Digital Evidence and Computer Crime, Second Edition
10.2 File Systems
The simplest Windows file systems to understand are the FAT (file allocation table) file systems: FAT12, FAT16, and FAT32. To locate data on a volume, these file systems use directories and a FAT. The root directory (e.g. C:\) is at a known location on the volume so that the operating system can find it without any other index (recall Figures 8.5 and 10.1): on FAT12 and FAT16 it is a fixed-size area immediately after the FAT copies, and on FAT32 its starting cluster is recorded in the boot sector. The root directory of a floppy diskette, listing its files and subdirectories with their associated properties, is shown here in Norton Disk Editor.[2]
Root directory, sector 19, A:\ (Norton Disk Editor)

Name           Ext  ID        Size   Date     Time      Cluster  A R S H D V
SALES               Vol           0  4-13-03   3:36 pm        0  A - - - - V
ix.doc              LFN           0                               - R S H - V
skiways-getaf       LFN           0                               - R S H - V
SKIWAY~1       DOC  File      21504  5-13-03  11:58 am      184  A - - - - -
todo.txt            LFN           0                               - R S H - V
TODO           TXT  File        122  5-13-03  12:40 pm      226  A - - - - -
t                   LFN           0                               - R S H - V
newaddress.tx       LFN           0                               - R S H - V
NEWADD~1       TXT  File        122  5-13-03  12:42 pm      227  A - - - - -
greenfield.do       Del LFN       0                               - R S H - V
σREENF~1       DOC  Erased    19968  5-08-03   2:34 pm      275  A - - - - -
april               Del LFN       0                               - R S H - V
σPRIL               Erased        0  5-08-03   2:41 pm      157  - - - - D -
contacts.xls        LFN           0                               - R S H - V
CONTACTS       XLS  File      16896  2-18-01  12:49 pm      314  A R - - - -
(unused directory entries follow, continuing into sector 20)
This view of the root directory (not of the FAT itself) shows the last modified date and time of each file. The last accessed date and the creation date and time can be displayed by selecting the "More→" menu.[3] Notably, FAT file systems record only the date of last access, not the time. The attribute columns A R S H D V stand for archive, read-only, system, hidden, directory and volume label; the rows marked LFN are the long file name entries that precede each short 8.3 entry, and they carry the R, S, H and V attributes together. An erased entry has its first name character overwritten with the byte E5h, which Disk Editor displays as σ, which is why the deleted names appear as "σREENF~1" and "σPRIL". Listing the contents of a volume with the dir command shows some of this information but not the starting cluster, which is the critical field from the file system perspective. In addition to indicating where the file begins, the starting cluster directs the operating system to the appropriate entry in the FAT. The FAT can be thought of as a list with one entry for each cluster in a volume; each entry records whether the cluster is free, which cluster continues the file, or that the cluster is the last one of its file. The following output from Norton Disk Editor shows the first copy of the file allocation table from the same floppy diskette.
FAT (1st copy), sector 1, drive A:, cursor on cluster 184 (hex B8) (Norton Disk Editor)

Cluster   176 ... 183   184   185   186   ...   224    225     226     227   228 ... 313   314   315   316 ...
Entry       0 ...   0   185   186   187   ...   225   <EOF>   <EOF>   <EOF>    0 ...   0   315   316   317 ...
FAT entries containing zero mark clusters that are free for allocation (when a file is deleted, every entry in its chain is set to zero). An entry holding a cluster number gives the next cluster of the file or directory; the remaining values are reserved markers, in FAT12 FF7h for a bad cluster and FF8h to FFFh for end of file. For instance, the root directory indicates that the file "skiways-getafix.doc" begins at cluster 184. The FAT entry for cluster 184 (the highlighted entry in the view) indicates that the file continues in cluster 185. The entry for cluster 185 points to cluster 186, and so on, like links in a chain, until the end-of-file (EOF) marker in the entry for cluster 225 is reached: 42 clusters of 512 bytes, which matches the file size of 21,504 bytes. Cluster 226 belongs to a different file ("todo.txt") that fits in one cluster and therefore needs no further link; its entry simply contains an EOF marker. Because deletion zeroes the chain, the only allocation information that survives for an erased file is the starting cluster and size in its directory entry, so recovery of a deleted FAT file has to assume that the file was stored in consecutive clusters.
Subdirectories are just a special type of file whose contents are directory entries: the name, attributes, dates, times, size and first cluster of each file or subdirectory it contains. For instance, before the directory named "april" on the floppy diskette was deleted and overwritten, it occupied cluster 157 and contained the following:
This translates to the following directory listing with four deleted files. Each deleted file appears twice: first its long file name entry, which the tool decodes as if it were a short entry and so shows meaningless dates, sizes and cluster numbers, and then its short 8.3 entry with the real values:

Name             Created              Written              Accessed   Size        Cluster
.                05/08/03 02:41:44PM  05/08/03 02:41:44PM  05/08/03   0           157
..               05/08/03 02:41:44PM  05/08/03 02:41:44PM  05/08/03   0           0
σskiways.doc     03/19/80 12:03:50AM  03/03/80 12:03:30AM  01/14/80   4294901760  6553600
σKIWAYS.DOC      05/08/03 02:28:06PM  04/14/03 09:00:40AM  05/08/03   19968       118
σglobalcom.doc   03/03/80 12:03:24AM  03/04/80 12:01:28AM  03/15/80   6488175     7143424
σLOBAL~1.DOC     05/08/03 02:27:54PM  04/14/03 09:01:16AM  05/08/03   19968       2
σhandbright.doc  03/07/80 12:03:18AM  03/04/80 12:01:28AM  03/08/80   6488175     7602176
σANDRI~1.DOC     05/08/03 02:28:02PM  04/14/03 09:00:12AM  05/08/03   19968       79
σenginuity.doc   03/09/80 12:03:42AM  03/04/80 12:01:28AM  03/20/80   6488175     7929856
σNGINU~1.DOC     05/08/03 02:27:58PM  04/14/03 08:58:32AM  05/08/03   19456       41
When an individual instructs a computer to open a file in a subdirectory (e.g. "C:\april\handbright.doc"), the operating system goes to the root directory, determines which cluster holds the desired subdirectory (cluster 157 for "april"), and uses the directory entries in that cluster to determine the starting cluster of the desired file (cluster 79 for "handbright.doc"). If the file is larger than one cluster, the operating system refers to the FAT entry for that cluster to find the next cluster of the file. The entire file is read by repeating this "chaining" process until an EOF marker is reached.
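The lookup just described, from directory entry to starting cluster to FAT chain, as an added example that is not code from the book or its companion site. The Python below decodes 32-byte FAT directory entries, including the VFAT long-name entries that appear as "LFN" rows in the listing and the packed date and time fields, follows a cluster chain through a 12-bit FAT to its EOF marker, and refuses chains that run into a free or bad cluster or loop back on themselves. The root directory and FAT it reads are constructed inside the block to mirror the floppy's listing (same names, starting clusters, sizes and written times) rather than read from the book's image, and the two erased entries show why recovering a deleted FAT file has to assume contiguous storage: the chain itself was zeroed on deletion.

```python
import struct
from datetime import datetime
from functools import reduce

CLUSTER_SIZE = 512               # 1.44 MB floppy: one 512-byte sector per cluster
FAT12_EOF_MIN, FAT12_BAD = 0xFF8, 0xFF7
ATTR_DIR, ATTR_LFN = 0x10, 0x0F  # long-name entries carry R+S+H+V = 0x0F
DELETED = 0xE5                   # first name byte of an erased entry (Disk Editor shows σ)

def fat12_entry(fat, n):
    """Read the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    word = fat[n + n // 2] | (fat[n + n // 2 + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF

def pack_fat12(values):
    """Pack a list of 12-bit entries, two per three bytes (used to build the sample FAT)."""
    out = bytearray()
    for a, b in zip(values[0::2], values[1::2]):
        out += bytes((a & 0xFF, (a >> 8) | ((b & 0xF) << 4), b >> 4))
    return bytes(out)

def follow_chain(fat, start):
    """Link cluster to cluster until EOF; a free/bad link or a repeated cluster is a broken chain."""
    chain, seen, n = [], set(), start
    while n not in seen:
        seen.add(n)
        chain.append(n)
        nxt = fat12_entry(fat, n)
        if nxt >= FAT12_EOF_MIN:
            return chain
        if nxt == 0 or nxt == FAT12_BAD:
            raise ValueError(f"cluster {n} links to a {'free' if nxt == 0 else 'bad'} cluster")
        n = nxt
    raise ValueError(f"FAT chain loops back to cluster {n}")

def fat_datetime(date, time=0):
    """Unpack FAT's packed local date (years from 1980) and 2-second-resolution time."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2) if date else None

def parse_directory(raw):
    """Decode 32-byte entries, attaching preceding long-name fragments; erased entries are kept."""
    entries, lfn_parts = [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                       # never-used slot: end of listing
            break
        if e[11] == ATTR_LFN:                  # 13 UTF-16LE characters per fragment
            lfn_parts.insert(0, (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le"))
            continue
        acc_date, wrt_time, wrt_date, cluster, size = struct.unpack_from("<HxxHHHI", e, 18)
        entries.append({
            "short": (e[:8].decode("cp437").rstrip() + "." + e[8:11].decode("cp437")).rstrip(". "),
            "long": "".join(lfn_parts).split("\x00", 1)[0] or None,
            "deleted": e[0] == DELETED,
            "directory": bool(e[11] & ATTR_DIR),
            "written": fat_datetime(wrt_date, wrt_time),   # acc_date carries a date only, no time
            "cluster": cluster, "size": size,
        })
        lfn_parts = []
    return entries

def make_entries(long_name, name11, attr, cluster, size, written, deleted=False):
    """Construct VFAT long-name entries (highest sequence first) followed by the short entry."""
    csum = reduce(lambda s, b: (((s & 1) << 7) + (s >> 1) + b) & 0xFF, name11, 0)
    out, chunks = [], [(long_name + "\x00")[i:i + 13] for i in range(0, len(long_name) + 1, 13)]
    for seq in range(len(chunks), 0, -1):
        u = chunks[seq - 1].ljust(13, "\uffff").encode("utf-16-le")
        out.append(struct.pack("<B10sBBB12sH4s", seq | (0x40 if seq == len(chunks) else 0),
                               u[:10], ATTR_LFN, 0, csum, u[10:22], 0, u[22:26]))
    d = ((written.year - 1980) << 9) | (written.month << 5) | written.day
    t = (written.hour << 11) | (written.minute << 5) | written.second // 2
    out.append(struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, t, d, d, 0, t, d, cluster, size))
    raw = bytearray(b"".join(out))
    if deleted:                                # erasing overwrites byte 0 of every entry
        raw[::32] = bytes([DELETED]) * len(raw[::32])
    return bytes(raw)

SAMPLE_ROOT = b"".join([                       # constructed to mirror the floppy's root listing
    make_entries("skiways-getafix.doc", b"SKIWAY~1DOC", 0x20, 184, 21504, datetime(2003, 5, 13, 11, 58)),
    make_entries("todo.txt", b"TODO    TXT", 0x20, 226, 122, datetime(2003, 5, 13, 12, 40)),
    make_entries("greenfield.doc", b"GREENF~1DOC", 0x20, 275, 19968, datetime(2003, 5, 8, 14, 34), True),
    make_entries("april", b"APRIL      ", ATTR_DIR, 157, 0, datetime(2003, 5, 8, 14, 41), True),
]).ljust(CLUSTER_SIZE, b"\x00")
# 184 -> ... -> 225 chains skiways-getafix.doc; 226, 227 are one-cluster files; 275.. was zeroed on delete
SAMPLE_FAT = pack_fat12([n + 1 if 184 <= n < 225 else 0xFFF if n in (225, 226, 227) else 0
                         for n in range(400)])

def recover_listing(fat=SAMPLE_FAT, root=SAMPLE_ROOT):
    """Live files: walk the chain.  Erased files: assume contiguous clusters from start and size."""
    rows = []
    for e in parse_directory(root):
        if e["deleted"]:
            clusters = list(range(e["cluster"], e["cluster"] + max(1, -(-e["size"] // CLUSTER_SIZE))))
        else:
            clusters = follow_chain(fat, e["cluster"])
        slack = 0 if e["directory"] else len(clusters) * CLUSTER_SIZE - e["size"]
        rows.append((e["long"], e["deleted"], clusters[0], clusters[-1], len(clusters), slack))
    return rows
```

Calling `recover_listing()` yields one row per entry: the live files come back with their real chains (42 clusters for skiways-getafix.doc, one for todo.txt with 390 bytes of slack), while the erased ones come back with a guessed contiguous run, which is exactly what a recovery tool does when the FAT no longer says anything. The walker deliberately raises instead of returning a partial chain when it lands on a free or bad cluster; a forensic tool that silently stopped there would present a truncated file as if it were complete.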
FAT12 uses 12-bit fields for each entry in the FAT and is mainly used on floppy diskettes. FAT16 uses 16-bit fields to identify clusters, and a FAT16 volume must have fewer than 65,525 clusters (a volume with fewer than 4,085 clusters is FAT12; one with 65,525 or more is FAT32). This is why larger clusters are needed on larger volumes: a 1 GB volume can be fully used with 16 kB clusters (32 sectors per cluster), whereas a 2 GB volume requires clusters twice as large, 32 kB (64 sectors per cluster). FAT32 was created to deal with larger hard drives by using 28-bit cluster numbers in the FAT (the top 4 bits of each 32-bit field are reserved). FAT32 also makes better use of space by using smaller clusters than FAT16 would need; this can be a disadvantage for investigators because it reduces the amount of slack space.[4]
NTFS is significantly different from the FAT file systems: it stores information in a Master File Table (MFT), supports larger disks more efficiently (resulting in less slack space), provides file and directory level security through Access Control Lists (ACLs), and more. The MFT is a list of records that contains most of the information needed to locate data on the disk. Records in the MFT contain the created, last modified and last accessed dates and times, plus a fourth timestamp recording when the MFT record itself last changed. Directories are treated much like any other file in NTFS: a directory is a file whose contents are index entries, stored in a B-tree to accelerate lookups and to allow re-sorting when entries are deleted. Instead of ASCII, NTFS represents file and folder names in Unicode (UTF-16, little-endian, so each ASCII character is followed by a zero byte). This difference must be taken into account when performing text searches: a keyword search for an ASCII string will not match a file name unless the search term is encoded the same way.
NTFS creates MFT entries as they are needed, but it reuses unused entries before allocating new ones. Recovering deleted files is therefore complicated by the fact that, when a file is deleted, the next file created may overwrite the deleted file's MFT entry. On the other hand, if many files are created and then deleted, causing the MFT to grow, the freed entries can remain indefinitely, since new files reuse the earlier free entries in the MFT first. Another feature of NTFS that makes it more difficult to recover a deleted file is that directory entries are kept sorted by name. When a file is deleted, the index is re-sorted and the deleted entry may be overwritten by entries from lower down in the directory, breaking a crucial link between the file name and the data on disk.
NTFS is a journaling file system: it keeps a record of metadata operations in the file "$LogFile" that can be used to repair any damage caused by a system crash. At the time of writing there are no tools for interpreting $LogFile to determine what changes were made. It is a potentially rich source of information from a forensic standpoint that will certainly be exploited in the future. For a more detailed discussion of NTFS, see the Handbook of Computer Crime Investigation, Chapter 7 (Sheldon 2002).
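An added example, not code from the book, for the two NTFS points made above and in footnote 3: timestamps stored as 100-nanosecond counts since 1601, and names stored in UTF-16LE rather than ASCII. It converts between NTFS FILETIME values and UTC datetimes, decodes the fixed part of an NTFS $FILE_NAME attribute (the documented layout; the record it reads here is constructed in the block, with a made-up parent reference and timestamps, not taken from a real MFT), and shows that a keyword search for the file name finds it only when the search term is itself encoded as UTF-16LE.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_NAME_LAYOUT = "<QQQQQQQIIBB"   # fixed 66-byte part of $FILE_NAME; the name follows it

def filetime_to_datetime(ft):
    """NTFS time: 100-ns ticks since 1601-01-01 00:00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; a naive datetime is taken to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

# Sanity anchor: the Unix epoch expressed as a FILETIME is the well-known 116444736000000000.
UNIX_EPOCH_FILETIME = datetime_to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc))

def decode_file_name_attr(body):
    """Decode the resident body of a $FILE_NAME attribute: parent MFT reference, four FILETIMEs
    (NTFS keeps an MFT-record-changed time besides the three the text lists), allocated and
    real size, flags, reparse value, name length, namespace, then the UTF-16LE name."""
    (parent, created, modified, mft_modified, accessed,
     alloc, real, flags, reparse, nlen, namespace) = struct.unpack_from(FILE_NAME_LAYOUT, body, 0)
    return {
        "parent_record": parent & 0xFFFFFFFFFFFF,     # low 48 bits: MFT record number
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
        "size": real,
        "name": body[66:66 + 2 * nlen].decode("utf-16-le"),
    }

def encode_file_name_attr(parent, times, size, name):
    """Build a $FILE_NAME body; used here only to construct the sample record."""
    fixed = struct.pack(FILE_NAME_LAYOUT, parent, *(datetime_to_filetime(t) for t in times),
                        size, size, 0x20, 0, len(name), 1)   # 0x20 = archive, 1 = Win32 namespace
    return fixed + name.encode("utf-16-le")

def find_name(image, name):
    """Byte offsets of the ASCII and of the UTF-16LE encoding of name in raw data.  NTFS names
    only ever match the second, so an ASCII-only keyword search walks straight past them."""
    hits = {}
    for label, needle in (("ascii", name.encode("ascii")), ("utf-16le", name.encode("utf-16-le"))):
        found, i = [], image.find(needle)
        while i != -1:
            found.append(i)
            i = image.find(needle, i + 1)
        hits[label] = found
    return hits

# Constructed sample: one $FILE_NAME body for the document named in the text, with parent
# record 5 (the root directory) and made-up timestamps, padded with zeros on either side
# to stand in for the rest of an MFT record.
SAMPLE_TIMES = [datetime(2003, 5, 13, 11, 58, tzinfo=timezone.utc)] * 4
SAMPLE_RECORD = (b"\x00" * 200
                 + encode_file_name_attr(5, SAMPLE_TIMES, 21504, "skiways-getafix.doc")
                 + b"\x00" * 100)

def demo():
    """Decode the sample attribute and search for its name in both encodings."""
    return decode_file_name_attr(SAMPLE_RECORD[200:]), find_name(SAMPLE_RECORD, "skiways-getafix.doc")
```

`demo()` returns the decoded attribute and a dictionary of search hits in which the ASCII list is empty and the UTF-16LE list holds the single offset of the name. When building keyword lists for an NTFS image, generate both encodings of every term; the same applies to the long file name entries on FAT, which are also stored in UTF-16LE.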
[2]This floppy diskette is referenced in a case example later in this chapter. A bitstream copy of this disk is available on the Web site associated with this book (http://www.disclosedigital.com/decc2/).
[3]FAT stores dates and times as packed 16-bit local-time fields: the date counts years from 1980 and the time has a resolution of 2 seconds. NTFS represents times as the number of 100-nanosecond intervals since January 1, 1601 00:00:00 UTC.
[4]FAT file systems under Windows 95 and later support long file names, storing the long name in Unicode (UTF-16) in special entries in the parent directory that precede the short 8.3 entry; these entries carry the read-only, system, hidden and volume-label attributes together, which is how they are recognized. For more detailed discussion see Sammes and Jenkinson (2000, pp. 164–165).