Disk file organization

In document Computer & Intrusion Forensics pdf (Page 68-71)

2.2 Electronic evidence

2.2.2 Disk file organization

The main function of the file management services provided by an operating system is to store the information content of a file on disk in such a manner that it can be found quickly when needed. In essence, irrespective of the type of computer operating system, whether it is a UNIX-style operating system or a Microsoft Windows operating system, the way in which the information content of a file is arranged on disk is remarkably similar.

Information is invariably stored in 512-byte sectors laid out in concentric circular tracks of decreasing radius. The outermost track holds the first disk sector, that is, the sector with identifying number (sector address) zero, and the remaining sectors on that track have sector addresses running in sequence from 1 upwards. The number of sectors per track varies with the particular disk technology being used. The last sector of the innermost track on a recording surface (a disk may consist of one or more platters, each with two recording surfaces) is then the last sector on that surface and has sector address n−1, where n is the storage capacity (in sectors) of one surface of the disk (Figure 2.1). Sectors on successive surfaces are then numbered logically from n, 2n, 3n, ... upwards. Finding information on a disk is then, in principle, a matter of the file management software keeping a record (referred to later as the filemap record) of each filename together with the addresses of the sectors holding that file's content; we refer to the collection of these records as the filemap. Note that the sectors constituting the content of any particular file may be fragmented, that is, scattered all over the disk rather than following on from one another. This is precisely why defrag utilities are so useful and popular: the more fragmented the files on a disk, the less efficiently they can be accessed, so a defrag utility attempts to reorganize the sectors of each file to be as contiguous as possible, making sequential processing of a file that much more efficient. For each file, the filemap lists the sector addresses in file logical order: the first sector address in a file's filemap record is the address of the first sector of the file, and the last address in the record is that of the last sector of the file. It follows that the list of sector addresses for any one file will generally not be in arithmetic order; using a defrag utility updates the filemap accordingly.

Figure 2.1 Schematic of disk organization.

For readers interested in more detail regarding disk addressing, we point out that the simple sector addressing scheme outlined above is in practice somewhat more complicated, in order to cope with the concepts of disk cylinders and heads as well as sectors, and with the different disk geometries of different disks. This leads to an addressing scheme called CHS addressing, CHS being an acronym for cylinder, head, sector. A related complication which can conceivably affect an investigation is that the physical CHS geometry of the disk is generally hidden from the application by disk address translation logic which is part of the system BIOS, so the logical geometry a tool reports need not match the physical one. For an informative and detailed account of disk geometry and disk access at the hardware level, the reader is referred to Sammes and Jenkinson [19]. James Holley presents the case for developing a standard methodology for assessing computer forensic software tools and gives an interesting account of how different tools portray a different view of the logical CHS structure of the same physical disk [20].
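The two addressing schemes described above, worked through in Python as an added example (this code is not from the book): the surface-major numbering of the text, in which surface k starts at sector k·n, and the cylinder-major CHS to LBA translation that BIOS geometry uses. The two geometries are invented; they have equal capacity so that they stand in for two tools that translate the same physical disk differently, which is the situation Holley describes.

```python
"""Sector addressing on a disk: the surface-major numbering the text describes
and the cylinder/head/sector (CHS) <-> LBA translation of BIOS-era geometry.
Added example, not from the book; the two geometries below are invented."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    cylinders: int          # tracks per recording surface
    heads: int              # recording surfaces (one read/write head each)
    sectors_per_track: int  # assumed constant across the disk, as in the text

    @property
    def sectors_per_surface(self) -> int:
        # 'n' in the text: the capacity of one surface, in sectors
        return self.cylinders * self.sectors_per_track

    @property
    def total_sectors(self) -> int:
        return self.heads * self.sectors_per_surface


def surface_address(geo: Geometry, surface: int, track: int, sector: int) -> int:
    """Scheme from the text: sector 0 is the first sector of the outermost track
    (track 0) of surface 0; the last sector of surface 0 is n-1; surface k starts at k*n."""
    if not (0 <= surface < geo.heads and 0 <= track < geo.cylinders
            and 0 <= sector < geo.sectors_per_track):
        raise ValueError("address outside the disk geometry")
    return surface * geo.sectors_per_surface + track * geo.sectors_per_track + sector


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """CHS -> LBA as BIOS translation does it: cylinder is the slowest index,
    head the next, and CHS sector numbers are 1-based."""
    if not (0 <= c < geo.cylinders and 0 <= h < geo.heads
            and 1 <= s <= geo.sectors_per_track):
        raise ValueError("CHS tuple outside the disk geometry")
    return (c * geo.heads + h) * geo.sectors_per_track + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple[int, int, int]:
    """Inverse of chs_to_lba for the same geometry."""
    if not 0 <= lba < geo.total_sectors:
        raise ValueError("LBA beyond what this geometry can address")
    c, rem = divmod(lba, geo.heads * geo.sectors_per_track)
    h, s0 = divmod(rem, geo.sectors_per_track)
    return c, h, s0 + 1


# Two invented logical geometries of equal capacity (1,032,192 sectors each),
# standing in for two tools that translate the same physical disk differently.
GEO_A = Geometry(cylinders=1024, heads=16, sectors_per_track=63)
GEO_B = Geometry(cylinders=256, heads=64, sectors_per_track=63)


def views_of_sector(lba: int) -> dict[str, tuple[int, int, int]]:
    """The CHS triple each 'tool' would report for one and the same sector."""
    return {"A": lba_to_chs(GEO_A, lba), "B": lba_to_chs(GEO_B, lba)}


if __name__ == "__main__":
    n = GEO_A.sectors_per_surface
    print("n =", n, "last sector of surface 0:", surface_address(GEO_A, 0, 1023, 62))
    print("same LBA 100000 under two geometries:", views_of_sector(100000))
```

The practical lesson for an examiner is in `views_of_sector`: sector 100000 is reported as (99, 3, 20) under one geometry and (24, 51, 20) under the other, yet both triples translate back to the same LBA. When two tools disagree about a CHS location, compare LBAs before concluding that either tool is wrong.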

In summary, the file management software of the operating system maps filenames to disk (sector) addresses using information stored in what we call a filemap. It does so in a way which allows for the fact that file content will typically require many disk sectors and that these sectors will not necessarily be at contiguous locations on the disk. This noncontiguity or fragmentation is the natural outcome of dealing efficiently with the fact that files expand and contract dynamically. Sectors are relatively small; they are typically formatted to be 512 bytes in size (i.e., they can accommodate 512 bytes of information). As a result, when allocating or deallocating disk space on file expansion or contraction, it turns out to be more efficient to allocate and deallocate in larger units called clusters. A cluster consists of a fixed number of physically contiguous sectors. Cluster size is configuration dependent and has a significant effect both on performance (file access times) and on disk store utilization: a large cluster size favors performance, a small cluster size favors disk utilization. On average, given randomly distributed file sizes, only half of the last cluster of a file is used for bona fide data; the rest of the cluster is wasted. However, end-of-file over-run problems are avoided because the system information for a file includes the actual size of the file, excluding the waste at the end of the last cluster, and the operating system honors that size by not reading beyond it. Typical cluster sizes are 8 and 16 sectors.
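The cluster arithmetic and the two views of a file's last cluster, as an added example in Python (not code from the book). A filemap record is modeled as a list of cluster numbers in logical order; the disk image, the 10,000-byte file, its fragmented chain and the 0xAA residue standing in for earlier data are all constructed here. `read_file` returns what the operating system gives an application (clusters in filemap order, cut at the recorded size); `read_slack` returns the tail of the last cluster that the operating system never reads but a forensic tool can.

```python
"""Clusters, slack space and reassembly of a fragmented file from a filemap
record. Added example, not from the book: the disk image, the file content,
the cluster chain and the residue left in the slack are all constructed here."""
from __future__ import annotations

SECTOR = 512
SECTORS_PER_CLUSTER = 8                 # one of the typical sizes the text gives
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 4096 bytes


def clusters_needed(size: int, cluster: int = CLUSTER) -> int:
    """Whole clusters allocated for a file of `size` bytes (ceiling division)."""
    return -(-size // cluster)


def slack_bytes(size: int, cluster: int = CLUSTER) -> int:
    """Bytes in the last cluster beyond the true end of file: wasted space to
    the OS, potential evidence to an examiner."""
    return clusters_needed(size, cluster) * cluster - size


def write_file(image: bytearray, chain: list[int], data: bytes) -> None:
    """Store `data` in the clusters listed by the filemap record `chain`
    (logical order). Only the file's own bytes are written, so whatever was in
    the tail of the last cluster before allocation stays there."""
    if len(chain) != clusters_needed(len(data)):
        raise ValueError("chain length does not match the file size")
    for i, cl in enumerate(chain):
        piece = data[i * CLUSTER:(i + 1) * CLUSTER]
        image[cl * CLUSTER:cl * CLUSTER + len(piece)] = piece


def read_file(image: bytes, chain: list[int], size: int) -> bytes:
    """What the OS returns: clusters in filemap order, cut at the recorded size."""
    raw = b"".join(bytes(image[cl * CLUSTER:(cl + 1) * CLUSTER]) for cl in chain)
    return raw[:size]


def read_slack(image: bytes, chain: list[int], size: int) -> bytes:
    """What a forensic tool can read in addition: the unused tail of the last cluster."""
    if not chain:
        return b""
    used = size - (len(chain) - 1) * CLUSTER      # real bytes in the last cluster
    last = chain[-1] * CLUSTER
    return bytes(image[last + used:last + CLUSTER])


def build_example() -> tuple[bytearray, list[int], bytes]:
    """Constructed 8-cluster image pre-filled with 0xAA (stand-in for residue of
    earlier files), holding one 10,000-byte file in the fragmented chain 6, 2, 4."""
    image = bytearray(b"\xAA" * (8 * CLUSTER))
    data = (bytes(range(256)) * 40)[:10000]
    chain = [6, 2, 4]          # not in arithmetic order: the file is fragmented
    write_file(image, chain, data)
    return image, chain, data


if __name__ == "__main__":
    image, chain, data = build_example()
    print("clusters:", clusters_needed(len(data)), "slack bytes:", slack_bytes(len(data)))
    print("OS view intact:", read_file(image, chain, len(data)) == data)
    print("slack sample:", read_slack(image, chain, len(data))[:8].hex())
```

With 8-sector clusters the 10,000-byte file occupies three clusters and leaves 2,288 bytes of slack; with 16-sector clusters it occupies two clusters and leaves 6,384 bytes, which is the utilization cost of larger clusters that the text describes. Note also that `read_file` reassembles the file correctly only because the chain is followed in filemap order; reading clusters 2, 4, 6 in arithmetic order would scramble it.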

The filemap is itself stored on the disk, at a known fixed sector address, usually near the start of the disk. Furthermore, a physical disk may be subdivided into a number of separate logical disks called partitions, each of which can then accommodate a distinct file system and each of which has its own filemap situated at the start of that partition. For instance, a single physical disk may comprise two partitions, one formatted for a File Allocation Table (FAT) file system, the other for a New Technology File System (NTFS); this allows the user to use both file systems from a single platform. (FAT and NTFS are discussed further later.) Information listing the number, type, and size of the partitions on the disk is usually stored in the first sector(s) of the physical disk. A physical disk may have just a single partition, which is commonly the case, or it may have several. Note that disk partitions may be configured so as not to cover the entire disk, thereby providing a potential hiding place for data in the sectors between partitions and in any others the partitions leave uncovered.
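Reading the partition information in the first sector and locating the uncovered sectors, as an added example in Python (not code from the book). The layout parsed is the classic DOS/MBR table, which the book does not name but which is the one FAT and NTFS disks of this kind carry: four 16-byte entries at byte offset 446 and the signature 0x55AA at offset 510; GPT-partitioned disks use a different structure. The 512-byte sector, the disk size of 204,800 sectors and the type-code names are constructed for illustration.

```python
"""Parse the partition table in sector 0 of a disk and report the sectors that
no partition covers. Added example, not from the book: the 512-byte sector is
constructed, and the layout parsed is the classic DOS/MBR table (four 16-byte
entries at byte offset 446, signature 0x55AA at offset 510); GPT disks differ."""
from __future__ import annotations
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")
# Common type codes (assumed as illustration, not an exhaustive list)
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)"}


@dataclass(frozen=True)
class Partition:
    slot: int
    type_code: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:           # last sector, inclusive
        return self.start_lba + self.sectors - 1

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_code, f"unknown (0x{self.type_code:02X})")


def is_mbr(sector: bytes) -> bool:
    """A full sector carrying the 0x55AA signature in its last two bytes."""
    return len(sector) >= SECTOR and sector[510:512] == b"\x55\xAA"


def parse_mbr(sector: bytes) -> list[Partition]:
    """Return the non-empty partition entries; reject a sector without the signature."""
    if not is_mbr(sector):
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for slot in range(4):
        _status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(
            sector, TABLE_OFFSET + slot * ENTRY.size)
        if ptype == 0 or count == 0:
            continue                    # unused slot
        parts.append(Partition(slot, ptype, lba, count))
    return parts


def unallocated_ranges(parts: list[Partition], disk_sectors: int) -> list[tuple[int, int]]:
    """Inclusive sector ranges after the MBR that no partition claims. Every
    such gap is invisible to the file systems and is where the text warns
    data may be hidden."""
    gaps = []
    cursor = 1                          # sector 0 holds the table itself
    for p in sorted(parts, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - 1))
        cursor = max(cursor, p.end_lba + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def _entry(ptype: int, start: int, count: int) -> bytes:
    # CHS fields zeroed: the LBA fields are what we read
    return ENTRY.pack(0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)


def constructed_mbr() -> bytes:
    """Invented 204,800-sector disk: FAT32 at 2048..102399, NTFS at 110000..200000,
    leaving gaps before, between and after the partitions."""
    table = _entry(0x0C, 2048, 100352) + _entry(0x07, 110000, 90001) + bytes(32)
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


if __name__ == "__main__":
    parts = parse_mbr(constructed_mbr())
    for p in parts:
        print(f"slot {p.slot}: {p.type_name} sectors {p.start_lba}-{p.end_lba}")
    for lo, hi in unallocated_ranges(parts, 204800):
        print(f"unallocated: {lo}-{hi} ({(hi - lo + 1) * SECTOR} bytes)")
```

On the constructed disk the table accounts for two file systems but leaves three ranges unclaimed: sectors 1 to 2047 ahead of the first partition, 102400 to 109999 between the two, and 200001 to 204799 at the end. None of those sectors belongs to any filemap, so an image of the whole physical disk, not just of its partitions, is what an examiner needs in order to inspect them.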

In UNIX and UNIX-like systems, the role of the filemap is fulfilled by the index node list (i-list). Microsoft Windows systems support a number of different file management systems including both FAT and NTFS. In the case of FAT file systems, it is the FAT that fulfils the function of the filemap while in the case of NTFS file systems, it is the Master File Table (MFT) which does so. As an aside, it is worth noting that the directories or folders maintained by a user in order to keep related files together are essentially just data files, which contain the names of those related files. Therefore, directories or folders are treated for the most part just like any other regular application file or data file, and the information contained in a directory or folder simply comprises the names of application data files and subdirectories or subfolders.

2.2.3 Disk and file imaging and analysis
