Summary
It is important for computer forensics investigators to understand the vast array of digital devices that they may encounter at a crime scene. This knowledge is essential because each device needs to be handled differently, and investigators must maintain and update different power and data cables over time. Moreover, each device is associated with different types of evidence and requires a different methodology to acquire that evidence.
Hard disk drives are a primary source of evidence for investigators. There are different types of hard disk drives, which are mainly differentiated by their drive controllers and connections. There are Small Computer System Interface (SCSI) hard disk drives and Integrated Drive Electronics (IDE) hard disk drives, but more recently, Serial ATA (SATA) hard disk drives have become more prevalent. Hard disk drives are cloned rather than imaged when a hard disk drive needs to be copied quickly. Solid state drives have gained market share in recent times but present significant challenges for computer forensics investigators, given the unstable nature of these drives compared to traditional hard disk drives. Occasionally, an investigator will encounter a computer with multiple hard disk drives, an arrangement referred to as a Redundant Array of Independent Disks (RAID).
USB thumb drives and other kinds of flash memory continue to grow in significance as they become cheaper and offer greater memory capacity. Interestingly, though, connecting these devices to a computer leaves a digital footprint in a Windows computer’s registry files, which the investigator can then view. This digital footprint is sometimes available on Macintosh and UNIX systems, too.
Key Terms
Blu-ray disc (BD): A high-capacity optical disc that can be used to store high-definition video.
Boot Camp: A utility included with Mac OS X 10.6 (Snow Leopard) that enables a user to run the Windows operating system on an Intel-based Mac.
compact disc: A polycarbonate plastic disc with one or more metal layers that is used to store data digitally.
CompactFlash: A memory card that was first developed by SanDisk for use in portable electronics like digital cameras.
dd: A UNIX command that produces a raw data image of a storage medium, like a hard drive or magnetic tape, in a forensically sound manner.
Digital versatile disc (DVD): An optical disc with a large storage capacity that was developed by Philips, Sony, Toshiba, and Time Warner.
disk clone: An exact copy of a hard drive that can be used as a backup for a hard drive because it is bootable just like the original.
disk controller: Facilitates communication between a computer’s central processing unit (CPU) and hard disks (or other disk drives).
disk image: One file or a group of files that contain bit-for-bit copies of a hard drive but cannot be used for booting a computer or other operations.
eSATA: A variation of SATA that is used for external drives.
fault tolerance: If one component in a system, like a hard disk drive, fails, then the system will continue to operate.
File Translation Layer (FTL): Maps a logical block address to a physical block address.
FireWire: The Apple version of IEEE 1394, which is a serial bus interface standard for high-speed data transfer.
floppy disk: A thin, flexible, plastic computer storage disc that is housed in a rigid plastic rectangular case.
frames: Consist of 24 bytes and are the smallest unit of memory on a CD.
garbage collection: A memory-management process that removes unused files to make more memory available.
Host Protected Area (HPA): The region on a hard disk that often contains code associated with the BIOS for booting and recovery purposes.
Integrated Drive Electronics (IDE): A drive interface, largely based on IBM PC standards, for devices like hard disk drives, tape drives, and optical drives.
lands: The reflective surfaces on a CD burned flat by a laser.
magnetic tape: A thin, plastic strip with a magnetic coating that is used for storing audio, video, and data.
Memory Stick: Sony’s proprietary memory card that was introduced in 1998.
MultiMedia card: Storage memory that was developed by Siemens AG and SanDisk for use in portable devices, like cameras.
pits: The less reflective surfaces on a CD that have not been burned by a laser.
RAID (Redundant Array of Independent Disks): Two or more disks used in conjunction with one another to provide increased performance and reliability through redundancy.
Random access memory (RAM): Volatile memory that is used for processes that are currently running on a computer.
Secure Digital card: A file storage device that was developed for use in portable electronics, like cameras.
Serial ATA: An interface that connects devices, like hard disk drives, to host bus adapters.
session on a compact disc: A group of tracks recorded at the same time.
Small Computer System Interface (SCSI): A protocol for both the physical connection of devices and the transfer of data.
solid state drive (SSD): A nonvolatile storage device found in computers.
table of contents (TOC): Records the location of the start address, the session number, and track information (music or video) on a compact disc.
track on a compact disc: A group of sectors that are written to at one time.
TRIM: An operating system function that informs a solid state drive which blocks are no longer in use, to allow for high write performance.
wear-leveling: The process by which areas of a storage medium become unusable over time.
write-blocker: A hardware device that allows an individual to read data from a device such as a hard drive without writing to that device.
xD (Extreme Digital) Picture Cards: Developed by Olympus and Fujifilm for digital cameras and some voice recorders.
zip disk: A removable storage medium that was developed by Iomega in the early 1990s.