Before we can start analyzing an operating system (OS), we need to go over some operating system concepts that are relevant to forensic analysis.
There are two types of storage on a computer: Memory (RAM) and hard disks.
Memory is volatile, meaning that if it loses power the data is lost. It is used for temporary storage. Hard disks are nonvolatile, meaning that the data is not lost when the machine loses power. They are used for permanent storage.
A simple metaphor for understanding RAM is that of a desk and a garage. When doing work at your desk you can almost immediately look at something else on your desk, but if you want to look at something in the garage you have to get up and go to the garage, find it, and bring it back to your desk. Only then can you look at it.
RAM is at a relative premium compared to disk space. RAM is now measured in GBs, while hard disks are currently measured in TBs. However, the time to access a hard disk is around a million times longer than the time to access RAM.
To summarize, our computers use hard disks for long-term storage, and RAM as the working space. The next question to ask is: What data is stored on the hard disk that we can use?
An OS needs to store different types of information on a hard disk, to be able to answer the following questions:
A point worth mentioning is that modern OSs try to separate user data from program data, to prevent a user from accessing another user's data. However, older OSs were designed for use by only a single user, and their programs were designed the same way. So why does this make a difference? Because some programs might not store their data in a folder belonging to the user; they store it in a publicly accessible location, like the location where that program is installed.
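The separation just described is something an examiner can check directly: a file that a program has written outside any user's home directory, with permission bits that let every local account read it, is exactly the kind of "publicly accessible" program data the paragraph warns about. The script below is an added example written for this page, not code from the original text. It builds a small constructed directory layout in a temporary folder (the `oldapp` program, the `alice` user and the file names are all made-up assumptions), then walks it and reports files that sit outside the home tree and carry the other-readable bit.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List


def is_under(path: Path, parent: Path) -> bool:
    """True when path lies inside parent (both resolved to absolute paths)."""
    try:
        path.resolve().relative_to(parent.resolve())
        return True
    except ValueError:
        return False


def world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set, i.e. any local account can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def find_exposed_data(root: Path, home_root: Path) -> List[str]:
    """Walk root and return (sorted, relative) paths of files that live outside
    the home directory tree and are readable by every user on the system.
    These are candidates for program data stored in a shared location."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not is_under(p, home_root) and world_readable(p):
                exposed.append(str(p.relative_to(root)))
    return sorted(exposed)


def build_sample_tree() -> Path:
    """Constructed sample layout (an assumption for this example, not a real
    system): one user's private config under home, and an application install
    directory where the program keeps its own data files."""
    root = Path(tempfile.mkdtemp(prefix="fs-sample-"))
    home_cfg = root / "home" / "alice" / ".config" / "oldapp"
    app_data = root / "opt" / "oldapp" / "data"
    home_cfg.mkdir(parents=True)
    app_data.mkdir(parents=True)

    # Per-user data kept where the OS intends it, readable only by the owner.
    (home_cfg / "settings.ini").write_text("theme=dark\n")
    os.chmod(home_cfg / "settings.ini", 0o600)

    # Program data written into the install location; one file is left
    # readable by everyone, one is restricted to the owner.
    (app_data / "history.db").write_text("visited: example.test\n")
    os.chmod(app_data / "history.db", 0o644)
    (app_data / "private.key").write_text("constructed placeholder\n")
    os.chmod(app_data / "private.key", 0o600)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_exposed_data(sample_root, sample_root / "home"):
        print("exposed outside home:", rel)
```

On the constructed tree only `opt/oldapp/data/history.db` is reported: `settings.ini` is under the home tree, and `private.key` is outside it but not readable by other users. The same walk over a real system root, with the home tree set appropriately, gives a first inventory of which programs keep user-relevant data in shared locations.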