4096 byte sector drives, NTFS and forensic tools
24 May 2012
- Created on Friday, 25 May 2012 22:34
One of the topics that came up during Kevin Ripa's DFIROnline presentation was the concept of 4k sectors, or really sectors larger than 512 bytes. I have been aware of these
for a few years, as far as I am aware Western Digital started using them on their 1TB drives around 2009.
At this time we were buying these drives by the box load and they were our main case working drives. Our main analysis OS was windows XP, which uses the MBR and by default creates the first partition at sector 63. This creates performance issues with 4k sector drives, as while they use 4k sectors internally they use logical translation in the firmware to present 512byte sectors to the operating systems. With a partition starting at sector 63 this means that the clusters are not aligned with the drive sectors resulting in at least twice as many reads and writes as necessary.
However I had not really thought about all this from a forensic perspective until Adam posted a MFT carver and started asking questions on the win4n6 mailing list about 4k sectors and their impact on the MFT. I checked the large drive on my system (which is using 1TB WD caviar blacks) and sure enough I had 4k sectors. I then checked the MFT and found it was using 4k File Record Segments.
My theory at the time was that the file record segment would match the sector size if the sector was 1024 or over. This was sort of confirmed by Troy, one of the other win4n6 folk. Troy also pointed out that Microsoft have reported that they are not yet supporting 4k sectors, as mentioned in this blog post from the Microsoft storage team.
This of course got my interest up, as I had a drive clearly reporting 4k sectors, as did Adam. Upon rebooting my system I realized/remembered that I was in fact using a Highpoint Rocket RAID,not connecting directly to the drive (why I did not notice this in windows I don't know). So I copied everything off the RAID, wiped the three 1TB drives and then configured a new RAID, at which point I found that the controller will let you set the sector size from 512, 1024, 2048, 3072 or 4096 bytes (hows that for cool?). I then created a 2TB RAID using 4k sectors. This was then formatted as NTFS on this was on Windows 7 pro SP1. I confirmed once again that the MFT file record segments were 4k in size. By default it still used a 4k cluster size, so there goes file slack space! The picture below shows the BPB of the partition. The key values are Bytes/Sector (0x0100 or 4096), sectors per cluster (1) and Clusters per file record segment (1).
Now the interesting part, what tools can handle a disk using 4k sectors?
x-ways 16.1 SR-3 has no problem
FTK imager 188.8.131.524 will mount the drive or image, but does not recognize any file system.*
Encase 6.19.4 & 6.16.2 crash when it starts processing the MFT, apparently encase 7 works*
SIFT 2.13 will mount it and show/access files correctly, although mmls appears to be hard coded to report 512 sectors, so the offsets it provides for the start of the partition are wrong.
analyzeMFT 1.7 does not support it. Adam pointed out the following comment in the code:
# 1024 is valid for current version of Windows but should really get this value from somewhere and David Kovar has confirmed that he was aware of this a potential issue.
I have not had the time to test anything else, so I figured I would put the test image out there for everyone to play with. If you have the time please download the test image, try it out in your favourite tools and post your results in the comments. You can download it here: https://docs.google.com/open?id=0BxubffSxLhRkU21ybXNsQ1pNTk0. Since the RAID were pretty much all 0x00 once acquired it compresses down to 2GB.
In the meantime I have investigated a few hard drive spec sheets and have not found any individual drives that are using 4096 byte sectors yet. In mycase it was the RAID card and in Adam's case it was the controller in the WD my book. So I guess you would have to be unlucky to run across this in the field, but it is something to be aware of. If you do know of any drives using 4k sectors please let me know. Even if you do run across one you should still be able to acquire it (as long as you are not using encase) and then get a copy of x-ways or SIFT for the analysis ;-).
* I have contacted both Guidance and AccessData, the inital response from AccessData is that they cannot reproduce the problem and will look into it. The thread on the Guidance forums can be found here:https://support.guidancesoftware.com/forum/showthread.php?p=176615#post176615 at this point they have not responded, but I imagine they may have been a little distracted with CEIC last week....
On 27 May 2012 versions of all software tested were added.