So I've been intending to do this for the last few days but haven't had the chance until now. This post is going to cover a very basic introduction to how computers work along with some links to more specific information related to file system types. Now let's get started.
The first area we want to talk about is hardware. What are the main components of a computer and what do they do?
Main-board or Motherboard
-- The motherboard is exactly what it sounds like. It is usually the largest circuit board in the computer, and all of the other components are connected to it. It allows and moderates the communication between all of the devices that are connected to it. On a forensic level the motherboard contains one very important piece of data: the BIOS (which stands for Basic Input/Output System). The BIOS is important to the forensic examiner for a few reasons. The primary BIOS features that are important to us are the Boot Order and the Time Zone information.
The Boot Order may be important to a forensic exam if it identifies which hard drive is the default device the computer looks at during boot up. It is possible to have two separate hard drives in one computer. Each of those hard drives could have an independent operating system (Windows, Mac OS X, or Linux) installed on it. If that is the case, the default boot device will most likely contain the primary operating system being used. (This is assuming the operator is not an absolute shade tree trying to confuse or trick you into believing something that is false.)
The time zone information (and the primary system time) stored in the BIOS is very important to any investigation that involves multiple users or any case in which the timeline is going to be relevant.
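The following is an added example, not code from the original post, showing why the recorded clock and time zone matter once events from more than one machine go into a single timeline. It assumes the examiner noted each machine's BIOS clock reading next to a trusted reference clock and knows its UTC offset; the host names, times and event descriptions are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

def clock_skew(bios_reading, reference_utc, utc_offset_hours):
    """Return how far the machine's clock runs ahead (+) or behind (-) of true time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    bios_utc = bios_reading.replace(tzinfo=tz).astimezone(timezone.utc)
    return bios_utc - reference_utc

def to_true_utc(local_stamp, utc_offset_hours, skew):
    """Convert a timestamp written in the machine's local time to corrected UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local_stamp.replace(tzinfo=tz).astimezone(timezone.utc) - skew

def build_timeline(machines, events):
    """Normalize every event to corrected UTC and sort into one timeline."""
    rows = []
    for host, stamp, what in events:
        m = machines[host]
        skew = clock_skew(m["bios_reading"], m["reference_utc"], m["utc_offset"])
        rows.append((to_true_utc(stamp, m["utc_offset"], skew), host, what))
    return sorted(rows)

# Constructed acquisition notes. Fixed UTC offsets are an assumption here;
# a real case must also account for daylight saving rules.
MACHINES = {
    "PC-A": {"utc_offset": -5,
             "bios_reading": datetime(2024, 3, 1, 9, 7),   # clock is 7 minutes fast
             "reference_utc": datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc)},
    "PC-B": {"utc_offset": -8,
             "bios_reading": datetime(2024, 3, 1, 6, 30),  # clock is accurate
             "reference_utc": datetime(2024, 3, 1, 14, 30, tzinfo=timezone.utc)},
}

# Constructed events, stamped in each machine's own local time.
EVENTS = [
    ("PC-B", datetime(2024, 2, 28, 13, 1), "document opened"),
    ("PC-A", datetime(2024, 2, 28, 16, 5), "document copied to USB"),
]

if __name__ == "__main__":
    # As written on disk, PC-B's event looks earlier; after correction PC-A's is first.
    for when, host, what in build_timeline(MACHINES, EVENTS):
        print(when.isoformat(), host, what)
```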
Hard Drive/Hard Disk
-- The hard drive is usually the most important part of a forensic examination. It is what stores a computer's operating system and user data. This is where the important data of an investigation is going to be located. Hard drives come in many sizes and connection types. The most common hard drive sizes are 3.5, 2.5, and even 1.8 inches. The most common connections are SATA (Serial ATA) and ATA (sometimes called IDE). Hard drives are slow but can hold very large amounts of data even when they don't have access to power. They are the long term storage for the computer. Hard drives are most often a series of magnetic disks, but over the past few years more and more hard drives are being made of NAND Flash memory with no moving parts and less power consumption. These newer drives are called Solid State Drives.
Central Processing Unit (CPU)
-- The Central Processing Unit or CPU is the brain of the computer. It is what completes all of the computations that the computer must complete. Almost all information must pass through the CPU before being displayed on your computer's screen.
Random Access Memory (RAM or Memory)
-- Random Access Memory is the short term memory of the computer and is made up of flash memory similar to a USB thumb drive. This memory acts as a buffer between the hard drive and processor. It connects to a very fast channel on the motherboard, allowing it to move large amounts of data quickly. RAM takes data that is being held on the hard drive and holds it until the processor calls for the data. This allows the processor to receive that data almost immediately. After the data has been processed it is returned to the RAM. Then, when the hard drive is available to receive that data, it is written back to the hard drive's memory. RAM may be important to a forensic examiner, but if the computer is powered off RAM will not hold any data because it cannot hold any information without a power source.
There are more components including but not limited to graphics card, sound card, and network card. All of these components are important but not important to computer forensics on a basic level. My next post will be on basic forensic procedure, primarily the imaging of hard drives.