components

Question 1

types of digital devices

Answer 1

• Desktop computers
• Laptop computers
• Mobile phones
• Tablet devices
• Raspberry pi
• Data storage
• USB drives
• SD cards
• Hard disk drives (HDDs)
• Solid state drives (SSDs)
• RAM sticks
• Cloud storage
  digital devices could be hidden or not obvious

Question 2

outside a device- cables

Answer 2

in addition to being able to name and assemble the hardware of a computer, you should also be able to detach and re attach all the cables that could be connected to a digital device, be that a computer, a video camera, a mobile phone or any other digital device

Question 3

outside a device- power cable

Answer 3

you should be able to identify the power cable and what will happen if it is removed from its power source

Question 4

outside a device- other cables

Answer 4

you should be able to work out what the other cables that are connected are for and where they might connect to

Question 5

inside a computer

Answer 5

Motherboard
Graphics card
CPU
RAM
PSU
HDD
CD/DVD ROM drive
And outside a computer
Screen
Workstation/base unit
Keyboard
Mouse
Printer
External storage device

Question 6

mobile devices

Answer 6

• Operating systems- ios, android, windows
• SIM cards- subscriber identification module, the come in 4 sizes: full size SIM, mini SIM micro SIM and nano SIM
• Storage- flash cards, cloud drives
• Phones/tablets/smart watches

Question 7

devices such as Apple Watch

Answer 7

should be looked out for at crime scenes as they could contain additional artefacts that help support or refute a case, although most will need specific tools and knowledge to get the data from them, some might need specific devices as well as specific software to access the data they hold.

Question 8

disk geometry

Answer 8

• A HDD (hard disk drive) is made up of 1 or more platters coated with a magnetic material
• Geometry- a disks logical structure of platters tracks and sectors
• Head- the device that reads and writes the data to a platter there are 2 heads per platter 1 reads the top side and the other the bottom side
• Track- are concentric circles (circles inside circles) on a platter where data is located
• Cylinders- a column of tracks on 2 or more platters
• Sectors- a section on a track usually made up of 512 bytes

Question 9

disk geometry diagram

Answer 9

see powerpoint

Question 10

cylinder, head, sector maths

Answer 10

To work out the size of a hard drive from the CHS values
C x H x S= tS
tS x BpS= total bytes
C= cylinder H= heads S=sectors tS= total sectors BpS= bytes per sector
If.. c= 1024 h=32 s=63 BpS=512 then… 1024 x 32 x 63= 2064384
2064384 x 512= 1056964608 bytes of 1.056 GB

Question 11

sectors

Answer 11

A sector contains 571 bytes however only 512 of those bytes are for data, the rest make up the header of the sector. The header contains information about the sector, such as its ID, the CHS information and some cylindric redundancy checks digits to ensure the integrity of the date

Question 12

solid state drive

Answer 12

• Solid state drives are used in USB drives, laptops, tablet and mobile phones and cause digital forensic investigators issues when trying to recover data from them due to a feature called ‘wear-levelling’
• Wear levelling moves the data on the drive from one memory cell to another so all memory cells have equal use as each memory cell is only designed to perform between 10,000 to 100,000 reads/writes depending on their design
• Deleted data is an issue for digital forensic investigators
• If you have an SSD to deal with it is imperative that you make a full forensic image of the drive as soon as possible to avoid any data loss

Question 13

deleted data is an issue

Answer 13

the actual data is initially not deleted from the drive, just the references to it are removed, so with an SSD, the data will still be there but during the wear-levelling process other data could just be moved to the memory cells it was occupying.

Question 14

what happens when data is moved around during wear levelling

Answer 14

the old address to the data is filed in an area of firmware in a file called “garbage collector” and the drive will automatically erase data in these areas by overwriting any data in these listed areas.

Question 15

how to avoid losing data

Answer 15

take a full forensic image of it straight away – obviously there could already have been some data loss before the device was seized but it is our job to prevent any further data loss from this point onwards.

Question 16

file systems

Answer 16

• FAT- file allocation table
• NTFS- new technology file system
• HFS/HFS+- Hierarchical file system/plus
• APFS- apple file system
• Ext- extended file system

Question 17

FAT and NTFS

Answer 17

window based files

Question 18

HFS and APFS

Answer 18

found on Macs

Question 19

Ext file

Answer 19

found on linux machine

Question 20

FAT. based file systems

Answer 20

use to a USB drive to save data across multiple operating systems but you can’t store larger files than 4GB in a FAT formatted drive

Question 21

NTFS based USB drive

Answer 21

a Mac can read this but under normal conditions it cannot write to an NTFS drive

Question 22

NTFS & APFS

Answer 22

newest files structures

Question 23

slack space

Answer 23

• In a 1-2GB FAT16 drive there are 64 sectors in a cluster.
• Therefore, a 5,000 byte text document will take up 10 sectors- and have 120 bytes remaining at the end of the file before the actual end of the 10th sector.
• 120 bytes of data is then pulled from the RAM to fill this gap.
• In this cluster, there are also another 54 sectors that need filling in order to write the entire cluster, so more data is added to pad out the rest of the 54 sector gap.

Question 24

RAM data

Answer 24

data that is chucked in to the sector or cluster it is writing to fill up the empty space (could be passwords, usernames or any other sort of data)

Question 25

operating systems

Answer 25

• DOS
• Window 9x/XP/ME/vista/7/8/10
• MacOS, iOS, watchOS, tvOS
• Linux- various distributions
• Android- various versions and differences between handset manufacturers