Disk forensics is the examination of hard drives, solid-state drives, and other persistent storage media to extract and analyse evidence. It encompasses the analysis of partitions, file systems, operating system artefacts, user activity, and hidden data. Disk forensics is often the starting point for computer-based investigations.
| Storage Type | Interface | Forensic Considerations |
|---|---|---|
| HDD (Hard Disk Drive) | SATA, IDE, SAS | Magnetic storage; data may persist after deletion; easier to recover overwritten data |
| SSD (Solid State Drive) | SATA, NVMe, M.2 | Flash storage; TRIM command may zero deleted blocks; wear levelling complicates recovery |
| USB flash drive | USB | Similar to SSD; may use FAT32 or exFAT |
| External drive | USB, Thunderbolt | May be HDD or SSD; same principles apply |
| SD card / microSD | SD interface | Flash storage; commonly used in cameras and mobile devices |
What happens to file contents on deletion differs between media:

```text
Traditional HDD:
Delete file ──▶ Metadata updated ──▶ Data remains on disk until overwritten

Modern SSD with TRIM:
Delete file ──▶ Metadata updated ──▶ TRIM command sent ──▶ Blocks zeroed by controller
                                                            (Data may be irrecoverable within seconds)
```
Tip: When seizing an SSD, remove power as quickly as possible. The SSD controller may continue garbage collection and TRIM operations even while the system appears idle, destroying potential evidence.
Before examining files, an examiner must understand the disk's partition layout:
| Partitioning Scheme | Description |
|---|---|
| MBR (Master Boot Record) | Legacy scheme; up to 4 primary partitions; 2 TB maximum disk size |
| GPT (GUID Partition Table) | Modern scheme; up to 128 partitions; supports disks larger than 2 TB |
| Tool | Description |
|---|---|
| mmls (Sleuth Kit) | Lists partition layout of a forensic image |
| fdisk -l | Lists partitions on a device |
| gdisk | GPT-aware partition tool |
| Autopsy | GUI-based; automatically parses partitions |
```bash
# List partitions in a forensic image using The Sleuth Kit
mmls /evidence/case001/disk.img

# Example output (offsets and lengths are in 512-byte sectors):
# DOS Partition Table
# Offset Sector: 0
# Units are in 512-byte sectors
#
#      Slot      Start        End          Length       Description
# 000: Meta      0000000000   0000000000   0000000001   Primary Table (#0)
# 001: -------   0000000000   0000002047   0000002048   Unallocated
# 002: 000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)
# 003: 000:001   0001026048   0977770495   0976744448   NTFS / exFAT (0x07)
```
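The layout mmls prints is read straight from the 16-byte entries in sector 0 of the image. The following added example (written for this lesson, not part of the course or of The Sleuth Kit) parses those four MBR entries from a constructed sector and reports the same start/length values as the mmls output above, including the unallocated gap before the first partition; the sector size, the sample layout and the helper names are assumptions.

```python
import struct

SECTOR = 512  # sector size assumed by this example (mmls default)

def parse_mbr(sector0: bytes) -> list:
    """Parse the four primary MBR entries; returns dicts with slot/type/start/end/length in sectors."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    parts = []
    for slot in range(4):
        entry = sector0[446 + slot * 16:446 + (slot + 1) * 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) LBA-length(4), little-endian
        status, ptype, start, length = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or length == 0:
            continue  # empty slot
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "start": start, "end": start + length - 1, "length": length})
    return parts

def layout(parts: list, total_sectors: int) -> list:
    """Insert 'Unallocated' rows (type None) for gaps between partitions, as mmls does."""
    rows, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:  # space no partition claims: worth imaging and carving too
            rows.append({"type": None, "start": cursor, "end": p["start"] - 1,
                         "length": p["start"] - cursor})
        rows.append(p)
        cursor = p["end"] + 1
    if cursor < total_sectors:  # slack after the last partition
        rows.append({"type": None, "start": cursor, "end": total_sectors - 1,
                     "length": total_sectors - cursor})
    return rows

def build_mbr(entries) -> bytes:
    """Build a constructed sample MBR (not a real disk) from (type, start, length) tuples."""
    buf = bytearray(SECTOR)
    for i, (ptype, start, length) in enumerate(entries):
        buf[446 + i * 16:446 + (i + 1) * 16] = struct.pack(
            "<B3sB3sII", 0, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, length)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

if __name__ == "__main__":
    # Constructed layout mirroring the mmls output above: two NTFS (0x07) partitions
    sample = build_mbr([(0x07, 2048, 1024000), (0x07, 1026048, 976744448)])
    for r in layout(parse_mbr(sample), 977770496):
        desc = "Unallocated" if r["type"] is None else f"type 0x{r['type']:02x}"
        print(f"{r['start']:010d} {r['end']:010d} {r['length']:010d} {desc}")
```

Only classic MBR tables are handled here; a GPT disk carries a protective 0xEE entry in slot 0 and its real table lives in the following sectors.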
Windows systems contain numerous forensically significant artefacts:
| Hive | Location | Key Evidence |
|---|---|---|
| SAM | C:\Windows\System32\config\SAM | User accounts and password hashes |
| SYSTEM | C:\Windows\System32\config\SYSTEM | Hardware configuration, computer name, timezone |
| SOFTWARE | C:\Windows\System32\config\SOFTWARE | Installed software, OS version, registered applications |
| NTUSER.DAT | C:\Users\<username>\NTUSER.DAT | User-specific settings, recent documents, search history |
| UsrClass.dat | C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat | ShellBags (folder access history) |