3 Disk Forensics
Disk forensics is an essential competence in digital forensics. Before we dive into it, it is crucial to have some knowledge of disk structure. The smallest addressable unit on a disk is called a "sector," which is normally 512 bytes in size. Sectors are also the smallest unit of input/output (I/O): if we read a file containing a single byte, the hard disk controller still has to read the entire sector that contains that byte.
The partition table defines the layout of the disk. It records how many partitions exist on the disk and where each one is located. The partition table is normally stored at the start of the disk. Many types of partition table exist, but the two we will encounter most are the master boot record (MBR), also called the DOS partition scheme, and the GUID partition table (GPT). Partitions are areas of the disk that can contain a file system. A file system provides a predetermined framework for organizing and storing data within a partition, so that data can be stored and retrieved in a structured, predefined manner.
The most common file systems include:
- FAT or ExFAT – Commonly used for removable media.
- NTFS – The standard for Windows systems.
- Ext4 – Used in Linux and Android distributions.
- APFS – Employed on Apple devices.
There are also areas on the disk called unallocated space. This area is not part of any partition and should theoretically not contain any data. However, in practice, there might be historical ...
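To make the sector, partition table and unallocated-space concepts above concrete, here is an added example (not code from the book) that builds a constructed 512-byte MBR sector, parses its partition entries, converts sector numbers to byte offsets using the 512-byte sector size, and reports the sector ranges that no partition covers. The `build_sample_mbr` helper and the partition geometry it uses are assumptions made for illustration.

```python
import struct

SECTOR_SIZE = 512  # the "smallest unit of I/O" described in the text
MBR_ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count

def build_sample_mbr():
    """Construct a synthetic MBR sector (constructed sample, not a real disk image).
    One bootable partition of type 0x07 (NTFS) starting at LBA 2048, 1,000,000 sectors long."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack(MBR_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[446:462] = entry          # the four 16-byte partition entries start at offset 446
    sector[510:512] = b"\x55\xAA"    # boot signature marks a valid MBR
    return bytes(sector)

def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR sector as dictionaries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(MBR_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 or count == 0:   # type 0x00 means an unused slot
            continue
        parts.append({
            "index": i, "bootable": boot == 0x80, "type": ptype,
            "start_lba": lba, "sectors": count,
            "start_byte": lba * SECTOR_SIZE,          # where a carver would seek to
            "end_byte": (lba + count) * SECTOR_SIZE,  # exclusive end offset
        })
    return parts

def unallocated_ranges(parts, total_sectors):
    """Inclusive sector ranges not covered by any partition: candidate unallocated space."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02x} bytes {p['start_byte']}-{p['end_byte']}")
    print("unallocated sector ranges:", unallocated_ranges(parts, 2_000_000))
```

The gap before LBA 2048 and the tail after the last partition are exactly the regions a forensic examiner would inspect for leftover data from earlier layouts.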