Computer Forensics Investigation

Question One

File System NTFS FAT32 exFAT UDF
Functionality Time stamps (Yes)

Previous access time stamps (No)

Previous change time (Yes)

Previous archive time stamps (No)

Case-identifying (Yes)

Case-saving (Yes)

Hard links (Yes)

Soft links (Yes)

Sparse files (Yes)

Named streams (Yes)

Oplocks (Yes)

Expanded features (Yes)

Additional data streams (Yes)

Mount areas (Yes)

Time stamps (Yes)

Previous access time stamps (Only date)

Previous change time (Yes)

Previous archive time stamps (No)

Case-identifying (Yes)

Case-saving (Yes)

Hard links (No)

Soft links (No)

Sparse files (No)

Named streams (No)

Oplocks (Yes)

Expanded features (No)

Additional data streams (No)

Mount areas (No)

Time stamps (Yes)

Previous access time stamps (Only date)

Previous change time (Yes)

Previous archive time stamps (No)

Case-identifying (No)

Case-saving (Yes)

Hard links (No)

Soft links (No)

Sparse files (No)

Named streams (No)

Oplocks (Yes)

Expanded features (No)

Additional data streams (No)

Mount areas (No)

Time stamps (Yes)

Previous access time stamps (Only date)

Previous change time (Yes)

Previous archive time stamps (No)

Case-identifying (Yes)

Case-saving (Yes)

Hard links (Yes)

Soft links (No)

Sparse files (Yes)

Named streams (Yes)

Oplocks (Yes)

Expanded features (Onlydisk)

Additional data streams (Yes)

Mount areas (No)

Limits Optimum file name length in characters (255 Unicode)

Optimum path name length in characters (37,760 Unicode)

Optimum file size (2^64 1 bytes)

Optimum volume size (16TB/256TB)

Optimum file name length in characters (255 Unicode)

Optimum path name length in characters (37,760 Unicode)

Optimum file size (4 GB)

Optimum volume size (2^32 blocks)

Optimum file name length in characters (255 Unicode)

Optimum path name length in characters (37,760 Unicode)

Optimum file size (2^64 1 bytes)

Optimum volume size (2^32 clusters)

Optimum file name length in characters (127 Unicode)

Optimum path name length in characters (37,760 Unicode)

Optimum file size (2^64 1 bytes)

Optimum volume size (2^32 blocks)

Block Allocation Properties Tail packing (Yes)

Different block size (No)

Extents (Yes)

Tail packing (No)

Different block size (No)

Extents (No)

Tail packing (No)

Different block size (No)

Extents (No)

Tail packing (No)

Different block size (No)

Extents (Yes)

Security Access to control list (Yes)

Monitoring of file ownership (Yes)

File-based encryption (Yes)

Checksum (No)

POSIX file access rights (No)

 

Access to control list (No)

Monitoring of file ownership (No)

File-based encryption (No)

Checksum (No)

POSIX file access rights (No)

 

Access to control list (No)

Monitoring of file ownership (No)

File-based encryption (No)

Checksum (Metadata)

POSIX file access rights (No)

 

Access to control list (No)

Monitoring of file ownership (No)

File-based encryption (No)

Checksum (Metadata)

POSIX file access rights (Yes)

 

Compression In-built compression (Yes) In-built compression (No) In-built compression (No) In-built compression (No)
Quotas User-oriented disk space (Yes)

Directory-oriented disk space (Yes)

User-oriented disk space (No)

Directory-oriented disk space (No)

User-oriented disk space (No)

Directory-oriented disk space (No)

User-oriented disk space (No)

Directory-oriented disk space (No)

Single-instance storage (SIS) File level (No) File level (No) File level (No) File level (No)
Journaling Metadata-oriented journaling (Yes)

File change log (Yes)

Metadata-oriented journaling (No)

File change log (No)

Metadata-oriented journaling (No)

File change log (No)

Metadata-oriented journaling (No)

File change log (No)

 

Question Two

According to Hayes (18), in general, NTFS (New Technology File System) offers better security and provides superior compression features compared to FAT (File Allocation Table), which relies on shared rights to secure data and has no allowance for compression. Hayes (20) adds that while it is possible to switch from FAT(32) to NTFS, the reverse is impossible as NTFS is bound by a secure mechanism. Lastly, NTFS has a lower threshold for errors than FAT.

Question Three

According to Hayes (25), in Windows devices, the file format is usually designated in the system properties. To identify it,the user should launch Computer, right-click on the disk they want to analyze, and chooseProperties from the options. The file format – system – is listed in the General pane.

Question Four

Hayes (29) argues that a normal format not only deletes files from the disk that is being formatted but also checks it for bad sectors. For this reason, its duration is twofold that of the quick format. The quick form, on the other hand,deletes files from the disk but does not check it for bad sectors. In summary, a standard format erases all files from the disk, reorganize its entire file structure, and check it to confirm its integrity while a quick format deletes the directory table and file system and overlooks scanning for bad sectors (Hayes 30).

Question Five

Ideally, NTFS should be used for Windows system disks as well as various internal volumes that are only compatible with Windows. This is because while NTFS is compatible with all Windows releases, Mac and Linux systems generally limit it to read-only by default (Hayes 35). On the flip side, FAT should be employed in removable disks when optimum compatibility is required with the largest variety of devices if the file sizes do not exceed 4 GB. The reason is that it has optimum file and partition size caps of 4 GB and 8 TB respectively (Hayes 35). Also, its compatibility also cuts across all game console, Mac, Windows, and Linux; primarily, it works with any system that has a USB port.

Work Cited

Hayes, Darren R. A Practical Guide to Computer Forensics Investigation.New York, NY:Pearson, 2014.Print.

 

 

 

 

Do you need high quality Custom Essay Writing Services?

Custom Essay writing Service

Stuck with Your Assignment?

Save Time on Research and Writing

Get Help from Professional Academic Writers Now