File file and directory content There normally two

File system is the place to store and recovery data; depend to the operating system it may FAT (File Allocation Table) or NTFS (New Technology file system).  Compare with FAT and NTFS file system there are many feature difference in file structure, Storage Mechanisms and file name, file date and time, security feature

 

File structure

Depend to the array bit of the entries in the actual FAT structure on the disk. FAT file system has many different versions like FAT 12, FAT 16, FAT 32. The major physical layout components of FAT file system are:

 Reserved area (volume boot sector)- include the data in the file system category

 File allocation table – contain the primary and backup FAT structure

 Data area- contain the cluster which allocated store file and directory content

 

 There normally two FATs (FAT1 and FAT2) in a FAT file system but the exact number of FAT and total size of FAT need determine in the boot sector. If digital forensic investor need identify the file name, size, start address of the file content and other metadata, they need check the directory entry in the file allocate table

   NTFS is common file system for the windows PC; NTFS have better metadata support and data structure than FAT file system, unlike FAT file system NTFS do not have special layout all the important data is allocated as files. The first 16 sectors are boot record, disk signatures and table of primary partitions. The center of the NTFS file system is the MFT (Master File Table) it keeps the record all the file and folder in the NTFS volume. File name start with $ are MFT stored metadata file. . The following table showing the major system files of NTFS system and their functions.

 

File name

File function

$ MFT

Master file table, each MFT record is 1024 bytes long

#MFTMirr

Backup of MFT

$LogFile

The file used for system recovery and integrity

$Volume

Identify information about NFT version and volume name

$AtterDef

Attribute information

$BitMap

Track the allocation of eight cluster

$Boot

Contain the partition boot sector and boot code

$BadClus

Bad cluster information of the partition

$Secure

Secure information of the file

 

 

 

 

 

Storage Mechanisms and file name

 

The NTFS and FAT file system both keep the data in the cluster, but the NTFS use smaller cluster size which means the NTFS can store more data. As we discuss before NTFS use Master file Table but FAT use directory entries and file allocation table, when the forensics investor exam the NFTS disk they can find file information from 0 sectors .there are 3 attribute important for the forensic investigation $STAND_INFORMATION, $FILE_NAME and $DATA attribute. All the file name and directory information are in these three attribute. FAT file system the data won’t be record after reserved area and FAT areas, also same extract sector after data area when the forensic investor exam FAT file system they need check the hide data in these sectors.  In FAT file system the entire file will save under long file name

 

File date and time

 

When the forensic investor exam a file system they need careful about the file date and time stamps. NTFS store the file’s date and time in UTC (Coordinated Universal Time) but FAT stores the file on computer local time.

 

Security

 

FAT file system cannot encryption form internal, the only way to secure is external program. Compare with FAT file system NTFS have been improved their security system; NFTS have access control and file encryption. The file only can access after the user login.

 

 

 

BACK TO TOP