Understanding file system –I

Dear friends forensic experts are usually asked to retrieve unstructured or deleted
files, hidden data as in case of steganography, encrypted data which may link the criminal
with crime so recovering and reconstructing all this information can be of utmost
importance which is quite tedious job and require a thorough knowledge about the file
system and extensive experience regarding the same.

So let’s know what are file system and its importance, what are different types of file
system so let’s start

I am Dr. Navjot Kaur Kanwal

Dear friends

As you know there are wide variety of storage devices where data can be stored like
internal and external hard drives, memory cards, USB flash drives CD, DVD etc. Data is
stored on them in the form of files which may be a text file, video files, audio files, data file,
image files, program file etc. all are stored as files .They are systematically organized on the
disk so that can be easily retrieved when needed.

We all know that computers are not restricted till calculations, we create word
documents, we listen to music, we play videos, we do research and generate a lot of
database so modern computer has to store many different types of data in form of text,
audio, video, images and even physical quantities like light sound, light, temperature and
pressure, again all this is stored as files. But how these files are managed in storage devices
and who is taking care of all this??

We refer this file management as file system which is a method of organizing, storing,
retrieving and even updating files from a storage medium. In order to keep files organized
there are folders, like we use for handling our documents which are further managed by
directories or you can say that a system of directories and several levels of sub-directories is
called as the ’File System’.
A file system provides a means to organize a drive. It specifies how data is stored on the
drive and what types of information can be attached to files like filenames, permissions, and
other attributes.

For instance, Think storage media like a big library where books, journals, magazines,
research thesis are kept where different classification system are used to arrange the books
similarly file system is the manner in which files are named and logically arranged on storage
media . It is like Index page that contains the physical location of every single piece of data
on the respective storage device. The files are organized in folders, which are called
directories. So to locate a file your computer system need path—from directory to
subdirectory to folder to file.
Now how a file system knows which file is to be located?

So remember, to locate a file, a file system uses a path—from directory to subdirectory to

folder to file.

For storing and retrieving files, file systems make use of metadata, which specifies the date
of creation of file, when it was modified, file size, and so on. That means operating systems
need not to find the whole drive for locating a file, it just has to go for file system.

Let’s see how files are arranged on these storage media??

Dear friends….. we talked in length about storage media and we learnt that hard disk
constitute of different tracks which refers to the circular path on the surface of a disk, each
track is divided into different slices like on pie called as sectors. These sectors act as a
reference point for storage so whether it is hard drives, optical disc or floppies,
each sector stores a fixed amount of data, usually 512 bytes for hard disk drives, 2048 bytes
for CD-ROMs and DVD-ROMs. Now in reference to storage we also mention about blocks
which is a group of sectors that the operating system can address. A block may be one
sectors or a combination of 2, 4, and 16 to 128 sectors. Files are stored at the start of a block
and usually take up entire blocks and it is important to mention that due to continuous
deletion and rewrite also called file system aging, the file system lay out the contents of the
files in non continuous manner called as data fragmentation.

It is the duty of file system to identify the vacant sectors to store a file of given size and
It has to continuously keep a record of used and unused sectors, size, position and name of
the file stored or you can say, a file system is a structured representation of data and a set
of metadata where files are read by its position and size.

Different file system is used in different operating system which means that if a
program is built for windows, it will not run on android because Programs are also
dependent on file systems. Windows mainly supports three different file systems which are
FAT32, extended FAT and NTFS. Mac-OS uses HFS+ and don’t work with Windows whereas
Linux has its own file systems.

But why so Many file systems are there?

This is because every user has its unique requirements so to fulfill different requirements,
such as storage arrangement, durability, reliability and consistency, so large number of file
systems are developed to serve different purposes efficiently. Some are dedicated file
system For example; the ISO 9660 file system is designed specifically for optical discs. All of
them greatly vary in the way data is organized. Some are faster having additional security
features, and some support drives with large storage capacities. Some file systems are more
robust and resistant to file corruption; although it is very difficult to have all the
characteristics in a single file system but each operating system develops its own file system
to fulfill all these criteria’s. Let us now go through the file systems of different operating
systems one by one:
 Let’s go through various File systems of Windows like FAT, exFAT and NTFS

● FAT or the FILE ALLOCATION TABLE

As earlier mentioned that File system is responsible for keeping a record all the files stored
on storage media as per their size and position in a systematical manner where FAT is one of
the oldest and simplest file system used by operating system to keep a record of all the files,
it was introduced in 1977 and have its origin from disk operating system. File allocation
Table keeps the record of all the scattered parts of a file due to fragmentation. It can
support long file name, with full file path being as long as 255 characters followed by file
extension. File name should start with alphanumeric characters. Files in FAT are further
stored in directories where each directory is an array of 32-byte records

Let’s see how different attributes of a file are recorded in File Allocation Table which
contains a block an array of block descriptors. The key design in file allocation table is that
each file is represented as a linked list of blocks, where the last part of block gives the idea
of the location of next block. This also specifies that whether a block is occupied or not, like
a zero value indicates that the block is not used where the information regarding starting
block of a particular file is stored in Directory Table Format along with metadata.

There have been many versions of File allocation Table like FAT12, FAT16, and
FAT32 where the numbers 12, 16 and 32 refers to the number of bits used to specify a file
system block. FAT12 and FAT16 were exclusively used for floppy disks but almost obsolete
now. FAT32 is also an old file system which was introduced in Windows 95 in 1995 and
replaced FAT16 file system; it is still prevalent for memory cards, digital cameras, USB drives
and other portable devices. Provides a better usage of disk space and more storage-efficient
and supports up to 2TB of size. A highly compatible system, works with all versions of
Windows, Mac, Linux, game consoles, and practically anything with a USB port, since it had
a drawback that it could support only a maximum of 8Tera byte of partition size. To address
this issue, exFAT was introduced, which doesn't have any realistic limitations concerning the
size of files or partitions.(exFAT) that is Extended File Allocation Table , it was introduced in
2006 and optimized for flash drives without the limitations of FAT32 and can manage file
systems created on huge partitions. It was early used in Linux systems. EXT2 is probably one
of the most widely used Linux file systems. Talking about compatibility, it works with all
versions of Windows and modern versions of Mac OS X. Considered safe file system in the
sense that the Files are immediately overwritten when deleted with random data to prevent
someone to gain access to the previous data but Its optimum use is advised when you need
larger file size and more partition limit than FAT32.

Then there is NTFS, the New Technology File System, the most prevalent type of file system
used in modern versions of windows operating system by default, introduced in 1993 with
Windows NT, a comparatively new type of file system which is much more efficient, secure
than its forerunner FAT32 and support a lot of new features like file compression,
journaling, access control, encryption etc. but show less compatibility with other operating
system.

In NTFS files are stored as a file descriptor in the Master File Table which contains all the
information regarding a file like size, allocation, name, etc. The first 16 entries of the Master
File Table are retained for the BitMap, which keeps record of all free and used clusters, for
the Log used for journaling records and for the BadClus containing information about bad
clusters. The first and the last sectors of the file system contain file system settings like the
boot record or the superblock. NTFS uses 48 and 64 bit values to reference files, thus being
able to support data storages with extremely high capacity. This is a good option for
Windows Server line as provide a good folder and file security by allowing permissions for
files and folders.

Files and partition sizes are larger in NTFS than those of FAT. It can support a file from the
range of 4GB to 64 GB and partition can be of a size as large as 16 Exabytes.

It is highly preferable file system because

It provides Access Control for every file and folder in the list, a reliable and recoverable file
system which makes use of transaction logs for updating files and folders automatically and
It also provides bad-cluster mapping means it can detect bad clusters or erroneous space in
the disk, retrieve the data in those clusters, and then store it in another space.

Then there is ReFS, or the Resilient File System which is the latest development of Microsoft
introduced in 2012 with Windows servers. It has altogether new type of file system and is
mainly structured in a form of the B+- tree, this system is highly fault tolerant with lot of
new add on features

Let’s now look at the File systems of Linux

Open-source Linux aims at implementing, testing and using different types of file systems.
The most popular Linux file systems include: Ext, Ext2, Ext3, Ext4 - a “native” Linux file
system. Since open source undergo continuous developments and improvements. Ext3 file
system is just an extension of Ext2 that uses transactional file writing operations with
a journal. Ext4 is a further development of Ext3, extended with the support of optimized file
allocation information (extents) and extended file attributes.

ReiserFile system is a good substitute for Linux file system for storing a huge number of
small files. It is a journaling type of file system and has specialty of handling large numbers
of small files and used as a default file system in number of Linux distributions.

Then there is XFS or Extents File system, referred as Next generation file system, a
high-performance 64-bit file system created by Silicon Graphics Incorporation in 1993 and
was first used in the Unix-based IRIX operating system (OS) in 1994.Again a journaling type
of file system which keeps a track of changes in a log before committing the changes to the
main file system.

Then there is JFS or Journaled File system, initially built by IBM for its own computing
systems but presently it is an open-source file system and employed in most modern Linux
versions.

Btrfs or butter or better fs, which is an abbreviation for b-tree file system, is a file system
based on the copy-on-write (COW) principle; a technique which efficiently copy data
resources in a computer system, this file system was originally designed at Oracle
Corporation for use in Linux. This advanced file system with add on features is highly fault
tolerant and reliable.

Let’s have a look on various File systems of MacOS

Apple's MacOS mainly uses two file systems: HFS+, an extension to their Hierarchical File
System (HFS) used on old Macintosh computers, and recently released APFS.

HFS+ used to be the primary file system of Apple desktop system, including Mac computers,
iPods, as well as Apple X Server products, now it has been replaced by APFS in MacOS High
Sierra. The HFS+ file system uses B-trees for placing and locating files. The information
regarding free and used allocation blocks is kept in the Allocation File.

APFS or Apple File System is a proprietary file system for MacOS High Sierra and later, it
works efficiently with modern flash drives and solid-state drives. This 64-bit file system is
highly efficient and uses the copy-on-write (CoW) method and offers a lot of data integrity
and space-saving features. All the file contents and metadata about files, folders along with
other APFS structures are kept in the APFS container.

Then finally let’s see what are the file system are used in BSD, Solaris, UNIX operating
systems:
The most common file system for these operating systems is the Unix File System or UFS
also often referred to as FFS (Fast File System).

Then there is a Clustered file system

In modern computing technologies, where there is more and more trend of distributed
storage, so clustered file system has come in fashion like ZFS “Zettabyte File System” of Sun
Solaris OS, likewise there is “Virtual Machine File System” , Red Hat Linux ‘s“Global File
System” etc. A clustered file system is shared as it is mounted on multiple servers at the
same time therefore such file system are highly extensible.

Dear friend’s let’s now summarize and conclude

The file system is used to manage data by storing, retrieving and updating data. We
discussed about different types of file systems being used by different operating systems.
The most conventional file systems used now a day’s are FAT 32, NTFS and HFS. If we talk
about the ideal features in a file system, it should show compatibility with multiple versions,
there should be file permission for security purpose, it should quickly recover errors in case
of system failure, should keep copies for backup, follow encryption, there should be well
defined partition size limit etc. So, there’s always room for improvement therefore the
system developers are always in process to developing a file system which is faster, more
stable, and more scalable for large storage devices, and have better features than the earlier
systems.
Having the thorough knowledge about the file system is helpful in digital forensics to
find the deleted or hidden files from the media. A hidden file which may lie in any area of
digital media or disk like slack space, unallocated clusters or lost clusters can be traced by
file carving. Data can be extracted, reconstructed using a variety of available software tools
that are based on various algorithms such as bottom-up tree reconstruction and inference
of partition geometry. Reconstructed data is thoroughly analyzed for preparing report to be
presented in the court.

So dear friends, I stop here that’s all I have for today’s lecture on file system, see you in next
module, Take Care, Good Bye