
Unleash File System: Digital Forensics

Copyright © 2022 Ivan Chow, Karson Chan & Ricci IEONG, Information Security and Forensics Society
The Basics: What is a File System?

• A file system controls how data is stored and retrieved on a computer system. It is like an inventory system keeping track of goods in a warehouse.
• File systems can be used on numerous different types of storage devices that use different kinds of media. The most common storage device in use today is a hard disk drive. Others include flash memory, magnetic tapes, and optical discs.
• There are many different kinds of file systems and they behave very differently. Each has its own structure or organization.

The Basics

• There must be data or files that describe the layout and size of
the file system.
• To understand how files are stored, deleted and recovered from
the disk, a forensic examiner needs to understand the file
system from the raw level.
• When a partition is formatted, among other things, the data
structures needed for its specific file system are created.
• The boundaries and type of the partition are set forth in a
partition table.

The Basics

Every file system serves these 4 basic functions:

1) Track the name of the object (i.e. file / folder)
2) Track the starting extent (location of the first cluster)
3) Track the fragmentation of the object (sequence of clusters)
4) Track the allocation status of each cluster

*Cluster: The smallest data storage unit (group of sectors). It is also known as allocation unit or block.

The Basics

File systems covered: FAT, NTFS, ExFAT

FAT: a basic understanding of the FAT system

• File Allocation Table or FAT is a computer file system architecture originally purchased by Bill Gates and then developed by Bill Gates and Marc McDonald during 1976–1977.
• It is the primary file system for various operating systems including DR-DOS, OpenDOS, FreeDOS, MS-DOS, OS/2 (v1.1) and Microsoft Windows (up to Windows Me).
• The FAT file system is relatively straightforward and is supported by virtually all existing operating systems for personal computers.
• This makes it an ideal format for memory cards and a convenient way to share data between operating systems.

FAT

Version   FAT entry width            Max no. of clusters (deducting reserved area)
FAT12     12 bit                     4,084 clusters
FAT16     16 bit                     65,524 clusters
FAT32     28 bit (4 bits reserved)   268,435,456 clusters

FAT

Layout: Reserved Area | FAT1 | FAT2 | Root Directory | Data Area

(Figure: location of cluster 2 for FAT12/16 versus FAT32; not reproduced in text)

FAT

Layout: Reserved Area | FAT1 | FAT2 | Root Directory | Data Area

Root Directory        FAT12/16                  FAT32
Location              After FAT                 Can be anywhere (typically at cluster 2)
Max size              32 sectors (fixed size)   Dynamic
Max no. of entries    512 entries               Dynamic

FAT

Two key structures:

1) File Allocation Table / FAT
2) Directory Entry

FAT

Layout: Reserved Area | FAT1 | FAT2 | Root Directory | Data Area

Functions of the File Allocation Table:
1) Track the fragmentation of the object
2) Track the allocation status of clusters

FAT

Allocation Status of Clusters (FAT entry value)

Unused                                          0000
The next cluster in use by the current object   # (any other value)
Last cluster in a file / EOF                    FFFF
Bad cluster                                     FFF7

FAT

Function of Directory Entry

1) Track the name of the object (i.e. file / folder)
2) Track the starting extent (location of the first cluster)

• Every object (file and folder) is referenced and described in a separate directory entry.
• Each directory entry is 32 bytes in length:
➢ Name (8.3 DOS name)
➢ Attribute byte (8 bits): archive, read-only, hidden, system
➢ Create time (24 bits)
➢ Create date (16 bits)
➢ Last access date (16 bits)
➢ Last modified time (16 bits)
➢ Last modified date (16 bits)
➢ Starting cluster number in the file allocation table (16 bits; 32 bits for FAT32)
➢ File size (32 bits)
FAT

• For entries with a Long File Name (LFN):
➢ A series of 32-byte entries is created preceding the entry to store the LFN
➢ Up to 255 characters

FAT

Long File Name

FAT

Layout: Reserved Area | FAT1 | FAT2 | Root Directory | Data Area

• Cluster: the smallest unit (group of sectors) in which data is stored. It is also known as allocation unit or block. Its size is decided when you format the file system and is a power of two (2^n sectors).
• The Data Area starts with cluster number 2; there is no cluster 0 or 1.
• If the file size exceeds the size of one cluster, it is assigned as many additional clusters as are needed.

FAT

From the example (figure not reproduced in text):

• FILE1.TXT is occupying clusters 2, 3 and 4.
• FILE3.TXT is occupying cluster 7.
• What about FILE2.TXT?

FAT

1) Format Disk
• From scratch: create (1) the Root Directory and (2) the File Allocation Table
• Quick format: clear the Root Directory and FAT

2) Create an object:
• A 32-byte directory entry is created.
• FAT is updated to reflect the allocation of the file data.
• Data is written to the disk.

Directory entry:   File.txt   MACTime   2500   2     (name, MAC times, size, starting cluster)

FAT (before -> after):
Cluster   Before   After
2         0000     0003
3         0000     0004
4         0000     FFFF
5         0000     0000
6         0000     0000
7         0000     0000
8         0000     0000

FAT

3) Delete an object:
• The first byte of the directory entry is changed to 0xE5
• The relevant records in the FAT are zeroed out to release the space.
• Data remains. Recovery is simple if the file data stream is contiguous.
• Fragmented file recovery is not guaranteed.

Directory entry (before -> after):
File.txt       MACTime   2500   2
0xE5ile.txt    MACTime   2500   2

FAT (before -> after):
Cluster   Before   After
2         0003     0000
3         0004     0000
4         FFFF     0000
5         0000     0000
6         0000     0000
7         0000     0000
8         0000     0000

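The create and delete steps on the two slides above, together with the "recovery is simple if contiguous" rule, as an added worked example (this is my code, not the authors'): a constructed in-memory FAT16-style volume with 32-byte directory entries, a 16-bit FAT, 0xE5 deletion and an undelete that assumes contiguity. Names such as create_file and recover_deleted are invented for the example.

```python
import struct

# Constructed toy FAT16-style volume: 512-byte clusters, 16 clusters, no real disk involved.
CLUSTER_SIZE = 512
N_CLUSTERS = 16
FREE, EOF, DELETED = 0x0000, 0xFFFF, 0xE5   # FAT markers and the 0xE5 deleted-entry byte

fat = [FREE] * N_CLUSTERS                   # one 16-bit entry per cluster (0 and 1 are reserved)
data_area = bytearray(CLUSTER_SIZE * N_CLUSTERS)
directory = []                              # 32-byte directory entries, in creation order


def pack_entry(name, ext, start, size):
    """Build a 32-byte 8.3 entry: name(8) ext(3) attr(1) reserved/ctime/cdate/adate/
    hi-cluster(10) mtime(2) mdate(2) start cluster(2) size(4). Timestamps stay zero here."""
    return bytearray(struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                                 0x20, b"\x00" * 10, 0, 0, start, size))


def create_file(name, ext, content):
    """Allocate free clusters, link them in the FAT, write the data, add the directory entry."""
    n = max(1, -(-len(content) // CLUSTER_SIZE))          # clusters needed (ceil division)
    free = [c for c in range(2, N_CLUSTERS) if fat[c] == FREE][:n]
    if len(free) < n:
        raise OSError("disk full")
    for i, c in enumerate(free):
        fat[c] = free[i + 1] if i + 1 < n else EOF        # chain: next cluster, or EOF on the last
        chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        data_area[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
    directory.append(pack_entry(name, ext, free[0], len(content)))
    return free[0]


def read_chain(start, size):
    """Read a live file by following its FAT chain from the starting cluster."""
    out, c = bytearray(), start
    while c not in (FREE, EOF):
        out += data_area[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
        c = fat[c]
    return bytes(out[:size])


def delete_file(name):
    """FAT delete: zero the chain (release clusters) and set the entry's first byte to 0xE5.
    The entry keeps its size and start cluster, and the data area is left untouched."""
    for entry in directory:
        if entry[0] != DELETED and entry[:8].decode("latin-1").strip() == name:
            start = struct.unpack_from("<H", entry, 26)[0]
            c = start
            while c not in (FREE, EOF):
                nxt = fat[c]
                fat[c] = FREE
                c = nxt
            entry[0] = DELETED
            return start
    raise FileNotFoundError(name)


def recover_deleted(name):
    """Undelete the way a FAT tool must: the first name byte and the chain are gone, so match
    on the remaining 7 characters and assume the data is contiguous from the start cluster."""
    for entry in directory:
        if entry[0] == DELETED and entry[1:8].decode("latin-1").strip() == name[1:]:
            start, size = struct.unpack_from("<HI", entry, 26)
            return bytes(data_area[start * CLUSTER_SIZE:start * CLUSTER_SIZE + size])
    return None


if __name__ == "__main__":
    create_file("FILEA", "TXT", b"a" * 512)
    create_file("FILEB", "TXT", b"b" * 512)
    delete_file("FILEA")
    create_file("FILEC", "TXT", b"c" * 1024)      # reuses cluster 2, then 4: fragmented
    delete_file("FILEC")
    # the contiguity assumption now returns FILEB's data as the second half of FILEC
    print(fat[2:6], recover_deleted("FILEC")[512:516])
```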
FAT

File Fragmentation
• File fragmentation refers to the situation in which a file's data stream cannot be kept contiguous.
• It leads to performance degradation on spinning hard disks but not on SSDs, which is why the "defrag" process exists.

FAT

Possibility of Data Recovery

• The deleted file's directory entry will not stay forever. It will be cleaned up upon defragmentation.
• Once this directory entry is gone, there will be no hint to recover the file.
• Data carving becomes the last resort.

FAT

File Slack
• If a new file is written to the clusters where a deleted file resided, and the new file does not occupy the whole space, file slack exists.
• File Slack: the data between the end of the logical file and the end of the physical file.

ExFAT: a basic understanding of the ExFAT system

• Extended FAT
• Introduced with Windows CE 6.0 in November 2006

Spring 2008    Vista Service Pack 1 released with exFAT capabilities
January 2009   SDXC (eXtended Capacity) memory card specification announced; exFAT designated as the exclusive file system for use by host devices as the standard
January 2009   Windows XP drivers available directly from Microsoft
March 2009     SDXC cards released by Pretec
Spring 2010    Host devices set to be released
ExFAT

Motivation for designing a new file system:

• Removable media (FAT is fine here)
• Large multimedia files (2 GB file limitation in FAT)
• Limited overhead (FAT is more lightweight than NTFS)
• Transactional FAT (TFAT) compatible

ExFAT

(Example image: dfr-05-nest-xfat.dd; figure not reproduced in text)
ExFAT

                        exFAT                               FAT
Max size                64 ZB theoretical                   max 2 TB
File size               64 ZB                               4 GB
Files per directory     2,796,202                           65,536
Access control lists    Yes                                 No
Support TFAT            Yes                                 No
Support UTC             Yes                                 No (local time)
Timestamp granularity   10 ms                               Mtime: 2 s, Ctime: 10 ms, Atime: 1 day
Supported by            WinXP SP2, Win2k03 SP2, Vista SP1   Win95, Win98, Win2k, WinXP, Win2k03, Win2k08, Vista, Win7
ReadyBoost support      Win7 only                           From Vista


ExFAT

File size                       64 ZiB (Microsoft recommends 512 TiB)
Maximum files per directory     2,796,202
File name length                255 characters
Volume size                     64 ZiB (Microsoft recommends 512 TiB)

ExFAT

Sectors 0-11     VBR (Main Boot Region: 12 sectors)
Sectors 12-23    Backup Boot Region (12 sectors)
                 FAT Region
                 Data Region

ExFAT

Byte       Definition
0-2        Jump Code
3-7        OEM Name
11-63      Zeros
64-67      Partition Sector Offset
72-79      Total Sectors on the Volume
80-83      FAT Location in sectors
84-87      Physical Size of FAT in sectors
88-91      Physical Sector Location of the Bitmap (Cluster Heap)
92-95      Number of Clusters
96-99      First Cluster of the Root Directory
100-103    Volume Serial Number
104-105    File System Revision Number
106        Volume Flags
107        Active FAT
108        Bytes per Sector
109        Sectors per Cluster
110        Number of FATs on the Volume
112        Percentage in Use

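An added example (not from the slides) of reading the boot-sector fields in the table above from a constructed exFAT VBR, using the byte offsets of the published exFAT specification. It treats the partition offset and volume length as 8-byte fields and bytes 108/109 as power-of-two shifts, which is where it departs from the abbreviated table. build_sample_vbr, parse_exfat_vbr and cluster_byte_offset are names chosen here; every value in the sample sector is made up.

```python
import struct

# Main boot sector fields from byte 64 onward (published exFAT layout): partition offset (8),
# volume length (8), FAT offset (4), FAT length (4), cluster heap offset (4), cluster count (4),
# root directory first cluster (4), serial (4), revision (2), flags (2), bytes-per-sector
# shift (1), sectors-per-cluster shift (1), number of FATs (1), drive select (1), % in use (1).
VBR_FIELDS = struct.Struct("<QQIIIIIIHHBBBBB")   # occupies bytes 64..112


def build_sample_vbr():
    """Constructed 512-byte exFAT boot sector for the example; not captured from a device."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x76\x90"                    # jump code
    vbr[3:11] = b"EXFAT   "                       # OEM / file system name
    VBR_FIELDS.pack_into(vbr, 64,
                         2048,        # partition offset (sectors)
                         1_000_000,   # total sectors on the volume
                         128,         # FAT location (sectors)
                         2048,        # FAT size (sectors)
                         4096,        # cluster heap (bitmap / data) location (sectors)
                         62_000,      # number of clusters
                         5,           # first cluster of the root directory
                         0x1234ABCD,  # volume serial number
                         0x0100,      # file system revision 1.00
                         0x0000,      # volume flags: active FAT 0, volume not dirty
                         9,           # bytes per sector = 2**9
                         3,           # sectors per cluster = 2**3
                         1,           # number of FATs
                         0x80,        # drive select
                         42)          # percentage in use
    vbr[510:512] = b"\x55\xAA"                    # boot signature 0xAA55, little-endian
    return bytes(vbr)


def is_exfat_vbr(sector):
    """Sanity check before parsing: file system name and boot signature must both match."""
    return len(sector) >= 512 and sector[3:11] == b"EXFAT   " and sector[510:512] == b"\x55\xAA"


def parse_exfat_vbr(sector):
    """Decode the fields an examiner needs to locate the FAT, the bitmap and the root directory."""
    if not is_exfat_vbr(sector):
        raise ValueError("not an exFAT boot sector (name or 0xAA55 signature missing)")
    (part_off, vol_len, fat_off, fat_len, heap_off, n_clusters, root_clus, serial,
     revision, flags, bps_shift, spc_shift, n_fats, _drive, pct) = VBR_FIELDS.unpack_from(sector, 64)
    bps = 1 << bps_shift
    return {
        "partition_offset": part_off, "total_sectors": vol_len,
        "fat_offset": fat_off, "fat_length": fat_len,
        "cluster_heap_offset": heap_off, "cluster_count": n_clusters,
        "root_dir_cluster": root_clus, "serial": f"{serial:08X}",
        "revision": f"{revision >> 8}.{revision & 0xFF:02d}",
        "active_fat": flags & 1, "volume_dirty": bool(flags & 2),
        "bytes_per_sector": bps, "cluster_bytes": bps << spc_shift,
        "number_of_fats": n_fats, "percent_in_use": pct,
    }


def cluster_byte_offset(info, cluster):
    """exFAT numbers clusters from 2: cluster N starts at heap_offset*bps + (N-2)*cluster_bytes."""
    if not 2 <= cluster < info["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} lies outside the cluster heap")
    return (info["cluster_heap_offset"] * info["bytes_per_sector"]
            + (cluster - 2) * info["cluster_bytes"])
```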
ExFAT

Key exFAT structures:

1) $Bitmap - Track cluster allocation status
2) File Allocation Table - Track file fragmentation
3) Directory Entry - Track file properties

ExFAT

• Directory entries are a series of 32-byte records.
• A file has at least 3 records:

Directory Entry Record (type 0x85)
• Tracks attributes and created, accessed and modified times.

Stream Extension (type 0xC0)
• Tracks the size and starting extent of the file, and also the length of the filename.

File Name Extension (type 0xC1)
• Contains the filename in Unicode characters.

ExFAT

Timestamps are 4-byte values; the time stamp format used in exFAT is the same as in FAT.

Timezone setting: see https://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274
ExFAT

1) When a file is created

• Three 32-byte directory records are created.
• $Bitmap is updated to reflect the allocation of clusters.
• If the file is not fragmented, the FAT remains unchanged (a flag value of 1 indicates no fragmentation).
• Data is written to clusters.

ExFAT

2) When a file is deleted

• The first (most significant) bit of each of the 3 records' type bytes is changed from 1 to 0
• If the first bit is "1", the record is in use.
• If the first bit is "0", the record is not in use.

0x85   1000 0101 → 0000 0101   0x05
0xC0   1100 0000 → 0100 0000   0x40
0xC1   1100 0001 → 0100 0001   0x41

• The bitmap is zeroed out. The FAT is untouched.
• Data remains until overwritten.

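An added example (my code, not the authors') covering the timestamp slide and the deletion slide above: the in-use bit flip on the three record type bytes, and decoding the 4-byte FAT-format timestamp together with exFAT's 10 ms increment and UTC-offset bytes, which the slides point to through the timezone link. The function names are invented and the sample value 0x546F73C5 is constructed.

```python
from datetime import datetime, timedelta, timezone

# exFAT directory record type bytes from the slides; the top bit is the in-use flag.
FILE_RECORD, STREAM_EXT, NAME_EXT = 0x85, 0xC0, 0xC1
IN_USE = 0x80


def is_in_use(type_byte):
    return bool(type_byte & IN_USE)


def mark_deleted(type_byte):
    """What a delete does to the type byte: 0x85 -> 0x05, 0xC0 -> 0x40, 0xC1 -> 0x41."""
    return type_byte & 0x7F


def original_type(type_byte):
    """Recover which kind of record a deleted entry was (needed when undeleting)."""
    return type_byte | IN_USE


def decode_dos_timestamp(value):
    """4-byte FAT/exFAT timestamp: low 16 bits = time, high 16 bits = date.
    time: hhhhh mmmmmm sssss (seconds stored /2); date: yyyyyyy mmmm ddddd (year from 1980)."""
    t, d = value & 0xFFFF, value >> 16
    return datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def encode_dos_timestamp(dt):
    """Inverse of decode_dos_timestamp (odd seconds are truncated, as on disk)."""
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return (d << 16) | t


def decode_exfat_time(value, ten_ms=0, utc_offset=0):
    """Full exFAT timestamp: packed value + 10 ms increment byte + UTC offset byte.
    Offset byte: bit 7 = offset valid; low 7 bits = signed count of 15-minute steps.
    Without a valid offset the result is naive local time of the system that wrote it."""
    ts = decode_dos_timestamp(value) + timedelta(milliseconds=10 * ten_ms)
    if utc_offset & 0x80:
        steps = utc_offset & 0x7F
        if steps & 0x40:                      # 7-bit two's complement
            steps -= 0x80
        return ts.replace(tzinfo=timezone(timedelta(minutes=15 * steps)))
    return ts
```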
NTFS: a basic understanding of the NTFS system

• NTFS: New Technologies File System
• The standard file system of Windows NT, including its later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista.

NTFS

NTFS Version   OS Name           OS Version   Release Date
NTFS v1.2      Windows NT 3.51   3.51         July 1993
NTFS v1.2      Windows NT 4.0    4.0          August 1996
NTFS 3.0       Windows 2000      5.0          February 2000
NTFS 3.1       Windows XP        5.1          September 2001
NTFS 3.1       Windows 2003      5.2          April 2003
NTFS 3.1       Windows Vista     6.0          November 2006

NTFS

• Every object is a file, with a corresponding entry in the MFT.
• Any sector can be allocated to a file (except the VBR sectors).
• Two major components: $MFT & $Bitmap
• File system metadata files store the file system's administrative data.

NTFS

• No specific layout: the entire volume is a data area.
• MFT Zone: Microsoft reserves part of the file system, the MFT Zone, which is a collection of consecutive clusters that are not used to store file or directory content unless the rest of the disk is full. (By default, Microsoft allocates 12.5% of the file system to the MFT.)
• The VBR is located in the first sector. A backup VBR is at the end of the volume.

NTFS

VBR (Volume Boot Record)
• First 16 sectors of the volume (usually 8 sectors are used)
• Backup copy located at the last sector of the partition
• Signature: 0xAA55
• Content:
➢ Size of each cluster
➢ Number of sectors in the file system
➢ Starting cluster address of the MFT
➢ Size of each MFT entry
➢ A serial number for the file system
➢ Boot code

NTFS

• When a volume is formatted as NTFS, an $MFT file and other metafiles are created.
• Metafiles are the files NTFS uses to implement the file system structure.
• The two major files are the $MFT and $Bitmap.
• The first 16 records of the $MFT are reserved for metafiles.

NTFS

• These metafiles are listed under the root directory but hidden from most users.
• With the exception of the boot code, the on-disk location of this data could be anywhere in the file system.
• Their date and time stamps are set to the time that the file system was created.

NTFS

$Bitmap
• Tracks the allocation status of all clusters within the volume.
• 1 byte controls 8 clusters (1 bit → 1 cluster)
• e.g. 0x3F → 0011 1111, i.e. 6 clusters are allocated.

NTFS

• $MFT - The Master File Table is a central database for tracking every single item residing in the file system.
• It is a file ($MFT). The $MFT file itself can become fragmented.
• The starting location of the MFT is given in the boot sector.
• It contains at least one record for every file or folder in the volume, including a record for itself.

NTFS

• Each $MFT record is 1,024 bytes in length.
• Each record is given an address based on its location in the table, starting with 0.
• The first 16 records are reserved for metafiles.
• The first record (entry 0) in the table is named $MFT.
• The $DATA attribute of entry 0 contains the location of the clusters used by the MFT, so the layout of the MFT is determined by processing entry 0 in the MFT.
• When a file is created, modified, or deleted, the relevant record will be created, changed, or updated.
NTFS

Overview

A record comprises a header and multiple attributes.
NTFS

(Figures: an example MFT record, its header and its flag values; not reproduced in text)
NTFS

• A file can have up to 65,536 file attributes, and so it may need more than one MFT record to track them all.
• When additional MFT records are allocated to a file, the original MFT record becomes the base MFT record.
• The base MFT record stores the location of the other records of the file.
• It also has an $ATTRIBUTE_LIST type attribute that contains a list with each of the file's attributes and the MFT address in which it can be found.
• The non-base MFT entries do not have the $FILE_NAME and $STANDARD_INFORMATION attributes in them.
NTFS

Attributes
Every MFT record is composed of multiple attributes. All attributes have two parts: the header and the data.
• Header: identifies the type of attribute, its size, and its name.
• Data: the content is specific to the type of attribute and can be of any size.
➢ Data can be resident or non-resident. Small files and directories (typically 600 bytes or smaller) are entirely contained within the file's MFT record (known as resident files).

NTFS

Attributes
Three main file attributes:
• Standard Information Attribute (SIA)
• Filename Attribute (FNA)
➢ Two or more may exist: one for the short file name, and the other for the LFN and other namespaces
• Data Attribute (DA)

NTFS

Attribute: $STANDARD_INFORMATION
• It exists for every file and directory.
• Contains temporal, ownership, and security information.
• A flag for general properties of the file, such as read-only, system or archive.
• It also tells whether the file is compressed, sparse, or encrypted.
• Four temporal values:
1) Creation Time: the time that the file was created.
2) Modified Time: the time that the content of the $DATA or $INDEX attributes was last modified.
3) MFT Modified Time: the time that the metadata of the file was last modified. Note that this value is not shown in Windows when you select the properties of a file.
4) Accessed Time: the time that the content of the file was last accessed.

NTFS

Attribute: $STANDARD_INFORMATION

There are at least 2 sets of temporal values stored in every single MFT record, namely inside the SIA and the FNA.
NTFS

Attribute: $FILE_NAME
• It exists for every file and directory.
• Contains the file name, size, temporal information, and the file reference for the parent directory.
• The file name is stored in Unicode.
• Some files may have $FILE_NAME attributes for both the LFN and the short file name.
• Four temporal values (not always the same as those in the SIA).
• A flag field that can identify whether the record is for a directory, read-only, a system file, compressed, encrypted, and so on.
NTFS

Attribute: $DATA
• It can be of any size, including 0 bytes.
• If the file size is small (roughly under 600 bytes) when created, the data is stored in the $MFT record; the file is called a resident file.
• When the file grows so large that it can no longer fit in the $MFT record, it becomes non-resident and the data is written to clusters. A non-resident file never becomes resident again.
• When a file has more than one $DATA attribute, the additional attributes are sometimes referred to as alternate data streams (ADS).
• Additional $DATA attributes must have names and can also be used to hide data.
NTFS

Hard links
• A hard link allows multiple paths to refer to the same file.
• When a hard link is created, an additional file name reference is made to the data.
• When one file name is deleted, the other hard links remain and point to the data.
• Hard links are on-disk local references to data; they can exist only within the same volume and cannot span volumes or computers.

NTFS

Symbolic links
• Symbolic links or soft links are file-name aliasing.
• They are interpreted dynamically and can be relative or absolute paths that refer to locations on any storage device or even on a different system.
• Deleting the original file results in loss of the data, and the symbolic link will point to a non-existent file.
• Fsutil behavior set SymLinkEvaluation can be used to set the policy governing which symbolic links may be evaluated.
• Implemented using reparse points. Reparse data is user-defined data about a file or directory that has a block of data, called reparse data, associated with it.
NTFS

$LogFile
• Every change recorded in the $LogFile starts with a header.
• The LSN (log sequence number) here relates back to the file record in the MFT for the change that is being recorded.

NTFS

Change journal
• Located under the $Extend folder.
• This change journal "is a file that records when changes are made to files and directories". Each record holds:
- Time of change
- Reason for the change
- File/directory's name
- File/directory's attributes
- File/directory's MFT record number
- File record number of the file's parent directory
- Security ID
- Update Sequence Number of the record
- Information about the source of the change

NTFS

                   FAT16            FAT32                  NTFS
Max file size      2^32 - 1 bytes   2^32 - 1 bytes         2^64 bytes - 1 KB (on-disk format); 2^44 bytes - 64 KB (implementation)
Max volume size    4 GB             32 GB or 127.53 GB     2^64 allocation units (on-disk format); 2^32 allocation units (implementation)
Files per volume   2^16             approx. 4 million      2^32 - 1

NTFS

1) Quick Format
• The $Bitmap is cleared.
• A new $MFT is written to the same location as the previous $MFT if the volume size and cluster size remain the same.
• Most of the old $MFT records are still there, and the clusters are not cleared out.

NTFS

1) When a file is created:
• A record is created in $MFT.
• The data is written to the volume.
• If the data is non-resident, the $Bitmap is updated to reflect the cluster(s) in use to hold the file's data.

2) When a file is deleted:
• The corresponding $MFT record is flagged as referring to a deleted object (the resident data and data runs still remain until overwritten).
• If the data is non-resident, the $Bitmap is updated to reflect that the cluster(s) are available.
• The data remains until it is overwritten. Recovery is possible.
• If the MFT record is reused, information about the previous file will be lost. Data carving becomes the last resort again.

NTFS

Condition 1: the file is in the recycle bin
• The file technically is not deleted.
• Windows and other OSes usually won't display deleted files.

NTFS

Condition 2: the pointer (directory entry / MFT record) is still there
• FAT:
1) assume the file is contiguous,
2) jump according to the FAT allocation.
• NTFS: gather the data runs in the MFT record

File recovery is not guaranteed.

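The "gather the data runs" step for NTFS, as an added example (not the deck's own code): a parser for the non-resident $DATA run-list encoding documented in Carrier's File System Forensic Analysis (header nibbles, length, signed offset relative to the previous run), plus reading a file back in run order from a constructed toy volume. TOY_VOLUME and the run-list byte strings are made up for the example.

```python
# Constructed toy volume: 64 clusters of 8 bytes; cluster c holds eight copies of letter A+c.
TOY_CLUSTER_SIZE = 8
TOY_VOLUME = b"".join(bytes([65 + (c % 26)]) * TOY_CLUSTER_SIZE for c in range(64))


def parse_data_runs(runlist):
    """Decode a non-resident $DATA run list into (start_lcn, length_in_clusters) pairs.
    Each run: a header byte (low nibble = byte size of the length field, high nibble =
    byte size of the offset field), the length, then the offset as a signed delta from
    the previous run's start cluster. Offset size 0 means a sparse run; 0x00 terminates."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:
        header = runlist[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))                   # sparse: no clusters on disk
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def clusters_in_order(runs):
    """Expand runs into the ordered list of clusters (None for sparse clusters)."""
    out = []
    for start, length in runs:
        out.extend([None] * length if start is None else range(start, start + length))
    return out


def read_by_runs(volume, runs, cluster_size, file_size):
    """Gather the file's bytes from the volume in run order and trim to the logical size.
    Sparse clusters read as zeros. For a deleted file this only works while none of the
    clusters have been reallocated (Condition 3 on the following slide)."""
    data = bytearray()
    for c in clusters_in_order(runs):
        data += bytes(cluster_size) if c is None else volume[c * cluster_size:(c + 1) * cluster_size]
    return bytes(data[:file_size])


if __name__ == "__main__":
    # 3 runs: 24 clusters at LCN 0x5634, 48 clusters 32 further on, 16 clusters 16 back.
    print(parse_data_runs(b"\x21\x18\x34\x56\x11\x30\x20\x11\x10\xF0\x00"))
    print(read_by_runs(TOY_VOLUME, parse_data_runs(b"\x11\x02\x05\x11\x01\xFC\x00"),
                       TOY_CLUSTER_SIZE, 20))
```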
NTFS

Condition 3: the file entry is still there, but the first cluster is used by another existing file
• These are also called overwritten files and are normally not recoverable.

NTFS

Condition 4: the file entry is lost
• You don't have any clues to find the location of the file.
• File carving is what remains.

NTFS

File carving
• Data can be carved out according to known file headers/signatures. For example:
➢ PDF -> %PDF
➢ ZIP -> PK
• File metadata, e.g. filename and MAC times, cannot be recovered, as they are stored in the file entry.
• Example: JPEG
➢ Header: 0xFFD8FFE1
➢ Footer: 0xFFD9

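An added example (not from the slides) that carves the signatures listed above out of a constructed blob of unallocated data. It goes a little beyond the slide: it also recognises the JFIF JPEG header 0xFFD8FFE0 and handles an object whose footer is missing by capping it at a maximum size. carve and build_sample_blob are names chosen here.

```python
# Header/footer signatures: the slide's %PDF, PK and JPEG (0xFFD8FFE1) values, plus the
# JFIF JPEG header 0xFFD8FFE0 which the slides do not list. ZIP has no fixed trailer here.
SIGNATURES = {
    "jpeg": ([b"\xFF\xD8\xFF\xE1", b"\xFF\xD8\xFF\xE0"], b"\xFF\xD9"),
    "pdf":  ([b"%PDF"], b"%%EOF"),
    "zip":  ([b"PK\x03\x04"], None),
}


def carve(blob, max_size=10 * 1024 * 1024):
    """Scan unallocated data for known headers and cut each object out up to its footer
    (or max_size when the footer is missing). No names or MAC times can be recovered,
    so each hit is identified only by the offset at which its header was found."""
    hits = []
    for kind, (headers, footer) in SIGNATURES.items():
        for header in headers:
            start = blob.find(header)
            while start != -1:
                end, found = None, False
                if footer is not None:
                    foot = blob.find(footer, start + len(header), start + max_size)
                    if foot != -1:
                        end, found = foot + len(footer), True
                if end is None:
                    end = min(len(blob), start + max_size)   # no footer: cap the object
                hits.append({"offset": start, "type": kind, "size": end - start,
                             "footer_found": found, "data": bytes(blob[start:end])})
                start = blob.find(header, end)               # resume after this object
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_blob():
    """Constructed 'unallocated space': filler, an Exif JPEG, filler, a PDF, then a
    truncated JFIF JPEG with no footer (simulating an overwritten tail)."""
    jpeg = b"\xFF\xD8\xFF\xE1" + b"Exif\x00\x00" + b"J" * 100 + b"\xFF\xD9"
    pdf = b"%PDF-1.4\n" + b"P" * 50 + b"\n%%EOF"
    cut_jpeg = b"\xFF\xD8\xFF\xE0" + b"Q" * 20
    return b"\x00" * 37 + jpeg + b"\xFF" * 11 + pdf + cut_jpeg


if __name__ == "__main__":
    for hit in carve(build_sample_blob(), max_size=200):
        print(hit["offset"], hit["type"], hit["size"], hit["footer_found"])
```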