Chapter 3: Understanding Filesystems and Storage Media

It takes a lot more than just technical know-how to be a digital forensic investigator. There's a lot of research, processes, and analytics that also go into the case itself. Consider a scenario where you need to build a house. Sure, we need wood, nails, cement, metal, glass, and all the other raw materials, and we also require the skilled laborers and contractors to construct the structure and piece it together. Apart from the materials, tools, and resources, we would have also done our research to ensure that we understood what is needed for this to be a successful project.

For instance, we would have had to obtain permits to build, performed a soil analysis, considered the weather, and then chosen the types of materials based on the weather, location, soil type, and so on. It goes without saying that there must be an understanding of fundamental concepts in the field in order to efficiently carry out the task. In the same way, we need to have an understanding of the filesystems, operating systems, data types, and locations, as well as a thorough understanding of the methods and procedures for preserving data, storage media, and general evidence.

In this chapter, we will learn about the following topics:

  • The history of storage media
  • Filesystems and operating systems
  • What about the data?
  • Data volatility
  • The paging file and its importance in digital forensics

The history of storage media

The end result of any investigation is to prove whether something exists or took place. In laptops, desktops, mobile devices, and smart devices, data has to be stored somewhere, even if it's just temporarily. Most of us may be familiar with hard disk drives within laptops, desktops, mobile devices, and so on, but we also need to focus on removable and portable storage devices. These include DVDs, portable drives, thumb or flash drives, SD and microSD cards, older media such as CDs and floppy disks, and countless more.

We should also consider that many portable flash drives come in many interesting shapes and sizes as novelty items and may not take the usual shape of the ordinary rectangular-shaped drive. Another issue to consider is that many of these storage media devices have changed in size over the years and may be smaller in size, usually as a result of evolving technology.

Cloud storage has also cemented its place as a common and cost-effective solution, with many companies offering free cloud storage solutions between 2 GB and 15 GB to the average user, with the option to pay for more storage. Although not a new concept, cloud storage is here to stay and with it also comes some challenges to data recovery and forensics as we do not have access to the physical storage servers. Fortunately, many cloud storage providers, such as Google, Dropbox, and Microsoft, offer a service of temporarily holding deleted files in the event that they were mistakenly deleted or need to be recovered.

IBM and the history of storage media

There can never be a story, journal, book, or even discussion on the history of hard drives and storage media without mentioning three letters: IBM. We're all familiar with this well-known tech giant, but we might not all be familiar with some of its great achievements.

International Business Machines (IBM, as we know it), has been around for quite some time. Known as the Computing-Tabulating-Recording Company (CTR) back in the early 1900s, IBM is better known for building the very first hard disk drive, the first PC, its servers, desktops, and laptops.

Between the years 1956 and 1957, IBM made major inroads with the development and release of the 305 Random Access Method of Accounting and Control (RAMAC), which utilized the first disk storage technology. This revolutionary technology weighed in at approximately one ton and was roughly 16 square feet in size. The disk space capacity of this behemoth, however, was only 5 MB (megabytes – yes, I said megabytes) in size.

Although 5 MB by today's standard is roughly the size of a high-definition photo taken with a mobile device, all things considered, this really was a monumental achievement for its time. Before IBM's invention, data was stored on punch cards, which could amount to as many as millions of cards just to hold a few megabytes.

A major issue faced back then with the introduction of this digital storage was the size of the device. Transportation by plane and truck may not have been an option for many and the space to store this would also have been an issue.

As technology progressed, IBM announced a much more portable computer in 1975, released as the IBM 5100 Portable Computer. In the 1980s, specifically 1981, we saw the birth of the IBM Personal Computer. Weighing in at much less than its predecessor, this portable computer also had a much more affordable price tag of between $8,000 and $20,000.

It wasn't until 1981, when IBM released the first personal computer, that the portability of computers was becoming an actual reality. With a price tag of $1,565, owners were afforded a keyboard and mouse, with options for a monitor, printer, and floppy drives. Apart from the floppy drives, this is the standard for today's personal computers.

Along with this newer and more portable technology, there were also improvements in data storage media over the years, which saw advancements from magnetic tape storage, to floppy disks and diskettes, CDs, DVDs, Blu-ray disks, and, of course, mechanical and solid-state drives (SSDs).

Removable storage media

Continuing on our topic of storage media, I'd first like to start by discussing removable storage media, as they play a role just as important as that of fixed storage media in today's world.

Magnetic tape drives

Introduced by IBM in the 1950s, magnetic tape was an easy and very fast way to store data at a speed equal to its processing time. The IBM 726 magnetic tape reader and recorder was one of the first devices to offer this storage, with a capacity or tape density of 100 bits per linear inch of tape. Measuring capacity per inch of tape gives an indication of the size of the tape itself, which was wound on a large reel, similar to an old film reel.

With magnetic tape media, data is written across the width of the magnetic-coated plastic strip in frames separated by gaps consisting of blocks. Magnetic tape is still very much used today and, like many other storage media types, has significantly decreased in size while increasing in capacity and speed.

To give an idea of how far magnetic tape storage has come, in 2017, IBM developed newer tape storage media with a tape density of 200 Gbps per inch on a single cartridge, which can hold up to 333 GB of data. These cartridges (for older folks like myself) are the size of a cassette tape, or (for the younger ones) not much smaller than the average smartphone, which fits in your hand. As of 2019, Fujifilm released the Fujifilm Linear Tape-Open Ultrium 8 (LTO-8) magnetic tape cartridge with a native capacity of 12 TB (terabytes) and a data rate of 360 Mbps. 30 TB of compressed data can fit on this single 12 TB cartridge.

Floppy disks

The floppy disk, introduced yet again by IBM, was first seen along with its floppy disk drive in 1971. Although mainframe computers back then already had hard drives and magnetic tape storage media, there was a need for a simple and cheaper means of saving and passing on software and instructions to the mainframes, previously done using the much slower punch cards.

At the core of the floppy disk was a small magnetic disk, which, although far more portable than magnetic tape storage and hard disk drives at the time, stored much less data than other media we've mentioned.

Evolution of the floppy disk

  • 8-inch: introduced in 1971, maximum capacity 80 kilobytes (KB)
  • 5.25-inch: introduced in 1976, maximum capacity 360 KB
  • 3.5-inch: introduced in 1984, maximum capacity 1.2 megabytes (MB)

Important note:

In 1986, the capacity of the floppy was increased to 1.44 MB, which remained as such until it was discontinued by Sony (the last remaining manufacturer of the floppy) in 2011.

Optical storage media

Optical storage media is so-called because of the way in which data is written to the various media types, involving the use of different types of lasers on the surface of the disk itself.

Although it may be somewhat difficult to distinguish various optical disks if there are no default labels on them, they do have slight differences in color and hue due to the size of the lasers used to write data to them.

Compact disks

Compact disks (CDs) are made of pits and lands, noticeable as bumps on the underside of the disk, coated with a thin layer of aluminum, which results in a reflective surface. Data is written in concentric circles known as tracks, each further split up into sectors of 512 bytes, from the inside of the CD to the outside (or edge) of the disk:

  • Diameter: 120 millimeters (mm)
  • Type of laser used to write data: 780 nanometer (nm) infrared laser
  • Maximum capacity of a CD: 650-700 MB

The various types of CDs are as follows:

  • Compact Disk – Read-Only Memory (CD-ROM): This disk comes with data on it in the form of programs, games, music, and so on, and can only be read from.
  • Compact Disk Recordable (CD-R): Data can be written to this disk, but only once.
  • Compact Disk – ReWritable (CD-RW): Data can be written to this disk many times.

Digital versatile disks

Digital Versatile Disks (DVDs), although the same size in diameter, can store much more data than CDs:

  • Diameter: 120 mm (same as a CD)
  • Type of laser used to write data: 650 nm red laser
  • Maximum capacity of a DVD: 4.7 gigabytes (GB) and 15.9 GB (dual-layer DVD)

The various types of DVDs are as follows:

  • Digital Versatile Disk – Read-Only Memory (DVD-ROM): The DVD comes with data already written to it, much like a CD-ROM.
  • Digital Versatile Disk – Recordable (DVD-R): Data can be written once to the DVD.
  • Digital Versatile Disk + Recordable (DVD+R): Data can be written once to the DVD. +R DVDs utilize more advanced error detection and management technology.
  • Digital Versatile Disk – ReWritable (DVD-RW): Data can be written to the DVD several times. The DVD-RW disk differs from the DVD+RW disk in that the DVD-RW disk may be written-to a bit faster and may also be compatible with a larger variety of DVD players.
  • Digital Versatile Disk – Recordable Dual Layer (DVD-R DL): The DVD contains dual layers resulting in higher storage capacities of between 7.95 GB on a DVD-9 disk and 15.9 GB on a DVD-18 disk.
  • Digital Versatile Disk – Recordable Dual Layer (DVD+R DL): Same as the DVD-R DL, but has been argued as having a more efficient format, resulting in fewer errors.
  • Digital Versatile Disk – Random-Access Memory (DVD-RAM): Mainly used in video recording equipment due to its resiliency (lasting up to two decades) and the ability to rewrite data onto it. This disk is more expensive than other DVD formats and is also not compatible with many common DVD drives and players.

Blu-ray disk

The current standard for removable disk media, the Blu-ray disk, gets its name from the color of the laser used to read from and write to the disk. Due to the high-capacity storage of Blu-ray disks, high definition (HD) content can easily be stored on Blu-ray disks without a loss in quality:

  • Diameter: 120 mm (same as a CD and DVD)
  • Type of laser used to write data: 405 nm blue laser
  • Maximum capacity of a Blu-ray disk: 27 GB and 50 GB (double-layer Blu-ray)

Flash storage media

Flash memory is so named because the data is written to, and erased from, using electrical charges. You may have perhaps heard someone say that they've had to flash their mobile device. This is quite similar to erasing flash storage media on smartphones and smart devices, except devices with operating systems such as Android and iOS require a much more extensive procedure for flashing and reinstalling their operating systems. The end result, however, is very much the same in that the memory and storage areas are reset or wiped.

Flash storage chips come in two types, known as NAND and NOR flash memory, and are responsible for high-speed and high-capacity storage of data on flash storage media. They are newer types of Electrically Erasable Programmable Read-Only Memory (EEPROM) chips that can wipe blocks of data or the entire drive at once, rather than just one byte at a time as with the slower EEPROM. This type of flash memory chip is non-volatile, meaning the data is still stored on the chip even after power to the chip is lost. Data is erased when specific instructions are sent to the chip in the form of electrical signals via a method known as in-circuit writing, which alters the data accordingly.

The following photo shows one of my old 1 GB flash drives with a Samsung NAND chip, which stores the data. If you'd like to get down into the technical details of the chip, you can have a look at the datasheet PDF at https://www.datasheet.directory/index.php?title=Special:PdfViewer&url=https%3A%2F%2Fpdf.datasheet.directory%2F5164321c%2Fsamsung.com%2FK9K4G08U0M-PCB00.pdf:

Figure 3.1 – A flash drive with the NAND chip exposed

Flash media storage has so far become the ultimate in portability, with many types ranging from the size of your thumb to the size of the nail on your little finger. The lifespan of flash storage all depends on the usage as they all have an average read-write usage, sometimes displayed on the packaging of the device. The read-write speeds are also some of the fastest at this point, which is why hard disk drives have moved away from the traditional mechanical disk mechanism to a solid-state one. SSDs will be discussed further later in this chapter.

Important note:

With flash storage media capacities ranging from 2 GB to 256 GB, particularly on SD, microSD and flash drives, these can now act as very fast removable drives with operating systems installed on them, and can even be partitioned using various tools. Yes, indeed, Kali Linux most certainly can be installed onto a flash drive, SD, or microSD card (and be made bootable) with as little as 8 GB of storage space.

USB flash drives

The Universal Serial Bus (USB) port, or interface, released in 1995, has become the standard for all devices, replacing older devices that would have been connected to specific parallel ports on a computer. It's quite common to see almost any device or peripherals connected to a computer via a USB connection, including mice, keyboards, flash drives, printers, scanners, cameras, mobile devices, and just about every other device.

The evolution of the USB port is shown here:

USB flash drives come in all shapes and sizes today, from the standard rectangular to any shape imaginable. USB flash drives use NAND EEPROM chips to store their data, and today are available in various versions that define the read/write speeds of the flash drive.

The following photo shows various flash drives ranging from the oldest to the newest, left to right. The first drive is a USB 2.1 drive, the middle is a 32 GB USB 3.0 drive, and the last (right-side) is a significantly smaller 64 GB USB 3.2 drive:

Figure 3.2 – USB 2.1, 3.0, and 3.2 flash drives

Important note:

I should give a special mention to the elephant in the room here, the novelty flash drive, which can easily pass as a keychain or toy and may actually pose a threat to organizations that do not allow employees to bring to work or leave with flash drives due to the sensitive nature of the data within the organization.

Flash memory cards

Like flash drives, flash memory cards (or memory cards, as they are fondly referred to) also use NAND flash memory, which, as we previously learned, is a non-volatile, solid-state memory. Unlike USB flash drives, however, these cards do not come with a USB interface and must be used with either an adapter or memory card reader.

Over the years and decades, we've had several formats of memory cards grace our desktops, laptops, mobiles, and other devices, including cameras, MP3 players, and even toys. Although I'll only cover some of the more popular cards used today, it is important that you are at least familiar with memory cards and are also able to identify them.

The flash memory card types we will look at are as follows:

  • Memory Stick PRO Duo (MSPD, proprietary card developed by Sony)
  • Secure Digital (SD)
  • Secure Digital High Capacity (SDHC) – 2–32 GB capacity
  • Mini SDHC
  • Micro SDHC
  • Secure Digital eXtended Capacity (SDXC) – 32 GB–2 TB capacity
  • CompactFlash (CF)
  • MultiMediaCard (MMC)
  • xD-Picture (xD)
  • Smart Media (SM)

Of the aforementioned card types, I've opted to show three from my collection in the following photo. The card to the left is a Sony Memory Stick PRO Duo, the card in the middle is an SD card that has a sliding lock to the side, used to prevent data from being overwritten, and the card to the right is the more common card of today, the microSD:

Figure 3.3 – Sony Pro Duo, SD, and micro-SD cards

I'd like to do a brief comparison of these three cards. Developed at least a decade apart, the older PRO Duo card is larger, with a capacity of 2 GB. Although not seen on the SD card, its capacity is 4 GB, and the smallest and newest card to the right (microSD) actually has a whopping 64 GB of storage capacity.

Have a look at the following photo to see a close-up of the microSD card. It shows the capacity of 64 GB, and also the class of the microSD card (class 10). 64 GB of data on something as small as a fingernail! Still, microSD cards are being developed with even larger capacities of 128 GB and even 256 GB:

Figure 3.4 – Class 10 microSD card

The various classes of microSD cards identify their read/write speeds and suggested uses. I do suggest getting a class 10 (C10) microSD card if purchasing one, as the C10 is much faster than the other classes (2, 4, and 6) and supports constant HD and even 4k video recording.

Classes 2, 4, 6, and 10 support speeds of up to 2 MBps, 4 MBps, 6 MBps, and 10 MBps, respectively, and are known as the SD Speed Class. Class 1 and class 3 are known as the UHS Speed Class and support speeds of up to 10 MBps and 30 MBps, respectively. The newer Video Speed Class, which is recommended for HD video in 4K and 8K, supports much faster speeds. The V10, V30, V60, and V90 cards support speeds of up to 10 MBps, 30 MBps, 60 MBps, and 90 MBps, respectively.

As mentioned earlier, flash memory cards require card readers, which connect to laptops, desktops, and other media players using USB ports. The following photo shows one of my many card readers, which supports CompactFlash, Memory Stick PRO Duo, Secure Digital, and even the Smart Media cards:

Figure 3.5 – USB multi-card reader

I'd suggest getting yourself a few USB card readers that support the various card types to easily access cards (whether for ordinary use or data recovery) as most newer laptops, desktops, and devices may only support SD card slots and USB interfaces.

Hard disk drives

Now that we've had a good look at non-volatile storage, including tape and flash storage, let's go a bit deeper into the world of hard disk drives (HDDs), which serve as fixed storage media. I'll try to keep things simple and short by focusing mainly on the knowledge necessary for forensics investigators in particular.

HDD technology has certainly come a long way from the monstrous storage devices first seen in IBM mainframes and is now more compact, fast, and affordable, with capacities in the terabytes.

Although the newer solid-state drives use the same type of memory found in flash memory devices, they are still a bit costly when compared to mechanical drives. This may be, perhaps, one of the contributing factors to why older mechanical drive technology is still being used. Mechanical drives consist of moving parts, including platters, an actuator arm, and a very powerful magnet. Although it is still very common to find these mechanical HDDs in today's laptops and desktops, they are much slower than the newer solid-state drives, which have no moving parts and look very similar to the chipset of a USB flash drive.

In your forensics investigations and adventures, you may come across or be presented with older HDDs that can have different interfaces and use different cable technologies to connect to motherboards. Let's have a look, shall we?

IDE HDDs

Many of the first PCs in the mid-1980s were outfitted with hard drives that used Parallel Advanced Technology Attachment (PATA) and Integrated Drive Electronics (IDE) technology. As with all older devices back then, parallel transmission was the order of the day, allowing for very limited throughput. An easy way to identify older IDE drives is to simply have a look at the interface where the data and power cables connect to the drive.

These older drives, as in the following photo, have four pins for power, which connect to a Molex connector, followed by eight jumper pins used to set the device as a master or slave device, and then 40 pins for the IDE data cable, which transmits the data to the motherboard:

Figure 3.6 – An older 40-pin EIDE hard disk drive

In 1994, advancements in technology led to the release of Enhanced Integrated Drive Electronics (EIDE), which saw an increase in the number of pins for the data cable from 40 to 80, also increasing the transmission speeds from 4 Mbps to a possible 133 Mbps.

IDE/EIDE was still, however, limited to a maximum of four IDE/EIDE drives per computer, as the jumper pins on the drive only allowed for two primary and two secondary drives, set in a master/slave configuration. Consideration also had to be given to the fact that CD-ROM and RW devices, and DVD-ROM and RW devices, were also using IDE/EIDE technology at that time.

SATA HDDs

In 2002, Seagate released an HDD technology called Serial Advanced Technology Attachment (SATA), which used serial transmission instead of slower parallel transmission. While PATA drives offered speeds of 33/66/133 Mbps, SATA boasts speeds of 150/300/600 Mbps. This meant that the lowest SATA transmission speed of 150 Mbps was faster than the highest PATA speed of 133 Mbps.

The connector interfaces of the SATA drives were also different, but it was common at the time to see SATA drives with connectors for both SATA and PATA power cables for backward compatibility.

SATA data cables are much thinner than PATA cables, as they only contain seven wires connecting to seven pins. SATA devices use one cable per drive, unlike PATA devices, which connect two drives on one IDE/EIDE cable connected in a master/slave configuration.

The following photo shows an older SATA drive with SATA data and power connectors to the right and a legacy IDE Molex power cable (four pins) to the left:

Figure 3.7 – A SATA hard disk drive

SATA still continues to be the standard today for drive technology for both desktops and laptops and has had several revisions, as listed here. Speeds listed are in MBps (megabytes per second) and not Mbps (megabits per second):

  • SATA 1: 150 MBps
  • SATA 2: 300 MBps
  • SATA 3: 600 MBps

The following photo shows two SATA laptop 2.5-inch drives. The one to the left is damaged and has been opened for us to see the circular platter at the middle with the actuator arm at the top, slightly positioned over the platter. At the end of the actuator arm is a read/write head, which actually does the reading and the writing of data to the platter.

The drive on the right-hand side in the photo is actually a hybrid drive, or a Solid-State Hybrid Drive (SSHD). This is actually a mechanical drive like the one to the left, but also has flash memory in it to allow for faster access to the data on the platters:

Figure 3.8 – A mechanical laptop drive with platters exposed

Solid-state drives

As briefly mentioned before, SSDs are non-volatile storage media and use NAND flash memory in an array to hold data. SSDs have been around for quite some time; however, mainstream use was greatly hampered by the high cost of the drives. Samsung first released a 32 GB SSD with a PATA interface in 1996, followed by SanDisk's 32 GB SSD, but with a SATA interface.

Although SSD drives use flash memory, the materials used are more high-end than that found in flash drives, which makes it the much preferred option for use as a hard drive, but again contributes to the very high cost.

Some advantages of SSDs come from the fact that there are no moving parts in an SSD. No moving parts make the SSD more durable in the event of a fall or swift foot to the PC tower as there are no platters or actuator arms to be scratched or struck. Also, the faster read/write speeds and access times greatly reduce the time taken for the device to boot or start, and even gives an enhanced experience when using resource-intensive software and games.

As far as digital forensics goes, SSDs are still a relatively new technology that will be constantly improved upon for some time to come. It's important to remember that you are not dealing with a mechanical drive and that data on an SSD, much like a flash drive or memory card, can be lost or wiped within minutes or even seconds. Although traditional tools can be used to image and recover data from SSDs, I strongly suggest researching any SSD drive before performing any forensic activities to get a better understanding of its workings and complexities, such as de-chipping and wear-leveling algorithms.

More information on the reasons for the wearing out of SSDs, as well as wear-leveling, can be found at https://www.dell.com/support/article/en-tt/sln156899/hard-drive-why-do-solid-state-devices-ssd-wear-out?lang=en.

Here's a photo of a 250 GB SSD:

Figure 3.9 – An M2 NVMe Solid State Drive (SSD)

Take note of the pin layout interface for the SSD connector (left side), which connects to a PCIe interface on the board instead of the usual SATA connectors. The connector in the preceding photo is an M.2 Non-Volatile Memory express (NVMe) SSD connector type, but there are other types as well. When performing forensic acquisitions on SSDs, which may require the use of a USB adapter, be sure you know which connector you are working with.

Different SSD interface types include the following:

  • SATA 3.0 (up to 6 Gb/s bandwidth)
  • mSATA (up to 6 Gb/s bandwidth) – found in older computers
  • M.2 SATA (up to 32 Gb/s bandwidth)
  • M.2 NVMe (up to 32 Gb/s bandwidth)
  • U.2 (up to 32 Gb/s bandwidth but not very common)

Filesystems and operating systems

Now that we've covered the physical, let's get logical! Any and every type of storage media needs to be formatted with a particular filesystem. The filesystem chosen will also determine which operating system can be installed on the medium, along with file and partition sizes.

A simple way to think of this is to imagine a blank sheet of paper as any type of new or wiped storage media. We can put several types of information on this piece of paper, but we'll probably first want to organize or prepare the sheet of paper in a way that makes our data easy to understand, access, and even store. We can choose to write on it from left to right in sentences and paragraphs in English, or we can perhaps create tables using rows and columns. We can even use printed slides to display our data, or even use images, graphs, and flowcharts. Additionally, we can format our storage media in a way that best suits the data that will be stored and used.

Filesystems ensure that the data is organized in such a way that it can be easily recognized and indexed. Consider the storage space within a filing cabinet with multiple compartments. Some may be used specifically for storing files in alphabetical order, others in chronological order, some compartments for stationery supplies, miscellaneous, and even random items. Although all are used for storing different items, they can all be labeled and easily recognized, and also organized in such a way that the contents of each compartment can be easily accessed or even removed.

To install any operating system on a hard drive or removable storage media, the device must first be formatted and prepared for the operating system by choosing the appropriate filesystem. Windows, macOS, Android, Kali, and so on all have filesystems that organize the storage medium so that the operating system can be successfully installed.

Some of the more popular operating systems and their filesystems are as follows.

Microsoft Windows:

  • Filesystem: New Technology File System (NTFS)
  • Supported versions: Server 2019, Server 2016, Server 2012, Server 2008, Windows 10, 8, 7, Vista, XP, 2000, NT
  • Maximum volume size: 256 TB (although listed as theoretically 16 Exabytes, or 16 EiB)
  • Maximum supported file size: 256 TB (using a 64 KB cluster size)
  • NTFS features: Compression, EFS (Encrypted File System), disk quotas

    Important note:

    Older versions of Microsoft Windows supported the File Allocation Table (FAT) filesystem by default. Newer versions of Windows also support FAT and FAT32, but with drive size limitations (8 TB) and file size limitations (4 GB). exFAT was created to remove the limitations of FAT32, but may not be as widely supported as FAT32.

Macintosh (macOS):

  • Filesystem: HFS+ (Hierarchical File System)
  • Supported versions: macOS up to version 10
  • Maximum volume size: 2 TB
  • Maximum supported file size: 8 EB

    Important note:

    In 2017, Apple advanced to a newer filesystem called Apple File System (APFS) to replace HFS+, optimized specifically for SSDs. APFS is available as the default filesystem for macOS High Sierra and anything newer, and also for iOS 10.3 and anything newer.

Linux:

  • Filesystem: Ext4 (Fourth Extended File System). Several filesystems are available for Linux, but I recommend this one if you are uncertain as to which should be used.
  • Supported versions: Red Hat, Kali, Ubuntu, and so on.
  • Maximum volume size: 1 EB.
  • Maximum supported file size: 16 TB.

    Important note:

    Many open source operating system distributions are based on Linux, including Kali Linux and Android, and so use the ext2/ext3/ext4 filesystems. They are also able to use the FAT32 filesystem. FAT32 can be used across any platform, including older versions of Windows, Mac, and Linux, and is supported by almost any device with a USB port.
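Before any of the filesystem limits above can be applied, an investigator first has to recognize which filesystem a raw volume image carries, and the on-disk signatures are what tools such as Sleuth Kit read to do that. The following added example (not code from the chapter or from any forensic tool) identifies NTFS, exFAT, FAT12/16/32, ext2/3/4, HFS+ and APFS from their boot-sector or superblock markers; the sample images it checks are constructed in-memory stand-ins for the first few KB of a real volume.

```python
import struct

# Offsets below are the published on-disk locations of each filesystem's
# identifying marker (volume-relative, in bytes).
NTFS_OEM_OFFSET = 3          # "NTFS    " in the boot sector OEM ID field
EXFAT_OEM_OFFSET = 3         # "EXFAT   " in the same field
FAT32_TYPE_OFFSET = 82       # BS_FilSysType for FAT32
FAT1X_TYPE_OFFSET = 54       # BS_FilSysType for FAT12/FAT16
EXT_SUPERBLOCK_OFFSET = 1024 # ext superblock lives 1 KB into the volume
EXT_MAGIC_OFFSET = 56        # s_magic, little-endian 0xEF53
EXT_COMPAT_OFFSET = 0x5C     # s_feature_compat (bit 0x4 = has_journal)
EXT_INCOMPAT_OFFSET = 0x60   # s_feature_incompat (bit 0x40 = extents)
HFSPLUS_SIG_OFFSET = 1024    # volume header signature "H+" or "HX"
APFS_MAGIC_OFFSET = 32       # "NXSB" in the container superblock

def identify_filesystem(image: bytes) -> str:
    """Return the filesystem name for the start of a raw volume, or 'unknown'."""
    if len(image) < 512:
        return "unknown"
    oem = image[NTFS_OEM_OFFSET:NTFS_OEM_OFFSET + 8]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if image[FAT32_TYPE_OFFSET:FAT32_TYPE_OFFSET + 8] == b"FAT32   ":
        return "FAT32"
    fat1x = image[FAT1X_TYPE_OFFSET:FAT1X_TYPE_OFFSET + 8]
    if fat1x in (b"FAT12   ", b"FAT16   "):
        return fat1x.strip().decode("ascii")
    if image[APFS_MAGIC_OFFSET:APFS_MAGIC_OFFSET + 4] == b"NXSB":
        return "APFS"
    if len(image) >= EXT_SUPERBLOCK_OFFSET + 1024:
        sb = image[EXT_SUPERBLOCK_OFFSET:EXT_SUPERBLOCK_OFFSET + 1024]
        if struct.unpack_from("<H", sb, EXT_MAGIC_OFFSET)[0] == 0xEF53:
            compat = struct.unpack_from("<I", sb, EXT_COMPAT_OFFSET)[0]
            incompat = struct.unpack_from("<I", sb, EXT_INCOMPAT_OFFSET)[0]
            if incompat & 0x40:      # extents feature only exists in ext4
                return "ext4"
            if compat & 0x4:         # journal without extents: ext3
                return "ext3"
            return "ext2"
        if sb[0:2] in (b"H+", b"HX"):
            return "HFS+"
    return "unknown"

def make_sample(kind: str) -> bytes:
    """Constructed 4 KB sample volumes carrying only the identifying marker."""
    img = bytearray(4096)
    if kind == "NTFS":
        img[3:11] = b"NTFS    "
    elif kind == "exFAT":
        img[3:11] = b"EXFAT   "
    elif kind == "FAT32":
        img[82:90] = b"FAT32   "
    elif kind == "FAT16":
        img[54:62] = b"FAT16   "
    elif kind in ("ext2", "ext3", "ext4"):
        struct.pack_into("<H", img, 1024 + 56, 0xEF53)
        if kind != "ext2":
            struct.pack_into("<I", img, 1024 + 0x5C, 0x4)   # has_journal
        if kind == "ext4":
            struct.pack_into("<I", img, 1024 + 0x60, 0x40)  # extents
    elif kind == "HFS+":
        img[1024:1026] = b"H+"
    elif kind == "APFS":
        img[32:36] = b"NXSB"
    return bytes(img)

if __name__ == "__main__":
    for k in ("NTFS", "exFAT", "FAT32", "FAT16", "ext2", "ext3", "ext4", "HFS+", "APFS"):
        print(f"{k:6} -> {identify_filesystem(make_sample(k))}")
```

On a real acquisition, feed the function the first 4 KB of the partition (not the whole disk image), since these markers are volume-relative and sit after the partition table.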

What about the data?

In this chapter so far, we've looked at the various media for storing data. Now, I'd like to talk about the actual data itself, some of its states, and what happens when it's accessed.

Data states

Firstly, there's data in transit, also called data in motion. This state describes data on the move, perhaps traversing the network between devices or even moving between storage media, actively moving between locations.

Then there's data in use. Data in this state is currently being accessed by a user or processed by a CPU. When data is accessed from the hard drive, it is temporarily stored in RAM, which is much faster than the hard drive (particularly mechanical drives) and stored there for as long as the user accesses it and there is power to the device.

When data is not in motion, transit, or in use, it is described as data at rest. In this state, the data rests or resides on non-volatile media such as hard drives, optical media, flash drives, or memory cards.

Metadata

Metadata is simply data about data. Take an item such as a laptop stored in a warehouse, for example. Somewhere in the warehouse (and also, possibly, in other locations such as the cloud), there may be several pieces of information about that laptop, which can be referred to as data about the laptop, or even laptop metadata, such as:

  • Location of the laptop within the warehouse
  • Laptop brand and model
  • Manufacture date
  • Warranty dates and information
  • Hardware and software specs
  • Color and size

Additionally, data may have at least some basic information pertaining to it, whether it be at rest or in motion. At rest, data may be indexed on a hard drive in the file table to identify the location of the data and whether it may be available to the user or is waiting to be overwritten. Data in transit will also contain header information (which will be discussed in later chapters), which gives information about source and destination addresses and the size of the data, to name just a few aspects.

Slack space

Clusters are the smallest amount of disk space or allocation units on storage media that store data. When formatting drives, we need to define the size of these allocation units, or we can use the default cluster size of 4 KB. This is where slack space comes in.

Slack space (also referred to as file slack) is the empty and unused space within clusters that contain data but are not completely filled with data. To fully understand this, we first need to understand default cluster sizes specified by operating systems. A drive formatted using NTFS (for Windows) has a default cluster size of 4 KB. Let's say that you've saved a text file to your disk with a file size of 3 KB. This means that you still have 1 KB of unused or slack space within that cluster.

Slack space is of particular interest to a forensic investigator as data can be easily hidden inside it. Lucky for us, we have several tools available, such as Sleuth Kit and Autopsy, within Kali Linux, to help investigate slack space and find hidden files.
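The following is an added example, not code from the book or from Sleuth Kit or Autopsy, showing how file slack comes to exist and how an examiner addresses it. It builds a toy in-memory volume with the 4 KB cluster size quoted above, writes the 3 KB text file from the text into it, and then computes and reads back the 1 KB of slack. The Volume class, its file table and the "old record" residue filling the clusters are all constructed here for illustration.

```python
# Added example (not from the book, Sleuth Kit or Autopsy): file slack on a
# cluster-addressed volume. Everything below is constructed for illustration.
import math

CLUSTER_SIZE = 4096  # the default NTFS cluster size quoted in the text


def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Whole clusters the filesystem must allocate to hold file_size bytes."""
    return math.ceil(file_size / cluster_size)


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Unused bytes at the tail of the last allocated cluster (the file slack)."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


class Volume:
    """Toy in-memory volume: a flat byte array divided into fixed-size clusters."""

    def __init__(self, num_clusters: int, cluster_size: int = CLUSTER_SIZE):
        self.cluster_size = cluster_size
        total = num_clusters * cluster_size
        # Constructed residue: pretend every cluster once held an old, since-deleted
        # record. Deleting or quick-formatting does not wipe it; only overwriting does.
        old_record = b"OLD-RECORD:deleted-memo;"
        reps = math.ceil(total / len(old_record))
        self.data = bytearray((old_record * reps)[:total])
        # Minimal file table: name -> (first cluster, logical size in bytes)
        self.file_table: dict[str, tuple[int, int]] = {}

    def write_file(self, name: str, first_cluster: int, content: bytes) -> None:
        """Write content into consecutive clusters starting at first_cluster.

        Only len(content) bytes are overwritten; whatever already sat in the rest
        of the final cluster stays there. That leftover is the file slack.
        """
        start = first_cluster * self.cluster_size
        self.data[start : start + len(content)] = content
        self.file_table[name] = (first_cluster, len(content))

    def slack_region(self, name: str) -> tuple[int, int]:
        """(byte offset on the volume, length) of the named file's slack."""
        first_cluster, size = self.file_table[name]
        offset = first_cluster * self.cluster_size + size
        return offset, slack_bytes(size, self.cluster_size)

    def read_slack(self, name: str) -> bytes:
        """Raw slack bytes, which the file's own logical size never exposes."""
        offset, length = self.slack_region(name)
        return bytes(self.data[offset : offset + length])

    def slack_report(self) -> dict[str, int]:
        """Slack byte count per file: a quick survey of where residue may sit."""
        return {
            name: slack_bytes(size, self.cluster_size)
            for name, (_first, size) in self.file_table.items()
        }


def demo() -> tuple[int, bytes]:
    """The book's case: a 3 KB text file in a 4 KB cluster leaves 1 KB of slack."""
    vol = Volume(num_clusters=8)
    vol.write_file("notes.txt", first_cluster=2, content=b"A" * 3072)
    slack = vol.read_slack("notes.txt")
    return len(slack), slack


if __name__ == "__main__":
    length, slack = demo()
    print(f"{length} bytes of slack, beginning: {slack[:40]!r}")
```

The point of the constructed residue is that slack is not empty in practice: it holds whatever the cluster contained before the current file was written, which is exactly why an examiner carves it rather than trusting the logical file size.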

Data volatility

In this section, we will take a look at why data is lost when power to the volatile memory is lost.

Data can exist as long as the media it is stored on is capable of storing the data. Hard drives (mechanical and solid-state), flash drives, and memory cards are all non-volatile storage media. Although SSDs have made, and continue to make, drastic improvements in data access times, RAM thus far remains the faster type of memory, typically referred to only as memory, inside devices.

RAM, however, is volatile memory. Unlike non-volatile memory found in hard drives and flash drives, data stored in RAM is kept there temporarily, only for as long as there is an electrical current being provided to the chips. There are two types of RAM that we need to be aware of: Static RAM (SRAM) and Dynamic RAM (DRAM).

SRAM is superior to DRAM but is far more costly because of the expensive materials used in building the chips. SRAM is also physically much larger than DRAM. SRAM can be found in the CPU cache (L1 or Level 1) and, on some chips, on the motherboard (L2/L3), although in very small sizes (KB) due to the cost and physical size.

Although DRAM is slower, it is much cheaper and remains one of the reasons for its usage as the main memory in devices. What makes RAM volatile is its components, such as transistors and capacitors. Some of you may already be familiar with this topic from certification courses such as A+, but for the benefit of all our readers, allow me to go into a bit more detail.

DRAM uses capacitors, which store electrical charges temporarily as part of a refresh circuit. The chips need to be constantly refreshed in order to hold the data while being accessed. However, between refreshes, a wait state is created, which makes DRAM slower than SRAM, which uses transistors instead of capacitors and therefore has no wait states.

Over the decades, there have been many types of DRAM or memory sticks in slightly varying sizes and increased pins with which to make contact with the motherboard. Some of the RAM types, in order of age, are as follows:

  • Extended Data Output RAM (EDO RAM): One of the earlier types of DRAM.
  • Synchronous Dynamic RAM (SDRAM): Began synchronizing itself with the CPU clock speed. Had a maximum data rate of 166 MT/s (millions of transfers per second). Labeled as PC100, PC133, and PC166. SDRAM had a maximum transfer rate/speed of 1.3 GB/s.
  • DDR-SDRAM/DDR 1 (Double Data Rate – SDRAM): Effectively doubled the transfer rate of SDRAM. Had a maximum transfer rate of 400 MT/s and the maximum transfer speed was 3.2 GB/s.
  • DDR2: Had a maximum transfer rate and speeds of 800 MT/s and 6.4 GB/s, respectively.
  • DDR3: Consumes up to a third less power than DDR2. Had a maximum transfer rate and speeds of 1,600 MT/s and 14.9 GB/s, respectively.
  • DDR4: Had a maximum transfer rate and speeds of 3,200 MT/s and 21 GB/s, respectively.
  • Graphics Double Data Rate Synchronous Dynamic RAM (GDDR SDRAM): GDDR is used in graphic cards for video graphics rendering.

In today's laptops and desktops, you will mainly come across DDR3 and DDR4, but it may not be uncommon to run into a legacy machine, such as an older server with DDR2. The following photo shows different RAM types, Dual Inline Memory Modules (DIMM). From top to bottom, we have SDRAM, DDR1, DDR2, and, lastly, DDR3:

Figure 3.10 – Various desktop RAM form factors

Important note:

Laptops also use DDR RAM but are available in a more compact size called Small Outline DIMM (SODIMM) modules.

The paging file and its importance in digital forensics

Operating systems have the ability to use a portion of the hard disk as an extension of RAM. This is referred to as virtual memory and is usually a good idea if a computer or laptop has limited RAM. Although the hard drive is much slower than the RAM, the swap or paging file on the disk can store files and programs that are being accessed less, leaving the RAM available to store data that is being frequently accessed. This process involves the operating system swapping pages of data that are less frequently used and moving data to the dedicated paging file area on the hard drive.

The paging file is very important to us in forensics investigations. Because it is stored on the hard disk, it is not as volatile as RAM itself. In Windows it is a hidden file called pagefile.sys, and it should always be inspected using tools of your choice, as this file may reveal passwords for encrypted areas, information from sites visited, documents opened, logged-in users, printed items, and so on.

Data on mechanical drives, in particular, is stored in a fragmented manner. However, the advantage of the paging or swap file is that the data can be stored in a contiguous manner, one piece after the next, allowing for faster access times.

It is recommended that the size of the paging file is set to 1.5 times the amount of memory and that it also be stored on a separate drive if possible, not just a separate partition.

Important note:

The location of pagefile.sys is configured in the Windows registry under the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
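As an added example, not code from the book or from any tool it mentions, the following shows the usual first triage step an examiner takes on a copy of the paging file: carving printable strings out of it and noting where each one sits. Windows keeps much of its in-memory text as UTF-16LE, so a plain ASCII "strings" pass would miss file paths and URLs that were swapped out; the scanner below handles both encodings and also groups hits by 4 KB page, the unit the operating system swaps in and out. SAMPLE_PAGEFILE is a constructed buffer standing in for a slice of pagefile.sys, and the function names are this example's own.

```python
# Added example (not from the book): string triage of a pagefile-style buffer.
# SAMPLE_PAGEFILE is constructed here; it is not a real pagefile.sys.
import re
from typing import Dict, List, Tuple

MIN_LEN = 6      # shorter printable runs are overwhelmingly noise
PAGE_SIZE = 4096  # the granularity at which the OS swaps memory to disk


def _ascii_re(min_len: int) -> re.Pattern:
    # A run of printable 7-bit characters (space through tilde).
    return re.compile(rb"[\x20-\x7e]{%d,}" % min_len)


def _utf16le_re(min_len: int) -> re.Pattern:
    # The same characters as Windows stores them in memory: each followed by 0x00.
    return re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)


def carve_strings(buf: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of >= min_len chars.

    Hits are sorted by offset so ASCII and UTF-16LE finds interleave in file order.
    """
    hits = [
        (m.start(), "ascii", m.group().decode("ascii"))
        for m in _ascii_re(min_len).finditer(buf)
    ]
    hits += [
        (m.start(), "utf16le", m.group().decode("utf-16-le"))
        for m in _utf16le_re(min_len).finditer(buf)
    ]
    return sorted(hits)


def strings_on_page(
    buf: bytes, page_size: int = PAGE_SIZE, min_len: int = MIN_LEN
) -> Dict[int, List[str]]:
    """Group carved strings by page index: strings sharing a page were likely
    resident together in RAM, which helps reconstruct context."""
    pages: Dict[int, List[str]] = {}
    for offset, _enc, text in carve_strings(buf, min_len):
        pages.setdefault(offset // page_size, []).append(text)
    return pages


# --- constructed sample: two 4 KB pages of "swapped" memory --------------------
_NOISE = b"\x00\x01\x02\xff\xfe\x03" * 40  # 240 bytes with no printable characters
_PAGE0 = (
    _NOISE
    + b"Quarterly report.docx"                       # ASCII document name
    + _NOISE
    + "https://example.com/login".encode("utf-16-le")  # URL as Windows holds it
    + _NOISE
).ljust(PAGE_SIZE, b"\x00")
_PAGE1 = _NOISE + "C:\\Users\\jdoe\\Documents".encode("utf-16-le") + _NOISE
SAMPLE_PAGEFILE = _PAGE0 + _PAGE1


if __name__ == "__main__":
    for offset, enc, text in carve_strings(SAMPLE_PAGEFILE):
        print(f"0x{offset:08x} page {offset // PAGE_SIZE} [{enc:7}] {text}")
```

On a real acquisition you would run this over the pagefile copy taken from the forensic image, not the live system, and treat every hit as a lead to corroborate against the filesystem and browser artifacts rather than as proof on its own.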

Summary

In this chapter, we took the time to cover some of the basics of non-volatile storage media, which stores data even after there is no power supplied to the medium. Non-volatile media includes different types of HDDs, such as mechanical and solid-state PATA, as well as SATA drives, flash drives, and memory cards.

Newer storage media devices, including SSDs, use a special type of flash memory called NAND flash to store data. This flash memory is significantly faster and more durable than traditional mechanical drives as the devices contain no moving parts. However, they are still quite costly for now.

We also had a look at various filesystems associated with various operating systems and saw that the smallest allocation of data is called a cluster, in which slack space can reside. Slack space is the unused space within a cluster in which data can be hidden. Data itself has different states and can be at rest, in motion, or in use. Regardless of the state of the data, there always resides some information about the data itself, called metadata.

Any data accessed by the user or operating system is temporarily stored in volatile memory or RAM. Although data can be stored for lengthy periods on non-volatile memory, it is lost when electrical charges to volatile memory (RAM) are also lost. An area of the hard disk called the paging file can act as virtual RAM, allowing the computer to think it has more RAM than installed.

I do encourage you to do more research and expand your knowledge on these topics, allowing you to gain a greater understanding of what has been covered. Let's now move on to the next chapter, where we'll learn about investigative procedures and the best practices for incident response, such as acquiring volatile data and procedures for working with and analyzing live machines.
