Media and storage Session 17
Recapping • We have covered both Microsoft and Unix file systems
Today • Introduction to ACW2 • Covering each ACW • ACW2 session (Needed to complete ACW) • expected deliveries • Dates both parts in and out
• Partitioning
Learning Outcomes • Be able to show and demonstrate knowledge of the difference between • Physical drive • Primary partition • Logical partition
ACW2 INFORMATION
Dates and times • Part1 out Week 17 Friday • Part2 out Week 18 Friday • Part3 out Week 20 Friday • Final Hand in Week 24
• Part1 in Week 19 • Part2 in Week 21
• All submission times will be Friday 16:00 on the weeks indicated above
ACW2 part1 • Crime scene • Write a brief report in order to prepare for a knock on the suspect's address • The report should address the following areas • ACPO Guidelines • What equipment you might need • Procedures to carry out • 1500 words
ACW2 part2 • Inspection and imaging • Scene recording • Working with a system removal and recording parts • Hopefully looking at the crime scene (still trying to get authorization for the video use) • Imaging a device • 1500 words
ACW2 part3 • Forensic examination of a forensic image • Examining a forensically sound image • Reporting your findings • 2000 words
Final hand-in • All three parts • Critical commentary • Copy of all notes • Appendix
PARTITIONS
Physical drive • In the current IBM PC architecture • there is a partition table in the drive's Master Boot Record • The MBR lists information about the partitions on the hard drive. • This partition table is then further split into 4 partition table entries • Due to this it is only possible to have four partitions.
Primary partition • These 4 partitions are typically known as primary partitions. • To overcome this restriction, system developers decided to add a new type of partition called the extended partition. • By replacing one of the four primary partitions with an extended partition, you can then make an additional 24 logical partitions within the extended one.
Primary/Logical partition • Partition Table • Primary Partition #1 • Primary Partition #2 • Primary Partition #3 • Primary Partition #4 (Extended Partition) • Logical Partition #1 • Logical Partition #2
• As you can see, this partition table is broken up into 4 primary partitions. • The fourth partition, though, has been flagged as an extended partition. • This allows us to make more logical partitions under that extended partition, thereby bypassing the 4 partition limit.
• Each hard drive also has one of its possible 4 partitions flagged as an active partition. • The active partition is a special flag assigned to only one partition on a hard drive that the Master Boot Record (MBR) uses to boot your computer into an operating system. • As only one partition may be set as the active partition, you may be wondering how people can have multiple operating systems installed on different partitions, and yet still be able to use them all.
• This is accomplished by installing a boot loader in the active partition. • When the computer starts, it will read the MBR and determine the partition that is flagged as active. • This partition is the one that contains the boot loader. • When the operating system boots off of this partition the boot loader will start and allow you to choose which operating systems you would like to boot from.
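The layout described on the slides above, as an added example that is not part of the original slides: a read-only Python parser that decodes the four MBR partition table entries, reports the active flag, and follows an extended partition to its logical partitions. It goes beyond the slides in using the standard on-disk offsets (table at byte 446, 0x55AA signature at byte 510, chained extended boot records); the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR, EXTENDED = 512, {0x05, 0x0F}   # 0x05/0x0F mark an extended partition
ENTRY = struct.Struct("<B3xB3xII")     # status, CHS, type, CHS, start LBA, sector count

def entries(sector):
    """Decode the four 16-byte partition table entries of an MBR or EBR sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    rows = (ENTRY.unpack_from(sector, 446 + 16 * i) for i in range(4))
    return [{"active": st == 0x80, "type": ty, "lba": lba, "sectors": n}
            for st, ty, lba, n in rows]

def walk_ebr(image, ext_start):
    """Follow the chain of extended boot records and return the logical partitions."""
    logical, ebr, seen = [], ext_start, set()
    while ebr not in seen:                       # guard against a looping chain
        seen.add(ebr)
        first, link = entries(image[ebr * SECTOR:(ebr + 1) * SECTOR])[:2]
        if first["type"]:                        # start LBA is relative to this EBR
            logical.append({**first, "lba": ebr + first["lba"], "kind": "logical"})
        if link["type"] not in EXTENDED:         # no further EBR in the chain
            break
        ebr = ext_start + link["lba"]            # link is relative to the extended start
    return logical

def list_partitions(image):
    """List primary, extended and logical partitions with absolute start LBAs."""
    found = []
    for e in entries(image[:SECTOR]):
        kind = "extended" if e["type"] in EXTENDED else "primary"
        if e["type"]:                            # type 0 is an unused slot
            found.append({**e, "kind": kind})
        if kind == "extended":
            found += walk_ebr(image, e["lba"])
    return found

def make_sector(parts):      # constructed sector from (status, type, lba, sectors) tuples
    s = bytearray(SECTOR)
    for i, p in enumerate(parts):
        ENTRY.pack_into(s, 446 + 16 * i, *p)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def sample_image():          # constructed image: 2 primaries, 1 extended with 2 logicals
    img = bytearray(48 * SECTOR)
    img[0:512] = make_sector([(0x80, 0x07, 1, 10), (0, 0x83, 11, 10), (0, 0x05, 32, 16)])
    img[32 * 512:33 * 512] = make_sector([(0, 0x83, 1, 7), (0, 0x05, 8, 8)])
    img[40 * 512:41 * 512] = make_sector([(0, 0x82, 1, 7)])
    return bytes(img)
```

Calling `list_partitions(sample_image())` returns five entries: two primaries (the first flagged active), the extended partition, and the two logical partitions it contains. The parser only reads the bytes it is given, so it can be run against a copy of an image without altering it.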
Recovery • GPart, partition recovery tool • Can be used to retrieve damaged or altered partitions • This will change the disc/image