91.580.203 Computer & Network Forensics Xinwen Fu Chapter 7 Working with Windows and DOS Systems.

Outline
• Understanding the boot sequence
• Understanding disk drives
• Understanding partitioning and formatting

Understanding the Boot Sequence
• Avoid data contamination or modification
• Make sure computer boots from a floppy disk
  • Delete key, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, F12

Understanding the Boot Sequence (Cont.)
Who provides this setup screen for you?

BIOS - Basic Input/Output System
• A piece of firmware ("software on a chip")
• Support for the following devices and features of your system
  • Select and configure hard drives, floppy drives, and CD-ROM drives
  • Configure main and cache memory
  • Support different CPU types, speeds, and special features
  • Support advanced operating systems, including networks, Windows 9x, and Windows 2000 (Plug and Play)
  • Many others

BIOS on the Motherboard
[Figure: BIOS on the motherboard; labels: BIOS, Battery]
Source: http://www.informit.com/articles/article.asp?p=130913&seqNum=4&rl=1

Two Components Supporting BIOS
• CMOS chip, also known as the RTC/NVRAM (Real-Time-Clock/Non-Volatile RAM)
  • Stores settings
  • Contains the system's Real-Time-Clock circuit
• Battery
  • Powers the CMOS to keep its settings

Outline
• Understanding the boot sequence
• Understanding disk drives
• Understanding partitioning and formatting

Floppy Disks
Yes, these still exist!
[Figure: 5.25-inch and 3.5-inch floppy disks]
• Originally single sided
• Then became double sided

Original floppies were single-sided
[Figure: Side View of Floppy in Disk Drive; labels: 0, Side 0, Single-sided Disk, Disk Drive]

FD Densities & Capacity
Disk Size (inches)   Density   Sectors/Track   Capacity
5.25                 Low       9               360K
5.25                 High      15              1200K
3.5                  Low       9               720K
3.5                  High      18              1,440K

Hard Disk Structure
• Hard disk drives are organized as a concentric stack of disks or ‘platters’
• Each platter has 2 surfaces
How does a hard disk work?
• The platters rotate on the spindle
• The heads move along the radius of the platters
• This allows the head to access all parts of the surfaces

Disassembling a Hard Drive

HD Elements
• 16 heads
• 8 platters

HD Head
• Each platter has a planar magnetic surface on which digital data may be stored
• Information is written to the disk by transmitting an electromagnetic flux through a read-write head (an antenna) that is very close to the magnetic material

HD Head Clearance

How Data is Organized on HD - Tracks
• The data is stored on concentric circles on the surfaces, known as tracks
• Numbering starts with 0 at the outermost cylinder

How Data is Organized on HD - Sectors/Blocks
• A sector is a continuous linear stream of magnetized bits occupying a curved section of a track
• Sectors are the smallest physical storage units on a disk; each sector stores 512 bytes of data
• Numbering physical sectors within a track starts with 1
[Figure labels: Sector 1, Track 0; Sector 2, Track 0]

How Data is Organized on HD - Cylinders
[Figure labels: Cylinder, Head Stack Assembly, Head 0 to Head 5, Track, Sector]
• Corresponding tracks on all platter surfaces make up a cylinder
• On a floppy diskette, the pair of tracks that lie over/under each other are called a cylinder

Cluster (Blocks)
• 1 or more contiguous sectors
• The smallest unit of storage that an OS can allocate for data
• The number of bytes in a cluster varies according to the size of the drive and the version of the OS
• 65,536 sector limit in DOS FAT16 (2^16)
• Using clusters allows for grouping multiple sectors
• Total number of sectors per cluster is always a power of 2

FAT16/FAT12 Number of Sectors/Cluster
• Low density 5.25 inch floppy diskette - 2 sectors
• High density 5.25 inch floppy diskette - 2 sectors
• Low density 3.5 inch floppy diskette - 2 sectors
• High density 3.5 inch floppy diskette - 1 sector
• Zero - 15MB logical hard drive partition - 8 sectors
• 16MB - 127MB logical hard drive partition - 4 sectors
• 128MB - 255MB logical hard drive partition - 8 sectors
• 256MB - 512MB logical hard drive partition - 16 sectors
• 512MB - 1024MB logical hard drive partition - 32 sectors
• 1024MB - 2048MB logical hard drive partition - 64 sectors
• 2048MB - 4095MB logical hard drive partition - 128 sectors

What is this disk?
Disk Size (inches)   Density   Sectors/Track   Capacity
5.25                 Low       9               360K
5.25                 High      15              1200K
3.5                  Low       9               720K
3.5                  High      18              1,440K
If you cannot see Properties, click View -> Properties

Hard Disk Addressing
• Older BIOSes in PCs used 24-bit addressing, which could only access up to 8.4 GB (2^24 * 512 bytes).
• Newer BIOSes can use 64 bits of addressing, which equals 9.4 Tera Gigabytes, or over a trillion times as large as an 8.4 GB drive.

C H S
• Each storage unit on a disk can be identified by a 3-coordinate system identifying the
  • Cylinder
  • Head/Side
  • Sector
• One method of calculating disk capacity is to multiply the number of cylinders, heads, and sectors (i.e. CHS) together, and then multiply by the block size of 512 bytes:
  • E.g. 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = approx. 6GB

Hard Disk Addressing (Cont.)
• Most Intel-based motherboards use an ATA (Advanced Technology Attachment) interface, which connects to the hard disk (an IDE disk)
• The BIOS will read the disk’s cylinders, heads, and sectors through this interface, and, depending on the size of the disk and the BIOS settings, will use the CHS sector size to determine the size of the disk and how it should be accessed.

Exception: LBA – Logical Block Addressing
• By industry agreement, large IDE disks (with more than 16,514,064 sectors) will return c=16383, h=16, s=63, for a total of 16,514,064 sectors (7.8GB) independent of their actual size, but give their actual size in LBA capacity
• As such, the BIOS must know to use the LBA capacity
  • The total number of accessible sectors
  • E.g. a disk with an LBA value of 156,301,488 has a capacity of 156,301,488 * 512 = 80GB

File Slack
• The area between the end of the file and the end of the last cluster allocated for that file

File Slack Illustration

NTFS Clusters and Cluster Sizes
Partition Size Range (GiB)   Default Number of Sectors Per Cluster   Default Cluster Size (kiB)
<= 0.5                       1                                       0.5
> 0.5 to 1.0                 2                                       1
> 1.0 to 2.0                 4                                       2
> 2.0 to 4.0                 8                                       4
> 4.0 to 8.0                 16                                      8
> 8.0 to 16.0                32                                      16
> 16.0 to 32.0               64                                      32
> 32.0                       128                                     64
Source: http://www.pcguide.com/ref/hdd/file/ntfs/archCluster-c.html
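
File slack as defined above, using the 4 kiB default cluster from the NTFS table, as an added Python example that is not part of the original slides. The flat volume layout, the function names and the sample contents are constructed for illustration, and the model assumes a write touches only the file's own bytes.

```python
import re


def slack_bytes(file_size, cluster_size):
    """Bytes between the end of the file and the end of its last cluster."""
    if file_size == 0:
        return 0  # assumption: an empty file has no cluster allocated
    return -file_size % cluster_size


def read_slack(volume, first_cluster, file_size, cluster_size):
    """Return the slack region of a contiguously stored file.

    volume is the raw data area with cluster 0 at offset 0, a simplification:
    real file systems place metadata before the data area.
    """
    start = first_cluster * cluster_size + file_size
    return volume[start:start + slack_bytes(file_size, cluster_size)]


def printable_runs(data, min_len=6):
    """ASCII strings of at least min_len characters found in data."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample_volume(cluster_size):
    """Constructed sample: an old file fills cluster 2, then a shorter
    file is written over the start of the same cluster."""
    volume = bytearray(4 * cluster_size)
    record = b"old-memo: budget draft v1".ljust(32, b"\0")
    volume[2 * cluster_size:3 * cluster_size] = record * (cluster_size // 32)
    new_file = b"name,value\n" + b"x,1\n" * 60  # 251 bytes
    volume[2 * cluster_size:2 * cluster_size + len(new_file)] = new_file
    return bytes(volume), len(new_file)


if __name__ == "__main__":
    vol, size = build_sample_volume(4096)
    slack = read_slack(vol, 2, size, 4096)
    print(len(slack), "slack bytes;", len(printable_runs(slack)), "old strings")
```

The 251-byte file occupies a full 4,096-byte cluster, and everything after byte 251 still holds the earlier file's data, which is why slack is examined separately from the file's logical contents.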

A Computer test.csv
Two questions:
1. What is the cluster size of the partition?
2. What is the partition size range?

Summary of Hard Disk
• Data on a HD are stored on tracks
• Corresponding tracks on all surfaces make up a cylinder
• Data is stored in sectors and usually read in blocks or clusters
• A storage unit can be identified by CHS
• LBA is used for drives in excess of 7.8 GB

Outline
• Understanding the boot sequence
• Understanding disk drives
• Understanding partitioning and formatting

Key things
• The function of the FDISK program
• Primary partition, extended partition, active partition, and logical drive
• How logical partitions can be hidden
• The necessity of understanding the suspect’s partitioning scheme

Initializing a Hard Drive
• The first thing to do is magnetically create a system of unique storage areas
[Figure caption: This represents all the available surface area on a hard drive that can be used for storage]

Low-level (Factory) Format
Step 1: Use a low-level format program to create a magnetic structure of sectors
[Figure label: One 512-byte sector]
• Low-level formatting is usually done at the factory.
• Low-level formatting establishes the communication, or hand-shaking, between the drive and its controller.

Results of Low-level Format
• The sectors are organized by tracks
[Figure label: All the sectors on one track]

Initializing a Hard Drive with FDisk
Step 2: FDISK writes partition information in the Master Boot Record at Cylinder-0, Head-0, Sector-1
Master Boot Record
1. Master Boot Code
2. Master Partition Table
[Figure labels: MBR, Reserved]
The remainder of that track is “Reserved”

Master Partition Table
• Maximum of 4 entries
• Valid entries contain essential information about the partition
  • Partition type/code
  • Active (yes or no)
  • Partition start and end information
• Unused entries are blank

Types of Entries in Master Partition Table
• Primary Partition(s) - up to 4 allowed
  • Contains one logical drive
  • Only one may be marked as “Active”
• Extended Partition (only 1 allowed)
  • Contains one or more logical drives
  • Each logical drive is defined by its own partition table, which may contain a second entry pointing to the next logical drive within that extended partition (at most two entries)
• Partition ≠ logical drive
• Total number of entries may not exceed four!

Partition Type Codes
• File systems are assigned characteristic type codes that are listed in partition table entries
• DOS/Windows operating systems recognize specific type codes, and assign a drive letter to those supported
• DOS/Windows systems will not assign a drive letter to partition types not supported

Common Partition Type Codes

Single Primary Partition
[Figure labels: MBR, Reserved]

Single Primary Partition (Cont.)
Hard drive with one active primary partition (single logical drive)
[Figure labels: Hub, Logical Drive]

Single Primary Partition (Cont.)
Master Partition Table - DiskEdit View
“Yes” indicates “Active”

One Primary with Extended Partition
[Figure labels: MBR, Reserved, Partition Table, Primary Partition, Extended Partition]

Partition Tables
• Each partition table points to the next
[Figure labels: MBR, Reserved, Partition Table]

One Primary & One Extended
Master Partition Table – DiskEdit View
[Figure label: Primary Partition Entry]

One Primary & One Extended
Extended Partition Table – DiskEdit View
• The Extended Partition entry points to Cyl 80, Side/Head 0, Sector 1. This is the location of the partition table that defines the next logical drive.
[Figure label: Extended Partition Entry]

Partitions and More Than One Logical Drive
• An extended partition may contain more than one logical partition
Primary, Extended and Logical Partitions
[Figure: Graphical depiction of the partitioning; labels: Primary Partition, Extended Partition with Three Logical Drives, c: d: e: f:]

Why Care about Partitioning?
• Important Point: When examining a suspect’s hard drive, why is it necessary to know how it's partitioned?

Partitioning
Reasons to examine the partition tables:
• To make sure all space on the drive is accounted for
• To look for multiple operating systems
• To look for hidden partitions

Hidden Partitions
• DOS/Windows partitions can be “hidden” by changing the partition-type code
[Figure: View of a hidden partition using the PART utility]

Hidden Partitions
This partition disappears!
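
One way to carry out the partition-table checks listed above (account for all space, follow the chain of extended partition tables, spot hidden type codes), as an added Python example that is not part of the original slides. The 16-byte entry layout and the hidden type codes (visible code + 0x10) are standard MBR conventions that the slides do not spell out; the function names and the 5040-sector image are constructed for illustration.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F}
# Conventional hidden variants of DOS/Windows type codes (visible code + 0x10).
HIDDEN = {0x11: 0x01, 0x14: 0x04, 0x16: 0x06, 0x17: 0x07,
          0x1B: 0x0B, 0x1C: 0x0C, 0x1E: 0x0E}
ENTRY = struct.Struct("<B3sB3sII")  # flag, CHS start, type, CHS end, LBA, count

def decode_chs(b):
    """Unpack a 3-byte CHS field into (cylinder, head, sector)."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F

def parse_table(sector):
    """Non-blank entries of the four-slot partition table at offset 446."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature")
    entries = []
    for off in range(446, 510, 16):
        flag, chs_s, ptype, _chs_e, lba, count = ENTRY.unpack_from(sector, off)
        if ptype:  # type 0x00 marks an unused (blank) entry
            entries.append({"active": flag == 0x80, "type": ptype, "lba": lba,
                            "sectors": count, "chs_start": decode_chs(chs_s)})
    return entries

def walk_extended(image, base):
    """Follow the chain of partition tables inside an extended partition."""
    drives, table_lba, seen = [], base, set()
    while table_lba is not None and table_lba not in seen:
        seen.add(table_lba)  # stop if a damaged or crafted chain loops back
        nxt = None
        for e in parse_table(image[table_lba * SECTOR:(table_lba + 1) * SECTOR]):
            if e["type"] in EXTENDED:
                nxt = base + e["lba"]  # link: relative to the extended start
            else:  # logical drive: relative to the table that defines it
                drives.append({**e, "lba": table_lba + e["lba"], "kind": "logical"})
        table_lba = nxt
    return drives

def list_volumes(image):
    """Primary partitions and logical drives, sorted by absolute start sector."""
    vols = []
    for e in parse_table(image[:SECTOR]):
        ext = e["type"] in EXTENDED
        vols += walk_extended(image, e["lba"]) if ext else [{**e, "kind": "primary"}]
    return sorted(vols, key=lambda v: v["lba"])

def unaccounted(image, reserved=63):
    """Sector ranges no master-table entry covers (first track excluded)."""
    gaps, cursor, total = [], reserved, len(image) // SECTOR
    for e in sorted(parse_table(image[:SECTOR]), key=lambda e: e["lba"]):
        if e["lba"] > cursor:
            gaps.append((cursor, e["lba"] - 1))
        cursor = max(cursor, e["lba"] + e["sectors"])
    return gaps + ([(cursor, total - 1)] if cursor < total else [])

def hidden_volumes(image):
    """(start sector, type code, code it masks) for each hidden-type volume."""
    return [(v["lba"], v["type"], HIDDEN[v["type"]])
            for v in list_volumes(image) if v["type"] in HIDDEN]

def put_table(img, at, *entries):
    """Write a table sector at sector `at`; entries: (flag, type, chs, lba, count)."""
    body = b"".join(ENTRY.pack(f, c, t, b"\0\0\0", s, n) for f, t, c, s, n in entries)
    img[at * SECTOR:(at + 1) * SECTOR] = bytes(446) + body.ljust(64, b"\0") + b"\x55\xaa"

def build_sample():
    """Constructed 5040-sector image; CHS fields assume 16 heads, 63 sectors/track."""
    img, z = bytearray(5040 * SECTOR), b"\0\0\0"
    put_table(img, 0, (0x80, 0x06, b"\1\1\0", 63, 945), (0, 0x05, b"\0\1\2", 2016, 2016))
    put_table(img, 2016, (0, 0x16, z, 63, 945), (0, 0x05, z, 1008, 1008))
    put_table(img, 3024, (0, 0x0B, z, 63, 945))
    return bytes(img)
```

On the constructed image, `unaccounted` reports the empty cylinder between the primary and extended partitions plus the unpartitioned tail, and `hidden_volumes` flags the first logical drive, whose type 0x16 is the hidden form of 0x06.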

Partition Table Doctor
Link: http://www.ptdd.com/
• The only limitation is that the DEMO version cannot write to disk.
• Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
• Displays complete physical and logical drive information.
• Fix the Boot Sector of FAT and NTFS partitions.
• Preview boot files and boot directories of each partition before recovery.
• Backup MBR (Master Boot Record), Partition Table, Boot Sectors.
• Restore MBR, Partition Table and Boot Sectors from a backup file if they are damaged.
• Support IDE / ATA / SATA / SCSI drives.

Main Window

Partition -> Edit Properties