meeting 11

Data on your computer

Hard disk: part of a unit that stores and provides quick access to large amounts of data on
an electromagnetically charged surface.

- We can prepare any hard disk drive to work with any operating system and its file system
by going through a process called formatting before we try to save any data to it.
The most important thing that happens when a disk is formatted is that at least one area of
the disk is loaded with the operating system’s file system in readiness for it to store
data. These areas are called partitions.

- Once a disk has been formatted, you can write data to it.
Components of a hard disk:
1. Each platter of a hard disk is divided into several concentric tracks.
2. Each track is divided into several sectors, each of which can store the same
amount of data. A sector is the smallest physical storage unit on the disk, and on
most file systems it is fixed at 512 bytes in size.
3. A cluster consists of one or more consecutive sectors; a cluster commonly has 4
or 8 sectors.

In older hard disk drives, the sectors on the outside of the disk had a larger area than
those closer to the center.

On modern disks, each sector has the same area so they each store the same number of
bits per unit area.

- FAT, which stands for File Allocation Table, is the area of the hard disk that is used as an
index of every cluster on the disk and records whether a cluster is being used or not. It
was formerly used by Windows operating systems, but is now mainly used with solid-state
memory, such as flash. It can only cope with a maximum file size of 4 GB.
Windows computers now mainly use a file system called New Technology File System
(NTFS), where a table called a Master File Table (MFT) does a similar job.
- Apple has a file system that is unimaginatively called The Apple File System, and the
Linux file system is called ext4. They each have similar tables.
Unallocated space on the disk: The space that is available for files to be written to.
When a file is deleted, the operating system doesn’t erase the file, it makes the clusters
that the file occupies available for reallocation.

However, the operating system at some point might allocate a new file to one of those
clusters, which overwrites the original data.

The logical size of a file: a measure of the number of bytes of data a file actually contains.
The physical size of a file: always bigger than this, because the file has to be stored in a
discrete number of clusters. The difference between the two is called slack space.
Example: a file has a logical size of 1280 bytes. In a system where there are 4 sectors of
512 bytes in a cluster, the file takes up a whole cluster (4 x 512 = 2048 bytes), which
means that the physical size of the file is 2048 bytes. The difference between 2048 and
1280 is 768, which means that there is a slack space of 768 bytes.

Latent data (ambient data): leftover data, which can provide investigators with clues as to
what was originally stored in the whole cluster, which may in turn provide leads for other
enquiries.

How to Permanently Delete Data From An HDD:

- Overwriting (wiping or shredding): Some disk management programs provide an
‘overwrite’ utility that fills every part of the disk with zeros or ones or a random mix
of the two.
- Degaussing: Data on HDDs is stored in patterns of magnetization. These patterns can
be disrupted by a powerful magnetic field, and a powerful field can erase an entire
disk in a few minutes – a process known as degaussing.
- Physical destruction: Some people and organizations require that their disks are
completely destroyed when no longer needed.
Fragmentation: when contiguous clusters are not available, the file is fragmented, which
means that the remaining clusters are written elsewhere on the same disk.
Defragging: When you defragment a hard disk, you are using a
software utility that moves the chunks of files to try to arrange them
in contiguous clusters.
SSDs: solid-state drives, which use integrated circuits to store data. They use a
technology called flash memory.
There are many advantages of SSDs over HDDs:

- The access time for an SSD is the same regardless of the location of the data, and
so fragmentation does not lead to the same problems as for an HDD.
- SSDs are less susceptible to mechanical failure.
- SSDs are more resistant to shock and vibration.
- SSDs have lower power consumption.
SSDs are made up of semiconducting materials that are configured so that they create a
whole series of tiny electrically insulated boxes, which act as memory cells.
In flash memory, where cells are initially set to 1, a writing operation can only change a 1 to
a 0. The use of a high-voltage pulse to reset a block of cells to 1 causes damage to the
structure of the cells where the data is stored and limits flash memory’s lifetime to a finite
number of write cycles.
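A toy model of the write/erase asymmetry just described, added here as an illustration (it is not from the notes or from any vendor's firmware); the cell count, erase budget and bit patterns are constructed values:

```python
# Toy model of one flash block (constructed, not vendor firmware): every cell
# starts at 1, programming can only clear a cell to 0, and only an erase (the
# high-voltage reset the notes describe) sets cells back to 1, each erase
# counting against the block's finite write-cycle budget.
class FlashBlock:
    def __init__(self, cells=8, max_erase_cycles=3):
        self.cells = [1] * cells
        self.max_erase_cycles = max_erase_cycles
        self.erase_cycles = 0

    def program(self, pattern):
        """Write pattern into the block: 1 -> 0 works, 0 -> 1 silently does not."""
        self.cells = [c & p for c, p in zip(self.cells, pattern)]
        return self.cells == list(pattern)   # False if any 0 needed to become 1

    def erase(self):
        """Reset every cell to 1; raises once the block has worn out."""
        if self.erase_cycles >= self.max_erase_cycles:
            raise RuntimeError("flash block worn out")
        self.erase_cycles += 1
        self.cells = [1] * len(self.cells)


def rewrite(block, pattern):
    """Update data in place the way a controller must: program directly if only
    1 -> 0 changes are needed, otherwise erase the whole block first."""
    if block.program(pattern):
        return "programmed"
    block.erase()
    block.program(pattern)
    return "erased then programmed"


if __name__ == "__main__":
    blk = FlashBlock()
    print(rewrite(blk, [1, 0, 1, 0, 1, 0, 1, 0]))   # programmed
    print(rewrite(blk, [1, 1, 1, 1, 0, 0, 0, 0]))   # erased then programmed
    print(blk.erase_cycles)                         # 1
```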

- You can still physically destroy the drive, but degaussing does not work because SSDs
do not rely on magnetism to store zeros and ones.
ATA Secure Erase command: resets the whole of the SSD by applying a spike of voltage to all
of the memory cells simultaneously, flushing out all of the stored electrons and forcing the
drive to ‘forget’ all of its data.
Disk image: a copy of every bit on the hard drive, made bit for bit. When the hard disk has
been removed from a switched-off computer before it is copied, the process is called dead
system imaging.
Write blocker: it is a piece of software that makes the image disk read-only.
Hash code: an algorithm that calculates a number, from all of the 0s and 1s on the original
disk. This hash code provides a single number that is much smaller than the total number of
bits on the disk.
Collision: When two sequences of bits have the same hash code.
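Verifying a dead-system image with a hash code, as an added Python example (not code from the notes); the "disk" is a constructed byte string, the hash is standard SHA-256, and the sector size of 512 bytes is the one the notes give:

```python
import hashlib

# Constructed stand-in for a small source disk (not a real drive image): 2304 bytes.
SOURCE_DISK = bytes(range(256)) * 8 + b"evidence sample " * 16


def hash_disk(data, algorithm="sha256"):
    """One number computed from every bit on the disk (the notes' 'hash code')."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_by_sector(data, sector_size=512, algorithm="sha256"):
    """The same digest fed one 512-byte sector at a time, as an imager streams a real disk."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), sector_size):
        h.update(data[offset:offset + sector_size])
    return h.hexdigest()


def image_disk(source):
    """Bit-for-bit copy: the dead-system imaging step."""
    return bytes(source)


def verify_image(source, image):
    """Accept an acquisition only when image and source hash to the same number.
    Finding two different bit sequences with the same SHA-256 (a collision) is not
    feasible, so a match is treated as proof the copy is exact."""
    return hash_disk(source) == hash_disk(image)


def flip_bit(data, byte_index, bit):
    """Corrupt a single bit; even this must make verification fail."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    image = image_disk(SOURCE_DISK)
    print(verify_image(SOURCE_DISK, image))                    # True
    print(verify_image(SOURCE_DISK, flip_bit(image, 300, 5)))  # False
```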
To read a hard drive, we need an image mounter: This is a piece of software that enables the
operating system to read and write data to a disk image.
Metadata: a set of data that describes and gives information about other data. It also keeps
timestamps, which tell you when a file was created, modified or deleted.
Soft delete: when a file is deleted, either by pressing the delete button or dragging it to the
Recycle Bin.

- Deleted files in the Recycle Bin are retrievable by selecting the file and restoring it.
Hard delete: This is done by either:
- Emptying the Recycle Bin.
- Pressing Shift as you select delete.

File carving or data carving software:

- Once the software finds a file format it recognizes, it checks the subsequent bytes
to see if they are compatible with the kind of file identified.
- The software tries to find the end of the file.
- If the end of the file can’t be found, or if the beginning of the file has been
overwritten, or if all else fails, the file carving software will at least guess where the
file ends, knowing where the next header starts.
- However, if the header is missing, these basic data carving techniques won’t work.

- File carving doesn’t work on SSDs, because the TRIM function will ensure that the
unallocated and slack space will be overwritten, so there is nothing to find.
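The header/footer carving steps above, as an added Python example (not a tool from the notes): the JPEG and PNG magic bytes are real, but the "unallocated space" buffer is constructed so that it contains a complete file, a false header, a file whose footer was overwritten, and a fragment whose header is gone.

```python
import re
# Header/footer signatures for two common formats (real magic bytes).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
# Simple "are the following bytes compatible?" checks: a JPEG's next byte must be a
# marker code, and a PNG's first chunk must be IHDR at offset 12.
VALIDATORS = {
    "jpeg": lambda d, s: len(d) > s + 3 and 0xC0 <= d[s + 3] <= 0xFE,
    "png": lambda d, s: d[s + 12:s + 16] == b"IHDR",
}
# Constructed stand-in for unallocated space (not real disk data): a complete
# JPEG, a false JPEG header, a PNG whose IEND footer was overwritten, a second
# complete JPEG, and an orphan JPEG fragment whose header is gone.
UNALLOCATED = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    + b"\xff\xd8\xff\x00" + b"\x00" * 4
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 22
    + b"\xff\xd8\xff\xe1" + b"K" * 20 + b"\xff\xd9"
    + b"L" * 10 + b"\xff\xd9"
    + b"\x00" * 4
)


def find_headers(data):
    """Locate every recognised header whose following bytes look compatible."""
    found = []
    for name, (hdr, _) in SIGNATURES.items():
        for m in re.finditer(re.escape(hdr), data):
            if VALIDATORS[name](data, m.start()):
                found.append((m.start(), name))
    return sorted(found)


def carve(data, max_size=4096):
    """Return (type, start, end, complete) per file. When the footer is missing the
    end is guessed from the next header; headerless fragments are never found."""
    headers = find_headers(data)
    results = []
    for i, (start, name) in enumerate(headers):
        hdr, ftr = SIGNATURES[name]
        next_start = headers[i + 1][0] if i + 1 < len(headers) else len(data)
        fpos = data.find(ftr, start + len(hdr), min(start + max_size, len(data)))
        if fpos != -1 and fpos < next_start:
            results.append((name, start, fpos + len(ftr), True))
        else:
            results.append((name, start, next_start, False))
    return results
```

Running `carve(UNALLOCATED)` recovers the two JPEGs with their footers, reports the PNG as incomplete with its end guessed at the next header, and never sees the trailing fragment because its header is missing.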

The rule for forensic investigations: if a computer is running when it is first encountered,
leave it running (this is the situation in which live acquisition is done). If it is not
running, don’t boot it up.
RAM (random access memory): the memory that is used to store instructions and data just
before they are required by the processor. It is also the place where the operating system is
loaded, so it contains information about what processes and programs are running, which
networks the computer is connected to, passwords, files that have been decrypted and the
keys that were used to decrypt them.
Then there are registry hives:

- The registry is an area of RAM that is used to store the lowest-level settings of
the operating system.
- A hive is just a space within this registry area. Each time a new user logs onto a
computer, a new hive is created for that user that contains registry information
about their profile, such as their settings, desktop, environment, network
connections and printers.
- RAM analysis can reveal a lot of important information about a system and its users.
- The data stored in RAM disappears when the power is switched off.
- That is why we have to use ‘live acquisition’ if we want to find evidence in RAM.
