Site Loader
Rock Street, San Francisco

File system is the place to store
and recovery data; depend to the operating system it may FAT (File Allocation
Table) or NTFS (New Technology file system). If we look through the  file structure, Storage
Mechanisms and file name, file date and time, security feature we can find many feature difference between these two

 

File structure

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

Depend to the array bit of the
entries in the actual FAT structure on the disk. FAT file system has many
different versions like FAT 12, FAT 16, FAT 32. The major physical layout
components of FAT file system are:

 Reserved area (volume boot sector)- include
the data in the file system category

 File allocation table – contain the primary
and backup FAT structure

 Data area- contain the cluster which allocated
store file and directory content

 

 There normally two FATs (FAT1 and FAT2) in a FAT
file system but the exact number of FAT and total size of FAT need determine in
the boot sector. If digital forensic investor need identify the file name,
size, start address of the file content and other metadata, they need check the
directory entry in the file allocate table

  
NTFS is common file system for the windows PC; NTFS has better metadata
support and data structure than FAT file system, unlike FAT file system NTFS do
not have special layout all the important data is allocated as files. The first
16 sectors are boot record, disk signatures and table of primary partitions. The
center of the NTFS file system is the MFT (Master File Table) it keeps the
record all the file and folder in the NTFS volume. File name start with $ are
MFT stored metadata file. . The following table showing the major system files
of NTFS system and their functions.

 

File name

File function

$ MFT

Master file table, each MFT record is
1024 bytes long

#MFTMirr

Backup of MFT

$LogFile

The file used for system recovery and integrity

$Volume

Identify information about NFT version
and volume name

$AtterDef

Attribute information

$BitMap

Track the allocation of eight cluster

$Boot

Contain the partition boot sector and
boot code

$BadClus

Bad cluster information of the partition

$Secure

Secure information of the file

 

 

 

 

 

Storage Mechanisms and file name

 

The NTFS and FAT file system both keep the
data in the cluster, but the NTFS use smaller cluster size which means the NTFS
can store more data. As we discuss before NTFS use Master file Table but FAT
use directory entries and file allocation table, when the forensics investor
exam the NFTS disk they can find file information from 0 sectors .there are 3
attribute important for the forensic investigation $STAND_INFORMATION, $FILE_NAME
and $DATA attribute. All the file name and directory information are in these
three attribute. FAT file system the data won’t be record after reserved area
and FAT areas, also same extract sector after data area when the forensic
investor exam FAT file system they need check the hide data in these sectors.  In FAT file system the entire file will save
under long file name

 

File date and time

 

When the forensic investor exam a file
system they need careful about the file date and time stamps. NTFS store the
file’s date and time in UTC (Coordinated Universal Time) but FAT stores the
file on computer local time.

 

Security

 

FAT file system cannot encryption form internal,
the only way to secure is external program. Compare with FAT file system NTFS
have been improved their security system; NFTS have access control and file
encryption. The file only can access after the user login.

 

 

 

Post Author: admin

x

Hi!
I'm Dora!

Would you like to get a custom essay? How about receiving a customized one?

Check it out