Drive Geometry, File Systems, and How Criminals Hide Data
Drive geometry and file systems are important concepts in computing, as they determine how data is stored and accessed on a storage device, such as a hard drive or flash drive. Understanding these concepts can be useful not only for managing data effectively, but also for detecting and preventing criminal activity.
Drive geometry refers to the physical layout of a storage device, including the number of platters, the number of heads, and the number of sectors per track. These physical characteristics determine the capacity and performance of the device.
File systems are the logical structures that are used to organize and manage the data on a storage device. They specify how data is stored, named, and accessed on the device. Common file systems include NTFS (used by Windows), HFS+ (used by macOS), and ext4 (used by Linux).
Criminals may use drive geometry and file systems to hide data in order to avoid detection. One way they may do this is by using a technique called "disk slicing," which involves dividing a storage device into multiple virtual partitions, each with its own file system. This makes it difficult to determine the size and contents of the device, as the data is spread across multiple partitions.
Another technique that criminals may use is "file system tunneling," which involves creating a hidden file system within a standard file system. This can be done using tools that create a "virtual" file system within a file, allowing the criminal to store data within the file without altering the file's size or appearance.
Criminals may also use encryption to conceal data on a storage device. Encryption involves encoding data using a secret key or password, making it unreadable without the key. This can be an effective way to hide data, as it requires specialized tools and knowledge to decrypt the data. However, encryption can also be a double-edged sword, as it can be used by law enforcement and cybersecurity professionals to track and identify criminal activity.
In order to detect and prevent criminal activity involving hidden data, it is important to understand drive geometry and file systems, as well as the tools and techniques that criminals may use to conceal data. This can involve analyzing the physical characteristics of storage devices, examining the file systems and partition structures, and using forensic tools to identify hidden or encrypted data.
Now let’s take a deeper look at each concept.
Hard Disk Drives (HDD)
A Hard Disk Drive (HDD), also known simply as a Hard Drive, is a type of data storage device that uses spinning disks, or platters, to store and retrieve data. The disks are coated with a magnetic material, and data is stored on the disk in the form of tiny magnetic particles.
At the center of the HDD is a spindle that holds the disks in place and spins them at high speeds, typically ranging from 5,400 to 15,000 revolutions per minute (RPM). The disks are divided into concentric circles, or tracks, and each track is further divided into sectors.
A read/write head is mounted on an arm that extends from a movable actuator. The head is positioned over a specific track on the disk by the actuator, and is used to read data from or write data to the disk. When the head is over a track, it can detect the magnetic field of the individual particles on the disk, and use this information to interpret the data stored there.
To read or write data, the HDD first locates the desired track using the actuator, and then waits for the track to rotate underneath the head. Once the track is in position, the head reads or writes the data to the appropriate sector on the track.
HDDs are typically accessed via a computer's motherboard, which sends commands to the HDD to read or write data. The data is transferred between the HDD and the computer via an interface, such as SATA or PATA, which connects the HDD to the motherboard.
Cylinder-Head-Sector (CHS) Addressing
Cylinder-Head-Sector (CHS) addressing is a method of addressing individual sectors on a hard disk drive (HDD) or other mass storage device. It is based on the physical layout of the disks in the HDD, and is used to map logical block addresses (LBAs) to the physical location of the data on the device.
In CHS addressing, each sector on the HDD is identified by its cylinder, head, and sector number. The cylinder number represents the number of the disk platter on which the sector is located, the head number represents the read/write head that is used to access the sector, and the sector number represents the specific sector on the track.
For example, if a sector is identified as cylinder 2, head 3, sector 4, this means that it is located on the second disk platter, is accessed by the third read/write head, and is the fourth sector on the track.
CHS addressing was commonly used in older HDDs and other mass storage devices, but it has largely been replaced by Logical Block Addressing (LBA) in modern devices. LBA addressing allows the operating system and software to access data on the HDD without having to know the physical location of the data, whereas CHS addressing requires the operating system and software to be aware of the physical layout of the disks in the HDD.
Logical Block Addressing (LBA)
Logical Block Addressing (LBA) is a method of addressing individual sectors on a hard disk drive (HDD) or other mass storage device. It is used to map logical block addresses (LBAs), which are used by the operating system and application software, to the physical location of the data on the device.
In LBA addressing, each sector on the HDD is assigned a unique LBA. The LBAs are numbered consecutively, starting from zero, and are used by the operating system and software to access specific sectors on the HDD.
For example, if a file is stored on sector 100 of the HDD, the operating system or software can use the LBA 100 to access the data. The LBA is translated by the device's firmware or operating system into the physical location of the data on the HDD, which might be on a specific track and sector of a spinning disk.
LBA addressing allows the operating system and software to access data on the HDD without having to know the physical location of the data. This makes it easier to manage and access data on the HDD, as the operating system and software can simply use the LBAs to access the data, rather than having to know the specific track and sector on the disk where the data is stored.
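The CHS and LBA sections above describe two ways of naming the same sector; this added example (not code from the original page) carries the mapping through in both directions with the standard formula LBA = (C × heads + H) × sectors_per_track + (S − 1). The 16-head, 63-sector example geometry is an assumption chosen for the worked numbers, and the 1024 × 255 × 63 figure is the classic BIOS ceiling behind the roughly 8 GB CHS limit.

```python
from dataclasses import dataclass

SECTOR_BYTES = 512


@dataclass(frozen=True)
class Geometry:
    """Drive geometry as seen by CHS addressing: cylinders, heads per cylinder, sectors per track."""
    cylinders: int
    heads: int
    sectors_per_track: int

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self) -> int:
        return self.total_sectors() * SECTOR_BYTES


# Largest geometry classic BIOS CHS calls could express; the origin of the ~8 GB CHS limit.
BIOS_MAX = Geometry(cylinders=1024, heads=255, sectors_per_track=63)

# Constructed geometry for the worked numbers below (an assumption, not a value from the page).
EXAMPLE = Geometry(cylinders=1024, heads=16, sectors_per_track=63)


def chs_to_lba(cylinder: int, head: int, sector: int, geo: Geometry = EXAMPLE) -> int:
    """Map a CHS triple to its LBA. Cylinders and heads count from 0; sectors count from 1."""
    if not 0 <= cylinder < geo.cylinders:
        raise ValueError(f"cylinder {cylinder} outside 0..{geo.cylinders - 1}")
    if not 0 <= head < geo.heads:
        raise ValueError(f"head {head} outside 0..{geo.heads - 1}")
    if not 1 <= sector <= geo.sectors_per_track:
        raise ValueError(f"sector {sector} outside 1..{geo.sectors_per_track}")
    return (cylinder * geo.heads + head) * geo.sectors_per_track + (sector - 1)


def lba_to_chs(lba: int, geo: Geometry = EXAMPLE) -> tuple[int, int, int]:
    """Inverse mapping; rejects LBAs the geometry cannot express (the CHS limit in practice)."""
    if not 0 <= lba < geo.total_sectors():
        raise ValueError(f"LBA {lba} is not addressable with {geo}")
    sectors_per_cylinder = geo.heads * geo.sectors_per_track
    cylinder, remainder = divmod(lba, sectors_per_cylinder)
    head, sector_index = divmod(remainder, geo.sectors_per_track)
    return cylinder, head, sector_index + 1


def lba_to_byte_offset(lba: int) -> int:
    """Byte offset of a sector in a raw disk image, which is where a forensic tool actually seeks."""
    return lba * SECTOR_BYTES


if __name__ == "__main__":
    print("CHS (2,3,4) ->", chs_to_lba(2, 3, 4))
    print("LBA 2208    ->", lba_to_chs(2208))
    print("LBA 100     ->", lba_to_chs(100), "at byte offset", lba_to_byte_offset(100))
    print("BIOS CHS ceiling:", BIOS_MAX.capacity_bytes(), "bytes")
```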
Solid State Drives (SSD)
A Solid State Drive (SSD) is a type of data storage device that uses flash memory to store data. Unlike a hard disk drive (HDD), which uses spinning disks to store data, an SSD has no moving parts and stores data on interconnected flash memory chips.
An SSD is made up of one or more flash memory chips, a controller chip, and a connection to the computer, such as SATA or PCI Express. The controller chip manages the flow of data to and from the flash memory chips, and also performs tasks such as error correction and wear leveling (a technique used to extend the lifespan of the SSD by evenly distributing write operations across the memory cells).
When data is written to an SSD, the controller chip divides the data into blocks and stores it in the available memory cells. When data is read from the SSD, the controller retrieves the data from the memory cells and sends it to the computer.
One of the key benefits of an SSD is its speed. Because it has no moving parts, an SSD can access data much faster than an HDD, which has to physically locate the data on a spinning disk. SSDs are also generally more durable and reliable than HDDs, as they are not susceptible to mechanical failure or damage from physical shocks.
Wear Leveling
Wear leveling is a technique used in flash memory to ensure that no memory cell is worn out before the others, as this can significantly reduce the lifespan of the device. Flash memory has a limited number of write cycles, so if the same memory cell is written to repeatedly, it will eventually wear out and become unreliable. Wear leveling helps to distribute the write operations evenly across all the memory cells, so that no single cell is subjected to a disproportionate number of write cycles.
There are several ways that wear leveling can be implemented in flash memory. One common method is to use a wear leveling algorithm that tracks the number of write operations to each memory cell, and then redistributes the data to other cells when a cell reaches a certain threshold. This can be done by moving the data to a less-used cell, or by writing the data to a new, empty cell and then updating the mapping table to reflect the new location of the data.
Another method is to use a technique called overprovisioning, which involves reserving a portion of the flash memory for wear leveling purposes. This reserved memory can be used to store data that needs to be written to a memory cell that has already reached its maximum number of write cycles.
Hybrid Drives (SSHD)
A hybrid drive, also known as a solid state hybrid drive (SSHD), is a type of data storage device that combines the features of a hard disk drive (HDD) and a solid state drive (SSD). It combines the high capacity and low cost of an HDD with the fast access speeds of an SSD.
Hybrid drives work by using a small amount of flash memory, similar to an SSD, as a cache for frequently accessed data. When the computer needs to access data that is stored on the HDD, it first checks the cache to see if the data is there. If it is, the data is retrieved from the cache, which is much faster than accessing the data on the slower HDD. If the data is not in the cache, it is retrieved from the HDD and stored in the cache for future access.
This hybrid approach allows the drive to take advantage of the fast access speeds of an SSD for frequently accessed data, while still being able to store large amounts of data at a lower cost than a pure SSD.
Quantum Computing
Quantum computing is a type of computing that uses quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. Quantum computers use quantum bits, or qubits, to store and process information, which allows them to perform certain types of calculations much faster than classical computers.
In a classical computer, a hard disk drive (HDD) is a type of data storage device that uses spinning disks to store and retrieve data. In a quantum computer, there is no equivalent to an HDD, as quantum computers do not use physical disks to store data.
Instead, quantum computers use quantum bits, or qubits, to store and process information. Qubits can exist in a superposition of 0 and 1 simultaneously, which allows quantum computers to perform certain types of calculations much faster than classical computers.
Quantum computers also use quantum gates and quantum circuits to manipulate and process the qubits. These gates and circuits are the equivalent of transistors and logic gates in a classical computer, and are used to perform operations on the qubits. In a classical computer, information is stored in bits, which can have a value of 0 or 1. In a quantum computer, information is stored in qubits, which can exist in a superposition of 0 and 1 simultaneously. This allows a quantum computer to perform multiple calculations at the same time, a process known as parallelism.
Quantum computers also use a phenomenon called entanglement, in which two or more qubits become correlated and can influence each other's state, even when separated by large distances. This allows quantum computers to perform certain types of calculations much faster than classical computers, by taking advantage of the properties of quantum mechanics.
Quantum computing has the potential to solve certain types of problems much faster than classical computers, such as certain optimization problems and certain types of machine learning tasks. However, quantum computers are still in the early stages of development, and many challenges remain in building and programming them.
File Systems
A file system is a set of rules and data structures that are used to store, organize, and manage files on a computer or other storage device. It determines how the files are stored on the disk, how they are organized, and how they can be accessed.
There are several different types of file systems, each with its own set of rules and data structures, and each with its own strengths and weaknesses. Some common file systems include:
· NTFS (New Technology File System) is a file system used by Windows operating systems. It is a journaling file system, which means it keeps track of changes to the file system in a log, allowing it to recover from errors or corruption. NTFS supports large files and volumes, and is generally considered to be more reliable and secure than other file systems. However, it is not compatible with some older operating systems or devices.
· exFAT (Extended File Allocation Table) is a file system used by Windows and some other operating systems. It is similar to FAT32, but supports larger files and volumes. exFAT is known for its compatibility with a wide range of operating systems and devices, and is often used to transfer large files between different systems. However, it is not as reliable or secure as other file systems, and does not support features such as file compression or encryption.
· HFS+ (Hierarchical File System Plus) is a file system used by macOS and some other operating systems. It is a journaling file system, which means it keeps track of changes to the file system in a log, allowing it to recover from errors or corruption. HFS+ supports large files and volumes, and is generally considered to be reliable and secure. However, it is not compatible with some older operating systems or devices, and does not support features such as file compression or encryption.
Master File Table (MFT)
The Master File Table (MFT) is a database that is used by the NTFS (New Technology File System) to store information about the files and directories on a hard disk drive (HDD). It is used to track the location of each file and directory on the HDD, as well as other information about the file or directory, such as its size, date and time of creation, and permissions.
The MFT is divided into a series of records, each of which represents a file or directory on the HDD. Each record contains information about the file or directory, such as its name, size, and location on the HDD.
When a file or directory is created, modified, or deleted on the HDD, the MFT is updated to reflect the changes. This allows the file system to keep track of the location and status of each file and directory on the HDD.
HFS+ Catalog File
On a Mac computer, the equivalent of the Master File Table (MFT) is the HFS+ (Hierarchical File System Plus) catalog file. Like the MFT, the HFS+ catalog file is a database that is used to store information about the files and directories on the hard disk drive (HDD). It is used to track the location of each file and directory on the HDD, as well as other information about the file or directory, such as its size, date and time of creation, and permissions.
When a file or directory is created, modified, or deleted on the HDD, the HFS+ catalog file is updated to reflect the changes. This allows the file system to keep track of the location and status of each file and directory on the HDD.
The Windows Registry
The registry is a database used by the Windows operating system to store configuration information about the system and installed programs. It is used to store information such as system settings, hardware and software configuration, and user preferences.
On a computer using the NTFS (New Technology File System), the registry is stored as a set of files on the hard disk drive (HDD). The main registry file is called "ntuser.dat" and is located in the user's profile folder. There are also several other registry files that store specific types of information, such as "system.dat" for system settings and "software.dat" for software configuration.
The registry is organized into a hierarchical structure, with keys and values at different levels of the hierarchy. Keys are similar to folders in the file system, and contain values, which are similar to files. Each value stores a specific piece of information, such as a setting or preference.
The registry is used by the operating system and installed programs to access and modify configuration information. When you make changes to the system or install new programs, the registry is updated to reflect the changes.
How Criminals Hide Data on a Computer
There are several ways that criminals can hide files on a computer in order to conceal their activities or avoid detection. Some of these methods include:
· Hiding files in plain sight: Criminals can hide files within legitimate directories or folders on the computer, such as within the "Documents" or "Downloads" folder. These files may be disguised as other types of files, such as image or audio files, or may be given misleading names to avoid detection.
· Using hidden file attributes: Some file systems allow users to mark files as hidden, which means they are not shown by default when browsing the file system. Criminals can use this feature to hide files on the computer.
· Encrypting files: Criminals can use encryption to protect the contents of a file, making it unreadable without the proper decryption key. This can make it difficult for law enforcement or other investigators to access the contents of the file.
· Partitioning: Criminals also hide partitions using the Windows disk partitioning utility, diskpart. Its remove letter command unassigns the partition’s drive letter, which hides the partition from view in File Explorer. Investigators must examine any disk space that is unaccounted for by the visible partitions to determine whether this has been done. Though not common now, other examples include using FAT file systems to place sensitive or incriminating evidence in the free or slack space of a partition’s clusters.
· File System Tunneling: File system tunneling is a technique used to create a hidden file system within a standard file system. It involves creating a "virtual" file system within a file, allowing the user to store data within the file without altering the file's size or appearance.
· Using Steganography: Steganography is the practice of hiding data within other data, such as by embedding a message within an image file. Criminals can use steganography to hide files on the computer, making them difficult to detect.
Encryption
Encryption is a process of converting data into a form that is unreadable to anyone who does not have the proper decryption key. It is often used to protect sensitive data, such as personal information or financial records, from unauthorized access.
On a hard disk drive (HDD), encryption can be used to protect the data stored on the HDD from being accessed by anyone who does not have the decryption key. This can be useful, for example, if the HDD contains sensitive information that should not be accessed by unauthorized users.
There are several different types of encryption that can be used on an HDD, each with its own strengths and weaknesses. Some common types of encryption include:
· Symmetric encryption: This type of encryption uses the same key for both encryption and decryption. It is relatively fast, but requires that the key be kept secret in order to maintain the security of the data.
· Asymmetric encryption: This type of encryption uses a pair of keys, a public key and a private key, to encrypt and decrypt data. The public key is used to encrypt the data, and the private key is used to decrypt it. Asymmetric encryption is generally more secure than symmetric encryption, but it is also slower.
· Encryption algorithms: There are many different algorithms that can be used to encrypt data, each with its own strengths and weaknesses. Some common algorithms include AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman), and Blowfish.
Partitioning
Partitioning is the process of dividing a hard disk drive (HDD) into separate logical storage units, called partitions. Partitions allow you to organize your data and allocate specific amounts of space for different purposes, such as installing multiple operating systems or separating personal and work files.
When you partition an HDD, you create one or more partitions on the disk, and then format each partition with a file system, such as NTFS or exFAT. Each partition is treated as a separate drive by the operating system, and can be assigned a drive letter, such as C: or D:.
There are several reasons why you might want to partition an HDD:
· To install multiple operating systems: You can create separate partitions for different operating systems, allowing you to boot into different operating systems on the same computer.
· To separate personal and work files: You can create separate partitions for your personal and work files, which can help you keep your files organized and prevent accidental deletion of important files.
· To allocate specific amounts of space for different purposes: You can create partitions of different sizes and assign them to different purposes, such as storing personal files, storing work files, or installing programs.
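The "Partitioning" item in the hiding-methods list says investigators must account for all disk space; this added example (not tooling from the original page) shows the check an examiner would run on an MBR disk: parse the partition table, report sector ranges no entry claims, flag entries whose type id is a documented "hidden" FAT/NTFS variant, and flag overlapping entries. The 512-byte MBR is constructed inline with two partitions on a 409600-sector disk; it is not a real image.

```python
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 446                 # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type ids that the usual type tables document as "hidden" FAT/NTFS variants.
HIDDEN_TYPE_IDS = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

SAMPLE_DISK_SECTORS = 409600       # size of the constructed disk, in sectors


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR (not a real image): an NTFS partition at LBA 2048 and a
    partition typed 0x17 (hidden NTFS) at LBA 204800, each 100000 sectors long."""
    mbr = bytearray(SECTOR_BYTES)
    entries = [(0x80, 0x07, 2048, 100000), (0x00, 0x17, 204800, 100000)]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        # CHS fields carry the 0xFE 0xFF 0xFF "use LBA" marker that modern tools write.
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff",
                                        ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({"entry": i, "type": ptype, "start": start, "count": count,
                      "bootable": status == 0x80, "hidden_type": ptype in HIDDEN_TYPE_IDS})
    return parts


def unaccounted_ranges(parts: list[dict], disk_sectors: int) -> list[tuple[int, int]]:
    """(start, length) sector ranges that belong to no partition entry, in disk order."""
    gaps = []
    cursor = 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def overlapping_entries(parts: list[dict]) -> list[tuple[int, int]]:
    """Pairs of entry indexes whose sector ranges overlap; a hand-edited table often shows this."""
    hits = []
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["start"] + a["count"]:
            hits.append((a["entry"], b["entry"]))
    return hits


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        flag = "  <-- hidden-type id" if p["hidden_type"] else ""
        print(f"entry {p['entry']}: type 0x{p['type']:02x} start {p['start']} sectors {p['count']}{flag}")
    for start, length in unaccounted_ranges(parts, SAMPLE_DISK_SECTORS):
        print(f"unaccounted: LBA {start}..{start + length - 1} ({length * SECTOR_BYTES} bytes)")
    print("overlaps:", overlapping_entries(parts))
```

The first gap (LBA 0 to 2047) is the normal alignment space before the first partition; the other two are what an examiner would image and carve.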
File System Tunneling
File system tunneling is a technique used to create a hidden file system within a standard file system. It involves creating a "virtual" file system within a file, allowing the user to store data within the file without altering the file's size or appearance.
To create a file system tunnel, the user must first create a file that will act as the container for the hidden file system. This file is typically given a standard file extension, such as .txt or .doc, to make it appear as a normal document. However, the file is actually a special type of file called a "sparse file," which is a file that contains blocks of zeros that are not actually stored on the storage device.
The user can then use a tool to create a file system within the sparse file. This file system can have its own structure and organization, just like a standard file system on a storage device. The user can then store data within the file system by creating files and directories within the sparse file.
File system tunneling can be used for a variety of purposes, including the secure storage of sensitive data, the protection of intellectual property, and the detection of unauthorized use of copyrighted material. However, it can also be used for nefarious purposes, such as the concealment of illegal or malicious content.
One of the advantages of file system tunneling is that it can be difficult to detect, as the hidden file system appears as a normal file within the standard file system. To uncover a file system tunnel, forensic tools and specialized knowledge may be required to analyze the contents of the file and identify the presence of a hidden file system.
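A triage check for the sparse-file containers described in this section, written here as an added example (not the page's tooling): it compares each file's apparent size with the space the file system actually allocated, which is exactly the property a tunnel container relies on. The 1 MiB minimum size and 50% allocation ratio are assumed thresholds; sparse files also occur legitimately (VM images, database files), so hits are leads for further examination, not proof.

```python
import os
import tempfile
from pathlib import Path

BLOCK_UNIT = 512   # POSIX reports st_blocks in 512-byte units, whatever the file system block size


def allocated_bytes(st: os.stat_result) -> int:
    return st.st_blocks * BLOCK_UNIT


def looks_like_sparse_container(size: int, blocks: int,
                                min_size: int = 1 << 20, max_ratio: float = 0.5) -> bool:
    """True when a file claims at least min_size bytes but has well under that allocated.
    Thresholds are assumptions chosen for triage, not values from the page."""
    if size < min_size:
        return False
    return (blocks * BLOCK_UNIT) / size < max_ratio


def scan(root) -> list[tuple[str, int, int]]:
    """Walk root and return (path, apparent size, allocated bytes) for candidate containers."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        st = path.stat()
        if looks_like_sparse_container(st.st_size, st.st_blocks):
            hits.append((str(path), st.st_size, allocated_bytes(st)))
    return hits


if __name__ == "__main__":
    # Demonstration in a throwaway directory: a 256 MiB "document" that occupies almost no disk,
    # beside a 2 MiB file that is fully written and therefore not reported.
    with tempfile.TemporaryDirectory() as tmp:
        container = Path(tmp) / "notes.txt"
        container.touch()
        os.truncate(container, 256 * 1024 * 1024)     # extends the file without writing data
        (Path(tmp) / "real.txt").write_bytes(b"x" * (2 * 1024 * 1024))
        for path, size, alloc in scan(tmp):
            print(f"{path}: {size} bytes apparent, {alloc} bytes allocated")
```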
Steganography
Steganography is the practice of concealing a message, image, or file within another message, image, or file. The goal of steganography is to hide the existence of the message or to make it appear as something else, such as a harmless image or a normal-sounding audio file.
There are several ways to achieve this, but one common method is to use a carrier file, such as a picture or audio file, and alter the bits of data within the carrier file to encode the message. The changes made to the carrier file may be subtle and difficult to detect, especially if the carrier file is large or the message is encoded using sophisticated techniques.
For example, an image file is made up of pixels, each of which is represented by a certain number of bits. The color and intensity of each pixel is determined by these bits. By altering the values of these bits in a subtle way, it is possible to encode a message within the image without significantly altering the appearance of the image.
Another method of steganography involves embedding a message within the whitespace or unused areas of a document, such as the margins of a page or the extra space within an image file. This technique is known as "subliminal messaging."
Steganography has a variety of uses, including the secure communication of sensitive information, the protection of intellectual property, and the detection of unauthorized use of copyrighted material. However, it can also be used for nefarious purposes, such as the distribution of illegal or malicious content.
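The pixel-bit technique described above is least-significant-bit (LSB) replacement. This added example (not code from the original page) embeds and extracts a payload in the LSBs of a constructed 64 × 64 grayscale image, and then applies the pairs-of-values chi-square test of Westfeld and Pfitzmann, the classic steganalysis check: LSB replacement pushes the counts of each value pair (2k, 2k+1) toward equality, so the statistic collapses once a large share of pixels carries payload. The cover image, the 4-byte length header format and the seeded random payload are all constructed for the demonstration.

```python
import random

WIDTH, HEIGHT = 64, 64
HEADER_BITS = 32                     # payload length in bytes, big-endian, stored first


def make_cover() -> bytearray:
    """Constructed 8-bit grayscale cover (not a real photo): a smooth gradient whose values are
    all even, so before embedding the odd value of every (2k, 2k+1) pair has count zero."""
    return bytearray(2 * ((3 * x + 5 * y) % 120) for y in range(HEIGHT) for x in range(WIDTH))


def capacity_bytes(pixels) -> int:
    return (len(pixels) - HEADER_BITS) // 8


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload: bytes) -> bytearray:
    """LSB-replace the length header and payload bits into the first pixels of a copy."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity {capacity_bytes(cover)}")
    stego = bytearray(cover)
    header = len(payload).to_bytes(4, "big")
    for i, bit in enumerate(_bits(header + payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego) -> bytes:
    """Read the length header, then that many bytes, from the pixel LSBs."""
    lsbs = [p & 1 for p in stego]
    length = int("".join(map(str, lsbs[:HEADER_BITS])), 2)
    if length > capacity_bytes(stego):
        raise ValueError("length header inconsistent with this image; no payload in this format")
    body = lsbs[HEADER_BITS:HEADER_BITS + 8 * length]
    return bytes(int("".join(map(str, body[i:i + 8])), 2) for i in range(0, len(body), 8))


def pov_chi_square(pixels) -> float:
    """Pairs-of-values chi-square statistic. For each pair (2k, 2k+1) the expected count under
    LSB embedding is the pair average; a large statistic means the LSB plane is still natural."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd == 0:
            continue
        expected = (even + odd) / 2
        chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi


def full_capacity_payload(pixels, seed: int = 7) -> bytes:
    """Constructed seeded random payload that fills the carrier, to show the detector's signal."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(capacity_bytes(pixels)))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, full_capacity_payload(cover))
    print("chi-square cover:", round(pov_chi_square(cover), 1),
          " stego:", round(pov_chi_square(stego), 1))
    print("round trip:", extract(embed(cover, b"constructed message")))
```

Real photographs do not start with an all-even histogram, so on real carriers the statistic is computed over growing prefixes of the image to estimate how much of it carries payload.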
In summary, drive geometry and file systems play a crucial role in how data is stored and accessed on a storage device. By understanding these concepts and the tools and techniques used to conceal data, it is possible to detect and prevent criminal activity involving hidden data.
There are several ways that law enforcement and cybersecurity professionals can detect and prevent criminal activity involving hidden data. One way is to analyze the physical characteristics of storage devices, such as the number of platters and heads, to determine the capacity and performance of the device. This can help to identify devices that may have been manipulated or altered in order to conceal data.
Another way is to examine the file systems and partition structures of a storage device to identify any unusual or suspicious activity. This can involve using forensic tools to analyze the contents of the device and identify hidden or encrypted data.
Finally, it is important to stay up-to-date on the latest tools and techniques used by criminals to conceal data, as well as the methods used by law enforcement and cybersecurity professionals to detect and prevent this activity. By understanding drive geometry, file systems, and the various methods used to conceal data, it is possible to effectively detect and prevent criminal activity involving hidden data.