Computer and Storage Architecture for Investigators

Lesson 11/47 | Study Time: 20 Min

Computer and storage architecture knowledge empowers investigators in computer and cyber forensics to make smart choices about evidence acquisition, navigate hidden data areas, and anticipate challenges like encryption or wear-leveling. Without grasping how data lives on disks, SSDs, and arrays, you risk missing artifacts or corrupting evidence during imaging. 

Disk Fundamentals: HDDs vs. SSDs

Traditional and modern storage differ in how they store and erase data, which directly affects what forensics can recover.

1. Hard Disk Drives (HDDs): Spinning platters with read/write heads; "deleted" data persists magnetically until it is overwritten. Sector-level imaging tools capture it readily.

2. Solid State Drives (SSDs): NAND flash chips managed by wear-leveling (which spreads writes across cells, so physical placement does not follow logical order) and TRIM (which lets the controller erase deleted blocks in the background); both complicate recovery. Over-provisioned areas can retain data that the host cannot address.

3. Hybrid Drives (SSHDs): SSD cache plus HDD bulk storage; forensics requires full imaging to capture both parts.

Note: HDDs use magnetic platters; SSDs rely on flash memory. Knowing this guides safe handling.

Key implication: Power off SSDs quickly, because background TRIM processing destroys evidence while the drive stays powered.

Partitioning and Volume Management

Devices divide into partitions that house file systems; understanding the layout reveals hidden volumes.

1. Master Boot Record (MBR): Legacy scheme limited to 4 primary partitions and 2TB disks; stores the partition table in the first sector.

2. GUID Partition Table (GPT): Modern scheme with 128 or more partitions and UEFI boot; a backup header and table at the end of the disk make it resilient to corruption.

3. Dynamic Disks (Windows): Software RAID-like volumes that span disks.

4. Logical Volume Manager (LVM, Linux): Flexible resizing and snapshots for point-in-time views.

Tools like TestDisk recover lost partition tables; anomalies signal anti-forensics.

Note: MBR/GPT schemes organize space; investigators check for unallocated or resized partitions.
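The check in the note above, worked through in code. This is an added example, not material from the lesson: it parses the four-entry MBR partition table from a 512-byte sector, validates the 0x55AA boot signature, and reports LBA ranges that no partition covers, which is exactly where a deleted or shrunk partition would sit. The MBR it parses is constructed inline (two NTFS-typed partitions on a 1,000,000-sector disk with a hole between them); the layout constants are the documented MBR format.

```python
"""Parse a 512-byte MBR sector and flag unallocated sector ranges.

Added example, not from the lesson; the MBR below is constructed inline.
Partition entry layout (16 bytes): status, 3-byte CHS start, type, 3-byte
CHS end, 32-bit LBA start, 32-bit sector count (both little-endian).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55          # bytes 55 AA at offsets 510-511
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FMT = "<B3xB3xII"
MBR_MAX_BYTES = 2**32 * SECTOR_SIZE  # 32-bit LBA fields cap MBR disks at 2 TiB


@dataclass
class Partition:
    slot: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"missing boot signature (got 0x{signature:04X})")
    partitions = []
    for slot in range(4):
        status, type_id, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        if type_id == 0 and count == 0:
            continue  # unused slot
        partitions.append(Partition(slot, status == 0x80, type_id, start, count))
    return partitions


def find_gaps(partitions: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Return inclusive (first, last) LBA ranges covered by no partition.

    Sector 0 holds the MBR itself and is skipped. A small gap before the first
    partition is normal alignment padding; a large gap between partitions or a
    long trailing gap can be a deleted or shrunk partition worth examining.
    """
    gaps = []
    cursor = 1
    for p in sorted(partitions, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - 1))
        cursor = max(cursor, p.end_lba + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR: two NTFS-typed (0x07) partitions separated by a hole."""
    sector = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable, 100 MiB starting at LBA 2048
        (0x00, 0x07, 411648, 204800),  # second 100 MiB partition after a 100 MiB gap
    ]
    for slot, fields in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE, *fields)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p.slot}: type 0x{p.type_id:02X} LBA {p.start_lba}-{p.end_lba}"
              f"{' (boot)' if p.bootable else ''}")
    for first, last in find_gaps(parts, 1_000_000):
        print(f"unallocated: LBA {first}-{last} ({last - first + 1} sectors)")
```

On the sample disk the script reports three unallocated ranges: the usual alignment padding before LBA 2048, the 204,800-sector hole between the two partitions, and the trailing space. The first is expected; the other two are the kind of anomaly the note says to look for.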

RAID and Networked Storage

Enterprises cluster drives for redundancy; disassembling an array requires awareness of how it was built.

Note: RAID levels dictate reconstruction; the wrong disk order or stripe size corrupts data.

Image each member disk (for example with ddrescue) and record the RAID metadata before dismantling the array.
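To make the note concrete, here is an added example (not code from the lesson) that reassembles a RAID-0 array from member-disk images and shows what happens when the member order or the stripe size is wrong. The member images and stripe size are constructed inline by striping a labelled buffer; in a real case both parameters come from the controller or mdadm metadata recorded before the array was dismantled.

```python
"""Reassemble a RAID-0 (striped) array from member-disk images.

Added example, not from the lesson. In a real case the member order and
stripe size come from the controller or mdadm metadata recorded before
dismantling; here the member images are constructed by striping a known
buffer so the effect of a wrong order or stripe size is visible.
"""
from typing import List


def raid0_split(data: bytes, members: int, stripe_size: int) -> List[bytes]:
    """Distribute data round-robin across member images (builds the sample)."""
    if len(data) % (members * stripe_size):
        raise ValueError("data must fill a whole number of full stripes")
    images = [bytearray() for _ in range(members)]
    for i in range(0, len(data), stripe_size):
        images[(i // stripe_size) % members] += data[i:i + stripe_size]
    return [bytes(img) for img in images]


def raid0_assemble(images: List[bytes], stripe_size: int) -> bytes:
    """Interleave stripe_size chunks from each member in the given order."""
    if not images or any(len(img) != len(images[0]) for img in images):
        raise ValueError("member images must be present and of equal size")
    if len(images[0]) % stripe_size:
        raise ValueError("member size must be a multiple of the stripe size")
    out = bytearray()
    for stripe in range(len(images[0]) // stripe_size):
        for img in images:
            out += img[stripe * stripe_size:(stripe + 1) * stripe_size]
    return bytes(out)


# Constructed logical volume: six labelled 8-byte stripes, so every chunk
# announces where it belongs after reassembly.
STRIPE_SIZE = 8
ORIGINAL = b"".join(f"chunk-{i:02d}".encode() for i in range(6))
MEMBERS = raid0_split(ORIGINAL, members=2, stripe_size=STRIPE_SIZE)


def rebuild_variants():
    """Return (correct, reversed_order, wrong_stripe) reassembly results."""
    correct = raid0_assemble(MEMBERS, STRIPE_SIZE)
    reversed_order = raid0_assemble(list(reversed(MEMBERS)), STRIPE_SIZE)
    wrong_stripe = raid0_assemble(MEMBERS, STRIPE_SIZE // 2)
    return correct, reversed_order, wrong_stripe


if __name__ == "__main__":
    for label, data in zip(("correct", "reversed", "stripe/2"), rebuild_variants()):
        print(f"{label:9s} {'OK ' if data == ORIGINAL else 'BAD'} {data[:32]!r}...")
```

Only the reassembly with the recorded order and stripe size reproduces the original volume; the other two produce byte streams that look plausible at a glance but no file system parser would accept. That is why the metadata is captured before a single disk is pulled.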

File System Layouts Critical for Forensics

File systems organize bits into recoverable structures; parse these for artifacts.

1. NTFS (Windows): The Master File Table (MFT) indexes every file; $LogFile tracks metadata changes.

2. FAT32/exFAT: Simple and ubiquitous on USB media; 8.3 short file names can hide or betray data.

3. ext4 (Linux): Journaling limits corruption; inodes link files to their data blocks.

4. APFS (macOS): Native snapshots and encryption; containers hold multiple volumes.

Unallocated space and slack space (from the end of a file to the end of its last cluster) hold carvable treasures.

Note: Metadata such as MACB timestamps (Modified, Accessed, Changed, Born) builds timelines.
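The timeline construction the note refers to, as an added example that is not part of the lesson. It takes per-file MACB timestamps (constructed here; in practice they come from an MFT or inode parser), emits one row per distinct time in the mactime convention (a four-character flag showing which of Modified, Accessed, Changed, Born fall at that time), and flags records whose Born time is later than their Modified time, which a normal file lifecycle cannot produce.

```python
"""Build a mactime-style timeline from MACB timestamps.

Added example, not from the lesson. The file records are constructed; in a
real case they come from an MFT or inode parser. Each row carries a
four-character flag in MACB order: 'm' Modified, 'a' Accessed, 'c' metadata
Changed, 'b' Born (created), with '.' where that timestamp does not fall at
the row's time.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime
    accessed: datetime
    changed: datetime
    born: datetime


def build_timeline(records: List[FileRecord]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, MACB flags, path) rows sorted by time."""
    events: Dict[Tuple[datetime, str], Set[str]] = {}
    for r in records:
        for flag, ts in (("m", r.modified), ("a", r.accessed),
                         ("c", r.changed), ("b", r.born)):
            events.setdefault((ts, r.path), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "macb"), path)
            for (ts, path), flags in sorted(events.items())]


def born_after_modified(records: List[FileRecord]) -> List[str]:
    """Paths whose Born time is later than their Modified time.

    A file cannot be modified before it exists, so this pattern means the
    file was copied (creation reset, modification preserved) or its
    timestamps were altered; either way the record deserves a closer look.
    """
    return [r.path for r in records if r.born > r.modified]


def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample records (not real case data).
SAMPLE_RECORDS = [
    FileRecord("/Users/alice/report.docx",
               modified=utc(2025, 3, 2, 14, 30), accessed=utc(2025, 3, 5, 8, 0),
               changed=utc(2025, 3, 2, 14, 30), born=utc(2025, 3, 1, 9, 0)),
    FileRecord("/Users/alice/notes.txt",  # created and never touched again
               modified=utc(2025, 3, 3, 10, 0), accessed=utc(2025, 3, 3, 10, 0),
               changed=utc(2025, 3, 3, 10, 0), born=utc(2025, 3, 3, 10, 0)),
    FileRecord("/Users/alice/invoice.pdf",  # modified before it was born
               modified=utc(2025, 2, 20, 16, 0), accessed=utc(2025, 3, 4, 12, 0),
               changed=utc(2025, 3, 4, 12, 0), born=utc(2025, 3, 4, 12, 0)),
]


if __name__ == "__main__":
    for ts, macb, path in build_timeline(SAMPLE_RECORDS):
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), macb, path)
    print("born-after-modified:", born_after_modified(SAMPLE_RECORDS))
```

Reading the output top to bottom tells the story the raw metadata hides: report.docx was created, edited once, and opened days later, notes.txt was created and never touched, and invoice.pdf carries a Modified time that predates its own creation, so it was either copied onto this volume or had its timestamps altered.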

Encryption and Secure Storage Impact

Modern drives encrypt by default, blocking access without keys.

Note: BitLocker, FileVault, and LUKS demand credential forensics first.

1. Full Disk Encryption (FDE): Self-encrypting drives (SEDs) tie keys to the hardware.

2. Software Wrappers: VeraCrypt volumes mimic free space, appearing as random bytes with no recognizable header.

3. Cloud Storage: Transparent encryption; metadata leaks usage patterns.

Workflow: Capture RAM first (keys reside there), then unlock volumes.
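A volume that "mimics free space" can still be spotted statistically, because genuinely wiped or unused space is rarely random while ciphertext is. The following added example (not code from the lesson) scans an image block by block, computes the Shannon entropy of each block, and reports runs of consecutive blocks near 8 bits/byte. The image is constructed inline, using a perfectly flat byte distribution as a deterministic stand-in for encrypted data; compressed archives and media files also score high, so the output is a lead for further examination, not proof of an encrypted container.

```python
"""Flag high-entropy regions of a disk image that may be encrypted containers.

Added example, not from the lesson. A VeraCrypt-style hidden volume has no
header and looks like random free space, so byte-frequency entropy close to
8 bits/byte across many consecutive blocks is one indicator worth noting
(compressed archives and media also score high, so it is a lead, not proof).
The sample image below is constructed inline.
"""
import math
from typing import List, Tuple

BLOCK_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(image: bytes, block_size: int = BLOCK_SIZE,
                         threshold: float = 7.9) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges of consecutive blocks above threshold."""
    regions = []
    start = None
    for off in range(0, len(image), block_size):
        hot = shannon_entropy(image[off:off + block_size]) > threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(image)))
    return regions


def build_sample_image() -> bytes:
    """Constructed image: wiped space, a ciphertext stand-in, a text file, wiped space.

    bytes(range(256)) * 16 has a perfectly flat histogram (entropy exactly 8.0)
    and stands in for encrypted data so the result is deterministic.
    """
    zeros = bytes(BLOCK_SIZE)
    ciphertext_like = bytes(range(256)) * (BLOCK_SIZE // 256)
    text = (b"Quarterly figures attached, please review before Friday. " * 80)[:BLOCK_SIZE]
    return zeros * 2 + ciphertext_like * 3 + text + zeros


if __name__ == "__main__":
    img = build_sample_image()
    for start, end in high_entropy_regions(img):
        print(f"possible encrypted region: bytes {start}-{end} "
              f"({(end - start) // BLOCK_SIZE} blocks)")
```

On the constructed image the scan isolates the three ciphertext-like blocks in the middle while the zeroed space and the plain-text block fall well below the threshold. In practice this is run against unallocated space after the partition table has been examined, since a container hiding in a gap between partitions shows up as a high-entropy run exactly where the table says nothing exists.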

Practical Acquisition Strategies by Architecture

Tailor methods to hardware realities.

Note: Live vs. dead acquisition weighs volatility against integrity.

Validate images with hashes from two different algorithms; test on identical hardware setups.

In 2025, NVMe and enterprise SSDs demand high-speed Thunderbolt docks, but the principle of knowing your target remains timeless for investigators.
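The dual-hash validation described above, as an added example that is not code from the lesson. It computes two digests (MD5 and SHA-256 are assumed here as the pair) in a single chunked pass so a multi-terabyte image never has to fit in memory, records them, and later re-verifies the image digest by digest. The evidence image is a constructed temporary file; appending a single byte to it shows both digests failing verification.

```python
"""Hash an evidence image with two algorithms and re-verify it later.

Added example, not from the lesson. Hashing is done in chunks so multi-
terabyte images do not need to fit in memory; both digests are computed in
a single pass over the data. The sample image is a constructed temp file.
"""
import hashlib
import hmac
import io
import os
import tempfile
from typing import BinaryIO, Dict, Iterable

ALGORITHMS = ("md5", "sha256")  # assumed pair; any two hashlib names work


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS,
                chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return {algorithm: hex digest} after one pass over the stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path: str, algorithms=ALGORITHMS) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(path: str, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Recompute every recorded algorithm and compare digest by digest."""
    actual = hash_image(path, tuple(recorded))
    return {name: hmac.compare_digest(actual[name], recorded[name].lower())
            for name in recorded}


def demo() -> tuple:
    """Hash a constructed image, verify it, then append one byte and re-verify.

    Returns (all_ok_before, all_ok_after); a single appended byte changes
    both digests, which is what makes the hash a useful integrity seal.
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(bytes(4096) + b"constructed sample evidence bytes")
        recorded = hash_image(image)
        before = verify_image(image, recorded)
        with open(image, "ab") as f:
            f.write(b"\x00")  # simulate post-acquisition tampering or bit rot
        after = verify_image(image, recorded)
    return all(before.values()), all(after.values())


if __name__ == "__main__":
    print("empty input:", hash_bytes(b""))
    print("intact, tampered:", demo())
```

Two algorithms are recorded so that a weakness in one does not undermine the seal on the evidence, and the digests go into the case notes at acquisition time; every later verification is compared against those recorded values, never against a freshly computed pair.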

Alexander Cruise

Product Designer