Understanding file systems is essential for digital forensics. A file system determines how data is organised, stored, and retrieved on a storage device. Forensic examiners must understand file system internals to locate active files, recover deleted data, and interpret metadata that reveals user and system activity.
| File System | Operating System | Key Features |
|---|---|---|
| NTFS | Windows | Journaling; ACLs; Alternate Data Streams (ADS); encryption (EFS) |
| FAT32 | Windows, removable media | Simple structure; no journaling; 4 GB file size limit |
| exFAT | Removable media, cross-platform | No journaling; supports large files; widely compatible |
| ext4 | Linux | Journaling; extents; large file and volume support |
| HFS+ | macOS (legacy) | Journaling; resource forks; case-insensitive by default |
| APFS | macOS, iOS | Copy-on-write; snapshots; native encryption; space sharing |
| XFS | Linux (enterprise) | High-performance journaling; large file system support |
Storage devices are divided into fixed-size units:
| Concept | Description |
|---|---|
| Sector | The smallest addressable unit on a physical disk (traditionally 512 bytes; modern drives use 4096 bytes) |
| Cluster (allocation unit) | A group of contiguous sectors treated as a single unit by the file system (e.g. 4 KB in NTFS) |
| Partition | A logical division of a physical disk |
| Volume | A formatted partition with a file system |
```text
Master File Table (MFT)
Entry 0: $MFT (the MFT itself)
Entry 1: $MFTMirr (mirror of first entries)
Entry 5: Root directory (\)
Entry N: user_file.docx
├── File name: user_file.docx
├── Created: 2026-01-10 14:30:00
├── Modified: 2026-01-12 09:15:22
├── Accessed: 2026-01-14 16:00:00
├── Size: 45,312 bytes
└── Data runs: clusters 1000-1010
```
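To make the record layout sketched above concrete, here is an added Python example (not part of the lesson) that parses one NTFS FILE record: it applies the update-sequence fixup, reads the in-use and directory flags, and pulls the file name and the $STANDARD_INFORMATION timestamps out of the resident attributes. `build_sample_record` is a constructed test record, not real disk data, and the 1024-byte record size is an assumption (the real size is read from $Boot).

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def filetime(ticks):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_mft_record(rec):
    """Parse one 1024-byte FILE record (assumed size); resident attributes only."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(rec)
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    # Undo the update-sequence fixup: the last 2 bytes of each 512-byte sector
    # hold the USN on disk; the original bytes are saved in the USA array.
    for i in range(1, usa_len):
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, flags
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}  # deleted => in_use False
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:  # resident: content follows the 24-byte attribute header
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:  # created, modified, MFT-modified, accessed
                c, m, _, a = struct.unpack_from("<QQQQ", body)
                info.update(created=filetime(c), modified=filetime(m), accessed=filetime(a))
            elif atype == FILE_NAME:  # name length at 0x40, UTF-16LE name at 0x42
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return info

def build_sample_record(name, in_use=True):
    """Constructed sample record (not real disk data) with $STANDARD_INFORMATION and $FILE_NAME."""
    def attr(atype, body):  # resident attribute: 24-byte header, 8-byte aligned body
        body += b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body
    ts = lambda s: int((datetime.fromisoformat(s).replace(tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    si = struct.pack("<QQQQ", ts("2026-01-10 14:30:00"), ts("2026-01-12 09:15:22"),
                     ts("2026-01-12 09:15:22"), ts("2026-01-14 16:00:00")) + b"\0" * 16
    fn = struct.pack("<Q", 5) + b"\0" * 56 + bytes([len(name), 3]) + name.encode("utf-16-le")  # parent = root (entry 5)
    attrs = attr(STANDARD_INFORMATION, si) + attr(FILE_NAME, fn) + struct.pack("<I", END_MARKER)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 7, 1, 0x38, int(in_use), 0x38 + len(attrs), 1024, 0, 4, 0, 42)
    rec = bytearray(hdr + struct.pack("<H", 1) + b"\0" * 6 + attrs).ljust(1024, b"\0")  # USN=1, 2 USA slots, pad
    for i in (1, 2):  # apply fixups the way NTFS does on write
        rec[0x30 + 2 * i:0x30 + 2 * i + 2], rec[512 * i - 2:512 * i] = rec[512 * i - 2:512 * i], b"\x01\x00"
    return bytes(rec)
```

A record whose in-use flag is clear but still carries a name and timestamps is exactly what an examiner looks for when recovering deleted files from the MFT.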
NTFS provides several forensically significant structures:
| Artefact | Description |
|---|---|
| Master File Table (MFT) | Central metadata table; one entry per file and directory |
| $LogFile | Transaction journal for file system operations (assists recovery after crash) |
| $UsnJrnl | Update Sequence Number Journal; records every change to files and directories |
| $I30 index | Directory index that can contain references to deleted files |
| Alternate Data Streams (ADS) | Hidden data streams attached to files; used legitimately and by malware |
| $Bitmap | Tracks which clusters are allocated and which are free |
| $Boot | Contains the boot sector and NTFS parameters |
```cmd
:: Create an ADS (Windows)
echo "hidden data" > normal_file.txt:secret_stream
:: List ADS
dir /r normal_file.txt
:: Output includes: normal_file.txt:secret_stream:$DATA
:: Read an ADS
more < normal_file.txt:secret_stream
```
Tip: Always check for Alternate Data Streams during an NTFS forensic examination. Malware and data exfiltration tools have been known to hide payloads in ADS.
When a file is deleted, the data is not immediately destroyed: