Cheatography
https://cheatography.com
A revision guide to prepare for the Cyber Crimes and Digital Forensics Exam.
This is a draft cheat sheet. It is a work in progress and is not finished yet.
Draw and Label a HDD
A hard disk drive (HDD) is a magnetic storage device used for persistence data storage. |
Physical Components: |
- |
Platter: |
Circular disks coated with magnetic material where data is stored magnetically on both sides. |
- |
Heads: |
Read/write mechanisms (one for each side of each platter) that move across the platter surface to access data. Data is read from and written to both sides of the platter simultaneously. |
- |
Actuator Arms: |
Mechanical arms that move the heads to the correct radial position (cylinder) on the platters. |
- |
Spindle:: |
The central axis around which the platters rotate. |
- |
Cylinders |
A set of tracks on all platters that are at the same radial distance from the spindle. |
- |
Sectors: |
Pie-shaped divisions on a track that are the smallest unit of data storage, typically 512 bytes. |
Calculating CHS
Cylinders, Heads, Sectors (CHS): |
A method of addressing data on HDDs based on their physical structure |
Components involved: |
- |
Cylinders: |
Represents concentric tracks across all platter surfaces. |
| |
Heads: |
Correspond to each readable surface of a platter (two heads per platter). |
| |
Sectors: |
Wedge-like segments within a track that store data. |
Formula for calculating HDD capacity using CHS: |
- |
Cylinders x Heads x Sectors x Sector Size (512 bytes) = Total Bytes. |
Difference between Sectors and Clusters
Sectors: |
The smallest physical storage unit on a disk, with a fixed size, typically 512 bytes |
Clusters: |
The smallest logical unit of disk space that is allocated to hold a file by the file system. |
A cluster consists of one or more contiguous sectors |
File systems use clusters for efficiency in managing disk space, as they don't have to track every individual sector for file allocations |
The allocation unit size during formatting determines cluster size. |
Live files, Slack space, Unallocated space
Live files: |
Files that are currently present in the file system and accessible |
Slack space: |
The unused space within the last cluster allocated to a file. |
| |
Since files rarely perfectly fill a cluster, the remaining space might contain fragments of previously deleted files (drive slack) or remnants of data from RAM (RAM slack) |
Unallocated space: |
The portion of the hard drive that is not currently assigned to any file or partition. |
| |
When a file is "deleted," only its entry in the file system is removed, but the data often remains in the unallocated space until overwritten by new data. |
| |
This area can contain recoverable data from previously deleted files. |
|
|
|
|
|
