Block 3 Part 1 - Data on your Computer Flashcards
Memory - Hard Disk
In a computer system, storage devices are categorized into two main types:
- _________________
- _________________
- Primary
- Secondary
Memory - Hard Disk
What is primary storage used for, and give an example.
Used for temporary data storage during active tasks.
RAM
Memory - Hard Disk
What is secondary storage used for, and give two examples.
Used for long-term storage of data even when the power is off.
Hard disk, external drives, solid state drives
Memory - Hard Disk
What is a Hard Disk (HD)?
A hard disk, or hard drive, is a data storage device used in computers to store and retrieve digital information. It consists of one or more r________ d_______ coated with m__________ material, and data is stored on these disks in a digital format. Hard disks provide n___-v________ storage, meaning the data is retained even when the power is turned off.
rotating disks
magnetic
non-volatile
Memory - Hard Disk
True or false?
It is safe to open the casing of a HD.
False
Hard disks are sealed in a clean environment to minimise dust entering the casing.
Even a particle of dust could cause it to crash!
Memory - Hard Disk
What are the circular disks inside the HD called?
platters
Memory - Hard Disk
Platters rotate on a central s________
spindle
Memory - Hard Disk
Platters are covered on both sides with a metal that can be magnetised in tiny areas to represent z______ and o_______.
zeros and ones
Memory - Hard Disk
Each platter has a h_____ that can pass over every part of the disk as it is spinning.
This h____ is able to detect and c_______ the magnetic areas, and so can read and write the zeros and ones
head
head
change
Memory - Hard Disk
Most hard disks now rotate at 7200 revolutions per minute, and of course each point on the disk has this same rotational speed.
Does a spot on the outside of the platter move faster than one closer to the middle?
Yes
A spot on the outside of the platter will move further in one revolution than one on the inside, as it has to rotate through a circle with a greater radius in the same time – so it moves faster.
Memory - Hard Disk
The __________ ____________ manages the data on the hard drive.
Operating system
Memory - Hard Disk
How is data organised?
data is stored in files
Memory - Hard Disk
The operating system runs something called a f_____ s________.
The f________ s________ dictates how data is w________ to – and r_________ from – a disk, and also records the l__________ of the file stored on the disk.
file system
file system
written to and recovered from
location
Memory - Hard Disk
As there are lots of different operating systems, each with its own kind of file system, do you need a different kind of disk drive for each?
No
We can prepare almost any hard disk drive to work with any operating system and its file system.
Memory - Hard Disk
How do we prepare a hard disk drive to work with any operating system and its file system?
We ‘format’ it.
The process is called formatting.
Memory - Hard Disk
The most important thing that happens when a disk is formatted is that at least one area of the disk must be loaded with the operating system’s f_____ s________ in readiness for it to store data.
file system
Memory - Hard Disk
The areas of a disk are called p__________.
partitions
Memory - Hard Disk
True or false?
You need at least one partition on the drive, and if you have more than one partition, the formatting process will cause them to be displayed as separate drives by your operating system
True
E.g. C drive, E drive …
Memory - Hard Disk
True or false?
Formatting procedures do not check the physical structure of the disk for errors, this is down to the engineer.
False
Formatting procedures may indeed check the physical structure of the disk for errors, recording their location so that data is not written to these locations
Memory - Hard Disk
How is the space organised on the hard drive, once it is formatted (1)?
All hard disks are formed of a series of t________ – sometimes called r_______ – that can contain data.
tracks
rings
Memory - Hard Disk
How is the space organised on the hard drive, once it is formatted (2)?
A disk track is too l______ to manage the data effectively as a single storage unit. (An individual disk track can store more than a megabyte of data.)
It would be very i___________ for storing small files, so, as part of the formatting process, tracks are divided into several numbered, e_______ divisions known as s__________.
large
inefficient
equal
sectors
Memory - Hard Disk
The sectors are a___-shaped pieces of a track. Almost all file systems create sectors that can hold _____ bytes of data.
arc
512
Memory - Hard Disk
The sectors are grouped together in c______.
So a cluster is a larger u____ of m_______ whose size depends on the particular file system being used.
A cluster always consists of one or more c____________ sectors, but typically there are 4 or 8 (or some other power of 2) sectors in a cluster.
clusters
unit of memory
consecutive sectors
Memory - Hard Disk
True or false?
When a file is written to the hard disk, it always takes up a whole number of clusters.
True
Memory - Hard Disk
True or False
A sector is the second smallest physical storage unit on the disk
False
It is the smallest.
Memory - Hard Disk
Given that a sector is 512 bytes in size, how many bytes of storage are there in a cluster composed of 4 sectors?
2048 bytes
Memory - Hard Disk
Once a file has been written to one or more clusters, how does the operating system know where to find the file again?
It searches the F______ A______ T________ (FAT).
It is the area of the hard disk that is used as an index of every cluster on the disk and records whether a cluster is being used or not.
File Allocation Table
Memory - Hard Disk
The space that is available for files to be written to is referred to as u__________ s_________ on the disk, and of course this is always a whole number of clusters’ worth of bytes
unallocated space
Memory - Deleting data from an HD
When a file is deleted, the operating system doesn’t erase the file; it simply makes the clusters that the file occupies available for r________________. So the data is still there until it is o______________.
reallocation
overwritten
Memory - Deleting data from an HD
Once the clusters have been prepared for reallocation, we say that the file has been ‘dereferenced’.
Why?
Because there is no longer any reference to it in the file allocation table (FAT)
Memory - Deleting data from an HD
Even when the cluster has been overwritten there may still be part of the old file left behind.
Answer the following questions to reveal how this happens.
- Why is the physical size of a file almost always bigger than its actual size (logical size) when it is saved?
- What do we call the remaining space in the cluster?
- What happens if the newly allocated file does not occupy the whole of the cluster or clusters?
- This leftover data, which is called l_______ data or a_______ data, can provide investigators with clues as to what was originally stored in the whole cluster, which may in turn provide leads for other enquiries.
- Because a file has to be saved in a discrete (i.e. whole) number of clusters. For example, a file may be only 1280 bytes in size. In a system where a cluster contains 4 sectors, each sector containing 512 bytes, a file of size 1280 bytes would not use up all of the space in the cluster: there would be 768 bytes remaining.
- slack space
- The data in the slack space is not overwritten.
- latent or ambient data
Memory - Deleting data from an HD
There are only three ways to permanently delete data from a hard disk. They are:
- O_______________
- D_______________
- P_________ d__________
- Overwriting
- Degaussing
- Physical destruction
Fragmentation (1)
If your operating system tries to save a file that cannot be stored in a single cluster, the file system breaks up the file in cluster-sized chunks and tries to save them in c_______ clusters.
contiguous
Fragmentation (2)
If contiguous clusters are not available, the file is f______________, which means that the remaining clusters are written elsewhere on the same disk.
fragmented
Fragmentation (3)
True or false?
Fragmentation can slow down system performance.
True
Fragmentation (4)
Why does fragmentation slow down system performance?
Because the file system must direct the heads to several different areas of the disk to find all the data in the file you want to read.
Fragmentation
Can you change the cluster size of your hard disk drive when you format it, to avoid fragmentation?
Yes - a larger cluster size reduces the potential for fragmentation, and reduces the amount of disk space needed to store information about the used and unused areas on the disk
Fragmentation
What is the downside of increasing the cluster size?
A larger cluster size will also increase the likelihood of unused s_______ s__________.
slack space
Fragmentation
Recap - What is slack space?
“slack space” refers to the u______ p_______ of a storage unit, such as a disk sector or cluster, that is not fully utilized by the data it contains.
unused portion
Fragmentation
Given that a cluster size on a particular disk is 2 KB, what is the physical size of a file with a logical size of 69 KB? What is the slack space in this case?
1KB
Defragmentation
When you defragment a hard disk, you are using a s_________ utility that moves the chunks of files to try to arrange them in contiguous clusters.
software utility
Solid State Drives (SSD)
Solid-state drives, which use integrated c__________ to store data
circuits
Solid State Drives (SSD)
SSDs use a technology called f______ memory, which is a solid-state c____ that maintains stored data without any external power source.
flash memory
chip
Solid State Drives (SSD)
True or false?
SSDs are commonly used in portable electronics and removable storage devices?
True
Solid State Drives (SSD)
True or false?
The physical form of a solid-state drive is the same as the hard disk’s spinning disks.
False
The physical form of a solid-state drive is very different to that of a spinning disk.
Solid State Drives (SSD)
True or false?
In a SSD, the file and operating systems still maintain the same system of dividing the memory into logical sectors and clusters.
True
Solid State Drives (SSD)
Hard disks and SSDs are physically very different. How then do they both use the same memory systems?
a_____________
abstraction
The operating system doesn’t need to know what physical type of drive it is reading data from, or writing to, as long as it understands the logical file storage structure defined by the file system.
Flash Memory Drive
True or false?
HDDs use flash memory.
False - SSDs use flash memory.
HDDs use magnetic storage.
Flash Memory Drive
Flash memory is a type of n____-v______ storage technology that retains data even when the power is turned off.
It is widely used in various electronic devices for data storage.
non-volatile
Flash Memory Drive
On a microscopic level, SSDs are made up of s__________________ materials that are configured so that they create a whole series of tiny electrically insulated boxes, which act as m_________ cells.
semiconducting
memory
Flash Memory Drive
With regards to these tiny electrically insulated boxes, additional electrons can be attracted into them, giving them an overall negative charge.
Because the box is insulated, the electrons are trapped there even when the power is switched off. In this state, the insulated box has a bit value of 1.
How can we attract additional electrons into them?
By applying a small electrical voltage at the top of them.
Flash Memory Drive
True or false?
If there are no additional electrons in the box, it has a bit value of 0.
True
Flash Memory Drive
True or false?
A memory cell can be reset to 0 by forcing the additional electrons to flow out of the box by using an electrical voltage in the other direction.
True
Writing data to an SSD
What does it mean when we call a box ‘leaky?’
Continual reading and writing of the value of a box causes the insulation enclosing it to degrade over time – and when that happens, the box starts to get ‘leaky’, so it can’t hold the negative charge. This means that it can no longer distinguish between a 0 and a 1, so it becomes unreliable.
Writing data to an SSD
Which can endure the most read/write cycles?
HDDs or SSDs?
HDDs
Even though an SSD has no moving parts to break down, it will endure far fewer cycles – say, between a few thousand and a few hundred thousand.
HDDs can tolerate millions of read/write cycles!
Deleting data from an SSD
You can still physically destroy the drive, but d___________ does not work because SSDs do not rely on magnetism to store zeros and ones.
degaussing
Deleting data from an SSD
Most SSD m____________ have a utility for managing and securely erasing their SSDs using a command called ATA Secure Erase.
manufacturers
Deleting data from an SSD
The ATA Secure Erase command resets the whole of the SSD by applying a spike of v________ to all of the memory cells s___________, flushing out all of the stored electrons and forcing the drive to ‘forget’ all of its data.
voltage
simultaneously
Copying the hard drive and allocating a hash code
Remove the hard disk from a s_______ o___ computer.
Data is represented by bits in computer storage, so we must copy it bit for bit.
This copy is called a ‘disk i______’ of the hard drive.
This process is called ‘d_______ system imaging’, because we have removed the hard disk from a switched off computer.
switched off
image
dead
Copying the hard drive and allocating a hash code
The piece of software that is used to make the disk image will also run an a________ that calculates a number, called a hash code, from all of the 0s and 1s on the original disk.
This h____ c_________ provides a single number that is much smaller than the total number of bits on the disk.
algorithm
hash code
Copying the hard drive and allocating a hash code
Once we have made the disk image, we will use the same process to calculate the hash code for that too. If the hash codes m________, we can be certain that the disk image is a true b___-for-b____ copy of the original disk
match
bit for bit
Reading the hard drive
What piece of software does an OS need to read a disk image?
an image mounter
Timestamps and other metadata
Metadata is a set of data that describes and gives information about other d_______.
The important pieces of metadata about a file kept by any file system include the file’s name, size and path, as well as lots of other information.
data
Timestamps and other metadata
Timestamps tell you when a file was c____________, m________ or d__________
created, modified or deleted
Timestamps and other metadata
Physical and logical file sizes
Which of the physical file size or the logical file size would you expect to be larger?
The logical size of the file (the number of bytes of data) will always be less than (or equal to) the physical size (the space allocated to store it on the disk).
Timestamps and other metadata
Physical and logical file sizes
Why is the logical file size smaller than the physical file space?
Physical file space includes not only the actual data but also additional space for file system structures and metadata. The logical file size represents only the size of the actual data without considering the extra space used by the file system.
True or false?
The operating system does not keep a log file of events such as logins, logouts, device changes, system changes, etc.
False - it does
The Recycle Bin and soft deletes
A soft delete is when a file is deleted, either by pressing the delete button or dragging it to the ____________ __________.
recycle bin
The Recycle Bin and soft deletes
In a soft delete the data is marked as deleted or archived.
In fact the file stays exactly where it is on the physical disk, whether it is an HDD or an SSD.
On a Windows machine, the operating system renames the deleted file with a name that starts with $R and creates an associated file, the $I file, to contain m_________ about the deleted file.
It then stores this new file in a h_________ location on the hard drive.
metadata
hidden
The Recycle Bin and soft deletes
The deleted file is renamed with a name starting with _ _
$R
The Recycle Bin and soft deletes
The OS creates an associated file beginning with _ _ to store the metadata about the deleted file.
$I
The Recycle Bin and soft deletes
What m__________ is kept about the deleted file?
Header
F_____ S_________
Deleted Timestamp
File Name Length
O__________ File Name (including path)
metadata
file size
original File Name
The Recycle Bin and soft deletes
The metadata may be presented like so:
| Offset | Size (in bytes) | Description |
| --- | --- | --- |
| 0 | 8 | Header |
| 8 | 8 | File Size |
| 16 | 8 | Deleted Tim… |
What is the offset?
An offset is a position relative to another point. So if we think about this file starting at a particular memory address and each piece of data is in consecutive chunks of memory, then the offset tells us how far from that starting point a particular piece of data can be found.
So the Header field is the start of the file because it has an offset of 0. The 8-byte binary value for the header is always 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000, and it is this that identifies it as a $I file.
The Recycle Bin and soft deletes
True or False?
$I is a metadata file?
True
The Recycle Bin and soft deletes
True or False?
$R is a renamed deleted file.
True
The manufacturer claims that data can be written to a particular high-performing hard disk at around 100 MB/s.
Recalling that 1 GB = 1,000 MB, and 1 MB = 1,000,000 bytes
How long will it take, in seconds, to write 10 GB of zeros to such a disk?
100 sec
| Offset | Size (in bytes) | Description |
| --- | --- | --- |
| 0 | 8 | Header |
| 8 | 8 | File Size |
| 16 | 8 | Deleted Timestamp |
| 24 | 4 | File Name Length |
| 28 | 240 | Original File Name |
Suppose the size of the file name of the 10 GB file is 240 bytes. Determine the size of the $I file if it has the format shown in the Table above
From Table 1.2, and the fact that the file name has a size of 240 bytes, we can deduce that the $I file has a size of
8 + 8 + 8 + 4 + 240 = 268 bytes.
Given that 100 MB of data can be written to the disk in 1 second, how long will it take, in seconds, to write zeros over every bit in the $I file? Write your answer in scientific notation.
A rate of 100 MB/s is equivalent to 100 × 1,000,000 = 100,000,000 bytes per second. So the $I file would take 268 / 100,000,000 = 0.00000268 seconds to overwrite. In scientific notation, this is
2.68 × 10^-6 seconds.
It is the case that hard disks tend to take longer to read and write small amounts of data, so writing a zero to a disk might be done at more like 1 MB/s. [This is because a bigger proportion of the processing time needed to transfer a small amount of data (compared to a large file) is the time-consuming input/output operations.] Calculate again the time it would take to overwrite the $I file using a writing rate of 1 MB/s.
It will be 100 times slower than previously, so it would take 2.68 × 10^-4 seconds. (Note that this is still a substantial saving of time compared to overwriting the 10 GB file.)
File Carving
File carving is a process used in digital forensics and data recovery to extract files or data from a storage device without relying on the f_______ s_______.
It involves searching for and extracting files based on their c_________, rather than relying on file m___________ or the file system structure.
This t___________ is particularly useful when dealing with damaged or corrupted file systems, or when files have been deleted or lost.
file system
content
metadata
technique
File Carving
What is a ‘characteristic signature’ AKA ‘a magic number’?
A characteristic signature refers to a unique sequence of bytes or patterns within a file that can be used to identify the beginning (header) or end (footer) of that specific file type.
File Carving - Characteristic signatures
Header Signature: The beginning of a file often has a characteristic pattern of bytes that identifies the file t_____. This header signature is like a fingerprint for the file and distinguishes it from other types of files. For example, a JPEG image file might have a specific set of bytes at the beginning that indicates it is a JPEG file.
type
File Carving - Characteristic signatures
Footer Signature: Some file types have recognizable patterns at the e____ of the file, known as the footer. The footer signature helps in accurately determining the end of the file during the carving process.
end
File Carving
True or False?
There is no such thing as file carving software.
False
Data Carving
True or False?
Data Carving always works, even if the files are heavily fragmented.
False
If a file on a hard disk drive is hard deleted, which two of these statements are true:
a) Metadata about the file continues to be stored on the disk.
b) The sooner the user tries to recover the file using special software, the more likely they are to be able to retrieve it.
c) It is completely impossible to recover the file.
d) The space the file occupied in memory is overwritten with 0s.
e) The file will stay in memory until another file is allocated to that memory location.
b, e
Recap
True or False?
In SSDs, the TRIM function will ensure that the unallocated and slack space is overwritten with zeros.
True
File Carving
File carving doesn’t work on SSDs.
Why not?
Because the TRIM function will ensure that the unallocated and slack space will be overwritten with zeros, so there is nothing to find.
Analysing main memory (RAM)
What is a RAM Dump?
A RAM dump, also known as a memory dump or core dump, is a snapshot or c____ of the contents of a computer’s random access memory (RAM) at a specific point in time.
copy
RAM data recovery