Forensic Examination of Windows-Supported File Systems
暫譯: Windows 支援檔案系統的取證檢查

Understanding the underlying system of how files are stored, what happens when they are deleted, and how to potentially recover them is essential to the digital forensic examiner. Today’s computer forensic tools automate the process of file recovery, but understanding what those tools are accomplishing and knowing whether they are providing accurate results requires an understanding of the information provided in this text. The FAT and NTFS file systems are the most commonly utilized information storage methods and while there are many other methods available, concentrating on these two lays the foundation for learning the others in the future. A brief introduction of ExFAT is included, as it is a relatively new file system used with larger flash drives. Forensic Examination of Windows-Supported File Systems will provide the basis for this knowledge and the practical expertise to begin the journey of becoming a digital forensic scientist.