We started small, in fact very small . . . bits and bytes small, in Part 1, explaining the origins of data and progressing onward, addressing concepts related to data storage, boot records and partitions and how each of these are interrelated and essential in the understanding of the process and methodology of a cyber-forensic investigation.
Part 2 of this series on the introduction to cyber forensics, continues on with our examination of the progression of data onto actual digital evidence by providing a comprehensive examination and discussion of the science of cyber forensic investigations, what is happening behind the scenes to data and why, what to look for and where to find it.
While still focusing on an understandable presentation of often technical concepts, Part 2 examines further advanced topics of a cyber-forensic investigation, including; volume versus partition, cylinder, head, sector, and Logical Block Addressing, File Systems, FAT 12/16 and NTFS and the File Allocation Table (FAT).
After completing this course, participants will be able to:
- Communicate an understanding of volumes and partitions as they relate to investigating digital evidence.
- Recognize the difference as well as the relationship between cylinder, head and sector, and role of Logical Block Addressing.
- Differentiate between FAT 12/16 and NTFS file systems.
- Explain how a cluster size is determined.
- Validate the functionality, operation and relevance, to a cyber-forensic investigation, of the master file table.
- Identify significant concepts related to alternative filing systems.