components Flashcards
types of digital devices
- Desktop computers
- Laptop computers
- Mobile phones
- Tablet devices
- Raspberry Pi
- Data storage
- USB drives
- SD cards
- Hard disk drives (HDDs)
- Solid state drives (SSDs)
- RAM sticks
- Cloud storage
digital devices could be hidden or not obvious
outside a device- cables
in addition to being able to name and assemble the hardware of a computer, you should also be able to detach and reattach all the cables that could be connected to a digital device, be that a computer, a video camera, a mobile phone or any other digital device
outside a device- power cable
you should be able to identify the power cable and what will happen if it is removed from its power source
outside a device- other cables
you should be able to work out what the other cables that are connected are for and where they might connect to
inside a computer
- Motherboard
- Graphics card
- CPU
- RAM
- PSU
- HDD
- CD/DVD ROM drive
And outside a computer:
- Screen
- Workstation/base unit
- Keyboard
- Mouse
- Printer
- External storage device
mobile devices
- Operating systems- iOS, Android, Windows
- SIM cards- subscriber identification module, they come in 4 sizes: full size SIM, mini SIM, micro SIM and nano SIM
- Storage- flash cards, cloud drives
- Phones/tablets/smart watches
devices such as Apple Watch
should be looked out for at crime scenes as they could contain additional artefacts that help support or refute a case. Most will need specific tools and knowledge to get the data from them, and some might need specific devices as well as specific software to access the data they hold.
disk geometry
- A HDD (hard disk drive) is made up of 1 or more platters coated with a magnetic material
- Geometry- a disk's logical structure of platters, tracks and sectors
- Head- the device that reads and writes the data to a platter. There are 2 heads per platter: 1 reads the top side and the other the bottom side
- Track- concentric circles (circles inside circles) on a platter where data is located
- Cylinders- a column of tracks on 2 or more platters
- Sectors- a section on a track usually made up of 512 bytes
disk geometry diagram
see powerpoint
cylinder, head, sector maths
To work out the size of a hard drive from the CHS values
C x H x S = tS
tS x BpS = total bytes
C = cylinders, H = heads, S = sectors, tS = total sectors, BpS = bytes per sector
If C = 1024, H = 32, S = 63 and BpS = 512, then 1024 x 32 x 63 = 2064384
2064384 x 512 = 1056964608 bytes or 1.056 GB
sectors
A sector contains 571 bytes, however only 512 of those bytes are for data; the rest make up the header of the sector. The header contains information about the sector, such as its ID, the CHS information and some cyclic redundancy check digits to ensure the integrity of the data
solid state drive
- Solid state drives are used in USB drives, laptops, tablets and mobile phones, and cause digital forensic investigators issues when trying to recover data from them due to a feature called ‘wear-levelling’
- Wear levelling moves the data on the drive from one memory cell to another so all memory cells have equal use, as each memory cell is only designed to perform between 10,000 and 100,000 reads/writes depending on its design
- Deleted data is an issue for digital forensic investigators
- If you have an SSD to deal with it is imperative that you make a full forensic image of the drive as soon as possible to avoid any data loss
deleted data is an issue
the actual data is initially not deleted from the drive, just the references to it are removed, so with an SSD, the data will still be there but during the wear-levelling process other data could just be moved to the memory cells it was occupying.
what happens when data is moved around during wear levelling
the old address to the data is filed in an area of firmware in a file called “garbage collector” and the drive will automatically erase data in these areas by overwriting any data in these listed areas.
how to avoid losing data
take a full forensic image of it straight away – obviously there could already have been some data loss before the device was seized but it is our job to prevent any further data loss from this point onwards.
file systems
- FAT- file allocation table
- NTFS- new technology file system
- HFS/HFS+- Hierarchical file system/plus
- APFS- apple file system
- Ext- extended file system
FAT and NTFS
Windows-based file systems
HFS and APFS
found on Macs
Ext file
found on Linux machines
FAT based file systems
used on a USB drive to save data across multiple operating systems, but you can’t store files larger than 4GB on a FAT formatted drive
NTFS based USB drive
a Mac can read this but under normal conditions it cannot write to an NTFS drive
NTFS & APFS
newest file structures
slack space
- In a 1-2GB FAT16 drive there are 64 sectors in a cluster.
- Therefore, a 5,000 byte text document will take up 10 sectors- and have 120 bytes remaining at the end of the file before the actual end of the 10th sector.
- 120 bytes of data is then pulled from the RAM to fill this gap.
- In this cluster, there are also another 54 sectors that need filling in order to write the entire cluster, so more data is added to pad out the rest of the 54 sector gap.
RAM data
data that is chucked in to the sector or cluster it is writing to fill up the empty space (could be passwords, usernames or any other sort of data)