
File System Analysis and Computers Forensics - Research Paper Example

Summary
The paper "File System Analysis and Computers Forensics" highlights that File System Investigator lets the user view the contents of targeted files in a safe way. It can also help in bypassing the normal operating system mechanisms (Zanero, 2010). …

Extract of sample "File System Analysis and Computers Forensics"

File System Analysis and Computers Forensics

Introduction

As the main storage component of a computer, the file system is said to be the source of a great deal of forensic evidence. It is crucial to understand that forensic data has to be captured at the appropriate level of abstraction. For instance, the normal file system interface will only access the files that are present. To capture information about the unused space between files, you have to use low-level tools that bypass the file system. Such low-level tools have the added advantage of removing false information that may be maliciously introduced through the file system code. This paper discusses the use of file system analysis in computer forensics, file system analysis on different platforms such as Linux and others, and the tools used in file system analysis.

Employing File System Analysis in Computers Forensics

Computer forensics is a branch of digital forensic science concerned with legal evidence found in computers and digital storage media. Its main objective is to examine digital media in a forensically sound manner with the purpose of recovering, preserving, identifying and presenting facts and opinions about the information. Nelson, Phillips & Steuart (2010) assert that even though it is mostly associated with the investigation of computer crime, it may also be used in civil proceedings. They add that it involves techniques and principles similar to those of data recovery. Evidence from computer forensics investigations is normally subject to the same rules and practices as other digital evidence and has been used in several cases. They argue that it is becoming accepted within the U.S. and European court systems (Nelson, Phillips & Steuart, 2010). Nelson, Phillips & Steuart (2010) add that there are a number of techniques used in computer forensics investigations.
First, there is cross-drive analysis, which correlates information found on a number of drives. It can be used to identify social networks and to perform anomaly detection. Nelson, Phillips & Steuart (2010) say that another common technique is the recovery of deleted files. Modern forensic software has its own tools for recovering deleted data. A further technique is the examination of computers from within the operating system, using sysadmin tools to extract evidence. This process is very important when dealing with encrypting file systems (Nelson, Phillips & Steuart, 2010).

Using File System Analysis

Files are made up of two distinct parts: every file has an inode associated with it that holds metadata about the file, and the contents of the file are stored in data blocks. There are only 15 block pointers in the inode in Unix. With data blocks of 4K, the file size that can be addressed is about 60K.

Linux supports many different file systems, but common choices for the system disk on a block device include the ext* family (for instance ext2, ext3 and ext4), btrfs, ReiserFS, XFS and JFS. There are also UBIFS, JFFS2 and YAFFS, among others, which can be used for raw flash without a Memory Technology Device (MTD) or Flash Translation Layer (FTL). SquashFS is a commonly used compressed read-only file system.

The SRM Windows File System Agent collects statistics on the disk and file system properties of the storage connected to the machine. The data collected is summarized in a number of reports that can be customized to some extent with charts in the report manager. FAT, FAT16, FAT32 and NTFS are some of the file system types supported by the SRM Windows File System Agent for Windows, which supports both the discovery and the discovery-and-analysis types of data collection.
HFS+ is said to be the predominant file system found on Macintosh computers. To identify the file system, an examiner may be left looking at apparently raw data on a drive that appears unallocated. EnCase from Guidance Software and the BBT Forensic Suite from BlackBag Technologies are examples of tools that can interpret the file system and display file contents in a user-friendly manner. The Macintosh itself knows best how to display its own files.

Ubuntu can read and write disks and partitions that use the common NTFS and FAT32 formats, but it uses ext4 by default, since ext4 makes it very hard for data to be lost in case of a computer crash. It can also support large disks and files. Files in Ubuntu are arranged under a single root directory for the whole system. The root directory is known as "/" (the forward slash, which is not the same as the backslash used in Windows), and all disks and devices appear within this hierarchy. This can be seen in practice by browsing the Ubuntu file system and viewing the root directory.

Tools used in File System Analysis

File system tools help in investigating the file system of a computer in a non-invasive manner. Because the tools do not depend on the operating system to process the file system, deleted and hidden content is exposed. They run on Windows as well as Unix platforms. Zanero (2010) states that there are many tools that can be used in file system analysis. AnalyzeMFT parses the MFT file from an NTFS file system and presents the results accurately, in a form that allows further analysis with other tools.
Autopsy Forensic Browser provides an interface to the command-line tools in the Sleuth Kit, letting one view allocated and deleted files, boot code and partition tables, and create timelines of file activity (Zanero, 2010). There is also disktype, which detects the content format of a disk. It knows about file systems, boot code and partition tables. Explore2fs makes it easy to view the contents of an Ext2FS file system from inside Windows. Other tools that can be used according to Zanero (2010) include e2salvage, which tries to recover data from a damaged ext2 file system. It can cope with the damage because it does not look for data in specific places and does not trust the data it finds. The Enhanced Linux Loopback modifies the loopback driver of the Linux kernel and adds functionality that makes the driver emulate a disk drive. It helps with the automatic interpretation and mapping of partitions inside a hard drive. File System Investigator lets the user view the contents of targeted files in a safe way. It can also help in bypassing the normal operating system mechanisms (Zanero, 2010). The last tool to mention is SMART, which takes advantage of the large number of file systems supported by Linux. It also helps to list and filter file directories, recover deleted files, and use hash databases to recognize known files.

Conclusion

Generally, we find that file system analysis is very important when taken as a course, because it deals with both the file system and the disk. It is also used to produce most of the evidence in present-day digital investigations.
The file system of the computer is where most files are kept and, at the same time, the place where a lot of evidence can be found. Lastly, this is the most challenging part of forensic analysis and therefore needs a lot of care.

References

Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to computer forensics and investigations. CengageBrain.com.

Zanero, S. (2010). Open source software for digital forensics. Springer.
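
The identification step the essay describes (working out which file system is on a drive from apparently raw data, as disktype does) can be done by checking fixed-offset on-disk signatures. The sketch below is an added example, not code from the paper or from any tool it names; the helper names and sample volume are constructed here, and the ext2/ext3/ext4 split by feature flags is a heuristic assumed for illustration.

```python
import struct

SIGNATURES = [  # (absolute offset, magic bytes, label), file systems named in the essay
    (3, b"NTFS    ", "NTFS"), (82, b"FAT32   ", "FAT32"),
    (54, b"FAT16   ", "FAT16"), (0, b"XFSB", "XFS"),
    (0, b"hsqs", "SquashFS"), (1024, b"H+", "HFS+"),
    (0x8000, b"JFS1", "JFS"), (0x10034, b"ReIsEr", "ReiserFS"),
    (0x10040, b"_BHRfS_M", "btrfs"),
]
EXT_SB = 1024    # the ext superblock starts 1024 bytes into the volume
NEED = 0x10048   # bytes needed to reach the deepest signature (btrfs)

def identify_ext(buf):
    """Return (label, block_size) if buf holds an ext2/3/4 superblock, else None."""
    if buf[EXT_SB + 0x38:EXT_SB + 0x3A] != b"\x53\xef" or len(buf) < EXT_SB + 0x68:
        return None
    log_bs = struct.unpack_from("<I", buf, EXT_SB + 0x18)[0]
    compat, incompat = struct.unpack_from("<II", buf, EXT_SB + 0x5C)
    if incompat & (0x40 | 0x80 | 0x200):   # extents, 64bit, flex_bg: ext4 only
        label = "ext4"
    elif compat & 0x4:                     # has_journal
        label = "ext3"
    else:
        label = "ext2"
    return label, 1024 << log_bs

def identify(buf):
    """Name the file system whose signature appears in raw volume bytes."""
    ext = identify_ext(buf)
    if ext:
        return ext[0]
    for offset, magic, label in SIGNATURES:
        if buf[offset:offset + len(magic)] == magic:
            return label
    return "unknown"   # no known signature: raw, encrypted or unallocated data

def identify_image(path):   # reads only the leading bytes, file opened read-only
    with open(path, "rb") as fh:
        return identify(fh.read(NEED))

def sample(*fields, size=2048):   # constructed volume: zeros plus patched fields
    buf = bytearray(size)
    for offset, data in fields:
        buf[offset:offset + len(data)] = data
    return bytes(buf)

# Constructed sample (not real evidence): ext superblock, journal + extents, 4K blocks
EXT4_SAMPLE = sample((EXT_SB + 0x38, b"\x53\xef"), (EXT_SB + 0x18, struct.pack("<I", 2)),
                     (EXT_SB + 0x5C, struct.pack("<II", 0x4, 0x40)))
```

A signature match is a lead to confirm with a full parser, since stale superblocks from an earlier format can survive on a reformatted volume.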
Cite this document
(“File System Analysis and computer forensics Research Paper”, n.d.)
Retrieved from https://studentshare.org/information-technology/1497334-file-system-analysis-and-computer-forensics
