Know Your File System

Lessons from the Trenches

By Janet Smith, Computer Forensics Examiner

I cut my teeth in digital forensics crawling through the guts of Windows XP machines in a dusty tent in Iraq, then a palace, then a modified shipping container with ac. Supporting a special operations unit gave me a crash course in finding the truth buried deep in hard drives—where the bad-guy’s missteps could all leave a bread crumb to my team’s next target, cell leader or weapons cache. Fast forward to today, with Windows 11 humming along on sleek ultrabooks, I can tell you with absolute certainty: you can’t be good at computer forensics without understanding basic file structures. It’s like clearing a room—you need to know where people hide before you kick in the door.

Let me break it down the way I learned it—with dirt under my fingernails, a laptop running Encase, Maresware, and FTK, and how I developed a firm grasp of Windows file systems across the versions we see the most: XP, 7, 10, and 11.

Windows XP: The Wild West

When I first started, Windows XP was king. It was sloppy but predictable. XP was built on NTFS, but the way system folders were structured was more… primitive.

System Drive (C:) — Everything lived under here. The big folders to know were:

 C:\Documents and Settings\ — Every user had a profile here. That’s where I lived when I needed to pull browser histories, desktop files, and user-specific data.

 C:\Windows\System32\ — Malware loved hiding here. I always ran a known hash file comparison on everything in his folder and many subfolders.  But that is a little beyond this article, which David asked me to write.

 C:\Program Files\ — Installed applications.

It was common to see poor access controls. Admin accounts galore. People saved sensitive stuff on their desktops without a second thought. Windows XP was forgiving for an investigator—most of the time, if you knew where to look, you’d find what you needed fast.

Read more about Windows 7, 10 and 11