So this week I'll be talking about data storage. Along with this lecture, I'll also be posting a lot of links on the forum providing more information about each of the topics that I'm talking about.
So whenever we're talking about data, data on computers or on your phone or cameras or whatever else you're working with, we store data in its lowest representation as a collection of ones and zeros. So these ones and zeros we have to convert or interpret from ones and zeros into information that a human can understand. So we can't directly observe, for example, a picture on a hard drive. We have to actually convert that picture into information that we can make sense of.
So applying this to digital investigations, we also need to interpret digital evidence when automatic viewers fail to display it properly. So we have ones and zeros and those ones and zeros potentially represent information that we can say is digital evidence. However, sometimes the tools we're using may not work properly, so we need to know how do we actually convert those ones and zeros into information we can use. We also must be able to manually repeat the results of automated tools. In digital forensics everything you do should be repeatable. So we need to understand how our tools are actually working, how our tools are converting those ones and zeros into information that we can actually use in a court of law. We also must be able to recover as much data as possible when the data is partially destroyed. So sometimes parts of the data might be missing or otherwise destroyed or changed in some way. So if we only have parts of the data, how can we recover, for example, part of a picture?
So what we'll be talking about this week is, first off, how to, where data is actually located whenever we're dealing with computer systems and how to acquire that data in a way that we can use it for forensic investigations.
So first off, whenever we're representing data, we say that the physical layer is the lowest layer that we can represent data on. So it's the lowest level of data storage and it's kind of the layer you can touch. So think about a USB stick or hard drive or even your mobile phone. All of those are things you can touch and they also store data or information that could be like your pictures, right? So there is a physical storage, something you can touch that stores data in some way. So physical hard drive, potentially random access memory, which we'll talk about more later.
There's a couple different ways that we commonly store data now on the physical layer. The first and oldest, I guess, way is on hard disk drives and these are the hard drives you would normally find in your computer. In these cases, the ones and zeros are represented by a magnetic charge. So on the disk, there's a magnetic charge. If there's a magnetic charge, it's a one. If there's not, it's a zero. So we can go through and read magnetic charges on the disk and reconstruct the ones and zeros from that. We then convert those ones and zeros into information that we can understand.
There's also newer types of hard drives coming out now and also random access memory. And those types of hard drives are called solid state drives. These are kind of like USB sticks and also newer hard drives. And in those hard drives, the ones and zeros, the physical layer, is represented by an electric charge. So rather than having a physical magnetic charge, we have a physical electric charge. So solid state drive, electric charge, hard disk drive, magnetic charge.
And from these physical devices, we create for forensics something called a physical disk image. It's essentially copying the data directly off of the physical disk and making a representation of it, which we'll talk about and we'll actually do this week.
So it copies the data directly from storage device and we say it is a bit-for-bit copy because one, one, one or zero is what we call one bit. So for every bit that is on the physical storage, it will make an exact copy of that. And I'll tell you how we actually determine whether it's exact or not.
So the next layer, after the physical layer, we have something called the logical layer or the layer at which we need to configure the physical disk to be able to use it to store data or information. So the logical layer is defined as a division of physical storage space into, or is a division of physical storage into logical sections, basically splitting up the storage space to use the storage space for different things. And there's lots of different reasons we might have logical disks, but we won't really go into those right now. I'll put more links in the forum. We tend to call these logical, logical divisions or logical volumes. In Windows, we call them partitions or volumes. In OSX we call them slices. And it allows the splitting of the disk into usable sections, maybe for different purposes. So basically we have this physical hard drive and we have to get it ready to be able to store data. So to do that, we have to make a logical kind of container inside. So using a data structure we'll talk about next time, we create a logical container inside the physical disk. That way we can store things inside of it.
A logical disk image, so we can also, we just talked about physical disk image, which is making a bit-for-bit copy of the physical device. A logical disk image copies only what is in the partition, usually at a higher level or the file system level. So basically we only get currently accessible files that are on that partition, usually smaller size, but it may not be able to recover all deleted files. So whenever we're taking a logical disk image, we usually are missing some information that might be related or important to the case.
So we tend to go with physical disk images, but the physical disk images will be much bigger.
So after we have a partition or a logical disk, then we can put on a file system. And a file system, exactly like what it sounds like, a file system is a method for storing and retrieving data from storage. So the file system itself is just a method for storing the data that you want to save and be able to retrieve later. So imagine, for example, you take a picture of your cat and you want to save that and be able to open it back up. How does your computer know where the entire data for the cat is located on the storage device? And the way it knows that essentially is whatever file system it uses keeps track of the location of each of the parts of that cat picture. That way, whenever you click on the cat picture, it can open back up and find all of the data correctly.
We normally install a file system on a partition and different partitions can have different file systems. So in Windows, for example, your C drive is one partition. You have at least one physical disk and you have C drive, which is at least one partition. You might also, however, have a D drive. That could be another partition on the same physical disk and they might have different file systems on them. They're treated like completely different objects, essentially. They're completely separated.
Types of file systems. So Windows uses NTFS by default and it supports several other file systems. OSX or Mac uses HFS Plus and it also supports other file systems. OSX uses ext4 and it can use a lot of other file systems. And then FAT32 or exFAT is usually what your USB stick is formatted with and it is supported by most devices. So there's lots of different file systems that we can install. Some operating systems support by default certain file systems, whereas other operating systems will support other file systems.
But we can install many different file systems depending on the operating system or the device we're trying to use.
So just a quick overview. First we have a physical disk and on the physical disk we need to create a logical partition, which is essentially just a container where we can store data. In this logical partition, we then install usually a file system. That way we can keep track of any of the files we want to save on that partition and recover them later. Once we have a file system then we can install something like an operating system or just start saving data. Once the file system is installed, the operating system can be installed and the way the data will be saved on a storage disk is managed by the file system. Like I said, there's lots of different types of file systems and they all save data a little bit differently. They all have pros and cons basically depending on what features you're looking for for your data storage.
So our task as forensic investigators is to take the data that's stored on a disk, either the logical partition, the physical disk, or even just a file and make sense of that data. So in the next lecture I'll talk about data structures, but we actually go through how to make sense of this data that we find on these disks. Thank you very much.
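
An added illustration, not part of the lecture: the difference between a physical (bit-for-bit) image and a logical image, shown on a constructed toy disk. The 16-byte sector size, the `file_table` structure and the use of SHA-256 to check that a copy is exact are all assumptions made for this example; the lecture does not name a verification method.

```python
import hashlib

SECTOR = 16  # toy sector size in bytes (constructed; real disks use 512 or 4096)

def build_toy_disk():
    """Return (disk_bytes, file_table) for a constructed 6-sector partition.

    file_table stands in for the file system's bookkeeping: it maps each
    currently accessible file to (first_sector, length_in_bytes).
    """
    disk = bytearray(SECTOR * 6)
    disk[1 * SECTOR:1 * SECTOR + 12] = b"cat picture!"
    # Data left behind by a deleted file: still on disk, no table entry.
    disk[3 * SECTOR:3 * SECTOR + 14] = b"deleted letter"
    file_table = {"cat.jpg": (1, 12)}
    return bytes(disk), file_table

def physical_image(disk):
    """Bit-for-bit copy: every byte of the device, allocated or not."""
    return bytes(disk)

def logical_image(disk, file_table):
    """Copy only the files the file system currently lists."""
    return {name: disk[start * SECTOR:start * SECTOR + length]
            for name, (start, length) in file_table.items()}

def is_exact_copy(source, image):
    """Compare SHA-256 digests of source and image (assumed method)."""
    return hashlib.sha256(source).digest() == hashlib.sha256(image).digest()

def recoverable(needle, physical, logical):
    """Report which kind of image still contains the given bytes."""
    return {"physical": needle in physical,
            "logical": any(needle in data for data in logical.values())}

if __name__ == "__main__":
    disk, table = build_toy_disk()
    phys = physical_image(disk)
    logi = logical_image(disk, table)
    print("physical size:", len(phys), "exact copy:", is_exact_copy(disk, phys))
    print("logical size:", sum(len(d) for d in logi.values()))
    print("deleted data:", recoverable(b"deleted letter", phys, logi))
```
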