A file system is the way an operating system names files and lays them out on a storage device so that they can be stored and retrieved. It can be thought of as a database or index that records the physical location of every piece of data on the device, whether that is a hard disk, CD, DVD or flash drive. Data is organized into folders, called directories, which in turn contain further directories and files.

To store and retrieve files, file systems keep metadata about each file: the date it was created, the date it was last modified, its size, its owner and so on. They can also restrict which users may access a particular file, normally through permissions or access control lists, and some file systems additionally support encryption of individual files or of the whole volume.

Files are stored on the medium in sectors. The file system hands out unused sectors in groups, known as clusters (or blocks), and records each file's size and position together with which clusters are still free. Without such a structure it would not be possible to delete or retrieve files, or to keep two files with the same name, since everything would sit in one flat namespace. It is because of directories that two different image files can share a name: each lives in a different folder. Within a single directory, names must be unique.

Almost every application depends on a file system, so every partition that is to hold data needs one. Operating systems differ in which file systems they support natively, which is why a volume formatted for one OS may not be readable on another without extra drivers. (Whether a program built for Mac OS runs on Windows is a separate question of the operating system, not the file system.)

FAT File System
FAT, the File Allocation Table, is a file system used by operating systems to locate files on a disk. The table itself records, for every cluster, which cluster comes next in the file. Because of fragmentation a file may be split into pieces scattered around the disk, and the FAT keeps track of every part of the file. FAT has existed since the advent of personal computers.
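To make concrete how the FAT records the parts of a file, here is an added example, written for this page and not code from the original article. It builds a tiny constructed FAT16 volume in memory, parses its root directory entries, walks a cluster chain and reads the file back. It also goes slightly beyond the text: it shows what a deleted entry looks like (the first byte of the name overwritten with 0xE5, the FAT chain entries cleared to 0), and why the usual "assume the clusters were contiguous" undelete heuristic returns wrong data when the deleted file was fragmented, which is the point the Extraction section below makes. The cluster size, file names and contents are all made up for the example; real volumes use 512-byte to 64 KiB clusters.

```python
import struct

# All values below are constructed for this example. Real FAT volumes use
# 512-byte to 64 KiB clusters; 8 bytes keeps the layout readable here.
CLUSTER_SIZE = 8
FAT16_EOC_MIN = 0xFFF8    # 0xFFF8..0xFFFF: last cluster of a chain
FAT16_BAD = 0xFFF7        # cluster marked bad
DELETED_MARK = 0xE5       # first byte of a deleted directory entry's name


def build_fat(entries):
    """Serialize 16-bit FAT entries (index = cluster number) as little-endian bytes."""
    return b"".join(struct.pack("<H", e) for e in entries)


def load_fat(raw):
    """Parse a raw FAT16 table into a list of ints indexed by cluster number."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def dir_entry(name, ext, start_cluster, size, deleted=False):
    """Build one 32-byte FAT directory entry (8.3 name, attribute 0x20 = archive)."""
    raw_name = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]   # this is all a delete does to the name
    entry = bytearray(32)
    entry[0:11] = raw_name
    entry[11] = 0x20
    struct.pack_into("<H", entry, 26, start_cluster)   # low 16 bits of the first cluster
    struct.pack_into("<I", entry, 28, size)            # file size in bytes
    return bytes(entry)


def parse_directory(raw):
    """Return the entries of a directory; deleted entries are kept and flagged."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                        # 0x00 marks the end of the directory
            break
        deleted = e[0] == DELETED_MARK
        first = "?" if deleted else chr(e[0])   # the first character is lost on delete
        name = (first + e[1:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        start, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": f"{name}.{ext}" if ext else name,
                        "deleted": deleted, "start": start, "size": size})
    return entries


def follow_chain(fat, start):
    """Walk the FAT from the start cluster to end-of-chain; stop on free, bad or looping entries."""
    chain, seen, cluster = [], set(), start
    while 2 <= cluster < len(fat) and cluster not in seen:
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat[cluster]
        if nxt >= FAT16_EOC_MIN:
            break                               # proper end of chain
        if nxt == 0 or nxt == FAT16_BAD:
            break                               # chain broken (typical for a deleted file)
        cluster = nxt
    return chain


def read_clusters(data, clusters):
    """Concatenate the data-region bytes of the given clusters (the data region starts at cluster 2)."""
    return b"".join(data[(c - 2) * CLUSTER_SIZE:(c - 1) * CLUSTER_SIZE] for c in clusters)


def read_file(fat, data, entry):
    """Read a live file by following its cluster chain and trimming to the recorded size."""
    return read_clusters(data, follow_chain(fat, entry["start"]))[:entry["size"]]


def file_slack(fat, data, entry):
    """Bytes after the end of the file in its last cluster: older data can survive here."""
    return read_clusters(data, follow_chain(fat, entry["start"]))[entry["size"]:]


def recover_deleted(data, entry):
    """Undelete heuristic: the FAT chain is gone, so assume the clusters were contiguous."""
    n_clusters = -(-entry["size"] // CLUSTER_SIZE)        # ceiling division
    clusters = range(entry["start"], entry["start"] + n_clusters)
    return read_clusters(data, clusters)[:entry["size"]]


# Constructed volume: NOTES.TXT (live, 20 bytes, fragmented over clusters 2 -> 5 -> 3) and
# SECRET.TXT (deleted, 12 bytes, formerly clusters 4 -> 6; its FAT entries are now 0 = free).
FAT_RAW = build_fat([0xFFF8, 0xFFFF, 5, 0xFFFF, 0, 3, 0, 0])
ROOT_DIR = (dir_entry("NOTES", "TXT", 2, 20)
            + dir_entry("SECRET", "TXT", 4, 12, deleted=True)
            + bytes(32))
DATA_REGION = (b"The quic"    # cluster 2
               + b"fox!SLCK"  # cluster 3: end of NOTES.TXT plus 4 bytes of slack
               + b"key=dead"  # cluster 4: first half of the deleted SECRET.TXT
               + b"k brown "  # cluster 5
               + b"beef...."  # cluster 6: rest of SECRET.TXT
               + bytes(8))    # cluster 7: never used


if __name__ == "__main__":
    fat = load_fat(FAT_RAW)
    for entry in parse_directory(ROOT_DIR):
        if entry["deleted"]:
            print(entry["name"], "deleted; contiguous guess:", recover_deleted(DATA_REGION, entry))
        else:
            print(entry["name"], follow_chain(fat, entry["start"]), read_file(fat, DATA_REGION, entry),
                  "slack:", file_slack(fat, DATA_REGION, entry))
```

Running it shows NOTES.TXT reassembled correctly from its out-of-order chain, four bytes of slack after it, and the deleted SECRET.TXT coming back as "key=deadk br": the first cluster is right, but with the chain cleared the heuristic reads cluster 5 (which belongs to NOTES.TXT) instead of cluster 6. This is why deleted fragmented files need carving or content-based reassembly rather than metadata alone.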
FAT32 File System
FAT32 is a later version of the FAT file system that uses 32-bit cluster numbers (28 of them significant), which lets it address volumes from 512 MB up to 2 TB. Two practical limits matter for forensic work: the Windows format tool refuses to create FAT32 volumes larger than 32 GB, and no single file can exceed 4 GB minus one byte, so large disk images cannot be written to a FAT32 destination in one piece.
The figure below shows the partition layout of FAT and FAT32 volumes.

NTFS File System
NTFS stands for New Technology File System, the default file system of Windows NT and its successors. Its central structure is the Master File Table (MFT), which holds a record for every file and directory on the volume, and it journals metadata changes so the volume can be brought back to a consistent state after a crash.
EXT File Systems
The Extended file system (EXT), Second Extended file system (EXT2) and Third Extended file system (EXT3) were designed and implemented for Linux. EXT is an old file system used on early Linux systems. EXT2 has been one of the most widely used Linux file systems. EXT3 has the same on-disk features as EXT2 but adds journaling.
What is a file format?
A file format is the layout and organization of data within a file. For a program to use a file, it must be able to recognize the format and locate the data inside it. For instance, a text document can be opened by a program designed to handle text, such as Microsoft Word or Notepad, but not by a program designed to play audio or video. The format is usually indicated by the file extension: three or four letters appended to the file name and separated from it by a period. The extension is only a label, however. The format is defined by the bytes inside the file, and most binary formats begin with a fixed signature (a "magic number"), which is what forensic tools and file carvers rely on, since anyone can rename a file without changing its contents.

Some common types of files
There are many file formats, each with its own programs for processing it. Some of the common file formats are:
Steps in the file system forensics process
Carrying out a forensic analysis of a file system is a tedious task that requires expertise at every step. The following steps help analyze a file system for data that may provide evidence in an investigation.

Acquisition
The system should be secured so that all data and equipment stay safe; in other words, all media needed for forensic analysis should be seized and protected from unauthorized access. Identify all files on the computer system, including encrypted, password-protected, hidden and deleted (but not yet overwritten) files. These must be acquired from every storage medium, hard drives and portable media alike. Once the media are in hand, investigators make a forensic copy (an image) so that the originals stay intact with no risk of alteration; the source should be attached through a write blocker while it is imaged. This can be done in four ways:
Validation and discrimination
Before analyzing an image, validate it to ensure the integrity of the data. Hashing algorithms (MD5, SHA-1 and SHA-256 are the ones used in practice) let investigators determine whether a forensic image is an exact copy of the original volume or disk: the hash of the source and the hash of the image must match, and the hash should be recomputed whenever the image changes hands. This validates the integrity of the evidence and supports its admissibility in court.

Extraction
Next comes data extraction: retrieving unstructured or deleted data that must then be processed for the investigation. Many computer users think that a file, once deleted, disappears from the hard disk forever. This is not true. Deleting a file only removes (or marks as unused) its entry in the disk's contents table; in FAT systems that is the directory entry and the File Allocation Table, in NTFS the Master File Table. Data is stored on the disk in clusters, each consisting of a fixed number of bytes. The parts of a file are often scattered across the disk, and deletion discards the map that linked them, which makes reconstruction difficult but not impossible. As disk capacities grow, it takes longer for all fragments of a deleted file to be overwritten. (SSDs are the exception: with TRIM enabled, the drive may discard the contents of deleted blocks almost immediately.)

In many cases the suspect has hidden data that may be useful to the investigation. Even basic technical knowledge gives many options for hiding data: disk editors, encryption, steganography and so on. Recovering and reconstructing this data can be time consuming, but it generally produces useful evidence.

Extracting data from unallocated space is called file carving. It is a technique that finds deleted or hidden files on the media without relying on file system metadata. A hidden file may lie in slack space, unallocated clusters or lost clusters of the disk. File carving needs a file type with a recognizable header (signature): the carver searches for the header, then continues until it locates the matching footer, and the data between the two points is extracted and validated (for example by checking the file's internal structure) to discard false positives. A file whose clusters were fragmented will not carve cleanly with this simple header-to-footer approach.
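As an added example that is not part of the original article, here is a small signature-based carver that ties together two points made above: that the extension is only a label (the format is identified from the leading bytes), and that carving works from header to footer and then validates the result. It scans a constructed buffer standing in for unallocated space, pulls out a PNG, a JPEG and a PDF whose tail was overwritten, and validates the carved PNG by checking the CRC of every chunk, the kind of structural check that separates a real file from a stray header match. The signature table, the size caps and all sample bytes are assumptions made for this example.

```python
import struct
import zlib

# Signature table used by this example: (type, header, footer, maximum size to carve).
# Real carvers (foremost, scalpel, PhotoRec) ship far larger tables.
SIGNATURES = [
    ("png",  b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 10 * 1024 * 1024),
    ("jpeg", b"\xff\xd8\xff",      b"\xff\xd9",             10 * 1024 * 1024),
    ("pdf",  b"%PDF-",             b"%%EOF",                50 * 1024 * 1024),
]
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def identify(data):
    """Classify a file by its leading bytes (magic number), ignoring whatever name it carries."""
    for kind, header, _, _ in SIGNATURES:
        if data.startswith(header):
            return kind
    return None


def extension_matches(filename, data):
    """True when the file's extension agrees with its content; a mismatch deserves a closer look."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    return kind is not None and {"jpg": "jpeg"}.get(ext, ext) == kind


def carve(image):
    """Header-to-footer carving over a raw byte buffer; no file system metadata is used."""
    found = []
    for kind, header, footer, max_size in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            if end == -1:
                # No footer within the size cap: carve up to the cap and flag the result as incomplete.
                found.append({"type": kind, "offset": pos, "data": image[pos:limit], "complete": False})
                resume = pos + len(header)
            else:
                end += len(footer)
                found.append({"type": kind, "offset": pos, "data": image[pos:end], "complete": True})
                resume = end
            pos = image.find(header, resume)
    return sorted(found, key=lambda f: f["offset"])


def png_chunks_valid(data):
    """Walk the PNG chunk list and verify every CRC-32; corrupt or partly overwritten carves fail here."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, = struct.unpack_from(">I", data, pos)
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False


def png_chunk(ctype, body):
    """One PNG chunk: big-endian length, type, body, CRC-32 over type and body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png():
    """A minimal valid 1x1 RGB PNG, built so the example has a real file to carve."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte 0 followed by one red pixel
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


# Constructed "unallocated space": filler, a PNG, a JPEG-shaped blob and a PDF whose tail was overwritten.
FILLER = bytes(37) + b"old log line\n" * 3
SAMPLE_PNG = make_png()
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
TRUNCATED_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
UNALLOCATED = FILLER + SAMPLE_PNG + FILLER + SAMPLE_JPEG + FILLER + TRUNCATED_PDF


if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        note = "" if f["type"] != "png" else f", chunk CRCs ok={png_chunks_valid(f['data'])}"
        print(f"{f['type']:4} at offset {f['offset']:4} size {len(f['data']):4} complete={f['complete']}{note}")
```

The incomplete PDF is deliberately kept rather than dropped: a carver that silently discards everything without a footer loses exactly the partially overwritten files an investigator most wants to see, so the result is flagged instead and left for manual review.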
Reconstruction
Extracted data can be reconstructed with a variety of software tools based on reconstruction algorithms such as bottom-up tree reconstruction and inference of partition geometry. The reconstructed data is thoroughly analyzed for further evidence and presented in a report. To keep a record of every step of the investigation, document each procedural step; evidence presented without proper documentation may not be admissible in court. This documentation should cover not only the recovered files and data but also the physical layout of the system and any encrypted or reconstructed data. Forensic analysis of time-based metadata (creation, modification and access timestamps) helps investigators correlate distinct pieces of information quickly and find the notable dates and times of activity related to improper computer usage, spoliation and misappropriation.

To know more about computer and mobile system forensics, you might be interested in the following resources: