Chapter 01

Computer Hardware & Operating Systems


Before you can investigate a crime on a computer, you need to understand what is inside it — and what each part stores. This chapter covers hardware components, the boot sequence, and the file systems every digital examiner must recognise cold.

1.1 Motherboard, Processor & Memory

The motherboard is the main circuit board inside every computer. Every other component — the CPU, RAM, storage, graphics card — plugs into or sits on top of it. Think of it as the city's road network: nothing moves without it.

The CPU (Central Processing Unit) executes every instruction the computer runs. Its speed is measured in gigahertz (GHz) — a 3 GHz CPU can attempt roughly three billion basic operations per second. Modern CPUs have multiple cores, each acting as an independent processor. Each core has its own fast memory called cache (L1 is smallest and fastest; L2 and L3 are larger but slower), which holds the data the CPU is actively working on so it does not have to reach out to the slower RAM on every instruction.

RAM (Random Access Memory) is the computer's working memory — like a whiteboard. The CPU writes whatever it is actively processing to RAM. RAM is volatile: when power is cut, everything on the whiteboard is wiped instantly. For a digital examiner this is critical. If you simply pull the power plug on a running machine, you lose running processes, open network connections, encryption keys held in memory, and any data the user was working on but had not yet saved to disk. A live memory dump — capturing RAM to an image while the machine is still running — preserves that evidence before shutdown.

The ROM/BIOS chip (Read-Only Memory) holds the computer's firmware — the lowest-level software that starts the machine before any operating system loads. Unlike RAM, ROM is non-volatile: its contents survive power-off.

Volatile vs Non-Volatile Memory

Volatile memory (RAM) requires continuous power to retain data. Non-volatile memory (ROM, hard disks, SSDs, flash drives) retains data without power. The distinction determines the seizure order: capture volatile evidence first, before the machine is powered down.

Fig 1.1 Motherboard block diagram — CPU with cache, RAM slots, ROM/BIOS chip, storage connectors, PCIe expansion slots, and chipset.
Blocks shown in the figure: CPU (L1 / L2 / L3 cache, clock, cores); RAM (volatile, DDR4 / DDR5); ROM / BIOS (non-volatile firmware); chipset / PCH (I/O control, bus); storage (SATA / NVMe / USB; HDD, SSD, flash); PCIe slots (GPU, NIC, sound, capture); power (ATX 24-pin, CPU 8-pin).

1.2 Storage Devices

Storage is where persistent evidence lives. Unlike RAM, storage devices keep their data after power is removed — but not all storage is equal when it comes to forensic recovery.

Hard Disk Drives (HDD) store data on spinning magnetic platters. A read/write head floats just above the surface and magnetises tiny areas to record binary data. Data is organised into sectors (traditionally 512 bytes; modern drives use 4 096-byte "Advanced Format" sectors) and groups of sectors called clusters. When a file is too large for one cluster, the OS spreads it across multiple clusters — sometimes non-contiguous ones. This fragmentation leaves a trail: even after a file is "deleted," the clusters that held its data are not immediately overwritten. The OS simply marks them as available. Until another file overwrites them, the original data can be recovered.

Solid State Drives (SSD) store data in NAND flash cells — no moving parts. They are faster and more durable than HDDs. However, SSDs use wear levelling: the controller deliberately spreads writes across all cells so no single cell is written too often. This means data is distributed in ways the OS does not control or record. The TRIM command instructs the SSD controller to immediately erase blocks that the OS marks as freed, so future writes are faster. The forensic consequence is severe: on a TRIM-enabled SSD, deleted data may be zeroed within seconds — long before an examiner ever images the drive.

USB flash drives use the same NAND flash technology as SSDs. Most consumer flash drives do not implement TRIM aggressively, so deleted data recovery is often still possible.

TRIM Command

An ATA command (TRIM) or NVMe equivalent (Deallocate) that tells the SSD to securely erase blocks the operating system has marked as free. It improves write performance but makes post-deletion recovery significantly harder or impossible.

Write Blocker

A hardware or software device placed between the evidence drive and the examiner's workstation. It allows read operations but blocks all write commands. Essential to preserve evidential integrity and to demonstrate in court that the examiner did not alter the original media.

Fig 1.2 HDD vs SSD architecture — magnetic platter with read/write head on the left; NAND flash chip array with wear-levelling controller on the right.
Labels shown in the figure: HDD — magnetic platter, R/W head, tracks → sectors (512 B / 4 096 B); SSD — NAND flash chips, controller (TRIM), wear levelling (data scattered).

The table below summarises the forensic differences between HDD and SSD:

Feature               | HDD                           | SSD
----------------------|-------------------------------|--------------------------------
Storage medium        | Magnetic platters             | NAND flash cells
Deleted data recovery | High (until overwritten)      | Low if TRIM is active
Wear levelling        | No                            | Yes — data location unpredictable
Fragmentation         | Yes — useful forensic trail   | Minimal

1.3 OS Boot Process

When you press the power button, the computer does not jump straight to Windows or Linux. It follows a strict sequence of steps before the operating system is ready. Every step is also a location where malware — especially rootkits — can hide.

Step 1 — Power-On Self Test (POST). The firmware immediately runs a hardware check: is the CPU working? Is RAM present and readable? Are storage devices detected? If POST fails, the machine beeps an error code and stops.

Step 2 — BIOS or UEFI initialises hardware. The firmware scans for a bootable device (hard disk, USB, optical disc, network) in the configured priority order.

  • BIOS (Basic Input/Output System): the legacy firmware standard. It is 16-bit, runs in "real mode," and looks for the Master Boot Record (MBR) — the first 512 bytes of the disk — which contains a small bootloader and the partition table. BIOS supports disks up to 2 TB and a maximum of four primary partitions.
  • UEFI (Unified Extensible Firmware Interface): the modern replacement. It is 32/64-bit, uses the GUID Partition Table (GPT) which supports disks over 2 TB and up to 128 partitions. UEFI also supports Secure Boot — it verifies that the bootloader is digitally signed by a trusted authority, blocking unsigned rootkits from loading.

Step 3 — Bootloader loads the OS kernel.

  • On Windows (UEFI): bootmgfw.efi → winload.efi → Windows kernel (ntoskrnl.exe)
  • On Windows (BIOS): bootmgr → winload.exe → Windows kernel
  • On Linux: GRUB reads its configuration, selects the kernel image (vmlinuz), loads initramfs, then hands off to the kernel

Step 4 — Kernel and services start. The kernel initialises the file system, loads device drivers, starts system services, and creates the user login session.

Master Boot Record (MBR)

The first 512 bytes of a partitioned disk. Contains bootstrap code (446 bytes), the partition table (64 bytes — four entries of 16 bytes each), and the boot signature (0x55AA). MBR-based rootkits overwrite the bootstrap code to execute before the OS loads, making them invisible to OS-level security tools.
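
The layout just described (446 bytes of bootstrap code, a 64-byte table of four 16-byte entries, and the 0x55AA signature) is simple enough to parse directly. The following Python script is an added example, not code from the chapter or from any forensic tool it mentions: it splits a 512-byte sector into those three regions, decodes each partition entry, checks the boot signature, and hashes the bootstrap code so it can be compared against a known-good baseline recorded at acquisition time, which is how an examiner would notice that the bootstrap code has been replaced. The sample sector is constructed inline; the partition type names and the 0xEE "GPT protective" type are standard MBR values.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
PROTECTIVE_MBR_TYPE = 0xEE            # type a GPT disk places in its protective MBR

# Small subset of well-known partition type codes, used only for labelling.
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector[:446]          # bootstrap code: what an MBR rootkit overwrites
    table = sector[446:510]           # partition table: 4 entries x 16 bytes
    signature = sector[510:512]       # must be 0x55AA

    entries = []
    for i in range(4):
        raw = table[i * 16:(i + 1) * 16]
        # boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        boot_flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        entries.append({
            "index": i,
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": sectors,
        })

    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "signature_valid": signature == BOOT_SIGNATURE,
        "is_gpt_protective": any(e["type"] == PROTECTIVE_MBR_TYPE for e in entries),
        "partitions": [e for e in entries if e["type"] != 0x00],
    }


def bootstrap_matches_baseline(sector: bytes, known_good_sha256: str) -> bool:
    """True if the 446-byte bootstrap code hashes to the baseline recorded at acquisition."""
    return parse_mbr(sector)["bootstrap_sha256"] == known_good_sha256


def build_sample_mbr(bootstrap_fill: int = 0x90) -> bytes:
    """Construct a sample MBR (not taken from a real disk): one bootable NTFS partition at LBA 2048."""
    bootstrap = bytes([bootstrap_fill]) * 446
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48       # remaining three entries empty
    return bootstrap + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_sha256"]   # recorded from the known-good image
    tampered = build_sample_mbr(0xCC)                  # same partitions, different bootstrap code
    print(parse_mbr(clean))
    print("bootstrap code changed:", not bootstrap_matches_baseline(tampered, baseline))
```

On a real image the first 512 bytes of the raw disk file (not of a partition) are passed to parse_mbr; a disk that shows a single 0xEE entry is GPT-partitioned, and its real partition table and the EFI System Partition are described by the GPT header that follows in the next sector.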

Secure Boot

A UEFI feature that verifies the cryptographic signature of the bootloader before executing it. If the signature is invalid or absent, the firmware refuses to boot, blocking unsigned rootkits and bootkits. On a forensic acquisition, Secure Boot status can be read from the UEFI NVRAM.

Fig 1.3 OS boot sequence — power-on through POST, firmware initialisation, bootloader, kernel load, and user session. Rootkits target the MBR or EFI partition.
Steps shown in the figure: 1 Power on (electricity flows to motherboard) → 2 POST (hardware self-test — CPU / RAM / I/O) → 3 BIOS / UEFI (firmware finds bootable device, MBR / GPT; rootkit target: MBR / EFI partition) → 4 Bootloader (bootmgr / GRUB loads OS kernel) → 5 OS kernel (drivers, services, file system mount) → 6 User session.

From a forensic perspective, the MBR or EFI System Partition (ESP) are high-value artefacts. A bootkit — a rootkit that persists in the boot sector — executes before the OS and before any security software, making it very difficult to detect from within a running OS. Examiners image the entire disk including the first sectors, not just the data partitions.

1.4 File System Types

A file system is the method the OS uses to organise, store, and retrieve files on a storage device. Different operating systems use different file systems, and each leaves different forensic artefacts.

FAT32 (File Allocation Table, 32-bit) is the oldest of the common file systems. Its key limitation is a maximum file size of 4 GB and a maximum volume size of 8 TB (though many implementations cap it at 2 TB). FAT32 has no access permissions, no journaling, and no metadata beyond basic timestamps. It is still found on USB drives and SD cards for cross-platform compatibility. Forensically, FAT32 is simple to parse: deleted directory entries are marked with byte value 0xE5 but remain intact in the directory table until overwritten.
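
Because FAT directory entries are fixed 32-byte records and deletion only overwrites the first byte with 0xE5, a deleted entry's remaining name characters, first cluster and size stay readable. The script below is an added example, not code from the chapter: it walks a directory table, keeps the 0xE5 entries alongside live ones, marks the lost first character with "?", skips VFAT long-name fragments (attribute 0x0F), and stops at the 0x00 terminator that marks the never-used tail of the table. The directory table is constructed inline from sample entries; the field offsets (name at 0, attributes at 11, first-cluster high word at 20, low word at 26, size at 28) are the standard FAT layout.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5      # first byte of a deleted entry
END_OF_DIR = 0x00        # first byte of an entry that was never used: nothing follows
ATTR_LONG_NAME = 0x0F    # VFAT long-filename fragment
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20


def _decode_short_name(raw11: bytes) -> str:
    """Turn an 11-byte 8.3 name field into NAME.EXT."""
    base = raw11[:8].decode("ascii", "replace").rstrip()
    ext = raw11[8:11].decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base


def parse_directory(table: bytes) -> list:
    """Walk 32-byte FAT directory entries, keeping deleted (0xE5) entries and stopping at 0x00."""
    entries = []
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = table[off:off + ENTRY_SIZE]
        first = raw[0]
        if first == END_OF_DIR:
            break                      # no entry beyond this point was ever allocated
        attr = raw[11]
        if attr == ATTR_LONG_NAME:
            continue                   # long-name fragment; the 8.3 entry that follows holds the data
        deleted = first == DELETED_MARK
        name_bytes = raw[:11]
        if deleted:
            # The first character was overwritten by 0xE5; show '?' so the analyst knows it is unknown.
            name_bytes = b"?" + raw[1:11]
        cluster_hi, = struct.unpack_from("<H", raw, 20)
        cluster_lo, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        entries.append({
            "name": _decode_short_name(name_bytes),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (cluster_hi << 16) | cluster_lo,
            "size": size,
        })
    return entries


def deleted_entries(table: bytes) -> list:
    """Only the entries a file-recovery pass would start from."""
    return [e for e in parse_directory(table) if e["deleted"]]


def make_entry(name8_3: bytes, attr: int, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build one constructed 32-byte entry (sample data, not taken from a real volume)."""
    name = name8_3.ljust(11, b" ")
    if deleted:
        name = bytes([DELETED_MARK]) + name[1:]
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


# Constructed directory table: one live file, one deleted file, one subdirectory, then the terminator.
SAMPLE_DIR = (
    make_entry(b"REPORT  DOC", ATTR_ARCHIVE, 5, 12_345)
    + make_entry(b"SECRET  TXT", ATTR_ARCHIVE, 9, 4_096, deleted=True)
    + make_entry(b"PHOTOS     ", ATTR_DIRECTORY, 12, 0)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        flag = "DELETED" if e["deleted"] else "live   "
        print(f"{flag} {e['name']:<14} cluster={e['first_cluster']} size={e['size']}")
```

The first cluster and size recovered from a deleted entry are exactly what a carving tool needs to start reading the file's clusters; whether those clusters still hold the original data depends on whether the volume has reused them since.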

NTFS (New Technology File System) is the default file system for Windows since Windows NT. NTFS is far richer than FAT32:

  • $MFT (Master File Table): Every file and directory has an entry in the MFT — 1 024 bytes per record storing the file's attributes, timestamps, and data location. When a file is deleted, its MFT record is marked as available but not immediately zeroed, so deleted-file metadata persists.
  • $LogFile: NTFS journals all metadata changes. Forensically, the journal records recent file operations even after deletion.
  • Alternate Data Streams (ADS): A single file can carry multiple named data streams beyond its primary content. Malware uses ADS to hide payloads inside innocent-looking files. Example: document.txt:hidden.exe.
  • Full access permissions (ACLs), file ownership, and MACB timestamps (Modified, Accessed, Changed, Born).
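
The $MFT behaviour described above (a fixed 1 024-byte record per file whose header keeps its "FILE" signature after deletion, with only the in-use flag cleared) can be checked directly on a raw $MFT extract. The script below is an added example, not code from the chapter or from any NTFS tool: it scans consecutive 1 024-byte records, reads the standard record-header fields (signature, sequence number, hard-link count, flags, record number) and reports the records that are still intact but no longer in use, which is where deleted-file metadata persists. The $MFT image is constructed inline; the header offsets used are the standard NTFS FILE record layout (flags at 0x16, record number at 0x2C).

```python
import struct

MFT_RECORD_SIZE = 1024
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def parse_mft_record_header(record: bytes) -> dict:
    """Decode the fixed header of one FILE record; attributes are not parsed here."""
    if len(record) != MFT_RECORD_SIZE:
        raise ValueError("MFT record must be exactly 1024 bytes")
    signature = record[:4]
    if signature != b"FILE":
        # "BAAD" (multi-sector transfer failed) or zeroed/never-used record
        return {"signature": signature, "valid": False}
    # Fields from offset 4: update-sequence offset/count, $LogFile LSN, sequence number,
    # hard-link count, first-attribute offset, flags, used size, allocated size,
    # base record reference, next attribute id.
    (_usa_off, _usa_cnt, lsn, seq, links, _first_attr,
     flags, used, allocated, base_ref, _next_id) = struct.unpack_from("<HHQHHHHIIQH", record, 4)
    record_number, = struct.unpack_from("<I", record, 44)   # present on NTFS 3.1+ volumes
    # Note: the update-sequence fixup is only applied to the last two bytes of each 512-byte
    # sector (offsets 510 and 1022); the header read here lies entirely before the first of them.
    return {
        "signature": signature,
        "valid": True,
        "record_number": record_number,
        "sequence": seq,
        "hard_links": links,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "used_bytes": used,
        "allocated_bytes": allocated,
        "base_record": base_ref & 0xFFFFFFFFFFFF,   # low 48 bits; 0 means this is a base record
        "logfile_lsn": lsn,
    }


def scan_mft(data: bytes) -> list:
    """Parse every 1024-byte record in a raw $MFT extract, skipping unused ones."""
    records = []
    for off in range(0, len(data) - MFT_RECORD_SIZE + 1, MFT_RECORD_SIZE):
        hdr = parse_mft_record_header(data[off:off + MFT_RECORD_SIZE])
        if hdr["valid"]:
            records.append(hdr)
    return records


def deleted_records(data: bytes) -> list:
    """Intact FILE records whose in-use flag is clear: metadata of deleted files/directories."""
    return [r for r in scan_mft(data) if not r["in_use"]]


def make_record(number: int, in_use: bool, is_dir: bool = False, seq: int = 1) -> bytes:
    """Construct one sample FILE record header (not taken from a real volume)."""
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    raw = bytearray(MFT_RECORD_SIZE)
    raw[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQH", raw, 4,
                     0x30, 3, 0x1234, seq, 1, 0x38, flags, 0x100, MFT_RECORD_SIZE, 0, 4)
    struct.pack_into("<I", raw, 44, number)
    return bytes(raw)


# Constructed $MFT extract: $MFT itself, the root directory, a deleted file, and an unused slot.
SAMPLE_MFT = (
    make_record(0, in_use=True)
    + make_record(5, in_use=True, is_dir=True)
    + make_record(37, in_use=False, seq=4)
    + bytes(MFT_RECORD_SIZE)
)

if __name__ == "__main__":
    for r in scan_mft(SAMPLE_MFT):
        state = "in use " if r["in_use"] else "DELETED"
        kind = "dir " if r["is_directory"] else "file"
        print(f"record {r['record_number']:>6} seq={r['sequence']} {kind} {state}")
```

A deleted record's sequence number is the value an examiner checks against any index entry or $LogFile record that still refers to it: once the slot is reused the sequence number increments, so a mismatch tells you the reference predates the reuse.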

ext4 is the default Linux file system. Ext4 uses inodes — data structures that store a file's metadata (size, timestamps, permissions, data block locations) separately from the file's name. It supports extents (contiguous block ranges for large files) and a journal. Forensically, the inode table and journal are primary targets for recovering deleted file information.

APFS (Apple File System) is Apple's modern file system for macOS and iOS, introduced in 2017. Key features: copy-on-write (when a file is modified, old blocks are not immediately overwritten, enabling snapshots — point-in-time copies that preserve evidence of files the user thought they deleted), nanosecond timestamps, and native full-volume or per-file encryption. APFS snapshots are a forensic goldmine.

exFAT is a Microsoft extension of FAT32 designed for large flash drives. It removes the 4 GB file size limit but has no journaling and minimal metadata, making forensic analysis harder than NTFS.

File System | Primary OS               | Max File Size     | Journaling          | Key Forensic Feature
------------|--------------------------|-------------------|---------------------|------------------------------------------------
FAT32       | Cross-platform / USB     | 4 GB              | No                  | 0xE5 deleted entries survive in directory table
NTFS        | Windows                  | 16 EB (practical) | Yes ($LogFile)      | $MFT records, ADS, MACB timestamps
ext4        | Linux                    | 16 TB             | Yes                 | Inode table + journal retain deleted-file info
APFS        | macOS / iOS              | 8 EB              | No (copy-on-write)  | Snapshots preserve deleted file history
exFAT       | Cross-platform / large USB | 128 PB           | No                  | Minimal metadata; limited recovery

Alternate Data Streams (ADS)

An NTFS feature that allows a file to carry additional data streams beyond its primary content. The extra streams are invisible in Windows Explorer and most file listings. Malware abuses ADS to hide executable payloads inside innocent files — the file appears to have a normal size while the hidden stream contains the payload.

Master File Table ($MFT)

The heart of NTFS. Every file and directory on an NTFS volume has at least one 1 024-byte record in the $MFT, storing the file's attributes including name, timestamps, permissions, and data location. Deleted file records are marked free but remain readable until reused, making the $MFT a primary forensic target for recovering metadata about deleted files.

Memory hooks · Chapter 1

1.1 RAM = whiteboard — volatile, wiped on power-off; always capture a live memory dump before shutdown or you lose encryption keys, running processes, and network connections.

1.1 ROM = printed manual — non-volatile firmware; holds BIOS/UEFI; survives power loss.

1.1 Cache levels — L1 fastest and smallest (inside core) → L2 → L3 largest and shared across cores.

1.2 HDD sectors — 512 B (legacy) or 4 096 B (Advanced Format); clusters group sectors; fragmentation leaves trails; "deleted" = cluster marked free, data intact until overwritten.

1.2 SSD + TRIM — wear levelling scatters data unpredictably; TRIM zeroes freed blocks instantly; deleted data recovery is hard or impossible on a TRIM-enabled SSD.

1.3 Boot order — POST → BIOS/UEFI → Bootloader → Kernel → User session. BIOS reads MBR (first 512 bytes); UEFI reads GPT + checks Secure Boot signature.

1.3 Rootkit/bootkit hiding spot — MBR or EFI System Partition; runs before OS and antivirus; invisible from inside a running OS.

1.4 FAT32 — max file 4 GB, no journaling, no permissions; USB drives; deleted entries marked 0xE5.

1.4 NTFS — $MFT records survive deletion; $LogFile journals ops; ADS hides payloads; MACB timestamps.

1.4 ext4 — inode table + journal; Linux default; deleted inodes recoverable until reused.

1.4 APFS — copy-on-write snapshots may hold deleted files; nanosecond timestamps; native encryption.
