
Computer Hardware Fundamentals for Forensic Examiners

Motherboard to NVMe SSD, register-level volatility to TRIM destruction, mapped onto IT Act 2000, BSA 2023 Section 63 and what working casework demands.

A digital forensic examiner must understand computer hardware because the physical architecture determines what evidence exists, in what form, and for how long. The motherboard chipset routes every byte between CPU, RAM and storage; the CPU's registers and cache hold data for nanoseconds before it is gone permanently; RAM retains decrypted keys, process memory and network state only while powered; and modern NVMe SSDs with TRIM enabled can scrub deleted blocks within seconds. Seizing a device without accounting for this volatility hierarchy risks destroying the most time-sensitive evidence before any imaging tool can reach it.

Computer hardware fundamentals decide what a digital forensic examiner can collect, in what order, and what is already gone by the time the seizure team reaches the keyboard. The motherboard chipset routes every byte between CPU, RAM and storage. The CPU keeps the most recent instructions in registers and L1 cache, the next-most-recent in L2 and L3 cache, and reads everything else from RAM over the memory bus. RAM holds running processes, decrypted keys, paste buffers and chat fragments, but loses them all on power-off (with a brief remanence window). Persistent storage on a modern Indian laptop is almost always an M.2 NVMe SSD with NAND flash, wear leveling and TRIM, which means deleted blocks are physically scrubbed in seconds, not in months as on a spinning HDD. A forensic examiner who does not understand this stack will image the wrong thing first, or image it too late.

Key takeaways

  • The motherboard chipset routes every byte between CPU, RAM and storage, making hardware literacy a prerequisite for deciding what to image first at a scene.
  • RAM holds running processes, decrypted keys, paste buffers and chat fragments, but loses all of them on power-off with only a brief remanence window.
  • A modern SSD with TRIM enabled can physically scrub thousands of deleted blocks in under a minute, making it more volatile for forensic purposes than powered RAM on a locked workstation.
  • The textbook order of volatility is a property of how the operating system uses the hardware, not a fixed property of the memory technology itself.
  • A live UPS can keep RAM populated for hours after a breaker trips, while the SSD on the same workstation sanitises deleted data almost immediately.

The textbook order of volatility is a property of how the operating system uses the hardware, not a fixed property of the memory technology itself. A modern SSD with TRIM enabled can be more volatile, for evidential data, than RAM on a locked workstation still drawing power from a UPS. A live UPS on a seized workstation can keep RAM populated for hours after a breaker trips, while the SSD on the same machine may scrub thousands of deleted blocks in under a minute. Which fact governs the scene depends on the hardware configuration in front of the examiner.

By the end of this topic you will be able to:

  • Identify the function of the motherboard chipset, UEFI firmware, and CMOS battery, and explain how each affects forensic acquisition at a scene.
  • Rank CPU registers, cache tiers, DRAM, UEFI NVRAM, and SSD storage by forensic durability after power-off and justify each position.
  • Explain why TRIM on a modern NVMe SSD makes deleted-file recovery effectively impossible and contrast this with HDD recovery behaviour.
  • Select the correct write-blocker type (SATA vs PCIe/NVMe) for a given storage medium and articulate the consequences of connecting a TRIM-active SSD without one.
  • Apply the order-of-volatility hierarchy to a live-scene scenario, determining whether to capture RAM, pull power, or image disk first given the machine's power and authentication state.

Key terms
Chipset (PCH)
The motherboard logic that bridges CPU, RAM, PCIe lanes, SATA, USB and the firmware (UEFI/BIOS). On Intel boards the Platform Controller Hub; on AMD boards the equivalent fusion controller.
BIOS / UEFI
Firmware on a flash chip on the motherboard that runs at power-on, initialises hardware, and hands control to a bootloader. UEFI is the modern replacement for legacy BIOS and supports GPT, Secure Boot and TPM attestation.
CMOS battery
A small lithium cell (typically CR2032) that keeps the real-time clock and a few firmware settings alive when the system is unplugged. Removing it is one of the classical resets for a forgotten BIOS password.
Order of volatility
The forensic ranking of memory locations from most-likely-to-vanish to most-persistent: CPU registers and cache, RAM, network and routing state, temporary files, disk, archival media.
TRIM
An ATA / NVMe command that tells an SSD which logical blocks the file system considers free, so the controller can erase them in the background. TRIM is why a deleted file on a healthy SSD is usually unrecoverable within seconds.
NAND flash wear leveling
The SSD controller's policy of spreading writes across physical blocks so no single block wears out first. The side effect for forensics is that the physical block holding a file may have nothing to do with the logical block the OS sees.

Motherboard, chipset and firmware

The motherboard is the routing fabric. The CPU socket sits next to the DRAM slots on a short, fast memory bus. The chipset (Intel calls it the Platform Controller Hub, AMD has its own naming) sits between the CPU and the slower peripherals: SATA ports for HDD and 2.5 inch SSD, PCIe lanes for the GPU and M.2 NVMe slots, USB controllers, the audio codec and the network controller. A forensic examiner cares about the chipset because it sets the maximum throughput for an imaging operation. A USB 2.0 chipset will image a 1 TB disk in over four hours regardless of how fast the target drive is.

Firmware on the motherboard lives on a small SPI flash chip soldered near the chipset. On legacy boards this held the BIOS. On any Indian laptop or desktop sold in the last decade it holds UEFI. UEFI matters forensically because it owns the boot decision (it picks which device to boot from, in what order), it stores the boot-order list in NVRAM that survives power-off, and it can enforce Secure Boot by checking signatures on the bootloader.

The CMOS battery is the small CR2032 cell on the board. It backs the real-time clock and a handful of firmware settings. If it dies, the system loses the date and time on reboot, and the examiner is the one who has to notice that the timestamps in event logs (covered in Windows Forensic Artifacts) may be wrong by months. An I4C bulletin issued in 2024 specifically warned state cyber cells to record CMOS battery status during seizure because field cases were producing log timelines that could not be reconciled with CCTV.

The motherboard as a routing fabric. The CPU and DRAM share a fast memory bus. The chipset (PCH) bridges to slower peripherals over PCIe and SATA. UEFI firmware on SPI flash owns the boot decision; the CMOS battery backs NVRAM and the real-time clock.

Processor: registers, cache, cores and threads

A modern x86 CPU executes from a tiny pool of general-purpose and vector registers (a few hundred bytes total), backs them with an L1 cache of around 32-64 KB per core, an L2 cache of a few hundred KB to 1-2 MB per core, and a shared L3 cache of 8-64 MB per package. The instruction set is x86-64 on Intel and AMD laptops; ARM64 on Apple Silicon Macs and on most Indian mid-range phones. A value can sit in a register for a nanosecond and never be written to RAM at all.

For a forensic examiner, the practical implication is that nothing in registers or L1 is recoverable, ever, by any tool currently in field use. The first thing acquirable, in principle, is RAM, and only if the machine is still powered. Cold boot attacks on DRAM, which exploit a few seconds of memory remanence after power-off, exist in the academic literature but are not field practice in Indian SOCO units in 2026. Multicore and hyperthreading matter because they decide whether a running process is suspended (and therefore stable enough to dump) or is actively writing to RAM while the dump runs.

| Tier | Typical size | Latency | Forensic recoverability |
|---|---|---|---|
| Registers | Hundreds of bytes per core | Under 1 ns | Not recoverable in field practice |
| L1 cache | 32-64 KB per core | About 1 ns | Not recoverable in field practice |
| L2 cache | 256 KB - 2 MB per core | About 3-10 ns | Not recoverable in field practice |
| L3 cache | 8-64 MB shared | About 30-50 ns | Not recoverable in field practice |
| DRAM (RAM) | 8-64 GB on Indian field laptops | About 60-100 ns | Recoverable with live RAM imaging (FTK Imager, Magnet RAM Capture, DumpIt) while powered |
| NVMe SSD | 256 GB - 4 TB | About 10-100 µs | Image with write-blocker, mind TRIM and over-provisioning |

The Volatility Framework (3.x in 2026) is the standard open-source tool for parsing a RAM image once it is captured. CFSL Hyderabad's cyber wing teaches Volatility on its examiner courses.

RAM: DDR types, ECC and what lives there

DDR3, DDR4 and DDR5 are the dominant DRAM generations on Indian field machines in 2026. DDR3 is still present on legacy government desktops procured before 2015. DDR4 is the bulk of the corporate fleet. DDR5 is on newer laptops and gaming desktops. The forensic examiner does not need to know the electrical differences, but does need to know that each generation uses a physically different DIMM slot, so a swap test (moving the DIMM to a known good board) requires matched hardware.

ECC (Error-Correcting Code) RAM is standard on servers and workstations. It adds parity bits per word that detect and correct single-bit errors. ECC is not security: it does not protect against tampering, only against random bit flips. A few cases in Indian banks have hinged on whether a corrupt log entry was an ECC-corrected error (still trustworthy) or an uncorrected double-bit error (not trustworthy); the server hardware log usually tells the analyst which.

What sits in RAM at the moment a machine is seized:

  • Decrypted keys for FDE volumes. BitLocker on Windows, FileVault on macOS, LUKS on Linux all keep the master key in RAM while the volume is mounted. Pulling the plug without a RAM image throws away the only path to a non-destructive decryption.
  • Running process memory. Browsers (Chrome, Edge, Firefox) keep the active tab contents, form data, autofill, and in-memory cookies in RAM. The on-disk profile only catches data that has been flushed.
  • Cleartext credentials. Many Indian banking customer-facing apps cache the login token in RAM after the user signs in. The token is gone from RAM the moment the app is killed.
  • Network state. Open sockets, the current ARP cache and the in-kernel route table all live in RAM and are part of the order-of-volatility hierarchy.
  • Paging metadata. The page table that maps virtual to physical addresses is in RAM. The page file or swap on disk holds spilled pages and may persist data that RAM has overwritten.

Storage: HDD vs SSD vs M.2 NVMe, and why TRIM matters

Forensic write-blocker bench setup: the suspect drive connects to a hardware write-blocker, which passes read commands to the forensic workstation and physically drops all write commands. The workstation writes the forensic image to a separately verified evidence drive.

A hard disk drive (HDD) stores data on rotating magnetic platters. The drive controller addresses physical locations by cylinder, head and sector (CHS) internally, but exposes a flat logical block address (LBA) range to the operating system. When a file is deleted on an HDD, the file system clears the directory entry and marks the clusters free, but the platters still hold the magnetic pattern. Forensic recovery from an HDD, using tools like Autopsy, FTK, EnCase, or Belkasoft, has been routine practice for two decades on this basis. CFSL Hyderabad ran one of the first national HDD-recovery training programmes in 2011 and the workflow has changed little for spinning disks.

Solid-state drives (SSDs) store data in NAND flash cells. There are no moving parts. The controller maintains a flash translation layer (FTL) that maps logical block addresses, which the OS sees, to physical pages, which are where the data actually lives. NAND has a finite write-erase endurance (typically 1,000 to 100,000 cycles per cell depending on whether it is SLC, MLC, TLC or QLC), so the controller does wear leveling: it spreads writes across the array and may rewrite static data to less-used cells. The implication for forensics is that the physical location of a file's bits drifts over time, and the controller, not the OS, decides when a "deleted" block is actually scrubbed.

TRIM is the command the file system sends to tell the SSD "these LBAs are free." The controller can then schedule garbage collection on the physical pages backing those LBAs. On a healthy Windows or Linux system with TRIM enabled, a deleted file's underlying NAND pages are typically erased within seconds to minutes, and the data is unrecoverable. This is the central forensic problem with modern storage.
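As an added example (not code from the original page or from any forensic tool), a toy Python model of the two storage types described above: a spinning disk where delete only clears the directory entry, and an SSD whose FTL maps LBAs to NAND pages, wear-levels writes and erases TRIMmed pages in garbage collection. Running the same write, delete, image experiment on both shows where a deleted file survives; the class names, sizes and the b"SECRET" marker are constructed for the illustration.

```python
"""Toy model of deleting a file on a spinning HDD versus a TRIM-enabled SSD. Added
illustration, not code from the page; drive classes, sizes and the b"SECRET" marker are constructed."""
from typing import Dict, List


def _free_lbas(files: Dict[str, List[int]], n: int, want: int) -> List[int]:
    used = {lba for lbas in files.values() for lba in lbas}    # the file system's view of 'in use'
    return [i for i in range(n) if i not in used][:want]


class HDD:  # one LBA is one sector; delete only clears the directory entry
    def __init__(self, n_sectors: int) -> None:
        self.platter = [b""] * n_sectors          # magnetic pattern, never cleared on delete
        self.files: Dict[str, List[int]] = {}     # directory: name -> [LBA, ...]
    def write_file(self, name: str, chunks: List[bytes]) -> None:
        lbas = _free_lbas(self.files, len(self.platter), len(chunks))
        for lba, chunk in zip(lbas, chunks):
            self.platter[lba] = chunk             # in-place overwrite, as platters do
        self.files[name] = lbas
    def delete_file(self, name: str) -> None:
        del self.files[name]                      # sectors marked free, platter untouched
    def image(self) -> List[bytes]:
        return list(self.platter)                 # what a write-blocked sector image sees


class SSD:  # NAND pages behind a flash translation layer (FTL), wear leveling, optional TRIM
    def __init__(self, n_lbas: int, n_pages: int, trim_enabled: bool = True) -> None:
        self.n_lbas, self.trim_enabled = n_lbas, trim_enabled
        self.nand, self.writes = [b""] * n_pages, [0] * n_pages  # n_pages > n_lbas: over-provisioning
        self.ftl: Dict[int, int] = {}             # LBA -> physical page
        self.stale, self.files = set(), {}        # pages awaiting erase; directory name -> LBAs
    def garbage_collect(self) -> None:
        for page in self.stale:                   # NAND erase: the bytes are physically gone
            self.nand[page] = b""
        self.stale.clear()
    def _clean_page(self) -> int:                 # wear leveling: least-written clean page
        if not (free := set(range(len(self.nand))) - set(self.ftl.values()) - self.stale):
            self.garbage_collect()                # no clean page left: reclaim stale ones now
            free = set(range(len(self.nand))) - set(self.ftl.values())
        return min(free, key=lambda p: self.writes[p])
    def trim(self, lbas: List[int]) -> None:      # ATA TRIM / NVMe Deallocate sent by the OS
        self.stale.update(self.ftl.pop(lba) for lba in lbas if lba in self.ftl)
        self.garbage_collect()                    # real controllers: in the background, within seconds
    def write_file(self, name: str, chunks: List[bytes]) -> None:
        lbas = _free_lbas(self.files, self.n_lbas, len(chunks))
        for lba, chunk in zip(lbas, chunks):
            if lba in self.ftl:                   # an overwrite never lands in place on NAND
                self.stale.add(self.ftl[lba])
            page = self._clean_page()
            self.nand[page], self.ftl[lba] = chunk, page
            self.writes[page] += 1
        self.files[name] = lbas
    def delete_file(self, name: str) -> None:
        lbas = self.files.pop(name)
        if self.trim_enabled:                     # without TRIM the stale mapping just lingers
            self.trim(lbas)
    def image(self) -> List[bytes]:               # logical view through the FTL (write-blocked)
        return [self.nand[self.ftl[i]] if i in self.ftl else b"" for i in range(self.n_lbas)]
    def chip_off(self) -> List[bytes]:            # raw NAND dump, over-provisioning area included
        return list(self.nand)


def recoverable(dump: List[bytes], marker: bytes = b"SECRET") -> int:
    return sum(1 for chunk in dump if chunk.startswith(marker))


def delete_experiment(trim_enabled: bool) -> Dict[str, int]:
    """Write one file, delete it, count the chunks each acquisition method still sees."""
    chunks = [b"SECRET-%d" % i for i in range(3)]             # constructed file contents
    hdd, ssd = HDD(8), SSD(n_lbas=8, n_pages=10, trim_enabled=trim_enabled)
    for drive in (hdd, ssd):
        drive.write_file("ledger.xlsx", chunks)
        drive.delete_file("ledger.xlsx")
    return {"hdd_image": recoverable(hdd.image()), "ssd_image": recoverable(ssd.image()),
            "ssd_chip_off": recoverable(ssd.chip_off())}
```

With TRIM on, neither the logical image nor a chip-off dump holds the deleted chunks; with TRIM off, the SSD behaves like the HDD until the next write to those LBAs, and even then the old pages linger in NAND until the controller collects them.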

| Property | HDD (SATA spinning) | 2.5 inch SATA SSD | M.2 NVMe SSD | USB flash / eMMC |
|---|---|---|---|---|
| Underlying medium | Magnetic platters | NAND flash | NAND flash, PCIe attached | NAND flash, typically lower grade |
| Interface speed | SATA III, up to ~6 Gbps | SATA III, up to ~6 Gbps | PCIe Gen 3 x4 to Gen 5 x4, multi-GB/s | USB 2/3 or eMMC bus |
| Wear leveling | Not applicable | Yes | Yes | Yes, less sophisticated |
| TRIM behaviour | Not applicable | Standard ATA TRIM | NVMe Deallocate command | Often not implemented or partial |
| Deleted-file recoverability | High, weeks to months | Very low if TRIM active, seconds | Very low if TRIM active, seconds | Variable, sometimes high |
| Forensic write block | Standard SATA write-blocker | Standard SATA write-blocker | PCIe / NVMe write-blocker (newer hardware) | USB write-blocker or imager |

M.2 is the physical form factor. NVMe is the protocol that runs over PCIe to the M.2 slot. An M.2 stick can run either SATA (slower, older M.2 SATA SSDs) or NVMe (faster, current); the examiner has to identify which before choosing an adapter. Indian laptops sold since 2022 are nearly all M.2 NVMe.

Optical media (CD, DVD, Blu-ray) appear in older Indian case files but are almost never seen in new seizures in 2026. When they do appear, they are non-rewritable in the majority of cases, which simplifies the integrity question. eMMC chips on phones and budget tablets behave like a soldered-in flash drive with limited TRIM support; mobile forensics (Cellebrite, Magnet AXIOM, Oxygen, MOBILedit) addresses them separately.

Networking hardware on the seized machine

Every networked computer has at least one Network Interface Controller (NIC). On modern Indian laptops the wired NIC is on the motherboard, and the wireless NIC is a separate M.2 module on a CNVi or PCIe slot (Intel AX200, AX210 and the MediaTek equivalents are common). Each NIC has a 48-bit Media Access Control (MAC) address burned into firmware at manufacture; the first 24 bits are the Organisationally Unique Identifier (OUI) that maps to the vendor.

The forensic examiner cares about MAC for three reasons. First, the MAC is logged at the LAN switch and on the home or office Wi-Fi access point, so it ties the seized machine to a specific connection record. Second, the MAC is broadcast in plaintext on every Wi-Fi probe request the machine sends, which means CERT-In and state cyber cell investigators can correlate against Wi-Fi sensor logs at airports, hotels and ISP-managed routers. Third, MAC spoofing is trivial (a single ip link set command on Linux, a registry tweak on Windows), so the burned MAC and the announced MAC may disagree.
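As an added example (not code from the original page), a small audit over constructed switch and access-point log lines that decodes the individual/group and universal/local bits of each announced MAC and extracts its OUI, so the examiner can see which addresses cannot be a burned-in vendor assignment and must be treated as software-set. The log format and the OUI table are placeholders, not a real vendor database.

```python
"""Flag announced MAC addresses that cannot be a factory-burned assignment.
Added illustration, not from the original page; the log lines and the tiny OUI
table are constructed placeholders, not a real vendor database."""
import re
from typing import Dict, List

# Constructed placeholder OUI table. Real casework uses the IEEE registry.
OUI_TABLE: Dict[str, str] = {"00:11:22": "PlaceholderVendorA", "00:AA:BB": "PlaceholderVendorB"}

# Six hex octets separated by ':' or '-', not embedded in a longer hex run.
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:-])([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?![0-9A-Fa-f:-])")

# Constructed switch and access-point log excerpt (hosts, ports and times are invented).
SAMPLE_LOG: List[str] = [
    "2026-01-14 09:12:03 sw-core01 port Gi1/0/7 up, learned mac 00-11-22-3a-4b-5c",
    "2026-01-14 09:40:51 ap-lobby assoc sta=12:34:56:78:9a:bc ssid=GuestWiFi",
    "2026-01-14 10:02:17 sw-core01 port Gi1/0/7 up, learned mac 00-aa-bb-01-02-03",
    "2026-01-14 10:15:44 ap-lobby assoc sta=01:00:5e:00:00:fb ssid=GuestWiFi",
]


def normalise(mac: str) -> str:
    """Canonical upper-case, colon-separated form, e.g. 00:11:22:3A:4B:5C."""
    return ":".join(part.upper() for part in re.split(r"[:-]", mac))


def classify(mac: str) -> Dict[str, object]:
    """Decode the I/G and U/L bits of the first octet and look up the OUI."""
    mac = normalise(mac)
    first = int(mac[:2], 16)
    oui = mac[:8]                                   # first 24 bits = OUI
    return {
        "mac": mac,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown OUI"),
        "multicast": bool(first & 0x01),            # I/G bit: group address, never a NIC
        "locally_administered": bool(first & 0x02), # U/L bit: set by software, not burned in
    }


def audit_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per MAC seen, with its source line, for examiner review."""
    records = []
    for line in lines:
        for mac in MAC_RE.findall(line):
            rec = classify(mac)
            rec["line"] = line
            # A unicast address with the U/L bit set was assigned by software (OS
            # randomisation or a deliberate change), so it cannot be matched to a
            # burned-in OUI and the vendor field means nothing for it.
            rec["needs_review"] = rec["locally_administered"] and not rec["multicast"]
            records.append(rec)
    return records


def addresses_needing_review(lines: List[str]) -> List[str]:
    return [str(r["mac"]) for r in audit_log(lines) if r["needs_review"]]
```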

Wired versus wireless adapter differences that show up in casework:

  • Wired NIC logs end at the link layer. A switch port records the MAC; a managed switch may also record the time the port came up.
  • Wireless adapter holds a profile list (in Windows, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles) showing every Wi-Fi network the machine has connected to, with SSID, BSSID, first-connected and last-connected timestamps.
  • Tethered cellular adapter (USB modem or phone-as-modem) introduces an IMEI and a SIM, both of which the examiner should record separately. IMEI seizure protocol is covered later in the module under mobile forensics.

CERT-In's vulnerability advisory CIVN-2024-0093 (representative example) on a Wi-Fi driver supply-chain issue illustrates that the driver version on the seized adapter may itself be the relevant evidence in an intrusion case, not just the user-space logs. The wireless profile list is stored in HKLM\SOFTWARE (the System hive on disk).

Power-on workflow and what survives a power cycle

The hardware-level power-on workflow is short, deterministic and the same on every x86 machine the examiner will see in Indian field practice. Understanding it is what tells the examiner what is gone the instant power is cut, what is still on the board, and what only exists if the machine boots normally.

  1. Power good signal from the PSU
    The power supply asserts the PWR_OK / PG line once its rails have stabilised. Until this signal goes high, the CPU is held in reset. Pulling the AC plug is what removes this signal in field practice.
  2. CPU reset vector fetch
    On release of reset, the CPU starts executing at the architectural reset vector (on x86, near the top of memory). The first instructions are in UEFI firmware on the SPI flash chip, not in RAM, not on disk.
  3. POST and hardware enumeration
    Power-On Self Test. UEFI inventories DRAM, runs CPU microcode updates, enumerates PCIe devices, initialises the chipset, and sets up the early console. POST errors are written to UEFI NVRAM and survive power-off.
  4. Boot device selection
    UEFI consults its NVRAM boot-order list (still on the board, backed by CMOS battery) and picks the first available bootable device. Secure Boot, if enabled, verifies the bootloader signature against the firmware's key store before handing over.
  5. Bootloader handoff
    Control is transferred to the bootloader on the chosen disk: bootmgr.efi on Windows, GRUB or systemd-boot on Linux, BOOTX64.EFI for an installer USB. From this point the operating system takes over (see Operating Systems, Boot Process and File Systems).

What survives a power cycle, ranked from most to least durable:

  • Soldered NAND on the SSD and eMMC, including the over-provisioning area that is not visible to the OS without controller-specific tools.
  • Platter contents on an HDD, until the next write to those sectors.
  • UEFI NVRAM on the SPI flash, holding boot order, Secure Boot keys, and a few firmware logs.
  • CMOS RTC and a handful of settings, kept alive by the CR2032.
  • DRAM contents for a few seconds at room temperature, longer if the DIMM is chilled (cold-boot attack territory, not field practice in India in 2026).
  • CPU registers and L1/L2/L3 cache for the very brief interval between the power-good drop and the CPU losing its rails. For forensic purposes, treat as zero.

Volatility-aware imaging order is the natural follow-up for what an Indian first responder actually does at the scene given this hardware model. The digital forensics past-paper question that recurs is: "Rank, in increasing order of forensic durability after power-off, the following: SSD over-provisioning area, CPU L2 cache, UEFI NVRAM, DDR4 DRAM." The expected ranking, increasing durability, is L2 cache, DRAM, UEFI NVRAM, SSD over-provisioning.

Practice

An Indian SOCO examiner reaches a powered, screen-locked Windows 11 laptop with BitLocker enabled. The AC plug is in, the wireless light is on. What is the highest-value action she can take before pulling power?

Frequently asked questions

What is the order of volatility and why does it start at CPU registers?
The order of volatility is the forensic ranking of memory locations from most-volatile to most-persistent: CPU registers and cache, then DRAM, then network and routing state, then temporary files, then disk, then archival media. It starts at registers because they hold the current instruction's operands for fractions of a nanosecond and are lost the moment the CPU is reset or the rail drops. No field tool in Indian SOCO practice in 2026 recovers register state.
Why does TRIM on SSDs create a problem for digital forensics?
TRIM is the command the file system sends to tell the SSD which logical blocks are free. The controller then schedules garbage collection on the backing NAND pages, often within seconds. Once a NAND page is erased, the data is gone, and no field tool can recover it. On a spinning HDD, deletion only clears the directory entry, so the platter still holds the data until overwritten. The same examiner workflow that recovered weeks-old deleted files on an HDD recovers almost nothing from a healthy NVMe SSD.
What is the difference between M.2 and NVMe?
M.2 is the physical form factor: a small card that slots into an M.2 connector on the motherboard. NVMe is a protocol that runs over PCIe lanes for fast SSD access. An M.2 slot can carry either a SATA SSD (slower, legacy) or an NVMe SSD (current, fast). The examiner has to read the keying on the connector or the controller silkscreen before choosing a write-blocker; an NVMe drive needs a PCIe-aware write-blocker, not a SATA one.
Does ECC RAM make a system more secure against forensic challenges?
No. ECC corrects random single-bit errors and detects double-bit errors. It is a reliability feature for servers, not a security or tamper-evidence feature. ECC matters in court only when a log corruption is being argued: an ECC-corrected event is still trustworthy, an uncorrected double-bit event flagged by the server's hardware management log is not. ECC says nothing about whether a user or attacker tampered with the data.
Why do Indian cyber cells record the CMOS battery condition during seizure?
Because a dead CMOS battery resets the BIOS/UEFI real-time clock to a manufacturer default, typically a year well in the past. Any operating-system timestamp written while the clock was wrong inherits the wrong time. Event logs, prefetch entries and filesystem MAC times then disagree with CCTV, with phone-tower logs, and with each other. I4C bulletins have specifically asked first responders to log CMOS status in the seizure memo so the lab can establish the skew before building a timeline.
Can a forensic examiner recover data from the SSD over-provisioning area?
Sometimes, with controller-specific tools, in a lab setting. The over-provisioning area is the portion of NAND the controller reserves and does not expose as logical blocks. Chip-off acquisition followed by FTL reconstruction can sometimes yield pages from this region. It is not a field technique. In India in 2026, this work happens at CFSL Hyderabad's cyber wing and at a handful of state FSLs with the equipment.
How does the Anvar P V judgment apply to an SSD that has had TRIM run before imaging?
Anvar P V v P K Basheer (followed by BSA 2023 Section 63) requires a certificate attesting to the integrity of the electronic record produced. The certificate goes to the image: the hash, the imaging tool, the chain. It does not certify that the image contains every byte that ever existed on the drive. An SSD imaged after TRIM is still a valid electronic record under Section 63 if properly hashed and certified; the defence is free to argue about completeness, but the admissibility of what was imaged is not in question.
