Friday, June 5, 2015

Working with media - Sectors

Sectors are the smallest unit of storage on a hard drive and typically is 512 bytes (active-undelete.com, n.d.). However, manufacturers of newer hard drive have started moving to disks with sector size of 4096 bytes (4K). These are considered more efficient (seagate.com, n.d.).  Sectors can be read from or written to in any order as this is a random process. However, the bytes within each sector is ordered sequentially (sawdust, 2012). 

In the example below, we have a drive which shows a sector starting at offset x15470000 and another starting at offset x15470200. I’ve also created a file which is less than 512 bytes (actually it is about 317 bytes) which should fit within one sector. However, as can be seen this file actually starts at offset x15470160 and spans two sectors. While the writing did not start at the beginning of any sector it is instead contiguous across the two sectors.




On a computer running Microsoft Windows, one can use either fsutil (technet.microsoft.com, 2012) or chkdsk (microsoft.com, n.d.) to see the sector information.


On a computer running Linux you can use “fdisk” utility to see your sector size
   


Hope you find this information helpful and please see the other posts in this series for additional information on working with media

Reference:
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/chkdsk.mspx?mfr=true
http://superuser.com/questions/432318/what-are-disk-sectors-for
http://www.seagate.com/ca/en/tech-insights/advanced-format-4k-sector-hard-drives-master-ti/
https://technet.microsoft.com/en-us/library/cc788080.aspx

In this series
Working with media - Unallocated Space
Working with media - Allocated Space
Working with media - Partitioning
Working with media - Sectors
Working with media - Clusters
Working with media - Slack Space
Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)
Forensic Imaging and their Formats - Encase Image (E01)

Forensic Imaging and their Formats - DD (raw)

No comments:

Post a Comment