File system structures
A file system is where data is stored and retrieved. Depending on the operating system, it may be FAT (File Allocation Table) or NTFS (New Technology File System). Comparing the FAT and NTFS file systems, there are numerous major differences in file structure, storage components and file names, file date and time, and security features.
File structure
The FAT file system has several variations, such as FAT12, FAT16 and FAT32, depending on the number of bits in the entries of the actual FAT structure on the disk. The physical layout components of a FAT file system are:
Reserved area (volume boot sector): includes the data in the file system category
File allocation table: contains the primary and backup FAT structures
Data area: contains the clusters allocated to store file and directory content
There are normally two FATs (FAT1 and FAT2) in a FAT file system, but the exact number of FATs and the total size of each FAT are defined in the boot sector. If a digital forensic investigator needs to identify the file name, size, starting address of the file content and other metadata, they need to check the directory entry in the file allocation table.
NTFS is the common file system for Windows computers. NTFS has better metadata support and data structures than the FAT file system. Unlike the FAT file system, NTFS does not have a special layout; all the essential data is allocated as files. The first sixteen sectors are the boot record, disk signatures and table of primary partitions. The heart of the NTFS file system is the MFT (Master File Table), which keeps a record of every file and folder on the NTFS volume. Files whose names begin with $ are metadata files located in the MFT.
The following table shows the major system files of the NTFS file system and their functions.

| File name | File function |
|---|---|
| $MFT | Master file table; each MFT record is 1024 bytes long |
| $MFTMirr | Backup of the MFT |
| $LogFile | File used for system recovery and integrity |
| $Volume | Information about the NTFS version and volume label |
| $AttrDef | Attribute data |
| $Bitmap | Tracks the allocation of 8-10 clusters |
| $Boot | Contains the partition boot sector and boot code |
| $BadClus | Bad cluster information for the partition |
| $Secure | Security information for the file |
Storage components and file name
The NTFS and FAT file systems both keep data in clusters, but NTFS uses a smaller cluster size, which means NTFS can store more data. As discussed above, NTFS uses the Master File Table, whereas FAT uses directory entries and the file allocation table. When a forensic investigator examines an NTFS drive, they can get file details starting from sector zero. Three attributes are important for forensic analysis: $STANDARD_INFORMATION, $FILE_NAME and $DATA. All of the file name and directory information is held in these three attributes. In a FAT file system, data is not recorded in the sectors after the reserved area and the FAT areas, nor in the extra sectors after the data area, so when a forensic investigator examines a FAT file system they need to check these sectors for hidden data. In the FAT file system the entire file is saved under the long file name.
File date and time
When a forensic investigator examines a file system, they need to be careful about the file date and time stamps. NTFS stores a file's date and time in UTC (Coordinated Universal Time), but FAT stores them in the computer's local time.
Security
The FAT file system has no built-in encryption; the only way to secure it is with an external application. Compared with the FAT file system, NTFS has improved security: NTFS has access control and file security. A file can only be accessed after the user logs in.