Digital Investigation Information Retrieval & Recovery

Digital storage media facilitate organized data storage and easy data retrieval. Hard disks are the most commonly used storage media; they store data by magnetizing a magnetic material in a pattern that represents the data. The most common experience with a volume system is installing Microsoft Windows and creating partitions on the hard disk.

The OS installer guides the user through creating logical partitions and finally presents the disk as drives or volumes in which the data is stored. The use of multiple disks has become more common nowadays, and volume management software is used to make multiple disks appear as one large disk.

During a digital investigation, it is common to acquire an entire disk image and import it into analysis tools. Many digital investigation tools automatically break the disk image into partitions, but sometimes they have problems, for example when partitions on the disk have been deleted or modified by the suspect, or when the tool simply cannot locate a partition. Understanding volume and partition layout is therefore an important and useful part of digital investigation. The procedures given here may also be useful when analyzing sectors that are not allocated to any partition.

Volume Concepts

A volume is a collection of addressable sectors that an operating system (OS) or application can use for data storage. A hard disk is an example of a volume whose sectors are consecutive. A volume may be a single unit or the result of assembling and merging smaller volumes.

A volume system involves two essential concepts:

  • Assembling multiple storage volumes into one storage volume.
  • Partitioning a large storage volume into independent partitions.

General Theory of Partitions

Generally, a partition is a collection of consecutive sectors in a volume. By definition, a partition is also a volume. Consider a Microsoft Windows system with one hard disk. The hard disk volume is partitioned into three smaller volumes, each of which has a file system. Windows assigns the names C, D, and E to these three volumes.

Partitions are used in many scenarios, including:

  • Some file systems have a maximum size that is smaller than the capacity of a hard disk.
  • Many laptops use a special partition to store memory contents when the system is put to sleep.
  • UNIX systems use different partitions for different directories to minimize the impact of file system corruption.
  • IA32-based systems that run multiple operating systems, such as Microsoft Windows and Linux, may require a separate partition for each operating system.

The purpose of a partition system is to organize the layout of a volume; therefore, the only essential data are the starting and ending locations of each partition. A partition system cannot serve its purpose if those values are corrupt or missing. All other fields, such as the type and description, are nonessential and could be false.

When the partition system structures are missing, the partition boundaries can sometimes be guessed from knowledge of what was stored inside the partition, much as property boundaries can be guessed from the landscape.
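The two points above, that only the start and end of each partition are essential while the type byte may be false, and that boundaries can be recovered from the content when the table is gone, can be shown on a tiny constructed disk image. The following Python is an added example and is not from the original text or any particular forensic tool. It builds a 64-sector image in memory (constructed sample data, not a real acquisition) with a classic MBR partition table and two partitions, one NTFS and one ext, and deliberately records the wrong type byte for the NTFS partition. It then reads the essential fields from the MBR, flags the false type byte by comparing it with the file system signature actually present, and finally wipes the partition table and recovers both partitions, including their end sectors, from the size fields inside the file system headers alone. The on-disk offsets used (MBR table at byte 446, 16-byte entries, boot signature 0x55AA; NTFS OEM ID at offset 3 and TotalSectors at offset 40; ext superblock at byte 1024 with block count at 4, log block size at 24 and magic 0xEF53 at 56) are the real layouts; everything else, including the function names, is the example's own.

```python
import struct

SECTOR = 512
PART_TYPE_NTFS = 0x07    # MBR type byte for NTFS/exFAT ("IFS")
PART_TYPE_LINUX = 0x83   # MBR type byte for a native Linux partition


def build_sample_disk():
    """Construct a 64-sector image with an MBR and two partitions (constructed data).

    The MBR labels partition 1 as type 0x83 (Linux) although its content is NTFS,
    which is the 'nonessential field could be false' case from the text.
    """
    disk = bytearray(64 * SECTOR)
    p1_start, p1_len = 8, 16     # NTFS partition
    p2_start, p2_len = 32, 16    # ext partition
    # NTFS boot sector: OEM ID "NTFS    " at offset 3, TotalSectors (8-byte LE) at offset 40.
    boot = p1_start * SECTOR
    disk[boot + 3:boot + 11] = b"NTFS    "
    disk[boot + 40:boot + 48] = struct.pack("<Q", p1_len)
    # ext superblock: 1024 bytes into the partition; s_blocks_count_lo at 4,
    # s_log_block_size at 24 (block size = 1024 << value), s_magic 0xEF53 at 56.
    sb = p2_start * SECTOR + 1024
    disk[sb + 4:sb + 8] = struct.pack("<I", p2_len * SECTOR // 1024)
    disk[sb + 24:sb + 28] = struct.pack("<I", 0)
    disk[sb + 56:sb + 58] = struct.pack("<H", 0xEF53)
    # Partition table: four 16-byte entries at byte 446; boot signature 0x55AA at 510.
    entries = [(0x80, PART_TYPE_LINUX, p1_start, p1_len),   # type deliberately wrong
               (0x00, PART_TYPE_LINUX, p2_start, p2_len)]
    for i, (status, ptype, start, length) in enumerate(entries):
        off = 446 + 16 * i
        # status, CHS start (3 bytes, unused here), type, CHS end (3 bytes), LBA start, sector count
        disk[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, length)
    disk[510:512] = b"\x55\xAA"
    return disk


def parse_mbr(disk):
    """Read the essential data (start/end LBA) plus the type byte from each used MBR slot."""
    if disk[510:512] != b"\x55\xAA":
        raise ValueError("MBR boot signature missing: partition table unusable")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs, ptype, _chs_end, start, length = struct.unpack("<B3sB3sII", disk[off:off + 16])
        if ptype == 0 or length == 0:
            continue                     # empty slot
        parts.append({"slot": i, "type": ptype, "start": start, "end": start + length - 1})
    return parts


def identify_fs(disk, lba):
    """Return (fs_name, sectors_claimed) if a file system header starts at `lba`, else None."""
    base = lba * SECTOR
    if len(disk) - base >= 48 and disk[base + 3:base + 11] == b"NTFS    ":
        total = struct.unpack("<Q", disk[base + 40:base + 48])[0]
        return ("ntfs", total)
    sb = base + 1024
    if disk[sb + 56:sb + 58] == b"\x53\xEF":            # 0xEF53 little-endian
        blocks = struct.unpack("<I", disk[sb + 4:sb + 8])[0]
        block_size = 1024 << struct.unpack("<I", disk[sb + 24:sb + 28])[0]
        return ("ext", blocks * block_size // SECTOR)
    return None


def carve_partitions(disk):
    """Recover partition boundaries from content alone, as when the table is missing.

    Scans every sector for a file-system header and uses the size recorded in that
    header to derive the end sector: guessing the boundary from what was stored inside.
    """
    found = []
    for lba in range(len(disk) // SECTOR):
        hit = identify_fs(disk, lba)
        if hit:
            fs, nsect = hit
            found.append({"fs": fs, "start": lba, "end": lba + nsect - 1})
    return found


def check_type_fields(disk, parts):
    """Flag MBR entries whose type byte disagrees with the file system actually present."""
    expected = {PART_TYPE_NTFS: "ntfs", PART_TYPE_LINUX: "ext"}
    mismatches = []
    for p in parts:
        hit = identify_fs(disk, p["start"])
        actual = hit[0] if hit else None
        if expected.get(p["type"]) != actual:
            mismatches.append((p["slot"], hex(p["type"]), actual))
    return mismatches


def demo():
    disk = build_sample_disk()
    parts = parse_mbr(disk)                 # essential data straight from the table
    mism = check_type_fields(disk, parts)   # the lying type byte shows up here
    wiped = bytearray(disk)
    wiped[446:512] = bytes(66)              # partition table and signature wiped
    carved = carve_partitions(wiped)        # boundaries recovered from content only
    return parts, mism, carved


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the block prints the parsed table entries (sectors 8-23 and 32-47), the mismatch for slot 0 (type 0x83 but NTFS content), and the same two ranges recovered after the table has been zeroed. On a real image the same scan would be run over every sector and candidates cross-checked against the disk size and each other, since a stale header from a previously deleted file system produces a candidate too.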