CHAPTER 11: Disk Forensics

Chapter 9, “Memory Analysis,” covered the skills needed to analyze volatile data stored in RAM, and in this chapter, we focus on analysis of data stored on nonvolatile storage such as hard disks and solid‐state drives. Although many attackers use techniques to minimize interaction with disks as a forensics countermeasure, there is nonetheless a lot that can be learned by performing a deep‐dive analysis into the data stored on disks. Because such an analysis can be time‐consuming, this level of examination may be reserved for a sampling of impacted hosts or for a more complete analysis of the first host determined to be impacted by the incident. Often, a forensic analysis of the nonvolatile data can help identify additional indicators of compromise, provide details of the attack vector, detail the timeline of an attack, uncover additional attacker techniques, or otherwise benefit the overall incident response. In this chapter, we focus on those areas of digital forensics that are often applicable to incident response scenarios.