File system is the place to storeand recovery data; depend to the operating system it may FAT (File AllocationTable) or NTFS (New Technology file system). If we look through the filestructure, Storage Mechanisms and file name, file dateand time, security we can find many feature differencebetween these two File structureDepend to the array bit of theentries in the actual FAT structure on the disk. FAT file system has manydifferent versions like FAT 12, FAT 16, and FAT 32. The major physical layoutcomponents of FAT file system are: Reserved area (volume boot sector) – includethe data in the file system category File allocation table – contain the primaryand backup FAT structure Data area- contain the cluster which allocatedstore file and directory content There normally two FATs (FAT1 and FAT2) in a FATfile system but the exact number of FAT and total size of FAT need determine inthe boot sector. If digital forensic investor need identify the file name,size, start address of the file content and other metadata, they need check thedirectory entry in the file allocate table Windowsstart using NTFs since window 2000; NTFS has better data structure and metadatasupport than FAT file system, unlike FAT file system NTFS do not have speciallayout all the important data is allocated as files. The first 16 sectors are bootrecord, disk signatures and table of primary partitions. The center of the NTFSfile system is the MFT (Master File Table) it keeps the record all the file andfolder in the NTFS volume. File name start with $ are MFT stored metadata file.
. The following table showing the major system files of NTFS system and theirfunctions. File name File function $ MFT Master file table, each MFT record is 1024 bytes long #MFTMirr Backup of MFT $LogFile The file used for system recovery and integrity $Volume Identify information about NFT version and volume name $AtterDef Attribute information $BitMap Track the allocation of eight cluster $Boot Contain the partition boot sector and boot code $BadClus Bad cluster information of the partition $Secure Secure information of the file Storage Mechanisms and file name storageformat The NTFS and FAT file system both keep thedata in the cluster, but the NTFS use smaller cluster size which means the NTFScan store more data. As we discuss before NTFS use Master file Table but FATuse directory entries and file allocation table, when the forensics investorexam the NFTS disk they can find file information from 0 sectors .there are 3attribute important for the forensic investigation $STAND_INFORMATION, $FILE_NAMEand $DATA attribute. All the file name and directory information are in thesethree attribute. FAT file system the data won’t be record after reserved areaand File Allocation Table areas, also same extract sector after data area whenthe forensic investor exam FAT file system they need check the hide data inthese sectors. In FAT file system the entirefile will save under long file name File date and time When the forensic investor exam a filesystem they need careful about the file date and time stamps.
NTFS store thefile’s date and time in UTC (Coordinated Universal Time) but FAT stores thefile on computer local time. Security FAT file system cannot encryption form internal;the only way to secure is external program. Compare with FAT file system NTFShave been improved their security system; NFTS have access control and fileencryption.
The file only can access after the user login.