File System (Definition, Types: NTFS, FAT32, etc.)

At its most basic level, a file system is the organizational structure that an operating system uses to manage how data is stored, accessed, and retrieved on storage media like Hard Disk Drives (HDDs), Solid State Drives (SSDs), or USB flash drives. It defines the rules for naming files and directories (folders), managing permissions, storing metadata (information about the files), and maintaining the overall hierarchical structure (the familiar tree of folders and files). Different operating systems support various file systems, each offering distinct features, performance characteristics, and limitations.

While numerous file systems exist (like HFS+ or APFS for macOS, ext4 for Linux), screenshares conducted on player PCs almost invariably encounter Windows environments. Therefore, this guide primarily focuses on the file systems most relevant to Windows:

• NTFS (New Technology File System): This is the standard, modern file system used by default for internal drives on virtually all current versions of Windows (from XP/Vista onwards through Windows 10 and 11). Its prevalence makes understanding its specific features essential for screensharing. NTFS offers robust capabilities crucial for both system operation and forensic analysis, including:

  • Journaling: A mechanism to ensure data consistency and rapid recovery after crashes (discussed below).

  • Detailed File Permissions and Access Control Lists (ACLs).

  • Support for file encryption (EFS), compression, and large file/volume sizes.

  • Features like Alternate Data Streams (ADS) and hard links.

• FAT32 (File Allocation Table 32-bit): An older, simpler file system often used for compatibility, especially on removable media like USB drives or older SD cards. Key limitations relevant to screenshares include:

  • Lack of Journaling: FAT32 does not possess a journaling system comparable to NTFS's $UsnJrnl or $LogFile. This absence significantly hinders the ability to track file creation, deletion, and modification history directly through filesystem logs on FAT32 volumes.

  • Limited permission controls.

  • Restrictions on individual file size (max 4GB) and volume size.

• exFAT (Extended File Allocation Table): An evolution of FAT32, designed primarily for large-capacity flash drives and memory cards. It overcomes FAT32's file/volume size limits while maintaining broader cross-platform compatibility than NTFS (e.g., better support on macOS). However, like FAT32, exFAT generally lacks robust journaling features found in NTFS.

Understanding which file system is in use (especially when examining external drives) is critical because it dictates which artifacts (like the USN Journal) are available for analysis.