10.2 File Systems

The simplest Windows file systems to understand are the FAT (file allocation table) file systems: FAT12, FAT16, and FAT32. To locate data on a volume, these file systems use directories and a FAT. The root directory (e.g. C:\) is at a pre-specified location on the volume so that the operating system knows where to find it (recall Figures 8.5 and 10.1). This directory contains a list of files and subdirectories on a floppy diskette with their associated properties as shown here through Norton Disk Editor.[2]

    Norton Disk Editor, Root Directory view, Drive A:, Sector 19, Offset 0 (hex 0)

    Name      .Ext  ID       Size   Date     Time      Cluster  A R S H D V
    SALES           Vol         0   4-13-03  3:36 pm         0  A - - - - V
    ix.doc          LFN         0                            0  - R S H - V
    skiways-getaf   LFN         0                            0  - R S H - V
    SKIWAY~1 DOC    File    21504   5-13-03  11:58 am      184  A - - - - -
    todo.txt        LFN         0                            0  - R S H - V
    TODO     TXT    File      122   5-13-03  12:40 pm      226  A - - - - -
    t               LFN         0                            0  - R S H - V
    newaddress.tx   LFN         0                            0  - R S H - V
    NEWADD~1 TXT    File      122   5-13-03  12:42 pm      227  A - - - - -
    greenfield.do   Del LFN     0                            0  - R S H - V
    σREENF~1 DOC    Erased  19968   5-08-03  2:34 pm       275  A - - - - -
    april           Del LFN     0                            0  - R S H - V
    σPRIL           Erased      0   5-08-03  2:41 pm       157  - - - - D -
    contacts.xls    LFN         0                            0  - R S H - V
    CONTACTS XLS    File    16896   2-18-01  12:49 pm      314  A R - - - -
    (Sector 20)     Unused directory entry
    (Sector 20)     Unused directory entry
    (Sector 20)     Unused directory entry

Figure 10.1: Root directory (skyways-getafix.doc starts in cluster 184). The file's FAT data occupies clusters 184-225 (42 clusters × 512 bytes/cluster = 21504 bytes).

This view shows the last modified date and time of each file. The last accessed date and the creation date and time can be displayed by selecting the "More" menu.[3] Notably, FAT file systems do not record the last accessed time, only the last accessed date. Listing the contents of a volume with the dir command displays some of this information but does not show the starting cluster, which is a critical component from the file system perspective. Besides indicating where the file begins, the starting cluster directs the operating system to the corresponding entry in the FAT. The FAT can be thought of as a list with one entry for each cluster in the volume; each entry indicates what its cluster is being used for. The following output from Norton Disk Editor shows the file allocation table of the same floppy diskette.

    Norton Disk Editor, FAT (1st Copy), Drive A:, Sector 1, cursor at cluster 184 (hex B8)

    Clusters   Entries (0 = free, n = next cluster of the file, <EOF> = last cluster of the file)
    176-183       0      0      0      0      0      0      0      0
    184-191     185    186    187    188    189    190    191    192
    192-199     193    194    195    196    197    198    199    200
    200-207     201    202    203    204    205    206    207    208
    208-215     209    210    211    212    213    214    215    216
    216-223     217    218    219    220    221    222    223    224
    224-231     225  <EOF>  <EOF>  <EOF>      0      0      0      0
    232-239       0      0      0      0      0      0      0      0
    240-247       0      0      0      0      0      0      0      0
    248-255       0      0      0      0      0      0      0      0
    256-263       0      0      0      0      0      0      0      0
    264-271       0      0      0      0      0      0      0      0
    272-279       0      0      0      0      0      0      0      0
    280-287       0      0      0      0      0      0      0      0
    288-295       0      0      0      0      0      0      0      0
    296-303       0      0      0      0      0      0      0      0
    304-311       0      0      0      0      0      0      0      0
    312-319       0      0    315    316    317    318    319    320
    320-327     321    322    323    324    325    326    327    328
    328-335     329    330    331    332    333    334    335    336
    336-340     337    338    339    340    341

A FAT entry containing zero means the corresponding cluster is free for allocation (when a file is deleted, the FAT entries for its clusters are set to zero). A FAT entry greater than zero is the number of the next cluster belonging to the file or directory that occupies it. For instance, the root directory indicates that the file "skyways-getafix.doc" begins at cluster 184. The FAT entry for cluster 184 indicates that the file continues in cluster 185; the entry for cluster 185 points to cluster 186, and so on, like links in a chain, until the end-of-file (EOF) marker in the entry for cluster 225 is reached. In this example, cluster 226 belongs to a different file ("todo.txt") that occupies only one cluster, so its FAT entry does not need to reference any other cluster and simply contains an EOF marker.

Subdirectories are just a special type of file containing information such as names, attributes, dates, times, sizes, and the first cluster of each file on the system. For instance, before the directory named "april" on the floppy diskette was deleted and overwritten, it occupied cluster 157 and contained the following:

[Figure: raw directory entries of the deleted "april" directory in cluster 157, as shown in Norton Disk Editor; image not reproduced here]

This translates to the following directory listing with four deleted files:

    Name             Created              Written              Accessed  Size        Cluster
    .                05/08/03 02:41:44PM  05/08/03 02:41:44PM  05/08/03  0           157
    ..               05/08/03 02:41:44PM  05/08/03 02:41:44PM  05/08/03  0           0
    σskiways.doc     03/19/80 12:03:50AM  03/03/80 12:03:30AM  01/14/80  4294901760  6553600
    σKIWAYS.DOC      05/08/03 02:28:06PM  04/14/03 09:00:40AM  05/08/03  19968       118
    σglobalcom.doc   03/03/80 12:03:24AM  03/04/80 12:01:28AM  03/15/80  6488175     7143424
    σLOBAL~1.DOC     05/08/03 02:27:54PM  04/14/03 09:01:16AM  05/08/03  19968       2
    σhandbright.doc  03/07/80 12:03:18AM  03/04/80 12:01:28AM  03/08/80  6488175     7602176
    σANDRI~1.DOC     05/08/03 02:28:02PM  04/14/03 09:00:12AM  05/08/03  19968       79
    σenginuity.doc   03/09/80 12:03:42AM  03/04/80 12:01:28AM  03/20/80  6488175     7929856
    σNGINU~1.DOC     05/08/03 02:27:58PM  04/14/03 08:58:32AM  05/08/03  19456       41

When an individual instructs a computer to open a file in a subdirectory (e.g. "C:\april\handbright.doc"), the operating system goes to the root directory, determines which cluster contains the desired subdirectory (cluster 157 for "april"), and uses the directory information in that cluster to determine the starting cluster of the desired file (cluster 79 for "handbright.doc"). If the file is larger than one cluster, the operating system refers to the FAT for the next cluster of this file. The entire file is read by repeating this "chaining" process until an EOF marker is reached.
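As an added example (not the book's or Norton's code), the chaining just described, carried out on a FAT12 table constructed to match the root directory and FAT shown above. The standard 1.44 MB diskette geometry (512-byte sectors, one sector per cluster, one reserved sector, two 9-sector FATs, 14 root-directory sectors) is assumed, and the loop, free-cluster and bad-cluster checks are the defensive additions a forensic tool needs when walking a damaged FAT.

```python
# Added example (not the book's code): FAT12 chain walking on a constructed FAT that mirrors the floppy in the text.
# Assumed 1.44 MB geometry: 512-byte sectors, 1 sector per cluster, 1 reserved sector, two 9-sector FATs, 14 root sectors.
BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 512, 1
DATA_START_SECTOR = 1 + 2 * 9 + 14      # root directory occupies sectors 19-32, so data begins at sector 33
TOTAL_CLUSTERS = 2 + (2880 - DATA_START_SECTOR) // SECTORS_PER_CLUSTER   # valid cluster numbers run 2..2848

def fat12_get(fat: bytes, cluster: int) -> int:
    """Read the packed 12-bit FAT entry for `cluster` (1.5 bytes per entry)."""
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if cluster & 1 else word & 0x0FFF

def fat12_set(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit entry without disturbing the neighbouring entry's nibble."""
    off = cluster + cluster // 2
    if cluster & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off], fat[off + 1] = value & 0xFF, (fat[off + 1] & 0xF0) | (value >> 8)

def follow_chain(fat: bytes, start: int) -> list[int]:
    """Follow next-cluster links from `start` until an EOF marker (>= 0xFF8), as the OS does."""
    chain, cluster = [], start
    while True:
        if cluster < 2 or cluster >= TOTAL_CLUSTERS or cluster in chain:
            raise ValueError(f"chain leaves the volume or loops at cluster {cluster}")
        chain.append(cluster)
        nxt = fat12_get(fat, cluster)
        if nxt == 0 or nxt == 0xFF7:
            raise ValueError(f"cluster {cluster} links to a free (0) or bad-cluster (0xFF7) entry")
        if nxt >= 0xFF8:
            return chain                    # end-of-file marker reached
        cluster = nxt

def cluster_to_sector(cluster: int) -> int:
    return DATA_START_SECTOR + (cluster - 2) * SECTORS_PER_CLUSTER   # data area starts at cluster 2

def slack_bytes(file_size: int, clusters_used: int) -> int:
    return clusters_used * SECTORS_PER_CLUSTER * BYTES_PER_SECTOR - file_size   # unused tail of the last cluster

def build_sample_fat() -> bytearray:
    """Constructed FAT: skiways 184-225 (42 clusters), todo.txt 226, newaddress.txt 227, contacts.xls 314-346."""
    fat = bytearray(9 * BYTES_PER_SECTOR)
    fat12_set(fat, 0, 0xFF0); fat12_set(fat, 1, 0xFFF)   # media descriptor and reserved entry
    for first, count in ((184, 42), (226, 1), (227, 1), (314, 33)):
        for c in range(first, first + count - 1):
            fat12_set(fat, c, c + 1)        # link to the next cluster in the chain
        fat12_set(fat, first + count - 1, 0xFFF)   # end-of-file marker
    return fat
```

Walking cluster 184 yields the 42-cluster chain 184-225 for skiways-getafix.doc, while todo.txt (122 bytes in cluster 226) leaves 390 bytes of slack in its single cluster.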

FAT12 uses 12-bit fields for each entry in the FAT and is mainly used on floppy diskettes. FAT16 uses 16-bit fields to identify a cluster in the FAT, and a FAT16 volume must have fewer than 65,525 clusters. This is why larger clusters are needed on larger volumes: a 1 Gbyte volume can be fully utilized with 65,525 clusters of 16 kB (32 sectors per cluster), whereas a 2 Gbyte volume requires clusters twice as large, that is, 65,525 clusters of 32 kB (64 sectors per cluster). FAT32 was created to deal with larger hard drives by using 28-bit fields in the FAT (4 bits of each 32-bit field are "reserved"). FAT32 also makes better use of space by using smaller clusters than FAT16; this can be a disadvantage for investigators because it reduces the amount of slack space.[4]

NTFS is significantly different from FAT file systems: it stores information in a Master File Table (MFT), supports larger disks more efficiently (resulting in less slack space), provides file- and directory-level security using Access Control Lists (ACLs), and more. The MFT is a list of records that contains most of the information needed to locate data on the disk. Records in the MFT contain the created, last modified, and last accessed dates and times. Directories are treated much like any other file in NTFS, but their contents are stored as index entries in a B-tree, which accelerates access and facilitates resorting when entries are deleted. Instead of using ASCII to represent data such as file and folder names, NTFS uses an encoding scheme called Unicode. This difference must be taken into account when performing text searches.

NTFS creates MFT entries as they are needed. However, recovering deleted files in NTFS can be complicated by the fact that unused entries in the MFT are reused before new ones are created. Therefore, when a file is deleted, the next file that is created may overwrite the MFT entry for the deleted file. However, if many files are created and then deleted, causing the MFT to grow, those entries will remain indefinitely since new files will reuse earlier entries in the MFT. Another feature of NTFS that makes it more difficult to recover a deleted file is that it keeps directory entries sorted by name. When a file is deleted, a resorting process occurs that may overwrite the deleted directory entry with entries lower down in the directory, breaking a crucial link between the file name and the data on disk.

NTFS is a journaling file system, retaining a record of file system operations that can be used to repair any damage caused by a system crash. There are currently no tools available for interpreting the journal file (called "$Logfile") on NTFS to determine what changes were made. This is a potential rich source of information from a forensic standpoint that will certainly be exploited in the future. For more detailed discussion of NTFS, see the Handbook of Computer Crime Investigation, Chapter 7 (Sheldon 2002).

[2]This floppy diskette is referenced in a case example later in this chapter. A bitstream copy of this disk is available on the Web site associated with this book (http://www.disclosedigital.com/decc2/).

[3]FAT represents time since January 1, 1980 and NTFS represents times as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.
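An added example (not the book's code) decoding the raw timestamp fields this footnote describes: the packed 16-bit FAT date and time fields, where the last-access field holds a date only and the time field has 2-second resolution, and the 64-bit NTFS FILETIME counted in 100-nanosecond units since 1601. The bit layouts are the documented FAT and NTFS formats; the sample values are constructed from the 5-13-03 11:58 am entry in the root directory above.

```python
# Added example (not the book's code): decode FAT date/time bit fields and NTFS FILETIME values.
# FAT stamps carry no time zone (local time as set on the machine); NTFS FILETIME is defined in UTC.
from datetime import datetime, timedelta, timezone

FAT_EPOCH_YEAR = 1980
NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def fat_date(raw: int) -> tuple[int, int, int]:
    """16-bit FAT date: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day."""
    return FAT_EPOCH_YEAR + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def fat_time(raw: int) -> tuple[int, int, int]:
    """16-bit FAT time: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2 (2-second resolution)."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def fat_datetime(date_raw: int, time_raw: int = 0) -> datetime:
    """Combine both fields; the last-access field has no time, so it decodes to midnight."""
    y, mo, d = fat_date(date_raw)
    h, mi, s = fat_time(time_raw)
    return datetime(y, mo, d, h, mi, s)

def ntfs_filetime(raw: int) -> datetime:
    """64-bit FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC."""
    return NTFS_EPOCH + timedelta(microseconds=raw // 10)

def encode_fat(dt: datetime) -> tuple[int, int]:
    """Pack a datetime the way a FAT directory entry stores it; odd seconds are rounded down."""
    date_raw = ((dt.year - FAT_EPOCH_YEAR) << 9) | (dt.month << 5) | dt.day
    time_raw = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_raw, time_raw
```

Note that a FAT write time of 11:58:37 is stored as 11:58:36, so a timeline built from FAT stamps cannot resolve events closer than two seconds apart.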

[4]FAT16 file systems in Windows 95 and later versions support long file names, storing the long names using Unicode format in special entries in the parent directory. For more detailed discussion see Sammes and Jenkinson (2000, pp. 164–165).




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
