Computer Forensics Investigation

Question One

| Category | Feature | NTFS | FAT32 | exFAT | UDF |
|---|---|---|---|---|---|
| Functionality | Time stamps | Yes | Yes | Yes | Yes |
| Functionality | Previous access time stamps | No | Only date | Only date | Only date |
| Functionality | Previous change time | Yes | Yes | Yes | Yes |
| Functionality | Previous archive time stamps | No | No | No | No |
| Functionality | Case-identifying | Yes | Yes | No | Yes |
| Functionality | Case-saving | Yes | Yes | Yes | Yes |
| Functionality | Hard links | Yes | No | No | Yes |
| Functionality | Soft links | Yes | No | No | No |
| Functionality | Sparse files | Yes | No | No | Yes |
| Functionality | Named streams | Yes | No | No | Yes |
| Functionality | Oplocks | Yes | Yes | Yes | Yes |
| Functionality | Expanded features | Yes | No | No | Only disk |
| Functionality | Additional data streams | Yes | No | No | Yes |
| Functionality | Mount areas | Yes | No | No | No |
| Limits | Optimum file name length in characters | 255 Unicode | 255 Unicode | 255 Unicode | 127 Unicode |
| Limits | Optimum path name length in characters | 37,760 Unicode | 37,760 Unicode | 37,760 Unicode | 37,760 Unicode |
| Limits | Optimum file size | 2^64 - 1 bytes | 4 GB | 2^64 - 1 bytes | 2^64 - 1 bytes |
| Limits | Optimum volume size | 16 TB / 256 TB | 2^32 blocks | 2^32 clusters | 2^32 blocks |
| Block Allocation Properties | Tail packing | Yes | No | No | No |
| Block Allocation Properties | Different block size | No | No | No | No |
| Block Allocation Properties | Extents | Yes | No | No | Yes |
| Security | Access to control list | Yes | No | No | No |
| Security | Monitoring of file ownership | Yes | No | No | No |
| Security | File-based encryption | Yes | No | No | No |
| Security | Checksum | No | No | Metadata | Metadata |
| Security | POSIX file access rights | No | No | No | Yes |
| Compression | In-built compression | Yes | No | No | No |
| Quotas | User-oriented disk space | Yes | No | No | No |
| Quotas | Directory-oriented disk space | Yes | No | No | No |
| Single-instance storage (SIS) | File level | No | No | No | No |
| Journaling | Metadata-oriented journaling | Yes | No | No | No |
| Journaling | File change log | Yes | No | No | No |

Question Two

According to Hayes (18), in general, NTFS (New Technology File System) offers better security and provides superior compression features compared to FAT (File Allocation Table), which relies on shared rights to secure data and has no allowance for compression. Hayes (20) adds that while it is possible to switch from FAT(32) to NTFS, the reverse is impossible as NTFS is bound by a secure mechanism. Lastly, NTFS has a lower threshold for errors than FAT.

Question Three

According to Hayes (25), on Windows devices, the file system is usually shown in the disk's properties. To identify it, the user should launch Computer, right-click on the disk they want to analyze, and choose Properties from the options. The file system is listed in the General pane.
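When the evidence is a raw volume image rather than a mounted disk, the same question can be answered from on-disk signatures. The following is an added example, not taken from Hayes or the original essay; the function names and the sample images are constructed for illustration.

```python
import struct

SECTOR = 512
VRS_START = 32768   # UDF volume recognition sequence starts at byte 32768
VRS_STEP = 2048     # one volume structure descriptor every 2048 bytes
VRS_IDS = (b"BEA01", b"CD001", b"BOOT2", b"CDW02", b"TEA01")

def identify_filesystem(image: bytes) -> str:
    """Guess the file system of a raw volume image from on-disk signatures."""
    boot = image[:SECTOR]
    if len(boot) == SECTOR and boot[510:512] == b"\x55\xaa":
        oem_id = boot[3:11]
        if oem_id == b"NTFS    ":
            return "NTFS"
        if oem_id == b"EXFAT   ":
            return "exFAT"
        # FAT32: the 16-bit FAT size field is zero and the 32-bit one is set.
        fat_sz16 = struct.unpack_from("<H", boot, 22)[0]
        fat_sz32 = struct.unpack_from("<I", boot, 36)[0]
        if fat_sz16 == 0 and fat_sz32 != 0 and boot[82:87] == b"FAT32":
            return "FAT32"
    # UDF has no boot-sector OEM ID; look for an NSR descriptor instead.
    end = min(len(image), VRS_START + 16 * VRS_STEP)
    for off in range(VRS_START, end, VRS_STEP):
        ident = image[off + 1:off + 6]
        if ident in (b"NSR02", b"NSR03"):
            return "UDF"
        if ident not in VRS_IDS:
            break
    return "unknown"

def make_boot_sector(oem: bytes, fat32: bool = False) -> bytes:
    """Constructed sample: a minimal boot sector carrying only the checked fields."""
    sector = bytearray(SECTOR)
    sector[3:11] = oem
    if fat32:
        struct.pack_into("<I", sector, 36, 1000)   # arbitrary non-zero FAT size
        sector[82:90] = b"FAT32   "
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def make_udf_image() -> bytes:
    """Constructed sample: empty image with a BEA01 / NSR03 / TEA01 sequence."""
    image = bytearray(VRS_START + 3 * VRS_STEP)
    for i, ident in enumerate((b"BEA01", b"NSR03", b"TEA01")):
        image[VRS_START + i * VRS_STEP + 1:VRS_START + i * VRS_STEP + 6] = ident
    return bytes(image)

if __name__ == "__main__":
    for name, img in [("ntfs", make_boot_sector(b"NTFS    ")), ("udf", make_udf_image())]:
        print(name, "->", identify_filesystem(img))
```

A match on these signatures is a first indication only; an examiner would confirm it by parsing the rest of the volume structures with a validated tool.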

Question Four

Hayes (29) argues that a normal format not only deletes files from the disk that is being formatted but also checks it for bad sectors. For this reason, it takes twice as long as the quick format. The quick format, on the other hand, deletes files from the disk but does not check it for bad sectors. In summary, a standard format erases all files from the disk, reorganizes its entire file structure, and checks it to confirm its integrity, while a quick format deletes the directory table and file system and skips scanning for bad sectors (Hayes 30).

Question Five

Ideally, NTFS should be used for Windows system disks as well as various internal volumes that are only compatible with Windows. This is because while NTFS is compatible with all Windows releases, Mac and Linux systems generally limit it to read-only by default (Hayes 35). On the flip side, FAT should be employed on removable disks when optimum compatibility is required with the largest variety of devices, provided the file sizes do not exceed 4 GB. The reason is that it has optimum file and partition size caps of 4 GB and 8 TB respectively (Hayes 35). Its compatibility also cuts across all game consoles, Mac, Windows, and Linux; primarily, it works with any system that has a USB port.

Work Cited

Hayes, Darren R. A Practical Guide to Computer Forensics Investigation. New York, NY: Pearson, 2014. Print.
