Windows System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L4: Windows System Artifacts

1 Understanding File Systems
• File system
  • How are files organized on the disk?
  • Gives OS a road map to data on a disk
• Type of file system an OS uses determines how data is stored on the disk
• A file system is usually directly related to an OS
• When you need to access a suspect's computer to acquire or inspect data
  • You should be familiar with the computer's platform
2 Exploring Microsoft File Structures
• In Microsoft file structures, sectors are grouped to form clusters
• Smallest storage allocation unit: storage is assigned in multiples of clusters (not sectors)
• Cluster sizes can vary from 512 bytes to 128KB (usually as powers of 2)
• Combining sectors into clusters minimizes the overhead of writing or reading files to a disk

3 Microsoft File Structures (contd.)
• Clusters are numbered sequentially starting at 2
  • Counting starts after a few initial sectors that hold the boot record and a file structure database
• OS assigns identifying numbers to these clusters, called logical addresses
• Sector numbers are called physical addresses
4 Common File System Codes
Used in the MBR/VBR partition table entry

Hexadecimal code   File System
01                 DOS 12-bit FAT
04                 DOS 16-bit FAT (partition size < 32MB)
06                 DOS 16-bit FAT (partition size > 32MB)
07                 NTFS
0B                 DOS 32-bit FAT
83                 Linux native
EB                 BeOS

5 Identifying a File System in a Hex Editor
[Hex editor screenshot: NTFS file system]
6 Examining FAT Disks
• File Allocation Table (FAT)
  • File structure database that Microsoft originally designed for floppy disks
• Location of FAT on disk can be identified from the boot record of a FAT partition (start + no. of reserved sectors)
• Root directory information in a FAT database begins after the FAT (multiple copies of it)
  • Contains filenames, directory names, date and time stamps, the starting cluster number, and file attributes
  • One entry (called a directory entry) tells about one file/directory
• FAT versions
  • FAT12, FAT16 and FAT32

7 Examining FAT Disks (contd.)
• Cluster sizes vary according to the hard disk size and file system

Drive size     No. of sectors per cluster   FAT16 cluster size
8-32 MB        1                            512 bytes
32-64 MB       2                            1 KB
64-128 MB      4                            2 KB
128-256 MB     8                            4 KB
256-512 MB     16                           8 KB
512-1024 MB    32                           16 KB
1-2 GB         64                           32 KB
2-4 GB         128                          64 KB

• Cluster 2 begins in the sector following the root directory entries
8 Examining FAT Disks (contd.)
• Microsoft OSs allocate disk space for files by clusters
  • Results in drive slack
  • Unused space in a cluster between the end of an active file and the end of the cluster
• Drive slack includes:
  • RAM slack and file slack
[Figure: a cluster (8 sectors here) holding FILE data up to EOF, with the RAM slack and file slack that follow it marked sector by sector]

9 Examining FAT Disks (contd.)
• An unintentional side effect of FAT16 having large clusters was that it reduced fragmentation
  • As cluster size increased
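An added example, not from the lecture slides, that computes the RAM slack and file slack of a file's last cluster exactly as the slide defines them, and carves the slack bytes out of a raw cluster buffer, which is where residue of an earlier file may survive. The 512-byte sector, the 8-sector cluster from the figure and the constructed buffer are assumptions.

```python
SECTOR = 512  # assumed sector size, as in the slide's figure

def slack_layout(file_size, sectors_per_cluster, sector=SECTOR):
    """Split the last cluster of a file into data, RAM slack and file slack:
      RAM slack  = rest of the sector in which the file's data ends
      file slack = the unused whole sectors after that, up to cluster end
    All sizes in bytes; a file ending exactly on a sector boundary has no
    RAM slack, and one filling the cluster has no slack at all."""
    cluster = sectors_per_cluster * sector
    clusters = max(1, -(-file_size // cluster))          # ceil division
    used_in_last = file_size - (clusters - 1) * cluster  # bytes in last cluster
    ram_slack = (-used_in_last) % sector
    file_slack = cluster - used_in_last - ram_slack
    return {"clusters": clusters, "ram_slack": ram_slack,
            "file_slack": file_slack, "drive_slack": ram_slack + file_slack}

def carve_slack(last_cluster, file_size, sectors_per_cluster, sector=SECTOR):
    """Return the slack bytes of a raw last-cluster buffer (constructed in
    the caller). An examiner inspects these for leftovers of deleted files,
    since the OS only guarantees the bytes up to the file's EOF."""
    cluster = sectors_per_cluster * sector
    if len(last_cluster) != cluster:
        raise ValueError("buffer must be exactly one cluster")
    used_in_last = file_size % cluster or cluster        # full cluster -> no slack
    return last_cluster[used_in_last:]

if __name__ == "__main__":
    print(slack_layout(3000, 8))   # 72 bytes RAM slack, 2 sectors file slack
```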
10 Examining FAT Disks (contd.)
• When you run out of room for an allocated cluster
  • OS allocates another cluster for your file
• As files grow and require more disk space, assigned clusters are chained together
  • The chain can be broken or fragmented

11 File Fragmentation
• When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
  • Data for the file is written to the first sector of the first assigned cluster
• When this first assigned cluster is filled and runs out of room
  • FAT assigns the next available cluster to the file
• If the next available cluster isn't contiguous to the current cluster
  • File becomes fragmented
• File Allocation Table helps link up these fragments
12 File Allocation Table
• The OS stores the first cluster number of every file in a directory entry (contains metadata about file)
• Subsequent clusters are looked up in the File Allocation Table

E.g. Start Cluster: 11 (each row holds eight entries; the row label is the cluster number of its first entry; -1 marks the end of a chain)

Cluster   +0  +1  +2  +3  +4  +5  +6  +7
 0         1   2   3   4   5   6  -1   8
 8         9  10  18  12  13  14  25  16
16        17  -1  19  20  21  22  -1  24
24        28  26  27  -1  29  30  31  41
32        33  34  35  36  37  38  39  40
40        -1  42  43  44  45  -1  47  48
48        49  -1  -1  -1  -1  -1  -1  -1

No back pointer

13 Deleting FAT Files
• In Microsoft OSs, when a file is deleted
  • Directory entry is marked as a deleted file
    • With the 0xE5 (σ) character replacing the first letter of the filename
  • FAT chain for that file is set to 0 (unused clusters)
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides becomes unallocated disk space
  • Available to receive new data from newly created files or other files needing more space
  • Data from the old file resides on that space until it is overwritten by the contents of another file
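An added example, not part of the lecture, that encodes the toy FAT from the slide, walks the chain from start cluster 11 (which crosses a fragment boundary when cluster 14 links to 25), then emulates the deletion steps above and shows why a recovery tool left with only the directory entry must guess a contiguous run. The dict-shaped directory entry and the cluster sizes are assumptions, not the real 32-byte on-disk layout.

```python
END_OF_CHAIN = -1   # the slide's marker for the last cluster of a file
FREE = 0            # a zeroed FAT entry means the cluster is unused

# Toy FAT from the slide as a flat list indexed by cluster number (rows of 8)
FAT = [
     1,  2,  3,  4,  5,  6, -1,  8,
     9, 10, 18, 12, 13, 14, 25, 16,
    17, -1, 19, 20, 21, 22, -1, 24,
    28, 26, 27, -1, 29, 30, 31, 41,
    33, 34, 35, 36, 37, 38, 39, 40,
    -1, 42, 43, 44, 45, -1, 47, 48,
    49, -1, -1, -1, -1, -1, -1, -1,
]

def walk_chain(fat, start):
    """Follow forward links from `start` to the end-of-chain marker.
    There are no back pointers, so a visited set guards against loops."""
    chain, seen, cur = [], set(), start
    while cur != END_OF_CHAIN:
        if cur in seen or cur == FREE or cur >= len(fat):
            raise ValueError(f"corrupt chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain

def fragments(chain):
    """Split a chain into runs of contiguous clusters (one run = unfragmented)."""
    runs = [[chain[0]]]
    for prev, nxt in zip(chain, chain[1:]):
        if nxt == prev + 1:
            runs[-1].append(nxt)
        else:
            runs.append([nxt])
    return runs

def delete_file(fat, entry):
    """Emulate deletion: 0xE5 replaces the first name byte and every FAT
    entry of the chain is zeroed. `entry` is a constructed dict (assumption)."""
    chain = walk_chain(fat, entry["start"])
    entry["name"] = b"\xe5" + entry["name"][1:]
    for c in chain:
        fat[c] = FREE        # clusters are now unallocated; data is untouched
    return chain

def recovery_guess(entry, cluster_bytes):
    """With the chain gone, a recovery tool can only assume the file was
    contiguous: start cluster plus ceil(size / cluster size) clusters."""
    n = -(-entry["size"] // cluster_bytes)
    return list(range(entry["start"], entry["start"] + n))
```

For the 3000-byte entry below with 512-byte clusters, the guess returns clusters 11 to 16, so the real fragment at 25 to 27 is missed and 15 and 16 are read in its place.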
14 References
• Ch 6: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
• FAT16 Structure: http://www.maverick-os.dk/FileSystemFormats/FAT16_FileSystem.html
• FAT32 Structure: http://www.maverick-os.dk/FileSystemFormats/FAT32_FileSystem.html