Disk Forensics
What is Disk Forensics?
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
Disk forensics is the historically central branch of digital forensics: it works on bit-for-bit images of storage devices and reconstructs activity from file systems (NTFS, APFS, ext4, FAT), journals, metadata, slack and unallocated space. Investigators examine MFT records, USN journals, $LogFile, prefetch, jump lists, link files, browser stores, Windows event logs, and shellbags to build timelines. Tools such as Autopsy/Sleuth Kit, EnCase, X-Ways, FTK, and Plaso/log2timeline automate parsing and timeline creation. Modern challenges include full-disk encryption (BitLocker, FileVault, LUKS), SSD TRIM/garbage-collection, and cloud-synchronised content, all addressed within NIST SP 800-86 and ISO/IEC 27037 best practice.
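As an added illustration of the timeline-building step described above (this is example code, not from the page or from any of the tools it names), the snippet below parses a small constructed sample in the Sleuth Kit "bodyfile" format that fls emits and mactime/Plaso consume, expands each row into its M/A/C/B timestamp events, and sorts them into a mactime-style timeline. Paths, inode numbers and timestamps in the sample are invented.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample in Sleuth Kit bodyfile format (fields are
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime);
# the MD5 column is "0" when fls was run without hashing.
SAMPLE_BODYFILE = """\
0|/Users/alice/Documents/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|40960|1700000900|1700000500|1700000500|1700000100
0|/Windows/Prefetch/UPDATER.EXE-1A2B3C4D.pf|5678-128-1|r/rrwxrwxrwx|0|0|8192|1700001000|1700001000|1700001000|1700000950
0|/Users/alice/Documents/notes.txt (deleted)|4321-128-1|r/rrwxrwxrwx|0|0|512|1700000200|1700000200|1700000200|1700000150
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    macb: str      # which timestamp this event came from: M, A, C or B
    path: str
    inode: str
    deleted: bool  # fls appends " (deleted)" to names recovered from unallocated entries

MACB_FIELDS = (("A", 7), ("M", 8), ("C", 9), ("B", 10))  # bodyfile column per flag

def parse_bodyfile(text: str) -> list[Event]:
    """Expand each bodyfile row into one Event per timestamp it carries."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("|")
        if len(cols) != 11:
            raise ValueError(f"expected 11 fields, got {len(cols)}: {line!r}")
        name, inode = cols[1], cols[2]
        for flag, idx in MACB_FIELDS:
            epoch = int(cols[idx])
            if epoch <= 0:  # mactime convention: 0 means "no such timestamp"
                continue
            ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
            events.append(Event(ts, flag, name, inode, name.endswith("(deleted)")))
    return events

def timeline(events: list[Event]) -> list[tuple]:
    """Merge flags for the same (time, file) and sort chronologically, as mactime does."""
    grouped: dict[tuple, str] = {}
    for e in events:
        key = (e.ts, e.path, e.inode, e.deleted)
        grouped[key] = grouped.get(key, "") + e.macb
    rows = []
    for (ts, path, inode, deleted), flags in sorted(grouped.items()):
        macb = "".join(f if f in flags else "." for f in "MACB")  # e.g. "M.C." or "...B"
        rows.append((ts.strftime("%Y-%m-%d %H:%M:%S"), macb, inode, path, deleted))
    return rows

if __name__ == "__main__":
    for row in timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(*row, sep="  ")
```

The "deleted" column and the B (creation) events are what let an analyst spot a recovered file and order it relative to the prefetch entry in the same run.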
● Examples
- 01: Recovering a user's deleted documents from NTFS unallocated space with Autopsy.
- 02: Parsing prefetch and ShimCache to confirm execution of a malicious binary.
● Frequently asked questions
What is Disk Forensics?
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts. It belongs to the Forensics & IR category of cybersecurity.
What does Disk Forensics mean?
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
How do you defend against Disk Forensics?
Defences for Disk Forensics typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Disk Forensics?
Common alternative names include: Computer disk forensics, Storage forensics.