Difference between pages "Advanced Format" and "1-Page Report"

From ForensicsWiki
(Difference between pages)
(Created page with '=The Technology= Hard drive manufacturers have moved to a new standard: 4KB (4,096 bytes) sectors, replacing 512B sectors. This is a good thing; it means that the signal-to-noise…')
 
(Created page with "The idea of a 1-Page Forensics Report is to have a single page that conveys information about a piece of media, a network capture, or a file. ==Disk Forensics 1-Page Report==...")
 
Line 1: Line 1:
=The Technology=
+
The idea of a 1-Page Forensics Report is to have a single page that conveys information about a piece of media, a network capture, or a file.
Hard drive manufacturers have moved to a new standard: 4KB (4,096 bytes) sectors, replacing 512B sectors. This is a good thing; it means that the signal-to-noise ratio improves, and less space is needed for error correction. Long-term improvements in speed, density, and overall capacity. Western Digital has started releasing drives with 4KB sectors under the name "Advanced Format" (not to be confused with the [[Advanced Forensic Format]]).
+
  
=The Problem: Death of LBA 63=
+
==Disk Forensics 1-Page Report==
Operating systems written before the transition, particularly XP, have trouble with the new drives. XP makes an assumption about where the format should start (LBA 63), but this doesn't work well with the translation software that maps from logical 512B blocks to physical 4K blocks.
+
Thoughts about what should go on the report:
 
+
* OS Release, Version and Patch Level
The nutshell is that XP should not be used to format these drives, and some assumptions made by tools and users need to be corrected.
+
* Kernel Release
 
+
* Language
=The Solution=
+
* Distribution
 
+
* Last Boot
=Links=
+
* Installation Date
[http://www.anandtech.com/storage/showdoc.aspx?i=3691 A Good Overview at AnandTech]
+
* Per-user information --- how many users? When was each logged on last
 +
* IP addresses assigned.
 +
* DHCP information
 +
* ISPs that were in use
 +
* DNS information
 +
* Where the connections came from

Revision as of 10:09, 18 July 2013

The idea of a 1-Page Forensics Report is to have a single page that conveys information about a piece of media, a network capture, or a file.

Disk Forensics 1-Page Report

Thoughts about what should go on the report:

  • OS Release, Version and Patch Level
  • Kernel Release
  • Language
  • Distribution
  • Last Boot
  • Installation Date
  • Per-user information: how many users? When was each last logged on?
  • IP addresses assigned
  • DHCP information
  • ISPs that were in use
  • DNS information
  • Where the connections came from