WEBVTT

0:00:09.560000 --> 0:00:14.040000
So let's talk a bit about the definition and history of file systems.

0:00:14.040000 --> 0:00:18.160000
Starting with what is a file system?

0:00:18.160000 --> 0:00:23.200000
Essentially, a file system provides a framework for organizing data.

0:00:23.200000 --> 0:00:26.420000
Much like a card catalog system helps us find what we're looking for in

0:00:26.420000 --> 0:00:31.660000
a library, the file system tells us or our applications in operating systems

0:00:31.660000 --> 0:00:35.260000
where to find specific data.

0:00:35.260000 --> 0:00:39.520000
And just like indexes can be built quickly using any number of categories

0:00:39.520000 --> 0:00:44.940000
and criteria, different file systems perform the same functions in different

0:00:44.940000 --> 0:00:51.880000
ways. Quite simply put, a file system looks like what we see on the left:

0:00:51.880000 --> 0:00:56.900000
all of the hexadecimal data that is a representation of binary, and it

0:00:56.900000 --> 0:01:01.800000
organizes it and makes it look like what you see on the right, which is

0:01:01.800000 --> 0:01:04.840000
a navigable file system.

0:01:04.840000 --> 0:01:10.640000
Why analyze the file system?

0:01:10.640000 --> 0:01:15.740000
Take a moment and think to yourself, why would you want to perform a forensic

0:01:15.740000 --> 0:01:19.360000
analysis on a file system?

0:01:19.360000 --> 0:01:26.220000
When you perform an analysis on a file system, whether manual or by using

0:01:26.220000 --> 0:01:32.380000
forensic tools, it gives us the ability to access the active files, yes,

0:01:32.380000 --> 0:01:39.420000
but it also enables us to detect and analyze the deleted files.

0:01:39.420000 --> 0:01:42.860000
And yeah, the rumors are definitely true.

0:01:42.860000 --> 0:01:47.260000
We can recover deleted data, sometimes at least.
0:01:47.260000 --> 0:01:51.200000
If none of the relevant sectors have been overwritten, file system analysis

0:01:51.200000 --> 0:01:57.220000
can allow us to find and reassemble those files that were deleted.

0:01:57.220000 --> 0:02:03.780000
And what I mean by that is that if a file has not been overwritten by

0:02:03.780000 --> 0:02:10.460000
another file, then we have a high chance of recovering that data.

0:02:10.460000 --> 0:02:12.180000
How do we do it?

0:02:12.180000 --> 0:02:17.900000
Well, we have to think about the three-step process of file deletion.

0:02:17.900000 --> 0:02:24.200000
When you delete a file, we have to think about the three-step process

0:02:24.200000 --> 0:02:26.860000
of file deletion.

0:02:26.860000 --> 0:02:31.900000
When we delete a file, the file is moved to the trash.

0:02:31.900000 --> 0:02:38.000000
What that simply is is a marker or a record that says, hey, I'm not using

0:02:38.000000 --> 0:02:39.300000
this file anymore.

0:02:39.300000 --> 0:02:43.820000
However, the file is not yet empty.

0:02:43.820000 --> 0:02:50.400000
When you empty the trash, forensically, all of the sectors in the file

0:02:50.400000 --> 0:02:53.640000
are marked with a hexadecimal E5.

0:02:53.640000 --> 0:03:00.540000
And that means that the data represented by the file system there, if

0:03:00.540000 --> 0:03:06.380000
it has the E5 header to it, then the data is available to be overwritten.

0:03:06.380000 --> 0:03:09.660000
However, you see, it's available to be overwritten.

0:03:09.660000 --> 0:03:12.880000
It has not quite been overwritten yet.

0:03:12.880000 --> 0:03:16.060000
If none of the sectors have been overwritten, the file is going to be

0:03:16.060000 --> 0:03:18.380000
generally recoverable.

0:03:18.380000 --> 0:03:21.000000
Now, what is going to happen eventually?

0:03:21.000000 --> 0:03:27.380000
Eventually, some of or all of the sectors are going to get overwritten.
0:03:27.380000 --> 0:03:32.620000
And at this point, the file is generally not recoverable, but pieces of

0:03:32.620000 --> 0:03:37.480000
it may be through a process called file carving.

0:03:37.480000 --> 0:03:43.680000
Much like URLs can be mapped to IP addresses, file names are mapped to

0:03:43.680000 --> 0:03:45.760000
file locations on a disk.

0:03:45.760000 --> 0:03:49.700000
What that means is that they have an almost visual map that is maintained

0:03:49.700000 --> 0:03:55.220000
by the file system, and every time you add a new entry, that map is updated,

0:03:55.220000 --> 0:03:58.820000
and the file system looks at the map, and it knows where to put a new

0:03:58.820000 --> 0:04:03.760000
file, or it knows where to go through some of its trim or file cleanup

0:04:03.760000 --> 0:04:09.840000
activities. And then when files are ready to be deleted and removed, the

0:04:09.840000 --> 0:04:12.420000
file system can do it.

0:04:12.420000 --> 0:04:17.320000
So, a few common file systems: we have the file allocation system.

0:04:17.320000 --> 0:04:24.200000
We have the file allocation table file system, and that includes FAT32.

0:04:24.200000 --> 0:04:29.640000
We have the extended file allocation table system.

0:04:29.640000 --> 0:04:35.880000
The new technology file system, or NTFS, and then the hierarchical

0:04:35.880000 --> 0:04:43.420000
file system, HFS+, and then also the older one, HFS.

0:04:43.420000 --> 0:04:47.600000
And then of course, we have the Apple file system, or APFS.

0:04:47.600000 --> 0:04:52.080000
If we think about some of the history involved in that, the FAT file system

0:04:52.080000 --> 0:04:57.320000
was first developed in 1997.
0:04:57.320000 --> 0:05:03.460000
It wasn't until 1985 that Apple deployed a file system for their computers

0:05:03.460000 --> 0:05:10.420000
called the hierarchical file system, and then in 1993, Microsoft released

0:05:10.420000 --> 0:05:15.060000
their first business-class, journaling-style file system called the new

0:05:15.060000 --> 0:05:16.420000
technology file system.

0:05:16.420000 --> 0:05:19.740000
That file system is still with us today.

0:05:19.740000 --> 0:05:27.900000
In 1998, Apple had their own journaling file system called HFS+, and

0:05:27.900000 --> 0:05:31.840000
then Microsoft brought in the exFAT file system to handle file systems

0:05:31.840000 --> 0:05:35.920000
bigger than what FAT32 could handle.

0:05:35.920000 --> 0:05:41.840000
And then finally in 2017, Apple rewrote their file system from scratch,

0:05:41.840000 --> 0:05:46.520000
and they called it the Apple file system, or APFS.

0:05:46.520000 --> 0:05:52.480000
Some thoughts about FAT are that it is limited to 32 bits.

0:05:52.480000 --> 0:05:58.420000
What that means is, if we think back to a previous lesson, we are

0:05:58.420000 --> 0:06:02.280000
limited to two terabytes with FAT32.

0:06:02.280000 --> 0:06:07.620000
However, it is the most common file system out there.

0:06:07.620000 --> 0:06:10.940000
exFAT was introduced in 2006.

0:06:10.940000 --> 0:06:16.020000
What that did is overcome a four-gigabyte file size limitation,

0:06:16.020000 --> 0:06:21.020000
not a partition size limitation, a file size limitation.

0:06:21.020000 --> 0:06:26.580000
However, exFAT has now transitioned to becoming the standard

0:06:26.580000 --> 0:06:32.520000
file system for SD cards and flash drives that are larger than 32 gigabytes.