20755: The Internet Lecture 3: Computer Systems II

1
20-755 The Internet, Lecture 3: Computer Systems II
  • David O'Hallaron
  • School of Computer Science and Department of Electrical and Computer Engineering
  • Carnegie Mellon University
  • Institute for eCommerce, Summer 1999

2
Today's lecture
  • Input/Output (I/O) (50 min)
  • Break (10 min)
  • Copenhefer's blunder (50 min)
      • Case studies in computer crime and forensics

3
The I/O subsystem (except the network)
[Figure: block diagram of the I/O subsystem. The processor, memory and interrupt controller share the local/IO bus with the keyboard, serial port and parallel port controllers, the video and network adapters, the IDE disk controller and the SCSI controller (with its SCSI bus); attached devices are keyboard, mouse, modem, printer, display, network, disks and cdrom.]
4
Bus
  • A bus is a shared medium that connects the processor, memory, and I/O devices
  • Consists of control and data/address wires
      • control: requests, acks, type of data (address or data)
      • data lines: data, addresses
      • address lines (optional): address
  • Only one device at a time

[Figure: two bus layouts: control lines plus shared address/data lines, OR control lines plus separate address and data lines]
5
Bus types
  • Processor-memory bus
      • short, fast, proprietary
      • fixed number of devices with known performance
  • I/O bus
      • longer, slower, open
      • unknown number of devices with different performance
          • disk: 5 MB/s
          • 4x CDROM: 640 KB/s
      • Examples: SCSI II, PCI, ISA, EISA

6
PCI bus layout
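[Figure: PCI bus layout. Processor and cache connect through a bridge/memory controller to DRAM and to the PCI local bus, which carries the sound card, graphics card, LAN card and SCSI card; a bus interface links the PCI local bus to the ISA bus and its ISA card.]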
7
Display
[Figure: display screen drawn as a grid of pixels, with row, column and diagonal marked]
Each pixel is painted with a color.
8
Display
[Figure: display tube with heating filament, control grid, focusing system, horizontal and vertical deflection, electron beam, and phosphor coated screen]
9
Raster scan
[Figure: raster scan pattern showing horizontal and vertical directions, horizontal retrace and vertical retrace]
10
Frame buffer (grayscale)
[Figure: a frame buffer of 1 and 0 values and the corresponding pixels on the display]
Key idea: The frame buffer is just an area of memory that can be read and written.
11
The RGB color space
[Figure: RGB color cube with axes running from 0 to 1 and corners labelled black, red, green, blue, yellow, cyan, magenta and white]
12
Frame buffer with color map
[Figure: frame buffer values index into a color map of R G B entries, which selects the colors (yellow and red in the example) shown on the display]
13
Display performance
  • The quality of a display is measured by its resolution, which is the number of rows and columns of pixels.
      • e.g., 640x480 (640 rows, 480 columns)
  • Modern displays support multiple resolutions.
  • The size of a display is measured by the size in inches (like a TV).
      • e.g., 17"
  • Each pixel requires 1-4 bytes of display memory on the display controller.

14
Magnetic Disks
[Figure: disk surface with read/write head and arm]
Disk surface spins at 3600-7200 RPM.
The surface consists of a set of concentric magnetized rings called tracks.
The read/write head floats over the disk surface and moves back and forth on an arm from track to track.
Each track is divided into sectors.
15
Disk Capacity
  • Parameter: 18 GB example
  • Number of platters: 12
  • Surfaces / platter: 2
  • Number of tracks: 6962
  • Number of sectors / track: 213
  • Bytes / sector: 512
  • Total bytes: 18,221,948,928

16
Disk Operation
  • Operation
      • Read or write complete sector
  • Seek
      • Position head over proper track
      • Typically 6-9 ms
  • Rotational Latency
      • Wait until desired sector passes under head
      • Worst case: complete rotation
      • 10,025 RPM => 6 ms
  • Read or Write Bits
      • Transfer rate depends on bits per track and rotational speed
      • E.g., 213 x 512 bytes @ 10,025 RPM = 18 MB/sec.
      • Modern disks have external transfer rates of up to 80 MB/sec
      • DRAM caches on disk help sustain these higher rates

17
Disk / System Interface
  • 1. Processor Signals Controller
      • Read sector X and store starting at memory address Y
  • 2. Read Occurs
      • Direct Memory Access (DMA) transfer
      • Under control of disk controller
  • 3. Disk Controller Signals Completion
      • Interrupts processor
      • Can resume suspended process

[Figure: processor (Reg), memory and a disk controller with two disks on the memory-I/O bus; arrows labelled (1) Initiate Sector Read, (2) DMA Transfer, (3) Read Done]
18
Disk performance
  • Disk size is given by the diameter of the surface
      • e.g., 3 1/2" or 5 1/4"
  • Disk capacity is given by number of bytes
      • e.g., 500 MB, 1 GB
  • Disk speed is given by seek time and throughput
      • seek time: average time for the read/write head to move from one track to another track, in milliseconds (1/1000 seconds).
      • e.g., typical seek time is 10 milliseconds.
      • throughput: once the read/write head is positioned correctly, throughput is the number of MBytes that can be transferred each second.
      • e.g., typical throughput is 1 MByte/second.

19
Storage Trends
SRAM
metric             1980    1985   1990   1995   1999   1999:1980
$/MB               19,200  2,900  320    256    100    190
access (ns)        300     150    35     15     3      100

DRAM
metric             1980    1985   1990   1995   1999   1999:1980
$/MB               8,000   880    100    30     1.5    5,300
access (ns)        375     200    100    70     60     6
typical size (MB)  0.064   0.256  4      16     64     1,000

Disk
metric             1980    1985   1990   1995   1999   1999:1980
$/MB               500     100    8      0.30   0.05   10,000
access (ms)        87      75     28     10     8      11
typical size (MB)  1       10     160    1,000  9,000  9,000

(Culled from back issues of Byte and PC Magazine)
20
Storage Price ($/MB)
21
Storage Access Times (nsec)
22
Processor clock rates
Processors
metric               1980  1985  1990  1995     1999  1999:1980
typical clock (MHz)  1     6     20    150      400   400
processor            8080  286   386   Pentium  P-II

(Culled from back issues of Byte and PC Magazine)
23
The CPU vs. DRAM Latency Gap (ns)
[Chart: SRAM, DRAM and CPU cycle times in ns, vertical axis from 1.E00 to 1.E03, for 1980, 1985, 1990, 1995 and 1999]
24
I/O Summary
  • Key concept
      • data travels between the processor, memory, and other I/O devices over a shared medium called a bus (not too unlike an ethernet)
  • For both DRAMs and magnetic disks, cost per MB is decreasing much faster than access times.
      • falling way behind processor speeds.

25
Break time! (10 min)
26
Today's lecture
  • Input/Output (I/O) (50 min)
  • Break (10 min)
  • Copenhefer's blunder (50 min)
      • Case studies in computer crime and forensics

27
Copenhefer's Blunder: Case studies in computer crime and computer forensics
  • Copenhefer capital murder case
  • Steele mail fraud case

28
Copenhefer capital murder case
  • June 17, 1988 (Erie, PA)
      • Sally Weiner, wife of bank executive Harry Weiner, is kidnapped, held for ransom, and then murdered before the money can be delivered.
  • June 27, 1988 (Erie, PA)
      • State trooper notices computer-generated sign in the window of a bookstore owned by David Copenhefer that looks similar to the ransom note. Becomes the basis for a search warrant.
      • Police obtain warrant, and the FBI finds deleted versions of the ransom note and the murder plan on the disk drives in the PCs in the bookstore and Copenhefer's house.
  • May, 1989 (Pittsburgh, PA)
      • Copenhefer sentenced to die.
      • Still in the appeals process (1997).

29
How did he get caught?
  • He didn't understand the PC's DOS filesystem.
  • The data in a deleted file is still on the disk!
  • The FBI knew this and searched the tracks of the disk for the character string "exactely", a misspelling that appears several times in the ransom note.
  • In 1994, I examined both of Copenhefer's computers as an expert witness to the Commonwealth of PA, undeleted the ransom note, and printed it out.

30
DOS File System
  • The disk is treated as a linear sequence of n
    logical sectors, each 512 bytes in length
  • sector 0, sector 1, sector 2, ...., sector n-2,
    sector n-1

31
DOS Disk Map
[Figure: disk map starting at logical sector 0: the reserved area, then the File Allocation Table (FAT), then the files area (files and directories)]
32
Directory entries
  • The eight parts of a directory entry:
      • filename (8 bytes), e.g., report in report.doc
      • filename extension (3 bytes), e.g., doc in report.doc
      • attribute (1 byte), e.g., file or directory, read only or read/write
      • unused (10 bytes)
      • time (2 bytes)
      • date (2 bytes)
      • starting sector number (2 bytes)
      • file size (4 bytes)

33
File Allocation Table (FAT)
  • The FAT is a sequence of 16 bit entries. The ith FAT entry corresponds to the ith logical disk sector.
  • The values of the entries form a chain that shows which logical sectors contain the data in a file or directory entry. 9999 ends the chain.

[Figure: directory entry for report.doc with starting sector 0003 and size 2K, beside FAT entries numbered 2 through 10; the entries for the file hold 4, 5, 6 and 9999, forming its chain]
34
Deleting a file
  • When a file is deleted, the first word in the directory entry is changed to a special character (we'll call it ?) and the FAT chain is cleared. However, the data is intact.

[Figure: the directory entry now reads ?eport.doc, still with starting sector 0003 and size 2K; the FAT entries that held the chain are all 0]
35
Recovering a deleted file
  • Look for occurrences of ? to find deleted directory entries. Use the starting sector and size fields in the directory entry and assume contiguous sector allocation to recover the file data.

[Figure: the same deleted directory entry (?eport.doc, starting sector 0003, size 2K) and cleared FAT entries]
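The delete and recover steps above, as an added Python example that is not part of the original slides. It follows the slides' simplified layout (one 16-bit FAT entry per logical sector, 9999 ending the chain); the 11-sector volume, its contents and the function names are constructed for illustration, and 0xE5 is the byte DOS actually writes where the slides show ?.

```python
import struct

SECTOR = 512
DELETED = 0xE5   # byte DOS writes over the first name character (the slides' "?")
END = 9999       # end-of-chain value as drawn on the slides
ENTRY = struct.Struct("<8s3sB10sHHHI")   # the eight directory-entry fields, 32 bytes

def build_disk():
    """Constructed 11-sector volume: sector 0 directory, sector 1 FAT, file in 3-6."""
    disk = bytearray(11 * SECTOR)
    body = (b"deliver the money exactely as told. " * 57)[:4 * SECTOR]   # 2K file
    disk[0:32] = ENTRY.pack(b"REPORT  ", b"DOC", 0, bytes(10), 0, 0, 3, len(body))
    struct.pack_into("<4H", disk, SECTOR + 2 * 3, 4, 5, 6, END)   # chain 3>4>5>6>end
    disk[3 * SECTOR:7 * SECTOR] = body
    return disk

def delete(disk, slot=0):
    """Mark the entry and zero its FAT chain; the data sectors are not touched."""
    sector = ENTRY.unpack_from(disk, slot * 32)[6]
    disk[slot * 32] = DELETED
    while sector not in (0, END):
        nxt, = struct.unpack_from("<H", disk, SECTOR + 2 * sector)
        struct.pack_into("<H", disk, SECTOR + 2 * sector, 0)
        sector = nxt

def undelete(disk):
    """Find deleted entries; read size bytes from the start sector, assuming contiguity."""
    found = {}
    for off in range(0, SECTOR, 32):
        name, ext, _, _, _, _, start, size = ENTRY.unpack_from(disk, off)
        if name[0] == DELETED:
            label = "?" + name[1:].decode("ascii").rstrip() + "." + ext.decode("ascii")
            found[label] = bytes(disk[start * SECTOR:start * SECTOR + size])
    return found

def sectors_with(disk, needle):
    """Raw string search over every sector, ignoring directory and FAT entirely."""
    return [n for n in range(len(disk) // SECTOR)
            if needle in disk[n * SECTOR:(n + 1) * SECTOR]]

if __name__ == "__main__":
    disk = build_disk()
    delete(disk)
    print(sectors_with(disk, b"exactely"))
    for label, data in undelete(disk).items():
        print(label, len(data), data[:36])
```

The per-sector search does not catch a string that straddles a sector boundary, and the contiguity assumption fails for a file whose sectors were fragmented.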
36
Steele mail fraud case
  • March 6, 1993 (Pittsburgh, PA)
      • Phil McCalister, disgruntled associate at Pgh law firm Steele & Hoffman, after watching the movie "The Firm", copies school board billing records from firm's laptops onto some diskettes, then resigns.
  • July 29, 1993
      • McCalister hands over 4 diskettes to postal inspectors as evidence of systematic overbilling of school systems by Charlie Steele, managing partner of Steele & Hoffman.
  • September, 1996
      • I'm asked by defense to determine if the 4 diskettes are the originals from March 6, 1993 (they weren't).
  • December, 1996
      • Despite brilliant testimony by the computer expert witness, Charlie Steele convicted of mail fraud and sentenced to 3 years in federal pen and $80,000 fine.

37
Internal fragmentation in DOS files
Files allocated in fixed size logical sectors
[Figure: a cluster holding file abc: the file's data followed by slack (internal fragmentation)]
38
How slack takes a picture of a disk when a file is copied (1)
1. read source directory ("DE" is directory entry)
[Figure: source disk, disk buffer and destination disk, showing file abc and directory entries DE1-DE4]
39
How slack takes a picture of a disk when a file is copied (2)
2. read file into disk buffer (notice that old slack is not copied into disk buffer!)
[Figure: source disk, disk buffer and destination disk, showing file abc and directory entries DE1-DE4]
40
How slack takes a picture of a disk when a file is copied (3)
3. write file to destination disk. Notice that slack now contains a snapshot of the files on the source disk when the file was copied.
[Figure: source disk, disk buffer and destination disk; file abc on the destination disk is followed by directory entries DE1-DE4 in its slack]
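A model of the three copy steps above, added here as an example and not taken from the original slides: a reused disk buffer leaves directory records in the copied file's slack, and those records are then carved out and compared with a claimed copy date. The 2048-byte cluster, the 32-byte record format with an ISO date, and the sample listing are assumptions constructed for the demo.

```python
from datetime import date

CLUSTER = 2048  # assumed cluster size for this model

def dir_entry(name, ext, stamp):
    """Constructed 32-byte record: 8-char name, 3-char extension, ISO date, padding."""
    return f"{name:<8}{ext:<3}{stamp.isoformat():<21}".encode("ascii")

def copy_file(source_dir, data):
    """The three steps on the slides, with one disk buffer reused throughout."""
    buf = bytearray(CLUSTER)
    buf[:len(source_dir)] = source_dir  # 1. read source directory into the buffer
    buf[:len(data)] = data              # 2. read the file; the old tail is not cleared
    return bytes(buf)                   # 3. the whole cluster goes to the destination

def carve_slack(cluster, file_size):
    """Parse directory records left past the end of the file in its last cluster."""
    slack = cluster[file_size:]
    found = []
    # Records sit on 32-byte boundaries of the buffer; skip the one the file cut into.
    for off in range(-file_size % 32, len(slack) - 31, 32):
        rec = slack[off:off + 32]
        if rec[0] == 0:
            break
        name, ext = rec[:8].decode().rstrip(), rec[8:11].decode().rstrip()
        found.append((name, ext, date.fromisoformat(rec[11:21].decode())))
    return found

def newer_than(entries, claimed_copy_date):
    """Entries dated after the claimed copy date contradict that date."""
    return [e for e in entries if e[2] > claimed_copy_date]

def demo():
    # Constructed sample directory; names and dates echo the F1 listing on the page.
    listing = [("MSDOS", "SYS", date(1991, 11, 11)), ("CONFIG", "SYS", date(1992, 10, 26)),
               ("AUTOEXEC", "BAT", date(1992, 10, 26)), ("COMMAND", "COM", date(1991, 11, 11)),
               ("DOS", "", date(1993, 3, 22)), ("HARCHLRD", "REG", date(1993, 6, 14))]
    source_dir = b"".join(dir_entry(*e) for e in listing)
    data = b"billing record " * 4 + b"end of file"   # 71 bytes of file content
    cluster = copy_file(source_dir, data)
    entries = carve_slack(cluster, len(data))
    return entries, newer_than(entries, date(1993, 3, 6))

if __name__ == "__main__":
    for row in demo():
        print(row)
```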
41
Federal diskette F1 is not an original
Cluster 1,789, Sector 1,820   F11991-.IN   C1638-1789

Name      .Ext Size    Date      Time      Cluster  Arc R/O Sys Hid Dir Vol
---------------------------------------------------------------------------
... YS         33430   11-11-91  5:00 am   2            R/O Sys Hid
MSDOS     SYS  37394   11-11-91  5:00 am   5419         R/O Sys Hid
CONFIG    SYS  57      10-26-92  8:47 am   8998     Arc
AUTOEXEC  BAT  24      10-26-92  8:47 am   8997     Arc
DOS            0       3-22-93   4:40 pm   19                       Dir
WININST        0       3-22-93   4:41 pm   597                      Dir
WINDOWS        0       3-22-93   4:43 pm   3042                     Dir
COMMAND   COM  47845   11-11-91  5:00 am   5429     Arc
SCAN           0       3-22-93   4:50 pm   5570                     Dir
WINA20    386  9349    11-11-91  5:00 am   14
HARCHLRD  REG  1492    6-14-93   12:50 pm  5859     Arc
ASP            0       3-23-93   11:59 am  6242                     Dir
DO             0       3-23-93   12:01 pm  6295                     Dir
GOLF           0       3-23-93   12:01 pm  6361                     Dir
LOTUS          0       5-07-93   4:32 pm   5341                     Dir
NORTON         0       3-23-93   12:04 pm  6977                     Dir

Source: Norton Utilities Diskedit program
42
Federal diskette F2 is not an original
Cluster 501, Sector 532   F2CRIMALDI   C498-501

Name      .Ext Size    Date      Time      Cluster  Arc R/O Sys Hid Dir Vol
---------------------------------------------------------------------------
... WP51       0       3-23-93   12:05 pm  7242                     Dir
XTALK          0       3-23-93   12:13 pm  8910                     Dir
KATHY     REL  2239    6-14-93   1:20 pm   5869     Arc
FRECOVER  DAT  101376  3-24-93   11:29 am  8951     Arc R/O
GO        BAT  198     10-26-92  8:47 am   8966     Arc
MENU      BAT  947     10-26-92  8:47 am   8967     Arc
SD        INI  2497    10-26-92  8:47 am   8968     Arc
XMENU     EXE  5521    10-26-92  8:47 am   8969     Arc
XMENU     PIF  296     10-26-92  8:47 am   8971     Arc
FRECOVER  IDX  29      3-24-93   11:29 am  41442    Arc R/O Sys Hid
?UMMINGS       4763    5-20-93   2:45 pm   6617     Arc
?UMMINGS  BK!  4664    5-19-93   8:18 pm   5895     Arc

Source: Norton Utilities Diskedit program
43
Summary
  • Computer programs leave traces of themselves.
  • These traces can be recovered using simple
    understanding of systems basics.