What to Do If You Become a Victim of ‘Sextortion’
July 26, 2023
Social Media and the Hiring Process: The New Frontier in Employee Vetting
August 22, 2023
Show all

A Comparative Analysis of FAT, NTFS, EXT, and APFS File Systems in Forensic Examinations

FAT File System:

Originating from the early days of floppy disks, the File Allocation Table (FAT) system later evolved to serve hard drives and a plethora of other devices. Distinguished into variants like FAT12, FAT16, and FAT32, the variations are marked by the disparity in allocation unit dimensions and maximal volume capacity. Though FAT’s universality allows it to interact seamlessly with Windows, Linux, and Mac OS, it has significant drawbacks such as the absence of vital capabilities like security layers, journaling, encryption, compression, and intricate metadata. Forensically speaking, FAT’s straightforward structure facilitates relatively uncomplicated examinations. While it catalogues the file name, dimension, characteristics, and cluster digit within directory inputs, it falls short by not documenting the file’s inception date—only noting modification and access instances. Furthermore, residues from file slack and names of discarded files are not retained.


NTFS File System:

The New Technology File System (NTFS), integral to Windows since the Windows NT phase, is markedly sophisticated in comparison to FAT. It incorporates enhanced attributes like in-built security, journaling, metadata, compression, encryption, and the ability to support expansive files and volumes. Structurally, NTFS comprises the Master File Table (MFT) that chronicles details about files, directories, and their associated attributes. Forensic studies of NTFS demand a nuanced approach due to data storage across varied regions and formats such as MFT, USN Journal, $LogFile, $BitMap, and $Secure. The system meticulously documents timelines, including file origination, modifications, access, and MFT entry alterations, safeguarding even remnants of file slack and names of deleted files.


EXT File System:

The Extended File System (EXT), Linux’s go-to file system, has evolved through its iterations—EXT2, EXT3, and EXT4—with each bringing distinct advancements in efficiency, features, and stability. It endorses functionalities like journaling, detailed metadata, capacious file/volume handling, and a spectrum of file characteristics. At its core, EXT employs structures such as the Superblock, Group Descriptors, and Inode Tables. From a forensic lens, EXT’s intricacies align with those of NTFS, archiving data across a range of domains like the Superblock, Journal, and Inode Table. Notably, it logs timelines encompassing file creation, modification, access, and deletion, while also retaining file slacks and previously discarded file names.



Apple’s contemporary flagship, the Apple File System (APFS), is pivotal to its latest ecosystems—macOS, iOS, watchOS, and tvOS. Superseding HFS+, APFS is meticulously tailored for SSDs and is enriched with innovations like data cloning, periodic snapshots, robust encryption, and enhanced resilience against system crashes. In forensic contexts, APFS unveils both challenges and potentials. Its ability to capture system snapshots at diverse intervals stands out, granting investigators a time-lapse perspective. APFS’s native encryption safeguards data without external utilities, while its unique copy-on-write protocol can reveal insights into a file’s past versions. Nevertheless, this mechanism also implies that once a file’s storage segments are repurposed, data recovery becomes formidable. Consequently, forensic experts navigating APFS need specialized methodologies to glean substantial evidential data.