Week 3 - Disk and Filesystem Forensics

Question 1

CPU

Answer 1

brain of the computer. Does all the calculations and runs instructions from

Question 2

Core 1

Answer 2

one processing unit inside CPU

Question 3

Registers

Answer 3

super fast, tiny storage spots inside the CPU. Holds data and instructions CPU is currently working on (fastest memory but only a handful of bytes each)

Question 4

L1 Cache

Answer 4

very small, extremely fast memory right next to/inside each core. Stores the most frequently used data & instructions so the CPU doesn’t have to wait

Question 5

Difference between L1 and L3 Cache

Answer 5

larger and slower

Question 6

PCI Express

Answer 6

high-speed connection bus standard used to connect motherboard components to peripherals e.g. SSD

Question 7

PCIe SSD

Answer 7

solid state drive that plugs into PCIe slot (very fast storage)

Question 8

NVME SSD

Answer 8

fastest type of PCIe SSD. Uses NVMe protocol to get max speed out of PCIe lanes

Question 9

RAM

Answer 9

Holds program and data CPU is actively using. Fast but volatile

Question 10

Chipset

Answer 10

Set of chips on motherboard that manages communication between CPU, RAM, storage, USB ports

Question 11

BIOS

Answer 11

Basic firmware stored on chip on motherboard. Boots OS, checks hardware with Power-On-Self-Test (POST).

UEFI used for newer system

Question 12

SATA

Answer 12

Older connection for hard drives and SSDs. Slower and cheaper than PCIe/NVMe used in older models

Question 13

USB

Answer 13

Universal Serial Bus. Standard port for plugging in peripherals

Question 14

Types of Computer Memory with examples

Answer 14

Non-volatile – retain data without power
In chip – ROM, EPROM
Disks – HDD, SSD, CD
Volatile – loses data without power
In-processor – Registers
SRAM (cache)
DRAM -RDRAM, EDO RAM

Question 15

What is the layered design approach for forensic analysis?

Answer 15

Start at lowest (most raw) level → higher human-readable layers
Prevents missing/altered/hidden data and defeats anti-forensics tricks

Question 16

Layered Design Layout

Answer 16

Physical storage media analysis
Vol Analysis Mem Analysis
File sys, DB, Swap space analysis
Application/OS analysis

Question 17

What happens at Physical Storage Media Analysis of Layered Design?

Answer 17

Examine raw physical hardware e.g. HDD, platters, SSD
Goal: acquire bit-for-bit raw image.
Look for: bad sectors, magnetic signals, hidden areas.
Avoid relying on OS interpretation.

Question 18

What happens at Volume Analysis of Layered Design?

Answer 18

Treats physical media as logical volumes/partitions.
Examine partition tables (MBR/GPT), unallocated spaces, RAID setups, LVM etc
Goal: map layout, recover deleted partitions, identify file-system areas.

Question 19

What is RAID?

Answer 19

Redundant Array of Independent Disks - combines multiple hard drives or SSDs into a single logical unit to improve data performance, storage capacity, and reliability

Question 20

What happens at File System Analysis of Layered Design?

Answer 20

Interprets structure on a volume (e.g. NTFS, ext4, FAT, APFS)

Recovers files, examines timestamps, slack space, unallocated clusters, and hidden data inside a file system

Goal: recover deleted files, build timelines, detect hiding in slack/unallocated space

Question 21

What happens at Application/OS Analysis of Layered Design?

Answer 21

Highest layer – interprets OS and application-specific data.
Examines file contents
Goal: prove intent, malware behaviour, user actions.

Question 22

Why does the layered forensics model become increasingly abstract as you move from physical storage → volumes → file systems → applications?

Answer 22

• Volume = storage location for user/application (partitions, RAID)
• File system = organisation of files
• Application & user activity
  Helps systematically recover evidence at every level.

Question 23

A forensic investigator lacks understanding of the layered model. What two major risks does this create?

Answer 23

Opportunities for evidence to be hidden (at any layer)
Potential problems recovering, finding, and piecing together evidence
(increasing storage complexity and size)

Question 24

How does data location differ between HDD, CD/DVD, and SSD?

Answer 24

• HDD: Cylinder + Head + Sector (CHS)
• CD/DVD: Track + Sector
• SSD: Dies + Plane + Blocks

Each device needs a unique method to locate data → LBA was created to homogenise access.

Question 25

What are bad sectors? How is this a forensic issue?

Answer 25

Sector that is unreadable leading to data corruption or loss Forensic issue: No perfect disk clone possible

Question 26

What cases bad sectors?

Answer 26

Hard – physical defects Soft – magnetic defects, viruses, corruption

Question 27

what does SATA-IDE controller do to bad sectors?

Answer 27

maintains bad sector map to relocate sectors

Question 28

CHS Addressing (Cylinder-Header-Sector) Formulae

Answer 28

cylinders x heads x sectors x bytes

Question 29

What are CHS used for?

Answer 29

Used to identify physical data blocks on HDD specifying precise location using parameter

Question 30

What limitation does CHS addressing face and why?

Answer 30

250 GB drive only gives 8GB Fixed bit size for CHS addresses Assumption that heads (not cylinders) would increase Hardware growth outpaces the scheme

Question 31

Problem and Solution for CHS addresing

Answer 31

Problem: cannot address large disks, many hardware translation issues Solution – LBA, BIOS performs address translation, less need to know physical geometry

Question 32

LBA Addressing Formulae

Answer 32

LBA = (C x HPC + H) x SPT + (S – 1) HPC - max heads per cylinder = 255 SPT - max sectors per track = 63

Question 33

Forensic benefits of LBA

Answer 33

Homogenises access to non-volatile memory Drives present data as linear series of logical blocks (each block = sectors) with unique LBA

Question 34

Who ultimately converts an LBA address into the actual physical location on an HDD or SSD?

Answer 34

Disk firmware (not OS or BIOS) BIOS only translates OS requests; firmware performs final LBA → CHS or LBA → Flash mapping

Question 35

Disk cloning - purpose, includes, why?

Answer 35

Purpose: Perfect sector-by-sector (block-by-block) copy of entire drive Includes: used space + unused/free space (deleted files, slack space, unallocated) why? Maintains chain-of-custody – evidence is not altered

Question 36

Forensic Issue with Disk cloning

Answer 36

No perfect clone exists (different bad-sector mapping on each physical drive) Be prepared to explain this in court

Question 37

Disk Wiping

Answer 37

Block-level overwriting of every sector with meaningless data. Makes original information permanently unrecoverable.

Question 38

Disk Partitioning

Answer 38

Set of rules that defines how a physical storage drive is divided into separate logical sections (partitions)

Question 39

Difference between MBR GPT features

Answer 39

Max disk size 2TB 9.4ZB Max partition size 2TB 256TB Max partitions 4 128 BIOS Support Yes No (UEFI only) UEFI Support Yes Yes standards for organising partitions

Question 40

MBR

Answer 40

Master Boot Record - legacy simple

Question 41

GPT

Answer 41

GUID Partition Table - modern, backup tables, protective MBR for compatibility

Question 42

Forensic Issues – Partitioning (critical documents)

Answer 42

Operating system information Partition tables Unaddressed space Hidden partitions

Question 43

Places to hide outside normal partitions (6)

Answer 43

Volume slack (unfilled track) Sectors/tracks falsely marked bad Disk geometry translation gaps Altered boot sector size Hidden partition (not in table) Unallocated space on disk / inside logical partitions

Question 44

Different RAID levels

Answer 44

0 (striping) 1 (mirroring) 1+0, 5 (stripping with parity across drives) 6 (stripping with dual parity across drives)

Question 45

Forensic Issues with RAID

Answer 45

Image each drive separately or the logical volume? Live image (RAID running) or dead image (boot CD)? Last MB of drive usually contains RAID metadata Logical reassembly needs exact config: level, order of drives, stripe size & direction

Question 46

Key core functions of filesystem

Answer 46

Method to organise, store, name, retrieve files on a partition Acts as digital librarian: manages metadata + data blocks Controls access ensuring efficient storage/retrieval

Question 47

Simplified Filesystem Structure (10)

Answer 47

metadata root structure folder name folder structure file name times (last accessed, modified created) owners/groups security permission pointers to data data

Question 48

Why may a deleted file be recoverable from the disk.

Answer 48

File system deletion behaviour means data is not erased Only remove the directory entry and mark space as free. Actual data + metadata bits remain until overwritten by new data. Recovery possible until overwritten.

Question 49

FAT File System

Answer 49

Tree of linked lists, cluster allocated to files Low performance, high simplicity Times: Creation, Modification, Access (no Changed time) Precision: 2 seconds

Question 50

FAT Benefit and Drawback

Answer 50

compatible with everything but lacks security and handles power failures poorly

Question 51

NTFS File System

Answer 51

A complex, robust database for Windows. MACE Timestamps (Modified, Accessed, Create, Entry modified) Precision: 100ns Block size: 4KB default (up to 2MB)

Question 52

How does NTFS work?

Answer 52

Everything stored on Master File Table (MFT) - central index hold metadata for every file + directory on drive

Question 53

Single Indirectiom

Answer 53

The file record points to a descriptor (the extent), which then tells the system where the actual data is.

Question 54

EXT4 File System

Answer 54

The high-performance standard for Linux Block size: 4 KB default (range 1 KB–64 KB) Time precision: 1 nanosecond

Question 55

How EXT4 works?

Answer 55

Uses inodes to store file metadata and extents (contiguous blocks of data) to reduce fragmentation Super Block: master reference (size, block size, inode counts, etc.) Block Groups: groups of blocks containing inode tables Inode: metadata structure (permissions, owner, timestamps, pointers) – no filename Bitmaps: track free blocks and inodes Inode pointers: direct + single + double + triple indirect

Question 56

File System Forensic Use Cases

Answer 56

Recovery of Deleted Files/Folders Precise timing of File Actions Authentication/Authorisation Related to a File

Question 57

From a forensic perspective, why is it useful that users cannot control the exact physical location of their data on the drive?

Answer 57

User cannot control physical location of storage User cannot control deletion of evidence from hard drive Opportunities to recover (partial) files, reconstruct timelines (especially NTFS), detect hidden data in alternate streams, etc.