Week 7 - Introduction to File Systems Flashcards
What are file systems and what do they do?
What is a file system?
A file system is a set of structures that is used to control how data is stored on a disk.
Without a file system there would be no means of telling where one bit of info (e.g. a file) ended and the next started.
The FILE is the basic unit of storage in the file system
What does it do?
It manages file storage by allocating space and maintaining the space so it is not overwritten.
It stores file metadata (data about the file - may include MAC times and dates, size, permissions, attributes, forks). Varies with file system.
List the common file system types
HARD DISK FS - we will focus on this, but others are listed below
OPTICAL DISK FS (CD / DVD)
TAPE DRIVE FS (magnetic tapes)
FLASH FS (e.g. mobile devices)
NETWORK FS (FS which are accessed over a network)
USER FS (FS that exist temporarily in user space)
List the common HDD File Systems
FAT (early MS FS still often used on removable storage because it is compatible with most other FS)
NTFS (current MS standard since Windows NT)
ReFS (new file system for Windows)
EXT (Linux standard FS)
HFS, APFS (Mac standard FS)
What do forensicators look for?
- File contents (obvs!)
- Timestamps are vital metadata
- Forks (in Macs) or alternate data streams (ADS in NTFS) may contain hidden info
What are these?
- ADS in NTFS is an additional stream of data that can be associated with a file but is not the file data itself - it allows things like metadata or thumbnails to be stored alongside the main file data.
- Forks on Macs are similar to ADS; the file system historically supported two forks, the data fork and the resource fork. The resource fork contains things like metadata, icons, file type data and app data.
In summary, the FS is one of the main sources of digital evidence available. It contains logical structures that organise the file data and the metadata on a disk.
Timelines of file access and modification can be developed showing user actions over a period of time.