Application Category

Some file systems contain data that belongs in the application category. These data are not essential to the file system, and they typically exist as special file system data instead of inside a normal file because it is more efficient. This section covers one of the most common application category features, which is called journaling.

Technically, any file that an OS or an application creates could be designed as a feature in a file system. For example, Acme Software could decide that its OS would be faster if an area of the file system were reserved for an address book. Instead of saving names and addresses in a file, they would be saved to a special section of the volume. This might cause a performance improvement, but it is not essential for the file system.

File System Journals

As any computer user knows, it is not uncommon for a computer to halt and crash. If the OS was writing data to the disk or if it was waiting to write some data to disk when the crash occurred, the file system could be in an inconsistent state. There could be an allocated metadata structure with allocated data units, but no pointers between them and no file name pointing to the metadata structure.

To find the inconsistencies, an OS runs a program that scans the file system and looks for missing pointers and other signs of corruption. This can take a very long time for large file systems. To make the scanning program's job easier, some file systems implement a journal. Before any metadata changes are made to the file system, an entry is made in the journal that describes the changes that will occur. After the changes are made, another entry is made in the journal to show that the changes occurred. If the system crashes, the scanning program reads the journal and locates the entries that were not completed. The program then either completes the changes or rolls them back to the original state.

Many file systems now support journaling because it saves time when booting large systems. The journal is in the application category because it is not needed for the file system to operate. It exists to make the consistency checking faster.

File system journals may turn out to be useful in investigations, although to date they have not been fully utilized. A journal shows which file system events recently occurred, and this could help with event reconstruction of a recent incident. Most forensic tools do not process the contents of a file system journal. TSK has tools called jls and jcat that list the contents of some journals.

Part I: Foundations

Digital Investigation Foundations

Computer Foundations

Hard Disk Data Acquisition

Part II: Volume Analysis

Volume Analysis

PC-based Partitions

Server-based Partitions

Multiple Disk Volumes

Part III: File System Analysis

File System Analysis

FAT Concepts and Analysis

FAT Data Structures

NTFS Concepts

NTFS Analysis

NTFS Data Structures

Ext2 and Ext3 Concepts and Analysis

Ext2 and Ext3 Data Structures

UFS1 and UFS2 Concepts and Analysis

UFS1 and UFS2 Data Structures




File System Forensic Analysis
File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier © 2008-2020.
If you may any questions please contact us: