Part 5: File Systems aur Metadata | Module 2

Parichay

File systems data ko organize aur store karne ka tarika define karte hain. Ek forensic investigator ke liye different file systems ko samajhna critical hai kyunki ye determine karta hai ki deleted files kaise recover hongi, timestamps kaise interpret honge, aur hidden data kahan mil sakta hai.

📚 Seekhne ke Uddeshy

Is part ke ant tak, aap major file systems (FAT, NTFS, EXT4, APFS) ko samjhenge, metadata analysis kar sakenge, aur timestamp examination techniques sikhenge.

File Systems Overview

File system ek method hai jisse operating system files ko storage device par organize karta hai. Har file system ki apni structure, features, aur forensic implications hain.

FAT (File Allocation Table)

💾 FAT File System

Oldest aur simplest file system. USB drives, memory cards, aur legacy systems mein common. FAT12, FAT16, FAT32 variants hain.

Structure: Boot sector, FAT tables (2 copies), Root directory, Data area
Max File Size: FAT32 - 4GB limit
Forensic Value: Simple structure, easy to analyze, deleted file recovery often successful
Timestamps: Created, Modified, Accessed (limited precision - 2 second resolution)
Limitations: No journaling, no permissions, fragmentation prone

NTFS (New Technology File System)

💾 NTFS File System

Windows ka primary file system. Advanced features jaise journaling, permissions, encryption support karta hai.

Structure: MFT (Master File Table), $LogFile, $Bitmap, Data areas
Max File Size: 16 EB (theoretical)
Key Features:
- Journaling - changes logged before execution
- Alternate Data Streams (ADS) - hidden data storage
- File system encryption (EFS)
- Compression support
Timestamps: Created, Modified, Accessed, MFT Entry Modified (MACE)
Forensic Value: $MFT contains extensive file metadata, $UsnJrnl tracks changes

EXT4 (Fourth Extended File System)

💾 EXT4 File System

Linux systems ka default file system. Journaling support, large file handling, aur reliability ke liye designed.

Structure: Superblock, Block groups, Inodes, Data blocks
Key Features:
- Journaling (journal, ordered, writeback modes)
- Extents - contiguous block allocation
- Large file support (up to 16 TB)
- Nanosecond timestamps
Timestamps: Created, Modified, Accessed, Changed (ctime - metadata change)
Forensic Value: Inode analysis, journal recovery, deleted file carving

APFS (Apple File System)

💾 APFS File System

Apple devices (Mac, iPhone, iPad) ka modern file system. SSD optimization, encryption, aur snapshot support.

Structure: Container, Volumes, Objects, B-trees
Key Features:
- Native encryption
- Snapshots - point-in-time copies
- Space sharing between volumes
- Copy-on-write
Timestamps: Created, Modified, Accessed, Changed (nanosecond precision)
Forensic Challenges: Encryption by default, complex structure, specialized tools needed

File System Comparison

Feature	FAT32	NTFS	EXT4	APFS
Journaling	No	Yes	Yes	Yes (CoW)
Max File Size	4 GB	16 EB	16 TB	8 EB
Encryption	No	EFS	External	Native
Timestamps	3 (low res)	4 (MACE)	4 (nano)	4 (nano)
OS Support	Universal	Windows	Linux	Apple
Recovery Ease	Easy	Moderate	Moderate	Difficult

Metadata Analysis

Metadata "data about data" hai - file ke content ke alawa uski properties jaise size, timestamps, permissions, author etc. Forensic investigation mein metadata crucial evidence provide karta hai.

File System Metadata

📅

Timestamps

Created, Modified, Accessed times - user activity timeline establish karte hain

🔒

Permissions

File access rights - kaun access kar sakta hai, modify kar sakta hai

👤

Ownership

File owner aur group information - attribution ke liye important

📈

Size Information

Logical size vs Physical size - hidden data indicate kar sakta hai

Application Metadata

Files ke andar embedded metadata jo application ne create kiya:

Documents (Office files): Author, company, revision history, edit time
Images (EXIF): Camera model, GPS coordinates, date/time, settings
PDFs: Creator, producer, creation/modification dates
Audio/Video: Codec info, duration, creation software

Metadata Extraction Tools

Tool	Purpose	Platform
ExifTool	Image/document metadata extraction	Cross-platform
Autopsy	Comprehensive forensic metadata analysis	Cross-platform
FTK	Commercial forensic metadata analysis	Windows
FOCA	Document metadata extraction	Windows
mat2	Metadata removal/analysis	Linux

💡 Practical Example - EXIF Data

Ek threatening photo received hui. ExifTool se EXIF data extract kiya to mila: Camera Model (iPhone 13), GPS Coordinates (suspect ke ghar ke paas), Date/Time (crime window mein). Is metadata ne suspect ki involvement prove karne mein help ki.

# ExifTool command example
$ exiftool -a -u -g1 suspicious_image.jpg

---- ExifTool ----
ExifTool Version Number         : 12.50
---- System ----
File Name                       : suspicious_image.jpg
File Size                       : 2.5 MB
---- EXIF ----
Camera Model Name              : iPhone 13 Pro
Date/Time Original             : 2024:01:15 14:32:45
GPS Latitude                   : 19 deg 4' 32.10" N
GPS Longitude                  : 72 deg 52' 12.50" E
---- Author ----
Creator                        : John Doe

Timestamp Analysis

Timestamps investigation mein timeline reconstruction ke liye critical hain. Different file systems different timestamps maintain karte hain.

MACE Timestamps (NTFS)

Timestamp	Full Name	Updates When
M	Modified	File content change hota hai
A	Accessed	File read/execute hota hai
C	Changed (MFT)	MFT entry change hoti hai
E	Entry Created	File create hoti hai

Timestamp Anomalies

Timestamps mein inconsistencies tampering indicate kar sakti hain:

Modified before Created: File copy ya manipulation
Future timestamps: System clock manipulation
Identical timestamps: Mass file operation ya tool use
Missing timestamps: Anti-forensics ya corruption

Timestomping

Timestomping ek anti-forensic technique hai jismein file timestamps deliberately change kiye jaate hain detection avoid karne ke liye.

⚠ Detection Tips

$MFT mein $STANDARD_INFORMATION aur $FILE_NAME dono mein timestamps hote hain. Timestomping tools usually sirf $SI change karte hain, $FN nahi. Dono compare karke tampering detect ki ja sakti hai.

Time Zone Considerations

NTFS timestamps UTC mein store hote hain
FAT timestamps local time mein store hote hain
Investigation mein time zone conversion carefully karein
Multiple devices ke timestamps correlate karte waqt time zone dhyan rakhein

💡 Timeline Analysis Example

Ek data theft case mein, employee ne 10 PM IST par office chhoda claim kiya. Log analysis mein files 11:30 PM UTC (5 AM IST next day) par copy hui dikhain. Time zone conversion ke baad clear hua ki employee ke claim ke baad 7 ghante baad copy hui - suspicious activity confirmed.

Important Forensic Artifacts

NTFS Artifacts

$MFT: Master File Table - all file metadata
$LogFile: Transaction journal
$UsnJrnl: Change journal - file system changes track karta hai
$Bitmap: Cluster allocation status
Alternate Data Streams: Hidden data storage - malware often use karta hai

EXT4 Artifacts

Superblock: File system configuration
Inode Table: File metadata storage
Journal: Transaction log
Deleted Inode Recovery: Inodes se deleted files recover

APFS Artifacts

Snapshots: Historical file system states
Transaction History: Copy-on-write changes
Keybag: Encryption key storage

📚 Mukhya Points

Different file systems (FAT, NTFS, EXT4, APFS) ki different structures aur forensic implications hain
NTFS mein MFT, journaling, aur ADS forensically important artifacts hain
Metadata "data about data" hai - timestamps, permissions, ownership include karta hai
Application metadata (EXIF, document properties) valuable evidence provide karta hai
MACE timestamps (Modified, Accessed, Changed, Entry Created) NTFS mein available hain
Timestamp anomalies tampering indicate kar sakti hain - $SI vs $FN comparison important
Time zone considerations cross-device analysis mein critical hain
ExifTool, Autopsy jaise tools metadata extraction ke liye use hote hain