
Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson


Chapter 7

Windows Filesystems

Many versions of the Windows operating system are in use. Those operating systems use a FAT filesystem, the NTFS filesystem, or the exFAT filesystem for file storage. To conduct any forensic analysis of Windows systems, you need a working knowledge of filesystems in general, and especially of the filesystems used on Windows platforms.

In this chapter, you will learn to

  • Interpret the data found in a 32-byte FAT directory record
  • Determine a file’s cluster run in a FAT table, given its starting cluster number and file size
  • Interpret the data found in an NTFS MFT record
  • Locate alternate data streams on an NTFS filesystem
  • Understand the basics of the exFAT filesystem
