Lecture 11 File Systems
• Windows OSes use file systems such as FAT, FAT32, and NTFS. NTFS stores the metadata
of files and folders in a system file called the Master File Table (MFT).
• Examining the $MFT file yields information of forensic interest, such as MAC times,
file names, and file locations.
• Forensic investigators should also understand how files are allocated and deleted,
since that knowledge helps them recover lost data during an investigation.
File Allocation Table (FAT)
• The File Allocation Table (FAT) file system, designed in 1976, is used by many OSes
such as DOS, Windows, and OpenDOS.
• Designed for small hard disks and a simple folder structure, the FAT file system is
named after the way it organizes folders and after its file allocation table, which
records where every file is stored and resides at the beginning of the volume.
• FAT has three versions (FAT12, FAT16, and FAT32), which differ in the size of the
entries in the FAT structure.
• FAT keeps two copies of the file allocation table to protect the volume from
damage.
• The file allocation table and the root folder are stored at a fixed location.
• Devices that use FAT include flash memory, digital cameras, and other portable devices.
• Almost all OSes installed on personal computers implement the FAT file system.
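The following is an added example, not code from the slides, showing the FAT layout described above: it reads the boot sector to locate the FAT copies, root folder, and data area, decodes the 12-bit entries that distinguish FAT12 from FAT16/FAT32, and follows a file's cluster chain. The boot sector and FAT table are constructed inline (a floppy-style geometry and a made-up three-cluster file), and the second FAT copy is kept so it can be compared against the first.

```python
import struct

# Added example (not from the slides): decode a FAT12 volume's layout from its boot
# sector and walk a file's cluster chain. The boot sector and FAT are constructed here.
def parse_bpb(boot: bytes) -> dict:
    """BIOS Parameter Block fields that locate the FAT copies, root folder and data area."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 11)
    sectors_per_fat = struct.unpack_from("<H", boot, 22)[0]
    fat_start = reserved * bps                              # FAT #1 follows the reserved sectors
    root_start = fat_start + nfats * sectors_per_fat * bps  # root folder follows all FAT copies
    data_start = root_start + root_entries * 32             # each root entry is 32 bytes
    return {"bps": bps, "spc": spc, "nfats": nfats, "fat_bytes": sectors_per_fat * bps,
            "fat_start": fat_start, "root_start": root_start, "data_start": data_start}

def fat12_entry(fat: bytes, n: int) -> int:
    """FAT12 packs 12-bit entries, so entry n starts at byte n + n//2 (1.5 bytes each)."""
    val = fat[n + n // 2] | (fat[n + n // 2 + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0x0FFF)

def cluster_chain(fat: bytes, first: int) -> list:
    """Follow next-cluster links until an end-of-chain mark (>= 0xFF8); stop on loops."""
    chain, c = [], first
    while 2 <= c < 0xFF7 and c not in chain:   # 0xFF7 marks a bad cluster, 0 a free one
        chain.append(c)
        c = fat12_entry(fat, c)
    return chain

def cluster_offset(geo: dict, cluster: int) -> int:
    """Cluster numbering starts at 2, so cluster k lies (k-2) clusters past data_start."""
    return geo["data_start"] + (cluster - 2) * geo["spc"] * geo["bps"]

def pack_fat12(entries: list) -> bytes:
    """Build a FAT12 table from 12-bit values (used here only to construct the sample)."""
    buf = bytearray((len(entries) * 3 + 1) // 2)
    for n, v in enumerate(entries):
        off = n + n // 2
        if n & 1:
            buf[off] = (buf[off] & 0x0F) | ((v & 0xF) << 4)
            buf[off + 1] = (v >> 4) & 0xFF
        else:
            buf[off] = v & 0xFF
            buf[off + 1] = (buf[off + 1] & 0xF0) | ((v >> 8) & 0x0F)
    return bytes(buf)

# Constructed 1.44 MB floppy-style boot sector: 512 B/sector, 1 sector/cluster, 1 reserved
# sector, 2 FAT copies, 224 root entries, 2880 sectors, media 0xF0, 9 sectors per FAT.
BOOT = bytearray(512)
struct.pack_into("<HBHBHHBH", BOOT, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
BOOT[510:512] = b"\x55\xAA"
# Constructed FAT: entries 0-1 reserved; one file occupies clusters 2 -> 3 -> 4 (end of
# chain); cluster 5 is free and cluster 6 is marked bad. FAT2 is the redundant copy.
FAT1 = pack_fat12([0xFF0, 0xFFF, 3, 4, 0xFFF, 0x000, 0xFF7])
FAT2 = bytes(FAT1)
```

On a real volume the two FAT copies are read from `fat_start` and `fat_start + fat_bytes`; a mismatch between them is the first sign that the volume is damaged.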
New Technology File System (NTFS)
• New Technology File System (NTFS) is one of the latest file systems supported by
Windows.
• It is a high-performance, self-repairing file system that supports several advanced
features such as file-level security, compression, and auditing.
• NTFS provides data security through its ability to encrypt and decrypt data, files,
or folders.
• It names files and folders using the 16-bit Unicode character set.
• This allows users worldwide to manage their files in their native languages.
• Moreover, it provides fault tolerance for the file system.
Cont’d
• If the user modifies or changes files, NTFS records all of those changes in specific
log files.
• If the system crashes, NTFS uses these log files to restore the hard disk to a
reliable state with minimal data loss. NTFS also relies on the concepts of metadata
and the master file table.
• Metadata contains information about the data stored on the computer.
• The master file table holds the same information in tabular form, but compared to
metadata, this table has less capacity to store data.
• An access-control list (ACL) lets the server administrator control access to specific files.
• NTFS features integrated file compression.
• NTFS provides data security on both removable and fixed disks.
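The following is an added example, not code from the slides, that shows how the MAC times the lecture attributes to the $MFT (first slide and the NTFS notes above) are actually read from one MFT record: it undoes the record's fixups, walks the resident attributes, and decodes the $STANDARD_INFORMATION and $FILE_NAME timestamps. The record is constructed inline (the helpers _ft and _attr and the file name evidence.txt are made up), and comparing the two timestamp sets goes slightly beyond the slides as a routine consistency check.

```python
import struct
from datetime import datetime, timedelta, timezone
# Added example (not from the slides): read MAC times and the file name from one NTFS MFT
# record. The record parsed here is constructed inline, not copied from a real $MFT.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ft: int) -> datetime:               # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ft // 10)

def apply_fixups(rec: bytearray) -> bytearray:
    """Restore the last 2 bytes of each 512-byte sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_count):
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_record(raw: bytes) -> dict:
    rec = apply_fixups(bytearray(raw))
    if rec[:4] != b"FILE": raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", rec, 0x14)[0], {}        # offset of the first attribute
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if not nonres:                                           # resident: content is in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:    # $STANDARD_INFORMATION: created, modified, MFT-changed, accessed
                out["si"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 0)]
            elif atype == 0x30:  # $FILE_NAME: parent ref, the same four timestamps, sizes, name
                out["fn"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 8)]
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def timestomp_suspect(rec: dict) -> bool:        # SI creation earlier than FN creation is a red flag
    return rec["si"][0] < rec["fn"][0]

_ft = lambda y, m, d: int((datetime(y, m, d, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
def _attr(atype: int, body: bytes) -> bytes:     # resident attribute header + body, 8-byte aligned
    alen = (24 + len(body) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body.ljust(alen - 24, b"\0")

def build_sample_record() -> bytes:              # constructed 1024-byte record for "evidence.txt"
    name = "evidence.txt".encode("utf-16-le")
    si = struct.pack("<4Q", _ft(2015, 1, 1), _ft(2021, 6, 1), _ft(2021, 6, 1), _ft(2022, 3, 1)) + bytes(16)
    fn = bytes(8) + struct.pack("<4Q", *[_ft(2020, 1, 1)] * 4) + bytes(24) + bytes([len(name) // 2, 1]) + name
    rec = bytearray(1024); rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)     # update sequence array at 0x30: seq + 2 sector words
    struct.pack_into("<H", rec, 0x14, 0x38)      # first attribute starts at 0x38
    struct.pack_into("<HHH", rec, 0x30, 1, 0, 0)  # seq 1; the sector-end bytes were originally 0
    rec[510:512] = rec[1022:1024] = b"\x01\x00"  # on disk each sector's last word holds the seq
    body = _attr(0x10, si) + _attr(0x30, fn) + b"\xff\xff\xff\xff"
    rec[0x38:0x38 + len(body)] = body
    return bytes(rec)
```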
NTFS Architecture
NTFS System Files
Linux File Systems
Filesystem Hierarchy Standard (FHS)
• Linux uses a single hierarchical tree structure that represents the whole file
system as one entity.
• It supports many different file systems and implements a basic set of common
concepts that were originally developed for UNIX.
• Some Linux file-system types are Minix, Filesystem Hierarchy Standard (FHS), ext,
ext2, ext3, xia, MS-DOS, UMSDOS, VFAT, /proc, NFS, ISO 9660, HPFS, SysV, SMB, and
NCPFS.
• Minix was Linux’s first file system.
Linux File System Architecture
Apple File System (APFS)
macOS File Systems
• Apple’s macOS is a UNIX-based OS and takes a different approach to storing data
compared with Windows and Linux.
• Consequently, the forensic techniques generally used for Windows and Linux cannot
be applied to macOS.
• Forensic investigators should have an in-depth understanding of UNIX-based systems
in order to perform a forensic examination of macOS file systems.
Cont’d
• APFS (Apple File System) is a file system developed by Apple and introduced in 2017
for macOS High Sierra and later versions, as well as iOS 10.3 and later versions.
• It replaced all the file systems previously used by Apple and is suitable for all
Apple OSes, including iOS, watchOS, tvOS, and macOS.
• The Apple File System (APFS) comprises two layers:
▪ The container layer: organizes information for the file-system layer and stores
higher-level information such as volume metadata, encryption state, and snapshots
of the volume.
▪ The file-system layer: consists of the data structures that store information
such as file metadata, file content, and directory structures.
Autopsy
https://www.autopsy.com/download/
Cont’d
• Some of the modules provide the following functions:
▪ Timeline analysis: Advanced graphical event viewing interface
(video tutorial included)
▪ Hash filtering: Flags known bad files and ignores known good files
▪ Keyword search: Indexed keyword search to find files that mention
relevant terms
▪ Web artifacts: Extracts history, bookmarks, and cookies from Firefox, Chrome, and
Internet Explorer
▪ Data carving: Recovers deleted files from unallocated space using
PhotoRec
WinHex
Features:
▪ Disk editor for hard disks, floppy disks, CD-ROMs, DVDs, ZIP files,
SmartMedia cards, etc.
▪ Native support for FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3®,
CDFS, and UDF
▪ Built-in interpretation of RAID systems and dynamic disks
▪ Various data recovery techniques
▪ RAM editor, providing access to physical RAM and virtual memory
of other processes
▪ Data interpreter
Cont’d
▪ Editing data structures using templates
▪ Concatenating and splitting files; unifying and dividing odd and
even bytes/words
▪ Analyzing and comparing files
▪ Flexible search and replace
▪ Disk cloning
▪ Drive images and backups
▪ Application programming interface (API) and scripting
▪ 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, etc.)
▪ Securely erasing (wiping) confidential files and cleansing hard drives
▪ Importing from all clipboard formats, including ASCII hex values
• http://www.winhex.com/winhex/hex-editor.html