Understanding File Systems
A computer not only computes data but also stores it, so file structure and data storage are of prime concern. To address this, manufacturers employ an effective method of storing and organizing data on the computer, called a file system. The file system makes it easy to find and access the data. Data storage devices like hard disks or CD-ROMs can use the file system to store the data. The file system divides the file into smaller pieces and then stores them to hard disks or flash memory in clusters.
A file system is a set of data types employed for:
- Storage
- Hierarchical categorization
- Management
- Navigation
- Access
- Recovering the data
Major file systems include FAT, NTFS, HFS, Ext2, Ext3, etc. Users can access the files using the graphical user interfaces or command line user interfaces. File systems organize the data in the form of tree-structured directories. These are generally file cabinets and folders. Directories require authorized permission to access.
Types of File Systems
A file system refers to the structure a computer uses to organize data on media such as hard disks, CDs, DVDs, and many other storage devices, or to an index or database that contains the physical location of every piece of data on a hard drive or other storage device.
Following are the different types of file systems:
- Disk file systems: A disk file system is a technique designed for storing and recovering files on a storage device, usually a hard disk, directly or indirectly connected to the computer. A few examples of disk file systems are FAT, NTFS, ext2, ISO 9660, ODS-5, and UDF.
- Network file systems: A network file system is a type of file system, which helps the users to access the files on other computers connected through a network. The file systems are transparent to the user. A few examples of network file systems are NFS, CIFS, and GFS.
- Database file systems: It is a new method of storing data on the computer and effectively managing the file system. Earlier file systems used hierarchical structured management, but the database file system identifies the files by their characteristics, such as the name of the file, type of the file, topic, author, or similar metadata. Therefore, a user can search for a file by formulating an SQL query or in natural language. For example, if the user needs to find the documents written, then the query “documents written by ABC” will show the results.
- Flash file systems: This system stores the files or data in flash memory devices. In today’s world, these file systems are becoming prevalent with the increasing number of mobile devices. With these file systems, the cost per memory size decreases, and the capacity of flash memory will increase.
- Tape file systems: It stores files on tape in a self-describing form. Magnetic tapes work as sequential storage media with significantly longer random data access time as compared to disks, posing challenges to the creation of a general-purpose file system with efficient management. Tape drives require a linear motion to unwind and wind potentially very long reels of media. This might take several seconds or minutes to move the read/write head.
- Shared disk file systems: A shared disk file system works on the principle of accessing an external disk subsystem (SAN) through a number of The file system arbitrates access to that subsystem, to prevent write collisions.
- Special-purpose file systems: In a special-purpose file system, the software organizes files during run time and uses them for tasks such as communication between computer processes or temporary file space. File-centric operating systems such as UNIX use this file system. Any file system that is not a disk file system or network file system is a special-purpose file system. For example, /proc in UNIX can help to get information regarding processes and other operating system features.
Windows File Systems
File systems are the basic storage units of any device, and Windows operating systems power most of the computing devices across the globe. Investigators are therefore likely to come across various systems running Windows while investigating a security incident, and need a fair knowledge of how the OS stores files. This section demonstrates the methods the Windows OS employs to store files, in order to help investigators extract and analyze them.
File Allocation Table (FAT)
FAT (File Allocation Table) is a file system, designed in 1976, for many operating systems such as DOS, Windows, OpenDOS, etc. Designed for small hard disks and a simple folder structure, the FAT file system got its name from the way it organizes folders and the file allocation table. The file allocation table stores all the files and resides at the beginning of the volume.
It creates two copies of the file allocation table to protect the volume from damage. The FAT file system stores the file allocation table and root folder in a permanent location. A volume formatted using the FAT file system is allocated in clusters, and the size of the formatted volume determines the cluster size. The cluster number for the FAT file system fits in 16 bits, and the cluster size is a power of two.
Devices that implement FAT include flash memory, digital cameras, and other portable devices. Nearly all the operating systems installed on personal computers implement the FAT file system.
FAT File System Layout
A typical FAT32 file system comprises the following components:
- Reserved Area: The first reserved sector is the Volume Boot Record or VBR, which comprises the BIOS Parameter Block (BPB) containing basic file system information, such as type of file system and pointers to the position of the other sections as well as the operating system’s boot loader code.
- FAT Area: This area holds two duplicates (may change) of the File Allocation Table to help the system check for the empty or idle spaces. This area contains detailed information about clusters and their contents, including files and directories. The extra copies are kept in sync on every write, and they replace the first or main FAT when it appears to contain mistakes or damage.
- Data Area: This region, which occupies the largest part of a partition, stores the actual file and directory data. The FAT file system fills the unused parts or spaces with a filler value of 0xF6 based on the INT 1Eh Disk Parameter Table (DPT). FAT supports read-only, hidden, system, and archive attributes.
FAT Partition Boot Sector
The Partition Boot Sector consists of data that the file system uses to access the volume. On x86-based PCs, the Master Boot Record uses the Partition Boot Sector on the system partition to load the operating system kernel files.
In the UNIX operating system, this would be called a super block. It contains some general information.
The following is an example of the boot sector:
0000000 eb 3f 90 49 42 4d 20 20 33 2e 33 00 02 01 01 00
0000020 02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00
0000040 00 00 00 00 00 00 00 00 00 00 70 00 ff ff 49 42
0000060 4d 42 49 4f 20 20 43 4f 4d 00 50 00 00 08 00 18…
The 2-byte numbers are stored in little-endian order. The following table has the FAT12 version and is similar to FAT16 and FAT32 versions.
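The boot sector dump above, decoded field by field, as an added example that is not part of the original article. The field offsets follow the standard FAT12/FAT16 BIOS Parameter Block layout and the FAT12/FAT16 threshold comes from Microsoft's FAT specification; the function and key names are illustrative assumptions.

```python
import struct

# First 64 bytes of the boot sector dump above (offset column dropped).
BOOT_SECTOR = bytes.fromhex("""
    eb 3f 90 49 42 4d 20 20 33 2e 33 00 02 01 01 00
    02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 70 00 ff ff 49 42
    4d 42 49 4f 20 20 43 4f 4d 00 50 00 00 08 00 18
""")

# "<" selects little-endian, unpadded fields: jump code (3 bytes), OEM name (8),
# bytes/sector, sectors/cluster, reserved sectors, FAT copies, root entries,
# total sectors, media descriptor, sectors/FAT, sectors/track, heads.
BPB = struct.Struct("<3s8sHBHBHHBHHH")


def parse_bpb(sector: bytes) -> dict:
    """Decode a FAT12/FAT16 BPB and derive where each on-disk area starts."""
    if len(sector) < BPB.size:
        raise ValueError("boot sector too short to hold a BPB")
    (_jump, oem, bps, spc, reserved, fats, root_entries,
     total, media, spf, _spt, _heads) = BPB.unpack_from(sector)
    # Reject geometry a real FAT volume cannot have before trusting offsets.
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector or cluster size")
    if fats == 0 or spf == 0 or total == 0:
        raise ValueError("16-bit size fields are zero: not a FAT12/FAT16 BPB")
    root_sectors = (root_entries * 32 + bps - 1) // bps  # 32-byte folder entries
    root_start = reserved + fats * spf                   # after all FAT copies
    data_start = root_start + root_sectors
    clusters = (total - data_start) // spc
    return {
        "oem": oem.decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "fat_copies": fats,
        "root_entries": root_entries,
        "total_sectors": total,
        "media": media,
        "fat_start": reserved,        # sector where the FAT Area begins
        "root_start": root_start,     # sector where the root folder begins
        "data_start": data_start,     # sector where the Data Area begins
        "clusters": clusters,
        "fat_type": "FAT12" if clusters < 4085 else "FAT16",
    }
```

The decoded values describe a 2880-sector volume with 512-byte sectors, which is why the article calls this the FAT12 version.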
FAT Folder Structure
The FAT file system has a set of 32-byte folder entries for every folder.
Folder entries in the FAT system are as follows:
- Name (eight-plus-three characters)
- Attribute byte (8 bits worth of information, described later in this section)
- Create time (24 bits)
- Create date (16 bits)
- Last access date (16 bits)
- Last modified time (16 bits)
- Last modified date (16 bits)
- Starting cluster number in the file allocation table (16 bits)
- File size (32 bits)
All operating systems that support FAT’s file system use the information present in the FAT folder.
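A parser for the 32-byte folder entry listed above, as an added example that is not part of the original article. The exact byte positions (including the reserved byte and the high cluster word that the list omits), the attribute bit values and the 0xE5 deleted-entry marker are taken from the standard FAT on-disk format; the sample entry is constructed for illustration.

```python
import struct
from datetime import datetime

# One 32-byte entry: name, extension, attribute byte, reserved byte,
# create-time 10 ms count, create time/date, last access date,
# high cluster word (FAT32 only), modified time/date, start cluster, size.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTRS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
         0x08: "volume", 0x10: "directory", 0x20: "archive"}


def fat_datetime(date: int, time: int = 0):
    """Decode packed FAT date/time words; None if unset or not a real date."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None


def parse_entry(raw: bytes) -> dict:
    if len(raw) != ENTRY.size:
        raise ValueError("a FAT folder entry is exactly 32 bytes")
    (name, ext, attr, _rsvd, _tenths, c_time, c_date, a_date,
     _hi, m_time, m_date, cluster, size) = ENTRY.unpack(raw)
    deleted = name[0] == 0xE5          # first name byte is overwritten on delete
    if deleted:
        name = b"?" + name[1:]
    base = name.decode("ascii", "replace").rstrip()
    suffix = ext.decode("ascii", "replace").rstrip()
    return {
        "name": f"{base}.{suffix}" if suffix else base,
        "deleted": deleted,
        "long_name_part": (attr & 0x3F) == 0x0F,  # volume+system+hidden+read-only
        "attributes": [label for bit, label in ATTRS.items() if attr & bit],
        "created": fat_datetime(c_date, c_time),
        "accessed": fat_datetime(a_date),
        "modified": fat_datetime(m_date, m_time),
        "start_cluster": cluster,
        "size": size,
    }


# Constructed sample: REPORT.TXT, read-only + archive, 1300 bytes at cluster 5.
D15, D16 = (41 << 9) | (3 << 5) | 15, (41 << 9) | (3 << 5) | 16  # 2021-03-15/16
SAMPLE = ENTRY.pack(b"REPORT  ", b"TXT", 0x21, 0, 0, (14 << 11) | (30 << 5) | 10,
                    D15, D16, 0, (9 << 11) | (5 << 5), D16, 5, 1300)
DELETED = b"\xe5" + SAMPLE[1:]         # the same entry after deletion
```

A deleted entry keeps its timestamps, starting cluster and size, which is what makes the folder entry useful during recovery.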
Directory Entries and Cluster Chains
A directory entry is a data structure (32 bytes) allotted for each file and directory. Operating systems use directory entries to store additional metadata such as file passwords, access rights, owner IDs, file deletion data as well as attributes, size, starting cluster, date and time.
A file system divides the volume’s data area into identically sized clusters, whose size depends on the type of FAT file system used and the size of the partition. When users store data, each file may occupy more than one of these clusters depending on its size. Thus, a chain of these clusters represents a file.
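How a cluster chain is followed through the file allocation table, as an added example that is not part of the original article. It assumes 16-bit FAT16 entries with the standard end-of-chain (0xFFF8 to 0xFFFF) and bad-cluster (0xFFF7) values; the table contents and function names are constructed for illustration.

```python
import struct

EOC_MIN = 0xFFF8      # FAT16 values 0xFFF8-0xFFFF end a chain
BAD_CLUSTER = 0xFFF7  # FAT16 marker for an unusable cluster


def cluster_chain(fat: bytes, start: int) -> list:
    """Follow a FAT16 chain from `start`, refusing corrupt or looping tables."""
    entries = len(fat) // 2            # one 16-bit entry per cluster
    chain, seen = [], set()
    cluster = start
    while cluster < EOC_MIN:
        if cluster == BAD_CLUSTER:
            raise ValueError("chain reaches a cluster marked bad")
        if cluster < 2 or cluster >= entries:
            # 0 means "free": typical when a deleted file's chain was cleared.
            raise ValueError(f"chain leaves the allocated area at {cluster}")
        if cluster in seen:
            raise ValueError(f"loop in cluster chain at {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        (cluster,) = struct.unpack_from("<H", fat, cluster * 2)
    return chain


def cluster_offset(cluster: int, data_start_sector: int,
                   sectors_per_cluster: int, bytes_per_sector: int) -> int:
    """Byte offset of a cluster in the volume; the data area starts at cluster 2."""
    sector = data_start_sector + (cluster - 2) * sectors_per_cluster
    return sector * bytes_per_sector


# Constructed 10-entry table: entries 0 and 1 are reserved, a fragmented file
# occupies clusters 2 -> 3 -> 6, clusters 4 and 5 point at each other
# (corruption), and clusters 7-9 are free.
SAMPLE_FAT = struct.pack("<10H", 0xFFF8, 0xFFFF, 3, 6, 5, 4, 0xFFFF, 0, 0, 0)
```

Carving a file means reading `cluster_offset(c, ...)` for each cluster in the returned chain, in order; the loop and range checks keep a damaged or tampered table from stalling the tool.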
Filenames on FAT Volumes
When a user creates a file with a long filename, the Windows-based system allocates an eight-plus-three name for the file and creates one or more secondary folder entries. These folder entries each store a corresponding part of the long filename in Unicode. Windows sets the volume, read-only, system, and hidden attribute bits of such an entry to mark it as part of the long filename.
FAT 32
FAT32 is a version of the file allocation table (FAT) that replaces the FAT16 file system and is available in Windows 95 OSR 2 and Windows 8.1. FAT32 uses smaller clusters with more address bits to support larger disks as well as offer better storage. It always creates a backup of the file allocation table instead of the default copy.
FAT32 Features
- Utilizes space more effectively, about 10 to 15 percent, due to usage of smaller clusters
- Highly robust as it can change the destination of the root folder and utilize the backup copy of the file allocation table
- Consists of extended boot record to incorporate a backup copy of basic information structures
- Has a lower failure rate compared to FAT16 drives
- More adaptable
- The root folder can be located anywhere on the drive, as the root folder on a FAT32 drive is a standard cluster chain
- Does not have restrictions on the quantity of root folder entries
- Allows users to disable duplication of the file allocation table
Questions related to this topic
- How are files stored on disk?
- Why are disk files broken up into blocks?
- How are files stored on the disk when an OS is first installed?
- Where is file metadata stored?
This Blog Article is posted by
Infosavvy