This is a question about digital forensics and how it relates to Windows file systems, specifically FAT and NTFS. How might knowledge about these two file structures (NTFS and FAT) be useful to a digital forensics examiner? How would it help them with their process? Please explain in detail. Thank you!
Yes, NTFS and FAT are very useful nowadays and in future, especially in the forensics arena. With constantly changing technology, operating systems and file systems will be constantly updating to support the technology. As a forensic examiner it is important to keep up with and understand these new file systems. The next step is a look into ReFS, and how it compares to past file system forensic analysis. Also, since ReFS will be introduced with the new Windows 8 server, an analysis on data extracted from the OS could be looked at, with respect to the control and organization of the resilient file system.
Both systems offer forensic evidence that is significant and mandatory in an investigation. Knowing how these file systems work and the layout of key structures, storage mechanisms, associated metadata, and file system characteristics is essential to being able to forensically investigate a computer or other device. The New Technology File System (NTFS) and File Allocation Table (FAT32) are two key file systems that will be compared and contrasted, since both are still actively used and encountered often.
Now that we are aware of all the characteristics of both file allocation systems, reasoning behind forensic choices. In my capacity as a forensic computer investigator, one of my functions is to make perfect images of suspect hard drives with no data pollution. We have many ways of performing this task but the preferred method is to use the ENCASE tools. ENCASE can easily be used in a Windows or DOS environment. ENCASE can be used for single hard disks or servers. Usually, the drives we have to image are as large as the largest hard disk on the market. To access the suspect’s drive we plug in the FASTBLOC through our laptop (PCMCIA) and send the raw data to an external hard disk by using the ENCASE program in a Windows 2000 environment on our forensic laptop. While using this procedure, the evidence drive (the one containing the image) can be formatted in either FAT 32 or NTFS, since Windows 2000 recognizes both. That process is mainly how we proceed with our forensic imaging of IDE drives.
In the forensic world we know that our expertise will be challenged repeatedly by the judicial system and we have to be consistent with all the procedures that we use and be able to explain the unexplainable. Basically we need to defend our work and the results attached to it. In our case the problem experienced by the investigators with the different file allocation table was reviewed and the process of wiping, formatting and partitioning was modified to be uniform and problem free when on site. As of now every investigator has to include in their tool box at least one hard disk of both formats (FAT 32 and NTFS). These hard drives will be wiped, formatted and partitioned the same way all the time. We use a wiping utility in accordance with the Department of National Defense standard 5220.22-M (DND) meaning three passes are performed on every disk, the disks are formatted then partitioned in FAT 32 (irrelevant of the disk sizes) or NTFS. It was a learning experience that fortunately did not affect the end result of our investigation but made our inquiring minds work overtime to figure out the problem.
In order to facilitate our work in the future, we would need to either use FAT 32 hard disks or switch our Native DOS program to NTFS DOS.
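The answer above says that knowing "the layout of key structures" of FAT32 and NTFS is essential for an examiner. As an added illustration (this is not part of the answer, and not EnCase or any vendor's code), the Python below reads the first sector of a volume and pulls out the values an examiner needs first: which file system it is, the cluster size, and where the Master File Table (NTFS) or the FAT and root directory (FAT32) sit in the raw image. The two boot sectors it parses are constructed in the script so it runs offline; offsets follow the published NTFS and FAT32 BIOS Parameter Block layouts, and the helper names (`build_*`, `parse_boot_sector`) are this example's own.

```python
import struct

SECTOR = 512  # boot sector length on both file systems

def has_boot_signature(bs):
    """True when the sector ends in the 0x55AA marker both FAT and NTFS require."""
    return len(bs) >= SECTOR and bs[510:512] == b"\x55\xAA"

def build_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           total_sectors=2_097_152, mft_cluster=786_432,
                           mftmirr_cluster=2, serial=0x1234567890ABCDEF):
    """Constructed NTFS boot sector for the demo (not captured from a real disk)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"          # jump instruction
    bs[3:11] = b"NTFS    "             # OEM ID identifies the file system
    struct.pack_into("<HBH", bs, 11, bytes_per_sector, sectors_per_cluster, 0)
    bs[21] = 0xF8                      # media descriptor: fixed disk
    struct.pack_into("<HHI", bs, 24, 63, 255, 2048)   # geometry, hidden sectors
    struct.pack_into("<QQQ", bs, 40, total_sectors, mft_cluster, mftmirr_cluster)
    bs[64] = 0xF6                      # signed -10: file record size is 2**10 bytes
    bs[68] = 0x01                      # clusters per index block
    struct.pack_into("<Q", bs, 72, serial)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def build_fat32_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                            reserved=32, num_fats=2, fat_size=2048,
                            total_sectors=2_097_152, root_cluster=2,
                            label=b"EVIDENCE01 ", serial=0xDEADBEEF):
    """Constructed FAT32 boot sector (BPB) for the demo (not from a real disk)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FAT count, root entries (0 on FAT32),
    # 16-bit total sectors (0), media, 16-bit FAT size (0)
    struct.pack_into("<HBHBHHBH", bs, 11, bytes_per_sector, sectors_per_cluster,
                     reserved, num_fats, 0, 0, 0xF8, 0)
    # sectors/track, heads, hidden sectors, 32-bit total sectors, 32-bit FAT size
    struct.pack_into("<HHIII", bs, 24, 63, 255, 2048, total_sectors, fat_size)
    # ext flags, version, root dir cluster, FSInfo sector, backup boot sector
    struct.pack_into("<HHIHH", bs, 40, 0, 0, root_cluster, 1, 6)
    # drive number, reserved, extended boot signature, volume ID, label, type string
    struct.pack_into("<BBBI11s8s", bs, 64, 0x80, 0, 0x29, serial, label, b"FAT32   ")
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def parse_boot_sector(bs):
    """Identify FAT32 vs NTFS and compute the byte offsets an examiner needs."""
    if not has_boot_signature(bs):
        raise ValueError("missing 0x55AA boot signature: not a valid boot sector")
    bps, spc, reserved = struct.unpack_from("<HBH", bs, 11)
    info = {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "cluster_size": bps * spc, "reserved_sectors": reserved}
    if bs[3:11] == b"NTFS    ":
        total, mft, mftmirr = struct.unpack_from("<QQQ", bs, 40)
        rec = struct.unpack_from("<b", bs, 64)[0]        # signed byte
        record_size = (1 << -rec) if rec < 0 else rec * bps * spc
        serial = struct.unpack_from("<Q", bs, 72)[0]
        info.update(fs="NTFS", total_sectors=total,
                    mft_offset=mft * bps * spc,           # where $MFT starts in the image
                    mftmirr_offset=mftmirr * bps * spc,   # backup copy of the first records
                    file_record_size=record_size, volume_serial=f"{serial:016X}")
        return info
    num_fats = bs[16]
    root_entries, _total16, _media, fat16 = struct.unpack_from("<HHBH", bs, 17)
    total32, fat32 = struct.unpack_from("<II", bs, 32)
    # Per the FAT spec, FAT32 is recognised by zeroed root-entry and 16-bit FAT fields,
    # not by the "FAT32" label string, which is informational only.
    if root_entries != 0 or fat16 != 0 or fat32 == 0:
        info.update(fs="FAT12/FAT16 or unknown")
        return info
    root_cluster = struct.unpack_from("<I", bs, 44)[0]
    serial = struct.unpack_from("<I", bs, 67)[0]
    fat_offset = reserved * bps
    data_offset = (reserved + num_fats * fat32) * bps     # cluster 2 starts here
    info.update(fs="FAT32", total_sectors=total32, number_of_fats=num_fats,
                fat_offset=fat_offset, data_offset=data_offset,
                root_dir_offset=data_offset + (root_cluster - 2) * bps * spc,
                volume_label=bs[71:82].decode("ascii").strip(),
                volume_serial=f"{serial:08X}")
    return info

if __name__ == "__main__":
    for sector in (build_ntfs_boot_sector(), build_fat32_boot_sector()):
        for key, value in parse_boot_sector(sector).items():
            print(f"{key:>18}: {value}")
        print()
```

On a real image you would pass the first 512 bytes of the partition (for example `open("image.dd", "rb").read(512)` at the partition's start offset) instead of the constructed sectors. The point for an examiner is that the same small header tells you whether the evidence drive or suspect volume is FAT32 or NTFS and, from that, exactly where the allocation structures live, which is what a tool like EnCase is doing before it can show you a single file.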