What does MACB stand for in timestamps?
Modified, Accessed, Changed, Born
Define Modified timestamp
Content changes (file edited and saved)
Define Accessed timestamp
File opened or viewed
Define Changed timestamp
Metadata changes (file renamed, permissions changed)
Define Born timestamp
File creation (original creation time)
If you rename a file, which timestamp changes?
Changed (C) - NOT Modified
If you edit a file in Word and save it, which timestamp changes?
Modified (M)
What is the key difference between Modified and Changed timestamps?
Modified = content inside file changed
List the 3 steps of file deletion in order
Is data actually erased when you delete a file?
No - data stays on disk until overwritten
In FAT file systems, how is a deleted file marked?
First character changed to 0xE5
In NTFS file systems, how is a deleted file marked?
Entry marked deleted in MFT (Master File Table)
What happens to the cluster after file deletion?
Marked as 0x00 (free/available for reuse)
What does FAT entry 0xE5 indicate?
Deleted file marker
What does FAT entry 0x00 indicate?
Free cluster (may contain residual deleted data)
What does FAT entry 0xFF7 indicate?
Bad cluster (damaged sector)
What does FAT entry 0xFFF indicate?
End of file marker
Can you recover a file immediately after deletion (before any new writes)?
Yes - 95-100% recovery probability if no overwriting occurred
What three factors affect deleted file recovery probability?
What is slack space?
Unused portion of an allocated cluster
Calculate slack space: 4KB cluster with 3.5KB file
0.5KB (512 bytes) slack space
Calculate slack space: 4KB cluster with 2.8KB file
1.2KB (1,228 bytes) slack space
What are the two types of slack space?
RAM slack and Drive slack
What does RAM slack contain?
RAM contents (can include passwords, encryption keys, sensitive data)
What does Drive slack contain?
Remnants of previous deleted files
What is unallocated space?
Clusters completely free (not allocated to any file)
Can unallocated space contain recoverable deleted data?
Yes - if freed after deletion and not yet overwritten
What is the difference between slack space and unallocated space?
Slack = allocated but unused portion
What is metadata?
Data about data - information ABOUT a file, not the content itself
Is file content considered metadata?
No - content is data
Name 5 metadata properties
What is EXIF data?
Exchangeable Image File Format - metadata embedded in photos
What does EXIF data contain?
Camera make/model, GPS location, date/time taken, camera settings (ISO, aperture, shutter speed)
What does MFT stand for?
Master File Table
What file system uses the MFT?
NTFS
Why is the MFT called "the heart of NTFS"?
Contains ALL metadata for every file and directory - central to entire file system
What is FAT32's maximum file size?
4 GB
What is NTFS's maximum file size?
16 TB
Which file system is best for forensics and why?
NTFS - most comprehensive metadata, journaling, MFT with detailed timestamps
What is journaling in file systems?
Logging file system transactions BEFORE changes are made to disk (enables recovery after crashes)