Understand Disk Drives (HDD & SSD)

 

Different Types of Disk Drives and their Characteristics.

While investigating cybercrime, it is important for the investigators to understand the structure and workings of a disk drive, as these are the major sources of data storage. Attackers generally hide their tracks to evade detection after committing a crime. Hence, analyzing the hard disks is an important aspect of cybercrime investigation. This section discusses various aspects of HDDs, SSDs, and the disk interfaces.

 

Hard Disk Drive (HDD)

  • The HDD is a non-volatile, random access digital data storage device used in any laptop, DVR and computer system.
  • Reads and writes data using a disk mechanism.
  • Stores data magnetically.

Solid-state Drive (SSD)

  • The SSD is a data storage device that uses solid-state memory to store data and provides access to the stored data in the same manner as HDD.
  • SSD uses microchips to hold data in non-volatile memory chips and does not contain any moving parts.
  • It is very expensive per gigabyte (GB).
  • It uses two memories:
    • NAND-based flash memory: It retains memory even without power. 
    • Volatile RAM: It provides faster access.

Physical Structure of a hard Disk

The components of a Hard Disk Drive:

  • Platters: Hard disk drives consist of one or more spinning disks known as platters. These platters are typically made of aluminum or glass and are coated with a magnetic material. Data is stored on these platters in the form of magnetic patterns.
  • Read/write heads: Above each platter, there are read/write heads attached to an actuator arm. These heads read and write data to the platters by changing the magnetic orientation of tiny areas on the surface of the platters.
  • Actuator arm: The actuator arm is responsible for positioning the read/write heads over the correct track on the platters. This arm moves rapidly to access different areas of the disk as needed.
  • Cylinders, tracks, and sectors: Data on an Hard Disk is organized into concentric circles called tracks, which are further divided into sectors. The combination of all tracks with the same diameter on all platters is referred to as a cylinder. This organization allows for efficient data storage and retrieval.
  • Spindle motor: The platters are mounted on a spindle, which is rotated by the spindle motor. The speed at which these platters spin is measured in RPM, with common speeds being 5,400 RPM and 7,200 RPM.
  • Controller and firmware: The Hard disk has a built-in controller and firmware that manages data reading, writing, error correction, and other operations. The firmware also handles various features like power management and bad sector management.
  • Cache:  Many modern Hard Disk Drives have a small amount of high-speed cache (RAM) to temporarily store frequently accessed data. This helps improve overall reading and writing performance.
  • Interface:  Hard Disk Drives connect to a computer’s motherboard through various interfaces, with serial advanced technology attachment (SATA) and serial attached SCSI (SAS) being common for traditional Hard Drives.

Hard Disk Interfaces

Here’s an overview of common disk interfaces, along with images to illustrate them:

  1. Parallel ATA (Advanced Technology Attachment) (PATA):
    • PATA is also known as IDE (Integrated Drive Electronics).
    • Older interface standard for connecting Hard Drives and optical drives.
    • Wide, flat ribbon cable with 40-pin connectors.
    • Limited data transfer rates (up to 130 MB/s).
    • Female type connector  
  1. Serial ATA (SATA):
    • Modern standard for connecting HDDs, SSDs, and optical drives.
    • Slimmer, 7-pin cable with faster transfer rates (up to 600 MB/s).
    • Hot-swappable (drives can be connected or disconnected while the computer is running).
    • Female type connector
  1. Small Computer System Interface (SCSI):
    • High-performance interface is often used in servers and workstations.
    • Supports multiple devices on a single bus.
    • 50-80 pins
    • Data transfer Speed up to 310 MB/s
  1. Serial Attached SCSI (SAS):
    • Evolution of SCSI, using serial technology for faster speeds and reliability.
    • Compatible with SATA drives, but SAS drives cannot be used on a SATA interface.
    • 29 pin cable with faster speed up to 12 Gbps.
  1. Fiber Channel:
    • High-speed network technology is often used in storage area networks.
    • Supports long-distance connections and high-performance data transfer.
    • Primarily used in enterprise-level storage environments.
    • Male type connector with 2-16 pins cable with faster speed up to 128 Gbps
  1. NVMe (Non-Volatile Memory Express):
    • High-speed interface designed specifically for SSDs connected via the PCIe bus.
    • Offers fast transfer rates (up to 30 GB/s) and low latency.
    • Becoming popular for high-performance computing and gaming systems.
  1. USB (Universal Serial Bus):
    • Versatile interface for connecting various devices like external hard drives and optical drives.
    • Data transfer rates vary depending on the USB version (USB 3.0 offers up to 5 Gbps).
  1. Thunderbolt:
    • High-speed interface developed by Intel and Apple.
    • Combines PCIe and DisplayPort technologies, offering fast data transfer and video output over a single cable.
    • Used for connecting external drives, displays, and other peripherals.

Tracks

  • Tracks are concentric circles on platters where all the information/data is stored.
  • Drive head can access these circular rings in one position at a time.
  • Tracks are numbered for identification purposes.
  • Read-write is done by rolling headers from inner to outermost part of the disk.

Track Numbering

  • Track numbering on a hard disk begins at 0 from the outer edge and moves towards the center, typically reaching a value of 1023.
  • The read/write heads on both surfaces of a platter are tightly packed and locked together on an assembly of head arms.
  • The arms move in and out together to physically locate all heads at the same track number.
  • Therefore, a track location is often referred to by a cylinder number rather than a track number0
  • A cylinder is a group of all tracks that start at the same head position on the disk.

Sector

  • Sectors: Smallest storage units on a hard drive.
  • Size: Typically, 512 bytes each, plus extra for control and error correction.
  • Location: Each sector has a unique physical address.
  • Best storage: Files ideally stored in consecutive sectors.
  • Example: A 600-byte file needs two 512-byte sectors.

 

Advanced Format: Sectors

  • New hard drives use 4096 byte (4 KB or 4K) advanced format sectors.
  • Generation-one Advanced Format, also called 4K sector technology, efficiently uses the storage surface media of a disk efficiently by merging eight 512-byte sectors into one single sector (4096 bytes or 4K).
  • After merging, the structure of the 4K sector does not disturb the key design elements of the traditional 512-byte sector.

Clusters

  • A cluster is the smallest logical storage unit on a hard disk. It is a set of track sectors, ranging from 2 to 32 or more, depending on the formatting scheme in use.
  • The file system divides the storage on a disk volume into discreet chunks of data for efficient disk usage and performance. These chunks are called clusters.
  • The process by which files are allocated to clusters is called allocation, so clusters are also known as allocation units.
  • In the File Allocation Table (FAT) file system, the clusters linked with a file keep track of file data in the hard disk’s file allocation table

Cluster Size

  • Cluster sizing has a significant impact on the performance of an operating system and disk utilization.
  • The size of a cluster depends on the size of the disk partition and type of file system installed on the hard drive.
  • Larger cluster size (greater than one sector):
  • Minimizes the fragmentation problem
  • Increases the probability of unused space in the cluster
  • Reduces disk storage area to save information
  • Reduces the unused area on the disk

Slack Space

  • Slack space is the area of a disk cluster between the end of the file and the end of the cluster
  • If the file size is less than the cluster size, still a full cluster is assigned to that file. The remaining space remains unused and is called slack space.

For example, if the partition size is 4 GB, each cluster will be 32 KB. Even if a file requires only 10 KB, the entire 32 KB will be allocated to that file, resulting in 22 KB of slack space

Lost Clusters

  • When the operating system marks clusters, as used, but does not allocate them to any file, such clusters are known as lost clusters.
  • A lost cluster is a FAT file system error that results from in what manner the FAT file system allocates space and chains files together.
  • It is mainly the result of a logical structure error and not a physical disk error.
  • They usually occur because of interrupted file activities such as, ‘the file is not correctly completed and closed’ thus, the clusters have involved never linked correctly to a file.
  • CHKDSK is a system tool in Windows, that authenticates the file system reliability of a volume and repairs logical file system errors.

Bad Sectors

  • Bad sector is a damaged portion of a disk on which no read/write operation can be performed
  • Formatting a disk enables the operating system to identify unusable sectors and mark them as bad
  • Bad sectors are formed due to configuration problems or any physical disturbances to the disk
  • If data is in a sector that becomes bad, then it might not be recoverable Data can be recovered using software tools such as Chkdsk

Understanding Bit, Nibble and Byte

BitIt is the smallest unit of data stored in a computer and is represented as a binary value, either 1 (true) or 0 (false).

Nibble: It is a group of 4 bits and is half the size of a Byte

Byte:

  • It is a group of 8 bits and twice the size of a Nibble.
  • One single character typed from a keyboard takes one byte of storage.

Measuring the Hard Disk Performance

  • Data is stored on the hard disk in the form of files.
  • When the running program requests the file, hard disk recovers the byte content of the file and sends them to the CPU one at a time for further processing.
  • Hard disk performance is measured by these factors:
  • Data rate: It is a ratio of the number of bytes per second that hard disk sends to the CPU
  • Seek time: It is the amount of time required to send the first byte of the file to the CPU, when it requests the file.

Disk Partitions

The HDD partitioning is the creation of logical divisions upon a hard disk that allows user to apply operating system-specific logical formatting

  • Primary Partition: It is a drive that holds the information regarding operating system, system area, and other information required for booting in MS-DOS and earlier versions of Microsoft Windows systems, the first partition (C:) must be a “primary partition”.
  • Extended Partition: It is the logical drive that holds the information regarding stored data and files in the disk.

Master Boot Record (MBR)

  • A master boot record is the first sector (“sector zero”) of a data storage device, such as a hard disk.
  • The information regarding the files on the disk, their location, size, and other important data is stored in the MBR file.
  • MBR is used for:
  • Holding a partition table which refers to the partitions of a hard disk
  • The process of loading the basic components of an operating system into a computer’s memory after it’s turned on.

 

Globally Unique Identifier (GUID)

  • Global Unique Identifier (GUID) is a 128-bit unique reference number used as an identifier in computer software.
  • Generally, GUIDs are displayed as 32 hexadecimal digits with groups separated by hyphens.

GUID Partition Table (GPT)

  • Unified Extensible Firmware Interface (UEFI) replaces legacy BIOS firmware interfaces
  • UEFI is a specification that defines a software interface between an OS and platform firmware
  • It uses a partition system known as GUID Partition Table (GPT) that replaces the traditional MBR

Advantages of GPT disk layout:

  • Supports up to 128 partitions.
  • Supports maximum partition size from 2 Tebibyte (TiB) to 8 Zebibyte (ZiB)
  • Provides primary and backup partition tables for redundancy

Understanding Solid-State Drive (SSD)

 A Solid-State Drive is a non-volatile storage device that implements solid-state memory technology to store data. SSDs use the following two types of memory:

 

NAND-based SSDs: These SSDs use solid-state NAND memory microchips to store data. NAND memory is non-volatile in nature and retains memory even without power. It does not need any moving parts. NAND memory was created to reduce the cost per bit of data storage. However, it is still more expensive than optical memory (CDs & DVDs) and HDDs. NAND-based memory is widely used today in mobile devices, most digital devices, etc. It can use the following types of NAND flash memory:

o Single-level cell (SLC): It provides higher durability and performance but is more expensive and stores the least amount of data per chip.

o Multi-level cell (MLC): It provides a good balance of cost, storage capacity, and performance.

o Triple-level cell (TLC): It provides higher capacity but has bit lower durability and performance as compared to SLC or MLC.

o Quad-level cell (QLC): It provides higher capacity but may have reduced lifespan and slightly lower performance.

o Volatile RAM-based SSDs: SSDs based on volatile memory such as dynamic RAM (DRAM) are used when applications require quick data access. These SSDs include backup power source, as well as backup storage. Data resides in the DRAM during data access and is stored in the backup storage in case of any power failure.

 

Components of SSD

  1. NAND flash memory: It is the main data storage where all your files, programs, and operating systems are stored. It uses non-volatile storage technology to store data.
  2. Controller: It is a powerful processor that acts as a bridge between the NAND flash memory components and the system by executing firmware-level software.
  3. DRAM: It is a volatile memory and requires power to retain data. DRAM is like a short-term memory boost for the SSD, making it even faster at read/write performance.
  4. Host interface: This is how the SSD connects to our computer. It’s the physical connection and the communication standard used based on performance requirements, where various host interfaces are used in SSDs. Commonly used SSD host interfaces include SATA, peripheral component interconnect express (PCIe), and SCSI.
  5. Power Port: This is the connector where the SSD receives electrical power.
  6. SSD PCB: This refers to the printed circuit board that houses all the components of the SSD.

Advantages of SSD

The three major advantages of SSD over magnetic hard drives are as follows:

▪ Faster booting and data access

▪ Lower power usage

▪ Trim support to optimize the overall performance


reference

1. Ec-Council CHFI Ebook