File systems determine how data is organized, stored, and accessed on storage devices. Understanding file systems is essential in digital forensics because it helps investigators locate files, recover deleted data, interpret metadata, and analyze storage structures. Different operating systems use different file systems, and each has its own structure, rules, and forensic artifacts.
This chapter covers the basics of four major file systems: NTFS, FAT32, EXT4, and APFS.
NTFS (New Technology File System)
NTFS is the default file system used by modern Windows operating systems. It is known for reliability, advanced features, and strong metadata structures.
Key Features of NTFS
-
Supports large files and drives
-
Journaling for crash recovery
-
File permissions (ACLs)
-
File compression and encryption (EFS)
-
Hard links and symbolic links
Forensic Artifacts in NTFS
-
Master File Table (MFT): Contains records for every file and directory. One of the most important forensic sources.
-
$LogFile: Tracks file system changes, useful for timeline reconstruction.
-
$Bitmap: Shows allocated and unallocated clusters.
-
$Recycle.Bin: Stores deleted files with identifiable metadata.
-
$UsnJrnl: Tracks changes to files and folders, useful for activity tracing.
Strengths
-
Rich metadata
-
Excellent recoverability
-
Detailed logs
Weaknesses
-
Complexity increases analysis difficulty
-
Journaling may overwrite old data quickly
FAT32 (File Allocation Table 32)
FAT32 is an older file system still used in USB drives, memory cards, and some embedded systems. Its structure is simple and lightweight.
Key Features of FAT32
-
Wide compatibility across systems
-
Simple layout
-
Ideal for removable devices
Forensic Artifacts in FAT32
-
File Allocation Table: Maps which clusters belong to which file.
-
Directory entries: Contain basic file metadata.
-
Slack space: Often contains remnants of deleted data.
-
Unallocated space: May store recoverable deleted files.
Strengths
-
Easy to analyze due to simple design
-
Good for raw data recovery
Weaknesses
-
No journaling
-
No file permissions
-
Limited maximum file size (4 GB)
EXT4 (Fourth Extended File System)
EXT4 is the default file system for most Linux distributions. It is modern, reliable, and supports large storage structures.
Key Features of EXT4
-
Journaling for crash recovery
-
Extents for efficient storage
-
Delayed allocation (affects data recovery)
-
Backward compatibility with EXT2/EXT3
Forensic Artifacts in EXT4
-
Inodes: Store file metadata and pointers to data blocks.
-
Journal: Logs file system changes, useful for recovery.
-
Superblock: Stores information about the file system structure.
-
Block groups: Organize file system into manageable sections.
-
Lost+Found directory: Stores orphaned files.
Strengths
-
Efficient structure
-
Good support for large files
-
Strong metadata
Weaknesses
-
Delayed allocation may overwrite deleted data quickly
-
More complex than FAT32
APFS (Apple File System)
APFS is the default file system for macOS, iOS, and modern Apple devices. It is optimized for SSDs and flash storage.
Key Features of APFS
-
Strong encryption support
-
Snapshots for point-in-time recovery
-
Space sharing across volumes
-
Fast performance on SSDs
Forensic Artifacts in APFS
-
Containers and volumes: APFS uses container-based storage, which affects imaging.
-
Snapshots: Preserve previous states of the file system.
-
Extended attributes: Store metadata outside regular file structures.
-
APFS logs: Provide insights into file system activity.
Strengths
-
Built-in encryption
-
Snapshots preserve historical data
-
Efficient for SSDs
Weaknesses
-
Encryption complicates forensic access
-
More difficult to analyze due to newer design
-
Tools for APFS analysis are still evolving
Summary of Differences
NTFS
-
Windows default
-
Rich metadata
-
Strong forensic value
FAT32
-
Used in USB drives
-
Simple and easy to analyze
-
Limited features
EXT4
-
Linux default
-
Uses inodes and journaling
-
Efficient but complex
APFS
-
Apple default
-
Modern, encrypted, snapshot-based
-
Complex forensics workflow
Understanding these file systems helps investigators identify structures, parse metadata, recover deleted data, and handle evidence across different operating systems.