CFHI Section 2 (Ch. 3/4)

What is Areal density?

# of bits / sq. inch on a platter

What is Track density?

# of tracks in the hard disk

What are the NTFS System Files?

$attrdef - contains definitions of all system & user-defined attributes of the volume $badclus - all bad clusters $bitmap - bitmap for the entire volume $boot - volume bootstrap $logfile - used for recovery $mft - a record for every file $mftmirr - mirror of $mft used for recovery $quota - disk quota list for all users $upcase - converts characters into uppercase UNICODE $volume - volume name & version number

What is the general UEFI boot process

* platform firmware initialization * boot manager loads UEFI drivers and UEFI applications (including UEFI OS boot loaders) to initialize platform functions * The system loads the OS loader at the final stage and then OS starts booting. * Once the OS receives the controls, it halts the UEFI boot service.

What is Unicode?

- a computing standard, developed along with the Universal Coded Character Set (UCS) standard for encoding, representation, and management of texts. It provides a unique number for every character, irrespective of the platform, program, and language. Unicode contains more than 128,000 characters from about 135 modern and historic scripts.

What is the Attribute ID that NTFS sets when a volume in encrypted?

0x100

How do you calculate disk capacity?

1 disk * (# cylinders / disk) * (# heads / cylinder) * (1 track / head) * (# sectors / track) * (512 bytes / sector) = Total bytes

What are the Cluster Sizes for NTFS Volumes?

1. 512 MB or less = 512 bytes cluster 2. 513 MB - 1 GB = 1 KB cluster 3. 1 GB - 2 GB = 2 KB cluster 4. Larger then 2 GB = 4 KB cluster

What is a file system?

1. A File system is a set of data types, which is employed for storage, hierarchical categorization, management, navigation, access, and recovering of data 2. Major file systems include FAT, NTFS, HFS, Ext2, Ext3, etc...

Master Boot Record (MBR)

1. A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk 2. The information regarding the files on the disk, their location, size, and other important data is stored in the Master Boot Record file

Describe the NTFS Master File Table (MFT)

1. A relational database which consists of information related to the files and the file attributes 2. The rows consist of file records and the columns consist of file attributes 3. It has information of every file on the NTFS volume including information about itself 4. It has 16 records reserved for system files

How are Tracks described?

1. A track is a concentric circular ring on both sides of each platter 2. Drive head can access this circular ring in one position at a time 3. Tracks are numbered for identification purposes 4. Read-write is done by rolling heads from inner to outermost part of the disk 5. Track Numbering a. Begins from 0 at outer edge and moves towards the center, typically reaching a value of 1023 b. Heads are moved in and out jointly so that both heads are always located together at the same track number c. A cylinder is a group of all tracks that start at the same head position on the disk

What is a Logical Block Address (LBA)?

1. Addresses data by allotting a sequential number to each sector of the hard disk 2. Used on SCSI and enhanced IDE drives

What is Cylinder-Head-Sector (CHS)?

1. Addresses data by simply specifying the cylinder (radius), head (platter side), and sector (angular position) 2. Used on most IDE drives

What are the Advantages of GPT disk layout?

1. Allows users to partition disks larger than 2 terabytes 2. Allows users to have 128 partitions in Windows using GPT partition layout (The Microsoft implementation of GUID Partition Table is limited to 128 partitions. However, it is important to note that one partition is used for the EFI System Partition, one for the Microsoft Reserved and two more are used if you use dynamic disks. This leaves 124 partitions for data use.) 3. Partition and boot data is more secure, because GPT stores data in multiple locations across the disk 4. Uses Cyclic Redundancy Check (CRC) to ensure data integrity 5. Uses CRC32 checksums that detect errors in the header and partition table

What command would you use to convert EXT2 to EXT3?

1. Command to convert Ext2 to Ext3 file system: # /sbin/tune2fs -j <partition-name>

What are the Main physical components of a hard drive?

1. Cylinders - the circular tracks present on the platters of the disk drive at equal distances from the center that are used to form a barrel like structure that groups the tracks together between the platters 2. Head - a device present on the arm of the hard drive that reads or writes data on the magnetic platters 3. Platter - disk like structures stacked together and used to store data 4. Spindle - the spinning shaft on which holds the platters in a fixed position so that the read/write arms can read the data on the disks 5. Actuator - a small motor that takes instructions from the drive's circuit board to control the movement of the read/write arm and supervise the transfer of data to and from the platters. It's responsible for ensuring the read/write heads are in exactly the right place at all times.

Describe EXT4

1. Designed as a replacement for EXT3 2. Supported in Linux Kernel v2.6.19 onward 3. Maximum file size of 16TB and volume size of 1 Exabyte

What are the GUID Identifiers?

1. GPT scheme provides GUIDs which are of investigative value as they are unique and hold potential information about entire disk and each partition 2. GUIDs possess unique identifying information for both disks and individual partitions 3. Use tools such as UUID to decode various versions of GUID/UUID

What is the MBR used for?

1. Holding a partition table which refers to the partitions of a hard disk (64 bytes in size) 2. Holding the Master Boot Code which implements the following functions: a. Examines the partition table to find the active partition b. Locates the first sector of the active partition c. Loads a boot sector copy from the active partition into memory d. Transfers control to the executable code in the boot sector 3. Recognizing individual hard disk media with a 32-bit disk signature

Describe EXT2

1. Inode is a basic building block of the Ext2 file system 2. Each file and directory is described by a single inode 3. Inodes for each file system block are placed together in an inode table

What are the Disk drive types?

1. Magnetic Storage - Floppy Drives, Tape Drives 2. Optical Storage - CD | DVD | Blue Ray 3. Flash Memory Storage - USB | BIOS | SD cards 4. HDD 5. SSD (NAND based and Volatile RAM based)

Describe NTFS Alternate Data Streams (ADS)

1. NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file 2. A handle can be opened to each data stream 3. A data stream is a unique set of file attributes 4. When you copy an NTFS file to a FAT volume, data streams and other attributes not supported by FAT are lost An example of an alternate stream is: C:\>notepad sample.txt:secret.txt

What is an alternate method in Windows to check partition style?

1. Open "Computer Management" application and click "Disk Management" in the left pane. Right-click on the primary disk and then click "Properties". 2. In the Device Properties window, click the "Volumes" tab to see the partition style.

How are Platters described?

1. Platters are the round flat disks that hold data 2. Platters are made up of a substrate material & a magnetic coating 3. Data is written onto both sides of the platter

What are some Hard Drive Interfaces?

1. SCSI (Small Computer System Interface) - It enables connection of up to 16 peripheral devices to one PCI board 1. ATA - Advanced Technology Attachment a. Serial - half duplex channel @ 1.5 Gbps up to 6 Gbps b. Parallel - cable length up to 18 inches 2. USB - Universal Serial Bus 3. Fibre Channel - a point-to-point bi-directional high-speed network interface, which supports data transfer rates of up to 40 Gbps 4. IDE/EIDE - Integrated Drive Electronics Master/Slave 5. Serial Attached SCSI (SAS) - a point-to-point serial protocol that handles data flow among the computer storage devices such as hard drives and tape drives. (can support up to 65,535 devices)

What are the Types of file systems?

1. Shared disk 2. Special purpose 3. Tape 4. Flash 5. Database 6. Network 7. Disk

What is the Macintosh Boot Process?

1. Starts with the activation of BootROM, which initializes system hardware and selects an operating system to run 2. Once you power on the Macintosh, BootROM performs the POST to test the hardware interfaces required for startup 3. On PowerPC-based Macintosh computers, Open Firmware initializes the rest of the hardware interfaces 4. On Intel-based Macintosh computers, EFI initializes the rest of the hardware interfaces 5. After initializing the hardware interfaces, the system selects the operating system 6. If the system contains multiple operating systems, then it allows the user to choose the particular operating system by holding down the Option key 7. Once the BootROM operation is finished, the control passes to the 8. BootX (PowerPC) or boot.efi (Intel) boot loader, which is located in the /System/Library/CoreServices directory 9. The boot loader loads a pre-linked version of the kernel, which is located at /System/Library/Caches/com.apple.kernelcaches 10. If the pre-linked kernel is missing, the boot loader attempts to load the mkext cache file, which contains a set of device drivers. 11. If the mkext cache file is also missing, the boot loader searches for drivers in the /System/Library/Extensions directory 12. Once the essential drivers are loaded, the boot loader starts initialization of the kernel, Mach and BSD data structures, as well as the I/O kit 13. The I/O kit uses the device tree to link the loaded drivers to the kernel 14. The launchd, which has replaced the mach_init process, runs startup items and prepares the system for the user

What is the FAT windows file system?

1. Stores all the files and resides at the beginning of the volume 2. FAT contains three different versions (FAT12, FAT16, and FAT32) and differs due to the size of the entries in the FAT structure 3. Layout a. Reserved Area - 1 sector in size including data for the file system itself b. FAT Area - Contains the FAT structures c. Data Area - Contains the clusters allocated to store the file & directory data 4. FAT Partition Boot Sector is the first 512 bytes of the FAT file system. a. Holds data that the file system uses to access the partition or volume. (called a SUPER BLOCK in UNIX)

What are the 3 stages of the Linux Boot Process?

1. The BIOS Stage - initializes system hardware during the booting process. 2. The Bootloader Stage - loads the Linux Kernel and RAM disk (if used). 3. Kernel Stage - the virtual root file system created by the initrd image executes the Linuxrc program. This program generates the real file system for the kernel and later removes the initrd image. The kernel then searches for new hardware and loads any suitable device drivers found. It then mounts the actual root file system and then performs the init process. The init process reads the file "/etc/inittab" and uses this file to load the rest of the system daemons.

Describe File System Analysis Using The Sleuth Kit (TSK)

1. The Sleuth Kit (TSK) is a library and a collection of command line tools that allow to investigate volume and file system data 2. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks 3. It analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file systems and disk images 4. It supports the NTFS, FAT, ExFAT, UFS 1, UFS 2, EXT2FS, EXT3FS, EXT4, HFS, ISO 9660, and YAFFS2 file systems

What is Slack Space?

1. The free space on the cluster after writing data on that cluster 2. If the size of the stored data is less than the cluster's size, the unused area remains reserved for the file, resulting in slack space

How are Cluster defined?

1. The smallest allocation unit of a hard disk 2. A set of tracks & sectors from 2 - 32 grouped together 3. Typically 4K in size, but dependent on the size of the disk partition 4. Lost clusters are a File Allocation Table (FAT) error that results when the operating system marks clusters as used but does not allocate them to any file. They are a logical structure error and not a physical disk error. Lost clusters occur when the use does not close files properly or shuts down a computer without closing an application. Programs that check the disk can be used to find and recover lost clusters (chkdsk)

How are Sector described?

1. The smallest physical storage unit on the disk platter 2. Normally holds 512 bytes of data and a few additional bytes for drive control and error correction | Advanced Formatting uses 8 512 byte sectors bound together into a 4K (4096 byte) sector 3. Data is stored on the disk in a contiguous series, so if the file's size is 850 bytes, two 512 sectors are allocated for the file 4. Bad sectors refer to the areas of a hard disk that no longer support read or write activity due to a flaw

Describe HFS+

1. Volumes are divided into logical blocks (sectors) of size 512 bytes 2. These sectors are clustered into allocation blocks 3. Total number of allocation blocks depends on the volume size 4. The bulk of an HFS+ volume consists of seven types of sectors: User file fork Allocation file Catalog file Extent overflow file Attribute file Startup file Unused space

Describe the NTFS Boot Sector

1. When NTFS is formatted, the format program assigns the first 16 sectors to the boot sectors and to the bootstrap code 2. Partition identifier: MBR = 0x07 GPT = EBD0A0A2-B9E5-4433-87C0-68B6B72699C7

Windows Boot Process

1. When the user switches the system ON, CPU sends a Power Good signal to the motherboard and checks for computer's BIOS firmware. 2. BIOS starts a Power-On Self-Test (POST) which checks if all the hardware required for system boot is available and loads all the firmware settings from the non-volatile memory on the motherboard. 3. If POST is successful, add-on adapters perform a self-test for integration with the system. 4. Pre-boot process completes the POST, detecting a valid system boot disk. 5. After POST, the computer's firmware scans the boot disk and loads the master boot record (MBR), which searches for basic boot information in the Boot Configuration Data (BCD). 6. The MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe. 7. The Windows loader loads the OS kernel ntoskrnl.exe. 8. Once the Kernel starts running, the Windows loader loads HAL.DLL, bootclass device drivers marked as BOOT_START and the SYSTEM registry hive into memory. 9. The Kernel passes control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure the Win32 subsystem run environment. 10. The Session Manager Process triggers Winlogon.exe, which presents the user logon screen for user authorization. 11. The Session Manager Process initiates Service control manager, which starts all the services, the rest of the non-essential device drivers, the security subsystem LSASS.EXE and executes Group policy scripts. 12. Once the user logs in, Windows creates a session for the user. 13. The Service control manager starts Explorer.exe and initiates the Desktop Window Manager (DMW) process, which provides the desktop for the user.

What does The MBR partition scheme use?

32 bits for storing the LBA (Logical Block Addresses) and the size information on a 512-byte sector. In GPT, each logical block is 512 bytes and each partition entry is 128 bytes, and the negative addressing of the logical blocks starts from the end of the volume with -1 as the last addressable block. GPTs use logical block addressing (LBA) instead of the cylinder-head-sector (CHS) addressing. LBA 0 stores the Protective MBR, LBA 1 contains the GPT header, and the GPT header comprises a pointer to the partition table or Partition Entry Array at LBA 2. The UEFI assigns 16,384 bytes for the Partition Entry Array. Since the disk has 512-byte sectors with a partition entry array of 16,384 bytes and the minimum size of 128 bytes for each partition entry, LBA 34 will be the first usable sector.

How do you Identify the GUID Partition Table (GPT)

A GPT header can be useful to analyze the layout of the disk including the locations of the partition table, partition area, and backup copies of the header and partition table

What are sparse files in Windows?

A type of file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty. In a sparse NFTS file, clusters are assigned for the data that an application defines, and the file system marks the space as non-allocated in the case of non-defined data.

Describe NTFS Files & Data Storage

Attributes recorded when a file is stored: 1. Header 2. Standard Information 3. File Name 4. Data 5. Security Descriptor Every attribute is identified by an attribute type code and name

Describe Bitmap (BMP)

BMP images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors. Each bitmap file contains: 1. Header 2. RGBQUAD Array 3. Information Header 4. Image Data A bitmap file always has 42 4D as the first characters in a hexadecimal representation. These characters translate to BM in the ASCII code.

How is data is recorded in the hard disk?

By using zoned bit recording, which is the technique of grouping tracks into zones based on their distance from the center of the disk

In the Sleuth Toolkit was does istat.exe do/what are the switches?

Display details of a meta-data structure. Displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated. Syntax: istat [-B num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-b dev_sector_size] [-vV] [-z zone ] [-s seconds ] image [images] inode

In the Sleuth Toolkit was does fsstat.exe do/what are the switches?

Display general details of a file system Syntax: fsstat [-f fstype ] [-i imgtype] [-o imgoffset] [-b dev_sector_size] [-tvV] image [images]

What are some common Linux File Systems?

EXT2 EXT3 EXT4

Describe a GIF

Each color in the GIF color table is described in RGB values, with each value having a range of 0 to 255. Two versions of file format 1. GIF 87a - It supports LZW file compression, interlacing, 256-color palettes, and multiple image storage 2. GIF 89a - It supports properties such as background transparency, delay times, and image replacement parameters, which helps to store multiple images

What does NTFS set and what is stored in the EFS attribute when a volume is encrypted

Encryption and EFS - NTFS sets a flag for the file after encrypting it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and Data Recovery Field (DRF).

What are Common computer file systems?

FAT( 12 | 16 | 32 ) NTFS EXT ( 2 | 3 | 4 ) EFS HFS/HFS+

How do you use the cmdlets below in Windows PowerShell to identify the presence of a GPT:

Get-GPT - analyze the GUID Partition Table data structure of the hard disk (doesn't work for MBR, use get-MBR instead)

What are some Mac OS X File Systems?

HFS HFS+ (MAC OS Extended) UFS (Unix File System)

Why are HPA and DCO areas of concern?

HPA and DCO areas are of concern as many tools fail to detect their presence. Use tools such as EnCase, TAFT (an ATA (IDE) forensics tool), or Sleuth Kit to detect and image HPA and/or DCO areas.

What is Data density on a hard disk?

Hard disks store data using the zoned bit recording method, which is also known as multiple-zone recording. Tracks form a collection of zones depending on their distance from the center of the disk and the outer tracks have more sectors on them than the inner tracks. This allows the drive to store more bits in each outer track compared to the innermost zone and helps to achieve a higher total data capacity.

Describe the PDF File Format

Hex values for a PDF begin with 25 50 44 46

What is the NTFS windows file system?

Includes several new features over its predecessors: sparse file support, disk usage quotas, re-parse points, distributed link tracking, and file-level encryption, also known as the Encrypting File System (EFS).

How to identify Hidden Information on GPT Disks

Intruders may hide data on GPT disks just as they do on traditional MBR disks. Data hiding places on GPT disks may be inter-partition gaps, un-partitioned space towards the end of the disk, GPT header, and reserved areas. In addition, manipulated GPT headers, misplaced starting and ending LBAs, as well as areas marked with a reserved tag.

What are the Deleted and Overwritten GUID Partitions issues?

Issue 1: the conversion or re-partition of the MBR disk to GPT will generally overwrite the sector zero with a protective MBR, which will delete all the information about the old partition table. Follow the standard forensics methods of searching the files systems to recover data about the previous MBR partitioned volumes. Issue 2: When conversion or re-partition of the GPT to MBR disk takes place, the GPT header and tables may remain intact based on the tool used. You can easily recover or analyze the data from such disk partitions.

What is the Protective MBR?

It helps legacy tools solve compatibility issues when they fail to understand the GPT format. It stores the startup code for the operating systems that support a GPT boot disk. The Protective MBR protects GUID Partition Table disks from previously-released MBR disk tools such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk Administrator.

What is a Hex Editor?

It is a program that allows users to modify the binary data of a file. A hex editor has three display areas including an address area, a hexadecimal area, and a character area. In digital forensic investigations, the hex editors allow the investigators to view any data stored in disk and also search for the remnants of deleted files. A hex editor allows investigators to view the physical contents stored on a disk, including the files, directories, or partitions

What is a JPEG?

Joint Photographic Experts Group. It is a method of lossy compression for digital images and allows users to adjust the degree of compression. JPEG files allow compression ratio of 90%, which is one-tenth of the size of the data.

In the Sleuth Toolkit was does fls.exe do/what are the switches?

List file and directory names in a disk image. Syntax: fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode ]

What is the DXE (Driver Execution Environment) Phase of UEFI boot process

Most of the initialization happens in this phase. Using the Hand-Off Block List (HOBL), it initializes the entire system physical memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL). The DXE core produces a set of EFI Boot Services and EFI Runtime Services. The EFI Boot Services provided are allocating memory and loading executable images. The EFI Runtime services provided are converting memory addresses from physical to virtual while handing over to the kernel, and resetting the CPU, to code running within the EFI environment or within the OS kernel once the CPU takes control of the system.

What are the essential Windows System Files?

Ntoskrnl.exe Ntkrnlpa.exe Hal.dll Win32k.sys Ntdll.dll Kernel32.dll Advapi32.dll User32.dll Gdi32.dll

What characters does ASCII encode?

Numbers 0 to 9 Lowercase letters a to z Uppercase letters A to Z Basic punctuation symbols Control codes that originated with teletype machines A space

GPT

Part of the Unified Extensible Firmware Interface (UEFI), which replaces legacy BIOS firmware interfaces. UEFI uses partition interfacing systems that overcome the limitations of the MBR partitioning scheme.

Describe RAID 0, 1, 5, 10

RAID 0 - Striping RAID 1 - Mirroring RAID 5 - Striping with parity RAID 10 - Mirrored Striping

What are the 5 phases in the UEFI boot process

SEC (Security) Phase PEI (Pre-EFI Initialization) Phase DXE (Driver Execution Environment) Phase BDS (Boot Device Selection) Phase RT (Run Time) Phase

What are the forms of digital evidence?

Static (non-volatile) vs. Live (volatile)

BIOS Parameter Block (BPB)

The BPB is data structure situated at sector 1 in the volume boot record of a hard disk and explains the physical layout of a disk volume. It describes the volume partition on partitioned devices such as hard disks, whereas on the un-partitioned devices it describes the entire medium.

What controls controls the UEFI boot process

The EFI boot manager

GUID

The Globally Unique Identifier is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, a database entry, and/or the user

What is Data Acquisition?

The process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media

What is the Host Protected Areas (HPA)?

The reserved area on a HDD, meant to store data in a way that the user, BIOS, or OS cannot modify, change, or access it. Information about HDD utilities, diagnostic tools, boot sector code, etc. is found here.

How could you backup the MBR in Windows?

Using MbrFix.exe: MbrFix /drive <num> {/partition <part>} <command> { /yes } { /byte }

What is ASCII?

a character encoding standard used in computers. The standard has 128 specified characters coded into 7-bit integers. Source code of a program, batch files, macros, scripts, HTML and XML documents are also ASCII files.

What does A JPEG bit stream contain?

a sequence of data chunks. Every chunk starts with the marker value, each marker having a 16-bit integer value, and it is stored in big endian byte format. The most significant bit marker is set to 0xff. The first bits of a file represent the file type and JPEG files start with binary value 0xffd8 (SOI— start of image) and end with binary value 0xffd9 (EOI—end of image). Therefore, ffd8 (the 0x is implied) at the beginning represents a JPEG file when viewed with a hex editor. The basic format of a segment is as follows: 0xff marker number (1 byte) data; size (2 bytes); and data (n bytes)

What are the Device Configuration Overlays (DCO)?

an additional hidden area which enables system vendors to buy HDDs of varying sizes from different manufacturers and configure all of them to have an equal number of sectors. It can also be used to enable/disable features on the HDD.

Get-PartitionTable

analyzes the GUID partition table to find the exact type of boot sector (MBR or GPT) and displays the partition object.

Get-BootSector

analyzes the first sector of hard drive and determines the formatting type used and then parses the hard drive GPT.

What is Bit density?

bits / unit length of track

What is the SEC (Security) Phase of UEFI boot process

consists of initialization code that the system executes after powering the EFI system on. It manages platform reset events and sets the system so that it can find, validate, install, and run the PEI.

How do you backup the MBR in UNIX/ Linux?

dd if=/dev/xxx of=mbr.backup bs=512 count=1

How do you restore the MBR in UNIX/ Linux?

dd if=mbr.backup of=/dev/xxx bs=512 count=1

What is the PEI (Pre-EFI Initialization) Phase of UEFI boot process

initializes the CPU, temporary memory, and boot firmware volume (BFV). It locates and executes the Pre-Initialization modules (PEIMs) present in the BFV so as to initialize all the found hardware in the system. Finally, it creates a Hand-Off Block List with all found resources interface descriptors and passes it to the next phase.

What is the BDS (Boot Device Selection) Phase of UEFI boot process

interprets the boot configuration data and selects the Boot Policy for later implementation. This phase works with the DXE to check if the device drivers require signature verification. In this phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads the Bootloader program from the EFI partition for UEFI Boot. It also provides an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.

What is a Nibble?

known as a half-byte or tetrade, is a collection of four bits, or half of an octet. A byte is two nibbles.

What is a Partition?

logical divisions in a hard disk that allows for the application of operating system-specific logical formatting

How is the Logical structure of a hard disk formed?

mainly depends on the file systems used and the software that defines the process of accessing data from the disk. Operating systems use different types of file systems, and those file systems are used to control how data is stored and retrieved.

What are the 3 divisions of the ASCII Table?

non-printable (system codes between 0 and 31) lower ASCII (codes between 32 and 127) higher ASCII (codes between 128 and 255)

What is OFFSET?

refers to either the start of a file or the start of a memory address. Its value is added to a base address to derive the actual address.

What is Areal Density?

refers to the number of bits per square inch on a platter, and it represents the amount of data a hard disk can hold.

What is Track Density?

refers to the space a particular number of tracks require on a disk.

Describe the PNG File Format

short for Portable Network Graphics, is a lossless image format intended to replace the GIF and TIFF formats. PNG file hex values begin with 89 50 4e, which is the hex value for GIF.

What is a Bit?

short for binary digit, is the smallest unit of data. It can contain only one of the two values represented as 0 or 1. They also represent logical values such as true/false, yes/no, activation states (on/off), algebraic signs (+/−) or any other two-valued attribute.

What is a Byte?

short for binary term consists of eight bits. The byte is a representation of the number of bits a system has used to encode one text character. It is the smallest addressable memory unit. Two hexadecimal digits represent a full byte or octet.

What is a Primary Partition?

the drive that holds the information regarding the operating system, system area, and other information required for booting

What is an Extended Partition?

the logical drive that holds the information regarding the data and files that are stored in the disk

What is Bit Density?

the number of bits a unit length of track can accommodate.

What is File Carving?

the process of recovering files from their fragments and pieces from unallocated space of the hard disk in the absence of file system metadata. In computer forensics, it helps investigators to extract data from a storage media without any support of the file system used in creation of the file.

What is the RT (Run Time) Phase of UEFI boot process

the system clears the UEFI program from memory and transfers it to the OS. During UEFI BIOS update, the OS calls the run time service using a small part of the memory.