CyberCode Academy

Course 36 - Windows Forensics and Tools | Episode 2: Windows Forensic Imaging and Drive Nomenclature


In this lesson, you’ll learn about: Windows forensic imaging and data structure fundamentals.

1. What is Forensic Imaging?

  • A bit-by-bit, sector-by-sector copy of a storage device
  • Captures everything, not just visible files

🔹 What it Includes

  • Active files and folders
  • Deleted files
  • Unallocated space
  • Slack space

👉 Key Difference:

  • Not a backup → it is an exact forensic replica

2. Why Forensic Imaging Matters

  • Preserves original evidence
  • Prevents modification of:
    • File timestamps
    • Metadata

👉 Legal Importance:

  • Required for court-admissible investigations

3. Physical vs Logical Drives (Windows Naming)

🔹 Physical Drives

  • Identified as:
    • Disk 0
    • Disk 1
  • Represent actual hardware

🔹 Logical Drives

  • Represent partitions using letters:
    • C:
    • D:
    • E:

👉 Analogy:

  • Physical disk → entire cabinet
  • Logical drives → drawers inside the cabinet

🔹 Historical Note

  • A: and B: reserved for floppy disks

4. File System Hierarchy

🔹 Structure Levels

  1. Volume (highest level)
  2. Partition
  3. Directory (folder)
  4. File

🔹 File Definition

  • A logical grouping of related data

👉 Key Insight:

  • Understanding hierarchy helps in locating and analyzing evidence

5. Processes and Threads (Execution Basics)

  • Process → running program
  • Thread → smallest execution unit within a process

👉 Why it matters:

  • Helps track:
    • Program execution
    • Malicious activity

6. Data Integrity & Verification

🔹 Hashing Concept

  • Generate a unique fingerprint for data

🔹 Algorithm Example

  • MD5 hash

🔹 Key Properties

  • Same file → same hash
  • Rename file → hash unchanged
  • Change 1 bit → completely different hash

👉 Use Case:

  • Verify forensic image integrity

7. Chain of Trust in Forensics

  • Acquire image → generate hash
  • Analyze copy → compare hash again

👉 Goal:

  • Ensure no tampering occurred
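The hashing properties from section 6 and the acquire → hash → analyze → re-hash chain from section 7, as an added example that is not part of the episode notes. It hashes a constructed stand-in for a disk image (not a real acquisition) in chunks, shows that renaming leaves the hash unchanged, and shows that flipping a single bit breaks verification; the file names and the `verify_image` helper are assumptions for the demo.

```python
import hashlib
import os
import tempfile


def hash_file(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so a multi-GB image never sits in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, acquisition_hash: str, algorithm: str = "md5") -> bool:
    """Re-hash the image after analysis and compare with the hash recorded at acquisition."""
    return hash_file(path, algorithm) == acquisition_hash.lower()


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Copy of data with exactly one bit flipped (models a minimal tampering/corruption)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def demo() -> dict:
    """Walk the Disk -> Image -> Hash -> Analyze -> Verify model on a constructed sample."""
    sample = b"MBR" + bytes(range(256)) * 8      # constructed stand-in for sector data
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk0.dd")       # assumed image file name
        with open(image, "wb") as f:
            f.write(sample)
        acquired = hash_file(image)                 # hash recorded at acquisition time
        renamed = os.path.join(tmp, "evidence_copy.dd")
        os.rename(image, renamed)                   # rename only: content untouched
        same_after_rename = verify_image(renamed, acquired)
        with open(renamed, "wb") as f:
            f.write(flip_one_bit(sample))           # tamper: a single bit differs
        after_tamper = hash_file(renamed)
        still_valid = verify_image(renamed, acquired)
    return {
        "acquired": acquired,                       # 32 hex chars for MD5
        "same_after_rename": same_after_rename,     # True
        "after_tamper": after_tamper,               # completely different digest
        "still_valid": still_valid,                 # False
    }


if __name__ == "__main__":
    print(demo())
```

Pass `algorithm="sha256"` to record a second digest alongside MD5, which is how imaging tools commonly document an acquisition.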

Key Takeaways

  • Forensic imaging captures complete disk data, including hidden content
  • Physical and logical drives represent different abstraction layers
  • File systems follow a structured hierarchy
  • Hashing ensures data integrity and authenticity
  • Even a tiny change in data invalidates evidence

Big Picture

Forensic imaging helps you:

👉 Move from raw disk → verified evidence copy

Mental Model

  • Disk → Image → Hash → Analyze → Verify



You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

The podcast and the associated cover image on this page belong to CyberCode Academy. The content of the podcast is created by CyberCode Academy and not by, or together with, Poddtoppen.