
File Systems Overview

Created: 18.10.2020
| Name | Partition size (min/max) | Cluster size (min/max) | File Max Size | fstab code |
|---|---|---|---|---|
| FAT16 | 16Mb/2Gb | 2Kb/32Kb | | |
| FAT32 | 32 KB (officially), 512 bytes (unofficially) - 2Tb 🔍 | 512b - 32Kb/64Kb (for large volumes) | | |
| NTFS 1.1 | 500Mb/8Gb 🔍 | 512B/8Kb | | |
| NTFS 3.0 | 500Mb/16EB | 512B/64Kb | | |
| ext2 | 16Tb | | 2Tb | ext2 |
| ext3 | 16Tb | | 2Tb | ext3 |
| ext4 | 1Eb | | 16Tb | ext4 |
| ReiserFS | 16Tb | | 8Tb | reiserfs |
| JFS | 32Pb | | 4Tb | jfs |
| XFS | 16Eb | | 8Eb | xfs |
| Btrfs | 16Eb | | 16Eb | |
| HPFS | 4Mb-2Tb | 512b - 64Kb | 2Gb | n/a |
| CDFS | up to 700Mb | n/a | 700Mb | iso9660 |
| LFS | depends on the implementation | depends on the implementation | depends on the implementation | depends on the implementation |
| NSS | up to 8Tb | up to 64Kb | 8Tb | n/a |

Other file systems to consider for the exam:

B. High Performance File System (HPFS)
C. Log-structured file system (LFS) (can be used to install OS)
D. Compact Disc File System (CDFS) (can be used to install OS)
E. Novell Storage Services (NSS)

ZFS is a file system that was originally developed by Sun Microsystems for the Solaris operating system. It is now available on various platforms including Linux, FreeBSD, and macOS. ZFS is designed to be a highly scalable and robust file system, with support for large storage volumes and advanced features such as data compression, snapshots, and data integrity checking.

The two entries marked with 🔍 are from M. Graves’ book “Digital Archaeology”. I have not found any other information about the max partition size on NTFS 1.1, and the FAT32 max partition size is claimed to be 2,048 Gb, which doesn’t correlate with other resources.

A file consists of a file name, file metadata and the contents of the file itself. They are not stored in the same place. File metadata contains the filename as well as a pointer to the sector where the file’s contents start and the size of the data. Theoretically, we could change the file metadata to make it point to another cluster… 🤔

| Name | Cluster | size | last accessed |
|---|---|---|---|
| malware.txt | 654 | 80 | October 13, 2020 |

Essential data can be trusted; non-essential data cannot. But if the pointer to the cluster is called essential data, how can we trust it? Well, it’s much harder to tamper with.
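
The split between essential and non-essential fields, shown on a concrete format. This is an added example, not code from the original notes: it assumes a FAT short directory entry as the on-disk layout, and the sample bytes and the 4000-cluster, 2 KiB-per-cluster volume geometry are constructed.

```python
import struct
from datetime import date
# FAT short (8.3) directory entry, 32 bytes little-endian: name, attributes, NT-reserved,
# create tenths/time/date, access date, cluster high, write time/date, cluster low, size.
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

def pack_date(d):
    """FAT date: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day."""
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def unpack_date(v):
    """Return a date, or None if the field is zero or not a calendar date."""
    try:
        return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)
    except ValueError:
        return None

def parse_entry(raw):
    """Split one directory entry into essential and non-essential fields."""
    if len(raw) != ENTRY.size:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name, _, _, _, _, _, adate, hi, _, _, lo, size = ENTRY.unpack(raw)
    base, ext = (name[i:j].decode("ascii", "replace").rstrip() for i, j in ((0, 8), (8, 11)))
    return {
        "name": f"{base}.{ext}" if ext else base,
        # Essential: needed to locate and read the content.
        "essential": {"first_cluster": (hi << 16) | lo, "size": size},
        # Non-essential: nothing else on the volume depends on it.
        "non_essential": {"last_accessed": unpack_date(adate)},
    }

def pointer_problems(entry, cluster_count, cluster_size):
    """Cross-check the essential fields against the volume geometry."""
    ess, problems = entry["essential"], []
    # FAT numbers its data clusters 2 .. cluster_count + 1.
    if not 2 <= ess["first_cluster"] <= cluster_count + 1:
        problems.append("first_cluster outside the data area")
    if ess["size"] > cluster_count * cluster_size:
        problems.append("size larger than the data area")
    return problems

# Constructed samples: the malware.txt row from the table above, and a copy
# whose cluster pointer (70000) cannot exist on a 4000-cluster volume.
ACCESSED = pack_date(date(2020, 10, 13))
SAMPLE = ENTRY.pack(b"MALWARE TXT", 0x20, 0, 0, 0, 0, ACCESSED, 0, 0, 0, 654, 80)
BAD = ENTRY.pack(b"MALWARE TXT", 0x20, 0, 0, 0, 0, ACCESSED, 1, 0, 0, 4464, 80)

if __name__ == "__main__":
    for raw in (SAMPLE, BAD):
        print(parse_entry(raw), pointer_problems(parse_entry(raw), 4000, 2048))
```

The cluster pointer and size can be checked against the rest of the volume, while the last-accessed date has nothing to be checked against.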


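# Mount the DMG so that it shows up as a disk device
open [path/to/dmg]
# Copy the whole disk device into a raw image file
dd if="/dev/disk[number]" of="/extract/path/file.img"
# List the partitions in the image (sector size, start sector, sector count)
fdisk -l file.img
# Carve one partition out of the image using the values from fdisk
dd if="path/to/file.img" of="output.hfs" bs=sector_size skip=start_sector count=sector_count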

Data structures and Flags

First, there must be some data structure identifier so that the CPU knows how to read the subsequent data. For example, if we have the following:

0100 1100 0100 1111 0101 0110 0100 0101

For example, the first 4 bits 0101 tell the CPU that the following bits should be interpreted as an image. Then, for example, come another 4 bits, 0011, which are 4 flags. A flag is a 1-bit value indicating either true or false, or that something exists or doesn't. These flags could indicate, for example, whether the image is black-and-white (0) or colored (1), whether it is editable (1) or not (0), and so on. After that come the file contents.

Consider the above binary sequence. To write it more compactly, convert it to hex: 4c 4f 56 45. What is this? That depends. If you tell the CPU that these are machine instructions, it sees this:

dec esp
dec edi
push esi
inc ebp

But what if you tell it that it’s text? Then the CPU sees… check out here.

Bootcode and Booting Process


There is a standard called POSIX, and file systems that comply with it are called POSIX-compliant. The standard demands certain functionality and properties from a FS: for example, that a file can have several names, or hard links (❓), and case-sensitive file naming. FAT and HPFS are not POSIX-compliant.