| Name | Partition size (min/max) | Cluster size (min/max) | File Max Size | fstab code |
|---|---|---|---|---|
| FAT16 | 16Mb/2Gb | 2Kb/32Kb | ||
| FAT32 | 32 KB (officially), 512 bytes (unofficially)- 2Tb 🔍 | 512b - 32Kb/64Kb (for large volumes) | ||
| NTFS 1.1 | 500Mb/8Gb 🔍 | 512B/8Kb | ||
| NTFS 3.0 | 500Mb/16EB | 512B/64Kb | ||
| HFS | ||||
| HFS+ | ||||
| APFS | ||||
| ext2 | 16Tb | 2Tb | ext2 |
|
| ext3 | 16Tb | 2Tb | ext3 |
|
| ext4 | 1Eb | 16Tb | ext4 |
|
| ReiserFS | 16Tb | 8Tb | resiserfs |
|
| JFS | 32Pb | 4Tb | jfs |
|
| XFS | 16Eb | 8Eb | xfs |
|
| Btrfs | 16Eb | 16Eb | ||
| HPFS | 4Mb-2Tb | 512b - 64Kb | 2Gb | n/a |
| CDFS | up to 700Mb | n/a | 700Mb | iso9660 |
| LFS | depends on the implementation | depends on the implementation | depends on the implementation | depends on the implementation |
| NSS | up to 8Tb | up to 64Kb | 8Tb | n/a |
Other file systems to consider for the exam:
B. High Performance File System (HPFS) C. Log-structured file system (LFS) (can be used to install OS) D. Compact Disc File System (CDFS) (can be used to install OS) E. Novell Storage Services (NSS)
ZFS is a file system that was originally developed by Sun Microsystems for the Solaris operating system. It is now available on various platforms including Linux, FreeBSD, and macOS. ZFS is designed to be a highly scalable and robust file system, with support for large storage volumes and advanced features such as data compression, snapshots, and data integrity checking.
Two entries marked with a🔍 are from M. Graves’ book “Digital Archeaology” book. I have not found any other information about max partition size on NTFS 1.1 and FAT32 max partition size is claimed to be 2,048 Gb, which doesn’t correlate with other resources.
There are: file name, file metadata and the contents of the file itself. They are not in the same place. File metadata contains filename and also a ptr to the sector, where the file’s contents starts and size of data. Theoretically, we could change the file metadata to make it point to another cluster… 🤔
| Name | Cluster | size | last accessed |
|---|---|---|---|
| malware.txt | 654 | 80 | October 13, 2020 |
Essential data - can be trusted and non-essential cannot. But if ptr to cluster is called essential data, how we can trust it? Well, it’s much harder to tamper with.
https://apple.stackexchange.com/questions/321406/extract-hfs-hfsx-volume-from-dmg-file
open [path/to/dmg]
dd if="/dev/disk[number]" of="/extract/path/file.img"
fdisk -l file.img
dd if="path/to/file.img" bs=sector_size skip=sectors count=sectors >> output.hfs
Data structures and Flags
First, there must be some data structure identifier so that the CPU could know, how to read the subsequent data. For example, if we have the following:
1001 1000 1001 1110 1010 1100 1000 101
For example, the first 4 bits 0101 tell the CPU that the next bits should be interpreted as an image. Then, for example, there are other 4 bits 0011 that are 4 flags. Flag is a 1-bit value, indicating either true or false, or either exists or doesn't. This are flags, for example, that indicate: wether it’s black-and-white (0) or colored (1); wether the image is editable 1 or 0 etc. And then the file contents.
Consider the above binary sequence. To make it more compressed, convert it to hex: 4c 4f 56 45. What is this? That depends. If you tell CPU that it’s machine instructions, then it’s see this:
dec esp
dec edi
push esi
inc ebp
But what if you tell that it’s text? Then CPU sees… check out here.
Bootcode and Booting Process
POSIX
There is a standard that’s called POSIX and those FS that compliant are called POSIX-compliant. This standard demands certain fucntionality and properties from a FS: for example, for a file to have several names or hard links (❓), case sensitive file naming. FAT or HPFS are not POSIX compliant.