Project 3 - Disk Structure Analysis

Part "B" - Your Own Floppy Image

Due Date

Available online: Thursday November 12, 2009
Due date via web page upload: 10h00 AM on Thursday November 26, 2009
Upload your answers using the Web page upload.

Synopsis

This Project has you use DOS DEBUG to analyze the structure of a specially-formatted FAT12-style diskette. You are to locate some deleted subdirectories and files, trace their location on disk, and ultimately find the contents of the first data block of a deleted file located inside a deleted subdirectory.

Preparation - VMware Test

You should have completed the VMware Test before continuing. Contact your instructor if the above VMware test does not work. Don't wait until the day before the project is due.

Preparation - Download your Disk Image

  1. If you haven't already done so, exit all programs under Windows95 and use the Windows95 START button to shut down Windows95 and close VMware.
  2. Download from your Blackboard Digital DropBox your personal floppy diskette image with name template abcd0001.img (where abcd0001 is your userid) that has been specially formatted for you. Your disk image is custom-made uniquely for you; you cannot share it (or your answers) with your classmates. Every disk is different.
  3. Write protect the disk file after you download it and before you begin your analysis. Since you are analyzing deleted file structures, anything you write to this diskette will over-write and damage the information for which you are looking. If you do write on your disk file, you will spend hours trying to find files that are no longer there. You will have to re-download a fresh copy of the disk image and start over.
  4. Move or copy your downloaded diskette image into the VMware Project3 directory containing the other VMware files. Rename the existing disk image file dat2343.img to be dat2343.bak and then copy or rename your downloaded diskette image to be dat2343.img. Your downloaded diskette image must be named dat2343.img in the VMware Project3 directory, along with all the other VMware files.
  5. Start your Windows95 virtual machine by using VMware to open the *.vmx file in the Project3 directory and then choosing "Power On" in the VMware menus. Wait until you see the Windows95 desktop appear. (In College labs, this can take several minutes.)
  6. Once Windows95 has fully booted, inside the Windows95 virtual machine, use the Shortcut to Floppy A desktop icon to open up a window showing the contents of your floppy disk image inside Windows95. Two files will be visible on the disk.
  7. Open the Readme.txt file. (If you double-click on the name, Notepad will open it.) In that file you should see a line saying that this disk image is built for your Algonquin userid and lines telling you your Personal Disk Code and the Windows Long Names of the deleted directory and of the deleted file inside that deleted directory that you must search for. Remember your 11-digit Personal Disk Code and these two names. You will need them later. Close Notepad.
  8. Inside the Windows95 virtual machine, use the MS-DOS desktop icon to open up an MS-DOS terminal window inside Windows95. Use the DOS "MORE" command to display the contents of the README.TXT file on your "A:" virtual diskette: "more a:\readme.txt". You should see the same information as you saw in Notepad.

Project Steps

Course Notes References

Summary

This is a brief summary of the steps that follow:

Keep a record of all formulas used and calculations done!

Detailed Instructions

  1. Write protect your disk. This is extremely important. No extensions are granted for overwritten disks. Keep a record of all formulas used and calculations done!
  2. In an MS-DOS terminal window under Windows95, use DOS DEBUG to load a copy of the boot sector from your virtual floppy disk into memory. Display at least 64 bytes of the loaded sector.
  3. Confirm that you see these items in the DEBUG output:
    1. The ASCII 8-byte string at Boot Sector memory offset 0x0003 (OEM name and version) is your Algonquin userid. Make sure you see your userid here. If you don't see your userid, you have the wrong disk - contact your professor!
    2. The hexadecimal 32-bit value starting at memory offset 0x0027 (i.e. 0027h/4 - DOS Volume ID) is 0xFEEDFACE followed by the eleven ASCII digits of your personal disk code (DOS Volume Label).
    Do not proceed until this is true. (Remember to adjust what you see in the dump for the endian-ness of your computer.)
  4. Are you sure you have the right disk? Review that last step again.
  5. Based on the table of MS-DOS Boot Sector Component Names and the values supplied by the DEBUG dump of the Boot Sector of your disk, extract the following information for your personal virtual floppy disk:
    MS-DOS Boot Sector Component Name                      | Offset (hex) / Length | My Value (hex)
    number of bytes per sector:                            | ____ / ____           | ____
    number of sectors per file allocation unit (cluster):  | ____ / ____           | ____
    number of copies of the FAT:                           | ____ / ____           | ____
    number of root directory entries:                      | ____ / ____           | ____
    number of sectors used by each copy of the FAT:        | ____ / ____           | ____
    number of sectors per track:                           | ____ / ____           | ____
    number of heads:                                       | ____ / ____           | ____
    (Remember to adjust what you see in the dump for the endian-ness of your computer.)
  6. Using the Boot Sector information, above, fill in the following table:
    What is the layout of my Floppy Disk?
    Data Structure         | Number of Sectors (hex)  | Start Sector (hex) | End Sector (hex)
    Boot sector:           | ____                     | ____               | ____
    FAT (___ copies):      | ____                     | ____               | ____
    Root Directory:        | ____                     | ____               | ____
    File Allocation Space: | ___ sectors per cluster  | ____               | ...end of disk...
    (Remember to handle hexadecimal numbers with hexadecimal arithmetic.)
  7. Using the absolute disk sector number of the first sector of the root directory, and the size of the root directory, load all the root directory sectors into memory. (Remember to use only hexadecimal numbers in your commands to DEBUG!) Use DEBUG to display what you just loaded. The very first entry in the root directory on your disk is an ASCII string Volume Label that matches the 11-digit number from your README file. Do not proceed until this is true. Your DEBUG dump will also show that this root directory once contained many odd file names, as well as holding the entries for the few not-deleted files you can still see left on your diskette (including the directory entry for your README.TXT file). Do not proceed until this is true.
  8. Use DEBUG to keep displaying more and more of this root directory to locate the directory entry for the short DOS 8.3 name of the deleted subdirectory whose long name was given in your README.TXT file. The directory name given in the README.TXT file is the Windows95 Long Name of this deleted subdirectory; skip over the long name entries. You will have to locate its corresponding MS-DOS 8.3 short name.
  9. When you have found in the DEBUG dump the root directory entry that contains the MS-DOS 8.3 short name of the deleted subdirectory, determine the starting cluster number of this deleted subdirectory. (Remember to adjust what you see in the dump for the endian-ness of your computer.)
  10. Using the cluster number of the deleted subdirectory and information from the Boot Sector, determine the absolute disk sector number of the first sector of the deleted subdirectory. (Remember to handle hexadecimal numbers with hexadecimal arithmetic.)
  11. Using the absolute disk sector number of the first sector of the deleted subdirectory, load the first few sectors of the deleted subdirectory into memory and display them. When you succeed, the dump will show that almost every item in this deleted subdirectory is itself deleted. The only two non-deleted items are the first two names in the directory, which should be "." and ".." (dot and dot-dot). Do not proceed until this is true.
  12. Use DEBUG to keep displaying more and more of this subdirectory to locate the directory entry for the short DOS 8.3 name of the deleted file whose long name was given in your README.TXT file. The file name given in the README.TXT file is the Windows95 long name of this deleted file; skip over the long name entries. You will have to locate its corresponding MS-DOS 8.3 short name. (Warning: This same file name may appear in more than one directory. Make sure you are looking in the correct deleted directory!)
  13. When you have found in the DEBUG dump the directory entry that contains the MS-DOS 8.3 short name of the deleted file, determine the starting cluster number of this deleted file. (Remember to adjust what you see in the dump for the endian-ness of your computer.)
  14. Using the cluster number of the deleted file and information from the Boot Sector, determine the absolute disk sector number of the first sector of the deleted file. (Remember to handle hexadecimal numbers with hexadecimal arithmetic.)
  15. Using the absolute disk sector number of the first sector of the deleted file, load the first few sectors of the deleted file into memory and display them. You will recognize that you have found the right sector of the right deleted file, because the ASCII dump of the first sector will mention something about "bingo" and finding the correct file.
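
The arithmetic behind steps 5, 6, 10 and 14, as an added Python example that is not part of the original assignment: it decodes the little-endian boot-sector fields, derives the start sector of each disk region, maps a cluster number to an absolute sector, and lists deleted short-name directory entries. The boot sector and directory bytes are constructed sample values, the function names are this example's own, and the reserved-sector count is read from boot sector offset 0x0E.

```python
import struct

def parse_bpb(boot):
    """Decode the little-endian BIOS Parameter Block of a FAT12 boot sector."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 0x0B)
    spf, spt, heads = struct.unpack_from("<HHH", boot, 0x16)
    return dict(bps=bps, spc=spc, reserved=reserved, nfats=nfats,
                root_entries=root_entries, spf=spf, spt=spt, heads=heads)

def layout(b):
    """Start sector of each on-disk region, in the order boot, FATs, root, data."""
    root_start = b["reserved"] + b["nfats"] * b["spf"]
    root_sectors = (b["root_entries"] * 32 + b["bps"] - 1) // b["bps"]
    return dict(fat_start=b["reserved"], root_start=root_start,
                root_sectors=root_sectors, data_start=root_start + root_sectors)

def cluster_to_sector(b, lay, cluster):
    """Data clusters are numbered from 2, so cluster 2 is the first data sector."""
    return lay["data_start"] + (cluster - 2) * b["spc"]

def deleted_entries(directory):
    """Yield (short name, attribute, start cluster) for deleted 8.3 entries."""
    for off in range(0, len(directory), 32):
        e = directory[off:off + 32]
        if e[0] == 0x00:                      # never-used entry: end of directory
            break
        if e[0] != 0xE5 or e[0x0B] == 0x0F:   # live entry, or a long-name slot
            continue
        name = "?" + e[1:11].decode("ascii", "replace")  # first character is lost
        yield name, e[0x0B], struct.unpack_from("<H", e, 0x1A)[0]

def entry(name, attr, cluster):
    """Build one 32-byte directory entry for the constructed sample below."""
    return struct.pack("<11sB14xHI", name, attr, cluster, 0)

# Constructed sample data (not taken from any real assignment disk).
BOOT = bytearray(512)
BOOT[3:11] = b"abcd0001"                                  # OEM name field
struct.pack_into("<HBHBH", BOOT, 0x0B, 512, 2, 1, 2, 0x70)
struct.pack_into("<HHH", BOOT, 0x16, 3, 9, 2)
ROOT = (entry(b"12345678901", 0x08, 0) + entry(b"\xE5" + b"x" * 10, 0x0F, 0)
        + entry(b"\xE5ECRET~1   ", 0x10, 5) + entry(b"README  TXT", 0x20, 9))

if __name__ == "__main__":
    b = parse_bpb(bytes(BOOT)); lay = layout(b)
    print({k: hex(v) for k, v in lay.items()})
    for name, attr, clu in deleted_entries(ROOT):
        print(name, hex(attr), hex(clu), "-> sector", hex(cluster_to_sector(b, lay, clu)))
```

The sector numbers it prints are the values DEBUG's load command expects, already in hexadecimal.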

Hand In

No marks are awarded for brute-force searching all of memory until you find something interesting. Marks are awarded for correct disk analysis. Record your formulas and all your calculations.

Due date via web page upload: 10h00 AM on Thursday November 26, 2009
Upload your answers using the Web page upload.

    *** Answers to Submit for Project 3 ***

    ** All answers and formulas must be in HEXADECIMAL **

     1. Personal Disk Code (11-digit number from the README file):

     2. number of bytes per sector:
     3. number of sectors per file allocation unit (cluster):
     4. number of copies of the FAT:
     5. number of root directory entries:
     6. number of sectors used by each copy of the FAT:
     7. number of sectors per track:
     8. number of heads:

     9. start sector of boot sector:
    10. end sector of boot sector:

    11. start sector of FAT copies:
    12. end sector of FAT copies:

    13. start sector of ROOT directory:
    14. end sector of ROOT directory:

    15. start sector of File Allocation Space:

    *** For the Deleted Directory ***

    16. start cluster number of the deleted subdirectory:

    17. Formula to calculate the absolute disk sector number of the first
	sector of the deleted subdirectory:

    18. absolute disk sector number of the first sector of the deleted
	subdirectory:

    *** For the Deleted File ***

    19. start cluster number of the deleted file:

    20. Formula to calculate the absolute disk sector number of the first
	sector of the deleted file:

    21. absolute disk sector number of the first sector of the deleted file: