Digital forensics
File System, Content, Metadata, File name, Application
5 data categories
Next available allocation strategy
Starts its search with the data unit that was most recently allocated instead of at the beginning
Volume Slack
Left-over sectors at end of volume
File Slack
a portion of a data unit (cluster) that the file doesn't fill/require
first 512-byte sector
A disk that is organized using DOS partitions has an MBR in the
Slack Space
A file must allocate a full data unit, even if it needs only a small part of it, and the unused bytes in the last data unit are called
DOS-style partition system
the most commonly encountered partition system is the
Essential file systems data
those that are needed to save and retrieve files
Non-essential file system data
those that are there for convenience but not needed for basic functionality of saving and retrieving files.
fragmented
When a file does not have consecutive data units it is called
volume
a collection of addressable sectors that an operating system or application can use for data storage.
partition
a collection of consecutive sectors in a volume.
Secondary file system partition
a logical partition in Windows; it is located inside the primary extended partition bounds and contains a file system or other structured data.
Secondary extended partition
a partition that contains a partition table and a secondary file system partition
Primary file system
a partition whose entry is in the MBR and the partition contains a file system or other structured data
Primary extended partition
a partition whose entry is in the MBR, and the partition contains additional partitions
Application
data that provide special features
RAM Slack
from the end of the file to the end of the sector; usually filled with zeros, but could reveal passwords and other data that was not supposed to be written to disk.
Data unit allocation status
for when we don't know the exact location of the evidence but we know that it is unallocated - extract and search only unallocated units for content
Cluster
a group of consecutive sectors; the number of sectors must be a power of 2, such as 1, 2, 4, 8, 16, 32, 64
Data unit viewing
is a technique used when the investigator knows the addresses where evidence may be located.
logical file system level searching
search that looks in each data unit for a specific phrase or value - a volume search
First Available allocation strategy
searches for an available data unit starting with the first data unit in the file system - results in more fragmentation
File name
"human interface" of files
bootcode, a partition table, and a signature value
The MBR contains...
Content
Category that contains file data
"Best fit" allocation strategy
Searches for consecutive data units that fit the needed amount of data
File System
Category that contains general info about or map of the File System
Metadata
Category that contains information about files
Motive, opportunity, and means (MOM)
Shows trier of fact that the accused could have and would have done what he/she is accused of doing.