1) Explain Different Disk Types Along with Characteristics
Disks are primarily classified into two types: Hard Disk Drives (HDD) and Solid
State Drives (SSD).
- Hard Disk Drives (HDD):
  - Mechanical Drives: Use spinning platters and a moving read/write head.
  - Characteristics:
    - Capacity: High storage capacity (several TBs).
    - Speed: Slower than SSDs because of the mechanical movement involved.
    - Durability: Prone to mechanical failure; susceptible to shocks and wear.
    - Cost: Cheaper per GB than SSDs.
    - Use Case: Ideal for bulk data storage.
- Solid State Drives (SSD):
  - Electronic Drives: Use NAND flash memory with no moving parts.
  - Characteristics:
    - Capacity: Lower storage capacity (typically up to 4TB).
    - Speed: Much faster than HDDs in read/write speed.
    - Durability: More resistant to physical shocks and mechanical wear.
    - Cost: More expensive per GB.
    - Use Case: Ideal for operating systems, software, and frequently accessed data.
2) Logical Structure of a Disk
A disk is logically organized into different sections or structures to manage data
efficiently. Key components include:
- Sectors: The smallest unit of data storage, typically 512 bytes or 4KB.
- Clusters: Groups of consecutive sectors that the file system allocates as a single
unit; a file occupies one or more clusters.
- File Allocation Table (FAT)/Master File Table (MFT): A table that tracks the
locations of files on the disk.
- Partitions: Logical divisions of the disk that can be formatted independently and
appear as separate drives.
- Boot Sector: Contains the necessary code to boot the operating system and
information about the disk layout.
3) Explain the Process of Evidence Preservation
Evidence preservation is crucial in digital forensics to ensure that digital data is
not tampered with or altered. The steps include:
- Securing the Scene: Isolate the devices and restrict unauthorized access to
prevent tampering.
- Documenting the Evidence: Record all details about the device (model, serial
number, etc.) and take photographs.
- Imaging: Create a forensic bit-by-bit copy (image) of the storage device to
preserve the original data.
- Hashing: Generate a cryptographic hash (e.g., MD5, SHA256) of the original and
the copied image to ensure no changes occurred during copying.
- Write Blockers: Use hardware or software write blockers to prevent any
modification to the original device while creating the forensic image.
- Chain of Custody: Maintain a detailed log of who had access to the evidence
and when, ensuring accountability.
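The imaging, hashing and chain-of-custody steps above, worked through in Python as an added example (not part of the original notes). It uses a constructed file as the stand-in for a suspect drive; in a real acquisition the source path would be a raw block device read through a write blocker, which is an assumption of this example, not something the notes specify.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a multi-TB image never sits in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read chunk by chunk.

    MD5 is kept only as a legacy cross-check alongside SHA256; it is not relied on
    for collision resistance, hence usedforsecurity=False."""
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source, image_path):
    """Bit-for-bit copy of source into image_path; returns the number of bytes copied.

    Assumption: source is a readable raw device or file (e.g. /dev/sdb behind a
    hardware write blocker). The source is only ever opened read-only."""
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def verify_image(source, image_path):
    """True only when every hash of the image equals the hash of the original."""
    return hash_file(source) == hash_file(image_path)


def custody_entry(log, actor, action, path):
    """Append a chain-of-custody record: who did what, when, and the hashes at that moment."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "path": path,
        "hashes": hash_file(path),
    }
    log.append(entry)
    return entry


def demo():
    """Image a constructed 'device', verify it, then corrupt the image and re-verify.

    Returns (verified_before_tamper, verified_after_tamper, custody_log)."""
    log = []
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "suspect_device.bin")  # constructed stand-in for a drive
        image = os.path.join(work, "suspect_device.dd")
        with open(device, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)  # 1 MiB of deterministic sample data

        custody_entry(log, "examiner_a", "hashed original before imaging", device)
        copied = image_device(device, image)
        custody_entry(log, "examiner_a", f"created image ({copied} bytes)", image)
        ok_before = verify_image(device, image)

        # Flip one bit in the image: even this must make verification fail.
        with open(image, "r+b") as fh:
            fh.seek(12345)
            original_byte = fh.read(1)
            fh.seek(12345)
            fh.write(bytes([original_byte[0] ^ 0x01]))
        ok_after = verify_image(device, image)
    return ok_before, ok_after, log


if __name__ == "__main__":
    before, after, log = demo()
    print("image verified:", before, "| verified after tampering:", after)
    for entry in log:
        print(entry["time"], entry["actor"], entry["action"], entry["hashes"]["sha256"][:16])
```

Both the original and the image are hashed before and after the copy, and each hash is written into the custody log next to the actor and time, so a later mismatch can be traced to the step where it appeared.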
4) Explain File System Analysis Using Autopsy
Autopsy is an open-source digital forensics tool used for analyzing file systems
and recovering evidence. The process involves:
- Ingesting Evidence: Import disk images or raw data for analysis.
- File System Analysis: Autopsy parses the file system to recover files, metadata,
and directory structures. It supports FAT, NTFS, HFS+, ext3, and ext4.
- Recovering Deleted Files: Autopsy can recover files marked as deleted by the
file system but still present on the disk.
- Timeline Analysis: Autopsy creates a timeline of file creation, modification, and
access, which is crucial for understanding user activity.
- Keyword Search: Allows searching for specific keywords within files and
metadata.
- Report Generation: Autopsy generates a detailed forensic report based on the
findings.
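To make the timeline and keyword-search steps concrete, here is an added Python example (not Autopsy's code and not from the original notes) that builds a mactime-style timeline from file timestamps and runs a keyword search over a constructed directory. Flag order, the directory layout and the timestamps are all assumptions chosen for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def collect_events(root):
    """Walk root and emit one (timestamp, flag, relative path) triple per file time.

    Flags follow the mactime convention: m = modified, a = accessed,
    c = metadata changed, b = born (only where the platform exposes st_birthtime)."""
    root = Path(root)
    events = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        times = [("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)]
        birth = getattr(st, "st_birthtime", None)
        if birth is not None:
            times.append(("b", birth))
        rel = str(path.relative_to(root))
        events.extend((int(ts), flag, rel) for flag, ts in times)
    return events


def build_timeline(root):
    """Merge events that share a timestamp and path into one row with a 'macb' flag string."""
    rows = {}
    for ts, flag, rel in collect_events(root):
        rows.setdefault((ts, rel), set()).add(flag)
    timeline = []
    for (ts, rel), flags in sorted(rows.items()):
        timeline.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "flags": "".join(f if f in flags else "." for f in "macb"),
            "path": rel,
        })
    return timeline


def keyword_hits(root, keywords):
    """Return (relative path, keyword) pairs for every keyword found in a file's bytes."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes().lower()  # case-insensitive match on raw content
        for kw in keywords:
            if kw.lower().encode() in data:
                hits.append((str(path.relative_to(root)), kw))
    return hits


def demo():
    """Populate a constructed directory with known timestamps and analyse it."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        (root / "notes.txt").write_text("meeting with ACME about the invoice")
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly report, nothing unusual")
        # Set access/modification times; ctime is stamped by the OS and cannot be chosen.
        os.utime(root / "notes.txt", (1_000_000_000, 1_000_000_000))             # 2001-09-09
        os.utime(root / "docs" / "report.txt", (1_100_000_000, 1_100_000_000))   # 2004-11-09
        return build_timeline(root), keyword_hits(root, ["invoice", "ACME", "payroll"])


if __name__ == "__main__":
    timeline, hits = demo()
    for row in timeline:
        print(row["time"], row["flags"], row["path"])
    print("keyword hits:", hits)
```

In the output the rows carrying the chosen a/m times sort well before the c rows, which carry the real time the files were written; that gap between "what the file claims" and "when the metadata last changed" is exactly what a timeline review looks for.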
5) Explain Linux System Architecture
The Linux system architecture is divided into several layers:
1. Hardware: The physical components like the CPU, memory, storage, etc.
2. Kernel: The core of the Linux system that interacts directly with hardware and
manages resources. It handles process management, memory management,
device drivers, and system calls.
3. System Libraries: Libraries that provide essential functions to applications,
such as accessing kernel features (e.g., `glibc`).
4. Shell: The command-line interface that allows users to interact with the
system through commands.
5. User Space (Applications): Applications and services run in user space,
isolated from the kernel. Examples include text editors, browsers, and software
utilities.
6) How Do You Measure Hard Disk Performance?
- Seek Time: The time it takes for the read/write head of the HDD to move to the
correct track on the platter. Lower seek times indicate faster performance.
- Rotational Latency: The delay caused by waiting for the desired sector to rotate
under the read/write head. This is a function of the rotational speed of the disk
(RPM).
- Data Transfer Rate: The speed at which data can be read from or written to the
disk. It’s measured in MB/s.
- Access Time: The total time needed to position the head for a read/write operation;
it is the sum of seek time and rotational latency.
- Speed in RPM: The number of revolutions per minute that the disk platters spin.
Common speeds include 5400, 7200, and 10000 RPM. Higher RPM generally
improves performance but increases power consumption and heat output.
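The relationships listed above, worked through as an added Python example (not from the original notes). The drive figures in DRIVES are constructed, typical-looking values for illustration, not specifications of any real product; the point the model shows is that a workload of many small random reads is dominated by access time, while one sequential read pays it only once.

```python
def avg_rotational_latency_ms(rpm):
    """Average wait for the wanted sector to pass under the head: half a revolution.

    One revolution takes 60 / rpm seconds."""
    return (60.0 / rpm) / 2 * 1000.0


def access_time_ms(seek_ms, rpm):
    """Access time as defined above: seek time plus (average) rotational latency."""
    return seek_ms + avg_rotational_latency_ms(rpm)


def transfer_time_ms(nbytes, rate_mb_s):
    """Time to stream nbytes at a sustained data transfer rate in MB/s (decimal MB)."""
    return nbytes / (rate_mb_s * 1_000_000) * 1000.0


def request_time_ms(nbytes, seek_ms, rpm, rate_mb_s):
    """Cost of one I/O request: position the head, wait for the sector, then transfer."""
    return access_time_ms(seek_ms, rpm) + transfer_time_ms(nbytes, rate_mb_s)


def random_vs_sequential_ms(total_bytes, block_bytes, seek_ms, rpm, rate_mb_s):
    """Compare reading total_bytes as many random blocks versus one contiguous run.

    Random reads pay access time on every block; the sequential read pays it once."""
    blocks = total_bytes // block_bytes
    random_ms = blocks * request_time_ms(block_bytes, seek_ms, rpm, rate_mb_s)
    sequential_ms = request_time_ms(total_bytes, seek_ms, rpm, rate_mb_s)
    return random_ms, sequential_ms


DRIVES = {  # constructed illustrative figures, not measured specifications
    "5400 RPM laptop HDD": dict(seek_ms=12.0, rpm=5400, rate_mb_s=100),
    "7200 RPM desktop HDD": dict(seek_ms=9.0, rpm=7200, rate_mb_s=150),
    "10000 RPM enterprise HDD": dict(seek_ms=4.5, rpm=10000, rate_mb_s=200),
}


if __name__ == "__main__":
    for name, spec in DRIVES.items():
        rnd, seq = random_vs_sequential_ms(4 * 1024 * 1024, 4096, **spec)
        print(f"{name:25s} access {access_time_ms(spec['seek_ms'], spec['rpm']):5.2f} ms | "
              f"4 MiB as 4 KiB random reads {rnd:8.1f} ms | sequential {seq:6.1f} ms")
```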
7) Explain Storage Drives
Storage drives are used to store data. They include:
- Hard Disk Drives (HDD): Mechanical storage devices that use spinning platters.
- Solid State Drives (SSD): Faster, non-mechanical storage using flash memory.
- Optical Drives (CD/DVD/Blu-ray): Use laser technology to read/write data on
optical discs.
- USB Flash Drives: Portable storage devices using flash memory.
- Network Attached Storage (NAS): Storage devices connected to a network that
allow multiple users to access data.
8) Explain FTK Imager Briefly
FTK Imager is a forensic imaging tool used to create bit-by-bit copies of storage
devices. Features include:
- Disk Imaging: Create forensic images of drives, preserving all data and
metadata.
- File System Support: Supports a wide range of file systems (FAT, NTFS, ext,
HFS+).
- Mounting Images: Allows viewing and interacting with forensic images as if they
were physical drives.
- Hashing: Calculates MD5 and SHA256 hashes to verify the integrity of the
image.
- File Preview: View files before imaging, which can be helpful for quick analysis.
9) Explain Master Boot Record (MBR)
The Master Boot Record (MBR) is the first sector of a disk (usually 512 bytes) and
contains:
- Boot Loader: A small program that loads the operating system into memory.
- Partition Table: Information about the disk partitions, their sizes, and locations.
- Disk Signature: A unique identifier for the disk.
If the MBR is corrupted or compromised, the system may fail to boot.
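An added Python example (not from the original notes) that parses the three MBR components named above, and that also illustrates the sector and partition concepts from section 2 by converting each partition's starting LBA into a byte offset with 512-byte sectors. The sample sector is constructed in build_sample_mbr (NOP filler for boot code, a made-up disk signature, two made-up partitions); the type-ID table and the integrity checks are assumptions this example adds, and the known-good boot-code hash is whatever baseline the examiner recorded earlier.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot loader code
DISK_SIG_OFF = 440            # bytes 440..443: 32-bit disk signature (little-endian)
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511

PARTITION_TYPES = {  # a few common type IDs; anything else is reported as hex
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector):
    """Decode boot code hash, disk signature and partition table from a raw 512-byte sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "status_valid": status in (0x00, 0x80),
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return {
        "disk_signature": f"{disk_sig:08x}",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(info, known_good_boot_code_sha256=None):
    """Consistency checks on a parsed MBR; returns a list of findings (empty = nothing odd)."""
    findings = []
    if known_good_boot_code_sha256 and info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from the known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    for p in info["partitions"]:
        if not p["status_valid"]:
            findings.append(f"slot {p['slot']}: invalid status byte")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append(f"slots {prev['slot']} and {cur['slot']} overlap")
    return findings


def build_sample_mbr():
    """Constructed sample: a bootable NTFS partition followed by a Linux partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN  # NOP filler standing in for boot code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)  # made-up disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16, 0x00, 0x83, 206848, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("disk signature:", info["disk_signature"])
    for p in info["partitions"]:
        print(f"slot {p['slot']} {'*' if p['bootable'] else ' '} {p['type']:14s} "
              f"LBA {p['lba_start']} (byte offset {p['byte_offset']}) "
              f"{p['size_bytes'] // (1024 * 1024)} MiB")
    print("findings:", check_mbr(info, info["boot_code_sha256"]))
```

Recording the boot-code hash from a known-good image and comparing it against the hash read later is a simple way to notice that the first sector has been rewritten, which is the "compromised MBR" case mentioned above; the overlap and active-flag checks catch the corrupted-table case.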
10) Differentiate Between FAT and NTFS