CHAPTER 13 Filesystem and Removable Storage

This chapter is probably one of the most interesting chapters in the book, because it answers some of the most common questions asked during incident investigation procedures:

  • Who deleted the file?
  • Who created the file?
  • How was this file accessed—using which tool or application?
  • When was this file deleted?
  • Who changed this file?
  • and so on

Some of these questions are easy to answer, but some of them are not. In this chapter you will find monitoring recommendations for the most common scenarios related to local-drive and removable-storage filesystem objects.

Windows Filesystem

Currently the most common Windows filesystem is the New Technology File System (NTFS). You can still find the File Allocation Table 32 (FAT32) filesystem, most likely on some USB drives or legacy operating systems, like Windows 98, for example.

The FAT32 filesystem was developed as an extension of, and replacement for, the older FAT16 filesystem, to overcome some of FAT16's limitations, such as the maximum file size, and to improve other characteristics.

FAT16 was first introduced in November 1987, with FAT32 coming in 1996. Table 13-1 compares some of the characteristics of these two filesystems.

Table 13-1: FAT16 Compared to FAT32

LIMIT                  FAT16                     FAT32
Max. volume size       4 GB (64KB clusters)      16 TB (4KB sectors)
Max. file size         4 GB                      4 GB
Max. number of files   65,460 (32KB clusters)    268,173,300 (32KB clusters)
Max. filename          ...
