Before we can start analyzing an operating system (OS), we need to go over some operating system concepts that are relevant to a forensic analysis.

Memory vs Disk 

There are two main types of storage on a computer: memory (RAM) and hard disks.

Memory is volatile, meaning that if it loses power the data is lost. It is used for temporary storage. Hard disks are nonvolatile, meaning that the data is not lost when the power goes away. They are used for permanent storage. For a forensic examiner this distinction matters: anything that exists only in RAM (running processes, network connections, decrypted keys) disappears when the machine is powered off, while what is on disk survives and can be imaged later.

A simple metaphor for understanding RAM is that of a desk and a garage. When doing work at your desk you can almost immediately look at something else on your desk, but if you want to look at something in the garage you have to get up, go to the garage, find it, and bring it back to your desk. Only then can you look at it.

RAM is at a relative premium compared to disk space: RAM is now measured in GB, while hard disks are measured in TB. In exchange, RAM is far faster. Accessing a spinning hard disk takes on the order of milliseconds, while accessing RAM takes on the order of nanoseconds, so a disk access is roughly tens of thousands to a hundred thousand times slower (solid-state drives narrow this gap but are still orders of magnitude slower than RAM).

To summarize, our computers use hard disks for long-term storage, and RAM as the working space. The next question to ask is: What data is stored on the hard disk that we can use? 

What would an Operating System store on a hard disk? 

An OS needs to store several different types of information on a hard disk. Each type exists to answer one of the following questions:

  • How can it boot the OS?
    • It needs the programs and data required to load and run the OS (bootloader, kernel, drivers, configuration).
  • What devices were attached?
    • It keeps records of hardware it has seen, so that drivers and settings can be reused.
  • How does it know who can log on to the machine?
    • It needs the users and their credentials (typically stored as password hashes rather than plaintext passwords).
  • Where are a user's files stored?
  • How are users prevented from accessing things belonging to other users?
    • It needs to store access control information: who is allowed to access what.
  • How can the OS run faster and be more user-friendly?
    • It can cache data for programs that are frequently run, and remember recently used files and settings.

A point worth mentioning is that modern OSs try to separate user data from program data, so that one user cannot access another user's data. Older OSs, however, were designed for use by a single user, and the programs written for them were designed the same way. Why does this make a difference? Because some programs do not store their data in a folder belonging to the user: they store it in a publicly accessible location, such as the directory where the program is installed. From a forensic point of view this means that evidence of a user's activity is not always found under that user's home directory, and from a security point of view it means that data a program considered private may in fact be readable by every user on the machine.