A file system is the place where data is stored and recovered in a computer system. Depending on the operating system, it may be FAT (File Allocation Table) or NTFS (New Technology File System). Comparing the FAT and NTFS file systems, there are many differences in file structure, storage mechanisms and file names, file dates and times, and security features.

File structure

The FAT file system has many different versions, such as FAT12, FAT16 and FAT32, depending on the number of bits in the entries of the actual FAT structure on the disk.

The major physical layout components of the FAT file system are:
Reserved area (volume boot sector) - contains the data in the file system category
File allocation table - contains the primary and backup FAT structures
Data area - contains the clusters allocated to store file and directory content

There are normally two FATs (FAT1 and FAT2) in a FAT file system, but the exact number of FATs and the total size of the FAT need to be determined from the boot sector. If a digital forensic investigator needs to identify the file name, size, start address of the file content and other metadata, they need to check the directory entry in the file allocation table.

NTFS is the common file system for Windows PCs. NTFS has better metadata support and data structures than the FAT file system. Unlike the FAT file system, NTFS does not have a special layout; all the important data is allocated as files. The first 16 sectors are the boot record, which includes the boot code, disk signatures and the table of primary partitions; it is an important file for the digital forensic investigator to identify the device partitions. The center of the NTFS file system is the MFT (Master File Table), which keeps a record of all the files and folders in the NTFS volume. Files whose names start with $ are metadata files stored in the MFT. The following table shows the major system files of the NTFS system and their functions.

Storage Mechanisms and file name

The NTFS and FAT file systems both keep data in clusters, but NTFS uses a smaller cluster size, which means NTFS can store more data.

As discussed before, NTFS uses the Master File Table, while FAT uses directory entries and the file allocation table. When forensic investigators examine an NTFS disk, they can find file information starting from sector 0. Three attributes are important for the forensic investigation: $STANDARD_INFORMATION, $FILE_NAME and $DATA. All the file name and directory information is in these three attributes. In a FAT file system, data is not recorded in the sectors after the reserved area and FAT areas, nor in the extra sectors after the data area, so when forensic investigators examine a FAT file system they need to check these sectors for hidden data.

In a FAT file system, the entire file is saved under a long file name.

File date and time

When forensic investigators examine a file system, they need to be careful about the file date and time stamps. NTFS stores a file's date and time in UTC (Coordinated Universal Time), but FAT stores them in the computer's local time.

Security

The FAT file system cannot encrypt data internally; the only way to secure it is with an external program. Compared with the FAT file system, NTFS has an improved security system: NTFS has access control and file encryption. A file can only be accessed after the user logs in.
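
An added example (not part of the original text) of why the timestamp difference matters when building a timeline: it reads the name, size, start cluster and write time from a FAT directory entry, then puts the FAT local time and an NTFS UTC timestamp on one scale. The function names, the sample bytes and the UTC-5 offset are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_fat_entry(entry: bytes, local_utc_offset_hours: float) -> dict:
    """Decode a 32-byte FAT short (8.3) directory entry.

    FAT records local time with no zone, so the examiner must supply the
    offset of the machine that wrote the volume (an assumption to document).
    """
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    # Offset 20: cluster high word (FAT32 only), write time, write date,
    # cluster low word, file size in bytes.
    hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", entry, 20)
    local = datetime(1980 + (wdate >> 9), (wdate >> 5) & 0x0F, wdate & 0x1F,
                     wtime >> 11, (wtime >> 5) & 0x3F, (wtime & 0x1F) * 2)
    utc = (local - timedelta(hours=local_utc_offset_hours)).replace(tzinfo=timezone.utc)
    return {"name": f"{base}.{ext}" if ext else base, "size": size,
            "start_cluster": (hi << 16) | lo,
            "modified_local": local, "modified_utc": utc}

def filetime_to_utc(filetime: int) -> datetime:
    """NTFS timestamp: 100-nanosecond ticks since 1601-01-01, already UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

# Constructed sample data (not from a real image): REPORT.TXT, 1234 bytes,
# first cluster 5, written 2021-03-15 14:30:10 local time on a UTC-5 machine.
SAMPLE_FAT_ENTRY = (b"REPORT  TXT" + bytes([0x20]) + bytes(8)
                    + struct.pack("<HHHHI", 0, 29637, 21103, 5, 1234))
# Constructed NTFS FILETIME for the same instant (2021-03-15 19:30:10 UTC).
SAMPLE_FILETIME = 132603102100000000

if __name__ == "__main__":
    fat = parse_fat_entry(SAMPLE_FAT_ENTRY, local_utc_offset_hours=-5)
    ntfs = filetime_to_utc(SAMPLE_FILETIME)
    print(fat["name"], fat["size"], fat["start_cluster"])
    print("FAT  local:", fat["modified_local"], "-> UTC:", fat["modified_utc"])
    print("NTFS UTC  :", ntfs, "| same instant:", fat["modified_utc"] == ntfs)
```

If the FAT value is treated as UTC (offset 0), the two timestamps appear five hours apart even though they describe the same moment.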