8.7 Summary



Digital investigators require a basic understanding of how computers operate and how data are stored on media. A failure to understand and control the boot process can result in changes being made to an evidentiary hard drive. To recover data, digital investigators must know how data are arranged on a disk. To analyze data, digital investigators must know how to view them and interpret them. Details of the collection, recovery, and analysis of digital evidence are elaborated on in the next chapter.

Observing the life of a file is an illustrative way to summarize some of the important concepts presented in this chapter. When a program instructs the operating system to create a file, the first step is to find an available space on the disk where the data can be stored. The file system serves this purpose, reserving the necessary clusters. Then the read/write heads of the hard drive are moved to the proper track and, when the disk spins to the correct sector, a binary representation of the data is created by altering the surface of the disk. When the file is deleted, the space is unallocated: the file system is updated to indicate that the clusters are available for new data. However, until these clusters are reused, the original data remain. Even when one of the clusters is reused, some of the original data will remain in file slack space.
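The life of a file described above can be traced in a toy model. This is an added example, not code from the book; `ToyDisk`, the 16-byte `CLUSTER_SIZE`, and the file names and contents are constructed for illustration and do not model any real file system.

```python
# Toy model (constructed): a "disk" of fixed-size clusters plus an allocation map.
CLUSTER_SIZE = 16  # bytes; real clusters are typically several kilobytes

class ToyDisk:
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER_SIZE)  # raw media contents
        self.allocated = [False] * clusters             # file system bookkeeping
        self.files = {}                                 # name -> (clusters, size)

    def create(self, name, content):
        """Reserve the first free clusters and write content into them."""
        if not content:
            raise ValueError("empty files are not modelled")
        needed = -(-len(content) // CLUSTER_SIZE)       # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, c in enumerate(free):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.data[start:start + len(chunk)] = chunk  # rest of cluster untouched
            self.allocated[c] = True
        self.files[name] = (free, len(content))

    def delete(self, name):
        """Only the bookkeeping changes; the cluster contents stay on the media."""
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def unallocated(self):
        """Raw bytes of every cluster currently marked as available."""
        return b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c, used in enumerate(self.allocated) if not used)

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        used = size - (len(clusters) - 1) * CLUSTER_SIZE
        start = clusters[-1] * CLUSTER_SIZE
        return bytes(self.data[start + used:start + CLUSTER_SIZE])

def demo():
    disk = ToyDisk(clusters=4)
    disk.create("old.txt", b"account=4471;pin=0000;note=secret")  # 33 bytes, 3 clusters
    disk.delete("old.txt")
    recoverable = disk.unallocated()       # deleted data still fully present
    disk.create("new.txt", b"hello")       # reuses cluster 0, fills 5 of 16 bytes
    return recoverable, disk.slack("new.txt"), disk.unallocated()
```

After deletion the whole file is still readable from unallocated space; after the first cluster is reused, a fragment of the old file survives in the new file's slack and the remainder stays in the clusters that have not yet been reused.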




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
