You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
Understanding file systems is essential for digital forensics. A file system determines how data is organised, stored, and retrieved on a storage device. Forensic examiners must understand file system internals to locate active files, recover deleted data, and interpret metadata that reveals user and system activity.
| File System | Operating System | Key Features |
|---|---|---|
| NTFS | Windows | Journaling; ACLs; Alternate Data Streams (ADS); encryption (EFS) |
| FAT32 | Windows, removable media | Simple structure; no journaling; 4 GB file size limit |
| exFAT | Removable media, cross-platform | No journaling; supports large files; widely compatible |
| ext4 | Linux | Journaling; extents; large file and volume support |
| HFS+ | macOS (legacy) | Journaling; resource forks; case-insensitive by default |
| APFS | macOS, iOS | Copy-on-write; snapshots; native encryption; space sharing |
| XFS | Linux (enterprise) | High-performance journaling; large file system support |
Storage devices are divided into fixed-size units:
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.