
“What the File?!” – A Fun, Forensic Deep Dive Into Hard Disks and File Systems 💾
Studying for the Digital Forensics Essentials certification? Learn about disk drives, file systems, and how Windows, Linux, and macOS boot, store, and hide data.
TL;DR 🧠
Hard disks and file systems aren’t just where your memes and spreadsheets live—they’re the skeletons of every computer crime scene. In this module, you’ll learn about different types of disks, how data is organized, how operating systems boot up, and what you need to look for when examining files like a digital bloodhound. 🐾💻
Types of Disk Drives (or: Not All Drives Spin the Same)
Digital forensics 101: Before you examine a drive, know what kind of beast you’re dealing with.
🌀 HDD (Hard Disk Drive)
Mechanical.
Prone to failure, but cheap.
Stores data magnetically on spinning platters.
Great for cold storage... and retro whirring sounds.
⚡ SSD (Solid State Drive)
No moving parts = faster.
Stores data in flash memory.
Trickier in forensics: the TRIM command tells the controller which blocks are no longer in use, and the drive's own garbage collection can wipe them before you ever image it (thanks, tech overlords 😑).
☁️ Hybrid Drives & NVMe
SSHD: Hybrid of HDD and SSD—"best of both lags."
NVMe SSDs: Lightning-fast. Use PCIe lanes. Forensics nightmare if you blink too slow.
Pro tip from forensic expert Ovie Carroll (Director, DOJ Cybercrime Lab):
“Investigators must understand storage tech—especially SSDs. You can’t use old-school methods on new-school drives.”
📖 Carroll, Digital Forensics in the Real World, 2022

The Logical Structure of a Disk (a.k.a. Disk Anatomy 101 🧬)
Whether it's Windows or Linux, disks are split up like digital pie slices:
▪ Sector – Smallest addressable unit of a disk (usually 512 bytes).
▪ Cluster – Group of sectors used by file systems.
▪ Track & Cylinder – Legacy terms, still pop up during forensic imaging.
▪ Partition – Chunk of the disk dedicated to a file system.
▪ MBR/GPT – Partitioning schemes: where the disk records its partition layout (and, for MBR, the boot code):
MBR (Master Boot Record) – Limited, older, still common.
GPT (GUID Partition Table) – Modern, supports big drives.
How Operating Systems Boot Up (The Nerdy Morning Routine ☀️)
Knowing the boot process helps you spot shady startups and malware hangouts.
🪟 Windows Boot Process (NT family)
Power On > BIOS/UEFI
Bootmgr > BCD (Boot Configuration Data)
winload.exe loads kernel
ntoskrnl.exe = Windows kernel magic starts
🐧 Linux Boot Process
BIOS/UEFI > GRUB or LILO
Loads initrd/initramfs
Kernel kicks in
systemd or init manages userspace
🍏 macOS Boot Process
Power On > EFI firmware
Boot.efi loads macOS kernel (XNU)
launchd = main boss of macOS processes
Tip from SANS Forensics Instructor Rob Lee:
“The boot sequence is prime malware territory—if you’re not looking there, you’re missing where the bad guys hide early.”
📚 SANS DFIR Bootcamp Notes, 2023

File Systems: Windows vs. Linux vs. macOS (and Why It Matters in Forensics)
A file system decides how data is stored, indexed, and recovered. Know your systems = know where the digital skeletons are buried.
🪟 Windows – NTFS, FAT32, exFAT
NTFS: Journaling, permissions, hidden metadata galore.
FAT32: Simple, but weak on security. Still seen on USBs.
exFAT: Cross-platform darling. No journaling = forensics headache.
🐧 Linux – ext3, ext4, XFS, Btrfs
ext4: Default, supports journaling, timestamps, deleted file recovery.
Btrfs/XFS: Advanced features, snapshots, high complexity = high skill needed.
🍏 macOS – APFS, HFS+
APFS: Default on modern Macs. Snapshots, encryption, space sharing.
HFS+: Older, still shows up. Supports journaling.
File System Examination (Where You Go Full Cyber Sherlock 🔍)
This is where the rubber meets the forensic road.
Key Tools:
Autopsy/The Sleuth Kit – Visual file recovery and timeline.
FTK Imager – Disk imaging + preview.
EnCase – Industry gold standard.
Linux 'dd' + grep – Command-line power combo.
Look For:
Hidden partitions or volumes
Deleted files (they’re not really gone)
Alternate Data Streams (in NTFS—where malware likes to Netflix and chill)
Timestamps: created, modified, accessed. (Pro tip: if the access time is after the modify time… someone’s been messing around 👀)
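To tie the MBR layout from the disk anatomy section to the hunt for hidden partitions, here is an added example (not code from the original post or any of the tools above) that parses the first sector of a raw image, converts each partition's LBA start into the byte offset an imaging or carving tool needs, flags a protective-GPT entry, and lists the sector ranges no partition claims. The sector size and the sample MBR bytes are assumptions constructed for the demo.

```python
import struct

SECTOR_SIZE = 512  # assumed; Advanced Format drives use 4096-byte sectors

def parse_mbr(sector0: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Parse the four partition entries in a legacy MBR (first sector of a disk)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i : 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "start_lba": lba, "sectors": count,
            "byte_offset": lba * sector_size,  # where to point a carving/mount tool
        })
    # type 0xEE is the protective MBR of a GPT disk: the real table starts at LBA 1
    return {"partitions": parts, "protective_gpt": any(p["type"] == 0xEE for p in parts)}

def unallocated_ranges(parts: list, total_sectors: int) -> list:
    """Sector ranges (start, end_exclusive) that no partition claims: this is where
    a hidden or deleted partition can live. Sector 0 (the MBR itself) is excluded."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"]))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk): a bootable NTFS partition and a Linux
    partition, with an unclaimed region between them."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x83, 409600, 102400)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(f"slot {p['slot']} type 0x{p['type']:02X} offset {p['byte_offset']} bytes")
    print("unallocated sectors:", unallocated_ranges(info["partitions"], 1024000))
```

On a real image, feed `parse_mbr` the first 512 bytes of the file and pass the image's total sector count to `unallocated_ranges`; any gap larger than the usual alignment slack deserves a carving pass.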

TL;DR: “Disks Don’t Lie—But They Do Hide” 💡
Learn your disk types: HDD, SSD, NVMe = different forensic strategies.
Know the logical structure: MBR vs. GPT matters in imaging.
Understand how OSes boot so you can spot weird behavior.
File systems (NTFS, ext4, APFS) control how and where you dig.
Forensic tools and knowledge are your digital shovel. Dig smart.
Want More Forensic Fun That Doesn’t Feel Like Reading a VCR Manual?
Stick with us—we’ve got more EC-Council DFE breakdowns coming your way, from evidence handling to network investigations.
👉 Browse our whole DFE blog series and learn byte by byte.