Forensics Comparison of NTFS and FAT

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

4 hours
Video Transcription
hi and welcome to everyday digital forensics. I'm your hostess, Sonya Jason. On In today's episode, we're gonna perform a forensics comparison of anti FS versus the fat file system.
In today's video, we're gonna compare the DFS and the fact file system based on the following structure differences.
You have your key structures, storage mechanisms,
file name and directories, file time and dates, foundation and encryption.
The examinations of the to file systems will be around the five
phalluses and categories, which will discuss Stater, but they are your file system content. Metadata found name and application.
So to start off. What's a file system?
Ah, fall system is a hierarchy of objects. Some objects, maybe a roof older apparent folder or a single object.
Visually, it's very similar to a family tree.
By definition of false ism is a process that manages how and where data on a storage disk,
typically your hard disk or SS sees is stored access and managed.
It is a logical disc opponent that manages a disc internal operations as it relates to computer and his abs shark to the user.
Before you dive into the comparison of our two false systems from a forensics perspective, I like to further to find a foul structure within the five categories
these categories in which we're defining the forensics differences between anti Fs and fat. 32. All the components of these file systems have a potential to provide forensics evidence in an investigation. The fastest, um, category tells you where the data structures are located, and then how big these data structures can be.
The content is the actual contents of the file and contains the majority of the file data you have your metadata, which is the data about the data. This is typically the file name, the fall size, any attribute for a particular file, every foul name. And this is responsible for given a name to each file
rather than a user having to remember address
the fall system, takes the name and maps it to a particular address. This is very similar to how Social Security number in the United States represents a person, and your last category is application. There's nothing particular for the organization, however. This is solely for the responsibility of special features in a file and
any system. There's different extensions, and each extension defines a particular application.
The cells, it how to run any develop applications that needs to open and how display the data.
So as an overview of NT fs in the fact file system, these were some of the things they're some of the overall differences of the two file systems NDFs began with Windows NT and 2000.
While You're Fat, 32
is permanently used in DOS and Windows versions prior to Windows XP.
The 32 fat defines its cluster values, so you have to toe the 32 max values for an entry based on features. NDFs provides a better meta data support and events. Date of structure, larger file size, larger volume, size and TFS has last access times. For a file. You have data access,
an organization efficiency
about 32 is often found as a default file system in your removable media and storage devices and is mostly seen as an additional partition with another operating system. So what does this mean to an examiner? An examiner were more likely Encounter an anti FS file system with a fat file system, as in a compliment.
And here Fast is used in Windows
are pretty systems contain user system and a West data. There's a larger volume set of data to review in comparison to your fat fall system, without said and NT if espouses, Some require longer time for an examination than a fat system.
Some of the key structures.
So NDFs has boot records. The structure starts in the 1st 150 to bite records of your foul system.
The boot record includes put coats, dis signatures and a table that maps to the primary partitions. One of the major differences between anti FS and the fat file system is that NDFs utilizes a journaling file system to keep track of changes in the system used
to keep track of changes in the system by the use of a journal. So the journey file system supports quicker reboot in the event of a system or power failure
in comparison to fat and anti. If us fat has a similar structure compared to any of us
not looking over to the fat 32 file system,
you have two main data structures. Your file allocation table and your directory entries. The fat system is a simpler structure, one compared to anti fs every file and directory is allocated to a data structure, specifically a directory entry. The directories are stored in clusters and if any are greater than one.
And if the direct has more than one clusters,
then the fat data structures used to locate individual entries.
Looking in the perspective and examiner, the NDFs has the journal entry system. NDFs has a journaling system that provides east of searching and review off these violets. Your dollars sign log file tracks the changes due to metal data. So here you have an actual log of the different events that are occurring, and then the comparison between
you're MF T in your M F T mirror
can identify corruption, modification and malicious behavior.
So when comparing your storage mechanisms, NDFs sees a smaller cluster sizes. You have the availability of slack space, which is the unused face left at the end of the cluster. This onion space cannot be used by another file so that this allocates more efficient ist sorge.
NDF as storage mechanism also uses the MF T file in order to map and analyze corruption,
it assigns data to one cluster
and you have your bit Matt MF team Meditative file, which finds the first available cluster and assigns that
your bit close I'm of Team Medal Datafile hold the listing that identifies any bad clusters.
The 32 file system makes it a little harder to locate if I was then anti FS, because coaster addresses do not start at the beginning of the foul system and must be found through the use of sector addressing. Since the data size is don't always match the closer size, There may be extra sectors at the end of a data area that are not part of this cluster or stack. So
part of that cluster may hold
two or more file information just to kind of fill up the space of that cluster. So you may have to dance around the different cluster addresses or your sector addresses just to determine and think
file allocation. Table your fat table.
There's an entry for every file, and if the entry value zero, the the cluster is not allocated to a file
moving over to file naming directories, NDFs stores and records findings. In the MF T file, the MFP mayor produces a copy of this
resonant attributes are attributes that are stored in the M of tea fouls such as your founding. And there's three attributes are important in the forensics of an anti FS system. These attributes contain amount of data for an MFP entry record,
you have your standard information, your file name and your data.
And CFS also supports multiple data streams.
So data stream is defined as a secret of bits where the application can write data to a specific location among stream, and then every file has an associate ID unnamed stream assigned to it. NDFs will allow that file to have alternative data streams that can be aligned with an unnamed stream.
So this helps support data that could be managed as a single unit.
Looking over to the fat 32 looking over to the factory to system, You can save data under two options. Your short founding, such as your
I'm a sauce or Long founding.
The eighth out, three found name is a compressor version of the long name. Every folder injury holds about 13 characters of a long name, and there's no support for multiple data streams. There's only one single data stream profile
so overall within file names and directories and CFS provides much more information
through its attributes than the fat 32 system. So it is Examiner, your people, our house, the location, sizes of all the data records for your attributes, knowing how to actually leverage your standard information found him and data in a forensics investigation is absolutely priceless.
Not only do they store this data, but even if the data is deleted, the attributes can be found and recovered. Not only do the do they store this data, but even if the file is deleted, the attributes can be used to find I recover the data later.
And then this is where you would use this information in your m f T Fowler MFP mirror
to recover the data.
So an example. The log file actually courts transactions and entries. In the case of a system file, so is an examiner. You'll be able to look at the log files, see if there's some sort of failure and any record that could help pinpoint to the loss or division of this file.
Up next is filed times and dates, so MF T For every file, you have four main dates. Your creation modified MF T entry modified and access.
So out of the three attributes, your standard information is your primary set of date and time stamps.
Your file name will holds those four day times above your meats and then data and actually doesn't use any daytime. Your fat 32. You get three time stamps to define a directory entry Last access last rid unless created
the time values are nonessential and could be falls under some circumstances. And malicious user actually can modify these with no traces or evidence of the original daytime.
Now over to file deletion
for NDFs. If you haven't seen a pattern, your master file table. Your MF TIF
table is your key structure for delusion. They holds an entry for every file or folder created and holds meta data for that file.
Your system may not display the fire all if within one of the MF T entry, attributes defines it as deleted. So your special indicated file will remain on mark and this allows assistant to allocate another file to his location.
So if you mark your file for deletion, your special indicator file will be selected, would be unmarked, and this tells the operating system that you can overwrite this copy,
otherwise it would typically skip it.
You have much better recover ability. In NDFs,
there are issues that may cause a file not to be deleted. You're about 32 is very similar in some fashion to NDFs.
The first characters of the directory entry is replaced by special characters off zero EC E five h,
and this tells a file system that you can ignore this file
the closer signs, so files are marked as available in the file allocation. So in the event you delete a file, it's gonna mark your cluster assignment to available. And then that's where the files overridden. If new data is written over the files area, it is no longer recoverable on undulated Now. The last key structure is your encryption
about 32. There's no design for encryption. There's no internal security measures. The only encryption option is through externals or third party encryption programs.
You almost like you see this within storage devices like your US bees. NDFs, however, was designed with access control security.
Anti FS can access by using low level disk utility tools
on one particular feature for anti FS is your encryption falls at some your E f s. This encrypts the files and folders
allows users access to these encrypted files when they log in. So in the event that investigator is seen or accessing your files through a dead accusation,
that fall system is encrypted. But if they log in through a live acquisition into your account, they will have access to the encrypted files.
You have to encryption mechanisms, your public and your private key When the file is encrypted that E. P S uses the public key.
So in today's video, we discussed what a file system is talked about the foul categories and then compared NDFs versus a fat foul system. Based on sixth.
We compared NDFs and the fat file system based on structural differences such as key structures, your storage mechanism found name and directories file time and dates, fascination and encryption. We saw that NDFs on multiple off the structure differences provided a lot more data for an examiner
in future videos that we're gonna perform alive and disk acquisition using some of the cyberia dot i t lots, we're gonna examine what happens when you delete a file,
discuss the performance of data carving and Sina graphic techniques.
See how to properly check and execute malicious files and continue exploring professional tools, both at a beginner and advanced level.
I hope you enjoyed this macho and I'll catch the next one.
Up Next