File Forensics

How to investigate files

Project Name: How to investigate files
Description: Investigating files requires an understanding of file systems and of their features and attributes. Modern file system forensic analysis also has to cover the security features of current operating systems.

Author: Rohit D Sadgune

Summary of Content

1. FAT
2. FAT32
3. NTFS
4. File System Feature & Limitation

File system forensic analysis, or file forensics, examines how data is laid out and tracked on a computer's hard drive. A file system records the physical location of every piece of data on the disk while letting users retrieve files promptly whenever they need them; those records are what an investigator reads.

The file system acts as a digital index that lets a computer find a specific file quickly, regardless of the size or configuration of the storage drive or where the bytes belonging to the file reside on the drive's platters.

Every operating system, from MS-DOS through Windows 95 and Windows XP to Linux, has its own file system. All file systems perform the same basic functions, but they vary in design and sophistication.

FAT – The file system story on Windows starts with MS-DOS and the early versions of Windows, which arranged files under the FAT file system. A FAT volume is a logical grid of fixed-size clusters; the file allocation table (FAT) maps each file's data to the clusters that hold it and links those clusters into a chain. The DOS-era version is also called FAT16 because each table entry is 16 bits wide, which bounds the number of clusters the table can track.

FAT16 cluster sizes vary with the size of the disk. A 16-bit entry can address at most 2^16 = 65,536 clusters, so on a 64MB disk clusters were just 1KB, but they ballooned as disks grew to hold gigabytes (32KB on a 2GB volume). Since a cluster can belong to only one file, the unused tail of each file's last cluster (slack space) is wasted, and on a 2GB drive this could waste as much as 50% of the available space.

FAT32 – FAT32 arrived with Windows 95 OEM Service Release 2 (OSR2) and widened the table entries to 32 bits (28 of which are used for cluster numbers). With far more addressable clusters the table itself is larger, but clusters on large disks can be much smaller, which reduces the space lost to slack.

The Windows 95 generation also brought long file names (the VFAT extension), which FAT32 inherited: names of up to 255 characters, where the original FAT directory entry allowed only an eight-character name plus a three-character extension (8.3). Users could finally give files names that described their contents.

FAT32 raised the maximum addressable volume size from 2GB to 2TB and improved reliability: the boot record was expanded to include a backup of its critical structures, and the operating system can fall back to the second copy of the file allocation table if the primary copy is damaged. The larger structures add overhead, so FAT32 is inefficient on disks smaller than about 260MB.
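As an added worked example (not code from the original page or its author), the following Python parses a FAT32 boot sector, maps cluster numbers to byte offsets, walks a cluster chain through the FAT, and checks the two reliability features just described: that the backup boot sector matches the primary and that the two FAT copies agree. The disk image, its geometry (512-byte sectors, 8 sectors per cluster, 32 reserved sectors, two one-sector FATs, eight data clusters) and the sample file are constructed in memory; they are not taken from a real volume. Field offsets follow Microsoft's published FAT32 BPB layout.

```python
"""Parse a FAT32 boot sector (BPB), map clusters to byte offsets, walk a FAT
cluster chain, and verify the backup boot sector and second FAT copy.
Everything here is a constructed in-memory image, not a real disk."""
import struct

BPS, SPC, RESERVED, NFATS, FATSZ = 512, 8, 32, 2, 1     # constructed geometry
DATA_CLUSTERS = 8
TOTAL = RESERVED + NFATS * FATSZ + DATA_CLUSTERS * SPC   # 98 sectors in total
CLUSTER_BYTES = SPC * BPS
EOC, BAD = 0x0FFFFFF8, 0x0FFFFFF7                        # FAT32 entries: 28 significant bits
SAMPLE_FILE = bytes(range(256)) * 32 + b"end of file"    # 8203 bytes: spans three clusters

def build_boot_sector():
    """Minimal FAT32 boot sector with the fields a parser needs."""
    bs = bytearray(BPS)
    bs[0:3], bs[3:11] = b"\xEB\x58\x90", b"MSWIN4.1"
    # common BPB at 0x0B: bytes/sector, sectors/cluster, reserved, FATs, root entries (0 on
    # FAT32), total sectors 16 (0), media, FAT size 16 (0), sectors/track, heads, hidden, total 32
    struct.pack_into("<HBHBHHBHHHII", bs, 11, BPS, SPC, RESERVED, NFATS, 0, 0, 0xF8, 0, 63, 255, 0, TOTAL)
    # FAT32 part at 0x24: FAT size, ext flags, version, root cluster, FSInfo sector, backup boot sector
    struct.pack_into("<IHHIHH", bs, 36, FATSZ, 0, 0, 2, 1, 6)
    bs[66], bs[82:90], bs[510:512] = 0x29, b"FAT32   ", b"\x55\xAA"
    return bytes(bs)

def build_image(tamper_fat1=False):
    """Image with a root directory at cluster 2 and one file chained 3 -> 4 -> 7."""
    img = bytearray(TOTAL * BPS)
    bs = build_boot_sector()
    img[0:BPS] = bs
    img[6 * BPS:7 * BPS] = bs                            # backup boot sector at sector 6
    fat = bytearray(FATSZ * BPS)
    for n, v in {0: 0x0FFFFFF8, 1: 0x0FFFFFFF, 2: 0x0FFFFFFF, 3: 4, 4: 7, 7: 0x0FFFFFFF}.items():
        struct.pack_into("<I", fat, n * 4, v)
    img[RESERVED * BPS:(RESERVED + FATSZ) * BPS] = fat
    if tamper_fat1:                                      # truncate the chain in the second copy only
        struct.pack_into("<I", fat, 4 * 4, 0x0FFFFFFF)
    img[(RESERVED + FATSZ) * BPS:(RESERVED + 2 * FATSZ) * BPS] = fat
    data_start = RESERVED + NFATS * FATSZ
    chunks = [SAMPLE_FILE[i:i + CLUSTER_BYTES] for i in range(0, len(SAMPLE_FILE), CLUSTER_BYTES)]
    for n, chunk in zip((3, 4, 7), chunks):
        off = (data_start + (n - 2) * SPC) * BPS
        img[off:off + len(chunk)] = chunk
    return bytes(img)

def parse_bpb(sector):
    """Decode the BPB and derive where the FATs and the data region live."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, nfats, root_ents, tot16, _media, fatsz16,
     _spt, _heads, _hidden, tot32) = struct.unpack_from("<HBHBHHBHHHII", sector, 11)
    fatsz32, _ext, _ver, root_clus, fsinfo, bk_boot = struct.unpack_from("<IHHIHH", sector, 36)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible BPB geometry")
    fatsz, total = fatsz16 or fatsz32, tot16 or tot32
    root_dir_sectors = (root_ents * 32 + bps - 1) // bps  # fixed root directory; 0 on FAT32
    data_start = reserved + nfats * fatsz + root_dir_sectors
    return {"bps": bps, "spc": spc, "reserved": reserved, "nfats": nfats, "fatsz": fatsz,
            "data_start": data_start, "cluster_count": (total - data_start) // spc,
            "root_cluster": root_clus, "fsinfo": fsinfo, "backup_boot": bk_boot}

def cluster_offset(bpb, n):
    """Byte offset of data cluster n; numbering starts at 2."""
    if not 2 <= n < bpb["cluster_count"] + 2:
        raise ValueError(f"cluster {n} out of range")
    return (bpb["data_start"] + (n - 2) * bpb["spc"]) * bpb["bps"]

def fat_entry(img, bpb, n, copy=0):
    off = (bpb["reserved"] + copy * bpb["fatsz"]) * bpb["bps"] + n * 4
    return struct.unpack_from("<I", img, off)[0] & 0x0FFFFFFF

def walk_chain(img, bpb, start, copy=0):
    """Follow the chain from start; loops, free clusters and bad clusters are errors."""
    chain, n = [], start
    while True:
        if n in chain or not 2 <= n < bpb["cluster_count"] + 2:
            raise ValueError(f"corrupt chain at cluster {n:#x}")
        chain.append(n)
        nxt = fat_entry(img, bpb, n, copy)
        if nxt == BAD:
            raise ValueError(f"cluster {n} is marked bad")
        if nxt >= EOC:
            return chain
        n = nxt

def read_file(img, bpb, start, size, copy=0):
    cl = bpb["spc"] * bpb["bps"]
    data = b"".join(img[cluster_offset(bpb, n):cluster_offset(bpb, n) + cl]
                    for n in walk_chain(img, bpb, start, copy))
    return data[:size]

def integrity_checks(img, bpb):
    """The two FAT32 redundancy features: backup boot sector and mirrored FAT."""
    bps, fat_len, bk = bpb["bps"], bpb["fatsz"] * bpb["bps"], bpb["backup_boot"]
    fat0 = img[bpb["reserved"] * bps:][:fat_len]
    fat1 = img[(bpb["reserved"] + bpb["fatsz"]) * bps:][:fat_len]
    return {"backup_boot_matches": img[bk * bps:(bk + 1) * bps] == img[:bps],
            "fat_copies_match": bpb["nfats"] < 2 or fat0 == fat1}
```

When the two FAT copies disagree, walk the chain through each copy separately: the longer chain often recovers a file that the active copy has truncated, which is exactly the fallback FAT32 was designed to allow. The file size used to trim the last cluster comes from the directory entry; everything after it in that cluster is slack.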

NTFS – Windows NT introduced the New Technology File System (NTFS). It addresses clusters with 64-bit numbers and lets the cluster size be chosen at format time independently of the drive size, which removed the cluster-size limitation that plagued FAT.

NTFS added a range of strong features, including security attributes (access control lists) on files and directories, file encryption, and support for volumes of up to 16TB (2^32 clusters of 4KB).

NTFS replaces the file allocation table with the Master File Table (MFT), which records far more about each file than FAT does. The MFT holds a record for every file and directory on the volume together with its metadata, such as timestamps and security settings.

NTFS also introduced a high level of fault tolerance. It is a journaling file system: it logs each disk operation before committing the transaction, so if the operating system crashes during an update it can replay or roll back the log and bring the file system metadata back to a consistent state. When a read or write fails, NTFS maps the bad cluster out of use and writes the data to a new location. Instead of a second copy of a file allocation table, NTFS keeps a mirror of the first records of the MFT so that the volume can still be opened if the start of the MFT is damaged.

NTFS's many features and attributes need a fixed amount of metadata space, which is why it is unsuitable for disks smaller than 400MB and cannot be used on floppy disks.
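As an added worked example (not code from the original page or its author), the following Python builds one constructed MFT FILE record and then parses it the way a forensic tool must: check the "FILE" signature, undo the update sequence fixups that NTFS writes into the last two bytes of every sector, and walk the resident attributes to pull out the $STANDARD_INFORMATION timestamps, the $FILE_NAME entry and the $DATA content. The record, its name, timestamps and payload are constructed here; the field offsets follow the documented NTFS 3.1 on-disk layout. The attribute ids and the parent reference (record 5, the root directory) are assumptions made for the sample.

```python
"""Build and parse a constructed NTFS MFT FILE record, including the update
sequence fixups a forensic parser has to undo before reading the attributes.
Sample data is constructed; nothing here comes from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD = 512, 1024
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):      # 100 ns ticks since 1601-01-01 UTC, computed with integer arithmetic
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def resident_attr(atype, content, attr_id):
    """16-byte common attribute header + 8-byte resident header, padded to 8 bytes."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, attr_id, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (length - 24 - len(content))

def build_record(recno, name, data, created, in_use=True):
    """One 1 KB record: $STANDARD_INFORMATION, $FILE_NAME, resident $DATA, terminator."""
    t = to_filetime(created)
    std = struct.pack("<QQQQIIII", t, t, t, t, 0x20, 0, 0, 0)        # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), t, t, t, t,       # parent: root dir, record 5
                     len(data), len(data), 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = resident_attr(0x10, std, 0) + resident_attr(0x30, fn, 1) + resident_attr(0x80, data, 2)
    body += b"\xff\xff\xff\xff" + b"\0" * 4                            # 0xFFFFFFFF ends the list
    rec = bytearray(RECORD)
    # header: sig, USA offset, USA count, LSN, seq, links, first attr, flags, used, alloc,
    #         base record, next attr id, pad, record number
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                     0x0001 if in_use else 0, 0x38 + len(body), RECORD, 0, 3, 0, recno)
    rec[0x38:0x38 + len(body)] = body
    # Fixups: the last two bytes of each sector are replaced by the update sequence
    # number (USN); the original bytes are saved in the update sequence array (USA).
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in range(RECORD // SECTOR):
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

def apply_fixups(raw):
    """Restore the real sector-end bytes; a mismatch means a torn write or tampering."""
    usa_off, usa_cnt = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1} of record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """Header fields plus the resident attributes; non-resident data is only flagged."""
    if raw[:4] != b"FILE":                  # "BAAD" marks a record chkdsk found damaged
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    seq, links, attr_off, flags, used = struct.unpack_from("<HHHHI", rec, 16)
    recno = struct.unpack_from("<I", rec, 44)[0]
    info = {"record": recno, "sequence": seq, "links": links,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attributes": []}
    off = attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:
            break
        if alen == 0 or alen % 8 or off + alen > used:
            raise ValueError(f"bad attribute length at offset {off}")
        nonres, _nlen, _noff, aflags = struct.unpack_from("<BBHH", rec, off + 8)
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "resident": not nonres,
                "compressed": bool(aflags & 0x0001), "encrypted": bool(aflags & 0x4000)}
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            if atype == 0x10:
                c, m, _mft_m, a = struct.unpack_from("<QQQQ", content)
                attr.update(created=from_filetime(c), modified=from_filetime(m), accessed=from_filetime(a))
            elif atype == 0x30:                   # $FILE_NAME keeps its own set of timestamps
                parent, c = struct.unpack_from("<QQ", content)
                nlen = content[64]
                attr.update(parent_record=parent & 0xFFFFFFFFFFFF, fn_created=from_filetime(c),
                            name=content[66:66 + 2 * nlen].decode("utf-16-le"))
            elif atype == 0x80:
                attr["data"] = content
        info["attributes"].append(attr)
        off += alen
    return info
```

The sample payload is long enough that it straddles the first sector boundary, so reading the record without undoing the fixups would hand an investigator two wrong bytes in the middle of the file. A record whose signature is "FILE" but whose sector-end bytes do not match the USN should be treated as damaged or tampered with rather than parsed.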

FILE SYSTEM FEATURES & LIMITATIONS

Feature                      FAT32                                     NTFS
Maximum partition size       2 TB                                      16 TB (with 4 KB clusters)
Maximum file name length     255 characters (long names; 8.3 alias)    255 characters
Maximum file size            4 GB                                      16 TB
File/folder encryption       No                                        Yes (EFS)
Fault tolerance              No                                        Journaling and automatic repair
Access control               Share (network) level only                Local ACLs and share level
Compression                  No                                        Yes
Conversion                   FAT32 to NTFS possible (convert.exe)      NTFS to FAT32 requires a reformat

FILE SYSTEM SUPPORT BY OPERATING SYSTEM

Operating system                   File systems supported
MS-DOS, Windows 95                 FAT16
Windows 95 OSR2, 98, Me            FAT16, FAT32
Windows NT                         NTFS, FAT16
Windows 2000, XP                   NTFS, FAT16, FAT32
Windows Vista, 7, 8, 10            NTFS, FAT16, FAT32 (exFAT from Vista SP1)
Linux                              Ext2, Ext3, Ext4, Next3

Core Working Areas: Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security

Technical Certifications: Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber Crime Investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Red Hat Certified Engineer | Cisco Certified Network Associate | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions