WEBVTT 0:00:09.740000 --> 0:00:14.780000 Okay, so we're going to talk about volumes and partitions. 0:00:14.780000 --> 0:00:17.100000 We're going to start off with partitions. 0:00:17.100000 --> 0:00:20.300000 What is a partition? 0:00:20.300000 --> 0:00:23.660000 And so essentially it's going to be a logical subdivision of the hard 0:00:23.660000 --> 0:00:30.180000 disk. There can be one or more partitions on a hard disk. 0:00:30.180000 --> 0:00:36.380000 Let's just remember that every disk requires at least one partition in 0:00:36.380000 --> 0:00:38.060000 order for it to function. 0:00:38.060000 --> 0:00:43.520000 Okay, so what is a volume? 0:00:43.520000 --> 0:00:44.860000 Oh, that's a weird one. 0:00:44.860000 --> 0:00:51.360000 Okay, so in a volume, it's similar to a partition. 0:00:51.360000 --> 0:00:57.800000 But the key thing on here is that a volume can span multiple disks via 0:00:57.800000 --> 0:01:00.460000 a RAID or via volume management tools. 0:01:00.460000 --> 0:01:05.580000 And that's when we get into a little bit more advanced disk management 0:01:05.580000 --> 0:01:09.980000 either in Windows, on the disk management, or even in Linux. 0:01:09.980000 --> 0:01:15.280000 When you're going to say mount a disk or multiple disks into a folder, 0:01:15.280000 --> 0:01:21.720000 or when you're going to take multiple drives and turn them into a partition 0:01:21.720000 --> 0:01:24.640000 in a sense, then you're creating a volume. 0:01:24.640000 --> 0:01:28.620000 So what I would say a definition for our purposes is that a volume can 0:01:28.620000 --> 0:01:33.740000 span multiple disks either via RAID or some other type of volume management 0:01:33.740000 --> 0:01:37.080000 tool. But you know what? 0:01:37.080000 --> 0:01:41.040000 In the end for forensics, it doesn't really matter, especially when we 0:01:41.040000 --> 0:01:44.100000 get down to the imaging of a device. 0:01:44.100000 --> 0:01:47.380000 What we're going to do is we're going to take a physical image, and it's 0:01:47.380000 --> 0:01:51.440000 going to matter how the BIOS presents that physical disk to us. 0:01:51.440000 --> 0:01:55.760000 So what matters is the understanding that a volume and a partition are 0:01:55.760000 --> 0:02:01.000000 sections of persistent storage media, and that the usable devices must 0:02:01.000000 --> 0:02:02.540000 have at least one. 0:02:02.540000 --> 0:02:06.840000 What matters is being able to explain your knowledge and experience with 0:02:06.840000 --> 0:02:08.940000 performing a collection or analysis. 0:02:08.940000 --> 0:02:13.160000 It may be key to an investigation or a testimony. 0:02:13.160000 --> 0:02:17.640000 And have you ever brought a brand new external hard drive or flash drive, 0:02:17.640000 --> 0:02:20.500000 and when you plug it into your computer, it prompts you to name it in 0:02:20.500000 --> 0:02:25.360000 format? That is the process of creating a volume or a partition as well 0:02:25.360000 --> 0:02:28.160000 as labeling it and creating a file system. 0:02:28.160000 --> 0:02:31.620000 So in a lot of this, I have a challenge for you. 0:02:31.620000 --> 0:02:34.020000 And I want you to take some time. 0:02:34.020000 --> 0:02:40.840000 Now that you know what a volume or a partition is, can you make one? 0:02:40.840000 --> 0:02:43.600000 What tools can you use to make one? 0:02:43.600000 --> 0:02:46.260000 There's a lot of built -in tools, right? 0:02:46.260000 --> 0:02:53.240000 If you open up your computer, whether it's Linux or Windows or a MacBook, 0:02:53.240000 --> 0:03:00.180000 go to the disk utilities on it and figure out how to create a partition, 0:03:00.180000 --> 0:03:03.880000 how to create multiple partitions, how to format a partition, and then 0:03:03.880000 --> 0:03:05.740000 how to create volumes. 0:03:05.740000 --> 0:03:08.540000 You look at the right management features of it. 0:03:08.540000 --> 0:03:14.940000 Look at how you can format a part of a physical disk and then attach it 0:03:14.940000 --> 0:03:17.860000 to a file folder in Linux or in Windows. 0:03:17.860000 --> 0:03:23.060000 You know, challenge yourself and go and do that now before you forget 0:03:23.060000 --> 0:03:28.420000 how to do it, because doing it in the tactile way of that is going to 0:03:28.420000 --> 0:03:31.720000 make you be able to explain it so much better in the future.