File Systems Analysis

Understanding NTFS, FAT, ext4 & More

Section 3 of 12

NTFS (New Technology File System)

Overview

Default file system for Windows. Supports large files, journaling, encryption, compression, and advanced permissions.

Key Features

  • Maximum file size: 16 EB in theory; Windows caps files and volumes far lower in practice (256 TB with 64 KB clusters, up to 8 PB with larger clusters on Windows 10 1709 / Server 2019 and later)
  • Journaling for crash recovery
  • Built-in encryption (EFS)
  • Compression support
  • Access Control Lists (ACLs)

Forensic Artifacts

$MFT (Master File Table)

Table of fixed-size records (normally 1024 bytes), one per file and directory, holding names, timestamps, permissions and the location of the data (very small files live inside the record itself). Records of deleted files stay in place until the entry is reused, so the $MFT is the first stop for recovery and timeline building.

$LogFile

Metadata transaction log (redo/undo records) that keeps the volume consistent after a crash. It is small and wraps continuously, so it only covers recent activity.

$UsnJrnl (USN Journal)

Change journal ($Extend\$UsnJrnl, with the records in its $J stream) that records, per file, what happened (create, delete, rename, data overwrite, attribute change) and when, together with the file name and MFT reference. It stores reasons and names, not file content, and is usually the best source for answering "what changed on this volume last week".

Alternate Data Streams (ADS)

Additional named $DATA streams attached to a file (file.txt:payload.exe). Explorer and a plain dir do not show them, which makes them a classic place to park malware or staged data; dir /r or PowerShell Get-Item -Stream * lists them. The Zone.Identifier stream (Mark of the Web) that browsers add to downloads is a common legitimate one.
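To make the $MFT description concrete, here is an added example (not code from the original page) that parses a single NTFS FILE record: it undoes the update-sequence fixups NTFS stamps into the last two bytes of every sector, reads the header flags that tell a live entry from a deleted one, and pulls the timestamps and name out of the resident $STANDARD_INFORMATION and $FILE_NAME attributes. The record it parses is constructed in memory (a hypothetical deleted file named evil.exe in MFT entry 42); the offsets and flag values are the documented NTFS on-disk layout.

```python
"""Parse one NTFS $MFT FILE record (fixups, header flags, SI and FN attributes).
The record is constructed below; nothing here comes from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
RECORD_SIZE = 1024
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(record):
    """NTFS overwrites the last 2 bytes of each sector with the update sequence
    number (USN) and keeps the originals in the update sequence array (USA).
    A stamp that does not match the USN means a torn or corrupted record."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if fixed[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        orig = usa_offset + 2 * i
        fixed[end:end + 2] = record[orig:orig + 2]
    return bytes(fixed)


def parse_mft_record(record):
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(record)
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", record, 0x10)
    info = {
        "record_number": struct.unpack_from("<I", record, 0x2C)[0],
        "sequence": seq,
        "in_use": bool(flags & 0x01),      # clear: deleted, record reusable
        "is_directory": bool(flags & 0x02),
    }
    off = attr_off
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:           # resident: content sits in the record
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                info["si_times"] = dict(zip(TIME_KEYS, map(
                    filetime_to_datetime, struct.unpack_from("<4Q", body, 0))))
            elif atype == ATTR_FILE_NAME:
                info["parent_record"] = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
                info["fn_times"] = dict(zip(TIME_KEYS, map(
                    filetime_to_datetime, struct.unpack_from("<4Q", body, 8))))
                name_len = body[0x40]
                info["name"] = body[0x42:0x42 + 2 * name_len].decode("utf-16-le")
        off += alen
    return info


# --- constructed sample record (hypothetical, not from any real volume) ------

def _filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _resident_attr(atype, body, attr_id):
    total = (0x18 + len(body) + 7) & ~7          # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, attr_id,
                      len(body), 0x18, 0, 0)
    return hdr + body + bytes(total - 0x18 - len(body))


def build_sample_record(name="evil.exe", deleted=True,
                        created=datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
                        modified=datetime(2024, 1, 16, 8, 30, tzinfo=timezone.utc)):
    c, m = _filetime(created), _filetime(modified)
    si = _resident_attr(ATTR_STANDARD_INFORMATION,
                        struct.pack("<4QI", c, m, m, m, 0x20).ljust(48, b"\0"), 0)
    fn_body = struct.pack("<7QIIBB", (5 << 48) | 5, c, m, m, m, 4096, 2048,
                          0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = si + _resident_attr(ATTR_FILE_NAME, fn_body, 1) + struct.pack("<I", ATTR_END)
    usa_offset, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_offset, usa_count,
                             0x1234, 7, 1, first_attr, 0 if deleted else 1,
                             first_attr + len(attrs), RECORD_SIZE, 0, 2, 0, 42)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn, usa = b"\x07\x00", b"\x07\x00"
    for i in range(1, usa_count):                 # stamp sectors as NTFS does
        end = i * SECTOR - 2
        usa += bytes(rec[end:end + 2])
        rec[end:end + 2] = usn
    rec[usa_offset:usa_offset + len(usa)] = usa
    return bytes(rec)


if __name__ == "__main__":
    print(parse_mft_record(build_sample_record()))
```

Two details matter in practice: skipping the fixup step silently corrupts the two bytes at the end of each sector (which can land inside a timestamp or a data run), and the $FILE_NAME timestamps are worth comparing against the $STANDARD_INFORMATION ones, since timestomping tools usually only rewrite the latter.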

FAT File Systems (FAT12/16/32, exFAT)

FAT32

File Allocation Table - older, simpler file system still widely used on USB drives and memory cards.

Characteristics

  • Max file size: 4 GB minus 1 byte
  • Max volume size: 2 TB with 512-byte sectors (the Windows format tool refuses to create FAT32 volumes larger than 32 GB but mounts larger ones)
  • No built-in encryption or permissions
  • Simple structure: boot sector, one or two copies of the FAT, then directory entries and data clusters

Forensic Value

  • Easy to analyze
  • Good for recovery
  • Deleted entries stay visible: only the first byte of the 8.3 name is replaced with 0xE5, while size, timestamps and starting cluster remain (the FAT chain itself is cleared, so recovery assumes the file was contiguous)
  • Common on removable media
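The following added example (not from the original page) shows what "deleted entries visible" means on FAT. It walks a directory region, decodes the 32-byte entries, flags the ones that start with 0xE5, and recovers a deleted file's content on the assumption that its clusters were contiguous, which is all a carver of the directory can do once the FAT chain has been zeroed. The image, its geometry (512-byte clusters, root directory at byte 0x800, cluster 2 at byte 0x1000) and the two files are constructed inline and hypothetical.

```python
"""Walk a FAT directory and recover a deleted (0xE5) entry's contiguous data.
Image geometry and contents are constructed for the example."""
import struct
from datetime import datetime

ENTRY_SIZE = 32
DELETED_MARK = 0xE5
ATTR_VOLUME_LABEL = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F              # long-file-name entry, not a file itself

# Assumed geometry for the constructed image.
CLUSTER_SIZE = 512
ROOT_DIR_OFFSET = 0x800
DATA_OFFSET = 0x1000         # byte offset of cluster 2, the first data cluster


def dos_datetime(date, time):
    """FAT stores local time with no zone; the examiner supplies the zone."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_directory(image, offset=ROOT_DIR_OFFSET):
    entries = []
    while True:
        raw = image[offset:offset + ENTRY_SIZE]
        if len(raw) < ENTRY_SIZE or raw[0] == 0x00:    # 0x00: nothing follows
            break
        offset += ENTRY_SIZE
        attr = raw[0x0B]
        if attr == ATTR_LFN or attr & ATTR_VOLUME_LABEL:
            continue
        deleted = raw[0] == DELETED_MARK
        base = raw[1:8] if deleted else raw[0:8]       # first char is lost
        name = ("?" if deleted else "") + base.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 0x14)
        entries.append({
            "name": name + ("." + ext if ext else ""),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            # Some Windows versions zero the high word on delete (FAT32), so a
            # deleted file that lived past cluster 65535 may point elsewhere.
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "mtime": dos_datetime(wdate, wtime),
        })
    return entries


def recover_contiguous(image, entry):
    """Best effort: the FAT chain of a deleted file is already cleared to 0,
    so assume the file occupied consecutive clusters from its start cluster."""
    if entry["first_cluster"] < 2:
        raise ValueError("entry has no starting cluster")
    start = DATA_OFFSET + (entry["first_cluster"] - 2) * CLUSTER_SIZE
    return image[start:start + entry["size"]]


def _entry(name, ext, attr, cluster, size, date, time):
    return struct.pack("<8s3sBBBHHHHHHHI", name, ext, attr, 0, 0, time, date,
                       date, cluster >> 16, time, date, cluster & 0xFFFF, size)


def build_sample_image():
    """Constructed image: one live file and one deleted file (was SECRET.TXT)."""
    img = bytearray(DATA_OFFSET + 4 * CLUSTER_SIZE)
    date, time = (44 << 9) | (1 << 5) | 15, (12 << 11) | (30 << 5)  # 2024-01-15 12:30
    live, gone = b"hello world\n", b"top secret payload.\n"
    d = ROOT_DIR_OFFSET
    img[d:d + 32] = _entry(b"README  ", b"TXT", 0x20, 2, len(live), date, time)
    img[d + 32:d + 64] = _entry(b"\xe5ECRET  ", b"TXT", 0x20, 3, len(gone), date, time)
    img[DATA_OFFSET:DATA_OFFSET + len(live)] = live
    img[DATA_OFFSET + CLUSTER_SIZE:DATA_OFFSET + CLUSTER_SIZE + len(gone)] = gone
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for e in parse_directory(img):
        print(e, recover_contiguous(img, e))
```

The recovered name still has its first character missing; on a real volume the preceding long-file-name (0x0F) entries, if they survived, usually supply the full original name.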

exFAT (Extended FAT)

Modern version of FAT designed for flash drives and large files. Overcomes FAT32 limitations.

Improvements

  • No 4 GB file size limit
  • Max volume: 128 PB
  • Better for flash media
  • Cross-platform support

Common Uses

  • SD cards (SDXC)
  • USB flash drives
  • External hard drives
  • Camera storage

Linux File Systems (ext2/3/4)

ext4 - Fourth Extended File System

Current default file system for most Linux distributions. Evolved from ext2 and ext3 with improved performance and features.

ext2

  • No journaling
  • Simple and fast
  • Historically used for /boot
  • Fewer writes, so sometimes chosen for USB flash drives

ext3

  • Added journaling
  • Backward compatible with ext2
  • Crash recovery
  • Legacy systems

ext4

  • Larger file and volume sizes (16 TB files, 1 EB volumes with 4 KB blocks)
  • Extents instead of indirect block maps
  • Delayed allocation
  • Current standard

ext4 Forensic Considerations

Key Structures

  • Superblock: volume-wide metadata (block size, block and inode counts, UUID, label, mount and write times), at byte offset 1024 with backup copies in some block groups
  • Inodes: per-file metadata (owner, mode, size, timestamps) and the block pointers or extent tree
  • Block Groups: organizational units, each with its own block and inode bitmaps and inode table
  • Journal: transaction log, normally kept in inode 8

Challenges

  • On deletion ext3/ext4 zero the inode's block pointers or extent tree (the data blocks themselves are not wiped), so metadata-based undelete usually fails and carving is needed
  • Harder recovery than NTFS, whose MFT records keep their data runs after deletion
  • Timestamps are Unix epoch seconds (UTC); ext4's 256-byte inodes add nanoseconds and a creation time (crtime) that ext2/ext3 lack
  • Journal analysis is complex: the journal holds copies of whole metadata blocks rather than per-file records, but those copies can include an inode as it looked before deletion
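As an added example (not from the original page), the parser below reads the ext2/3/4 superblock fields an examiner checks first: block size, block count (including the high word on 64-bit volumes), label, the last mount point, the epoch-second timestamps converted to UTC, whether the volume was cleanly unmounted, and the feature flags that tell ext2, ext3 and ext4 apart. The 2 KiB image it parses is constructed inline with made-up values; the field offsets are the documented superblock layout.

```python
"""Parse an ext2/3/4 superblock (1024 bytes at byte offset 1024).
The image is constructed inline; values are invented for the example."""
import struct
from datetime import datetime, timezone

SUPERBLOCK_OFFSET = 1024
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004      # ext3/ext4 have a journal, ext2 does not
INCOMPAT_EXTENTS = 0x0040        # ext4 extent-mapped files
INCOMPAT_64BIT = 0x0080          # block counts also use the *_hi fields
STATE_CLEAN = 0x0001


def _utc(epoch_seconds):
    """Superblock times are 32-bit seconds since 1970, no zone (treat as UTC)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def _cstring(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_superblock(image):
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("no ext superblock at offset 1024")
    inodes, blocks_lo = struct.unpack_from("<II", sb, 0x00)
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    mtime, wtime, mnt_count, _max, _magic, state = struct.unpack_from("<IIHHHH", sb, 0x2C)
    lastcheck = struct.unpack_from("<I", sb, 0x40)[0]
    compat, incompat, _ro_compat = struct.unpack_from("<III", sb, 0x5C)
    blocks = blocks_lo
    if incompat & INCOMPAT_64BIT:
        blocks |= struct.unpack_from("<I", sb, 0x150)[0] << 32
    return {
        "block_size": 1024 << log_block_size,
        "block_count": blocks,
        "inode_count": inodes,
        "uuid": sb[0x68:0x78].hex(),
        "volume_name": _cstring(sb[0x78:0x88]),
        "last_mounted_at": _cstring(sb[0x88:0xC8]),    # mount point path
        "last_mount_time": _utc(mtime),
        "last_write_time": _utc(wtime),
        "last_check_time": _utc(lastcheck),
        "created_time": _utc(struct.unpack_from("<I", sb, 0x108)[0]),
        "mount_count": mnt_count,
        "clean": bool(state & STATE_CLEAN),             # unset: not unmounted cleanly
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "journal_inode": struct.unpack_from("<I", sb, 0xE0)[0],
        "uses_extents": bool(incompat & INCOMPAT_EXTENTS),
    }


def build_sample_image():
    """Constructed 2 KiB image holding only a superblock (all values invented)."""
    img = bytearray(2048)
    b = SUPERBLOCK_OFFSET
    struct.pack_into("<II", img, b + 0x00, 65536, 262144)       # inodes, blocks_lo
    struct.pack_into("<I", img, b + 0x18, 2)                    # 1024 << 2 = 4096
    struct.pack_into("<IIHHHH", img, b + 0x2C, 1705320000, 1705323600,
                     7, 0xFFFF, EXT_MAGIC, STATE_CLEAN)
    struct.pack_into("<I", img, b + 0x40, 1704067200)           # last fsck
    struct.pack_into("<III", img, b + 0x5C, COMPAT_HAS_JOURNAL,
                     INCOMPAT_EXTENTS | INCOMPAT_64BIT, 0)
    img[b + 0x68:b + 0x78] = bytes(range(16))                   # UUID
    img[b + 0x78:b + 0x78 + 8] = b"evidence"                    # label
    img[b + 0x88:b + 0x88 + 8] = b"/mnt/usb"                    # last mount point
    struct.pack_into("<I", img, b + 0xE0, 8)                    # journal inode
    struct.pack_into("<I", img, b + 0x108, 1700000000)          # mkfs time
    struct.pack_into("<I", img, b + 0x150, 1)                   # blocks_count_hi
    return bytes(img)


if __name__ == "__main__":
    for k, v in parse_superblock(build_sample_image()).items():
        print(f"{k:>16}: {v}")
```

On a real image the superblock sits 1024 bytes into the partition, so an examiner working from a whole-disk image first adds the partition's starting offset (from mmls in The Sleuth Kit, for instance). The last-mount path and mount time are often the quickest way to tie a removable ext4 volume to a specific host and session.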

File Recovery Techniques

1. File System Metadata Recovery

Analyzing file system structures ($MFT records, FAT directory entries, inodes) to recover deleted files. Works when the metadata entry still exists, marked unallocated, and the data blocks it points to have not been reused.

2. File Carving

Searching the raw disk for file signatures (headers and footers) without relying on the file system. Can recover files even after formatting or when metadata is destroyed, but yields no file names or timestamps and breaks on fragmented files.

JPEG header: FF D8 FF (followed by E0 for JFIF or E1 for Exif), footer FF D9

PNG header: 89 50 4E 47 0D 0A 1A 0A, footer 49 45 4E 44 AE 42 60 82 (the IEND chunk)

PDF header: 25 50 44 46 (%PDF), footer 25 25 45 4F 46 (%%EOF, which can occur several times in a file with incremental updates)
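The signatures above turned into a minimal carver, as an added example (not code from the page or from Foremost/Scalpel): it scans a raw buffer for each header, looks for the matching footer within a size cap, and reports the offset and bytes of every hit. The "disk image" is constructed inline from filler plus one synthetic PNG, JPEG and PDF; the size caps and the JPEG marker variants (E0 JFIF, E1 Exif, DB bare quantization table, EE Adobe) are this example's choices.

```python
"""Header/footer carving over a raw byte buffer. Sample image is constructed."""
import os
import re

# type: (header regex, footer bytes, maximum carve size). The cap bounds the
# footer search when the file is fragmented or its footer was overwritten.
SIGNATURES = {
    "jpg": (re.compile(rb"\xff\xd8\xff[\xe0\xe1\xdb\xee]"), b"\xff\xd9", 20 << 20),
    "png": (re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xae\x42\x60\x82", 20 << 20),
    "pdf": (re.compile(rb"%PDF-1\.[0-7]"), b"%%EOF", 50 << 20),
}


def carve(image):
    """Return (offset, type, data) for every header found. A header with no
    footer inside the cap is reported as '<type>.partial' with the whole window,
    since the head of a fragmented file is often still worth looking at."""
    found = []
    for ftype, (header, footer, max_len) in SIGNATURES.items():
        for m in header.finditer(image):
            start = m.start()
            window = image[start:start + max_len]
            # Search after the header itself. Caveat: the first footer is not
            # always the right one (Exif thumbnails embed a full JPEG, PDFs
            # with incremental updates carry several %%EOF); real carvers
            # validate structure instead of trusting the first match.
            end = window.find(footer, len(m.group(0)))
            if end == -1:
                found.append((start, ftype + ".partial", window))
            else:
                found.append((start, ftype, window[:end + len(footer)]))
    return sorted(found, key=lambda hit: hit[0])


def write_carved(hits, outdir):
    """Name each carved file by its byte offset, as Foremost-style tools do."""
    os.makedirs(outdir, exist_ok=True)
    for offset, ftype, data in hits:
        with open(os.path.join(outdir, f"{offset:012d}.{ftype}"), "wb") as fh:
            fh.write(data)


def build_sample_image():
    """Constructed image: filler + PNG + filler + JPEG (Exif) + filler + PDF.
    The filler is 0x00..0xFF repeated, which matches none of the signatures."""
    filler = bytes(range(256)) * 4
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    jpg = b"\xff\xd8\xff\xe1" + b"\x00\x16Exif\x00\x00" + b"\xaa" * 64 + b"\xff\xd9"
    pdf = b"%PDF-1.7\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    return filler + png + filler + jpg + filler + pdf + filler


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"{offset:8d}  {ftype:12s}  {len(data)} bytes")
```

Note what the output lacks: no names, no timestamps, no owner. That is the trade-off of carving versus metadata recovery, and why the two are run together rather than one instead of the other.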

3. Slack Space Analysis

Examining the unused space between the end of a file's data and the end of its last allocated cluster. Because the file system never overwrites it, it can hold fragments of files that previously occupied those clusters, or data placed there deliberately to hide it from normal file listings.

4. Journal Analysis

Examining file system journals (NTFS $LogFile and $UsnJrnl, the ext3/ext4 journal) to reconstruct recent operations: what was created, renamed, overwritten or deleted and when, including files whose MFT records or inodes have since been reused.

Tools for File System Analysis

The Sleuth Kit (TSK)

Command-line tools for analyzing disk images and file systems.

# List files recursively with full paths; deleted entries are marked with *
fls -r -p image.dd

# Show only deleted entries
fls -r -d image.dd

# Recover file content by inode / MFT entry number
icat image.dd 1234 > recovered.txt

# For a whole-disk image, add the partition's sector offset (from mmls)
fls -o 2048 -r -p image.dd

Autopsy

GUI frontend for The Sleuth Kit with powerful analysis features.

  • Timeline analysis
  • Keyword searching
  • File type detection
  • Hash set matching

Foremost / Scalpel

File carving tools for recovering files based on headers/footers.

# Carve JPEG, PNG and PDF files from the image into output/
foremost -t jpg,png,pdf -i image.dd -o output/

MFT Explorer

Windows GUI tool for deep NTFS $MFT analysis by Eric Zimmerman; its command-line counterpart MFTECmd parses $MFT, $J and $LogFile into CSV for timeline work.

  • Parse Master File Table
  • View deleted entries
  • Analyze timestamps
  • Export to CSV