Digital Forensics Flashcards
What are the components of a hard disk drive?
- Platter
- Head
- Head motor
- Controller/cache
- Platter motor
- Casing
What is the structure of the platter?
- Tracks
- Sectors
- Clusters
How many sectors form a cluster?
Sectors are typically organised into groups of 4, and each group of 4 sectors forms a cluster.
What does one complete circuit around the drive form?
A track
How is information stored on the platter?
In chunks called sectors
How does the platter store information?
Platters store the information magnetically: magnetic dipoles pointing up and down represent 1s and 0s.
How does a hard disk operate?
- Each rotating disk (platter) is made up of a thin layer of magnetically responsive material in which the data is stored (as binary).
- Platters spin extremely fast (3,600-12,000 rpm).
- The head glides on a cushion of air caused by the spin of the platter (millionths of an inch above).
- Side to side movement of the head arm allows any position on the disk to be read/written.
When do files actually get deleted?
- Deleted files are flagged as free space and aren't actually deleted until they have been overwritten with another file. Even then, the overwriting file may not take up all the space, so file fragments will remain in the cluster slack.
How can you obtain information from a USB?
- Make an exact bit copy of the USB.
- This is done using a device called a physical write blocker.
- This allows you to read the information off the USB stick but won't allow you to change anything.
- It's a one-way data blocker (it reads the data but doesn't change anything).
What should you not do with USB evidence?
You shouldn’t plug the USB into your PC as it could change the time or date stamp on a file which can invalidate the evidence.
What is an exact bit-for-bit copy of a USB called?
Image file