NTFS FAT HFS+: Drowning in Acronyms
December 9, 2012 1:11 PM

Where can I learn about file systems?

I'm looking for a resource that can teach me about how file systems are structured and how they store data at a reasonably in-depth level.

I've been teaching myself how to use the Sleuth Kit/Autopsy combination, but I occasionally bump into the limits of what I know about, say, the differences between how a FAT-formatted disk is structured compared with an NTFS disk.

I feel like I'm familiar enough with this stuff to get by, but if I'm presented with a list of information about a disk image there'll be too much that I don't know. Any good resources would be greatly appreciated. Bonus points if they're free, but I'll certainly consider books as well. I've got access to Windows, OS X and Linux, just in case that makes any difference.
posted by anaximander to Computers & Internet (6 answers total) 17 users marked this as a favorite

Best answer: Carrier's book is _the_ book.
posted by bfranklin at 1:27 PM on December 9, 2012 [3 favorites]

Best answer: This episode of Hypercritical is a nice introduction.
posted by Apropos of Something at 1:30 PM on December 9, 2012

They're all pretty different. FAT is insanely simple; it was designed for machines whose total memory was measured in tens of kilobytes. There have been many extensions over the years, of course, some of them horribly kludgy, but that probably makes them forensically interesting.

The Berkeley Fast File System is nearly 30 years old, but I remember the paper describing it to have a reasonable discussion of the issues a filesystem designer works with. Also, many later file system designs in the Unix traditions are described in terms of how they differ from something like FFS.

HFS+ is an interesting beast as file systems go.

I know nothing about NTFS.

More modern file systems are often log-structured, which both improves crash resilience and (depending on how it's done) write speed in many cases. This page of articles shows a nice timeline of the evolution of the standard Linux filesystem from its basically FFS-like roots.
posted by hattifattener at 1:38 PM on December 9, 2012 [1 favorite]

Best answer: If you want to learn about filesystems you're really, really going to want a copy of VMware Workstation, VMware Fusion, and/or VirtualBox so that you can install sacrificial guest OSes to experiment with things like mdadm RAID, full disk encryption on different Linux filesystems, and things like converting ext2 to journaled ext4fs...
posted by thewalrus at 2:34 PM on December 9, 2012 [1 favorite]

Are you able to read C code? The bootloader GRUB 2 includes minimal, read-only drivers for a gazillion different file systems.

It's not really well-commented, so you'll need to start out with at least some understanding of the FS. But it's much simpler code than most drivers, since it's read-only. Plus, you can even run it in userland, which means you can easily attach a debugger and see exactly what's going on.
posted by vasi at 6:54 PM on December 9, 2012 [2 favorites]

Response by poster: Thanks for the advice! thewalrus, I've got VirtualBox and VMware Fusion running with a few guest OSes already, some of which I don't care about messing with.

I've tracked down a copy of Carrier's book as well, which looks like it has more than enough information for me to get by on for now.
posted by anaximander at 4:42 AM on December 10, 2012
