🗂️ File System Forensics: NTFS, EXT4, APFS – What Investigators Look For


Introduction

Every digital device stores data in a file system — the structure that organizes files and folders on a disk. When cybercrime investigators examine a suspect’s computer or mobile device, file system forensics plays a key role. By studying file systems like NTFS (Windows), EXT4 (Linux), and APFS (macOS), experts can uncover hidden evidence, deleted files, and traces of criminal activity.


📂 What is File System Forensics?

File system forensics involves analyzing how files are created, modified, accessed, and deleted. Even when a file is “deleted,” remnants often remain in the file system until overwritten. Investigators recover and interpret these remnants to reconstruct events.


🖥️ Major File Systems in Digital Forensics

1. NTFS (New Technology File System – Windows)

  • Used in most modern Windows systems.

  • Stores MFT (Master File Table) entries for every file.

  • Investigators analyze:

    • Timestamps (MAC times) → Created, Modified, Accessed, Changed (MFT entry modified).

    • Alternate Data Streams (ADS) → Hidden data attached to files.

    • Slack Space → Unused clusters that may still hold remnants of old data.
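The three NTFS artifacts listed above all live in the MFT record, so the most useful thing to see is how one record decodes. The following is an added example, not code from the original post: it constructs a 1024-byte FILE record in memory (the bytes are made up, not taken from a real volume), applies the NTFS fix-up mechanism the way the driver does, and then reads the four $STANDARD_INFORMATION timestamps and every $DATA attribute. A $DATA attribute that carries a name is an Alternate Data Stream, which is exactly how ADS such as `Zone.Identifier` show up to an examiner. The parser is deliberately limited to resident attributes; non-resident data is reported as `None` because its content lives in clusters outside the record.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_DATA, ATTR_END = 0x10, 0x80, 0xFFFFFFFF
RECORD_SIZE, SECTOR_SIZE = 1024, 512


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(seconds=ft // 10_000_000,
                                      microseconds=(ft % 10_000_000) // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _attribute(attr_type, content, name=""):
    """Resident attribute: 24-byte header, optional UTF-16 name, 8-byte aligned
    body.  A *named* $DATA attribute is an Alternate Data Stream."""
    name_bytes = name.encode("utf-16-le")
    content_off = 0x18 + len(name_bytes)
    content_off += (-content_off) % 8
    length = content_off + len(content)
    length += (-length) % 8
    buf = bytearray(length)
    # type, length, non-resident flag, name length, name offset, flags, id,
    # content length, content offset, indexed flag, padding
    struct.pack_into("<IIBBHHHIHBB", buf, 0, attr_type, length, 0, len(name),
                     0x18, 0, 0, len(content), content_off, 0, 0)
    buf[0x18:0x18 + len(name_bytes)] = name_bytes
    buf[content_off:content_off + len(content)] = content
    return bytes(buf)


def build_mft_record(record_number, created, modified, accessed, streams):
    """Constructed 1024-byte FILE record with fix-ups applied as the driver would."""
    ft = datetime_to_filetime
    si = struct.pack("<QQQQ", ft(created), ft(modified), ft(modified), ft(accessed))
    attrs = _attribute(ATTR_STANDARD_INFORMATION, si + bytes(0x30 - len(si)))
    for name, data in streams:
        attrs += _attribute(ATTR_DATA, data, name)
    attrs += struct.pack("<I", ATTR_END)
    first_attr = 0x38
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    # USA offset/size, LSN, sequence, link count, first attribute, flags (1 = in
    # use), used/allocated size, base record, next attr id, pad, record number
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, 1, 1, first_attr, 1,
                     first_attr + len(attrs), RECORD_SIZE, 0, 0, 0, record_number)
    rec[first_attr:first_attr + len(attrs)] = attrs
    # Fix-ups: the last 2 bytes of each 512-byte sector are replaced by the update
    # sequence number; the original bytes are saved in the update sequence array.
    usn = 0x0001
    struct.pack_into("<H", rec, 0x30, usn)
    for i, end in enumerate((SECTOR_SIZE, RECORD_SIZE)):
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


def parse_mft_record(raw):
    """Undo fix-ups, then walk the attribute chain for timestamps and $DATA streams."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(raw)
    usa_off, usa_size = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_size):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fix-up mismatch: torn or corrupted record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "streams": []}
    off = first_attr
    while True:
        attr_type = struct.unpack_from("<I", rec, off)[0]
        if attr_type == ATTR_END:
            break
        length, non_res, name_len, name_off = struct.unpack_from("<IBBH", rec, off + 4)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = None  # non-resident content lives in clusters, not in the record
        if not non_res:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
        if attr_type == ATTR_STANDARD_INFORMATION and content:
            c, m, e, a = struct.unpack_from("<QQQQ", content)
            info.update(created=filetime_to_datetime(c), modified=filetime_to_datetime(m),
                        mft_modified=filetime_to_datetime(e), accessed=filetime_to_datetime(a))
        elif attr_type == ATTR_DATA:
            info["streams"].append((name, content))
        off += length
    return info


def alternate_data_streams(info):
    """Every named $DATA attribute; the primary stream has no name."""
    return [name for name, _ in info["streams"] if name]


SAMPLE_RECORD = build_mft_record(  # constructed sample, not from a real volume
    42, created=datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc),
    modified=datetime(2024, 3, 16, 8, 5, 30, tzinfo=timezone.utc),
    accessed=datetime(2024, 3, 17, 12, 0, tzinfo=timezone.utc),
    streams=[("", b"quarterly figures..."),
             ("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n")])
```

Running `parse_mft_record(SAMPLE_RECORD)` yields the record number, the in-use flag, the four timestamps and two streams, of which only `Zone.Identifier` is reported by `alternate_data_streams`. The fix-up check is worth keeping in any real parser: a record whose sector tails do not carry the expected update sequence number was torn mid-write or has been tampered with, and its contents should not be trusted without further corroboration.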

2. EXT4 (Fourth Extended File System – Linux)

  • Common in Linux distributions.

  • Features journaling to record file system changes.

  • Investigators focus on:

    • Journals → Evidence of file creation/deletion.

    • Inodes → Metadata like permissions and ownership.

    • Unallocated space → Fragments of deleted files.
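The inode is where the EXT4 metadata mentioned above is stored, and its layout is what makes ownership, permissions and deletion time recoverable. The block below is an added example, not code from the original post: it lays out a 256-byte ext4 inode in memory (constructed values, not read from a disk) and decodes the fields an examiner reads from it. Two details matter forensically and are easy to get wrong: the 32-bit timestamps are extended by the `*_extra` fields (two epoch bits plus nanoseconds), and a freed inode keeps its `i_dtime` deletion timestamp and a link count of zero, which is how a deleted file still announces itself.

```python
import stat
import struct
from datetime import datetime, timezone

INODE_SIZE = 256   # current ext4 default; the classic 128-byte inode has no extra area
EPOCH_MASK = 0x3   # low two bits of an *_extra field extend the 32-bit seconds


def ext4_time(seconds, extra=0):
    """Decode i_xtime + i_xtime_extra: seconds is a signed 32-bit value, extra
    bits 0-1 add bits 32-33 of the epoch, extra bits 2-31 hold nanoseconds."""
    if seconds >= 1 << 31:
        seconds -= 1 << 32
    seconds += (extra & EPOCH_MASK) << 32
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(
        microsecond=(extra >> 2) // 1000)


def build_inode(mode, uid, gid, size, links, atime, ctime, mtime, crtime,
                dtime=0, mtime_ns=0):
    """Constructed 256-byte inode with i_extra_isize = 32 (not read from a disk)."""
    ino = bytearray(INODE_SIZE)
    # i_mode, i_uid, i_size_lo, i_atime, i_ctime, i_mtime, i_dtime, i_gid, i_links_count
    struct.pack_into("<HHIIIIIHH", ino, 0x00, mode, uid & 0xFFFF, size & 0xFFFFFFFF,
                     atime, ctime, mtime, dtime, gid & 0xFFFF, links)
    struct.pack_into("<I", ino, 0x6C, size >> 32)              # i_size_high
    struct.pack_into("<HH", ino, 0x78, uid >> 16, gid >> 16)   # l_i_uid_high, l_i_gid_high
    # i_extra_isize, i_checksum_hi, i_ctime_extra, i_mtime_extra, i_atime_extra,
    # i_crtime, i_crtime_extra
    struct.pack_into("<HHIIIII", ino, 0x80, 32, 0, 0, mtime_ns << 2, 0, crtime, 0)
    return bytes(ino)


def parse_inode(raw):
    """Fields an examiner reads: type/permissions, owner, size, link count, the
    MAC times, creation time (crtime) and deletion time (dtime, set once freed)."""
    mode, uid, size, atime, ctime, mtime, dtime, gid, links = struct.unpack_from(
        "<HHIIIIIHH", raw, 0x00)
    size |= struct.unpack_from("<I", raw, 0x6C)[0] << 32
    uid_hi, gid_hi = struct.unpack_from("<HH", raw, 0x78)
    extra = {"ctime": 0, "mtime": 0, "atime": 0}
    crtime = None
    if len(raw) > 128:
        extra_isize = struct.unpack_from("<H", raw, 0x80)[0]
        if extra_isize >= 16:   # the three *_extra fields end at offset 0x90
            extra["ctime"], extra["mtime"], extra["atime"] = struct.unpack_from(
                "<III", raw, 0x84)
        if extra_isize >= 24:   # i_crtime / i_crtime_extra end at offset 0x98
            crtime = ext4_time(*struct.unpack_from("<II", raw, 0x90))
    return {
        "mode": stat.filemode(mode),
        "uid": uid | uid_hi << 16, "gid": gid | gid_hi << 16,
        "size": size, "links": links,
        "atime": ext4_time(atime, extra["atime"]),
        "ctime": ext4_time(ctime, extra["ctime"]),
        "mtime": ext4_time(mtime, extra["mtime"]),
        "crtime": crtime,
        "dtime": ext4_time(dtime) if dtime else None,
        "deleted": dtime != 0,
    }


SAMPLE_INODE = build_inode(  # constructed: a deleted, user-owned regular file
    mode=stat.S_IFREG | 0o640, uid=1000, gid=70000, size=4096, links=0,
    crtime=1_700_000_000, mtime=1_700_003_600, ctime=1_700_003_600,
    atime=1_700_007_200, dtime=1_700_010_000, mtime_ns=500_000_000)
```

`parse_inode(SAMPLE_INODE)` reports `-rw-r-----`, owner 1000:70000 (the group id needs the high 16 bits from `l_i_gid_high`), a link count of zero and a non-zero `dtime`, i.e. a deleted file whose creation, modification and deletion times are all still readable. On a real image the inode content comes from the inode table of the block group; the offsets and decoding are the same.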

3. APFS (Apple File System – macOS, iOS)

  • Default file system for Apple devices since macOS High Sierra.

  • Uses copy-on-write → Keeps snapshots of old data when files are modified.

  • Forensic interest areas:

    • Snapshots → Reveal past versions of files.

    • Encryption keys → Each volume may use different keys.

    • Metadata → Tracks file access history.


🔎 What Investigators Look For

  • Deleted files: Can often be recovered from slack space or unallocated clusters.

  • Timestamps: Help reconstruct timelines of user activity.

  • Hidden storage: Malware or criminals may hide data in ADS or unused partitions.

  • Encryption evidence: Detect whether whole-disk encryption (BitLocker, FileVault) was used.

  • File signatures: Compare file headers to extensions to detect tampering.
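The last item, comparing a file's header with its extension, is simple enough to show end to end. The code below is an added example, not from the original post: a small signature table (magic bytes at a known offset, plus the extensions that legitimately carry them), a classifier that reports `ok`, `mismatch` or `unknown`, and a triage pass over constructed sample headers (no real files are read). It generalizes the page's point slightly by handling signatures that do not sit at offset 0, such as `ustar` in tar archives and `CD001` in ISO images, which a naive "first bytes" check misses.

```python
# name: (offset of the magic, magic bytes, extensions that legitimately carry it)
SIGNATURES = {
    "JPEG": (0, b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "PNG": (0, b"\x89PNG\r\n\x1a\n", {"png"}),
    "GIF": (0, b"GIF8", {"gif"}),
    "PDF": (0, b"%PDF-", {"pdf"}),
    "ZIP container": (0, b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    "OLE2 (legacy Office)": (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),
    "PE executable": (0, b"MZ", {"exe", "dll", "sys", "scr", "cpl"}),
    "ELF executable": (0, b"\x7fELF", {"", "so", "bin"}),
    "gzip": (0, b"\x1f\x8b", {"gz", "tgz"}),
    "SQLite 3": (0, b"SQLite format 3\x00", {"db", "sqlite", "sqlite3"}),
    "tar (ustar)": (257, b"ustar", {"tar"}),
    "ISO 9660": (0x8001, b"CD001", {"iso"}),
}
HEADER_BYTES = 0x8008   # read this much from the start of a file to cover every offset above


def extension_of(filename):
    """Lower-cased extension; dot-files such as .bashrc have none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base[1:] else ""


def identify(header):
    """Names of every signature whose magic appears at its expected offset."""
    return [name for name, (off, magic, _) in SIGNATURES.items()
            if header[off:off + len(magic)] == magic]


def check_file(filename, header):
    """Return (verdict, extension, detected types).  'mismatch' means the header
    is a known type that the extension should not carry; 'unknown' means no
    signature in the table matched, which is worth a second look on its own."""
    ext = extension_of(filename)
    kinds = identify(header)
    if not kinds:
        return "unknown", ext, kinds
    verdict = "ok" if any(ext in SIGNATURES[k][2] for k in kinds) else "mismatch"
    return verdict, ext, kinds


def triage(files):
    """Run the check over (name, header) pairs and keep only what needs attention."""
    flagged = []
    for name, header in files:
        verdict, _, kinds = check_file(name, header)
        if verdict != "ok":
            flagged.append((name, verdict, kinds))
    return flagged


SAMPLE_FILES = [  # constructed headers, not real files
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),  # PE renamed .jpg
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("backup.tar", b"file.txt".ljust(257, b"\x00") + b"ustar\x0000" + b"\x00" * 200),
    ("notes.txt", b"meeting notes, nothing binary here\n"),
]

if __name__ == "__main__":
    for name, verdict, kinds in triage(SAMPLE_FILES):
        print(f"{name:12} {verdict:9} {', '.join(kinds) or '-'}")
```

On the sample set, `triage` flags `holiday.jpg` (a PE header behind an image extension) and `notes.txt` (no recognised signature, which is normal for plain text but still worth confirming). In practice the table is much larger and is usually driven by a tool such as `file` or a forensic suite's signature database; the logic of reading a bounded header and comparing against offset-aware magics is the same.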


🧪 Real-World Example

In a fraud investigation, forensic experts recovered crucial evidence from an NTFS volume where the suspect had deleted spreadsheets. Using MFT records and slack space analysis, investigators restored parts of the deleted files and built a timeline proving financial manipulation.


✅ Conclusion

File system forensics is a cornerstone of digital investigations. Whether it’s NTFS, EXT4, or APFS, each file system leaves unique traces that can expose hidden activities. For investigators, understanding these differences can mean the difference between a dead end and a breakthrough in a case.

Mrityunjay Singh
Author
