Category: DFIR Basics
-
NTFS Basics
Introduction: NTFS is the current file system for Windows-based operating systems, developed by Microsoft. Released in 1993, NTFS was created to address issues with the FAT file system (Hassan, 2017). NTFS provides scalability, stability, and support for large storage devices (Carrier, 2005). This article goes over the basics of NTFS and why it’s used…
-
CHS vs. LBA addressing
Introduction: CHS and LBA addressing schemes are methods for a computer to reference sectors on a drive. We’ll go over some basics to know first before tackling the differences between the two. Basics: I might create a separate post on how a disk is read. The video below does a great job of introducing the…
-
Data Acquisition 101
Introduction: Data acquisition is usually one of the first steps in the digital forensic process. A data acquisition is the task of collecting digital evidence from electronic media. There are two ways to perform an acquisition: statically or live. I will refer to the word image in this post quite a bit; it is the…
-
Handling Digital Evidence
Introduction: A longstanding challenge of digital forensics is understanding how to handle digital evidence. Three guidelines that govern the handling of evidence are the Federal Rules of Evidence (FRE), the Daubert Standard, and case law. This post will go over these guidelines and why they are important to know. Authenticity of Digital Evidence: The authentication…
-
Public vs Private sector
Introduction: Digital forensic jobs fall into two categories: the public sector and the private sector. Public sector organizations are owned by the government or other state-run bodies. Private sector organizations are owned and controlled by individuals, groups, or business entities. The procedures and types of digital forensic investigations differ between each…
-
Digital Evidence and Devices
What is Digital Evidence? Digital evidence is information stored on, received, or transmitted by an electronic device. An electronic device can be a PC, laptop, smartphone, or any other device that accomplishes a purpose electronically. Information on these devices ranges from log files and Windows registry values to bytes on a hard drive. This post will…
-
What is Digital Forensics?
The Definition of Digital Forensics: According to Ken Zatyko, digital forensics is the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics (hash function), use of validation tools, repeatability, and reporting. Don’t worry if…
