Part 5 Module 2: Digital Evidence & Forensics

File Systems & Data Recovery

📖 Reading Time: 25-30 min | 💾 Technical Content | 🔧 Recovery Techniques

Introduction to File Systems

A file system is the method used by an operating system to organize and store files on storage media. Understanding file systems is crucial for digital forensics because they determine how data is stored, accessed, and deleted - and more importantly, how deleted data can potentially be recovered.

💡Why File Systems Matter in Forensics

When a user deletes a file, the actual data usually remains on the disk - only the file system's record of the file is removed. Understanding how different file systems handle deletion is key to successful data recovery.

Common File Systems

💾 FAT (FAT12/16/32)

File Allocation Table - simple structure, used in USB drives, memory cards, older Windows. Limited file size (4GB for FAT32). Good recoverability.

💻 NTFS

New Technology File System - Windows standard. Supports large files, journaling, encryption, compression. Rich metadata. MFT stores file records.

🐧 ext4

Fourth extended file system - Linux standard. Journaling, large file support, extents. Inodes store file metadata. Good recovery potential.

🍏 APFS/HFS+

Apple File System / Mac OS Extended. APFS is copy-on-write with encryption. HFS+ is journaled. Both common on Mac devices.

File System   Max File Size   Platform    Journaling   Recovery Difficulty
FAT32         4 GB            Universal   No           Easy
exFAT         16 EB           Universal   No           Moderate
NTFS          16 EB           Windows     Yes          Moderate
ext4          16 TB           Linux       Yes          Moderate
APFS          8 EB            macOS/iOS   Yes          Difficult

How File Deletion Works

When you delete a file, the operating system doesn't immediately overwrite the data. Instead, it marks the space as "available" for new data. The original data remains until overwritten.

File System Structure After Deletion

Diagram (disk layout after deletion): Boot Sector | FAT/MFT | Root Directory | File A | Deleted B | File C | Deleted D | Free

Deleted files still contain data until overwritten.

Deletion Process by File System

  • FAT: First character of the filename is replaced with a special marker byte (0xE5) and the file's clusters are marked as free in the FAT; the rest of the directory entry (extension, starting cluster, size, timestamps) is left in place
  • NTFS: MFT entry marked as inactive, but its metadata is often preserved. $Bitmap updated to show the clusters as free
  • ext4: Inode marked as deleted and the block bitmap updated. The journal may still contain pre-deletion information
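The FAT case above can be seen directly in a directory region. The following is an added example (not code from the original module): it builds two constructed 32-byte short-name directory entries, deletes one the way FAT does (overwriting the first name byte with 0xE5), and then walks the region the way a recovery tool would, showing that the deleted entry still carries its starting cluster and size while only the first character of the name is lost.

```python
import struct

FAT_DELETED = 0xE5   # first name byte FAT writes when an entry is deleted
FAT_END = 0x00       # first name byte of a never-used entry: end of the directory
ATTR_LFN = 0x0F      # attribute value of a VFAT long-file-name piece, not a file record

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one 32-byte FAT short-name directory entry (constructed sample data)."""
    raw_name = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([FAT_DELETED]) + raw_name[1:]   # exactly what deletion does
    # attr, NT reserved, create tenths, create time/date, access date,
    # cluster high, write time/date, cluster low, file size (all little-endian)
    return raw_name + struct.pack("<BBBHHHHHHHI", 0x20, 0, 0, 0, 0, 0,
                                  first_cluster >> 16, 0, 0,
                                  first_cluster & 0xFFFF, size)

def parse_dir_entries(raw):
    """Walk a FAT directory region and list live and deleted short-name entries."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        ent = raw[off:off + 32]
        if ent[0] == FAT_END:
            break                               # nothing was ever written past here
        if ent[11] == ATTR_LFN:
            continue                            # skip long-name fragments
        deleted = ent[0] == FAT_DELETED
        base = ent[1:8].decode("ascii", "replace").rstrip()
        ext = ent[8:11].decode("ascii", "replace").rstrip()
        # The first character is gone for good; show a placeholder rather than guess it.
        name = ("_" if deleted else chr(ent[0])) + base + ("." + ext if ext else "")
        clus_hi, = struct.unpack_from("<H", ent, 20)
        clus_lo, size = struct.unpack_from("<HI", ent, 26)
        entries.append({"name": name, "deleted": deleted,
                        "first_cluster": (clus_hi << 16) | clus_lo, "size": size})
    return entries

# Constructed directory: one live file, one deleted file, then an unused slot.
SAMPLE_DIR = (make_entry("REPORT", "TXT", 5, 1200)
              + make_entry("EVIDENCE", "DOC", 0x12345, 48000, deleted=True)
              + bytes(32))

if __name__ == "__main__":
    for e in parse_dir_entries(SAMPLE_DIR):
        state = "DELETED" if e["deleted"] else "live"
        print(f"{e['name']:<14} {state:<8} cluster={e['first_cluster']} size={e['size']}")
```

The starting cluster and size recovered from the deleted entry are what a tool uses to read the file's clusters back, provided they have not been reallocated since.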

Slack Space

Slack space refers to the unused space within allocated disk clusters. It's a valuable source of forensic evidence because it may contain fragments of previously stored data.

Understanding Slack Space

Diagram (one cluster): File Data (600 bytes) | Slack Space (424 bytes)

1 Cluster = 1024 bytes | File uses 600 bytes | 424 bytes remain as slack

Types of Slack Space

  • RAM Slack: Space between end of file and end of its sector - may contain random RAM data
  • Drive Slack: Space between end of last sector and end of cluster - contains previous file data
  • Volume Slack: Space between end of file system and end of partition

Forensic Value

Slack space may contain fragments of deleted files, passwords, communication snippets, or other sensitive data. Always analyze slack space during forensic examination.

Data Recovery Techniques

1. File Carving

File carving recovers files based on their content (headers and footers) rather than file system metadata. It works even when file system structures are damaged or missing.

# Common file signatures (headers)
JPEG: FF D8 FF E0 (or FF D8 FF E1)
PNG:  89 50 4E 47 0D 0A 1A 0A
PDF:  25 50 44 46 (%PDF)
ZIP:  50 4B 03 04
DOCX: 50 4B 03 04 (same as ZIP - it's a container)
EXE:  4D 5A (MZ)
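A minimal header/footer carver built on the signatures listed above, as an added example that is not part of the original module. It scans a constructed disk-image fragment for JPEG, PNG and PDF headers, carves each file up to its end marker, and skips a JPEG header whose footer has been overwritten instead of carving garbage; the sample image and the ten-megabyte carve limit are assumptions chosen for the demonstration.

```python
import re

# Header patterns from the signature list above, paired with the usual end-of-file marker.
# Headers are regexes (bytes) so JPEG's FF D8 FF E0 / FF D8 FF E1 variants share one entry.
SIGNATURES = {
    "jpg": (rb"\xff\xd8\xff[\xe0\xe1]", b"\xff\xd9"),            # SOI ... EOI
    "png": (rb"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),     # signature ... IEND+CRC
    "pdf": (rb"%PDF", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024   # stop looking for a footer after this many bytes

def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return (type, offset, data) for every header/footer pair found in raw bytes.
    Only contiguous files are recovered; a header whose footer was overwritten
    (or lies beyond max_len) is skipped rather than carved as garbage."""
    found = []
    for kind, (header, footer) in signatures.items():
        for m in re.finditer(header, image):
            start = m.start()
            end = image.find(footer, m.end(), start + max_len)
            if end == -1:
                continue
            found.append((kind, start, image[start:end + len(footer)]))
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image():
    """Constructed disk-image fragment: filler around tiny fake files, plus a JPEG
    header whose footer was overwritten (so it must not be carved)."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-data" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-data" + b"IEND\xae\x42\x60\x82"
    pdf = b"%PDF-1.4\nobjects\n%%EOF"
    orphan = b"\xff\xd8\xff\xe1" + b"exif-no-footer"
    return filler + jpeg + filler + png + filler + pdf + filler + orphan

if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

Real carvers such as PhotoRec and Scalpel add format-aware parsing on top of this idea: a JPEG with an embedded EXIF thumbnail contains an inner FF D9, so a plain footer search like this one would cut the file short.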

2. MFT/Inode Recovery

For NTFS/ext4, recovery tools can parse the Master File Table or inode tables to find references to deleted files, often including complete file paths and timestamps.

3. Journal Analysis

File system journals (NTFS $LogFile, ext4 journal) may contain pre-deletion records that help reconstruct deleted files.

4. Unallocated Space Analysis

Unallocated (free) space is searched for known patterns, keywords, or file signatures in order to recover deleted content that no longer has a file system record.

Recovery Tools Overview

Tool         Type              Best For                   License
Autopsy      Full Suite        Comprehensive analysis     Open Source
PhotoRec     File Carver       Photo/document recovery    Open Source
Scalpel      File Carver       Custom signature carving   Open Source
R-Studio     Recovery          RAID/complex recovery      Commercial
FTK Imager   Imaging/Preview   Quick analysis             Free

Important Limitation

Data recovery is not guaranteed. If deleted data has been overwritten by new data, recovery is generally impossible. The more the disk has been used after deletion, the lower the recovery chances.

📝 Practical Exercise 5.1

File System Analysis

Scenario: You receive a USB drive from a suspected fraud case. The suspect claims they deleted all evidence.

  1. What file system would you expect on a typical USB drive?
  2. Describe the steps to recover deleted files
  3. Where would you look for partial data if files were overwritten?
  4. What information might you find in slack space?
  5. How would you document your recovery findings?

🎯 Key Takeaways

  • File deletion usually only removes file system pointers, not actual data
  • Different file systems (FAT, NTFS, ext4) have different structures and recovery implications
  • Slack space often contains fragments of previous file content
  • File carving can recover files even without intact file system metadata
  • Recovery success depends on how much new data has been written since deletion
