --> 00:06:26.780
space that's just never going to get used.
00:06:26.780 --> 00:06:29.340
And that's how the disk space, as I mentioned previously, seems to

00:06:29.340 --> 00:06:36.340
get smaller faster. 4 kilobyte sectors allow for more data to be read

00:06:36.340 --> 00:06:39.500
and written at the same time.

00:06:39.500 --> 00:06:41.560
So it's more efficient.

00:06:41.560 --> 00:06:47.340
Now, to support legacy hard disks and for legacy operating systems

00:06:47.340 --> 00:06:52.020
also, we can do 512 byte emulation.

00:06:52.020 --> 00:06:57.780
So what that's going to do is it's going to logically store legacy 512

00:06:57.780 --> 00:07:02.560
byte sectors in one 4 kilobyte sector.

00:07:02.560 --> 00:07:06.100
So the standard is going to allow for operating systems that don't support

00:07:06.100 --> 00:07:07.460
the 4 kilobytes.

00:07:07.460 --> 00:07:11.520
So I mentioned that hard drives started seeing the advanced format in 2010.

00:07:11.520 --> 00:07:16.920
However, we started seeing adoption of the advanced format ahead of time

00:07:16.920 --> 00:07:20.420
in about 2009 to 2012.

00:07:20.420 --> 00:07:25.460
And that's when we start seeing advanced format support and 4k sector

00:07:25.460 --> 00:07:30.340
size support in operating systems, starting with Windows 8, Linux kernel

00:07:30.340 --> 00:07:35.340
2.6.31, and then Mac OS X Tiger.

00:07:35.340 --> 00:07:37.980
So at this point, those are all old operating systems.

00:07:37.980 --> 00:07:42.260
So we can fully assume that on modern operating systems and modern file

00:07:42.260 --> 00:07:50.060
systems, the 4 kilobyte sector format is fully supported.

00:07:50.060 --> 00:07:53.160
So what's a solid state drive?

00:07:53.160 --> 00:07:59.560
The biggest thing on it is that a solid state drive has absolutely no

00:07:59.560 --> 00:08:01.180
moving parts in it.
00:08:01.180 --> 00:08:07.160
They're called SSDs and they utilize flash storage instead of a mechanical

00:08:07.160 --> 00:08:13.300
spinning disk. They were first introduced in 1991, but they were way too

00:08:13.300 --> 00:08:20.400
expensive to enter into we see a lot of solid state drives out there.

00:08:20.400 --> 00:08:24.640
And as a forensic practitioner, it's very, very important to know how

00:08:24.640 --> 00:08:32.420
an SSD differs from an HDD just to ensure that they're handled properly.

00:08:32.420 --> 00:08:41.080
Here is what an SSD looks like.

00:08:41.080 --> 00:08:46.200
So as you can see on this board, it has no moving parts.

00:08:46.200 --> 00:08:51.780
Most of them are going to use MLC NAND-based flash memory.

00:08:51.780 --> 00:08:55.380
This is a non-volatile type of flash memory.

00:08:55.380 --> 00:09:00.920
So it definitely retains its data even when it's powered off.

00:09:00.920 --> 00:09:07.140
And instead of sectors, this kind of memory uses structures called pages

00:09:07.140 --> 00:09:16.100
and blocks. So if we think in the form of page by page and block by block,

00:09:16.100 --> 00:09:19.300
what we have is going to be very similar to what we talked about before.

00:09:19.300 --> 00:09:26.720
We have 512 kilobyte blocks that are in pages that equal about 4 kilobytes.

00:09:26.720 --> 00:09:29.120
And that's 128 pages.

00:09:29.120 --> 00:09:33.280
And pages are going to be the smallest unit of readable memory.

00:09:33.280 --> 00:09:36.580
Right. And then we group them into those segments called blocks.

00:09:36.580 --> 00:09:42.820
And the block is going to be the smallest erasable unit.

00:09:42.820 --> 00:09:50.060
So typically there's going to be 128 pages in each block.

00:09:50.060 --> 00:09:53.380
And there we are, kind of in an expanded view.
00:09:53.380 --> 00:09:56.920
And kind of think about this in that when we want to erase things

00:09:56.920 --> 00:10:03.400
on an SSD, SSDs can only be erased by the block and not by the page.

00:10:03.400 --> 00:10:09.360
What that means is, unlike HDDs, solid state drives cannot directly

00:10:09.360 --> 00:10:14.800
overwrite data where it sits, which means every file

00:10:14.800 --> 00:10:20.160
change you make causes the file to be rewritten to a new location.

00:10:20.160 --> 00:10:23.280
And what that's going to do is that's going to trigger a process called

00:10:23.280 --> 00:10:24.880
garbage collection.

00:10:24.880 --> 00:10:27.460
What is garbage collection?

00:10:27.460 --> 00:10:29.920
And how does this work?

00:10:29.920 --> 00:10:36.320
A little bit bigger view here so we can see what we have. So file

00:10:36.320 --> 00:10:41.380
one exists in block A and then pages K through P.

00:10:41.380 --> 00:10:46.160
If we want to write, and then we write file two to block A pages A through

00:10:46.160 --> 00:10:51.620
E, we're going to have to edit that whole thing.

00:10:51.620 --> 00:10:54.860
And then the garbage collection process is going to move in.

00:10:54.860 --> 00:10:58.320
And it's going to move all those files to block B and then it's going

00:10:58.320 --> 00:11:02.800
to completely erase block A and then make block A available to be written

00:11:02.800 --> 00:11:05.900
to again. And it's going to keep on doing that.

00:11:05.900 --> 00:11:11.720
And that is essentially how garbage collection works.

00:11:11.720 --> 00:11:15.760
But it's basically just the process where SSDs clean up the stale

00:11:15.760 --> 00:11:17.180
data left behind.

00:11:17.180 --> 00:11:21.480
And then we're also going to use an algorithm called Wear Level Protection.
00:11:21.480 --> 00:11:23.940
And that's just an algorithm that sits on top of all of this.

00:11:23.940 --> 00:11:28.880
And it makes sure that it does this garbage collection process cleanly

00:11:28.880 --> 00:11:30.940
and evenly throughout the disk.

00:11:30.940 --> 00:11:36.400
So kind of like your tires on your car, these blocks are worn down on

00:11:36.400 --> 00:11:42.620
an even basis because, you know, our SSD drives, they do have a finite amount

00:11:42.620 --> 00:11:45.860
of reads and writes, even though it's an incredibly large number.

00:11:45.860 --> 00:11:48.240
So how is garbage collection triggered?

00:11:48.240 --> 00:11:52.900
Garbage collection is triggered either automatically by the SSD firmware

00:11:52.900 --> 00:11:59.800
during low utilization times or when the file system sends a TRIM command.

00:11:59.800 --> 00:12:05.760
And what that means is the file system is going to tell the hard disk

00:12:05.760 --> 00:12:10.860
that this block no longer contains useful information and that the SSD

00:12:10.860 --> 00:12:16.000
drive can go ahead and clean that up.

00:12:16.000 --> 00:12:19.720
One thing that I want to be very, very clear on is this.

00:12:19.720 --> 00:12:25.820
Once a block is wiped away, that data is gone forever and it is completely

00:12:25.820 --> 00:12:31.620
unrecoverable. So let's talk about different kinds of plug types that we're

00:12:31.620 --> 00:12:35.460
going to see. A storage drive won't be of much use if it isn't accessible

00:12:35.460 --> 00:12:36.920
to the operating system.

00:12:36.920 --> 00:12:40.760
And these are the connectors that are going to make it useful to the

00:12:40.760 --> 00:12:41.600
operating system.

00:12:41.600 --> 00:12:46.000
You're going to be looking at your SATA, your M.2s, your SCSI, and

00:12:46.000 --> 00:12:48.940
then a PATA or IDE connection.
00:12:48.940 --> 00:12:56.880
So you might be actually thinking about why you don't see USB on this

00:12:56.880 --> 00:13:04.200
list. Well, the big secret here is that most USB drives use an internal

00:13:04.200 --> 00:13:08.680
adapter and they're going to convert to SATA or to USB.

00:13:08.680 --> 00:13:12.540
But you do need to be aware that USB is going to be the interface that

00:13:12.540 --> 00:13:16.260
will transfer the data from a SATA drive.

00:13:16.260 --> 00:13:21.100
And that's going to happen significantly slower because that's just, you

00:13:21.100 --> 00:13:25.680
have higher level operating system drivers interacting with the data

00:13:25.680 --> 00:13:32.120
transfer rather than the main board and the CPU and the bus and the hardware

00:13:32.120 --> 00:13:35.100
facilitating that data transfer.

00:13:35.100 --> 00:13:38.300
So it will be considerably slower.

00:13:38.300 --> 00:13:41.680
So you need to think about those data transfer technologies.

00:13:41.680 --> 00:13:45.020
And you need to understand the interfaces.

00:13:45.020 --> 00:13:48.620
And if you need to go and do a collection or whatnot, then you need to

00:13:48.620 --> 00:13:54.000
make sure that you take all of the interfaces and adapters that you're

00:13:54.000 --> 00:13:59.380
going to pack for your collections.

00:13:59.380 --> 00:14:04.720
Okay. So looking at abstraction layers, on the far left hand side of

00:14:04.720 --> 00:14:06.260
the slide, we have the hard disk.

00:14:06.260 --> 00:14:08.260
That's the first thing you're going to look at.

00:14:08.260 --> 00:14:12.820
When we move from the hard disk and we want to look at the different layers

00:14:12.820 --> 00:14:18.360
that are on this hard disk, we start with the physical media analysis.
00:14:18.360 --> 00:14:23.640
And so that's where we're going to look at the ones and the zeros in hexadecimal

00:14:23.640 --> 00:14:27.420
form. And we're going to look at the sectors of the data.

00:14:27.420 --> 00:14:32.140
The sectors of data are then going to be split into volumes, right?

00:14:32.140 --> 00:14:36.820
And then on that volume is where you're going to find your file systems,

00:14:36.820 --> 00:14:39.820
and then your files on the file system.

00:14:39.820 --> 00:14:44.260
And then at that point, you can perform a file analysis.

00:14:44.260 --> 00:14:48.160
So a lot happens when we're converting this data to information in these

00:14:48.160 --> 00:14:49.100
abstraction layers.

00:14:49.100 --> 00:14:54.280
But just know that it all starts with a physical media analysis.

00:14:54.280 --> 00:14:58.700
And then we work through this process into a file analysis.

00:14:58.700 --> 00:15:03.880
And that's why it can take a considerable amount of time to process modern

00:15:03.880 --> 00:15:08.100
hard drives with forensic software, because we're having to do all of

00:15:08.100 --> 00:15:10.020
these different things.

00:15:10.020 --> 00:15:12.320
And what you're going to have to do is sometimes you might have to dig

00:15:12.320 --> 00:15:16.200
into the details on your file analysis.

00:15:16.200 --> 00:15:21.060
So understanding how each data layer kind of interacts is going to be

00:15:21.060 --> 00:15:25.020
really important when you're conducting your investigation.

00:15:25.020 --> 00:15:28.900
And it might also be incredibly important to have the ability to explain

00:15:28.900 --> 00:15:32.800
these layers if you have to take a case to court.

00:15:32.800 --> 00:15:38.180
Okay. So we have a hard disk installed.

00:15:38.180 --> 00:15:41.660
And what happens when we turn a system on?
00:15:41.660 --> 00:15:45.360
Well, what that means is that we have to go through the BIOS.

00:15:45.360 --> 00:15:49.960
Okay. BIOS stands for basic input output system.

00:15:49.960 --> 00:15:52.480
It's firmware that sits on your motherboard.

00:15:52.480 --> 00:15:58.340
And basically, it's a very, very small rudimentary operating system that

00:15:58.340 --> 00:16:01.380
helps your hardware figure out what it's going to do.

00:16:01.380 --> 00:16:05.900
And it gives basic runtime services to make sure that your computer gets

00:16:05.900 --> 00:16:07.500
running properly.

00:16:07.500 --> 00:16:11.480
The BIOS powers on as soon as you hit that power button.

00:16:11.480 --> 00:16:14.600
Here's what a basic BIOS looks like.

00:16:14.600 --> 00:16:19.300
And from this screen, you can control your boot sequences, you can

00:16:19.300 --> 00:16:23.380
control security, you can control some processor overclocking, you can

00:16:23.380 --> 00:16:27.780
even rewrite the firmware on your BIOS through some of these interfaces.

00:16:27.780 --> 00:16:36.860
After the BIOS does its task of initializing, it'll pass control over.

00:16:36.860 --> 00:16:39.900
And one of the things it does as part of the initialization is it figures

00:16:39.900 --> 00:16:41.680
out the boot order.

00:16:41.680 --> 00:16:47.160
And what that means is it's going to try and boot up your system, utilizing

00:16:47.160 --> 00:16:49.300
a default order.

00:16:49.300 --> 00:16:52.460
And typically, that order is going to be: it's going to try optical media

00:16:52.460 --> 00:16:56.880
first, and then USB, and then SATA.

00:16:56.880 --> 00:17:00.720
And it's looking for the first device in that order to give it a file

00:17:00.720 --> 00:17:04.440
system and an operating system that it can boot to.
00:17:04.440 --> 00:17:08.980
And if it can't find things like optical media, USB or SATA, sometimes

00:17:08.980 --> 00:17:12.780
it can figure out how to boot from the network.

00:17:12.780 --> 00:17:17.160
Okay, so why does all of this matter?

00:17:17.160 --> 00:17:23.140
Forensic tools can boot from a bootable flash drive or a CD or a DVD.

00:17:23.140 --> 00:17:27.880
So that means one of your first stops when imaging a system physically

00:17:27.880 --> 00:17:32.220
is the BIOS. You need to get into that BIOS, you need to figure out the

00:17:32.220 --> 00:17:36.780
boot order, you need to document those things in your forensic notes.

00:17:36.780 --> 00:17:41.600
And you have to make a determination whether you're going to pull the

00:17:41.600 --> 00:17:45.660
hard drive out, physically disconnect the hard drive from the computer,

00:17:45.660 --> 00:17:47.200
and then take an image from it.

00:17:47.200 --> 00:17:50.340
Or you can always change the boot order.

00:17:50.340 --> 00:17:55.000
So you can boot to one of your bootable flash drives or CDs or DVDs.

00:17:55.000 --> 00:17:57.260
And then you can do your forensics from there.
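The CHS-to-LBA formula the lecture gives, its 513-byte file example, and the 512-byte emulation it describes, worked through as an added Python example that is not part of the lecture transcript. The geometry (16 heads per cylinder, 63 sectors per track) is a constructed sample value, and the LBA-to-CHS inverse goes beyond what the lecture shows.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    """CHS geometry of a drive. The values used below are constructed
    sample numbers, not taken from any particular drive."""
    heads_per_cylinder: int
    sectors_per_track: int


def chs_to_lba(cylinder: int, head: int, sector: int, geo: Geometry) -> int:
    """The lecture's formula: LBA = (C * HPC + H) * SPT + S - 1.
    CHS sectors are 1-based, so the first sector (0, 0, 1) is LBA 0."""
    if not 0 <= head < geo.heads_per_cylinder:
        raise ValueError(f"head {head} outside 0..{geo.heads_per_cylinder - 1}")
    if not 1 <= sector <= geo.sectors_per_track:
        raise ValueError(f"sector {sector} outside 1..{geo.sectors_per_track}")
    return (cylinder * geo.heads_per_cylinder + head) * geo.sectors_per_track + sector - 1


def lba_to_chs(lba: int, geo: Geometry) -> tuple[int, int, int]:
    """Inverse of chs_to_lba (not shown in the lecture): peel off the
    cylinder, then the head, and re-add the 1 to get the 1-based sector."""
    cylinder, rest = divmod(lba, geo.heads_per_cylinder * geo.sectors_per_track)
    head, sector0 = divmod(rest, geo.sectors_per_track)
    return cylinder, head, sector0 + 1


def sectors_needed(file_size: int, sector_size: int) -> int:
    """A file always occupies a whole number of sectors (ceiling division)."""
    return -(-file_size // sector_size)


def slack_bytes(file_size: int, sector_size: int) -> int:
    """Allocated bytes the file never fills; the lecture's 513-byte file on
    512-byte sectors leaves 511 of them."""
    return sectors_needed(file_size, sector_size) * sector_size - file_size


def logical_512_to_physical_4k(logical_sector: int) -> tuple[int, int]:
    """512-byte emulation: 4096 / 512 = 8 logical sectors share one physical
    4 KiB sector. Returns (physical sector index, position within it)."""
    return divmod(logical_sector, 8)


if __name__ == "__main__":
    geo = Geometry(heads_per_cylinder=16, sectors_per_track=63)
    print("CHS (0,0,1) ->", chs_to_lba(0, 0, 1, geo))
    print("CHS (1,0,1) ->", chs_to_lba(1, 0, 1, geo))
    print("LBA 1008    ->", lba_to_chs(1008, geo))
    print("513-byte file:", sectors_needed(513, 512), "sectors,",
          slack_bytes(513, 512), "bytes slack")
    print("512e logical sector 9 ->", logical_512_to_physical_4k(9))
```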