Block 3 Part 1 - Data on your Computer

Question 1

Memory - Hard Disk

In a computer system, storage devices are categorized into two main types:

1. _________________
2. _________________

Answer 1

1. Primary
2. Secondary

Question 2

Memory - Hard Disk

What is primary storage used for, and give an example.

Answer 2

Used for temporary data storage during active tasks.

RAM

Question 3

Memory - Hard Disk

What is secondary storage used for, and give two examples.

Answer 3

Used for long-term storage of data even when the power is off.

Hard disk, external drives, solid state drives

Question 4

Memory - Hard Disk

What is a Hard Disk (HD)?

A hard disk, or hard drive, is a data storage device used in computers to store and retrieve digital information. It consists of one or more r________ d_______ coated with m__________ material, and data is stored on these disks in a digital format. Hard disks provide n___-v________ storage, meaning the data is retained even when the power is turned off.

Answer 4

rotating disks
magnetic
non-volatile

Question 5

Memory - Hard Disk

True or false?
It is safe to open the casing of a HD.

Answer 5

False

Hard disks are sealed in a clean environment to minimise dust entering the casing.
Even a particle of dust could cause it to crash!

Question 6

Memory - Hard Disk

What are the circular disks inside the HD called?

Answer 6

platters

Question 7

Memory - Hard Disk

Platters rotate on a central s________

Answer 7

spindle

Question 8

Memory - Hard Disk

Platters are covered on both sides with a metal that can be magnetised in tiny areas to represent z______ and o_______.

Answer 8

zeros and ones

Question 9

Memory - Hard Disk

Each platter has a h_____ that can pass over every part of the disk as it is spinning.

This h____ is able to detect and c_______ the magnetic areas, and so can read and write the zeros and ones

Answer 9

head
head
change

Question 10

Memory - Hard Disk

Most hard disks now rotate at 7200 revolutions per minute, and of course each point on the disk has this same rotational speed.

Does a spot on the outside of the platter move faster than one closer to the middle?

Answer 10

Yes

A spot on the outside of the platter will move further in one revolution than one on the inside, as it has to rotate through a circle with a greater radius in the same time – so it moves faster.

Question 11

Memory - Hard Disk

The __________ ____________ manages the data on the hard drive.

Answer 11

Operating system

Question 12

Memory - Hard Disk

How is data organised?

Answer 12

data is stored in files

Question 13

Memory - Hard Disk

The operating system runs something called a f_____ s________.

The f________ s________ dictates how data is w________ to – and r_________ from – a disk, and also records the l__________ of the file stored on the disk.

Answer 13

file system
file system
written to and recovered from
location

Question 14

Memory - Hard Disk

As there are lots of different operating systems, each with its own kind of file system, do you need a different kind of disk drive for each?

Answer 14

No

We can prepare almost any hard disk drive to work with any operating system and its file system.

Question 15

Memory - Hard Disk

How do we prepare a hard disk drive to work with any operating system and its file system?

Answer 15

We ‘format’ it.
The process is called formatting.

Question 16

Memory - Hard Disk

The most important thing that happens when a disk is formatted is that at least one area of the disk must be loaded with the operating system’s f_____ s________ in readiness for it to store data.

Answer 16

file system

Question 17

Memory - Hard Disk

The areas of a disk are called p__________.

Answer 17

partitions

Question 18

Memory - Hard Disk

True or false?
You need at least one partition on the drive, and if you have more than one partition, the formatting process will cause them to be displayed as separate drives by your operating system

Answer 18

True

E.g. C drive, E drive …

Question 19

Memory - Hard Disk

True or false?
Formatting procedures do not check the physical structure of the disk for errors, this is down to the engineer.

Answer 19

False

Formatting procedures may indeed check the physical structure of the disk for errors, recording their location so that data is not written to these locations

Question 20

Memory - Hard Disk

How is the space organised on the hard drive, once it is formatted (1)?

All hard disks are formed of a series of t________ – sometimes called r_______ – that can contain data.

Answer 20

tracks
rings

Question 21

Memory - Hard Disk

How is the space organised on the hard drive, once it is formatted (2)?

A disk track is too l______ to manage the data effectively as a single storage unit. (An individual disk track can store more than a megabyte of data.

It would be very i___________ for storing small files, so, as part of the formatting process, tracks are divided into several numbered, e_______ divisions known as s__________.

Answer 21

large
inefficient
equal
sectors

Question 22

Memory - Hard Disk

The sectors are a___-shaped pieces of a track. Almost all file systems create sectors that can hold _____ bytes of data.

Answer 22

arc
512

Question 23

Memory - Hard Disk

The sectors are grouped together in c______.
So a cluster is a larger u____ of m_______ whose size depends on the particular file system being used.

A cluster always consists of one or more c____________ sectors, but typically there are 4 or 8 (or some other power of 2) sectors in a cluster.

Answer 23

clusters
unit of memory
consecutive sectors

Question 24

Memory - Hard Disk

True or false?
When a file is written to the hard disk, it always takes up a whole number of clusters.”

Answer 24

True

Question 25

Memory - Hard Disk

True or False
A sector is the second smallest physical storage unit on the disk

Answer 25

False
It is the smallest.

Question 26

Memory - Hard Disk

Given that a sector is 512 bytes in size, how many bytes of storage are there in a cluster composed of 4 sectors?

Answer 26

2048 bytes

Question 27

Memory - Hard Disk

Once a file has been written to one or more clusters, how does the operating system know where to find the file again?

It searches the F______ A______ T________.(FAT)
It is the area of the hard disk that is used as an index of every cluster on the disk and records whether a cluster is being used or not.

Answer 27

File Allocation Table

Question 28

Memory - Hard Disk

The space that is available for files to be written to is referred to as u__________ s_________ on the disk, and of course this is always a whole number of clusters’ worth of bytes

Answer 28

unallocated space

Question 29

Memory - Deleting data from an HD

When a file is deleted, the operating system doesn’t erase the file; it simply makes the clusters that the file occupies available for r________________. So the data is still there until it is o______________.

Answer 29

reallocation
overwritten

Question 30

Memory - Deleting data from an HD

Once the clusters have been prepared for reallocation, we say that the file has been ‘dereferenced’.

Why?

Answer 30

Because there is no longer any reference to it in the file allocation table (FAT)

Question 31

Memory - Deleting data from an HD

Even when the cluster has been overwritten there may still be part of the old file left behind.

Answer the following questions to reveal how this happens.

1. Why is the physical size of a file almost always bigger than it’s actual size (logical size) when it is saved?
2. What do we call the remaining space in the cluster?
3. What happens if the newly allocated file does not occupy the whole of the cluster or clusters?
4. This leftover data, which is called l_______ data or a_______ data, can provide investigators with clues as to what was originally stored in the whole cluster, which may in turn provide leads for other enquiries.

Answer 31

1. Because a file has to be saved in a discrete number of clusters (i.e. whole number) The file size may only be 1280 bytes, but in order to be stored in a discrete number of clusters (a cluster being made up of sectors, with each sector containing 512 bytes) In a system where a cluster contains 4 sectors, a file of size 1280, would not use up all of the space. There would be 768 bytes remaining.
2. slack space
3. The data in the slack space is not overwritten.
4. latent or ambient data

Question 32

Memory - Deleting data from an HD

There are only three ways to permanently delete data from a hard disk. They are:

1. O_______________
2. D_______________
3. P_________ d__________

Answer 32

1. Overwriting
2. Degaussing
3. Physical destruction

Question 33

Fragmentation (1)

If your operating system tries to save a file that cannot be stored in a single cluster, the file system breaks up the file in cluster-sized chunks and tries to save them in c_______ clusters.

Answer 33

contiguous

Question 34

Fragmentation (2)

If contiguous clusters are not available, the file is f______________, which means that the remaining clusters are written elsewhere on the same disk.

Answer 34

fragmented

Question 35

Fragmentation (3)

True or false?
Fragmentation can slow down system performance.

Answer 35

True

Question 36

Fragmentation (4)

Why does fragmentation slow down system performance?

Answer 36

Because the file system must direct the heads to several different areas of the disk to find all the data in the file you want to read.

Question 37

Fragmentation

Can you change the cluster size of your hard disk drive when you format it, to avoid fragmentation?

Answer 37

Yes - a larger cluster size reduces the potential for fragmentation, and reduces the amount of disk space needed to store information about the used and unused areas on the disk

Question 38

Fragmentation

What is the downside of increasing the cluster size?

A larger cluster size will also increase the likelihood of unused s_______ s__________.

Answer 38

slack space

Question 39

Fragmentation

Recap - What is slack space?

“slack space” refers to the u______ p_______ of a storage unit, such as a disk sector or cluster, that is not fully utilized by the data it contains.

Answer 39

unused portion

Question 40

Fragmentation

Given that a cluster size on a particular disk is 2 KB, what is the physical size of a file with a logical size of 69 KB? What is the slack space in this case?

Answer 40

1KB

Question 41

Defragmentation

When you defragment a hard disk, you are using a s_________ utility that moves the chunks of files to try to arrange them in contiguous clusters.

Answer 41

software utility

Question 42

Solid State Drives (SSD)

Solid-state drives, which use integrated c__________ to store data

Answer 42

circuits

Question 43

Solid State Drives (SSD)

SSDs use a technology called f______ memory, which is a solid-state c____ that maintains stored data without any external power source.

Answer 43

flash memory
chip

Question 44

Solid State Drives (SSD)

True or false?

SSDs are commonly used in portable electronics and removable storage devices?

Answer 44

True

Question 45

Solid State Drives (SSD)

True or false?
The physical form of a solid-state drive is the same as the hard disk’s spinning disks.”

Answer 45

False

The physical form of a solid-state drive is very different to that of a spinning disk.

Question 46

Solid State Drives (SSD)

True or false?
In a SSD, the file and operating systems still maintain the same system of dividing the memory into logical sectors and clusters.

Answer 46

True

Question 47

Solid State Drives (SSD)

Hard disks and SSDs are physically very different. How then do they both use the same memory systems?

a_____________

Answer 47

abstraction

The operating system doesn’t need to know what physical type of drive it is reading data from, or writing to, as long as it understands the logical file storage structure defined by the file system.

Question 48

Flash Memory Drive

True or false?
HDDs use flash memory.

Answer 48

False - SDDs use flash memory.

HDDs use magnetic storage.

Question 49

Flash Memory Drive

Flash memory is a type of n____-v______ storage technology that retains data even when the power is turned off.
It is widely used in various electronic devices for data storage.

Answer 49

non-volatile

Question 50

Flash Memory Drive

On a microscopic level, SSDs are made up of s__________________ materials that are configured so that they create a whole series of tiny electrically insulated boxes, which act as m_________ cells.

Answer 50

semiconducting
memory

Question 51

Flash Memory Drive

With regards to these tiny electrically insulated boxes, additional electrons can be attracted into them, giving them an overall negative charge.
Because the box is insulated, the electrons are trapped there even when the power is switched off. In this state, the insulated box has a bit value of 1.

How can we attract additional electrons into them?

Answer 51

By applying a small electrical voltage at the top of them.

Question 52

Flash Memory Drive

True or false?
If there are no additional electrons in the box, it has a bit value of 0.

Answer 52

True

Question 53

Flash Memory Drive

True or false?
A memory cell can be reset to 0 by forcing the additional electrons to flow out of the box by using an electrical voltage in the other direction.

Answer 53

True

Question 54

Writing data to an SSD

What does it mean when we call a box ‘leaky?’

Answer 54

Continual reading and writing of the value of a box causes the insulation enclosing it to degrade over time – and when that happens, the box starts to get ‘leaky’, so it can’t hold the negative charge. This means that it cannot distinguish between a 0 or a 1 any longer, which means it becomes unreliable.

Question 55

Writing data to an SSD

Which can endure the most read/write cycles?

HDDs or SDDs?

Answer 55

HDDs

Even though an SSD has no moving parts to break down, but it will endure far fewer cycles – say, between a few thousand to a few hundreds of thousands.

HDDs can tolerate millions of read/write cycles!

Question 56

Deleting data from an SSD

You can still physically destroy the drive, but d___________ does not work because SSDs do not rely on magnetism to store zeros and ones.

Answer 56

degaussing

Question 57

Deleting data from an SSD

Most SSD m____________ have a utility for managing and securely erasing their SSDs using a command called ATA Secure Erase.

Answer 57

manufacturers

Question 58

Deleting data from an SSD

The ATA Secure Erase command resets the whole of the SSD by applying a spike of v________ to all of the memory cells s___________, flushing out all of the stored electrons and forcing the drive to ‘forget’ all of its data.

Answer 58

voltage
simultaneously

Question 59

Copying the hard drive and allocating a hash code

Remove the hard disk from a s_______ o___ computer.

Data is represented by bits in computer storage, we must copy it, bit for bit.
This copy is called a ‘disk i______’ of the hard drive.

This process called ‘d_______ system imaging’, because we have removed the hard disk from a switched off computer.

Answer 59

switched off
image
dead

Question 60

Copying the hard drive and allocating a hash code

The piece of software that is used to make the disk image will also run an a________ that calculates a number, called a hash code, from all of the 0s and 1s on the original disk.

This h____ c_________ provides a single number that is much smaller than the total number of bits on the disk.

Answer 60

algorithm
hash code

Question 61

Copying the hard drive and allocating a hash code

Once we have made the disk image, we will use the same process to calculate the hash code for that too. If the hash codes m________, we can be certain that the disk image is a true b___-for-b____ copy of the original disk

Answer 61

match
bit for bit

Question 62

Reading the hard drive

What piece of software does an OS need to read a disk image?

Answer 62

an image mounter

Question 63

Timestamps and other metadata

Metadata is a set of data that describes and gives information about other d_______.

The important pieces of metadata about a file kept by any file system include the file’s name, size and path, as well as lots of other information.

Answer 63

data

Question 64

Timestamps and other metadata

Timestamps tell you when a file was c____________, m________ or d__________

Answer 64

created, modified or deleted

Question 65

Timestamps and other metadata

Physical and logical file sizes
Which of the physical file size or the logical file size would you expect to be larger?

Answer 65

The logical size of the file (the number of bytes of data) will always be less than (or equal to) the physical size (the space allocated to store it on the disk).

Question 66

Timestamps and other metadata

Physical and logical file sizes
Why is the logical file size smaller than the physical file space?

Answer 66

Physical file space includes not only the actual data but also additional space for file system structures and metadata. The logical file size represents only the size of the actual data without considering the extra space used by the file system.

Question 67

True or false?

The operating system does not keep a log file of events such as logins, logouts, device changes, system changes, etc.

Answer 67

False - it does

Question 68

The Recycle Bin and soft deletes

A soft delete is when a file is deleted, either by pressing the delete button or dragging it to the ____________ __________.

Answer 68

recycle bin

Question 69

The Recycle Bin and soft deletes

In a soft delete the data is marked as deleted or archived.
in fact the file stays exactly where it is on the physical disk, whether it is an HDD or an SSD.

On a Windows machine, the operating system renames the deleted file with a name that starts with $R and creates an associated file, the $I file, to contain m_________ about the deleted file.

It then stores this new file in a h_________ location on the hard drive.”

Answer 69

metadata
hidden

Question 70

The Recycle Bin and soft deletes

The deleted file is renamed with a name starting with _ _

Answer 70

$R

Question 71

The Recycle Bin and soft deletes

The OS creates an associated file beginning with _ _ to store the metadata about the deleted file.

Answer 71

$l

Question 72

The Recycle Bin and soft deletes

What m__________ is kept about the deleted file?

Header
F_____ S_________
Deleted Timestamp
File Name Length
O__________ File Name (including path)

Answer 72

metadata
file size
original File Name

Question 73

The Recycle Bin and soft deletes

The metadata may be presented like so:

Offset Size (in bytes) Description
0 8 Header
8 8 File Size
16 8 Deleted Tim…

What is the offset?

Answer 73

An offset is a position relative to another point. So if we think about this file starting at a particular memory address and each piece of data is in consecutive chunks of memory, then the offset tells us how far from that starting point a particular piece of data can be found.

So the Header field is the start of the file because it has an offset of 0. The 8-byte binary value for the header is always 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000, and it is this that identifies it as a $I file.

Question 74

The Recycle Bin and soft deletes

True or False?
$l is a metadata file?

Answer 74

True

Question 75

The Recycle Bin and soft deletes

True or False?
$R is a renamed deleted file.

Answer 75

True

Question 76

The manufacturer claims that data can be written to a particular high-performing hard disk at around 100 MB/s.

Recalling that 1 GB = 1,000 MB, and 1 MB = 1,000,000 bytes

How long will it take, in seconds, to write 10 GB of zeros to such a disk?

Answer 76

100 sec

Question 77

Offset Size (in bytes) Description
0 8 Header
8 8 File Size
16 8 Deleted Timestamp
24 4 File Name Length
28 240 Original File Name

Suppose the size of the file name of the 10 GB file is 240 bytes. Determine the size of the $I file if it has the format shown in the Table above

Answer 77

From Table 1.2, and the fact that the file name has a size of 240 bytes, we can deduce that the $I file has a size of
8 + 8 + 8 + 4 + 240 = 268 bytes.

Question 78

Given that 100 MB of data can be written to the disk in 1 second, how long will it take, in seconds, to write zeros over every bit in the $I file? Write your answer in scientific notation.

Answer 78

A rate of 100 MB/s is equivalent to 100 × 1,000,000 = 100,000,000 bytes per second. So the $I file would take 268 / 100,000,000 = 0.00000268 seconds to overwrite. In scientific notation, this is
2.68 × 10–6 seconds.

Question 79

It is the case that hard disks tend to take longer to read and write small amounts of data, so writing a zero to a disk might be done at more like 1 MB/s. [This is because a bigger proportion of the processing time needed to transfer a small amount of data (compared to a large file) is the time-consuming input/output operations.] Calculate again the time it would take to overwrite the $I file using a writing rate of 1 MB/s.

Answer 79

It will be 100 times slower than previously, so it would take 2.68 × 10–4 seconds. (Note that this is still a substantial saving of time compared to overwriting the 10 GB file.)

Question 80

File Carving

File carving is a process used in digital forensics and data recovery to extract files or data from a storage device without relying on the f_______ s_______.

It involves searching for and extracting files based on their c_________, rather than relying on file m___________ or the file system structure.

This t___________ is particularly useful when dealing with damaged or corrupted file systems, or when files have been deleted or lost.

Answer 80

file system
content
metadata
technique

Question 81

File Carving

What is a ‘characteristic signature’ AKA ‘a magic number’?

Answer 81

A characteristic signature refers to a unique sequence of bytes or patterns within a file that can be used to identify the beginning (header) or end (footer) of that specific file type.

Question 82

File Carving - Characteristic signatures

Header Signature: The beginning of a file often has a characteristic pattern of bytes that identifies the file t_____. This header signature is like a fingerprint for the file and distinguishes it from other types of files. For example, a JPEG image file might have a specific set of bytes at the beginning that indicates it is a JPEG file.

Answer 82

type

Question 83

File Carving - Characteristic signatures

Footer Signature: Some file types have recognizable patterns at the e____ of the file, known as the footer. The footer signature helps in accurately determining the end of the file during the carving process.

Answer 83

end

Question 84

File Carving

True or False?
There is no such thing as file carving software.

Answer 84

False

Question 85

Data Carving

True or False?
Data Carving always works, even if the files are heavily fragmented.

Answer 85

False

Question 86

If a file on a hard disk drive is hard deleted, which two of these statements are true:

a) Meta data about the file continues to be
stored on the disk.

b) The sooner the user tries to recover the
file using special software, the more
likely they are to be able retrieve it.

c) It is completely impossible to recover
the file.

d) The space the file occupied in memory is
overwritten with 0s.

e) The file will stay in memory until
another file is allocated to that memory
location.

Answer 86

b, e

Question 87

Recap

True or False?
In SSDs, the TRIM function will ensure that the unallocated and slack space is overwritten with zeros.

Answer 87

True

Question 88

File Carving

File carving doesn’t work on SSDs.
Why not?

Answer 88

Because the TRIM function will ensure that the unallocated and slack space will be overwritten with zeros, so there is nothing to find.”

Question 89

Analysing main memory (RAM)

What is a RAM Dump?
A RAM dump, also known as a memory dump or core dump, is a snapshot or c____ of the contents of a computer’s random access memory (RAM) at a specific point in time.

Answer 89

copy

Question 90

RAM data recovery