Working with forensics, you need to be familiar with a variety of storage formats. Specifically, you should be familiar with the various hard drive types, file systems, and journaling. This section reviews a variety of storage and file formats and explores additional issues with storage formats.
Although mobile devices, like smartphones and tablets, are a growing part of forensic work, computers are still the biggest target of forensic investigations. Most computers utilize magnetic media. Hard drives and floppy drives are types of magnetic media. Essentially, the data is organized by sectors and clusters, which are in turn organized in tracks around the platter. A typical sector is 512 bytes, and a cluster can be from 1 to 128 sectors.
Because the data is stored magnetically, the drives are susceptible to magnetic interference. This can include being demagnetized. If a drive has been demagnetized, there is no way to recover the data. You should transport drives in special transit bags that reduce electrostatic interference. This reduces the chance of inadvertent loss of data.
There are five types of magnetic drives:
Integrated Drive Electronics (IDE)
Extended Integrated Drive Electronics (EIDE)
Parallel Advanced Technology Attachment (PATA)
Serial Advanced Technology Attachment (SATA)
Serial SCSI
These drive types refer to the connection between the drive and the motherboard, as well as the total capacity of the drive, but they are all magnetic drives.
It is important to remember that because magnetic drives have moving parts in them, they are also susceptible to physical damage. If you drop a drive, you may render the data inaccessible. This is why you must take care when handling magnetic drives.
Solid-state drives (SSDs) use microchips, which retain data in nonvolatile memory chips and contain no moving parts. Most SSDs use Negated AND (NAND) gate–based flash memory, which retains memory even without power. Because there are no moving parts, these drives are usually less susceptible to physical damage than magnetic drives are.
One reason these drives are so popular is that they generally require one-half to one-third the power of hard disk drives (HDDs). The start-up time for SSDs is usually much faster than for magnetic storage drives. However, they are still more expensive than magnetic drives and usually have a lower capacity. They are often used in tablets and in some laptops. This means that you are likely to encounter them at some point in your forensic career.
If these drives are internal, they can use the same interfaces magnetic drives use, including SCSI and SATA. However, if connected externally, it is most common for them to have a universal serial bus (USB) connection.
Both magnetic and solid state drives include a few features that are important for forensics:
Host protected area (HPA): This was designed as an area where computer vendors could store data that is protected from user activities and operating system utilities, such as delete and format. To hide data in the HPA, a person would need to write a program to access the HPA and write the data.
Master boot record (MBR): This requires only a single sector, leaving 62 empty sectors of MBR space for hiding data.
Volume slack: This is the space that remains on a hard drive if the partitions do not use all the available space. For example, suppose that two partitions are filled with data. When you delete one of them, its data is not actually erased; the space becomes volume slack, and the data remains there, hidden from the operating system.
Unallocated space: An operating system can’t access any unallocated space in a partition. That space can contain hidden data.
Good blocks marked as bad: Suppose that someone manipulates the file system metadata to mark perfectly usable blocks as bad. The operating system will no longer access these blocks. These blocks can then be used to hide data.
File slack: File slack is the unused space that is created between the end of file and the end of the last data cluster assigned to a file.
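As an added example (not part of the original text), the following Python builds a constructed MBR sector, parses its partition table, and maps the hiding places listed above: the unused sectors between the MBR and the first partition, unallocated gaps between partitions, volume slack at the end of the disk, and file slack for a file of a given size and cluster size. All sector numbers, partition types and sizes are constructed sample values, not taken from a real disk.

```python
import struct

SECTOR = 512  # bytes per sector, as the text above assumes

def build_mbr(partitions):
    """Construct a 512-byte MBR sector (sample data, not from a real disk).
    partitions: list of (type_byte, start_lba, sector_count)."""
    table = b"".join(
        # status, CHS start (unused here), type, CHS end (unused), LBA start, count
        struct.pack("<B3sB3sII", 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for ptype, start, count in partitions
    )
    table += b"\x00" * (16 * (4 - len(partitions)))  # pad to four entries
    return b"\x00" * 446 + table + b"\x55\xAA"  # boot code, table, signature

def parse_mbr(sector):
    """Return (type, start_lba, count) for each used entry after checking the 0x55AA signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        _st, _chs0, ptype, _chs1, start, count = struct.unpack("<B3sB3sII", entry)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def hidden_areas(sector, disk_sectors):
    """List (label, first_sector, length) for space no partition covers: the gap after
    the MBR, unallocated gaps between partitions, and volume slack after the last one."""
    areas, prev_end = [], 1  # sector 0 holds the MBR itself
    for _ptype, start, count in sorted(parse_mbr(sector), key=lambda p: p[1]):
        if start > prev_end:
            label = "mbr_gap" if prev_end == 1 else "unallocated"
            areas.append((label, prev_end, start - prev_end))
        prev_end = max(prev_end, start + count)
    if disk_sectors > prev_end:
        areas.append(("volume_slack", prev_end, disk_sectors - prev_end))
    return areas

def file_slack(file_size, sectors_per_cluster):
    """Bytes between the end of a file and the end of its last cluster."""
    return -file_size % (SECTOR * sectors_per_cluster)

if __name__ == "__main__":
    # Constructed layout: a partition at sector 63 (62 unused sectors after the MBR),
    # a second one after a gap, on a 409600-sector disk that is not fully partitioned.
    mbr = build_mbr([(0x07, 63, 204800), (0x83, 210000, 102400)])
    print(hidden_areas(mbr, 409600))
    print(file_slack(5000, 8))  # 5000-byte file in 4096-byte clusters
```

Running it against a real image would mean passing the image's first 512 bytes and its total sector count; any region the function reports is a place an examiner should carve and hash rather than ignore.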
Although many organizations are moving from electronic backups to optical media or even direct network backups to an off-site location, digital audio tape (DAT) drives are still widely used. DAT drives are among the most common types of tape drives. DAT uses 4-mm magnetic tape enclosed in a protective plastic shell. Even though this looks very similar to audio tapes, the recording is digital rather than analog.
From a forensic point of view, it is important to remember that these tapes do wear out, just like audio tapes. If you are old enough to remember cassette or 8-track tapes, you’ll recall that these tapes would, from time to time, become stretched and worn and no longer usable. The same thing happens with the DAT tapes. In fact, network administrators are admonished to replace them periodically.
The DAT tapes you encounter will most likely contain archived/backup data that you need to analyze. Make certain you first forensically wipe the target drive so you can be sure that there is no residual data on that drive. You then need to restore the tape's contents to the target hard drive (magnetic or solid state) in order to analyze them.
Digital Linear Tape (DLT) is another type of tape storage, more specifically a magnetic tape. The DLT technology relies on a linear recording method. The tape itself has either 128 or 208 total tracks. This technology was first invented by Digital Equipment Corporation (DEC). This tape, like DAT, is used primarily to store archived data. So, as with DAT, you need to make sure you have a forensically wiped hard drive to restore the data to and then restore the data to that hard drive in order to analyze it.
Like hard disks, optical media such as CD-ROMs use high and low polarization to set the bits of data; however, CDs have reflective pits that represent the low bit. If the pit is nonexistent, the data is a 1; if the pit exists, it’s a 0. The laser mechanism actually detects the distance the light beam has traveled in order to detect the presence or absence of a pit. This is why scratches can be problematic for optical media.
Since the advent of the original compact disc, there have been enhancements. These enhancements still utilize the same optical process, but have larger capacity. The DVD (or digital video disc) can hold 4.7 gigabytes (GB) for a one-sided DVD and 9.4 GB for a double-sided DVD. This technology uses a 650-nm wavelength laser diode light as opposed to 780 nm for CDs. The smaller wavelength allows DVDs to use smaller pits, thus increasing storage capacity.
Blu-ray discs are the successor to the DVD and store up to 25 GB per layer, with dual-layer discs storing up to 50 GB. There are also triple- and quadruple-layer discs, such as the Blu-ray Disc XL, that allow up to 150 GB of storage. Although Blu-ray discs are primarily associated with movies, you can certainly store data on them. And for smaller organizations, the Blu-ray disc can be an attractive backup medium.
Just like all other storage devices, a Blu-ray disc should be forensically copied to a clean, forensically wiped drive for analysis. No matter what the media, you never work with the original suspect storage if it is at all possible to avoid it.
Universal serial bus (USB) is actually a connectivity technology, not a storage technology. USB can be used to connect to external drives that can be either magnetic or solid state. Small USB flash drives, also known as thumb drives, are also quite common. These drives can be easily erased or overwritten, so it is important to copy the data from the USB drive to a target forensic drive for analysis. You must, of course, document the copying process and ensure nothing was missed or altered.
USB thumb drives have no moving parts. Each bit is set by using a two-transistor cell, and the value is changed in each cell using a technique called Fowler-Nordheim tunneling. The memory bank then communicates with the computer using a controller and USB interface, much like a hard disk communicates over IDE or SCSI. Because there are no moving parts, these drives are resilient to shock damage (i.e., dropping them probably won’t hurt them). From a forensic point of view, you should remember that many of these drives come with a small switch to put them in read-only mode. Use this whenever you are extracting data for investigation. If the drive is in read-only mode, it is unlikely you will accidentally alter the data.
In addition to physical means of storing data, there are a variety of file formats for storing forensic data on a given storage device. It is important that you have a working knowledge of these formats for forensic analysis.
The Advanced Forensic Format (AFF) was invented by Basis Technology. It is an open file standard with three variations: AFF, AFM, and AFD. The AFF variation stores all data and metadata in a single file. The AFM variation stores the data and the metadata in separate files. The AFD variation stores the data and metadata in multiple small files. The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. The Sleuth Kit and Autopsy both support this file format.
The EnCase format is a proprietary format that is defined by Guidance Software for use in its EnCase tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source.
Gfzip is another open-source file format used to store evidence from a forensic examination.
The iLook image format is a proprietary file format used by the iLook tool. This tool was developed by the U.S. Internal Revenue Service (IRS) and is restricted to law enforcement and government use only.