Disk Forensics

Also known as: Computer disk forensics, Storage forensics

Definition

The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.

Disk forensics is the historically central branch of digital forensics: it works on bit-for-bit images of storage devices and reconstructs activity from file systems (NTFS, APFS, ext4, FAT), journals, metadata, slack and unallocated space. Investigators examine MFT records, USN journals, $LogFile, prefetch, jump lists, link files, browser stores, Windows event logs, and shellbags to build timelines. Tools such as Autopsy/Sleuth Kit, EnCase, X-Ways, FTK, and Plaso/log2timeline automate parsing and timeline creation. Modern challenges include full-disk encryption (BitLocker, FileVault, LUKS), SSD TRIM/garbage-collection, and cloud-synchronised content, all addressed within NIST SP 800-86 and ISO/IEC 27037 best practice.

Examples

  • Recovering a user's deleted documents from NTFS unallocated space with Autopsy.
  • Parsing prefetch and ShimCache to confirm execution of a malicious binary.
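The first example above, recovering a deleted document from unallocated space, comes down to two steps a practitioner performs on every case: prove the working image still matches the acquisition hash, then search the raw bytes for file signatures where the file system no longer points. The following Python is an added illustration, not code from the glossary or from any of the tools it names. The "image" is a constructed byte buffer with a small PDF left behind in unallocated sectors, and the signature table is a deliberately tiny stand-in for the carving rules a tool like Autopsy/Sleuth Kit ships with.

```python
"""Added example: verify a disk image against its acquisition hash, then carve
a deleted PDF out of unallocated space by header/footer signature.
All data is constructed inline; nothing here touches a real disk."""
import hashlib
from dataclasses import dataclass
from typing import List

SECTOR = 512

# Constructed raw image: eight zeroed sectors, with a small PDF-like document
# written into sector 3. Its directory entry is "gone"; only the bytes remain,
# which is exactly the situation signature carving is designed for.
_deleted_doc = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
_buf = bytearray(SECTOR * 8)
_buf[SECTOR * 3 : SECTOR * 3 + len(_deleted_doc)] = _deleted_doc
IMAGE = bytes(_buf)

# Hash that the imaging tool would have recorded at acquisition time.
# (Constructed here by hashing IMAGE; on a case it comes from the acquisition log.)
ACQUISITION_SHA256 = hashlib.sha256(IMAGE).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the working copy and compare with the recorded acquisition hash.
    A mismatch means the copy is not bit-for-bit and nothing carved from it
    should be relied on."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


@dataclass
class CarvedFile:
    offset: int        # byte offset in the image where the header was found
    data: bytes        # recovered bytes, header through footer inclusive

    @property
    def sector(self) -> int:
        """Sector number of the header, useful for cross-referencing with
        file-system metadata (e.g. which MFT record once owned this cluster)."""
        return self.offset // SECTOR


# Minimal header/footer table (constructed; real carvers carry hundreds of rules).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, kind: str, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Scan the whole image for every header of the given type and recover
    bytes up to the matching footer. max_size bounds the search so a header
    with no footer (overwritten tail) does not swallow the rest of the image."""
    header, footer = SIGNATURES[kind]
    found: List[CarvedFile] = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(footer, start, start + max_size)
        if end == -1:
            # Header without a footer within the window: skip it, keep scanning.
            pos = start + 1
            continue
        end += len(footer)
        found.append(CarvedFile(start, image[start:end]))
        pos = end
    return found


if __name__ == "__main__":
    assert verify_image(IMAGE, ACQUISITION_SHA256), "image does not match acquisition hash"
    for f in carve(IMAGE, "pdf"):
        print(f"PDF at offset {f.offset} (sector {f.sector}), {len(f.data)} bytes")
```

Two caveats follow directly from the glossary text. On an SSD with TRIM enabled, the unallocated sectors that this scan depends on are frequently already zeroed by garbage collection, so an empty carve result is not evidence that nothing was deleted. And the hash check is not optional ceremony: if the working image has drifted from the acquisition hash, any carved file's provenance is unprovable.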

Related terms