Part 1 of 5

Storage Media Fundamentals

🕑 150-180 minutes 📖 Intermediate Level 📋 Module 4

Introduction

Understanding storage media at a fundamental level is essential for digital forensics practitioners. This knowledge allows you to understand where data resides, how it can be recovered, and what forensic artifacts may be present on different types of storage devices.

📚 Learning Objectives

By the end of this part, you will understand the physical and logical architecture of HDDs and SSDs, recognize the forensic implications of different storage technologies, comprehend RAID configurations and their impact on forensic acquisition, and identify common storage interfaces and their characteristics.

Hard Disk Drive (HDD) Architecture

Hard disk drives have been the primary storage medium for decades. Understanding their physical structure is crucial for forensic analysis, especially when dealing with damaged drives or advanced recovery techniques.

Physical Components

An HDD consists of several precision-engineered components working together:

[Figure: HDD platter and read/write head structure, labelling the magnetic platter, data tracks, spindle motor and read/write head]

Platters

Platters are circular disks coated with a magnetic material where data is stored. Modern drives contain multiple platters stacked on a spindle, with each platter having two surfaces for data storage. The platters spin at constant speeds, typically 5,400 RPM, 7,200 RPM, or 10,000+ RPM for enterprise drives.

Read/Write Heads

Each platter surface has its own read/write head mounted on an actuator arm. These heads float nanometers above the platter surface on a cushion of air. The head assembly moves across the platter to access different tracks.

Spindle Motor

The spindle motor rotates the platters at a constant speed. The rotational speed directly impacts data transfer rates and access times.

Logical Structure

The logical organization of data on an HDD follows a hierarchical structure:

  • Tracks: Concentric circles on a platter surface where data is written
  • Sectors: The smallest addressable unit on a disk. Traditionally 512 bytes; Advanced Format drives use 4,096-byte physical sectors, but most of them still present 512-byte logical sectors to the host (512e), while 4Kn drives expose 4,096-byte logical sectors. LBAs and partition offsets are counted in logical sectors, so record both sizes for every drive you image
  • Clusters: Groups of sectors that the file system uses as the minimum allocation unit; the unused tail of a file's last cluster (file slack) keeps whatever previously occupied those sectors
  • Cylinders: The collection of tracks at the same radial position on all platter surfaces

🔍 Forensic Significance

When files are deleted on an HDD, only the file system's metadata and allocation records are updated - the sector contents remain on the platters until overwritten. This is why deleted file recovery is often successful on HDDs. Claims that overwritten data can be recovered from residual magnetisation (the rationale behind multi-pass wiping) do not hold for modern high-density drives; NIST SP 800-88 treats a single overwrite pass as sufficient to clear an ATA drive. What does survive an overwrite is data in sectors the drive has remapped as bad: the original sector keeps its content but is no longer addressable through the normal LBA space, and reaching it requires vendor-level access to the drive.

CHS vs LBA Addressing

Historical drives used CHS (Cylinder-Head-Sector) addressing, which directly referenced physical locations. Modern drives use LBA (Logical Block Addressing), which provides a linear address space abstracted from physical geometry.

Addressing mode | Description | Forensic relevance
--------------- | ----------- | ------------------
CHS | Cylinder-Head-Sector; names a physical position on the platters (legacy) | MBR partition entries still carry CHS start/end fields; they are meaningless beyond the 8 GiB CHS limit and are usually set to a fixed maximum value on modern drives
LBA | Linear sector numbering from 0, independent of physical geometry (LBA28 on old ATA, LBA48 on modern ATA, 64-bit on SCSI and NVMe) | Standard for forensic imaging; partition tables and image offsets are expressed in LBAs of the drive's logical sector size
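A worked example of the two addressing schemes, added for this module (it is not code from the page or from any forensic tool): it converts between CHS and LBA using the 255-head / 63-sectors-per-track logical geometry that BIOSes and partitioning tools assume for LBA-era drives, decodes the packed CHS fields of an MBR partition entry, and cross-checks them against the entry's LBA start. The 16-byte partition entry is constructed for the example.

```python
"""CHS/LBA arithmetic and MBR partition-entry decoding (added example)."""
import struct

HEADS_PER_CYL = 255     # legacy logical geometry assumed by MBR tools
SECTORS_PER_TRACK = 63


def chs_to_lba(cyl, head, sector, heads=HEADS_PER_CYL, spt=SECTORS_PER_TRACK):
    """CHS sectors are numbered from 1, hence the (sector - 1)."""
    if sector < 1:
        raise ValueError("CHS sector numbers start at 1")
    return (cyl * heads + head) * spt + (sector - 1)


def lba_to_chs(lba, heads=HEADS_PER_CYL, spt=SECTORS_PER_TRACK):
    cyl = lba // (heads * spt)
    head = (lba // spt) % heads
    sector = lba % spt + 1
    return cyl, head, sector


def decode_mbr_chs(b):
    """Unpack the 3-byte CHS field of an MBR entry: byte 0 = head,
    byte 1 = sector (bits 0-5) + cylinder bits 8-9 (bits 6-7),
    byte 2 = cylinder bits 0-7."""
    head = b[0]
    sector = b[1] & 0x3F
    cyl = ((b[1] & 0xC0) << 2) | b[2]
    return cyl, head, sector


def parse_mbr_entry(entry):
    """Parse one 16-byte MBR partition table entry."""
    if len(entry) != 16:
        raise ValueError("MBR partition entries are 16 bytes")
    status, chs_start, ptype, chs_end, lba_start, n_sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "chs_start": decode_mbr_chs(chs_start),
        "chs_end": decode_mbr_chs(chs_end),
        "lba_start": lba_start,
        "sectors": n_sectors,
    }


def lba_to_byte_offset(lba, logical_sector_size=512):
    """Byte offset of an LBA in a raw image. Partition-table LBAs count the
    drive's logical sectors: 512 on 512n and 512e drives, 4096 on 4Kn."""
    return lba * logical_sector_size


# Constructed sample: bootable NTFS (type 0x07) partition starting at
# CHS (0,1,1) / LBA 63, 2,097,152 sectors long. The CHS end field is the
# 0xFE 0xFF 0xFF "maximum" value tools write once the geometry exceeds CHS range.
SAMPLE_ENTRY = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
                + struct.pack("<II", 63, 2097152))


def check_entry(entry=SAMPLE_ENTRY):
    """Cross-check the CHS start field against the LBA start field; a
    mismatch points at a hand-edited or non-standard partition table."""
    p = parse_mbr_entry(entry)
    p["chs_start_as_lba"] = chs_to_lba(*p["chs_start"])
    p["chs_matches_lba"] = p["chs_start_as_lba"] == p["lba_start"]
    p["byte_offset_512"] = lba_to_byte_offset(p["lba_start"], 512)
    p["byte_offset_4kn"] = lba_to_byte_offset(p["lba_start"], 4096)
    return p
```

On a real image, read the 16-byte entries at offsets 446, 462, 478 and 494 of sector 0 and feed them to `check_entry`; the two byte offsets illustrate why the same partition table places a partition at different positions in the image depending on the drive's logical sector size.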

Solid State Drive (SSD) Technology

SSDs have become increasingly common and present unique challenges for digital forensics due to their fundamentally different architecture and data management mechanisms.

SSD Architecture Overview
Host Interface (SATA/NVMe)
SSD Controller
Wear Leveling | TRIM | ECC
NAND 1
NAND 2
NAND 3
NAND 4
NAND 5
NAND 6
NAND 7
NAND 8

NAND Flash Memory

SSDs store data in NAND flash memory cells. Unlike HDDs, there are no moving parts. A cell stores data as electric charge held in its transistor: in a floating gate on older planar NAND, or in a charge-trap layer on most current 3D NAND.

Types of NAND Flash

  • SLC (Single-Level Cell): 1 bit per cell, highest durability and speed, most expensive
  • MLC (Multi-Level Cell): 2 bits per cell, good balance of performance and cost
  • TLC (Triple-Level Cell): 3 bits per cell, lower cost, reduced endurance
  • QLC (Quad-Level Cell): 4 bits per cell, highest density, lowest endurance

SSD Controller Functions

The SSD controller is a critical component that manages all data operations:

Wear Leveling

NAND cells have a limited number of program/erase cycles before they degrade. Wear leveling distributes writes evenly across all cells to extend drive lifespan. The controller keeps the LBA-to-physical mapping in its flash translation layer (FTL), so the physical location of an LBA changes with every write and the operating system never sees where its data actually resides.

TRIM Command

TRIM (the ATA DATA SET MANAGEMENT command; UNMAP on SCSI, Deallocate on NVMe) lets the operating system tell the SSD which LBAs are no longer in use. The controller unmaps them and can erase the underlying blocks proactively, making them ready for new writes. This significantly complicates forensic recovery.

Critical Forensic Implication

TRIM effectively destroys deleted data. When a file is deleted on an SSD with TRIM enabled, the operating system tells the controller that the file's LBAs are unused. Two things follow: the controller unmaps the LBAs, and on drives that implement deterministic read after TRIM (DRAT/DZAT) any later host read of those LBAs returns zeros immediately, whatever the flash still holds; then garbage collection erases the physical pages, typically within seconds to minutes of the deletion. Unlike an HDD, where deleted data persists until overwritten, the data is gone from the host's view at once and from the flash shortly after. Whether TRIM is actually sent depends on the OS, file system and connection (Windows 7 and later and Linux with discard mounts or fstrim send it; some USB bridges do not pass it through), so establish this per device rather than assuming.

Garbage Collection

SSDs cannot overwrite data directly - they must first erase entire blocks. Garbage collection consolidates valid data and erases blocks containing only invalid data, further complicating forensic analysis.

Over-Provisioning

SSDs reserve a portion of their raw capacity (typically 7-28%) for controller operations. This hidden area holds mapping tables, spare blocks and stale copies of user data awaiting garbage collection, but it is not addressable from the host; reaching it means bypassing the controller (chip-off of the NAND packages or vendor service-mode commands).
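The four controller mechanisms above interact, and the forensic consequence is easiest to see by stepping one LBA through them. The following toy flash translation layer is an added example for this module, not any vendor's firmware: the geometry (4 blocks of 4 pages, 16-byte pages, 12 user LBAs with 4 pages of over-provisioning) and the allocation, TRIM and garbage-collection policies are deliberate simplifications. It shows that an overwrite leaves the old copy in a stale page, that a TRIMmed LBA reads as zeros from the host while the page still holds the bytes, and that garbage collection later erases them so that even a raw NAND dump no longer contains the data.

```python
"""Toy FTL: wear leveling, TRIM, garbage collection and over-provisioning
as seen by the host and by a raw NAND dump (added example, simplified)."""

PAGE_SIZE = 16
PAGES_PER_BLOCK = 4
BLOCKS = 4
USER_LBAS = 12                    # 16 physical pages minus 4 over-provisioned
ERASED = b"\xff" * PAGE_SIZE      # erased NAND reads as all ones


class ToySSD:
    def __init__(self):
        n = BLOCKS * PAGES_PER_BLOCK
        self.nand = [ERASED] * n          # physical page contents
        self.programmed = [False] * n     # written since the last block erase
        self.valid = [False] * n          # holds the current copy of some LBA
        self.l2p = {}                     # LBA -> physical page; absent = unmapped
        self.erase_count = [0] * BLOCKS

    def _block(self, page):
        return page // PAGES_PER_BLOCK

    def _free_pages(self, exclude=None):
        return [p for p in range(len(self.nand))
                if not self.programmed[p] and self._block(p) != exclude]

    def _alloc(self, exclude=None):
        """Wear leveling: take a free page from the least-erased block."""
        return min(self._free_pages(exclude),
                   key=lambda p: (self.erase_count[self._block(p)], p))

    def _erase(self, b):
        for p in range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK):
            self.nand[p], self.programmed[p], self.valid[p] = ERASED, False, False
        self.erase_count[b] += 1

    def _gc(self):
        """Reclaim stale pages until more than one block's worth is free.
        Victim: a block holding stale pages, preferring the fewest valid ones."""
        while len(self._free_pages()) <= PAGES_PER_BLOCK:
            candidates = []
            for b in range(BLOCKS):
                pages = range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK)
                stale = sum(self.programmed[p] and not self.valid[p] for p in pages)
                if stale:
                    candidates.append((sum(self.valid[p] for p in pages), b))
            if not candidates:
                return
            victim = min(candidates)[1]
            for p in range(victim * PAGES_PER_BLOCK, (victim + 1) * PAGES_PER_BLOCK):
                if self.valid[p]:                          # relocate live data first
                    lba = next(l for l, q in self.l2p.items() if q == p)
                    dst = self._alloc(exclude=victim)
                    self.nand[dst] = self.nand[p]
                    self.programmed[dst] = self.valid[dst] = True
                    self.l2p[lba] = dst
            self._erase(victim)                            # stale copies gone for good

    def write(self, lba, data):
        """Out-of-place update: the old copy is marked stale, not erased."""
        if not (0 <= lba < USER_LBAS) or len(data) != PAGE_SIZE:
            raise ValueError("bad LBA or page size")
        if lba in self.l2p:
            self.valid[self.l2p[lba]] = False
        self._gc()
        p = self._alloc()
        self.nand[p] = bytes(data)
        self.programmed[p] = self.valid[p] = True
        self.l2p[lba] = p

    def read(self, lba):
        """Unmapped LBAs read as zeros (deterministic zero after TRIM)."""
        return self.nand[self.l2p[lba]] if lba in self.l2p else bytes(PAGE_SIZE)

    def trim(self, lba):
        """TRIM only unmaps; the page keeps its bytes until GC erases the block."""
        if lba in self.l2p:
            self.valid[self.l2p.pop(lba)] = False

    def raw_pages_containing(self, needle):
        """What a chip-off / raw NAND read finds, ignoring the mapping tables."""
        return [p for p, page in enumerate(self.nand) if needle in page]


def demo():
    """Walk one LBA through write, overwrite, TRIM and garbage collection."""
    ssd = ToySSD()
    secret = b"CONFIDENTIAL-001"              # constructed 16-byte payload
    ssd.write(5, secret)
    first = ssd.l2p[5]
    ssd.write(5, b"revised-version1")         # new page; old copy becomes stale
    second = ssd.l2p[5]
    ssd.trim(5)                               # file deleted, OS sends TRIM
    host_view = ssd.read(5)
    remnants_after_trim = ssd.raw_pages_containing(secret)
    for i in range(40):                       # activity on other LBAs drives GC
        ssd.write(i % USER_LBAS if i % USER_LBAS != 5 else 0, bytes([i]) * PAGE_SIZE)
    remnants_after_gc = ssd.raw_pages_containing(secret)
    return {"first_page": first, "second_page": second,
            "host_read_after_trim": host_view,
            "raw_pages_with_secret_after_trim": remnants_after_trim,
            "raw_pages_with_secret_after_gc": remnants_after_gc,
            "erase_counts": ssd.erase_count}
```

The window between `trim()` and the garbage-collection erase is the only time a chip-off or controller-bypass read can still recover the original bytes; a host-side read through the interface never sees them once the LBA is unmapped, which is why write-blocking the host does not freeze an SSD's contents.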

SSD vs HDD Forensic Comparison

Aspect | HDD | SSD
------ | --- | ---
Deleted file recovery | Often successful until the sectors are overwritten | Unreliable: TRIM unmaps the LBAs and garbage collection erases the pages
Data location | Fixed LBA-to-physical mapping (apart from sectors the drive has reallocated) | Remapped continuously by the controller's FTL; an LBA's physical location changes with every write
Write blocking | Standard hardware blockers suffice | Blockers stop host writes (TRIM included), but the controller's own garbage collection keeps running whenever the drive is powered, so two images of the same SSD may not hash identically
Hidden areas | HPA, DCO, service area | Over-provisioned space and stale pages, reachable only via chip-off or vendor/controller-level access
Imaging speed | Limited by seek time and rotational speed | Limited by the interface (SATA/NVMe); much faster

RAID Systems

RAID (Redundant Array of Independent Disks) combines multiple physical drives into a single logical unit for performance, redundancy, or both. Forensic acquisition of RAID arrays requires understanding the specific configuration.

RAID 0 (Striping)

Chunks A1, A2, ... alternate across the member drives. No redundancy: losing one drive loses the whole volume. Fast; usable capacity is the sum of the members.

RAID 1 (Mirroring)

Every block A is written identically to both members. Full redundancy; usable capacity is that of a single drive (50% of two). Each member alone is a complete copy of the volume.

RAID 5 (Parity)

Data chunks A1, A2 and their parity chunk Ap (the XOR of the data chunks) are striped across the members, with parity landing on a different drive in each stripe. Tolerates one drive failure; usable capacity is n-1 drives.

RAID 6

Like RAID 5 but with two independent parity chunks per stripe, Ap and Aq. Tolerates two drive failures; usable capacity is n-2 drives, and at least four members are needed.

Forensic Acquisition of RAID

There are two primary approaches to acquiring RAID arrays:

Physical Acquisition

  • Image each drive individually
  • Reconstruct the array in forensic software
  • Requires knowledge of RAID configuration (level, stripe size, disk order)
  • Preferred method as it captures all data including metadata

Logical Acquisition

  • Image the RAID volume as presented by the controller
  • Simpler but may miss hidden areas
  • Requires working RAID controller
  • May be only option for hardware RAID without access to individual drives
💡 RAID Configuration Documentation

When encountering a RAID system, document: RAID level, number of drives, stripe (chunk) size (commonly 64 KB to 512 KB; mdadm defaults to 512 KB), disk order, parity rotation (for RAID 5/6), any start offset, and controller type (hardware/software). This information is critical for reconstruction. Check BIOS/UEFI settings, controller configuration utilities, and any labels on the system. For Linux software RAID, mdadm --examine on each member image prints the level, chunk size, member role and array UUID from the on-disk superblock, which removes most of the guesswork.
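A worked reconstruction, added for this module and not code from the page or any forensic suite: it reassembles a RAID 0 and a RAID 5 volume from per-member images, rebuilds one missing RAID 5 member from XOR parity, and runs a parity-alignment check. The RAID 5 layout implemented is left-symmetric (the Linux md default: parity walks from the last member towards the first, data chunks start on the member after parity); hardware controllers may use a different rotation or a start offset, which this code does not model. The member images are constructed in memory, and `chunk` is the chunk size in bytes that `mdadm --examine` reports as "Chunk Size".

```python
"""RAID 0 / RAID 5 (left-symmetric) reassembly from member images (added example)."""
from functools import reduce


def xor_bytes(chunks):
    """XOR equal-length byte strings (RAID 5 parity)."""
    return bytes(reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks))


def raid5_layout(stripe, ndisks):
    """(parity_member, [member holding data chunk 0, chunk 1, ...]) for a stripe."""
    parity = (ndisks - 1 - stripe) % ndisks
    data = [(parity + 1 + j) % ndisks for j in range(ndisks - 1)]
    return parity, data


def raid0_build(volume, chunk, ndisks):
    """Split a logical volume into RAID 0 member images (test-data helper)."""
    disks = [bytearray() for _ in range(ndisks)]
    for i in range(0, len(volume), chunk):
        disks[(i // chunk) % ndisks] += volume[i:i + chunk]
    return [bytes(d) for d in disks]


def raid0_assemble(disks, chunk):
    out = bytearray()
    for s in range(len(disks[0]) // chunk):
        for d in disks:
            out += d[s * chunk:(s + 1) * chunk]
    return bytes(out)


def raid5_build(volume, chunk, ndisks):
    """Split a logical volume into RAID 5 member images with parity (test-data helper)."""
    stripe_bytes = chunk * (ndisks - 1)
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(volume) // stripe_bytes):
        parity, data = raid5_layout(s, ndisks)
        base = s * stripe_bytes
        chunks = [volume[base + j * chunk:base + (j + 1) * chunk] for j in range(ndisks - 1)]
        pieces = dict(zip(data, chunks))
        pieces[parity] = xor_bytes(chunks)
        for i in range(ndisks):
            disks[i] += pieces[i]
    return [bytes(d) for d in disks]


def raid5_assemble(disks, chunk, missing=None):
    """Rebuild the logical volume. `disks` is in controller slot order; pass the
    slot index of an absent member as `missing` (its entry may be None) and its
    chunks are regenerated as the XOR of the surviving members in each stripe."""
    n = len(disks)
    ref = next(i for i in range(n) if i != missing)
    out = bytearray()
    for s in range(len(disks[ref]) // chunk):
        seg = {i: disks[i][s * chunk:(s + 1) * chunk] for i in range(n) if i != missing}
        if missing is not None:
            seg[missing] = xor_bytes(list(seg.values()))
        parity, data = raid5_layout(s, n)
        for d in data:
            out += seg[d]
    return bytes(out)


def raid5_parity_consistent(disks, chunk):
    """Every stripe of a correctly aligned RAID 5 set XORs to zero regardless of
    member order, so this checks stripe alignment and offset, not disk order."""
    zero = bytes(chunk)
    return all(xor_bytes([d[s * chunk:(s + 1) * chunk] for d in disks]) == zero
               for s in range(len(disks[0]) // chunk))


def demo(chunk=64):
    """Constructed 3-member RAID 5 and 2-member RAID 0 round trips."""
    # constructed volume: 12 labelled chunks = 6 RAID 5 stripes of 2 data chunks
    volume = b"".join(f"chunk{i:02d}".encode().ljust(chunk, b".") for i in range(12))
    members = raid5_build(volume, chunk, 3)
    results = {
        "parity_ok": raid5_parity_consistent(members, chunk),
        "full": raid5_assemble(members, chunk) == volume,
        "rebuilt_missing_1": raid5_assemble([members[0], None, members[2]], chunk, missing=1) == volume,
        "raid0": raid0_assemble(raid0_build(volume, chunk, 2), chunk) == volume,
    }
    # wrong member order corrupts the data while parity still checks out:
    # order must come from controller metadata or file-system structures
    swapped = [members[1], members[0], members[2]]
    results["swapped_parity_ok"] = raid5_parity_consistent(swapped, chunk)
    results["swapped_data_ok"] = raid5_assemble(swapped, chunk) == volume
    return volume, members, results
```

The `swapped` case is the practical lesson: a parity check only proves the images belong together and are aligned; the member order and the parity rotation still have to be confirmed from mdadm superblocks, controller metadata or a recognisable file-system structure (an NTFS boot sector or MFT entry landing on a chunk boundary, for example) before the reassembled volume is trusted.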

Storage Interfaces

Understanding storage interfaces is important for proper forensic acquisition and selecting appropriate write blockers.

Common Interfaces

Interface | Max speed | Common use | Forensic notes
--------- | --------- | ---------- | --------------
SATA III | 6 Gbps | Desktop/laptop HDDs and SSDs | Most common; well supported by hardware write blockers
SAS | 12 Gbps (SAS-3) | Enterprise servers | Requires a SAS-capable blocker; SATA drives work on SAS ports, but SAS drives do not work on SATA ports
NVMe (PCIe) | ~32 Gbps (PCIe 3.0 x4), ~64 Gbps (PCIe 4.0 x4) | Modern SSDs | Fewer blocker options; very fast imaging
USB 3.0/3.1 | 5/10 Gbps | External drives | The USB-to-SATA bridge may not pass ATA commands through, so HPA/DCO detection, SMART data and TRIM behave differently from a native connection; image the bare drive when possible
IDE/PATA | 133 MB/s (Ultra ATA/133) | Legacy systems | Still found in older evidence; needs PATA blockers or adapters, and 2.5" PATA drives use a different connector from 3.5" ones

Form Factors

  • 3.5": Desktop HDDs, requires 12V + 5V power
  • 2.5": Laptop drives, SSDs, 5V power only
  • M.2: Modern SSDs, various key types (B, M, B+M). M-keyed sockets usually carry PCIe x4 (NVMe); B-keyed sockets carry SATA or PCIe x2. A B+M edge connector fits either socket, but the drive still only speaks its own protocol, so fit does not imply function
  • mSATA: Older compact SSDs
🔍 Interface Identification

Always verify the interface type before connecting evidence drives. An M.2 NVMe drive in an M.2 slot wired only for SATA (or an M.2 SATA drive in an NVMe-only slot) will not be detected, and an M.2 card keyed to fit both sockets can still be the wrong protocol for the slot. Check the key notch position, the drive label (NVMe/PCIe versus SATA) and the blocker or adapter documentation when uncertain.

Hidden Disk Areas

Modern drives contain areas that may not be visible through normal access but can contain valuable forensic evidence.

Host Protected Area (HPA)

HPA is a reserved area at the end of the drive's LBA range that is hidden from the operating system: the drive reports a lower maximum LBA than it natively supports. Originally used for diagnostic tools and recovery partitions, it can also be used to hide data. On Linux, hdparm -N reports the current and native maximum sector counts; if they differ, an HPA is set. Removing it to image the full range changes the drive's configuration, so record both values before and after and restore the original setting afterwards.

Device Configuration Overlay (DCO)

DCO can modify the drive's reported capacity and feature set. It can hide an HPA and make a drive appear smaller than its actual size, and because the DCO reduces the "native" maximum that hdparm -N reports, a drive can look HPA-free while still being truncated. On Linux, hdparm --dco-identify reports the real maximum sector count; compare it with the native value from hdparm -N. DCO detection should be done before imaging, and any change to the DCO must be documented.

Service Area (SA)

Also known as the negative sectors or system area, the SA contains firmware and drive configuration data. Accessing this area typically requires specialized equipment and is usually only relevant in advanced data recovery scenarios.

Always Check Hidden Areas

Before imaging any drive, use appropriate tools to detect HPA and DCO. If these areas exist, they should be included in the forensic image. Failure to capture hidden areas could mean missing critical evidence.
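A worked check for the procedure above, added for this module and not part of hdparm or any forensic suite: it parses the sector counts from `hdparm -N` and `hdparm --dco-identify` output and sizes the HPA and DCO regions so they can be included in the image. Both sample outputs are constructed; their line formats follow what those hdparm commands print in my experience, which is an assumption to check against the hdparm version on your imaging host. The 512-byte sector size is likewise assumed and should be read from hdparm -I for the actual drive.

```python
"""HPA/DCO detection from hdparm output and sizing of hidden areas (added example)."""
import re

SECTOR = 512   # assumed logical sector size; read the real value from hdparm -I

# Constructed output of `hdparm -N /dev/sdX` on a drive with an HPA set
SAMPLE_HDPARM_N = """/dev/sdX:
 max sectors   = 1953523168/1953525168, HPA is enabled
"""

# Constructed output of `hdparm --dco-identify /dev/sdX` with a DCO also set
SAMPLE_DCO = """DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
    Transfer modes:
         udma0 udma1 udma2 udma3 udma4 udma5 udma6
    Real max sectors: 1953529264
    ATA command/feature sets:
         security HPA
"""


def parse_hdparm_n(text):
    """Return (current_max, native_max) sector counts from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line: drive may not support HPA "
                         "or is behind a bridge that hides ATA commands")
    return int(m.group(1)), int(m.group(2))


def parse_dco_identify(text):
    """Return the DCO 'Real max sectors' value, or None if the line is absent."""
    m = re.search(r"Real max sectors:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def hidden_areas(current_max, native_max, real_max=None, sector=SECTOR):
    """Size the hidden regions. The values are sector counts; LBAs start at 0,
    so an n-sector region ends at LBA n-1."""
    if current_max > native_max or (real_max is not None and native_max > real_max):
        raise ValueError("inconsistent capacities: verify tool output before imaging")
    hpa = native_max - current_max
    dco = (real_max - native_max) if real_max is not None else 0
    full = real_max if real_max is not None else native_max
    return {
        "hpa_present": hpa > 0,
        "hpa_sectors": hpa,
        "hpa_range": (current_max, native_max - 1) if hpa else None,
        "dco_present": dco > 0,
        "dco_sectors": dco,
        "dco_range": (native_max, real_max - 1) if dco else None,
        "visible_bytes": current_max * sector,
        "full_bytes": full * sector,
        "hidden_bytes": (hpa + dco) * sector,
    }


def assess(hdparm_n_output=SAMPLE_HDPARM_N, dco_output=SAMPLE_DCO):
    """Combine both tools' output into one report for the acquisition notes."""
    current, native = parse_hdparm_n(hdparm_n_output)
    real = parse_dco_identify(dco_output)
    return hidden_areas(current, native, real)
```

If the report shows hidden sectors, the full range can only be imaged after temporarily exposing it (hdparm --dco-restore for the DCO, hdparm -N for the HPA), which alters the drive's configuration: record the before and after values from both commands in the acquisition notes and restore the original settings once the image is verified.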

📚 Key Takeaways
  • HDDs store data magnetically on spinning platters; deleted data often remains until overwritten
  • SSDs use NAND flash and have TRIM/garbage collection that can destroy deleted data quickly
  • SSD wear leveling means data location is abstracted from what the OS sees
  • RAID forensics requires understanding configuration for proper reconstruction
  • Different interfaces require different write blockers and acquisition approaches
  • Always check for HPA and DCO before imaging - hidden areas may contain evidence
  • Document all drive details: make, model, serial number, capacity, and interface