Hard Drives, Storage Media and File Systems

Interface
• Two most common types of interfaces
  – SCSI: Small Computer Systems Interface (servers and high-performance desktops)
  – IDE/ATA: Integrated Drive Electronics (PC workstation)

Physical Hard Drive

Computer Disk
• Track
  – Each platter is divided into concentric rings called tracks
• Sector
  – Tracks are further divided into sectors
• Cluster
  – A combination of one or more sectors

Basic concepts
• Clusters
  – The basic storage unit of a disk
  – The piece of storage that an operating system can actually place data into
  – Different disk formats have different cluster sizes
• Slack space
  – The excess capacity in the last cluster when the clusters are not filled up, which the last one almost never is
[Figure labels: Old Data; New Data Overwrites]

Partition
• One hard drive can be logically divided into more than one partition
  – e.g., one partition has Windows 2000, one partition has Windows 2000 data, one partition has Linux.
• Partition table
  – Maintains partition information
• Check Table 3.1 for different partition types
• Check the partition table on the drive
  – fdisk
  – PowerQuest’s PartitionMagic
  – Partinfo (cannot change any of the partitions, it is free)

Partition

Unix/Linux - Partitions and file systems
• Every partition has an associated file system. The file system is actually created by the mkfs command. In DOS systems, it is customary to devote the entire file system to the FAT (File Allocation Table) based file system.
• In UNIX, it is normal to use multiple partitions in the file system structure, and for the file system structure to spread over many partitions and devices with different types of file systems.
• UNIX recognizes many types of file systems including minix, ext, ext2, umsdos, msdos, proc, nfs, phfs etc.

Partitions
• In Unix, every disk must be partitioned. Partitions divide up the disk, and each segment acts as a complete disk by itself. Once a partition is full, it cannot (without special software) automatically flow into another partition.
• Under Linux, each disk is given its own device name. IDE disks start with the name /dev/hdX, where X can range from a through z. When partitions are created, new devices are created. They take the form /dev/hdXY, where Y is the partition number.
• When the OS was installed, it created partitions for you. The fdisk command can also create partitions; root can use fdisk at any time to partition the hard drives.
  – fdisk -l

Partitions and Blocks
• The smallest unit of information that can be read from or written to a disk is a block.
• When partitions are created, the first block of every partition is reserved as the boot block. However, only one partition may act as a boot partition. BIOS checks the partition table of the first hard disk at boot time to determine which is the boot partition. In the boot block of the boot partition there is a small program called the bootstrap loader. On Linux, this is called LILO.

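The partition table that fdisk lists and that the BIOS consults for the boot partition can be decoded by hand from the first sector of the disk. The following is an added example, not part of the original slides; it assumes the classic MBR layout (four 16-byte entries at offset 446), and the function names and the sample sector are constructed for illustration.

```python
import struct

# A few common partition type bytes (subset chosen for this example).
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}

def parse_mbr(sector):
    """Return the four primary partition entries of a 512-byte MBR sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"index": i + 1, "bootable": status == 0x80,
                        "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "other"),
                        "lba_start": lba_start, "sectors": count})
    return entries

def unpartitioned_gaps(entries, disk_sectors):
    """Sector ranges (inclusive) that no partition table entry covers."""
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"])
                  for e in entries if e["type"] != 0x00)
    gaps, cursor = [], 1              # sector 0 is the MBR itself
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_sample_mbr():
    """Constructed sample: a bootable NTFS partition and a Linux partition."""
    sector = bytearray(512)
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 63, 204800)
    struct.pack_into("<B3xB3xII", sector, 462, 0x00, 0x83, 206848, 102400)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("uncovered sectors:", unpartitioned_gaps(parts, 400000))
```

The uncovered ranges are the sectors an examiner images separately, since they belong to no file system.
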
Partitions and Blocks
• The second block on the partition is called the superblock. It contains all the information about the partition, including
  – size of the partition
  – physical address of the first data block
  – number and list of free blocks
  – info about the file system
  – when the partition was last modified.
• The remaining blocks are data blocks.
• In order to use these partitions and file systems, they are logically attached (mounted) to the directory structure.

Format
• The process of turning a partition into a recognizable filesystem
• Windows
  – format command
• Unix/Linux
  – mkfs

File System
• It is a set of data objects that can be referenced and manipulated externally.
• It is the place where an operating system stores files, making it easy for you to access them by name, location, date, or other characteristic.
• File System Format
  – The process of turning a partition into a recognizable file system.

File System

Data Structures used in File System

File System
• File Allocation Table (FAT)
  – Simplest file system
  – FAT 12
  – FAT 16
  – FAT 32
  – VFAT
• NTFS, a file system for Windows NT/2K

Things to remember about FAT
• A sector is the smallest addressable unit of a hard disk.
• A cluster is a fixed number of contiguous sectors (but not necessarily physically contiguous).
• To a certain extent, you can decide how many sectors are in a cluster.
• All files are allocated space in clusters of sectors using a file allocation table (FAT).
• As you use files, increase and decrease their size and create new files, formerly contiguous clusters are now scattered randomly across your hard disk, which is referred to as fragmentation.
• Most operating systems, including Windows, have their own defragmentation utilities.
• Periodic defragmentation of your hard disk will reduce the risk of data loss and improve overall system performance.

FAT32 File System Layout

NTFS
• Supported by WinNT, Win2000, and WinXP
• Also commonly supported by most distributions of Linux
• No published specification from Microsoft
• MFT – Master File Table: the heart of NTFS
  – Contains information about all files and directories
  – Every file and directory has at least one entry in the table

Layout of a Freshly Formatted NTFS Volume
[Figure: from page 4 of http://data.linux-ntfs.org/ntfsdoc.pdf]

NTFS Volume Boot Sector
• The first block of information created on the partition
• Begins in the first sector of the partition, can use up to 16 sectors
• Contains
  – Information on the volume label and size, and the location of the key metadata files
  – Program code to load the OS (it will generally load NTLDR)

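How the boot sector leads to the key metadata files can be shown by decoding its size and MFT location fields. This is an added example, not part of the original slides; the function names and the sample sector are constructed, and the lookup of a metadata file record assumes the first 16 MFT records sit contiguously at the start of the MFT.

```python
import struct

BITMAP_RECORD = 6   # $Bitmap is MFT record 6 on NTFS volumes

def parse_ntfs_boot_sector(sector):
    """Decode the boot sector fields that give volume size and MFT location."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA end-of-sector marker")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (raw_size,) = struct.unpack_from("<b", sector, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Positive value: record size in clusters. Negative: 2**abs(value) bytes.
    record_size = raw_size * cluster_size if raw_size > 0 else 1 << -raw_size
    return {"cluster_size": cluster_size,
            "volume_bytes": total_sectors * bytes_per_sector,
            "mft_offset": mft_lcn * cluster_size,
            "mftmirr_offset": mirr_lcn * cluster_size,
            "mft_record_size": record_size}

def metafile_record_offset(info, record_number):
    """Byte offset of one of the first 16 MFT records (assumed contiguous)."""
    if not 0 <= record_number < 16:
        raise ValueError("only the 16 metadata file records are handled here")
    return info["mft_offset"] + record_number * info["mft_record_size"]

def build_sample_boot_sector():
    """Constructed sample: 100 MB volume, 4 KB clusters, 1 KB MFT records."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                  # jump over the parameter block
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQ", s, 0x28, 204799, 4, 12799)
    struct.pack_into("<b", s, 0x40, -10)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    print(info)
    print("$Bitmap record at byte", metafile_record_offset(info, BITMAP_RECORD))
```
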
Master File Table
• A system file created during the formatting of an NTFS volume.
• Records every file on the volume, including an entry for itself.
• Records 16 metadata files.

Master File Table (Cont’d)
• Each file record stores attributes
  – $FILE_NAME: up to 255 characters
  – $STANDARD_INFORMATION
    • MAC time, file characteristics
  – $DATA
  – Attribute list
  – A flag for allocation status
If the MFT grows too large, it can point to other locations for additional MFT info.

MetaFiles
• The first 16 files are system files
• Are inaccessible to the operating system
• They are the only part of the disk having a fixed position
• The first file is the MFT itself
• Each is responsible for some aspect of system operation
• Names start with the character “$”
• Located in the NTFS disk root directory

BITMAP File
• Keeps track of cluster usage
• It uses one bit to record the status of each cluster on the volume
  – If a cluster is used, the corresponding bit is changed to one
  – Else, the bit is zero

MAC TIMES
• Windows records the date and time of a file’s
  – creation (Created)
  – last modification (Modification)
  – the date that a file was last accessed (Accessed)

Where is the Data?
• Files
  – May contain stray data as well
• Slack space
  – In last cluster of file
  – File slack
  – RAM slack
• Unallocated blocks
  – Contain deleted data
• Unused partitions
• Boot track

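The slack space in a file's last cluster, introduced under Basic concepts and listed again above, can be carved out once the file size and cluster geometry are known. This is an added example, not part of the original slides; it takes RAM slack as the padding up to the next sector boundary and file slack as the untouched sectors after it (terminology assumed here), and the function names and sample cluster are constructed.

```python
import re

def slack_layout(file_size, sector_size=512, cluster_size=4096):
    """Return (used, ram_slack, file_slack) byte counts for a file's last cluster."""
    if file_size <= 0:
        return (0, 0, 0)                       # empty file: no cluster allocated
    used = file_size % cluster_size or cluster_size
    ram_slack = -used % sector_size            # padding up to the sector boundary
    file_slack = cluster_size - used - ram_slack   # whole sectors never rewritten
    return (used, ram_slack, file_slack)

def split_last_cluster(cluster, file_size, sector_size=512):
    """Split the raw bytes of the last cluster into (data, ram_slack, file_slack)."""
    used, ram, _ = slack_layout(file_size, sector_size, len(cluster))
    return cluster[:used], cluster[used:used + ram], cluster[used + ram:]

def printable_runs(data):
    """ASCII strings of six or more characters found in a byte buffer."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{6,}", data)]

def build_sample_cluster():
    """Constructed sample: last cluster of a 5000-byte file on 4 KB clusters."""
    data = b"\x01" * 904                       # tail of the current file (5000 - 4096)
    ram_slack = bytes(120)                     # zero padding to the sector boundary
    old = (bytes(100) + b"old payroll draft v2").ljust(3072, b"\x00")
    return data + ram_slack + old              # 4096 bytes in total

if __name__ == "__main__":
    print(slack_layout(5000))
    data, ram, slack = split_last_cluster(build_sample_cluster(), 5000)
    print(len(data), len(ram), len(slack))
    print("residue in file slack:", printable_runs(slack))
```
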
Swapping
[Figure labels: Image for p_i; Swap p_i out; Swap p_j in; Image for p_j; Primary Memory; Secondary Memory]

Swap Files in Windows
• Windows 2000 & WinXP
  – c:\pagefile.sys
  – To see it:
    • Folder Options | View set to ‘Show Hidden and System files’
    • not to ‘Hide Protected mode System files’
• Win98
  – C:\win386.swp

Virtual Memory
• Complete virtual address space is stored in secondary memory
• Each address space is fragmented
• Fragments of the virtual address space are dynamically loaded into primary memory at any given time
[Figure labels: Physical Address Space (0 to n-1); Primary Memory; Secondary Memory; Virtual Address Space for p_i; Virtual Address Space for p_j; Virtual Address Space for p_k]

Configure Virtual Memory
• Control Panel -> System -> Advanced -> Performance -> Settings -> Advanced

Windows Investigation (Before Looking for Deleted Files!)
• Check Application Logs (WinXP)
  – C:\WINDOWS\system32\config\AppEvent.evt
• Programs from Start > Run menu
  – HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\RunMRU
• Windows Temp Files
  – C:\Documents and Settings\User\Local Settings\Temp

Windows Registry
• Contains information on every Windows-compatible program
• Central, hierarchical configuration database
• Operating system relies on it
• Contains information about
  – Hardware, including plug and play devices
  – User information, preferences
    • Supports multiple users
  – Applications
  – Network information

Registry
• How to view:
  – Regedit
• Root key
  – HKEY_CLASSES_ROOT
  – HKEY_CURRENT_USER
  – HKEY_LOCAL_MACHINE
  – HKEY_USERS
  – HKEY_CURRENT_CONFIG
• Key
  – Is a folder that contains subkeys
  – Contains zero or more settings (values)