Summary

This chapter explained the file systems used on Windows operating systems. Because the FAT file system is the most prevalent and has a long history, I covered its structure and function in great detail. The FAT file system works primarily with the directory entries and the FAT to read and write data on its partition. The FAT tracks cluster allocation and cluster runs in use by a file. The directory entries track the names of files and directories, along with their starting clusters and lengths. Using these basic features, files are read, written, and deleted. By reversing the deletion process, you learned how to recover deleted files.

I also covered the NTFS file system. At the heart of the NTFS file system are the master file table (MFT) ...

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition by

Summary

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly