topic 14 - digital forensics Flashcards
what are the components of a hard disk drive (HDD)?
casing
platter
head
head motor
controller/cache
platter motor
hard disk drive structure = tracks, sectors and clusters.
how does a hard disk operate?
Each rotating disk (platter) is coated with a thin layer of magnetically responsive material in which the data is stored (as binary).
Platters spin extremely fast, 3,600-12,000 rpm.
The head glides on a cushion of air caused by the spin of the platter (millionths of an inch above the surface).
Side-to-side movement of the head arm allows any position on the disk to be read/written.
what is a sector?
A sector is the smallest addressable area on a hard disk (traditionally 512 bytes; newer "Advanced Format" drives use 4,096-byte sectors).
The file system allocates space in clusters, fixed groups of sectors (e.g. 4 sectors). A file is given one or more whole clusters; the unused tail of its last cluster (slack space) still holds whatever was written there before. If the clusters are not contiguous the file is fragmented.
what happens when a file is deleted?
User deletes the file -> it goes to the Recycle Bin (the data and its directory entry are intact, the file is only moved).
When the Recycle Bin is emptied the OS marks that area of the hard disk as available for reuse (unallocated space). The data itself is not touched.
how are deleted files still available after they’ve been deleted?
Deleted files are still accessible to forensic tools UNTIL OVERWRITTEN, because only the file system's pointers to the clusters were removed.
Formatting (a quick format) removes the pointers to the files' locations but does not remove the data either.
Secure deletion purposely overwrites the file's clusters (or all unallocated space) with random bytes, so there is nothing left to recover.
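The deletion, recovery and overwriting described above, as an added example (not part of the original flashcards). It models a constructed disk with 512-byte sectors and 4-sector clusters plus a tiny allocation bitmap standing in for the file system's metadata; the `Disk` class and `carve_pdfs` function are illustrative names, not a real file-system driver or forensic tool. Deleting a file only clears its directory entry and bitmap bits, so a carver that reads the raw unallocated bytes and looks for the PDF header/trailer still recovers the file; after the free space is overwritten with random bytes, it does not.

```python
import os

SECTOR = 512
SECTORS_PER_CLUSTER = 4          # matches the "4 sector cluster" on the flashcard
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
NUM_CLUSTERS = 16                # constructed toy disk: 16 clusters = 32 KiB


class Disk:
    """Constructed toy disk: raw bytes plus a per-cluster allocation bitmap."""

    def __init__(self):
        self.data = bytearray(NUM_CLUSTERS * CLUSTER)  # all zero when new
        self.allocated = [False] * NUM_CLUSTERS        # the file system's view
        self.directory = {}                             # name -> list of clusters

    def write_file(self, name, content):
        # Whole clusters are allocated; a short final chunk leaves slack space.
        needed = -(-len(content) // CLUSTER)
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, c in enumerate(free):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = True
        self.directory[name] = free
        return free

    def delete_file(self, name):
        # "Emptying the recycle bin": drop the directory entry and mark the
        # clusters free. The bytes on the platter are not touched.
        for c in self.directory.pop(name):
            self.allocated[c] = False

    def unallocated_bytes(self):
        # What a forensic tool reads when it examines unallocated space.
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, used in enumerate(self.allocated) if not used)

    def secure_wipe_free_space(self):
        # Secure deletion: overwrite every unallocated cluster with random bytes.
        for c, used in enumerate(self.allocated):
            if not used:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)


def carve_pdfs(blob):
    """Recover PDFs from raw bytes by header/trailer, ignoring the file system."""
    found = []
    pos = 0
    while True:
        start = blob.find(b"%PDF-", pos)
        if start < 0:
            break
        end = blob.find(b"%%EOF", start)
        if end < 0:
            break
        found.append(bytes(blob[start:end + 5]))
        pos = end + 5
    return found


def demo():
    disk = Disk()
    # Constructed sample file, ~3 KiB so it spans two clusters.
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"A" * 3000 + b"\n%%EOF"
    disk.write_file("report.pdf", pdf)
    before_delete = carve_pdfs(disk.unallocated_bytes())   # allocated data is not "unallocated"
    disk.delete_file("report.pdf")
    after_delete = carve_pdfs(disk.unallocated_bytes())    # pointers gone, bytes still there
    disk.secure_wipe_free_space()
    after_wipe = carve_pdfs(disk.unallocated_bytes())      # overwritten: gone for good
    return {
        "before_delete": len(before_delete),
        "recovered_after_delete": len(after_delete) == 1 and after_delete[0] == pdf,
        "after_wipe": len(after_wipe),
    }


if __name__ == "__main__":
    print(demo())
```

The carver works on unallocated bytes only, so a file that is still allocated is not reported as "deleted"; on a real drive the same header/trailer carving is what recovers files whose directory entries are gone, which is why the file stays recoverable right up until its clusters are reused or deliberately overwritten.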
what practical tools does the forensic team use digitally?
- WinHex
- Windows Explorer
- Categories of file examined: hidden files, deleted files, normal files
- FTK Imager (preview / image)
- Write blocker (e.g. write-protecting USB devices in Windows XP)
- File recovery tools
how are files generally identified?
Files are generally identified by their extension (typically three characters, like pdf, doc or ppt).
The computer will usually use that extension to associate an application with the file, and then open it with that application. The extension is just part of the name, so it can be changed freely.
what are file signatures and how are they used?
For many file types, all files of that type begin with a known and recognisable header (a fixed byte sequence, sometimes called a magic number).
This is a far more reliable indicator of content than the extension (extensions can be changed without touching the content; a header can be faked, but only by editing the file itself).
Known as a “file signature”.
Used by forensic tools to identify and classify files by content, and to flag mismatches between a file's extension and its signature (e.g. an executable renamed to .jpg).