File System

File system analysis

A file system is a collection of data structures that allow an application to create, read, and write files.

Analyse the file system to:

  • find files.

  • recover deleted files.

  • find hidden data.

The result can be:

  • file content.

  • data fragments.

  • metadata associated with files.

A file system organizes data inside a volume.

It associates file names with file content.

  • essential data: file names and content location.

    • trustworthy data; however, the content may be invalid, e.g. for deleted files

  • non-essential data: last access time; even if it is wrong, the file content is still valid

    • we may not be able to trust non-essential data, e.g. the system time may be inaccurate, the user may have changed the time, etc.

    • we should try to find additional data sources to support an incident hypothesis.
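
The point about non-essential data can be turned into a check. The following is an added example, not part of the original notes: it flags timestamps that contradict the acquisition time, each other, or an independent source. The metadata records, the acquisition time and the application log events are constructed sample data, and the two-minute tolerance is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: timestamps as they might be read from file system metadata.
ACQUIRED = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # when the image was taken
FILES = [
    {"name": "report.docx", "created": "2024-03-01T09:00:00+00:00",
     "modified": "2024-03-02T10:00:00+00:00", "accessed": "2024-03-05T08:00:00+00:00"},
    {"name": "notes.txt", "created": "2024-03-04T11:00:00+00:00",
     "modified": "2024-03-04T11:05:00+00:00", "accessed": "2024-03-04T11:05:00+00:00"},
    {"name": "tool.exe", "created": "2024-03-06T14:00:00+00:00",
     "modified": "2019-01-01T00:00:00+00:00", "accessed": "2024-04-01T00:00:00+00:00"},
]
# Constructed independent source: write events from a hypothetical application log.
EVENTS = [
    {"name": "report.docx", "time": "2024-03-02T10:00:05+00:00"},
    {"name": "notes.txt", "time": "2024-03-08T15:30:00+00:00"},
]

def check_timestamps(files, events, acquired, tolerance=timedelta(minutes=2)):
    """Return {file name: [findings]} for timestamps that need corroboration."""
    findings = {}
    for f in files:
        ts = {k: datetime.fromisoformat(f[k]) for k in ("created", "modified", "accessed")}
        notes = []
        for kind, value in ts.items():
            if value > acquired:  # a file cannot be touched after the image was taken
                notes.append(f"{kind} is after acquisition time")
        if ts["modified"] < ts["created"]:
            # Can be legitimate (e.g. a copied file), so it is a lead, not proof.
            notes.append("modified is earlier than created")
        writes = [datetime.fromisoformat(e["time"]) for e in events if e["name"] == f["name"]]
        if writes and abs(max(writes) - ts["modified"]) > tolerance:
            notes.append("modified disagrees with last logged write")
        if notes:
            findings[f["name"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in check_timestamps(FILES, EVENTS, ACQUIRED).items():
        print(name, "->", "; ".join(notes))
```

A finding here is a reason to look for further sources, not a conclusion: the file content of each flagged entry may still be valid.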
