Week 2

Question 1

Traditional Drives are arranged into a number of _________ ________ , each containing a number of concentric ______.

Answer 1

Circular Platters , Tracks

Question 1

Each track contains a number of blocks known as _______ , which are the base unit that is addressable on the disk.

Answer 1

Sectors

Question 2

We do not address these physical sectors by their platter or sector location, but instead use a sequential _______ _____ _______ (LBA) scheme since it offers a simpler and more abstract method of accessing storage media.

Answer 2

Logical Block Address

Question 3

Overtime, as files are created, modified , and deleted , the data on the disk becomes __________. This means that parts of a file are stored in non-contiguous sectors scattered across the disk rather then being stored in a sequential manner.

________________ reorganizes the data on the disk so that the pieces of each file are stored in contiguous sectors.

Answer 3

Fragmentation , Defragmentation

Question 4

In SSD, There is no distinct advantage to contiguous storage, in fact ____ ________ algorithms mean that almost the exact opposite happens.

SSDs use this algorithm to distribute write and erase cycles evenly across the memory cells, which helps to prolong the drive’s lifespan. However, these algorithms cause data to be moved around the drive unpredictably, making it difficult to locate specific data fragments during a carving process.

Answer 4

Wear Leveling

Question 5

In a Logical Drive Structure,

1. __________ _____ ______ found at the beginning of the drive, it contains the boot loader for the installed operating system and information about the drive’s logical partitions.
2. _________ are divisions on a physical hard drive that create distinct, separate areas within the drive. Each partition can have a different file system , and is a low-level division of the disk.
3. _______ is a single accessible storage within a file system, which can span multiple partitions or reside on one partition.
4. _________ are the smallest unit of disk space that can be allocated to a file. Each file is made up of one or more _________.

Answer 5

Master Boot Record
Partitions
Volume
Clusters

Question 6

In the MBR,

1. __________ ____ contains the machine code that the BIOS loads and executes to start the boot process. It scans the partition table for an active partition and then loads and executes the boot sector of that partition to begin loading the operating system.
2. ___ __________ _____ contains the details of up to four partitions. Each partition entry is 16 bytes long.

Answer 6

Bootstrap Code
MBR Partition Table

Question 7

______________ ______ is the part of a storage device that is not assigned to any defined partition and does not hold a recognized file system. → Writing directly to this area will not be detected from the OS.

By using the forensic tools, we can do the following :
1. ____ Analysis : Tools such as Autopsy, EnCase, or X-Ways can analyze disk images and reveal hidden, unallocated, or slack space where data might reside.
2. _________ Analysis : These tools can also detect and analyze hidden partitions, even if they are not immediately visible in the system’s disk management tools.

Answer 7

Unpartitioned Space
Disk Analysis
Partition Analysis

Question 8

______ _____ is the space that exists between the end of the file system data and the end of the allocated space within a volume and this happens when the partition size is not multiple of the cluster size.

For example, let’s assume create a partition that is 100 sectors. You create an NTFS file system in that partition that has cluster size of 15 sectors per cluster.
100/15 = 6 .. and remainder of 10. — These 10 sectors are not used assigned to a cluster in the filesystem, and are unused. → 10 * 512 b. = 5kb slack space.

Answer 8

Slack Space

Question 9

There are three types of acquisition method,

1. ________ _____ acquisition images an entire physical device , including all partitions. This is a preferred method as it is exhausive.
2. _______ _____ acquisition images only a selected partition. Most commonly used on server acquisitions, where large multi partition disks may be common.
3. Logical Evidence File (LEF) images a collection of files , or folders. This method is used in scenarios where the capturing physical disks is not possible or practical. It doesn’t capture slack space at all, and requires another format (L01,AD1)

Answer 9

Physical Image
Logical

Question 10

We can do the following reconstruction method for the RAID system :

1. _______ ____________ uses software that can take all images ,a nd reconstruct the raid. Forensic software has the ability to reconstruct some common RAID
   configurations. Can also be done using vendor specific recovery tools.Might take a logical image of the reconstructed image for ease of use later.
2. ________ ____________ will only be attempted when logical reconstruction isn’t possible. In this way, Each image is restored to a clean drive, and those drives reconnected in the same physical configuration, using the same or similar controller hardware. A logical image is then taken running on this hardware.

Answer 10

Logical Reconstruction
Physical Reconstruction

Question 11

In NTFS ,

$___ is essentially the heart of the NTFS file system, acting as a database that contains records for every file and directory on an NTFS volume, Each record in the $___ includes details about a file , such as its name , size , time stamps , permissions , and the physical location of the file’s data on the disk.
Every file or folder must have its own record in the $___, which contains metadata about the file, and the location of the data itself.

Answer 11

MFT

Question 11

In NTFS ,

$______ file used by NTFS to manage disk space usage efficiently, it tracks which clusters on the volume are in use and which are free. Each. bit in the bitmap represents a single cluster on the disk → to enable the file system to find free space quickly when writing new files or expanding existing once by preventing the file system from having to scan the entire volume for free space.
- A bit set to “1” means the cluster is in use.
- A bit set to “0” indicates a free cluster.

Answer 11

Bitmap

Question 12

In FILE ,

Each file has its own FILE within the $MFT , even the$MFT it self. These records contain a small MFT header and consist of attributes that contain metadata about the file.

Question 13

________ ____ refers to the file data that is stored directly within the MFT entry of the file itself. This is possible when the data is small enough to fit within the MFT entry, typically alongside the file’s metadata.

If a file is initially resident, but then grows sufficiently that it needs to become non-resident , then it may be partially overwritten, but it is not zeroed out ( O / X )

Atributes can become resident again ( O / X )

Answer 13

Resident Data
O
X

Question 14

What will happen when a file is deleted in NTFS ?

State the three steps.

Answer 14

1. The MFT marks the FILE entry as available for reuse in its tracking attribute.a. The file’s entry in the MFT is marked as available for reuse, this is typically done by setting a flag in the file record that indicated the file has been deleted.
   b. However, the entry itself , including most of its metadata and the pointers to the data remains intact until it is overwritten by another file. This allows the possibility of recovering the deleted file’s metadata and structure.
2. The $DATA attribute of the FILE entry is read, and the $BITMAP is updat to show that the cluster runs are no longer in use.
   a. When a file is deleted, NTFS reads the $DATA attribute of the file to determine which clusters the file was using. It then updates the $BITMAP file to mark these clusters as free.
   b. This update to the $BITMAP does NOT physically erase the data, it simply marks the space as available for future use.
3. Nothing is actually wiped or deleted from either the MFT or the clusters holding data, which implies :
   1. Until the FILE entry is overwritten, the full location of the data is stored in the $DATA attributes cluster runs. Unlike FAT, we have the starting position and length of each run.
   2. The data itself is still sitting in the data clusters until they are reallocated by the system to a new file.

Question 15

____ _______ is a technique used in digital forensics to recover files based on content and data patterns directly from raw data, usually without the aid of the file system metadata.

State the process of ____ _______.

Answer 15

File Carving.

1. Data Identification : Carving starts with identifying data segments within unallocated space or entire disk images that appear to belong to files, based on data patterns or headers.
2. Extraction : Once potential file data is identified , it is extracted based on common signatures and footers.
3. Reassembly : If the file is fragmented, segments identified as belonging to the same file are reassembled in the correct order to recreate the file.

Question 16

__________ is recording a sequence of operations or transactions in a log file or journal.

Answer 16

Jornaling

Question 17

______ _____ are files that have lost their parent directory reference,meaning their directory structure has beren deleted or corrupted, but the file data itself still exists on the disk.

What are the causes of this ?

Answer 17

Orphan Files

Causes :
- Improper Shutdowns or System Crashes: If a system crashes or is improperly shutdown while files are being written or directories are being updated, it might leave files without properly linking them to a directory. In such cases, the directory entry might not be updated to reflect the file’s existence even though the file itself remains on the disk.

• Disk and File System Corruption: Corruption can occur due to various reasons like hardware failures, software bugs, or sudden power losses. Corruption might erase or damage directory entries while leaving the actual file data intact on the disk, thus creating orphan files.