Join Jungwoo Ryoo for an in-depth discussion in this video, Understanding disk drives, part of Computer Forensics Essential Training.
Hard disk drives are widely used today and provide a relatively cheap way of storing data. As a computer forensics specialist, you often have to recover data from hard disk drives. And therefore, it is essential to understand how they work to do your job effectively as a computer forensic specialist. Let's get started by learning some terminology. There are multiple disks inside your hard disk drive. Those are called platters. On both sides of the platters, you have read/write heads.
There's one read/write head on one side. There's another one on the other side, as you can see in the picture. This platter is divided into tracks and sectors for addressing purposes. As you can see in the picture, tracks are concentric circular patterns on which data is written. Sectors are evenly divided sections of a track, which typically holds 512 bytes of data. The reason why your platter is divided into tracks and sectors is that they allow you to locate a piece of information when there is a need.
Based on the track number and…
- Understanding computer forensics
- Understanding partitioning
- Using a hex editor
- Preparing a target drive
- Acquiring data
- Ensuring data integrity with hashing
- Indexing and searching
- Generating a report
Skill Level: Intermediate
Q: Which operating systems support built-in write blocking?
A: Microsoft introduced the registry concept into its OS with the release of Windows 95. As a result, registry-based write blocking has been available since then. In this course, we tested registry-based write blocking on both Windows 7 and Windows 8.
If for whatever reason your OS doesn’t support registry-based write blocking, you can enable software-based write blocking via a forensics software suite such as EnCase. Finally, if all else fails, you can always use hardware write blockers.
Q: Are there other ways to access deleted files in the usbimage.001 file?
A: When opening the usbimage.001 file in Autopsy and trying to recover the deleted file (i.e. dreamCar.jpg), as shown in the chapter 5 movie “Searching,” if you don’t see the deleted file in the Data Sources tree, you can still view and extract the deleted file in the Views tree as shown below.
[Image: faq2.jpg]