Hard Disks and File Systems in Digital

Forensics

Hard Disks and File Systems

Hard disks store digital data in structured formats using file systems. Digital forensics
relies on understanding hard disks and file systems for evidence collection, data recovery,
and security. File systems determine how data is stored, accessed, and managed. They
include metadata, directories, and allocation tables. Investigators analyze disk structures
to recover lost files and detect unauthorized access.

Introduction to Hard Disks

A hard disk is a non-volatile storage device used in computers and servers to store op-
erating systems, applications, and user data. It consists of spinning magnetic platters
or solid-state memory in SSDs. Hard disks store data permanently and allow quick re-
trieval. Digital forensics professionals analyze hard disks to extract deleted, hidden, or
encrypted data. The study of disk internals is crucial for recovering lost information and
understanding digital crimes.

Hard Disk Architecture and Components

A traditional hard disk consists of several key components: platters (where data is stored
magnetically), read/write heads (to access data), a spindle (rotating the platters), an
actuator arm (moving the heads), and a controller (managing data transfer). Solid-State
Drives (SSDs) use NAND flash memory instead of moving parts, improving speed and
durability. Understanding disk components helps forensic experts analyze failures, extract
evidence, and recover data.

Hard Disk Interfaces (IDE, SATA, SCSI, NVMe)

Hard disk interfaces define how data is transferred between the disk and the computer.

• IDE (Integrated Drive Electronics): Older interface, slower speeds, used in

legacy systems.

• SATA (Serial ATA): Common in modern PCs, offers faster data transfer and
better efficiency than IDE.

1
 • SCSI (Small Computer System Interface): Found in enterprise systems, sup-
ports multiple devices and high-speed data transfer.

• NVMe (Non-Volatile Memory Express): Latest interface, optimized for SSDs,

offers extremely high speeds for modern applications.

Forensic analysis involves understanding these interfaces for proper data extraction.

Hard Disk Partitioning and Formatting

Partitioning divides a disk into sections, each functioning as an independent storage
unit. It helps organize data and manage multiple operating systems. Formatting prepares
partitions for data storage by defining a file system (e.g., NTFS, FAT32, EXT4). In digital
forensics, partitioning information is analyzed to track data structure, detect hidden
partitions, and recover deleted partitions. Misconfigured or corrupted partitions can
indicate evidence tampering.

File System Basics

A file system manages how files are stored and retrieved on a disk. It includes struc-
tures like directories, allocation tables, and metadata. Common file systems include
FAT, NTFS, EXT, HFS+, and APFS. File systems track file locations, sizes, cre-
ation/modification dates, and permissions. Forensic investigators analyze file system
structures to recover lost files, detect anomalies, and extract metadata for digital evi-
dence.

Types of File Systems

Different file systems serve various purposes based on performance, security, and com-
patibility needs. Below are some commonly used file systems:

FAT (File Allocation Table)

• Used in early DOS and Windows systems, as well as USB drives and memory cards.

• Variants: FAT12, FAT16, FAT32 (supports larger partitions).

• Lacks security features and journaling but offers broad compatibility.

NTFS (New Technology File System)

• Default file system for Windows NT and later versions.

• Supports large files, advanced security permissions, encryption, and journaling.

• Used in modern Windows systems due to its robustness and security.

2
EXT (Extended File System)
• Common in Linux distributions.

• Versions include EXT2 (no journaling), EXT3 (adds journaling), and EXT4 (sup-
ports larger volumes and better performance).

• Offers reliability and efficient file handling for Linux-based systems.

HFS+ (Hierarchical File System Plus)

• Used in macOS before macOS High Sierra.

• Supports journaling and large files but lacks modern features like snapshots.

• Now largely replaced by APFS.

APFS (Apple File System)

• Introduced in macOS High Sierra (10.13) and used in all newer Apple devices.

• Optimized for SSDs, supports encryption, snapshots, and space sharing.

• Provides better performance and security than HFS+.

File System Journaling and Recovery

File system journaling is a technique used to improve data reliability and recovery in case
of system crashes, power failures, or unexpected shutdowns. A journal is a dedicated area
within the file system where changes are logged before being committed to the main file
structure.

Journaling in File Systems

Journaling helps maintain file system integrity by recording metadata and file changes
before applying them. If a system crash occurs during a write operation, the journal can
be used to restore the file system to a consistent state.
Types of Journaling:

• Metadata Journaling: Logs only metadata changes before writing to the disk.
Used in file systems like EXT3 and NTFS.

• Full Journaling: Logs both metadata and file content changes, providing higher
reliability but incurring additional overhead.

• Ordered Journaling: Ensures that metadata changes are committed only after
the corresponding file data is written to disk.

File Systems that Support Journaling:

• EXT3/EXT4 (Linux): Uses ordered journaling for improved performance and

reliability.

3
 • NTFS (Windows): Implements metadata journaling to ensure consistency.

• HFS+ (Mac): Supports journaling to enhance data recovery.

• APFS (Mac): Uses a more advanced snapshot-based mechanism for journaling.

File System Recovery Techniques

File system recovery is critical in forensic investigations and system maintenance. Various
techniques help recover lost, deleted, or corrupted data.
Common Recovery Techniques:

• Journal Replay: Reconstructs lost or incomplete transactions from the journal

to restore file system integrity.

• File Carving: Recovers deleted files by scanning for known file signatures without
relying on file system structures.

• Metadata Analysis: Examines file system metadata to reconstruct lost directories

and file allocations.

• Undelete Utilities: Tools like TestDisk and PhotoRec can restore recently deleted
files from FAT, NTFS, and EXT file systems.

• RAID Reconstruction: Used for recovering data from RAID arrays where file
systems have been partially damaged.

Forensic investigators rely on journaling and recovery techniques to reconstruct digital

timelines, restore lost evidence, and analyze suspicious deletions or modifications.

Disk Partitioning Schemes (MBR, GPT)

Disk partitioning defines how storage is divided and managed on a disk. The two primary
partitioning schemes used in modern computing are Master Boot Record (MBR) and
GUID Partition Table (GPT).

Master Boot Record (MBR)

MBR is the traditional partitioning scheme used in legacy BIOS-based systems. It con-
tains bootloader code and partition table information at the first sector (sector 0) of the
disk.
Features of MBR:

• Supports up to 4 primary partitions (or 3 primary + 1 extended partition, which

can hold multiple logical partitions).

• Uses 32-bit partition entries, limiting disk size to 2TB.

• Stores the bootloader in the first 512 bytes of the disk (MBR sector).

• Vulnerable to corruption: A single-sector failure can render the disk unbootable.

4
 Forensic Considerations for MBR:

• Partition table modifications can indicate hidden partitions or data obfusca-

tion.

• MBR-based malware can manipulate the boot process (bootkits).

• Recovery of lost partitions is possible with tools like TestDisk.

GUID Partition Table (GPT)

GPT is a modern partitioning scheme used in UEFI-based systems, designed to overcome
MBR’s limitations.
Features of GPT:

• Supports up to 128 partitions (on Windows, more on other OSs).

• Uses 64-bit partition entries, allowing disks larger than 2TB.

• Stores multiple copies of partition data across the disk, improving redundancy.

• Uses a CRC32 checksum for integrity checking.

Forensic Considerations for GPT:

• GPT stores multiple backup partition tables, making it more resilient to corruption.

• Malicious users may attempt to hide partitions by modifying GPT headers.

• Analysis of GPT disk images requires tools that support UEFI-based partitions.

Comparison of MBR vs. GPT

Feature MBR GPT

Max Disk Size 2TB Over 9ZB (Zettabytes)
Max Partitions 4 primary (or extended + logical) 128+
Boot Mode BIOS UEFI
Redundancy No backup of partition table Multiple backups
Data Integrity No built-in checks CRC32 checksum verification
Forensic Recovery Vulnerable to corruption More resilient

Table 1: Comparison of MBR and GPT Partitioning Schemes

Forensic Implications of Partitioning Schemes

• Investigators analyze partitioning schemes to recover hidden or deleted partitions.

• MBR-based disks are more prone to partition table corruption, leading to data loss.

• GPT provides better forensic reliability due to redundancy and integrity checks.

5
 • Tools such as TestDisk, GParted, and Forensic Imager help recover partition
structures.
Understanding partitioning schemes is crucial for forensic analysts when recovering
lost partitions, detecting hidden data, and analyzing boot records.

File System Analysis Tools

Forensic analysts use specialized tools to investigate disk structures, analyze file activity,
and recover lost evidence. Some of the most widely used tools include:
• Autopsy: A powerful open-source forensic tool that provides a graphical interface
for analyzing file systems, recovering deleted files, and examining disk images.
• The Sleuth Kit (TSK): A command-line toolkit used for investigating disk par-
titions, extracting file metadata, and performing in-depth forensic analysis.
• X-Ways Forensics: A commercial forensic tool with advanced capabilities for disk
analysis, file system recovery, and metadata extraction.
• EnCase: A professional forensic tool widely used by law enforcement and enter-
prises for digital investigations, evidence preservation, and court-admissible forensic
reports.
These tools help forensic experts uncover hidden files, analyze system activity, and re-
trieve digital evidence crucial for legal proceedings.

Disk Encryption and Data Protection

Disk encryption is a security measure that protects sensitive data by converting it into an
unreadable format using cryptographic algorithms. Encrypted data can only be accessed
with the correct decryption key, ensuring protection against unauthorized access, data
breaches, and forensic investigations.

Types of Disk Encryption

Disk encryption can be categorized based on the scope of encryption and how it is applied:

Forensic Challenges with Encrypted Disks

Encryption poses challenges for forensic investigators attempting to access protected data.
Some key difficulties include:
• Key Recovery Issues: Without encryption keys or passwords, data remains in-
accessible.
• Brute-Force Resistance: Strong encryption (e.g., AES-256) is computationally
infeasible to break.
• Live Acquisition Requirements: Investigators may need to extract encryption
keys from memory before a system shuts down.
• Cold Boot Attacks: Exploiting memory remnants to recover encryption keys.

6
Data Protection Best Practices
To ensure data security and prevent unauthorized access, best practices include:

• Using Strong Passwords: Complex passwords reduce brute-force attack risks.

• Multi-Factor Authentication (MFA): Adds an additional layer of protection.

• Regular Key Rotation: Updating encryption keys periodically enhances security.

• Secure Key Storage: Storing encryption keys in a TPM or secure vault prevents
unauthorized access.

• Data Wiping Before Disposal: Secure erasure techniques ensure encrypted disks
cannot be recovered after disposal.

Forensic Strategies for Analyzing Encrypted Disks

Despite encryption challenges, forensic experts use various techniques to analyze en-
crypted storage devices:

• Live Analysis: Extracting encryption keys from RAM during an active session.

• Memory Forensics: Analyzing memory dumps to locate decryption keys.

• Cold Boot Attacks: Retrieving encryption keys from residual RAM data.

• Legal Warrants: Obtaining court orders to compel decryption.

Recovering Deleted Files and File Metadata

File deletion does not immediately erase data from storage devices. Instead, the operating
system marks the space occupied by the file as available for reuse, while the actual data
remains on disk until overwritten. Digital forensic experts use specialized techniques to
recover deleted files and analyze file metadata to reconstruct events.

Recovering Deleted Files

Several techniques are employed in digital forensics to retrieve deleted files from storage
devices:
1. File System Analysis

• File systems like FAT, NTFS, and EXT maintain records of deleted files in
metadata structures (e.g., the Master File Table in NTFS).

• Recovery tools can locate file entries and restore data before it is overwritten.

2. File Carving

• File carving extracts deleted files by searching for known file headers, footers, and
patterns.

7
 • This technique does not rely on file system metadata and is useful when metadata
is damaged.

• Tools like Scalpel, Foremost, and PhotoRec are commonly used for file carving.

3. Journal and Log Analysis

• Journaling file systems (e.g., NTFS, EXT4, APFS) maintain records of file op-
erations.

• Log entries can reveal deleted file names, timestamps, and contents.

• Recovery is possible by analyzing journal entries before they are overwritten.

4. Shadow Copies and Backups

• Windows Volume Shadow Copy (VSS) and macOS Time Machine retain pre-
vious file versions.

• Backup solutions provide alternative recovery options for deleted data.

5. Unallocated Space Analysis

• Even after file deletion, remnants may persist in unallocated disk space.

• Forensic tools scan unallocated areas to recover fragments of deleted files.

File Metadata and Its Importance in Forensics

File metadata provides essential details about files, such as creation time, modification
history, and ownership. It helps forensic analysts reconstruct digital timelines and detect
anomalies.
1. Types of File Metadata

• System Metadata: Information stored by the file system, including timestamps,

access permissions, and ownership.

• Application Metadata: Embedded data within files, such as EXIF data in im-
ages, document properties in PDFs, and ID3 tags in audio files.

• Security Metadata: Includes Access Control Lists (ACLs) and cryptographic

hash values.

2. Forensic Analysis of Metadata

• Metadata helps identify unauthorized file modifications or access.

• Timeline analysis reconstructs user activities based on file creation, modification,

and access timestamps.

• Metadata is extracted using tools such as:

– Autopsy and Sleuth Kit (analyze file system metadata).

– ExifTool (extracts metadata from images, PDFs, and videos).

8
 – FTK Imager (recovers metadata from forensic disk images).

3. Anti-Forensic Techniques and Metadata Manipulation

• Attackers may attempt to alter or erase metadata using:

– Timestomping: Modifying file timestamps to mislead forensic analysis.

– Metadata Stripping: Removing embedded metadata from files.
– Secure Deletion: Overwriting metadata and file content to prevent recovery.

• Forensic analysts counter these techniques by analyzing system logs, backup meta-
data, and journaling file systems.

Disk and File System Forensics Techniques

Several techniques are employed in disk and file system forensics to recover lost data,
track user activity, and ensure data integrity:

• Disk Imaging: Creating a bit-by-bit copy of a storage device to preserve evidence

and allow for forensic examination without altering original data.

• Metadata Analysis: Extracting information such as timestamps, file ownership,

and modification history to reconstruct digital timelines.

• File Carving: Recovering deleted or fragmented files by scanning for known file
signatures without relying on file system structures.

• Hash Verification: Using cryptographic hash functions (e.g., MD5, SHA-256) to

validate data integrity and detect unauthorized modifications.

• Timeline Reconstruction: Analyzing system logs, file metadata, and user activ-
ity to create a chronological sequence of events for forensic investigations.

These techniques help forensic investigators trace security breaches, retrieve lost data,
and identify unauthorized file modifications.

Best Practices for Hard Disk and File System Security

Implementing best practices for hard disk and file system security is essential to protect
sensitive data and prevent unauthorized access. Key security measures include:

• Regular Backups: Maintaining updated backups ensures data availability in case

of accidental deletion or system failure.

• Encryption: Using full-disk encryption (e.g., BitLocker, VeraCrypt) safeguards

confidential information from unauthorized access.

• Access Control: Implementing user permissions and authentication mechanisms

to restrict unauthorized data access.

9
 • Secure File Deletion: Overwriting deleted files with secure erase methods to
prevent recovery by forensic tools.

• Forensic Readiness: Preparing for forensic investigations by maintaining logs,

enabling auditing, and implementing security policies to detect potential threats.

By following these practices, organizations can enhance data protection, minimize

security risks, and ensure compliance with legal and regulatory standards.

10