Data types
Active Data
• Data the operating system can "see" and use
• Files and folders that appear in Windows Explorer
• Reside in allocated space
• Can be acquired by copying files
Latent Data
• Data that has been deleted or partially overwritten
• Invisible to OS
• Does not appear in Windows Explorer
• A bitstream or forensic image is required to acquire this data
Archival Data
• Also called Backups
• Commonly stored on
– External hard drives
– DVDs
– Magnetic tapes
– Cloud backup services like Iron Mountain or Symform
Legacy Archival Data
• Made with software or hardware that is no longer in production
• To acquire the data, you need to get old devices
– User's groups
– eBay
• Image: PDP-11 at Defcon 17
Computer File Systems
File System
• Keeps track of used and free sectors
• Location of each file
• Filename
• Last modified date
• Permissions
FAT (File Allocation Table)
• Oldest and simplest file system
• FAT12 (for floppy disks)
• FAT16 (2 GB max. partition size)
– 4 GB on Win 2000 (link Ch 2p)
• FAT32 (Common on USB drives)
– Not used on Windows XP or later
• FATX for the X-Box
• exFAT used for Windows CE
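The bookkeeping described above (which clusters are used or free, where each file's data lives) and the FAT16 partition limits on this slide can be shown with a toy allocation table. This is an added example, not code from the slides; the FAT entries, directory entries, the assumption that the data area starts at cluster 2 at offset 0, and the 4096-byte cluster are all constructed for the demonstration.

```python
"""Toy FAT-style allocation table (constructed example, not real FAT code).

A FAT is an array indexed by cluster number; each entry holds the number of
the file's next cluster, a free marker, or an end-of-chain marker. The
directory entry gives the file name and its first cluster.
"""

FREE = 0x0000          # cluster not in use
END_OF_CHAIN = 0xFFFF  # last cluster of a file (FAT16 uses 0xFFF8-0xFFFF)

# Constructed sample FAT: index = cluster number, value = next cluster.
# Entries 0 and 1 are reserved in a real FAT and never hold file data.
SAMPLE_FAT = [0xFFF8, 0xFFFF,
              3, 4, END_OF_CHAIN,        # REPORT.DOC: 2 -> 3 -> 4
              FREE, FREE,
              9, END_OF_CHAIN, 8,        # NOTES.TXT: 7 -> 9 -> 8 (fragmented)
              FREE, FREE]

# Constructed sample directory: name -> (first cluster, size in bytes)
SAMPLE_DIR = {"REPORT.DOC": (2, 10_000), "NOTES.TXT": (7, 9_000)}


def cluster_chain(fat, first):
    """Follow the FAT from a file's first cluster to its end-of-chain marker."""
    chain, cur, seen = [], first, set()
    while cur != END_OF_CHAIN:
        if cur in seen or cur >= len(fat) or fat[cur] == FREE:
            raise ValueError(f"corrupt chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def free_clusters(fat):
    """Clusters the OS may hand out (reserved entries 0 and 1 excluded)."""
    return [i for i, v in enumerate(fat) if i >= 2 and v == FREE]


def file_extent(fat, directory, name, cluster_bytes=4096):
    """Byte ranges a file occupies, in chain order.

    Assumes (for this toy) that the data area begins at cluster 2 and sits
    at byte offset 0; a real volume has boot sector, FATs and root dir first."""
    first, _size = directory[name]
    return [((c - 2) * cluster_bytes, (c - 1) * cluster_bytes)
            for c in cluster_chain(fat, first)]


def fat16_max_partition(cluster_bytes):
    """FAT16 entries are 16 bits, so at most 2**16 clusters are addressable
    (a handful of values are reserved, ignored here). Partition size is
    therefore clusters * cluster size: 32 KiB clusters give the classic
    2 GiB limit, the 64 KiB clusters Windows 2000 allows give 4 GiB."""
    return (2 ** 16) * cluster_bytes
```

The chain walk is what a forensic tool repeats for every directory entry; `free_clusters` is the set the OS will reuse, and any file data still sitting in those clusters is latent data until that reuse happens.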
NTFS (New Technology File System)
• Used by Win XP, 7, and Server
• Advantages
– Journaling (recovers from errors)
– Encryption
– Permissions
– Uses B-Trees for fast searches
HFS+ (Hierarchical File System)
• Used by Apple products
• Also uses B-Trees
• Related versions
– HFS
– HFSX
B-Tree
• A way of storing objects so they can be searched quickly
– Image From Wikipedia
Allocated and Unallocated Space
Space on a Hard Drive
• Allocated
– Active data
– In use
– Can be seen by OS
• Unallocated
– No longer in use
– Slack space (Drive slack)
– Invisible to OS
Space on a Hard Drive
• Host Protected Area and Device Configuration Overlays
– Hidden area on a hard drive
– Difficult to detect
– Not used by OS
– Stores device firmware and data
– Accessed by firmware update routines, which can be reverse engineered
Data Persistence
• Old Data is Left in Slack Space
– Unallocated clusters
– Remains on drive until overwritten
– Can be years
• Even an Overwrite may not get it all
– If the new file doesn't use all the sectors
Magnetic Drive Storage
• Sector = 512 bytes
– All data is read and written a sector at a time
• Cluster
– Varies, often 4096 bytes = 8 sectors
– OS can only use space a cluster at a time
Example
• BIG file: 4000 bytes
– Written onto disk
– Nearly fills 8 sectors = 1 cluster
• Delete BIG file
• Save SMALL file on same cluster
– SMALL file: 1000 bytes
– Only uses 2 sectors
Drive Slack
Sector Before After
------ ------ ------
200 BIG SMALL
201 BIG SMALL
202 BIG BIG
203 BIG BIG
204 BIG BIG
205 BIG BIG
206 BIG BIG
207 BIG BIG
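The BIG/SMALL example and the Drive Slack table above, together with the Data Persistence point that an overwrite only clears the sectors the new file reaches, can be replayed on a simulated drive. This is an added example rather than code from the slides: it models a disk as raw 512-byte sectors with 8 sectors per cluster, puts BIG in cluster 25 so that it lands on sectors 200-207 as in the table, and then shows what the OS sees versus what a forensic read of the cluster still recovers. The fill bytes "B" and "S" are constructed so each file's data is recognisable.

```python
"""Drive slack simulation (constructed example, not from the slides)."""

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 4096 bytes, as on the slide


class ToyDisk:
    """Raw sectors (what a bitstream image captures) plus the allocation
    bookkeeping (what the OS consults). Handles single-cluster files only."""

    def __init__(self, clusters):
        self.raw = bytearray(clusters * CLUSTER)
        self.allocated = {}          # name -> (cluster, size in bytes)

    def write(self, name, data, cluster):
        if len(data) > CLUSTER:
            raise ValueError("example handles files of one cluster or less")
        # The drive writes whole sectors, so the last partial sector is
        # padded; sectors beyond the file's last one are not touched at all.
        n_sectors = -(-len(data) // SECTOR)
        padded = data + b"\x00" * (n_sectors * SECTOR - len(data))
        base = cluster * CLUSTER
        self.raw[base:base + len(padded)] = padded
        self.allocated[name] = (cluster, len(data))

    def delete(self, name):
        # Deleting updates only the bookkeeping; no sector is rewritten.
        del self.allocated[name]

    def read_file(self, name):
        """What the OS returns: only the bytes inside the recorded size."""
        cluster, size = self.allocated[name]
        base = cluster * CLUSTER
        return bytes(self.raw[base:base + size])

    def drive_slack(self, cluster):
        """Sectors of the cluster the current file does not reach, keyed by
        absolute sector number, as a forensic tool would carve them."""
        size = next((s for c, s in self.allocated.values() if c == cluster), 0)
        used = -(-size // SECTOR)
        first = cluster * SECTORS_PER_CLUSTER
        return {first + i: bytes(self.raw[(first + i) * SECTOR:(first + i + 1) * SECTOR])
                for i in range(used, SECTORS_PER_CLUSTER)}


def run_demo():
    """Replay the slide: BIG (4000 bytes) into cluster 25 = sectors 200-207,
    delete it, then SMALL (1000 bytes) into the same cluster."""
    disk = ToyDisk(clusters=26)
    disk.write("BIG", b"B" * 4000, cluster=25)
    disk.delete("BIG")                    # BIG is now latent data
    disk.write("SMALL", b"S" * 1000, cluster=25)
    slack = disk.drive_slack(25)
    return {
        "os_view": disk.read_file("SMALL"),                 # 1000 bytes of S
        "slack_sectors": sorted(slack),                     # 202 .. 207
        "recovered": b"".join(slack[s] for s in sorted(slack)),
    }


if __name__ == "__main__":
    result = run_demo()
    print("sectors still holding BIG:", result["slack_sectors"])
    print("bytes of BIG recovered from slack:", result["recovered"].count(b"B"))
```

Sectors 200 and 201 now hold SMALL, and the six sectors after it still hold 2976 bytes of BIG plus the 96 bytes of padding from BIG's own last sector. Copying SMALL through the OS never returns any of that; only a sector-level image does, which is why the slides require a bitstream image for latent data.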
Page File (Swap Space)
• Used for virtual memory
– Temporary storage when your computer runs out of available RAM
– Windows puts data here even when RAM is not full
– It also loads old data from swap back into RAM
– I once found something years old in my RAM
Potential Page File Contents
• Passwords
• Fragments of images or documents
• Anything else from RAM
• BUT there is no timestamp, so it will be hard to connect to a specific user or event
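Two of the items listed above, text fragments and image fragments, are found in a page file by scanning the raw bytes rather than by any file system structure, since paged-out memory has no names or timestamps. The following is an added example, not code from the slides: it runs a `strings`-style search for printable runs and a search for the JPEG start-of-image marker over a page-file buffer that is entirely constructed here (the session string, the report text and the JFIF header are sample data at arbitrary offsets).

```python
"""Scan a constructed page-file image for text and JPEG residue (added
example; the buffer below is constructed, not a real page file)."""

import re

# 128 non-ASCII bytes used as filler: no printable runs, no JPEG marker.
FILLER = bytes(range(0x80, 0x100))

SAMPLE_PAGEFILE = (
    FILLER * 2                                              # offsets 0-255
    + b"user=alice;session=3f9a\x00\x00"                    # text at 256
    + b"\x07\x13\x99"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(40)   # JPEG at 284
    + b"Quarterly report draft - CONFIDENTIAL"              # text at 336
    + FILLER
)

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker that opens every JPEG


def printable_strings(buf, min_len=8):
    """Runs of printable ASCII of at least min_len bytes, with offsets.
    Same idea as the `strings` tool; short runs like 'JFIF' are skipped."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, buf)]


def jpeg_fragments(buf):
    """Offsets of JPEG start markers. A fragment may be cut off before its
    end marker, which is exactly the partial-image case the slides mention."""
    return [m.start() for m in re.finditer(re.escape(JPEG_SOI), buf)]


def scan_pagefile(buf):
    """Summary of what a raw scan turns up; note there is no timestamp
    anywhere in the result, only offsets into the file."""
    return {"strings": printable_strings(buf), "jpeg_offsets": jpeg_fragments(buf)}


if __name__ == "__main__":
    for offset, text in printable_strings(SAMPLE_PAGEFILE):
        print(f"{offset:6d}: {text}")
    print("JPEG markers at:", jpeg_fragments(SAMPLE_PAGEFILE))
```

The same scan works on a hibernation file only if that file is uncompressed, so treat the page file as the straightforward case and check the format of any other memory-derived file before searching it this way.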
Hiberfil.sys
• Contains entire RAM contents
– Filled when a computer hibernates
Whole Disk Encryption
• Because of the Page file and the Hiberfil
– You can never be sure where your data is
• Whole Disk Encryption
– The only way to be sure all your data is protected
– Microsoft BitLocker
– Apple FileVault
– TrueCrypt (Open Source)
Q&A
http://fpt.edu.vn 05/20/24 23