File-Systems-P1
Know Your File System: Lessons from the Trenches
By Janet Smith, Computer Forensics Examiner

I cut my teeth in digital forensics crawling through the guts of Windows XP machines in a dusty tent in Iraq, then a palace, then a modified shipping container with AC. Supporting a special operations unit gave me a crash course in finding the truth buried deep in hard drives—where the bad guy’s missteps could all leave a bread crumb to my team’s next target, cell leader or weapons cache.

Fast forward to today, with Windows 11 humming along on sleek ultrabooks, I can tell you with absolute certainty: you can’t be good at computer forensics without understanding basic file structures. It’s like clearing a room—you need to know where people hide before you kick in the door.

Let me break it down the way I learned it—with dirt under my fingernails, a laptop running EnCase, Maresware, and FTK, and how I developed a firm grasp of Windows file systems across the versions we see the most: XP, 7, 10, and 11.

Windows XP: The Wild West

When I first started, Windows XP was king. It was sloppy but predictable. XP was built on NTFS, but the way system folders were structured was more… primitive.

System Drive (C:) — Everything lived under here. The big folders to know were:

C:\Documents and Settings\ — Every user had a profile here. That’s where I lived when I needed to pull browser histories, desktop files, and user-specific data.

C:\Windows\System32\ — Malware loved hiding here. I always ran a known-hash file comparison on everything in this folder and many of its subfolders. But that is a little beyond this article, which David asked me to write.

C:\Program Files\ — Installed applications.

It was common to see poor access controls. Admin accounts galore. People saved sensitive stuff on their desktops without a second thought. Windows XP was forgiving for an investigator—most of the time, if you knew where to look, you’d find what you needed fast.
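The known-hash comparison mentioned above for C:\Windows\System32\, as an added example that is not the author's own tooling: it walks a (read-only mounted) folder tree, hashes every file, and reports the ones whose SHA-256 is not in a known-good set. The mini System32 tree and the known-good set are constructed inline so it runs offline; in practice the set would come from a reference hash library.

```python
"""Known-hash comparison over a mounted Windows XP system folder (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def unknown_files(root: Path, known: set[str]) -> list[Path]:
    """Return every file under root (recursively) whose hash is absent from known."""
    unknown = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if sha256_file(p) not in known:
                unknown.append(p)
    return sorted(unknown)


def demo() -> list[str]:
    """Constructed sample: a tiny System32 tree with two whitelisted files and one stranger."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "Windows" / "System32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"constructed known binary A")
        (sys32 / "drivers" / "tcpip.sys").write_bytes(b"constructed known binary B")
        (sys32 / "unverified.dll").write_bytes(b"constructed file not in the hash set")
        # Known-good set built from the two files we trust; a real run loads this
        # from a reference hash set rather than from the evidence itself.
        known = {sha256_file(sys32 / "kernel32.dll"),
                 sha256_file(sys32 / "drivers" / "tcpip.sys")}
        return [p.relative_to(sys32).as_posix() for p in unknown_files(sys32, known)]


if __name__ == "__main__":
    print(demo())  # ['unverified.dll']
```

Files the set does not recognise are only leads for closer inspection, not proof of tampering; a patched or updated system binary will show up the same way.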