NTFS FAT HFS+: Drowning in Acronyms
December 9, 2012 1:11 PM
Where can I learn about file systems?
I'm looking for a resource that can teach me about how file systems are structured and how they store data at a reasonably in-depth level.
I've been teaching myself how to use the Sleuth Kit/Autopsy combination, but I occasionally bump into the limits of what I know about, say, the differences between how a FAT-formatted disk is structured compared with an NTFS disk.
I feel like I'm familiar enough with this stuff to get by, but if I'm presented with a list of information about a disk image there'll be too much that I don't know. Any good resources would be greatly appreciated. Bonus points if they're free, but I'll certainly consider books as well. I've got access to Windows, OS X and Linux, just in case that makes any difference.
This episode of Hypercritical is a nice introduction.
posted by Apropos of Something at 1:30 PM on December 9, 2012
They're all pretty different. FAT is insanely simple; it was designed for machines whose total memory was measured in tens of kilobytes. There have been many extensions over the years, of course, some of them horribly kludgy, but that probably makes them forensically interesting.
The Berkeley Fast File System is nearly 30 years old, but I remember the paper describing it to have a reasonable discussion of the issues a filesystem designer works with. Also, many later file system designs in the Unix traditions are described in terms of how they differ from something like FFS.
HFS+ is an interesting beast as file systems go.
I know nothing about NTFS.
More modern file systems are often log-structured, which both improves crash resilience and (depending on how it's done) write speed in many cases. This page of articles shows a nice timeline of the evolution of the standard Linux filesystem from its basically FFS-like roots.
posted by hattifattener at 1:38 PM on December 9, 2012
If you want to learn about filesystems you're really, really going to want a copy of VMware Workstation, VMware Fusion, and/or VirtualBox so that you can install sacrificial guest OSes to experiment with things like mdadm RAID, full disk encryption on different Linux filesystems, and things like converting ext2 to journaled ext4fs...
posted by thewalrus at 2:34 PM on December 9, 2012
Are you able to read C code? The bootloader GRUB 2 includes minimal, read-only drivers for a gazillion different file systems.
It's not really well-commented, so you'll need to start out with at least some understanding of the FS. But it's much simpler code than most drivers, since it's read-only. Plus, you can even run it in userland, which means you can easily attach a debugger and see exactly what's going on.
posted by vasi at 6:54 PM on December 9, 2012
Thanks for the advice! thewalrus, I've got VirtualBox and VMware Fusion running with a few guest OSes already, some of which I don't care about messing with.
I've tracked down a copy of Carrier's book as well, which looks like it has more than enough information for me to get by on for now.
posted by anaximander at 4:42 AM on December 10, 2012
This thread is closed to new comments.
posted by bfranklin at 1:27 PM on December 9, 2012