![]()
Chapter 1
Computer Hardware
EnCE Exam Topics Covered in This Chapter:
- Computer hardware components
- The boot process
- Partitions
- File systems
Computer forensics examiners deal most often with the media on which evidentiary data is stored. This includes, but is not limited to, hard drives, CDs, DVDs, flash memory devices, smart phones, tablets, and even legacy floppies and tapes. Although these devices might be the bane of the examinerâs existence, media devices donât exist in a void, and knowledge of a computerâs various components and functions is a must for the competent examiner.
As an examiner, you may be called upon to explain how a computer functions to a jury. Doing so requires you know a computerâs function from a technical standpoint and that you can translate those technical concepts into real-world, easy-to-understand terms.
As an examiner, you may also be subjected to a voir dire examination by opposing counsel to challenge your competence to testify. Acronyms are hardly in short supply in the field of computingâsome well-known and meaningful, others more obscure. Imagine being asked during such an examination to explain several of the common acronyms used with computers, such as RAM, CMOS, SCSI, BIOS, and POST. If you were to draw a blank on some obscure or even common acronym, picture its impact on your credibility.
You may encounter problems with a computer system under examination or with your own forensic platform. Troubleshooting and configuration require knowledge of the underlying fundamentals if you are to be successful.
Thus, the purpose of this chapter is to provide you with a solid understanding of the various components of a computer and show how a single spark of electricity brings those otherwise dead components to life through a process known as booting the computer. In addition, youâll learn about the drive partitions and file systems used by computer systems.
Computer Hardware Components
Every profession has, at its core, a group of terms and knowledge that is shared and understood by its practitioners. Computer forensics is certainly no exception. In this section, I discuss the various terms used to describe a computerâs components and systems.
Case The case, or chassis, is usually metal, and it surrounds, contains, and supports the computer system components. It shields electrical interference (both directions) and provides protection from dust, moisture, and direct-impact damage to the internal components. It is sometimes erroneously called the central processing unit (CPU), which it is not.
Read-Only Memory (ROM) This is a form of memory that can hold data permanently, or nearly so, by virtue of its property of being impossible or difficult to change or write. Another important property of ROM is that it is nonvolatile, meaning the data remains when the system is powered off. Having these properties (read-only and nonvolatile) makes ROM ideal for files containing start-up configuration settings and code needed to boot the computer (ROM BIOS).
Random Access Memory (RAM) A computerâs main memory is its temporary workspace for storing data, code, settings, and so forth. It has come to be called RAM because it exists as a bank of memory chips that can be randomly accessed. Before chips, tape was the primary media, and accessing tape wasâand still isâa slow, linear or sequential process. With the advent of chips and media on drives (both floppy and hard drives), data could be accessed randomly and directly and therefore with much greater speed. Hence, random access memory was the name initially given to this type of memory to differentiate from its tape predecessor. Today most memory can be accessed randomly, and the termâs original functional meaning, differentiating it from tape, has been lost to history. What distinguishes RAM from ROM, among other properties, is the property known as volatility. RAM is usually volatile memory, meaning that upon losing power, the data stored in memory is lost. ROM, by contrast, is nonvolatile memory, meaning the data remains when the power is off. It is important to note, however, that there are nonvolatile forms of RAM memory known as nonvolatile random access memory (NVRAM), and thus you should not be quick to assume that all RAM is nonvolatile.
start feature
The computer forensic examiner, more often than not, encounters computers that have been shut down, seized, and delivered for examination. Important information in RAM (the computerâs volatile memory) is lost when the computerâs plug is pulled. All is not lost, however, because this data is often written to the hard drive in a file called the swap file. This swap file, in its default configuration, can grow and shrink in most Microsoft Windows systems, which means this data can be in the swap file itself, as well as in unallocated clusters and in file slack as the swap file is resized. Unallocated clusters and file slack are areas containing data that is no longer in an allocated file. Iâll cover them in detail in Chapter 2. Whatâs more, if the computer was in the hibernate mode, the entire contents of RAM are written to a file named hiberfil.sys so that the contents of RAM can be restored from disk. In fact, the system can be restored in the time it takes to read the hiberfil.sys file into RAM. It should be no surprise to learn that the hiberfil.sys file is the same size as the systemâs RAM memory size!
end feature Power Supply The power supply transforms supply voltage (120VAC or 240VAC) to voltages and current flows required by the various system components. DC voltages of 3.3 volts, 5 volts, and 12 volts are provided on a power supply for an ATX form factor motherboard.
start feature
The standard molex power connector used frequently by examiners has four wires providing two different voltages (yellow = 12VDC+, black = ground, black = ground, red = 5VDC+).
end feature Motherboard or Mainboard This component is the largest printed circuit card within the computer case. It is mounted on âstand-offsâ to raise it above the case, providing a space for airflow and preventing contact or grounding of the printed circuits with the case. The motherboard typically contains the following: the CPU socket, BIOS, CMOS, CMOS battery, Real-Time Clock (RTC), RAM memory slots, Integrated Drive Electronics (IDE) controllers, Serial Advanced Technology Attachment (SATA) controllers, Universal Serial Bus (USB) controllers, floppy disk controllers, Accelerated Graphics Port (AGP) or Peripheral Component Interconnect (PCI) Express video slots, PCI or PCI Express expansion slots, and so forth. Many features that once required separate expansion cards are now offered onboard, such as Small Computer System Interface (SCSI) controllers, network interface (Gigabit Ethernet and wireless), video, sound, and FireWire (1394a and b).
Microprocessor or CPU The brains of the unit, the CPU is a massive array of transistors arranged in microscopic layers. The CPU performs data processing, or interprets and executes instructions. Accordingly, most of the computerâs function and instructions are carried out in this unit. Modern processors generate enormous amounts of heat, and quickly and efficiently eliminating heat is essential to both the function and survival of the component.
Heat Sink and Fan At the very least, a heat sink and fan will be attached to the CPU to keep it cool. The heat sink interfaces directly with the CPU (or other heat-generating chip), usually with a thermal compound sandwiched between. The heat sink consists of a high-thermal conductance material whose job it is to draw the heat from the chip and to dissipate that heat energy into the surrounding air (with the assistance of the fan, with an array of cooling fins). Some high-end platforms will have thermal solutions (heat sinks and fans) mounted to RAM memory, chipsets, hard drives, and video cards. Water-cooling systems are becoming more popular with gamers. Use caution working around these systems because water and electricity are usually at odds; therefore, damage to systems can occur.
Hard Drive This is the main storage media for most computer systems; it holds the boot files, operating system files, programs, and data. It consists of a series of hard thin platters revolving at speeds ranging from 4,800 to 15,000 revolutions per minute (RPM). These platters (which are magnetized) are accessed by heads moving across their surfaces as they spin. The heads can read or write, detecting or creating microscopic changes in polarity, with positive changes being 1s and negative changes being 0sâwhich is why we refer to the binary system of â1s and 0s.â
Hard drive platters have an addressing scheme so that the various locations where data is stored can be located for reads and writes. Originally this addressing scheme involved the CHS system (C = Cylinder, H = Head, and S = Sector). A sector is the smallest amount of space on a drive that can be written to at a time. A sector contains 512 bytes that can be used by the operating system. Each side of the platter is formatted with a series of concentric circles known as tracks. Sectors are contained in the tracks, and originally each track contains the same number of sectors. A cylinder is a logical construct; it is a point on all the platters where the heads align along a vertical axis passing through the same sector number on all the platters. There are two heads for each platter, one for each side (side 0 and side 1). Depending on the number of platters present, the heads will be numbered. To determine the number of bytes present on a hard drive, a formula is used: C n H n S n 512 = total storage bytes. The C is the total number of cylinders, the H is the total number of heads, the S is the number of sectors per track, and 512 is a constant that represents the number of bytes in a sector usable by the operating system (OS).
This formula holds true as long as the number of sectors per track remains the same for all tracks, which applies to older, lower-capacity hard drives. This system, however, has limitations for hard drive storage capacity. The limitations reflect how densely populated (sectors per track) the inner tracks are. The outer tracks, by contrast, can always hold more data...
