Operating Systems, Boot Process and File Systems

Your journey to becoming a forensic professional starts here.

Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.

Start Free Mock Test Create Your Account

Operating Systems, Boot Process and File Systems | ForensicSpot

An operating system is the layer that schedules processes, manages RAM and virtual memory, owns the file system, and brokers every I/O request from user-space to hardware. The forensic examiner sees the OS through its persistent artifacts: partition tables (MBR or GPT), file system structures (FAT, exFAT, NTFS, ext2/3/4, HFS+, APFS), the journal that records changes-in-flight, and the metadata each file carries (MAC timestamps, attributes, permissions). The boot process starts in firmware (BIOS or UEFI), is gated by Secure Boot and TPM 2.0 measurements on modern Windows and Linux installs, and hands off to a bootloader that loads the kernel into RAM. Every step writes evidence: UEFI variables, bootloader logs, kernel ring buffer, file-system journal entries. A trained examiner reads them in that order.

The point the working examiner sees, and the contrarian point most candidates miss, is that the file system is not just "where files live." It is a transactional ledger with its own journal, its own time model, and its own definition of "deleted." On NTFS, a deleted file's MFT entry typically still exists; on ext4, the inode is cleared but extents may remain in the journal; on APFS, the deletion may be reversible through a snapshot the OS still has. The hidden zones (slack space, page file, hibernation file, $Recycle.Bin, Volume Shadow Copy on Windows; swap and ~/.Trash on Linux and macOS) hold data the user thinks is gone. Hardware (covered in Computer Hardware Fundamentals) only sets the upper bound. The OS decides what is actually there.

Key terms

Kernel space vs user space: Kernel space is the privileged execution mode where the OS schedules processes, drives hardware and enforces memory protection. User space is the unprivileged mode where applications run. A user-space process must syscall into the kernel for every file or network operation.
MBR vs GPT: Master Boot Record is the legacy partition table at LBA 0, limited to 4 primary partitions and 2 TiB. GUID Partition Table is the UEFI-era replacement, supporting around 128 partitions, GUID identifiers, a backup at the end of the disk, and CRC checksums.
Journal (file-system): A circular log of file-system changes that allows recovery after a crash. NTFS keeps $LogFile, ext3/ext4 keep a dedicated journal block, APFS uses copy-on-write rather than a classical journal.
MAC timestamps: Modified, Accessed, and Changed or Created times. Different file systems use the letters differently: on POSIX it is mtime, atime, ctime (change time); on NTFS it is Modified, Accessed, Created, and MFT-Modified.
File slack: The unused space at the tail of the last cluster of a file. It can contain remnants of whatever previously occupied that cluster, including parts of older deleted files. Examined directly with Autopsy or EnCase.
Volume Shadow Copy: Windows' snapshot mechanism (VSS). Creates point-in-time copies of files and folders. A goldmine for examiners because users rarely know it exists and Windows often preserves data that the user thought was overwritten.

What the OS does, and the OS taxonomy an examiner is expected to know

Five jobs, five families, one set of artifacts.

The OS has five jobs an examiner is expected to name without hesitation: process scheduling, memory management (including virtual memory and paging), file-system management, I/O management, and security or access control. Each job produces forensic artifacts. Process scheduling writes prefetch entries and event-log records (covered later under Windows Forensic Artifacts). Memory management writes a page file or swap file that the examiner can image. File-system management writes the journal entries the lab will replay. I/O management writes device installation logs (USB sticks plugged in, printers attached). Security or access control writes login records.

The kernel-versus-user-space distinction matters because anti-forensic and rootkit techniques live or die on whether they can run kernel-mode code. A kernel rootkit can hide files from a user-mode tool like Windows Explorer; it cannot hide them from a raw disk image read offline. This is the central justification for the dead-disk imaging workflow in Indian forensic SOPs.

The five OS families a digital forensic examiner sees in Indian field practice:

Windows. Dominant on government and corporate desktops, the bulk of laptop fleet. Versions 10 and 11 are the working population in 2026; Windows 7 and XP still appear on legacy industrial control kit. NTFS is the default file system.
Linux. Server-room dominant; rising on developer laptops. Ubuntu and RHEL derivatives are common; ext4 is the default file system. Indian government cloud (MeghRaj) infrastructure is heavily Linux.
macOS. Workstation and creative-shop population, smaller in India than in the West but growing in tier-1 cities. APFS replaced HFS+ as default in 2017.
Android. The mobile bulk. Linux kernel, custom user space, ext4 or F2FS on the data partition. Covered in detail in Module 6.
iOS. Apple's mobile OS, BSD-derived kernel, APFS file system. Acquisition is its own specialty.

The boot process: POST to kernel

Six stages, each with its own forensic artifact.

The boot process is the sequence the machine runs from power-on to a usable OS. Every stage writes evidence. Knowing the stages in order is what lets an examiner pick the right artifact to support a particular timeline question.

POST and firmware init
Power-On Self Test inside BIOS or UEFI. Inventories DRAM, runs CPU microcode, enumerates PCIe and USB. UEFI writes a boot log to NVRAM that survives power-off; older BIOS does not.
Firmware boot device selection
UEFI reads its boot-order list from NVRAM and picks the first available device. With Secure Boot on, the firmware verifies the bootloader signature against keys in the UEFI key store before handover.
Partition table read
Firmware reads LBA 0. If the disk is MBR, the firmware executes the 446-byte boot code in the MBR. If the disk is GPT, the firmware reads the EFI System Partition directly and looks for a signed EFI binary listed in NVRAM. The partition table itself is forensic evidence.

MBR vs GPT, and what each tells the examiner

The partition table is the first thing the lab reads.

When an imaged disk lands on the examiner's bench, the first byte range read is the partition table. On an MBR disk, that is LBA 0: 446 bytes of boot code, then a 64-byte partition table (4 entries of 16 bytes each), then the 0x55AA signature. On a GPT disk, LBA 0 holds a protective MBR (a single dummy entry covering the disk) for backwards compatibility, then LBA 1 holds the GPT header, and a backup GPT sits at the end of the disk.

Property	MBR	GPT
Year established	1983 (IBM PC DOS 2.0)	2010 (UEFI 2.0)
Disk size limit	2 TiB	Around 9.4 ZB
Primary partitions	4 (more via extended)	Around 128 by default
Partition identifier	1-byte type code	16-byte GUID
Header integrity	No checksum	CRC32 on header and entries
Backup table	None	Mandatory backup at end of disk

File systems in depth: FAT, exFAT, NTFS, ext, APFS

Where each one keeps its records and what survives deletion.

The forensic examiner has to know each major file system at the structure level, not just the name. The differences decide what tools to use, what is recoverable, and what evidence the courtroom will see.

FAT12 / FAT16 / FAT32

The original DOS file system, still used on small USB sticks, SD cards, and the EFI System Partition on every UEFI Windows install. The structure is a Boot Sector, two copies of the File Allocation Table, the Root Directory (on FAT12 / FAT16) or a regular cluster chain (on FAT32), and the data area. Deleted files are marked by replacing the first character of the directory entry with 0xE5; the rest of the entry, including the starting cluster, is preserved. This is why FAT is the textbook "easy to recover" file system: the directory entry tells the examiner where the file was, and the data clusters are often intact until reused.

exFAT

Microsoft's extension of FAT for large flash media (SDXC cards, large USB drives). Same general structure as FAT32, no journaling, supports files over 4 GiB. exFAT is the default file system for SDXC cards. From a forensic recovery standpoint it behaves like FAT.

NTFS

The Windows production file system since Windows NT 3.1. Built around a single special file, the Master File Table ($MFT), which holds one record per file on the volume. Each MFT record is 1024 bytes by default, and contains a set of typed attributes: $STANDARD_INFORMATION (timestamps, attributes), $FILE_NAME (name, parent reference, a second copy of timestamps), $DATA (the file content, either resident in the MFT record for small files or as cluster runs), $INDEX_ROOT and $INDEX_ALLOCATION (for directories, organised as B-trees). The journal lives in $LogFile. The $MFT is also self-describing: record 0 of the MFT is itself, record 5 is the root directory, record 6 is the bitmap of which records are in use, record 8 is the bad-cluster file. An examiner can reconstruct most of an NTFS volume from $MFT alone if the data clusters are intact.

ext2 / ext3 / ext4

The Linux production file systems. ext2 was the original, ext3 added journaling, ext4 added extents, the htree directory index, larger files and volumes, and more accurate timestamps. The structure is built around inodes: every file is one inode, and the inode holds the file's metadata and a list of extents (in ext4) or block pointers (in ext2/3). The journal lives in a reserved inode (typically inode 8). On deletion, the inode is cleared, but the directory entry may still hold the inode number for a window, and the journal often preserves the inode contents long enough for , or the command to find it.

File allocation, slack, and metadata

Three slack spaces, three timestamps, and where the bytes hide.

File allocation on every modern OS happens in clusters (NTFS, FAT) or blocks (ext, APFS). A cluster is a fixed group of sectors. On a 4 KiB-cluster NTFS volume, a 100-byte file occupies one cluster of 4096 bytes, of which only the first 100 are the file's contents. The remaining 3996 bytes are slack, and they hold whatever was in that cluster the last time it was used.

Slack space has three named regions the examiner must distinguish:

File slack. The unused space from the end of the file to the end of the last cluster. On a 4 KiB cluster volume holding a 5000-byte file, the file uses two clusters (8192 bytes); the last 3192 bytes are file slack.
RAM slack. The portion of file slack from the end of the file to the end of the sector. The OS pads writes to the sector boundary with bytes from RAM (historically), which means RAM slack can hold data the kernel had recently touched. On modern Windows, RAM slack is typically zeroed, but legacy images still show meaningful content.
Drive slack. The portion of file slack from the end of the sector to the end of the cluster. Drive slack contains whatever was previously on those sectors and is the most common location for older deleted-file fragments.

The forensic implication: a file system that reports a 100-byte file is sitting on, in the case of a 4 KiB cluster, just under 4 KiB of potentially evidentiary slack. Multiplied across a 1 TB drive with millions of files, slack is a major recoverable surface, and Autopsy, FTK and EnCase all expose slack space as a first-class data source.

Metadata: timestamps, attributes, permissions

Every file carries metadata, and the metadata is what an examiner reasons about for timeline questions.

MAC timestamps. On POSIX (Linux, macOS, BSD) the standard set is mtime (last modify), atime (last access), ctime (last metadata change). On NTFS the set is Modified, Accessed, Created (also called "MFT-Modified" for the fourth, internal time). APFS adds a "first added" time on top of POSIX.
File attributes. System, Hidden, Read-Only, Archive on NTFS and FAT (the legacy DOS attribute set). On NTFS there is also Encrypted, Compressed, and reparse-point.
Permissions. POSIX permissions on ext and APFS (owner / group / other read / write / execute, plus setuid / setgid / sticky). NTFS uses Access Control Lists, where each ACL entry binds a SID to an allow-or-deny mask covering read, write, execute, modify, delete, take ownership and more.

Hidden data zones: slack, swap, hibernation, Recycle Bin, shadow copies

Six places to check before declaring data unrecoverable.

The hidden data zones on a typical Windows workstation, in the order an Indian examiner usually checks them:

$Recycle.Bin. Per-user directory at the volume root. Each deleted item is a paired $I file (metadata: original path, deletion timestamp, original size) and $R file (contents). Until the user empties the Recycle Bin, the file is fully intact under a renamed path.
Volume Shadow Copy Service (VSS). Windows' snapshot system. By default, Windows creates shadow copies before major updates and on a schedule. Mounting a shadow copy as a virtual volume often reveals files the current state has overwritten. vssadmin list shadows enumerates them on a live system; on a dead image, Autopsy and libvshadow expose them.
Page file (pagefile.sys). The on-disk overflow for RAM. Holds pages the OS swapped out. The page file can contain fragments of process memory, including decrypted document content, browser sessions and chat data, that never made it to a deliberately written file. Examined with bulk-extractor and grep across the raw image.
Hibernation file (hiberfil.sys). A compressed image of RAM written when the machine hibernates. Bigger than the page file and contains the kernel state at the moment of hibernation. Volatility can parse hiberfil.sys as if it were a RAM dump.
File and drive slack. As covered in Section 5.
Alternate Data Streams (ADS). NTFS feature that lets a file carry a named secondary data stream (file.txt:hidden.exe). Common anti-forensic location for malware. Autopsy and EnCase enumerate ADS by default.

On Linux, the equivalent set is the swap partition (raw block device, often /dev/sda2 or a swapfile, parseable with strings and bulk-extractor), /tmp and /var/tmp (often cleared at boot, but not always), ~/.Trash or ~/.local/share/Trash, journal blocks in ext4, and snapper or timeshift snapshots on btrfs systems.

On macOS, the relevant zones are the swap files in /private/var/vm/, the ~/.Trash, the APFS snapshots accessible via , and the Keychain (which is itself an SQLite database with a binary-format envelope).

Worked example

The Pune ransomware case: VSS as the prosecution's anchor

A composite that ties shadow copies, file system journal and timestamps together.

A small Pune IT firm reported a ransomware incident: files across a Windows Server 2019 file share encrypted with the .lockd extension, a ransom note in every folder. The local cyber cell took a forensic image of the server's NTFS volume. The defence later argued the encryption had been done by an insider, not by the alleged external actor.

The examiner reconstructed the timeline from three sources. First, the $MFT showed the creation timestamps of the .lockd files clustered in a thirty-minute window. Second, Volume Shadow Copy from two days before the incident still existed on the volume because Windows had not yet pruned it; the shadow copy contained the original, unencrypted files, and the file hashes of the originals matched the de-ransomed copies recovered from a clean backup. Third, the $UsnJrnl change journal recorded the file-rename operations (original to .lockd), each with a USN (Update Sequence Number) and a timestamp. The USNs were contiguous and the timestamps strictly increasing, which is the signature of an automated tool running, not a human renaming files by hand.

The combination, presented in a Section 63 (BSA 2023) certified report, supported the external-actor theory. The defence's insider theory required either tampered Volume Shadow Copies (no evidence of) or a coordinated USN sequence that aligned with the suspect's session times (which the Security event log did not show). Hardware was unremarkable. The case turned on what the OS and the file system had recorded on their own.

Practice

Question 1 of 5· 0 answered

On a Windows 11 NTFS volume, a 100-byte text file is created on an 8 KiB-cluster volume. What is the total amount of slack space associated with this file?

Frequently asked questions

What is the difference between MBR and GPT, and which one will an examiner see in 2026?

MBR is the legacy partition table at LBA 0, limited to four primary partitions and 2 TiB. GPT is the UEFI-era replacement, with around 128 partitions, GUID identifiers, CRC checksums on its headers, and a mandatory backup table at the end of the disk. In 2026, every new Indian-market Windows 11 OEM laptop ships GPT. MBR still appears on legacy government desktops, on small USB sticks, and on installer media in legacy BIOS mode.

What does the NTFS Master File Table actually contain?

The $MFT holds one 1024-byte record per file on the volume. Each record contains a set of typed attributes: $STANDARD_INFORMATION (timestamps, file attributes), $FILE_NAME (name and parent reference), $DATA (the file's content, either resident in the record for small files or as cluster runs), and $INDEX_ROOT / $INDEX_ALLOCATION for directories. The $MFT also describes itself: record 0 is the $MFT, record 5 is the root directory. An examiner can reconstruct most of an NTFS volume from $MFT alone.

What are the three kinds of slack space and why do they matter forensically?

File slack is the unused space from the end of the file to the end of its last cluster. RAM slack is the portion from the end of the file to the end of the sector, historically padded with RAM contents. Drive slack is the portion from the end of the sector to the end of the cluster, and holds whatever was previously stored there. All three are recoverable surfaces; Autopsy, FTK and EnCase expose them as first-class data sources, and they routinely yield deleted-file fragments that the user had no idea were still readable.

Why does APFS make some forensic tasks easier and others harder than HFS+?

Easier because APFS snapshots and Time Machine local snapshots preserve point-in-time copies of the file system, so a recently 'deleted' file is often readable from a snapshot. Harder because APFS is copy-on-write and uses a complex container model with multiple volumes sharing free space, which means traditional file-carving and inode-walking approaches need APFS-aware tools. Magnet AXIOM, Cellebrite Inspector and the open-source apfs-fuse are the working set in 2026.

ls

extundelete

ext4magic

debugfs

lsdel

File system	Default on	Journal / COW	Deletion artifact	Forensic recovery surface
FAT32 / exFAT	USB sticks, SD cards, EFI System Partition	None	Directory entry first byte 0xE5, rest preserved	Directory entry + data clusters until reuse
NTFS	Windows C:	$LogFile journal	MFT record marked unused, $FILE_NAME and $DATA usually intact	$MFT, $LogFile, $UsnJrnl, Volume Shadow Copy
ext4	Linux /	Dedicated journal inode 8	Inode cleared, dirent may persist briefly	Journal replay (extundelete, ext4magic), block scanning
APFS	macOS, iOS	Copy-on-write, no classical journal	Old extents survive until garbage collection; snapshots may hold prior state	APFS snapshots, Time Machine local snapshots, container metadata
HFS+	Pre-2017 macOS, legacy iPods	Optional journal	Catalog file entry marked unused	Catalog file + journal replay

tmutil listlocalsnapshots