Drive Geometry, File Systems, and How Criminals Hide Data
Drive geometry and file systems are important concepts in computing, as they determine how data is stored and accessed on a storage device such as a hard drive or flash drive. Understanding these concepts is useful not only for managing data effectively, but also for detecting and preventing criminal activity.
Drive geometry refers to the physical layout of a storage device, including the number of platters, the number of heads, and the number of sectors per track. These physical characteristics determine the capacity and performance of the device.
File systems are the logical structures used to organize and manage the data on a storage device. They specify how data is stored, named, and accessed on the device. Common file systems include NTFS (used by Windows), HFS+ (used by macOS), and ext4 (used by Linux).
Criminals may use drive geometry and file systems to hide data in order to avoid detection. One way they may do this is with a technique called "disk slicing," which involves dividing a storage device into multiple virtual partitions, each with its own file system. This makes it difficult to determine the size and contents of the device, as the data is spread across multiple partitions.
Another technique criminals may use is "file system tunneling," which involves creating a hidden file system within a standard file system. This can be done using tools that create a "virtual" file system within a file, allowing the criminal to store data within the file without altering the file's size or appearance.
Criminals may also use encryption to conceal data on a storage device. Encryption encodes data using a secret key or password, making it unreadable without the key. This can be an effective way to hide data, as it requires specialized tools and knowledge to decrypt the data. However, encryption can also be a double-edged sword, as it can be used by law enforcement and cybersecurity professionals to track and identify criminal activity.
In order to detect and prevent criminal activity involving hidden data, it is important to understand drive geometry and file systems, as well as the tools and techniques that criminals may use to conceal data. This can involve analyzing the physical characteristics of storage devices, examining the file systems and partition structures, and using forensic tools to identify hidden or encrypted data.
Now let's take a deeper look at each concept.
Hard Disk Drives (HDD)
A Hard Disk Drive (HDD), also known simply as a hard drive, is a type of data storage device that uses spinning disks, or platters, to store and retrieve data. The platters are coated with a magnetic material, and data is stored on them in the form of tiny magnetic particles.
At the center of the HDD is a spindle that holds the platters in place and spins them at high speeds, typically ranging from 5,400 to 15,000 revolutions per minute (RPM). The platters are divided into concentric circles, or tracks, and each track is further divided into sectors.
A read/write head is mounted on an arm that extends from a movable actuator. The actuator positions the head over a specific track, and the head is used to read data from or write data to the disk. When the head is over a track, it can detect the magnetic field of the individual particles on the disk and use this information to interpret the data stored there.
To read or write data, the HDD first locates the desired track using the actuator, and then waits for the track to rotate underneath the head. Once the track is in position, the head reads or writes the data to the appropriate sector on the track.
HDDs are typically accessed via a computer's motherboard, which sends commands to the HDD to read or write data. The data is transferred between the HDD and the computer via an interface, such as SATA or PATA, which connects the HDD to the motherboard.
Cylinder-Head-Sector (CHS) Addressing
Cylinder-Head-Sector (CHS) addressing is a method of addressing individual sectors on a hard disk drive (HDD) or other mass storage device. It is based on the physical layout of the disks in the HDD, and is used to map logical block addresses (LBAs) to the physical location of the data on the device.
In CHS addressing, each sector on the HDD is identified by its cylinder, head, and sector number. The cylinder number represents the number of the disk platter on which the sector is located, the head number represents the read/write head that is used to access the sector, and the sector number represents the specific sector on the track.
For example, if a sector is identified as cylinder 2, head 3, sector 4, this means that it is located on the second disk platter, is accessed by the third read/write head, and is the fourth sector on the track.
CHS addressing was commonly used in older HDDs and other mass storage devices, but it has largely been replaced by Logical Block Addressing (LBA) in modern devices. LBA allows the operating system and software to access data on the HDD without having to know the physical location of the data, whereas CHS addressing requires the operating system and software to be aware of the physical layout of the disks in the HDD.
Logical Block Addressing (LBA)
Logical Block Addressing (LBA) is a method of addressing individual sectors on a hard disk drive (HDD) or other mass storage device. It maps logical block addresses (LBAs), which are used by the operating system and application software, to the physical location of the data on the device.
In LBA addressing, each sector on the HDD is assigned a unique LBA. The LBAs are numbered consecutively, starting from zero, and are used by the operating system and software to access specific sectors on the HDD.
For example, if a file is stored on sector 100 of the HDD, the operating system or software can use LBA 100 to access the data. The LBA is translated by the device's firmware or the operating system into the physical location of the data on the HDD, which might be a specific track and sector of a spinning disk.
LBA allows the operating system and software to access data on the HDD without having to know the physical location of the data. This makes data easier to manage and access, as the operating system and software can simply use the LBAs rather than having to know the specific track and sector on the disk where the data is stored.
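As an added example (not code from the original article), here is the standard CHS/LBA translation that drive firmware performs, using a constructed geometry of 1,024 cylinders, 16 heads and 63 sectors per track. In this formula the cylinder index selects a track position, the head index selects the platter surface, and CHS sector numbers start at 1 while LBAs start at 0.

```python
# Added example (not from the original article): the standard CHS <-> LBA
# conversion, which is how firmware turns the logical sector number an operating
# system asks for into a physical position on the platters. The geometry values
# used in __main__ are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    cylinders: int           # track positions, counted from the outer edge inwards
    heads: int               # heads per cylinder, one per platter surface
    sectors_per_track: int   # sectors on each track; CHS sector numbers start at 1


def chs_to_lba(geo: Geometry, cylinder: int, head: int, sector: int) -> int:
    """Map a (C, H, S) triple to a zero-based logical block address."""
    if not 0 <= cylinder < geo.cylinders:
        raise ValueError("cylinder out of range")
    if not 0 <= head < geo.heads:
        raise ValueError("head out of range")
    if not 1 <= sector <= geo.sectors_per_track:
        raise ValueError("sector numbers run from 1 to sectors_per_track")
    return (cylinder * geo.heads + head) * geo.sectors_per_track + (sector - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple:
    """Inverse of chs_to_lba: recover the physical (C, H, S) for a logical block."""
    total = geo.cylinders * geo.heads * geo.sectors_per_track
    if not 0 <= lba < total:
        raise ValueError(f"LBA {lba} is beyond the device ({total} sectors)")
    cylinder, remainder = divmod(lba, geo.heads * geo.sectors_per_track)
    head, sector_zero_based = divmod(remainder, geo.sectors_per_track)
    return cylinder, head, sector_zero_based + 1


def capacity_bytes(geo: Geometry, sector_size: int = 512) -> int:
    """Total addressable capacity implied by the geometry."""
    return geo.cylinders * geo.heads * geo.sectors_per_track * sector_size


if __name__ == "__main__":
    # Classic BIOS CHS limit: 1024 cylinders, 16 heads, 63 sectors per track.
    geo = Geometry(cylinders=1024, heads=16, sectors_per_track=63)
    print(chs_to_lba(geo, 2, 3, 4))            # 2208
    print(lba_to_chs(geo, 100))                # (0, 1, 38), the article's "LBA 100"
    print(lba_to_chs(geo, 2208))               # (2, 3, 4), round trip
    print(capacity_bytes(geo) // 2**20, "MiB")  # 504 MiB
```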
Solid State Drives (SSD)
A Solid State Drive (SSD) is a type of data storage device that uses flash memory to store data. Unlike a hard disk drive (HDD), which uses spinning disks, an SSD has no moving parts and stores data on interconnected flash memory chips.
An SSD is made up of one or more flash memory chips, a controller chip, and a connection to the computer, such as SATA or PCI Express. The controller chip manages the flow of data to and from the flash memory chips, and also performs tasks such as error correction and wear leveling (a technique used to extend the lifespan of the SSD by evenly distributing write operations across the memory cells).
When data is written to an SSD, the controller chip divides the data into blocks and stores it in the available memory cells. When data is read from the SSD, the controller retrieves the data from the memory cells and sends it to the computer.
One of the key benefits of an SSD is its speed. Because it has no moving parts, an SSD can access data much faster than an HDD, which has to physically locate the data on a spinning disk. SSDs are also generally more durable and reliable than HDDs, as they are not susceptible to mechanical failure or damage from physical shocks.
Wear Leveling
Wear leveling is a technique used in flash memory to ensure that no memory cell is worn out before the others, as this can significantly reduce the lifespan of the device. Flash memory has a limited number of write cycles, so if the same memory cell is written to repeatedly, it will eventually wear out and become unreliable. Wear leveling distributes write operations evenly across all the memory cells, so that no single cell is subjected to a disproportionate number of write cycles.
There are several ways that wear leveling can be implemented in flash memory. One common method is a wear leveling algorithm that tracks the number of write operations to each memory cell and redistributes the data to other cells when a cell reaches a certain threshold. This can be done by moving the data to a less-used cell, or by writing the data to a new, empty cell and then updating the mapping table to reflect the new location of the data.
Another method is to use a technique called overprovisioning, which involves reserving a portion of the flash memory for wear leveling purposes. This reserved memory can be used to store data that needs to be written to a memory cell that has already reached its maximum number of write cycles.
Hybrid Drives
A hybrid drive, also known as a solid state hybrid drive (SSHD), is a type of data storage device that combines the features of a hard disk drive (HDD) and a solid state drive (SSD). It combines the high capacity and low cost of an HDD with the fast access speeds of an SSD.
Hybrid drives work by using a small amount of flash memory, similar to an SSD, as a cache for frequently accessed data. When the computer needs to access data that is stored on the HDD, it first checks the cache to see if the data is there. If it is, the data is retrieved from the cache, which is much faster than accessing the slower HDD. If the data is not in the cache, it is retrieved from the HDD and stored in the cache for future access.
This hybrid approach allows the drive to take advantage of the fast access speeds of an SSD for frequently accessed data, while still being able to store large amounts of data at a lower cost than a pure SSD.
Quantum Computing
Quantum computing is a type of computing that uses quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. Quantum computers use quantum bits, or qubits, to store and process information, which allows them to perform certain types of calculations much faster than classical computers.
In a classical computer, a hard disk drive (HDD) is a type of data storage device that uses spinning disks to store and retrieve data. In a quantum computer, there is no equivalent to an HDD, as quantum computers do not use physical disks to store data.
Instead, quantum computers use qubits to store and process information. Qubits can exist in a superposition of 0 and 1 simultaneously, which allows quantum computers to perform certain types of calculations much faster than classical computers.
Quantum computers also use quantum gates and quantum circuits to manipulate and process the qubits. These gates and circuits are the equivalent of transistors and logic gates in a classical computer, and are used to perform operations on the qubits. In a classical computer, information is stored in bits, which can have a value of 0 or 1. In a quantum computer, information is stored in qubits, which can exist in a superposition of 0 and 1 simultaneously. This allows a quantum computer to perform multiple calculations at the same time, a process known as parallelism.
Quantum computers also use a phenomenon called entanglement, in which two or more qubits become correlated and can influence each other's state, even when separated by large distances. This allows quantum computers to perform certain types of calculations much faster than classical computers, by taking advantage of the properties of quantum mechanics.
Quantum computing has the potential to solve certain types of problems much faster than classical computers, such as certain optimization problems and certain types of machine learning tasks. However, quantum computers are still in the early stages of development, and many challenges remain in building and programming them.
File Systems
A file system is a set of rules and data structures used to store, organize, and manage files on a computer or other storage device. It determines how files are stored on the disk, how they are organized, and how they can be accessed.
There are several different types of file systems, each with its own set of rules and data structures, and each with its own strengths and weaknesses. Some common file systems include:
· NTFS (New Technology File System) is a file system used by Windows operating systems. It is a journaling file system, which means it keeps track of changes to the file system in a log, allowing it to recover from errors or corruption. NTFS supports large files and volumes, and is generally considered to be more reliable and secure than other file systems. However, it is not compatible with some older operating systems or devices.
· exFAT (Extended File Allocation Table) is a file system used by Windows and some other operating systems. It is similar to FAT32, but supports larger files and volumes. exFAT is known for its compatibility with a wide range of operating systems and devices, and is often used to transfer large files between different systems. However, it is not as reliable or secure as other file systems, and does not support features such as file compression or encryption.
· HFS+ (Hierarchical File System Plus) is a file system used by macOS and some other operating systems. It is a journaling file system, which means it keeps track of changes to the file system in a log, allowing it to recover from errors or corruption. HFS+ supports large files and volumes, and is generally considered to be reliable and secure. However, it is not compatible with some older operating systems or devices, and does not support features such as file compression or encryption.
Master File Table (MFT)
The Master File Table (MFT) is a database used by NTFS (New Technology File System) to store information about the files and directories on a hard disk drive (HDD). It tracks the location of each file and directory on the HDD, as well as other information about the file or directory, such as its size, date and time of creation, and permissions.
The MFT is divided into a series of records, each of which represents a file or directory on the HDD. Each record contains information about the file or directory, such as its name, size, and location on the HDD.
When a file or directory is created, modified, or deleted on the HDD, the MFT is updated to reflect the changes. This allows the file system to keep track of the location and status of each file and directory on the HDD.
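To show what an MFT record actually carries, here is an added example (not code from the original article) that constructs a minimal NTFS FILE record in memory and parses it the way a forensic tool would, reading the in-use and directory flags from the header and the name and size from the $FILE_NAME attribute. Offsets follow the public NTFS on-disk layout; the update-sequence fixups a real record needs are not applied, and the file names and sizes are constructed.

```python
# Added example (not from the original article): construct an NTFS MFT FILE record
# in memory and parse it the way a forensic tool does. Layout offsets follow the
# public NTFS on-disk format; update-sequence fixups are not applied here.
import struct

RECORD_SIZE = 1024
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def resident_attr(attr_type: int, content: bytes) -> bytes:
    """Encode a resident, unnamed attribute: 24-byte header, then content, 8-byte aligned."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", attr_type, length, 0, 0, 24, 0, 0,
                      len(content), 24, 0)
    return (hdr + content).ljust(length, b"\0")


def file_name_attr(name: str, real_size: int, parent_ref: int = 5) -> bytes:
    """$FILE_NAME content: parent ref, four timestamps, allocated/real size, flags, name."""
    encoded = name.encode("utf-16-le")
    content = struct.pack("<QQQQQQQIIBB", parent_ref, 0, 0, 0, 0,
                          (real_size + 4095) & ~4095, real_size, 0, 0,
                          len(encoded) // 2, 3) + encoded
    return resident_attr(ATTR_FILE_NAME, content)


def build_record(name: str, size: int, in_use: bool, directory: bool = False) -> bytes:
    """Constructed MFT record: 56-byte header, one $FILE_NAME attribute, end marker."""
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    attrs = file_name_attr(name, size) + struct.pack("<I", ATTR_END)
    header = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 1, 1, 56, flags,
                         56 + len(attrs), RECORD_SIZE, 0, 2).ljust(56, b"\0")
    return (header + attrs).ljust(RECORD_SIZE, b"\0")


def parse_record(rec: bytes) -> dict:
    """Decode header flags and walk the attribute list, extracting name and size."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", rec, 16)
    info = {"sequence": seq, "links": links, "in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY), "name": None, "size": None,
            "attributes": []}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        info["attributes"].append(atype)
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:    # resident $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            info["size"] = struct.unpack_from("<Q", body, 48)[0]
            name_len = body[64]
            info["name"] = body[66:66 + 2 * name_len].decode("utf-16-le")
        off += alen
    return info


if __name__ == "__main__":
    live = build_record("invoice.pdf", 2048, in_use=True)
    # When a file is deleted, NTFS clears the in-use flag but leaves the record's
    # contents in place until the slot is reused, so name and size stay recoverable.
    deleted = build_record("notes.txt", 17, in_use=False)
    for rec in (live, deleted):
        info = parse_record(rec)
        state = "in use" if info["in_use"] else "deleted (slot not yet reused)"
        print(f"{info['name']!r}: {info['size']} bytes, {state}")
```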
HFS+ Catalog File
On a Mac computer, the equivalent of the Master File Table (MFT) is the HFS+ (Hierarchical File System Plus) catalog file. Like the MFT, the HFS+ catalog file is a database used to store information about the files and directories on the hard disk drive (HDD). It tracks the location of each file and directory on the HDD, as well as other information about the file or directory, such as its size, date and time of creation, and permissions.
When a file or directory is created, modified, or deleted on the HDD, the HFS+ catalog file is updated to reflect the changes. This allows the file system to keep track of the location and status of each file and directory on the HDD.
Registry
The registry is a database used by the Windows operating system to store configuration information about the system and installed programs. It stores information such as system settings, hardware and software configuration, and user preferences.
On a computer using NTFS (New Technology File System), the registry is stored as a set of files on the hard disk drive (HDD). The main registry file is called "ntuser.dat" and is located in the user's profile folder. There are also several other registry files that store specific types of information, such as "system.dat" for system settings and "software.dat" for software configuration.
The registry is organized into a hierarchical structure, with keys and values at different levels of the hierarchy. Keys are similar to folders in the file system, and contain values, which are similar to files. Each value stores a specific piece of information, such as a setting or preference.
The registry is used by the operating system and installed programs to access and modify configuration information. When you make changes to the system or install new programs, the registry is updated to reflect the changes.
How Criminals Hide Data on a Computer
There are several ways that criminals can hide files on a computer in order to conceal their activities or avoid detection. Some of these methods include:
· Hiding files in plain sight: Criminals can hide files within legitimate directories or folders on the computer, such as the "Documents" or "Downloads" folder. These files may be disguised as other types of files, such as image or audio files, or may be given misleading names to avoid detection.
· Using hidden file attributes: Some file systems allow users to mark files as hidden, which means they are not shown by default when browsing the file system. Criminals can use this feature to hide files on the computer.
· Encrypting files: Criminals can use encryption to protect the contents of a file, making it unreadable without the proper decryption key. This can make it difficult for law enforcement or other investigators to access the contents of the file.
· Partitioning: Criminals also hide partitions using the Windows disk partition utility, diskpart. The diskpart remove letter command unassigns the partition's drive letter and hides it from view in File Explorer. Investigators must analyze all disk space, including areas containing space that is unaccounted for, to determine whether this has been done. Though not common now, other examples include using FAT file systems to place sensitive or incriminating evidence in free or slack space on disk partition clusters.
· File System Tunneling: File system tunneling is a technique used to create a hidden file system within a standard file system. It involves creating a "virtual" file system within a file, allowing the user to store data within the file without altering the file's size or appearance.
· Using Steganography: Steganography is the practice of hiding data within other data, such as by embedding a message within an image file. Criminals can use steganography to hide files on the computer, making them difficult to detect.
Encryption
Encryption is the process of converting data into a form that is unreadable to anyone who does not have the proper decryption key. It is often used to protect sensitive data, such as personal information or financial records, from unauthorized access.
On a hard disk drive (HDD), encryption can be used to protect the stored data from being accessed by anyone who does not have the decryption key. This can be useful, for example, if the HDD contains sensitive information that should not be accessed by unauthorized users.
There are several different types of encryption that can be used on an HDD, each with its own strengths and weaknesses. Some common types include:
· Symmetric encryption: This type of encryption uses the same key for both encryption and decryption. It is relatively fast, but requires that the key be kept secret in order to maintain the security of the data.
· Asymmetric encryption: This type of encryption uses a pair of keys, a public key and a private key, to encrypt and decrypt data. The public key is used to encrypt the data, and the private key is used to decrypt it. Asymmetric encryption is generally more secure than symmetric encryption, but it is also slower.
· Encryption algorithms: There are many different algorithms that can be used to encrypt data, each with its own strengths and weaknesses. Some common algorithms include AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman), and Blowfish.
Partitioning
Partitioning is the process of dividing a hard disk drive (HDD) into separate logical storage units, called partitions. Partitions allow you to organize your data and allocate specific amounts of space for different purposes, such as installing multiple operating systems or separating personal and work files.
When you partition an HDD, you create one or more partitions on the disk, and then format each partition with a file system, such as NTFS or exFAT. Each partition is treated as a separate drive by the operating system, and can be assigned a drive letter, such as C: or D:.
There are several reasons why you might want to partition an HDD:
· To install multiple operating systems: You can create separate partitions for different operating systems, allowing you to boot into different operating systems on the same computer.
· To separate personal and work files: You can create separate partitions for your personal and work files, which can help you keep your files organized and prevent accidental deletion of important files.
· To allocate specific amounts of space for different purposes: You can create partitions of different sizes and assign them to different purposes, such as storing personal files, storing work files, or installing programs.
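The partition table is where both this section and the earlier hidden-partition item meet: a partition whose drive letter was removed with diskpart no longer shows in File Explorer but still has its table entry, and space claimed by no entry at all is the "unaccounted for" region an investigator must inspect. The following added example (not code from the original article) parses an MBR-style table and reports unclaimed sector ranges; the 512-byte MBR is constructed in memory, and a GPT-partitioned disk would need the GPT header and entries read instead.

```python
# Added example (not from the original article): read a Master Boot Record partition
# table and report sector ranges no partition claims. The 512-byte MBR built in
# __main__ is constructed; on a real image you would read sector 0 of the disk.
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446              # four 16-byte entries, then the 0x55AA signature
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def partition_entry(ptype: int, lba_start: int, sectors: int, bootable: bool = False) -> bytes:
    """Encode one table entry; CHS fields are zeroed, as modern tools rely on the LBA fields."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype,
                       b"\0\0\0", lba_start, sectors)


def build_mbr(entries: list) -> bytes:
    """Assemble a constructed MBR sector from up to four entries."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(entries).ljust(64, b"\0")
    return b"\0" * TABLE_OFFSET + table + b"\x55\xAA"


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries, sorted by starting LBA."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue                        # empty slot
        parts.append({"slot": i, "type": ptype, "bootable": bool(status & 0x80),
                      "start": start, "end": start + count - 1})
    return sorted(parts, key=lambda p: p["start"])


def unaccounted_ranges(parts: list, total_sectors: int, min_sectors: int = 2048) -> list:
    """Sector ranges (inclusive) that no partition entry covers.

    Small alignment gaps in front of the first partition are normal; a gap of
    min_sectors (1 MiB at 512-byte sectors) or more between or after partitions
    is the unaccounted space an examiner should image and inspect.
    """
    gaps = []
    cursor = 1                              # sector 0 is the MBR itself
    for p in parts:
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if total_sectors - cursor >= min_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    # Constructed 64 GiB disk: a 512 MiB boot partition and a 50 GiB NTFS volume,
    # leaving roughly 13.5 GiB at the end that no table entry accounts for.
    total = 64 * 1024 ** 3 // SECTOR_SIZE
    mbr = build_mbr([partition_entry(0x07, 2048, 1048576, bootable=True),
                     partition_entry(0x07, 1050624, 104857600)])
    parts = parse_mbr(mbr)
    for p in parts:
        print(f"slot {p['slot']}: type 0x{p['type']:02x} LBA {p['start']}-{p['end']}")
    for start, end in unaccounted_ranges(parts, total):
        size_gib = (end - start + 1) * SECTOR_SIZE // 2**30
        print(f"unaccounted: LBA {start}-{end} (about {size_gib} GiB)")
```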
File System Tunneling
File system tunneling is a technique used to create a hidden file system within a standard file system. It involves creating a "virtual" file system within a file, allowing the user to store data within the file without altering the file's size or appearance.
To create a file system tunnel, the user must first create a file that will act as the container for the hidden file system. This file is typically given a standard file extension, such as .txt or .doc, to make it appear as a normal document. However, the file is actually a special type of file called a "sparse file," which is a file that contains blocks of zeros that are not actually stored on the storage device.
The user can then use a tool to create a file system within the sparse file. This file system can have its own structure and organization, just like a standard file system on a storage device. The user can then store data within it by creating files and directories within the sparse file.
File system tunneling can be used for a variety of purposes, including the secure storage of sensitive data, the protection of intellectual property, and the detection of unauthorized use of copyrighted material. However, it can also be used for nefarious purposes, such as the concealment of illegal or malicious content.
One of the advantages of file system tunneling is that it can be difficult to detect, as the hidden file system appears as a normal file within the standard file system. To uncover a file system tunnel, forensic tools and specialized knowledge may be required to analyze the contents of the file and identify the presence of a hidden file system.
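Because the container described above is a sparse file, one quick triage check is to compare each file's apparent size with the space actually allocated to it. The added example below (not code from the original article) does that with os.stat on POSIX systems, where st_blocks counts 512-byte units; the sample files and the 50% ratio threshold are constructed for illustration.

```python
# Added example (not from the original article): a triage check for sparse-file
# containers. The apparent size (st_size) is compared with the space actually
# allocated (st_blocks, in 512-byte units on POSIX systems).
import os
import tempfile


def allocation_report(path: str) -> dict:
    """Apparent vs allocated size for one file; 'sparse' is None where st_blocks is unavailable."""
    st = os.stat(path)
    blocks = getattr(st, "st_blocks", None)
    allocated = None if blocks is None else blocks * 512
    return {"path": path, "apparent": st.st_size, "allocated": allocated,
            "sparse": None if allocated is None else allocated < st.st_size}


def sparse_candidates(root: str, min_apparent: int = 1 << 20, max_ratio: float = 0.5) -> list:
    """Files under root whose allocated space is below max_ratio of their apparent size.

    Legitimate sparse files exist (VM images, databases), so a hit is a lead for
    the examiner to open with a file system tool, not proof of a hidden volume.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rep = allocation_report(path)
            if (rep["apparent"] >= min_apparent and rep["allocated"] is not None
                    and rep["allocated"] <= rep["apparent"] * max_ratio):
                hits.append(rep)
    return hits


def make_constructed_sparse_file(path: str, apparent_size: int) -> None:
    """Constructed sample: a short plain-text header followed by an unallocated hole."""
    with open(path, "wb") as fh:
        fh.write(b"plain text header\n")
        fh.truncate(apparent_size)


def make_dense_file(path: str, size: int) -> None:
    """Constructed control sample with every byte written, so it is fully allocated."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))


def run_demo() -> dict:
    """Build the two constructed samples in a scratch directory and report on them."""
    with tempfile.TemporaryDirectory() as root:
        sparse_path = os.path.join(root, "notes.txt")     # 64 MiB apparent, mostly hole
        dense_path = os.path.join(root, "photo.jpg")      # 1 MiB, fully written
        make_constructed_sparse_file(sparse_path, 64 << 20)
        make_dense_file(dense_path, 1 << 20)
        return {"sparse": allocation_report(sparse_path),
                "dense": allocation_report(dense_path),
                "candidates": [os.path.basename(r["path"]) for r in sparse_candidates(root)]}


if __name__ == "__main__":
    results = run_demo()
    for label in ("sparse", "dense"):
        rep = results[label]
        print(f"{os.path.basename(rep['path'])}: apparent={rep['apparent']} "
              f"allocated={rep['allocated']} sparse={rep['sparse']}")
    print("candidates:", results["candidates"])
```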
Steganography
Steganography is the practice of concealing a message, image, or file within another message, image, or file. The goal of steganography is to hide the existence of the message or to make it appear as something else, such as a harmless image or a normal-sounding audio file.
There are several ways to achieve this, but one common method is to use a carrier file, such as a picture or audio file, and alter the bits of data within the carrier file to encode the message. The changes made to the carrier file may be subtle and difficult to detect, especially if the carrier file is large or the message is encoded using sophisticated techniques.
For example, an image file is made up of pixels, each of which is represented by a certain number of bits. The color and intensity of each pixel are determined by these bits. By altering the values of these bits in a subtle way, it is possible to encode a message within the image without significantly altering the appearance of the image.
Another method of steganography involves embedding a message within the whitespace or unused areas of a document, such as the margins of a page or the extra space within an image file. This technique is known as "subliminal messaging."
Steganography has a variety of uses, including the secure communication of sensitive information, the protection of intellectual property, and the detection of unauthorized use of copyrighted material. However, it can also be used for nefarious purposes, such as the distribution of illegal or malicious content.
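The pixel-level method described above, as an added example that is not part of the original article: a message is written into the least significant bit of successive 8-bit grayscale pixels, extracted again, and the largest change to any pixel is measured. The 64x64 gradient image, the message and the 32-bit length prefix are constructed for illustration; the extractor also shows why running it on an untouched carrier yields an inconsistent length rather than a message.

```python
# Added example (not from the original article): least-significant-bit embedding in
# an 8-bit grayscale image, followed by extraction and a measure of how little the
# carrier changed. The 64x64 image and the message are constructed for illustration.


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 32-bit length prefix and the payload into the low bit of successive pixels."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError(f"carrier holds at most {len(pixels) // 8 - 4} payload bytes")
    out = bytearray(pixels)
    idx = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[idx] = (out[idx] & 0xFE) | ((byte >> shift) & 1)
            idx += 1
    return bytes(out)


def _read_bytes(pixels: bytes, first_pixel: int, count: int) -> bytes:
    """Reassemble count bytes from the low bits of pixels starting at first_pixel."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[first_pixel + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover the payload; the length prefix is validated against the carrier size."""
    if len(pixels) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix is inconsistent with the carrier; no valid payload")
    return _read_bytes(pixels, 32, length)


def max_pixel_change(original: bytes, modified: bytes) -> int:
    """Largest per-pixel difference; LSB embedding never moves a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


def constructed_image(width: int = 64, height: int = 64) -> bytes:
    """A smooth diagonal gradient standing in for a real grayscale photo."""
    return bytes((x + y) % 256 for y in range(height) for x in range(width))


if __name__ == "__main__":
    carrier = constructed_image()
    message = b"meeting moved to noon"
    stego = embed_lsb(carrier, message)
    print(extract_lsb(stego))                                      # b'meeting moved to noon'
    print("max pixel change:", max_pixel_change(carrier, stego))   # 1
    print("payload capacity:", len(carrier) // 8 - 4, "bytes")     # 508
```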
Summary
In summary, drive geometry and file systems play a crucial role in how data is stored and accessed on a storage device. By understanding these concepts and the tools and techniques used to conceal data, it is possible to detect and prevent criminal activity involving hidden data.
There are several ways that law enforcement and cybersecurity professionals can detect and prevent criminal activity involving hidden data. One way is to analyze the physical characteristics of storage devices, such as the number of platters and heads, to determine the capacity and performance of the device. This can help to identify devices that may have been manipulated or altered in order to conceal data.
Another way is to examine the file systems and partition structures of a storage device to identify any unusual or suspicious activity. This can involve using forensic tools to analyze the contents of the device and identify hidden or encrypted data.
Finally, it is important to stay up to date on the latest tools and techniques used by criminals to conceal data, as well as the methods used by law enforcement and cybersecurity professionals to detect and prevent this activity. By understanding drive geometry, file systems, and the various methods used to conceal data, it is possible to effectively detect and prevent criminal activity involving hidden data.