Introduction to File Systems
GIAC Digital Forensic Examiner Objective:
Fundamental Digital Forensics
- The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.
Overview
According to CyberSecurity Magazine, “digital forensics is the process of investigating crimes committed using any type of computing device.” Digital forensics is also responsible for investigating cyber attacks. One area that a digital forensics specialist must understand is how data is stored on any type of computing device. Digital forensic investigators acquire, preserve, examine, and present digital evidence that can be used in a court of law. This lab investigates the common file systems that are used by Windows, Mac, and Linux operating systems.
Outcomes
In this lab, you will learn to:
- Examine different Windows and Linux file systems
- Partition and format file systems in Windows
- Format and wipe a Linux file system
Key terms and descriptions
FAT
The File Allocation Table is a table that holds information about where files are stored on a volume. When a file is deleted from the disk, the entry or entries for that file are removed from the table and the space is marked as available. However, the file, or parts of the file, will remain on the disk until overwritten by new files that are written to the disk.
NTFS
New Technology File System was originally introduced with Windows NT. NTFS is a journaling file system, which means it keeps a log of changes being written to the disk. If a computer is shut down improperly, it has a better chance of recovery if it uses a journaling file system. Access to files and folders can be restricted with the security features of NTFS. Starting with Windows 2000, Microsoft included the Encrypted File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect against unauthorized access.
EXT2/3/4
The Extended File Systems 2, 3, and 4 are used by Linux operating systems. Both EXT3 and EXT4 are journaling file systems; EXT2 does not have journaling.
Format
A format will not erase the data from the volume. Rather, it deletes the references to the files in the FAT or Master File Table ($MFT) and marks those areas of the disk as available. Forensic recovery of files may therefore be possible on a formatted disk.
Wipe
A wipe overwrites all of the 0's and 1's written to the hard disk. If a wipe is done correctly, all data will be erased and recovery of artifacts will be nearly impossible.
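As an added illustration of the FAT, Format and Wipe entries above (constructed for this page, not part of the lab): a toy FAT-style volume in Python in which deleting a file or formatting only changes the table, so signature carving over the raw clusters still finds the data, while a wipe overwrites the bytes themselves. The names ToyVolume, carve and demo, the 8-byte clusters and the sample file are all assumptions of this model, not real FAT on-disk structures.

```python
CLUSTER_SIZE, NUM_CLUSTERS = 8, 8   # constructed toy FAT-style volume: 8 clusters of 8 bytes
FREE, END = 0x0, 0xFFF              # FAT entry values: free cluster / end of chain

class ToyVolume:
    def __init__(self):
        self.fat = [FREE] * NUM_CLUSTERS                    # the allocation table
        self.data = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)  # raw cluster area
        self.directory = {}                                 # file name -> first cluster

    def write_file(self, name, content):
        """Allocate a cluster chain in the FAT and copy the bytes into the data area."""
        chunks = [content[i:i + CLUSTER_SIZE] for i in range(0, len(content), CLUSTER_SIZE)]
        free = [i for i, e in enumerate(self.fat) if e == FREE][:len(chunks)]
        if not chunks or len(free) < len(chunks):
            raise OSError("empty file or volume full")
        for idx, (cluster, chunk) in enumerate(zip(free, chunks)):
            self.data[cluster * CLUSTER_SIZE:cluster * CLUSTER_SIZE + len(chunk)] = chunk
            self.fat[cluster] = free[idx + 1] if idx + 1 < len(free) else END
        self.directory[name] = free[0]

    def delete_file(self, name):
        """Delete: unlink the chain in the FAT; the data bytes are left in place."""
        cluster = self.directory.pop(name)
        while cluster != END:
            nxt = self.fat[cluster]
            self.fat[cluster] = FREE
            cluster = nxt

    def quick_format(self):
        self.fat, self.directory = [FREE] * NUM_CLUSTERS, {}  # table rebuilt, data untouched

    def wipe(self):
        self.data = bytearray(len(self.data))  # overwrite every data byte with zeros ...
        self.quick_format()                    # ... then rebuild the table

def carve(volume, header):
    """Signature carving: scan raw clusters for a header, ignoring the FAT entirely."""
    return [i for i in range(NUM_CLUSTERS)
            if volume.data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE].startswith(header)]

def demo():
    """Constructed walk-through: write one file, then delete, format, wipe; carve after each."""
    vol, sig = ToyVolume(), b"\xff\xd8\xff"       # JPEG SOI marker as the carving signature
    vol.write_file("photo.jpg", sig + b"x" * 13)  # 16 bytes -> clusters 0 and 1
    out = {"after_write": carve(vol, sig)}
    for label, step in (("after_delete", lambda: vol.delete_file("photo.jpg")),
                        ("after_format", vol.quick_format), ("after_wipe", vol.wipe)):
        step()
        out[label] = carve(vol, sig)   # found after delete and format, gone after wipe
    return out
```

Writing a new file after the delete reuses cluster 0 and overwrites the header, which is the "until overwritten" condition in the FAT entry above.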