→How it works: explained most typical procedure for use of the forensic disk controller
A disk controller that caches writes in memory presents the drive to the operating system as writable, and uses that memory to make the operating system see its own changes to the individual sectors it attempted to overwrite. It does this by serving a sector from the disk if the operating system has not tried to change it, and serving the changed version from memory for any sector that has been written. The method is transparent to, and compatible with, all operating systems, and it guarantees that when the device is powered off the disk is still in its original, unchanged state. The operating system's view of the drive lasts only as long as the drive is mounted or powered on, and since none of the writes were wanted in the first place, losing the contents of the change buffer has no adverse consequence.
The most typical way a forensic disk controller is used is to create an image file of a hard drive. In this scenario the entire contents of the drive are copied into a single regular file - for example, a 250GB hard drive becomes a 250GB regular file (before considering compression). Imaging is usually done on an operating system such as Linux, which natively tolerates read-only hard disks - something Windows does not handle well. Once the whole drive has been captured as a regular file, the physical drive itself is locked away, and the image file can then be examined independently on any platform (including Windows) with a hex editor or a utility designed specifically for navigating file systems encapsulated within files (e.g. ''WinHex'' or ''DiskExplorer'').
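As an added illustration, not code from the article, here is a small Python model of the copy-on-write sector overlay described above, with the imaging step run through it so the image hash can be checked against the untouched device. The class name, the 512-byte sector size and the 8-sector sample device are constructed for this example.

```python
import hashlib

SECTOR = 512  # assumed sector size for the model

# Constructed sample device: 8 sectors, sector i filled with byte value i.
EVIDENCE = b"".join(bytes([i]) * SECTOR for i in range(8))


class WriteBlockingController:
    """Models a caching forensic controller: the device bytes are never
    modified; writes go to an in-memory overlay keyed by sector number
    and disappear on power-off, exactly as the text describes."""

    def __init__(self, device: bytes):
        if len(device) % SECTOR:
            raise ValueError("device size must be a multiple of SECTOR")
        self._device = device   # bytes is immutable: the evidence cannot change
        self._overlay = {}      # sector number -> bytes written by the OS

    @property
    def sector_count(self) -> int:
        return len(self._device) // SECTOR

    def read_sector(self, n: int) -> bytes:
        """Serve the overlay copy if the OS 'changed' this sector, else the original."""
        if not 0 <= n < self.sector_count:
            raise IndexError(n)
        if n in self._overlay:
            return self._overlay[n]
        return self._device[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n: int, data: bytes) -> None:
        """Accept the write so the OS sees it succeed, but keep it in memory only."""
        if len(data) != SECTOR:
            raise ValueError("sector-sized writes only")
        if not 0 <= n < self.sector_count:
            raise IndexError(n)
        self._overlay[n] = bytes(data)

    def power_off(self) -> None:
        """Discard the change buffer; the drive is back in its original state."""
        self._overlay.clear()

    def image(self) -> bytes:
        """Read every sector through the controller, as an imaging tool would."""
        return b"".join(self.read_sector(i) for i in range(self.sector_count))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Image, let the 'OS' overwrite sector 3, power off, image again."""
    ctl = WriteBlockingController(EVIDENCE)
    before = sha256(ctl.image())
    ctl.write_sector(3, b"\xff" * SECTOR)   # the OS believes sector 3 changed
    during = sha256(ctl.image())            # its view of the drive now differs
    ctl.power_off()                          # change buffer lost with power
    after = sha256(ctl.image())             # device hash is back to the original
    return {"os_view_changed": before != during, "original_intact": before == after}
```

Hashing the image before and after the simulated session is the same check an examiner performs against the acquisition hash to show the evidence was not altered.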
==References==