Understanding File Systems: NTFS vs FAT32 Forensics
The file system is the roadmap of digital evidence. It dictates how data is stored, retrieved, and deleted. For a forensic investigator, understanding the nuances of different file systems is critical for recovering deleted data and interpreting timestamps. In this article, we compare two of the most common file systems: NTFS (New Technology File System) and FAT32 (File Allocation Table).
FAT32: The Legacy Standard
FAT32 is an older file system, but it remains ubiquitous due to its broad compatibility across Windows, macOS, and Linux. It is commonly found on USB flash drives and SD cards.
Key Forensic Characteristics
- File Allocation Table (FAT): The core structure. It acts as a linked list mapping clusters to files. If the FAT is corrupted, data recovery becomes significantly harder.
- Directory Entries: Store file metadata like name, starting cluster, and timestamps.
- Timestamps: FAT32 stores three timestamps, each with a different resolution:
  - Creation Time (10 ms resolution)
  - Modification Time (2-second resolution)
  - Last Access Date (date only, no time)
- Deletion: When a file is deleted, the first character of the filename in the directory entry is replaced with 0xE5, and the file's FAT entries are zeroed out, so the cluster chain (and with it the order of a fragmented file's clusters) is lost. The data itself remains in the clusters until overwritten.
NTFS: The Windows Powerhouse
NTFS is the default file system for modern Windows operating systems. It is robust, supports large files, and includes advanced features like permissions and journaling.
Key Forensic Characteristics
- Master File Table (MFT): The heart of NTFS. Every file on the volume has an entry (record) in the MFT. Small files (resident files) are stored entirely within the MFT record itself, making them very fast to access and easy to recover.
- Timestamps ($STANDARD_INFORMATION & $FILE_NAME): NTFS stores two sets of timestamps, one in each of these attributes, and each set holds four values (often abbreviated MACE):
  - Creation (C)
  - Modification (M)
  - MFT Entry Modification (E)
  - Access (A)
- Alternate Data Streams (ADS): A feature allowing additional named data streams to be attached to a file, effectively hiding data "behind" it, since standard directory listings show only the primary stream. Malware often uses ADS to hide its payload.
- Journaling ($LogFile): NTFS logs metadata changes, which can be invaluable for reconstructing events leading up to a crash or malicious deletion.
Forensic Comparison
| Feature | FAT32 | NTFS |
|---|---|---|
| Max File Size | 4 GB | 16 EB |
| Timestamp Precision | Low (2 s for modification) | High (100 ns) |
| Deleted Data Recovery | Fair (linked list lost) | Good (MFT entry marked) |
| Metadata Storage | Directory Entries | MFT Records |
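To make the structures compared above concrete, here is an added Python example (not code from the original article) that parses a FAT32 short-name directory entry, flags the 0xE5 deletion marker, decodes its 10 ms / 2 s / date-only timestamps, and converts an NTFS FILETIME (100 ns ticks since 1601) for comparison. The sample entry bytes are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

DELETED_MARKER = 0xE5  # first byte of a FAT directory entry once the file is deleted

def fat_datetime(date16, time16, tenths=0):
    """Decode FAT packed date/time (2 s resolution) plus an optional 10 ms tenths byte."""
    year, month, day = 1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F
    hour, minute, second = time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=10 * tenths)

def parse_dir_entry(raw):
    """Parse a 32-byte FAT32 short-name directory entry (field layout per the FAT specification)."""
    if len(raw) != 32:
        raise ValueError("FAT directory entry must be exactly 32 bytes")
    (name, ext, attr, _ntres, crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = name[0] == DELETED_MARKER
    # The overwritten first character is unrecoverable from the entry itself; mark it with '?'.
    base = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
    return {
        "deleted": deleted,
        "name": base + "." + ext.decode("ascii").rstrip(),
        "attributes": attr,
        "start_cluster": (clus_hi << 16) | clus_lo,  # first cluster survives deletion
        "size": size,
        "created": fat_datetime(crt_date, crt_time, crt_tenth),  # 10 ms resolution
        "modified": fat_datetime(wrt_date, wrt_time),            # 2 s resolution
        "accessed": fat_datetime(acc_date, 0).date(),            # date only
    }

def filetime_to_datetime(filetime):
    """Decode an NTFS $STANDARD_INFORMATION / $FILE_NAME timestamp: 100 ns ticks since 1601-01-01 UTC."""
    # datetime carries only microseconds, so the final 100 ns digit is truncated here.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

# Constructed sample: "REPORT.DOC", archive attribute, first cluster 0x123, 4096 bytes,
# created 2023-05-14 13:37:31.50 (tenths byte = 150) and last written 13:40:00.
SAMPLE_ENTRY = struct.pack("<8s3sBBBHHHHHHHI", b"REPORT  ", b"DOC", 0x20, 0, 150,
                           0x6CAF, 0x56AE, 0x56AE, 0, 0x6D00, 0x56AE, 0x0123, 4096)
DELETED_ENTRY = bytes([DELETED_MARKER]) + SAMPLE_ENTRY[1:]  # the same entry after deletion

if __name__ == "__main__":
    for entry in (SAMPLE_ENTRY, DELETED_ENTRY):
        print(parse_dir_entry(entry))
    print(filetime_to_datetime(116444736000000000))  # the Unix epoch expressed as a FILETIME
```

Note how the deleted entry still yields the starting cluster and size, which is what makes carving the first fragment feasible even though the FAT chain is gone.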
Conclusion
While NTFS offers superior features and richer forensic artifacts (like the MFT and high-precision timestamps), FAT32 is still encountered frequently in portable media. A competent digital investigator must be fluent in the structures of both to effectively locate and interpret evidence.
Master File Systems with Project Revelare
Our advanced guides cover file system analysis in depth, with hands-on exercises to practice MFT parsing and FAT traversal.