Chapter 15
Computer Basics for Digital Investigators
On completion of this chapter, the student will:
Be aware of the process that occurs when a computer boots.
Recognize how data is stored on magnetic media.
Recognize the significance of file formats.
Be aware of how file carving affects recovered data.
A basic understanding of how computers operate and how data is stored is a fundamental skill
for forensic examiners. This includes understanding and controlling the boot process, recovering
data, and analyzing data.
Multiple Choice Questions
1. How many bytes are in a kilobyte?
2.
3. The storage capacity of a hard drive with 256 heads, 63 sectors, and 1024 cylinders is:
4. What can you do to determine the number of sectors on a hard drive larger than 8GB?
5. The first sector of a hard disk contains a:
6. The first sector of a volume contains a:
7. File slack space is:
8. Unallocated space is:
9. Encrypted data can be recovered using which of the following methods?
10. Which encryption scheme is weakest?
11. On Intel-based computers, system date and time information is maintained in:
12. Solaris computers store data in:
13. Which of the following are limitations to salvaging data through data carving?
14. The boot sector in a FAT volume contains all of the following information EXCEPT:
15. In NTFS, an example of a file system feature that can be used to conceal data is:
True or False Questions
1. The ENIAC was the first digital computer.
2. By default, computers will boot from a floppy disk if one is present in the system.
3.
4. Hard drive settings stored in a computer
accurate.
5. The POST verifies that all of the com functioning properly.
6. The BIOS can be password protected.
7. The Macintosh Open Firmware can be instructed to boot from a CD-ROM by holding
8. The Sun OpenBoot PROM can be inte
9. Although storage media come in many forms, hard disks are the richest sources of digital
evidence on computers.
10. Digital forensics examiners do not need to be concerned about the distinction between
little-endian and big-endian representations because automated tools make the necessary
translation.
11. Unicode can represent more characters than ASCII.
13. Many digital forensics laboratories have the capability to recover overwritten data from a
hard drive.
14. A sector is composed of multiple clusters.
15. The number of sectors on any hard drive is calculated by multiplying its CHS values.
Discussion Questions
1. Describe the main steps that your computer takes during the boot process from the time you press
the power switch to the first appearance of the operating system. Why is this important to a
forensic examiner?
2. What type of computer do you have and how do you interrupt the boot process to display the
3. List four of the most important CMOS settings of your computer. List two CMOS settings that
4. What is the ASCII representation of the binary data
Answer guidance: Break this string of binary data into 8-bit segments and determine the ASCII
equivalent of each 8-bit segment as shown here (it may help you to convert to hexadecimal first):
0100 0011 = 43 = C
0110 1111 = 6F = o
0111 0010 = 72 = r
5. What is the ASCII representation of this hexadecimal data:
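The conversion asked for in discussion questions 4 and 5, as an added example that is not part of the chapter: a small Python decoder that splits a run of binary digits into 8-bit segments, shows the hexadecimal value of each, and maps it to ASCII, producing the same three-column layout as the answer guidance. It also accepts hexadecimal input directly, refuses a string whose length is not a whole number of bytes, and renders control bytes and anything above 0x7F as "." (the hex-viewer convention) rather than dropping them. The "Cor" sample is the constructed input from the guidance above.

```python
def bits_to_bytes(bit_string):
    """Turn a string of 0/1 digits (spaces and newlines allowed) into bytes,
    8 bits at a time. A trailing partial byte is an error, not silently padded."""
    bits = "".join(bit_string.split())
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("input must contain only 0 and 1 digits")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def hex_to_bytes(hex_string):
    """Hex byte pairs, with or without separating whitespace
    (bytes.fromhex skips ASCII whitespace between pairs)."""
    return bytes.fromhex(hex_string)


def ascii_char(value):
    """Printable 7-bit ASCII as itself; control bytes and anything >= 0x80 as '.',
    so non-text bytes stay visible in the output instead of vanishing."""
    return chr(value) if 0x20 <= value < 0x7F else "."


def ascii_table(data):
    """One (binary, hex, ASCII) row per byte: the three columns of the answer guidance."""
    return [(format(b, "08b"), format(b, "02X"), ascii_char(b)) for b in data]


def decode_ascii(data):
    """The ASCII string for a byte sequence, with non-printables shown as '.'."""
    return "".join(ascii_char(b) for b in data)


if __name__ == "__main__":
    # Constructed sample: the 'Cor' bytes from the answer guidance.
    sample_bits = "0100 0011 0110 1111 0111 0010"
    for binary, hexa, ch in ascii_table(bits_to_bytes(sample_bits)):
        print(f"{binary[:4]} {binary[4:]} = {hexa} = {ch}")
```

Converting to hexadecimal first, as the guidance suggests, is what ascii_table does for you: each 8-bit segment becomes two hex digits, and the hex value is what an ASCII table is indexed by.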
6. What is the storage capacity of a hard drive with 64 heads, 63 sectors, and 787 cylinders?
7. Where is the partition table located on a hard drive, and what does it contain?
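The CHS arithmetic of multiple-choice question 3, true/false question 15 and discussion question 6, together with the partition table of discussion question 7, as an added Python example that is not part of the chapter. It parses a master boot record (the first sector of the disk: boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature), unpacks the little-endian LBA fields, decodes the packed 3-byte CHS fields, and cross-checks CHS against LBA using the standard translation LBA = (C x HPC + H) x SPT + (S - 1). The sample sector is constructed for this example, not taken from a real disk, and the geometry of 255 heads and 63 sectors per track used for the translation is an assumption (the MBR itself does not record it). The capacity function gives the number from question 3, which is also the CHS ceiling: drives larger than that cannot be sized by multiplying CHS values and are addressed by LBA instead, which is why the sample partition's end CHS carries the FE FF FF sentinel.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446      # 4 entries x 16 bytes follow the boot code
CHS_SENTINEL = (1023, 254, 63)    # bytes FE FF FF: "address lies beyond CHS range"

# Assumed geometry for CHS <-> LBA translation (an assumption for this example;
# typical BIOS LBA-assist values, not something the MBR records).
HEADS_PER_CYLINDER = 255
SECTORS_PER_TRACK = 63


def chs_capacity_bytes(cylinders, heads, sectors_per_track, sector_size=SECTOR_SIZE):
    """Capacity implied by a CHS geometry. Meaningful only up to the CHS ceiling
    of 1024 x 256 x 63 x 512 = 8,455,716,864 bytes; larger drives are sized by LBA."""
    return cylinders * heads * sectors_per_track * sector_size


def chs_to_lba(cylinder, head, sector, heads=HEADS_PER_CYLINDER, spt=SECTORS_PER_TRACK):
    """Standard CHS -> LBA translation. Sectors are numbered from 1, hence the -1."""
    return (cylinder * heads + head) * spt + (sector - 1)


def decode_chs(raw):
    """Unpack a 3-byte packed CHS field: byte0 = head, byte1 bits 0-5 = sector,
    byte1 bits 6-7 = cylinder bits 8-9, byte2 = cylinder bits 0-7."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the non-empty partition entries of one 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # '<' = little-endian: a start LBA of 63 is stored on disk as 3F 00 00 00.
        status, start_raw, ptype, end_raw, start_lba, num_sectors = struct.unpack(
            "<B3sB3sII", sector[offset:offset + 16])
        if ptype == 0:
            continue                      # empty slot
        start_chs = decode_chs(start_raw)
        end_chs = decode_chs(end_raw)
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,                # 0x07 = NTFS/exFAT, 0x0B/0x0C = FAT32, 0x83 = Linux
            "start_chs": start_chs,
            "end_chs": end_chs,
            "start_lba": start_lba,
            "end_lba": start_lba + num_sectors - 1,
            "sectors": num_sectors,
            "bytes": num_sectors * SECTOR_SIZE,
            # Does the CHS start translate to the LBA start under the assumed geometry?
            "start_chs_matches_lba": chs_to_lba(*start_chs) == start_lba,
            # True when the entry marks its end as beyond CHS range (FE FF FF).
            "end_beyond_chs": end_chs == CHS_SENTINEL,
        })
    return entries


def _entry(status, start_chs_raw, ptype, end_chs_raw, start_lba, num_sectors):
    return struct.pack("<B3sB3sII", status, start_chs_raw, ptype, end_chs_raw,
                       start_lba, num_sectors)


# Constructed sample MBR (not a real disk image): zeroed boot code, one bootable
# NTFS (0x07) partition starting at CHS (0,1,1) = LBA 63 and spanning 16,777,216
# sectors (8 GiB), so its end lies past the CHS ceiling and is marked FE FF FF.
SAMPLE_MBR = (
    bytes(PARTITION_TABLE_OFFSET)
    + _entry(0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 16_777_216)
    + bytes(16 * 3)
    + MBR_SIGNATURE
)

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
    print(chs_capacity_bytes(1024, 256, 63))   # 8455716864: the CHS ceiling (MC question 3)
    print(chs_capacity_bytes(787, 64, 63))     # 1624670208 (discussion question 6)
```

On a real image the same parser would be run on the first 512 bytes of the drive; a mismatch between the CHS and LBA start fields, or a missing signature, is worth noting in the examination record rather than silently trusting one of the two values.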
8. How do you remove data from a hard drive to prevent it from being recovered (e.g., delete
partition table, reformat drive, delete files)?
9. What is file slack and why is it important to digital investigators?