A file system is where data is stored and recovered from; depending on the operating system, it may be FAT (File Allocation Table) or NTFS (New Technology File System).
If we look at the file structure, storage mechanisms and file names, file dates and times, and security features, we can find many differences between the two.

File structure

Depending on the bit width of the entries in the actual FAT structure on the disk, the FAT file system has several versions, such as FAT 12, FAT 16 and FAT 32. The major physical layout components of the FAT file system are:

- Reserved area (volume boot sector): includes the data in the file system category
- File allocation table: contains the primary and backup FAT structures
- Data area: contains the clusters allocated to store file and directory content

There are normally two FATs (FAT1 and FAT2) in a FAT file system, but the exact number of FATs and their total size must be determined from the boot sector. If digital forensic investigators need to identify the file name, size, start address of the file content and other metadata, they need to check the directory entry in the file allocation table.

NTFS is the common file system for Windows PCs. NTFS has better metadata support and data structures than the FAT file system. Unlike FAT, NTFS does not have a special layout; all the important data is allocated as files. The first 16 sectors are the boot record, disk signatures and table of primary partitions.
The center of the NTFS file system is the MFT (Master File Table), which keeps a record of every file and folder in the NTFS volume. File names that start with $ are metadata files stored in the MFT. The following table shows the major system files of NTFS and their functions.

File name    File function
$MFT         Master file table; each MFT record is 1024 bytes long
$MFTMirr     Backup of the MFT
$LogFile     The file used for system recovery and integrity
$Volume      Identifying information about the NTFS version and volume name
$AttrDef     Attribute information
$BitMap      Tracks the allocation of eight clusters
$Boot        Contains the partition boot sector and boot code
$BadClus     Bad cluster information for the partition
$Secure      Security information of the file

Storage Mechanisms and file name

The NTFS and FAT file systems both keep data in clusters, but NTFS uses a smaller cluster size, which means NTFS can store more data.
As discussed before, NTFS uses the Master File Table while FAT uses directory entries and the file allocation table. When forensic investigators examine an NTFS disk, they can find file information starting from sector 0. Three attributes are important for the forensic investigation: $STANDARD_INFORMATION, $FILE_NAME and $DATA. All the file name and directory information is in these three attributes. In the FAT file system, data is not recorded in the space after the reserved area and FAT areas, and the same applies to the extra sectors after the data area; when forensic investigators examine a FAT file system, they need to check these sectors for hidden data.
In the FAT file system, the entire file is saved under a long file name.

File date and time

When forensic investigators examine a file system, they need to be careful about the file date and time stamps. NTFS stores a file's date and time in UTC (Coordinated Universal Time), but FAT stores them in the computer's local time.

Security

The FAT file system cannot encrypt data internally; the only way to secure it is with an external program. Compared with FAT, NTFS has an improved security system: NTFS has access control and file encryption. A file can only be accessed after the user logs in.