File Systems - AboutDFIR - The Definitive Compendium Project

File Systems Artifacts

File System	Artifact	Resource Link
FAT32	File Carving	FAT32 File Carving
HFS+		MacOS File Movements
HFS+		HFS+ Overview
NTFS	$I30 Files	13Cubed - Windows NTFS Index Attributes ($I30 Files)
NTFS	$I30 Files	$I30 Parsers Output False Entries. Here's Why - RAT in Mi Kitchen
NTFS	$J	USN Journal: Where have you been all my life
NTFS	$J	The Windows USN Journal
NTFS	$J	Carving $USN journal entries
NTFS	$J	13Cubed - NTFS Journal Forensics
NTFS	$J	Investigating USN Journal - Forensafe
NTFS	$MFT	Parsing the $MFT NTFS metadata file
NTFS	$MFT	Resolving File Paths Using The MFT - RAT in Mi Kitchen
NTFS	$MFT	Bring Out The Body File - TrustedSec
NTFS	$Security	Exploring Windows Artifacts : $Security Artifact
NTFS	Alternate Data Streams	[CQURElabs] Alternate Data Streams
NTFS	Alternate Data Streams	Alternate Data Streams (ADS)
NTFS	MACB Timestamps	13Cubed - Windows MACB Timestamps (NTFS Forensics)
NTFS	NTFS Attributes	$STANDARD_INFORMATION vs. $FILE_NAME
NTFS	NTFS Attributes	What I wish someone had told me when I started learning about File System Forensics
NTFS	Short File Names	Deceptive NTFS short file names
NTFS		The “\$Extend\$Deleted” directory
NTFS/FAT32/exFAT	Timestamps	Filesystem Timestamps: What Makes Them Tick?
Various	Master Boot Record	Beginning File System Forensics - learning about the disk and the Master Boot Record (MBR)

File Systems Tools

Tool	Description
Active Disk Editor	BtrFS SuperBlock, exFAT, Ext2/Ext3 Superblock, NTFS, ReFS, XFS
X-Ways
MFTECmd
INDXParse
KAPE
ISO Buster	CD, DVD, Blu Ray, UDF, ISO9660, Joilet, IFO, BUP, VOB file systems