Summary

In this chapter, we took the time to cover some of the basics about non-volatile storage media, which stores data even after there is no power supplied to the medium. Non-volatile media includes different types of hard disk drives, such as mechanical and solid-state PATA and SATA drives, flash drives, and memory cards.

Newer storage media devices, including SSDs, use a special type of flash memory called NAND flash to store data. This flash memory is far faster and more durable than traditional mechanical drives, as the devices contain no moving parts; however, they are still quite costly for now.

We also had a look at the filesystems associated with various operating systems, and saw that the smallest allocation of data is called a cluster, within which slack space can reside. Slack space is unused space within a cluster, in which data can be hidden. Data itself has different states and can be at rest, in motion, or in use. Regardless of the state of the data, there is always some information about the data itself, called metadata.
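To make the slack space point concrete, the following added example (not code from the book) models a volume as a byte array and shows how the tail of an overwritten file survives in a cluster's slack, where an examiner can recover it. The 4,096-byte cluster size, the helper names, and the sample records are assumptions constructed for illustration.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size in bytes (constructed for this example)


def slack_size(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes left unused in the last cluster allocated to a file."""
    return (-file_size) % cluster_size


def write_file(volume: bytearray, cluster: int, data: bytes) -> None:
    """Write data at the start of a cluster without wiping the remainder,
    which is why older bytes can remain in slack."""
    if len(data) > CLUSTER_SIZE:
        raise ValueError("this simplified model stores one cluster per file")
    start = cluster * CLUSTER_SIZE
    volume[start:start + len(data)] = data


def slack_bytes(volume: bytearray, cluster: int, file_size: int) -> bytes:
    """Return the slack region: end of file data to end of the cluster."""
    start = cluster * CLUSTER_SIZE
    return bytes(volume[start + file_size:start + CLUSTER_SIZE])


def printable_runs(data: bytes, min_len: int = 6) -> list:
    """Carve printable ASCII runs, as a strings-style pass over slack would."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def demo():
    volume = bytearray(4 * CLUSTER_SIZE)  # constructed, zero-filled "disk"
    old = b"ACCOUNT=alice;NOTE=constructed sample record " * 20
    new = b"short replacement file\n"
    write_file(volume, 2, old)   # original file occupies cluster 2
    write_file(volume, 2, new)   # cluster reused by a much smaller file
    slack = slack_bytes(volume, 2, len(new))
    return old, new, slack, printable_runs(slack)


if __name__ == "__main__":
    old, new, slack, runs = demo()
    print(f"file size {len(new)} B, slack {len(slack)} B")
    print("recovered from slack:", runs[0][:60], b"...")
```
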

Any data accessed by the user or OS is temporarily stored in volatile memory, or RAM. Although data can be stored for lengthy periods on non-volatile memory, data held in volatile memory (RAM) is lost when the electrical charge to that memory is lost. An area of the hard disk called the paging file can act as virtual RAM, allowing the computer to think it has more RAM than is installed.

I do encourage you to do more research and expand your knowledge on these topics, allowing you to gain more understanding of what was covered. Let's now move on to the next chapter, where we'll learn about investigative procedures and best practices for incident response, such as acquiring volatile data and procedures for working with and analyzing live machines.
