Blue Team Toolkit
  • 👊Welcome!
  • application-security
    • Application Security
  • DFIR Toolkit
  • Incident Response
    • Containment, Eradication, and Recovery
    • Network Analysis
    • MITRE ATT&CK Framework
    • post-incident
    • preparation
  • network-hardening
    • Basic Network Tools
    • Basic Port Info
    • NMAP
    • Wireshark
  • Phishing Analysis
    • Basic Email Info
    • Email Headers
  • reversing
    • gdb
    • reversing
  • Security Information and Event Monitoring
    • DeepBlueCLI
    • Linux Log Analysis
    • Log Review Approach
    • Network Device Log Analysis
    • Other Tools
    • SIFT Workstation
    • Splunk
    • Syslog
    • Sysmon
    • Web Server Log Analysis
    • Windows Log Analysis
  • Systems Forensics
    • Autopsy
    • Basic File Metadata
    • Browser History Capturer
    • Browser History Viewer
    • Digital Evidence Handling
    • Exiftool
    • File Hashing
    • File Systems
    • forensics-workstation
    • FTK Imager
    • John the Ripper
    • JumpList Explorer
    • KAPE
    • Linux Artifacts
    • Memory File Analysis
    • Prefetch Explorer Command Tool PECmd.exe
    • Scalpel
    • Steghide
    • Sysinternals
    • Volatility
    • Windows Artifacts
    • Windows File Analyzer
    • YARA
  • systems-hardening
    • Active Directory Hardening
    • linux-hardening
    • windows-hardening
Powered by GitBook
On this page
  1. Systems Forensics

File Systems

  • FAT16: File Allocation Table, uses a table to mark the position of the files; used by DOS and Windows 3.X; files can be lost of the FAT is lost/damaged

  • FAT32: FAT16 but with larger partitions for long filenames; uses 32 bits of data for identifying data clusters

    • FAT32 is compatable with many devices and is cross compatible with all modern operating systems since 1995

    • FAT32 disadvantages:

      • Only >4GB files

      • 8TB max capacity

      • No data protection from power loss

      • No built in compression

      • No built in encryption

  • NTFS: Microsoft file system since Windows NT 3.1

    • Improved performance, reliability, security (ACLs) and disk space from FAT

  • Linux architecture for EXT3 and EXT4

    • User space: user space -> sends to system call -> requeast sent to kernel

    • Kernel space: operating system core -> provides requested resources to user space, manages io/memory/file management

    • Disk space: kernal space device driver io request -> hard disk

  • EXT3/EXT4

    • EXT3: default file system for many popular Linux distributions; uses journaling for resiliency

    • EXT4: maximum volume size of data supported by ext4 is 1exbibyte and file size is up to 16 tebibytes; uses extents which is a data storage area that reduces file fragmentation and file scattering

  • FTK Imager can be used to show file types of disk images

PreviousFile HashingNextforensics-workstation

Last updated 2 years ago