Home 
Contact CFI 
Secure Client Area 


 EVIDENCE RECOVERY: HOW HARD DRIVES WORK 

A hard drive, sometimes referred to as the "C:" drive, contains several hard round platters coated on both sides with a magnetic material designed to store information as binary numbers, magnetic patterns of 0’s and 1’s. The platters are mounted on a spindle that rotates at high speed, generally 5,000 to 10,000 rpm.


Electromagnetic read/write devices, known as ‘heads,’ mounted on sliders and connected to an actuator arm, are positioned over the surface of the disk. A logic board controls the motion of the heads, the process for reading and writing data, and the protocol for communicating with the rest of the computer.

Think of the inside of a hard drive which is similar to the inside of a jukebox, with the record being the platter, the jukebox tone arm being the hard drive’s actuator arm, and the needle being the read/write heads.

How Data is Stored - The surface of each platter can hold tens of billions of individual ‘bits’ of data. Groups of bits, of either a 0 or 1, could be eight, sixteen, or thirty-two bits in length. These bits form a ‘byte,’ representing an alphabetical character or numerical number. Most desktop and server hard drives are 3.5 inches in diameter and notebook PCs have 2.5-inch and 1.8 inch drives. A large capacity drive, measured in gigabytes (GB), can store hundreds of billions of individual bits of data and is commonly available for under $200.

Each platter has two surfaces capable of holding data (the top and bottom), and each surface has a read/write head. Thus on a hard drive with three platters, there are a total of six ‘surfaces’ with information being read by six heads.

The recording surface of each platter is divided into concentric tracks (circles), and the vertical area of similar tracks on multiple platters is referred to as a "cylinder." These tracks are further subdivided into sectors and clusters, which are groups of sectors. The logical organization of information on the platter is similar to slices of a pie. Data is stored in all sectors of each track, except parts of the outside track, which is generally reserved for the file allocation table (FAT) directory. The FAT contains the file names and the locations of active files on the disk. The file allocation table tells the computer’s operating system which sectors (the "geographic location") contain data. A sector typically will hold 512 bytes of data (about the length of this sentence), plus "address" information used by the drive controller circuitry. There can be over 40 million sectors on a 20 GB hard drive. "Formatting" a hard drive is the process by which the disk surface is organized into tracks and sectors.

Sectors are also grouped sequentially into clusters, and generally there are 32 sectors per cluster. More often than not, data is stored sequentially in sectors within the clusters.

Reading and Writing Digital Data - When a user clicks on a file to open it, the application being used passes the file name to the computer operating system, which consults the FAT to determine the address (platter track and sector) where the first portion of the file is located. The operating system transmits this information to the disk controller, which positions the heads on the actuator arm over the correct physical location. The initial cluster will contain the address of subsequent sectors from which the controller must retrieve data. The controller retrieves the packets of data and reassembles them in the correct order before sending the ‘file’ to the central processing unit (CPU) for display on the screen.

Disk systems, unlike tape, do not store records together physically. With tape, each time a change is made to a block of data, such as an insertion in a text file, the entire block of "data" is rewritten onto the tape with the new data incorporated. When a similar change is made to text stored on disk, the original file usually remains intact. The disk-controller checks the file allocation table for the location of an unallocated cluster (a group of sectors available to store data), and inserts the data there.

Thus the various parts of a file, such as this article, can be scattered randomly among hundreds of sectors and clusters on various tracks. [Hence the term, random access device, meaning a drive that can retrieve or store data in any order to any location on the disk. Sequential access devices, such as backup tapes, store data in sequential order, and are unable to retrieve data as quickly.]

Allocated clusters contain data that is "active" according to the file allocation table. Unallocated clusters may contain data, but in storage space that the computer is no longer using for active files (see Deleted Files below). Thus, although unallocated clusters frequently contain "residual" data, this space will be randomly used (overwritten) to store new active data.