FAT File System

GIAC Certified Forensic Examiner Objectives:

Fundamental Digital Forensics

  • The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.

Overview

This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.

Digital devices store information in Random Access Memory (RAM) or on storage systems such as a hard disk or a solid-state drive (SSD). We will investigate the different file systems used by Windows. Normally, the operating system provides this service “behind the scenes,” but as a digital forensics specialist it is critical that you understand how these file systems work. File systems common to Microsoft operating systems include FAT (File Allocation Table) and NTFS (New Technology File System). There are several versions of FAT, including FAT12, FAT16, FAT32, exFAT, and FATX. NTFS offers security features, whereas the FAT file system is known for its compatibility with many operating systems. This lab investigates the common file systems utilized by Windows.

OUTCOMES:

In this lab, you will learn to:

  1. Examine the FAT and NTFS File Systems
  2. Use a HEX Editor to Explore a FAT Partition
  3. Verify and view image details
  4. Analyze a FAT Partition with Autopsy

Key terms and descriptions

Autopsy
The open-source digital investigation tool (digital forensic tool), Autopsy, runs on Windows, Linux, OS X, and other UNIX systems. Autopsy can be used to analyze disk images and perform in-depth analysis of file systems such as NTFS and FAT.
FAT
The acronym FAT stands for File Allocation Table. The FAT holds information about where on a volume each file's clusters are stored. When a file is deleted from the disk, the entry or entries for that file are removed from the table and the space is marked as available. However, the file, or parts of the file, will remain on the disk until overwritten by data from new files.
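To make the FAT entry above concrete (and to rehearse the hex-editor outcome listed earlier), here is an added example that is not part of the original lab: it constructs a tiny 16-sector FAT12 volume in memory, then parses it the way you would by hand in a hex editor, reading the BIOS Parameter Block (BPB) to locate the FAT and root directory, decoding the packed 12-bit FAT entries, and following each file's cluster chain. One file has been "deleted": its directory entry starts with 0xE5 and its FAT entry has been zeroed, yet its bytes still sit in the data area. All volume contents, file names and sizes are constructed sample values, and the contiguous-cluster recovery used for the deleted file is a simplifying assumption, not something the lab specifies.

```python
import struct

# Constructed sample values (not taken from any real disk).
BYTES_PER_SECTOR = 512
EOC_MIN = 0xFF8          # FAT12 values >= 0xFF8 mark end-of-chain
DELETED_MARK = 0xE5      # first byte of a deleted directory entry

def fat12_get(fat: bytes, n: int) -> int:
    """Return 12-bit FAT entry n; entries are packed three nibbles each."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    return (word >> 4) if n & 1 else (word & 0x0FFF)

def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write 12-bit FAT entry n without disturbing its packed neighbour."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    if n & 1:
        word = (word & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", fat, off, word)

def dir_entry(name11: bytes, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a 32-byte 8.3 directory entry (name already space-padded to 11 bytes)."""
    e = bytearray(32)
    e[0:11] = (bytes([DELETED_MARK]) + name11[1:]) if deleted else name11
    e[11] = 0x20                                   # ATTR_ARCHIVE
    struct.pack_into("<H", e, 26, first_cluster)   # first cluster (low word)
    struct.pack_into("<I", e, 28, size)            # file size in bytes
    return bytes(e)

def build_image() -> bytes:
    """Constructed 16-sector FAT12 volume: boot sector, 2 FATs, root dir, 12 data sectors."""
    boot = bytearray(BYTES_PER_SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                    # jump instruction
    boot[3:11] = b"EXAMPLE "                       # OEM name
    # BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors, FAT copies,
    #                   root entries, total sectors, media descriptor, sectors per FAT
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 2, 16, 16, 0xF8, 1)
    boot[510:512] = b"\x55\xAA"                    # boot signature
    fat = bytearray(BYTES_PER_SECTOR)
    fat12_set(fat, 0, 0xFF8)                       # media descriptor entry
    fat12_set(fat, 1, 0xFFF)
    fat12_set(fat, 2, 3)                           # HELLO.TXT: cluster 2 -> 3 -> end
    fat12_set(fat, 3, 0xFFF)
    # SECRET.TXT lived in cluster 4; deleting it zeroed that FAT entry (marked free)
    root = bytearray(BYTES_PER_SECTOR)
    root[0:32] = dir_entry(b"HELLO   TXT", 2, 600)
    root[32:64] = dir_entry(b"SECRET  TXT", 4, 11, deleted=True)
    data = bytearray(12 * BYTES_PER_SECTOR)
    data[0:600] = b"A" * 512 + b"B" * 88           # spans clusters 2 and 3
    data[1024:1035] = b"top secret!"               # still present in freed cluster 4
    return bytes(boot + fat + fat + root + data)

def parse_image(img: bytes) -> dict:
    """Walk the BPB, root directory and FAT the way a hex-editor session would."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bps, spc, reserved, nfats, root_entries, total, media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    cluster_size = bps * spc
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + ((root_entries * 32 + bps - 1) // bps) * bps
    fat = img[fat_off:fat_off + spf * bps]
    n_clusters = (total * bps - data_off) // cluster_size

    def cluster(c: int) -> bytes:
        start = data_off + (c - 2) * cluster_size  # data area begins at cluster 2
        return img[start:start + cluster_size]

    files = []
    for i in range(root_entries):
        e = img[root_off + 32 * i: root_off + 32 * (i + 1)]
        if e[0] == 0x00:
            break                                  # 0x00: no entries follow
        deleted = e[0] == DELETED_MARK
        base = (b"?" + e[1:8] if deleted else e[0:8]).rstrip(b" ").decode("ascii")
        ext = e[8:11].rstrip(b" ").decode("ascii")
        first = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        n_needed = (size + cluster_size - 1) // cluster_size
        if deleted:
            # FAT chain was zeroed on delete; assume the clusters were contiguous
            chain = [first + k for k in range(n_needed)]
        else:
            chain, c = [], first
            while 2 <= c < EOC_MIN and len(chain) < n_clusters:  # bounded against loops
                chain.append(c)
                c = fat12_get(fat, c)
        files.append({
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": first,
            "fat_entry_free": fat12_get(fat, first) == 0,
            "size": size,
            "chain": chain,
            "content": b"".join(cluster(c) for c in chain)[:size],
        })
    return {"bytes_per_sector": bps, "sectors_per_fat": spf, "data_offset": data_off, "files": files}

if __name__ == "__main__":
    for f in parse_image(build_image())["files"]:
        print(f["name"], "deleted" if f["deleted"] else "live", f["chain"], f["content"][:16])
```

Running the script lists HELLO.TXT as live with chain [2, 3], and the deleted file as `?ECRET.TXT` with its FAT entry free but its content still readable from cluster 4, which is exactly why Autopsy and a hex editor can recover "deleted" FAT files until the cluster is reused.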
FAT12
The FAT12 file system is typically used on floppy disks. A FAT12 partition is limited to 32 megabytes. The use of this file system is uncommon today. However, FAT12 partitions can still be read by modern operating systems such as Windows 8.
FAT16
A FAT16 partition can be up to 2 gigabytes. The FAT16 file system was used primarily with MS-DOS, Windows 3.11, Windows 95a, and Windows NT. None of those operating systems can read the FAT32 file system without third-party drivers. Although FAT16 partitions can be read by modern operating systems such as Windows 8 (as well as Linux and Mac OS X), its use is in decline because of the 2-gigabyte limitation.
FAT32
A FAT32 partition can be up to 2 terabytes. (There are workarounds to make larger FAT32 partitions.) It is also important to know that a FAT32 volume cannot hold a file that is larger than 4 gigabytes. This limitation makes FAT32 less practical than NTFS.
NTFS
The New Technology File System (NTFS) was originally introduced with Windows NT. NTFS is a journaling file system, which means it keeps a log of changes being written to the disk. If a computer is shut down improperly, it has a better chance of recovery if it uses a journaling file system. File and folder access can be restricted with the security features of NTFS. Starting with Windows 2000, Microsoft included the Encrypting File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect them against unauthorized access.
Wipe
A wipe erases all of the 0s and 1s written to the hard disk. If a wipe is done correctly, all data is erased and recovery of artifacts is nearly impossible.