Partitions

Mass storage devices are usually divided into several parts. Originally, this separation was done in order to increase performance for types of files that needed to be accessed frequently for reading and writing. Over time, the separation of a disk into logical units was continued for the purpose of isolating different uses of data from one another. To understand this evolution, we must consider how data were originally stored on mechanical hard drives compared to the way data are stored today.

Addressing Data on Hard Disks

Hard disks were developed as a type of internal magnetic storage that promised to offer much larger capacities than were available on floppy disks. Hard disks consist of a stack of metal or metal-coated platters that revolve at high speed. As the stack of platters turns, a stack of drive heads moves in and out among the platters, reading and writing data by altering the magnetism on the surface of the platter.

For efficiency reasons, disks are designed to read and write data in chunks, instead of in individual bytes. These chunks are called sectors, and the historical canonical size of a single sector is 512 bytes. Modern storage devices have improved efficiency by increasing this sector size, and 4 KiB (4,096 bytes) is common as of late 2020.

Figure 1: Illustration of a single track on the surface of a hard disk platter. In reality, the width of the track is so small that it cannot easily be seen with the naked eye.

The sectors inside the drive are laid out on the platters in circular rings, known as tracks (Figure 1). Tracks are normally found on both sides of each platter, and each track is located so that the track on one side of the platter lines up with the track on the opposite side. All the tracks on the other platters line up with the same tracks on the first platter. This configuration allows a single moving armature mechanism to hold all the drive heads, which move in and out together, staying aligned vertically.[1]

When the tracks on all sides of all platters are stacked and aligned vertically, they form a cylinder within the drive. Since each drive head moves in unison with the others, the drive is only capable of moving the stack of heads to particular offsets from the outer edge of the platters. At each of these offsets, all the drive heads will be positioned above or below the corresponding tracks on the platters. Conceptually, the drive looks like a bunch of concentric cylinders nested inside one another, as crudely illustrated in Figure 2.

Figure 2: Crude diagram illustrating the concept of a cylinder on a hard disk. The stack of drive heads on the left moves back and forth in unison. When it lands on the inner outlined cylinder, each drive head can access data on the corresponding track on each side of each platter.

Originally, reading or writing a sector on a hard disk required the operating system to specify the address in 3 parts, giving the cylinder, head, and sector (CHS) where the sector could be found. The cylinder address would move the drive heads in or out across the platter, aligning them with the corresponding tracks on each platter. Once the drive head armature had moved to the desired cylinder, the head number would specify which of the drive heads was to perform the operation, thereby selecting a single track. Finally, the drive would have to wait for the correct sector to rotate under the selected drive head, permitting the data access to occur.

CHS addressing was originally designed during an era of relatively small hard drives by today’s standards. As the size of drives grew, the addressing scheme approached its limits. A more general solution was developed, called logical block addressing (LBA). Instead of exposing the actual geometry of the disk to the outside world, controllers were added to the disk drives. Each controller contains firmware that translates from an abstract block address into the underlying geometry of the drive. Modern operating systems generally support 64-bit LBA addresses, which can support disks up to 8 ZiB in size using 512-byte blocks.

Modern mass storage devices use LBA, although the native block sizes might vary. LBA has the advantage of hiding the details of the storage device from the computer and operating system, meaning that it can be used with hard drives, solid state drives, and other types of block storage.

Partitions

In the old days, with relatively slow processors, even slower drives, and minimal cache sizes, there was a performance benefit for files that were stored near the outside edge of the drive. Since the stack of disk platters rotates at a fixed angular speed (in revolutions per minute, or RPM), the sectors on the outer edge of the disk platter move past the drive heads more quickly than do the sectors along the inner edge of the platter. This speed difference results from the fact that the circumference of the outside edge of the platter is larger than the inside edge.

Since certain types of files would benefit from extra speed, it was quickly realized that these files should be placed near the outer edge of the drive. A single file can be fragmented over several sectors, and these sectors can be spread out over more than one track, so performance is also helped by minimizing the distance the drive heads have to travel when changing tracks. For these reasons, disks were partitioned into logical, independent pieces (Figure 3). Files requiring high performance were placed near the outer edge of the drive, while files that were appropriate for slower accesses were placed near the inside edge.

Figure 3: Diagram illustrating how partitions used to be used for separating data by access speed. Today, one would just buy an SSD instead.

Today, we aren’t as concerned with the speed difference between the inside edge of the disk platter and the outside edge. Hard disks are so much slower than modern processors and memory that this tiny speed difference is usually not particularly important. Furthermore, great speed increases can be realized by simply replacing the hard disk drive with a solid state drive.

We still use partitions, but the reason for doing so today is to isolate different uses of different parts of a drive. For example, we can put the operating system files in one partition and put user data into another partition. This way, if the user fills up the data partition, the operating system will not run out of space to store software updates, log files, or similar data. We can also have other partitions for uses like system recovery or swap space. Partitioning provides a way for a single device to be used for multiple purposes with isolation between the different areas.

Partition Tables

Partitions on storage devices are normally defined by software and not by the underlying hardware. It is therefore necessary to store the starting and ending locations on the drive itself, using well-known logical block locations. The data structure used for this purpose is called the partition table. There are actually quite a few different types of partition table, and it is possible for an operating system designer to create a completely custom table for a system. However, two standard formats are widely in use and are most likely to be encountered in a forensic examination: DOS and GPT.

The DOS partition table is an old partitioning system that is still widely supported. With this type of partition table, the first sector (or the first 512 bytes of a larger sector) of the device contains a piece of data called the master boot record (MBR). This master boot record contains two major parts: some boot code to help load and start the operating system when the computer is first turned on, and the partition table that specifies where the partitions start and stop.

In a DOS partition table, the legacy CHS addressing scheme is used. Due to the limitations of this addressing scheme, the maximum supported partition size is 2 TiB. We now have storage devices that are larger than this limit. Using a DOS partition table on such devices would limit the usable space on the drive to the first 2 TiB. In addition, the relatively small size of the DOS partition table means that it can support a maximum of 4 primary partitions. Some hacks, such as extended partitions and logical drives, have been added over the years, but this type of partition table is rapidly becoming obsolete.

For newer (and especially larger) devices, the GUID Partition Table (GPT) is recommended. This type of table supports large partitions up to 8 ZiB in size, which is substantially larger than any currently available storage device. A protective MBR is placed at the beginning of the hard drive to prevent old partitioning tools from seeing the drive as empty. Unlike the DOS partition table, which was only stored in the MBR at the beginning of the device, GPT stores two copies of the table: one at the beginning and one at the end. This approach provides some redundancy to prevent data loss if one of the tables is damaged or erased.

Hidden Data

It is not strictly necessary to have a partition table or to have a storage device partitioned into multiple pieces. With low-level access to the storage device itself, it is possible to write data to it directly. A partitioning tool, or a forensic tool that is expecting to find a partition table, might see the drive as empty or unused. However, evidence could be present.

User data might also be hidden in unallocated space that may be present on the storage device. When adding partitions to a storage device, it is possible to leave parts of the device out of the partition table entirely. While this unallocated space would not be visible as part of a drive on the system, a user could still employ special tools or techniques to store data there.

Finally, although a partition might appear to be used for a specific purpose, it is possible for the flags and other metadata that describe the use of the partition to be set in a deceptive manner. For example, a partition might be marked as a recovery partition that is used for reinstallation of the operating system. However, evidence might be hidden in that partition.
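The following is an added example, not part of the original lecture notes, showing how an examiner's script could read the DOS partition table described under Partition Tables and list the sector ranges that no partition claims, as discussed under Hidden Data. It relies on the standard MBR layout (four 16-byte entries at byte offset 446, boot signature 0x55AA at offset 510, 32-bit LBA start and sector-count fields after the legacy CHS fields). The function names, the constructed sample sector, the 512-byte sector size, and the restriction to primary entries are assumptions of the example.

```python
import struct

SECTOR = 512  # assumed logical sector size for this example

def parse_mbr(sector0: bytes):
    """Return the non-empty primary entries of a DOS partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None  # no boot signature: no DOS table (raw data may still exist)
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i : 462 + 16 * i]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0 and count != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "start": start, "count": count})
    return entries

def unallocated(entries, total_sectors):
    """Sector ranges (first, last) outside every partition; sector 0 is the MBR."""
    gaps, cursor = [], 1
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["start"] + e["count"])  # tolerates overlaps
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_sample_mbr():
    """Constructed sector 0: two partitions with space left between and after."""
    table = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 100000)    # Linux, bootable
    table += struct.pack("<B3xB3xII", 0x00, 0x27, 204800, 50000)  # hidden/recovery type
    table += bytes(32)                                             # two empty slots
    return bytes(446) + table + b"\x55\xaa"

def examine(sector0, total_sectors):
    entries = parse_mbr(sector0)
    if entries is None:
        return "no DOS partition table; examine the raw device", []
    if any(e["type"] == 0xEE for e in entries):
        return "protective MBR; partitions are defined by GPT", []
    return "DOS partition table", unallocated(entries, total_sectors)

if __name__ == "__main__":
    kind, gaps = examine(build_sample_mbr(), 300000)
    print(kind)
    for first, last in gaps:
        print(f"unallocated sectors {first}-{last} ({(last - first + 1) * SECTOR} bytes)")
```

The partition type byte is only a label set by whoever wrote the table, so the entry marked with a recovery type still needs its contents examined, and each reported gap should be read from the raw device rather than assumed empty.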

Notes


  1. There are some enterprise-grade hard disks with the ability to move heads independently as a performance-improving feature. However, the performance of such drives would normally still be less than that of an SSD. 

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.