File Systems
Partition Schemas
File Systems Overview
| Name | Partition size (min/max) | Cluster size (min/max) | File Max Size | fstab code |
|---|---|---|---|---|
| FAT16 | 16Mb/2Gb | 2Kb/32Kb | ||
| FAT32 | 32 KB (officially), 512 bytes (unofficially)- 2Tb π | 512b - 32Kb/64Kb (for large volumes) | ||
| NTFS 1.1 | 500Mb/8Gb π | 512B/8Kb | ||
| NTFS 3.0 | 500Mb/16EB | 512B/64Kb | ||
| HFS | ||||
| HFS+ | ||||
| APFS | ||||
| ext2 | 16Tb | 2Tb | ext2 |
|
| ext3 | 16Tb | 2Tb | ext3 |
|
| ext4 | 1Eb | 16Tb | ext4 |
|
| ReiserFS | 16Tb | 8Tb | resiserfs |
|
| JFS | 32Pb | 4Tb | jfs |
|
| XFS | 16Eb | 8Eb | xfs |
|
| Btrfs | 16Eb | 16Eb | ||
| HPFS | 4Mb-2Tb | 512b - 64Kb | 2Gb | n/a |
| CDFS | up to 700Mb | n/a | 700Mb | iso9660 |
| LFS | depends on the implementation | depends on the implementation | depends on the implementation | depends on the implementation |
| NSS | up to 8Tb | up to 64Kb | 8Tb | n/a |
Other file systems to consider for the exam:
APFS
APFS
APM and APFS seem to be unable to live together. APFS requires GUID. I have come to that conclusion when I tried formating the drive with a APM and then APFS with DiskUtility. The same goes for the MBR. APFS requires GPT.
https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
Advantages over HFS+:
-
Optimized for Flash/SSD Storage.
-
Full disk encryption is natively supported.
-
Snapshot support.
-
Timestamps are to-the-nanosecond.
-
9 quintillion files at most (18 zeroes).
-
Clones (aka copy-on-write). When the file is copied, it’s actually not duplicated. Instead, a new pointer is created. Once either of the files get changed, the actual copying process takes place.
ExtX
2
No journaling
3
Same but + journaling
4
New FS
FAT
Any FAT partition has two main parts: system area and data area. System area contains FAT boot record (every file system has a boot record), 1st FAT and 2nd FAT. FAT12 and FAT16 also have Root directory in the system area. Data area consists of Root directory in case of FAT32 and file and subdirectory data in clusters.
Versions
FAT12
For the cluster addressing there were 12 bits available, which is 2^12 clusters at most (4096 clusters).
HFS and HFS+
HFS
HFS+
Since 1998, since macOS 8.1. Was replaced by APFS.
Didn’t natively support full disk encryption (FV2 was added later). Timestamps were only to-the-second. Support up to 4 billion files.
https://developer.apple.com/library/archive/technotes/tn/tn1150.html
- Supports large files
- Efficient disk space usage
- unicode for filenames
- name forks
- file compression
- journaling. Journaling is a mechanism in which changes to a disk are first committed to a journal file, which acts as a buffer to ensure that all disk update transactions are fully completed. 1
- dynamic resizing, defragmentation
- not only for MacOS
References
1
Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 138). BCS Learning & Development Limited. Kindle Edition.
NTFS
Developed in collaboration with IBM. POSIX compliant. Official docs for NTFS here.
βοΈ Everything is a file! βοΈ All offsets are relative to the start of the data structures. βοΈ Apple macOS machines can read NTFS devices but do not support writing to them by default.
The entire logical volume is a data area (in contrast to FAT where there is a system area as well β).
In a Microsoft NT File System (NTFS), hot fixing of disk sectorsΒ prevents data from being stored in aΒ bad sectorΒ or cluster.
ReiserFS
Allows storing multiple files in a single sector. exclamation mark βοΈUnique to this FS!
XFS
Good for multimedia files.
Flash Memory Overview
In this article I’m going to give a general overview of how SSD works and how it’s different from an HDD.
SSDs consist of NAND memory chips, a power terminal and a data terminal. Due to its nature, data cannot be overwritten, therefore, it needs to be white clean first.
π Does it mean that there is no data in the unallocated or slack space?
Data is written in pages and deleted in blocks (multiple pages).