Chapter 4: Computer Systems
ⓘ This audio and summary are simplified educational interpretations and are not a substitute for the original text.
The discussion traces the progression from Power-On Self-Test through BIOS or UEFI firmware initialization and concludes with operating system handoff, establishing how these early stages are critical to understanding system behavior during forensic examination. The chapter contrasts legacy BIOS architecture with modern UEFI implementation, emphasizing UEFI's enhanced security features including Secure Boot mechanisms, support for GUID Partition Tables with expanded storage capacity, and improved firmware functionality.

Subsequent sections address the practical challenges of forensic evidence acquisition through examination of specialized boot media such as PALADIN and WinFE, which create isolated, write-protected environments essential for maintaining evidence integrity during investigation.

The treatment of storage hardware encompasses both traditional hard disk drive technology with its platter-based mechanisms and read/write head operations, as well as solid-state drive architecture, detailing how physical storage structure directly impacts data recovery procedures. Partitioning scheme analysis covers both Master Boot Record and GUID Partition Table approaches, explaining how these structures organize storage capacity and affect forensic recovery possibilities.

File system exploration divides attention between FAT32, covering its File Allocation Table structure, directory entry organization, and deletion recovery processes, and NTFS, which employs a Master File Table, file attributes, run lists, and resident versus non-resident data storage mechanisms.

The chapter concludes by addressing hidden storage areas including Host Protected Area and Device Configuration Overlay regions, along with slack space and unallocated cluster analysis, all critical techniques for locating concealed or deleted evidence during comprehensive forensic investigations.
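To make the partitioning and slack-space material concrete, the following Python is an added example written for this summary; it is not code from the chapter or from any tool the chapter names. It builds a constructed 512-byte Master Boot Record (sample partition values are invented for illustration), parses the four 16-byte partition entries at offset 446 using the standard MBR layout, lists the unallocated sector ranges between partitions that an examiner would carve, and computes file slack for a given file size and cluster size. The helper names (`build_sample_mbr`, `parse_mbr`, `find_gaps`, `slack_bytes`) are this example's own.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PART_TABLE_OFFSET = 446              # four 16-byte entries follow
PART_ENTRY_SIZE = 16
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
PART_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed test sector, not captured from a real disk."""
    mbr = bytearray(SECTOR_SIZE)
    # entry 0: bootable, type 0x0C (FAT32 LBA), starts at LBA 2048, 204800 sectors
    mbr[446:462] = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 2048, 204800)
    # entry 1: not bootable, type 0x07 (NTFS/exFAT), starts at LBA 206848, 409600 sectors
    mbr[462:478] = struct.pack(PART_ENTRY_FMT, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 206848, 409600)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return the populated partition entries of an MBR sector as dictionaries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_SIZE])
        if ptype == 0x00:            # empty entry
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges not covered by any partition: candidates for hidden or residual data.

    Sector 0 (the MBR itself) is excluded; the gap before the first partition
    and any trailing space after the last one are reported as inclusive ranges.
    """
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = p["lba_end"] + 1
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def slack_bytes(file_size, cluster_size):
    """File slack: bytes in the last allocated cluster past the file's logical end."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr):
        print(p)
    print("unallocated ranges:", find_gaps(parse_mbr(mbr), 1_000_000))
    print("slack for 10000-byte file in 4 KiB clusters:", slack_bytes(10000, 4096))
```

On the constructed sector the parser reports two partitions; `find_gaps` shows the 2047-sector gap before the first partition and the space after the second, which are exactly the regions a carving pass over unallocated space would cover. A GPT-partitioned disk still carries a protective MBR with a single type 0xEE entry, so a type 0xEE result from this parser is the cue to read the GPT header at LBA 1 instead.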