MEDIA AND STORAGE

Session 17
Recapping
 We have cover both Microsoft and Unix
files system
Today
 Introduction to ACW2
 Covering each ACW
 ACW2 session (Needed to complete ACW)
 expected deliveries
 Dates both parts in and out

 Partitioning
Learning Outcomes
 Be able to show and demonstrate
knowledge the difference between
 Physical drive
 Primary partition
 Logical partition
ACW2 information

ACW2 information
Media and storage
ACW2 part3
 Forensic examination of a forensic image
 Examining a Forensically sound image
 Reportingyour findings
 2000 words
Final handin

 Allthree parts
 Critical commentary
 Copy of all notes
 Appendix
partitions

partitions
Media and storage
Physical drive

 In the current IBM PC architecture

 there is a partition table in the drive's Master
Boot Record
 The MBR lists information about the
partitions on the hard drive.
 This partition table is then further split into 4
partition table entries
 Due to this it is only possible to have four
partitions.
Primary partition

 These 4 partitions are typically known as

primary partitions.
 To overcome this restriction, system
developers decided to add a new type of
partition called the extended partition.
 By replacing one of the four primary
partitions with an extended partition, you
can then make an additional 24 logical
partitions within the extended one.
Primary/Logical partition
 Partition Table
 Primary Partition #1
 Primary Partition #2
 Primary Partition #3
 Primary Partition #4
 (Extended Partition)
 Logical Partition #1
 Logical Partition #2
 As you can see, this partition table is broken
up into 4 primary partitions.
 The fourth partition, though, has been flagged
as an extended partition.
 This allows us to make more logical partitions
under that extended partition and therefore
bypassing the 4 partition limit.
 Each hard drive also has one of its
possible 4 partitions flagged as an active
partition.
 The active partition is a special flag
assigned to only one partition on a hard
drive that the Master Boot Record (MBR)
uses to boot your computer into an
operating system.
 As only one partition may be set as the
active partition, you may be wondering
how people can have multiple operating
systems installed on different partitions,
and yet still be able to use them all.
 This is accomplished by installing a boot
loader in the active partition.
 When the computer starts, it will read the
MBR and determine the partition that is
flagged as active.
 This partition is the one that contains the
boot loader.
 When the operating system boots off of
this partition the boot loader will start and
allow you to choose which operating
systems you would like to boot from.
Recovery
 GPart, Partition recovery tool
 Can be use to Retrieve Partitions damaged
or Altered
 This will change the disc/image