A hard disc, often known as a hard disc drive or a hard drive, is a computer’s magnetic storage medium. Hard discs are flat circular discs covered with a magnetic substance and constructed of aluminum or glass. Personal computer hard discs can store terabytes (billions of bytes) of data. Data is stored in circular tracks on their surfaces. A magnetic head is a miniature electromagnet that writes binary digits (1 or 0) on a spinning disc by magnetizing tiny spots in different orientations and reads digits by sensing the magnetization direction of the spots.
A hard drive in a computer is a device that consists of numerous hard discs, read/write heads, a drive motor to spin the discs, and some circuitry, all of which are enclosed in a metal case to protect the discs from dust. The term hard disc is used to refer to the entire internal data storage of a computer, in addition to the discs themselves. Beginning in the early twenty-first century, several personal computers and laptops were made with solid-state drives (SSDs), which store data using flash memory chips rather than hard discs.
The hard disc drive is still one of the most popular storage devices, and as a result, it is frequently used in digital investigations. Numerous documents, such as the Association of Chief Police Officers Guidelines in the United Kingdom and the Department of Justice, Prosecuting Computer Crimes guidelines in the United States, describe the best evidential practice and a wide range of techniques. These standards take hard drive media into account and offer best-practice processes and procedures for gathering and analyzing digital evidence. However, there is the potential for the various hard disc drive firmware implementations to be altered for malicious purposes in specific circumstances when a technically competent suspect has access to specialized data recovery hardware and software.
This gives the user the ability to hide information on the hard disc and put it beyond the reach of typical forensic tools and methodologies. These technologies, as well as any future kinds of malware, have the potential to damage the drive, making forensic analysis impossible. As a result, an investigator must be aware of some of the processes that can be used to recover data from a damaged disc drive, as well as the possibility for these techniques to be abused, allowing possible evidence to be hidden. This gives the investigator a better understanding of the forensic importance and impact of data recovery techniques.
Platters, voice coils, read/write heads, case, mountings, a motor, and a printed circuit controller board make up a hard disc drive. These come in a variety of sizes, the most common of which are the 3.5-inch and 2.5-inch discs found in desktop and laptop computers, respectively. The data storage area is made up of a stack of magnetically coated metal, ceramic, or glass platters. There is a separate armature and head assembly for each disc surface. A track is a single rotation of the disc at a specific radius. A cylinder is a set of tracks with the same radius for a set of surfaces.
The smallest addressable unit in the sector typically contains 512 bytes of data. The cylinder address (C), the Head (H), and the Sector (S) can all be used to find a specific sector address (S). The Logical Block Address (LBA) technique assigns a sequential number to each sector at a higher level of abstraction. Drives having a maximum capacity of roughly 2TB are now available from the major hard disc drive manufacturers. The capacity of the disc is lowered after it has been formatted and given a file system. The host computer’s operating system does not have access to all areas of the disc. There are sections of the drive that are used by the manufacturer to record data in addition to the user addressable space.
The Host Protected Area (HPA), which stores diagnostics and other tools required by the PC maker, and the Device Configuration Overlay (DCO), both of which can be found on a hard disc, are two examples. The Device Configuration Overlay (DCO) is similar to the HPA, but it is used by manufacturers to define drive sizes and can coexist with it. Carrier provides a great description of the HPA and DCO.
Seizure and Acquisition of Storage Devices
The first step is to seize the storage media to acquire digital evidence. This stage is carried out at the crime scene. Using a suitable cyber forensics program, a hash value of the storage media to be seized is computed in this phase. A hash value is a one-of-a-kind signature generated by a mathematical hashing algorithm based on the storage media’s content. The storage media is securely sealed and taken for further processing after the hash value is computed.
“Never work on original evidence,” is one of Cyber Forensics’ cardinal rules. To ensure that this criterion is followed, a replica of the original evidence must be generated for analysis and gathering of digital evidence. The process of making this precise copy, in which the source storage media is write-protected and bitstream copying is used to verify that all data is copied to the destination medium, is known as acquisition. In most cases, source media is acquired in a Cyber Forensics lab.
Authentication of the Evidence
In the Cyber Forensics laboratory, the evidence is authenticated. Both the source and destination media’s hash values will be compared to ensure that they are the same, ensuring that the destination media’s content is an identical replica of the source media.
Preservation of the Evidence
Electronic evidence can be tampered with or altered without leaving a trace. The original evidence should be stored in a secure location away from highly magnetic and radiation sources once it has been acquired and authenticated. Another copy of the image should be made and kept on acceptable media or in a dependable mass storage system. As a mass storage medium, optical media can be utilized. It is dependable, quick, has a longer life lifetime, and can be reused.
Verification and Analysis of the Evidence
If data recovery products are found to be useful, the following suggestions are made: To begin, assuming that the hard disc drive is in good working order and that access to the user data is possible, a standard image of the drive should be taken as a baseline for further analysis. Due to normal wear and tear, all hard disc drives will have valid bad sectors; these bad sectors will activate reserved space, and data will be remapped to this area. Because the data at specific LBA locations is likely to change over time, an alternative copy cannot be assured.
As a result, obtaining a baseline image to work from is required first; otherwise, additional firmware alterations will block access to the reserve area and associated data, resulting in the loss of potentially valuable evidence. Second, once a baseline picture has been established, the investigator should use data recovery tools and procedures to remove the contents of the dynamic defect list, the G-list, and re-aligning all of the original LBA values to their CHS counterparts. After the realignment has been done successfully, the hard disc drive must read parameters be changed to allow the drive to read from all sectors in more time.
If this is not changed, the disc may have difficulty reading the sector and mark it as unsuccessful, resulting in no data being acquired. This is important because malicious users may go to great lengths to hide data not only in physical sectors not accessible by the disc but also in legitimate failing locations, such that even if the defect Glist was re-set, the data would still be unavailable due to the default drive read time configuration.
Reporting the findings
The type of examination required by a court or investigation body should be reflected in the case analysis report. It should include the following information: the nature of the case, the examination requested, the material objects and hash values, the outcome of evidence verification, the analysis conducted and digital evidence obtained, the examiner’s observations, and the conclusion. Non-technical people should be able to understand the substance of the report if it is presented in simple language and a detailed manner.
Documentation
Every step of the Cyber Forensics procedure necessitates meticulous documentation. To make a case admissible in a court of law, everything should be properly documented. Documentation should begin with the planning of a case investigation and continue through the search of the crime scene, the seizure of material objects, chain of custody, authentication, and acquisition of evidence, verification and analysis of evidence, collection of digital evidence, and reporting, material object preservation, and case closure.
