One Partition N File Systems
Let’s start by establishing some ground rules. A file system is just a data structure. It is not software. It only defines how files should be saved. Kernel/User level drivers are written to implement file systems. Just as one would use, say linked lists to keep track of items in the to-do lists.
For the most part, we are used to looking at a 1-1 relationship between partitions and file systems. Most of the file system forensic software seem to make a similar assumption. However, it is possible to have multiple file systems in a single partition.
How do we do it? Let us see an example: For this example, let us take a look at NTFS & FAT32 file systems due to their flexible nature.
How?
The main idea is to use one file system as the host while the other one as the guest file system. Additionally, we used the options to mark specific blocks as “allocated” or “damaged” to protect areas in the partition that could potentially cause conflicts if they were written.
In this scenario, NTFS is the host file system, while FAT32 is the guest file system.
- Boot sectors of both NTFS & FAT32 are compared manually using Hex Editor.
- Important data bytes are identified.
- Boot sector of FAT32 is super-imposed on the boot sector of NTFS.
Following images will show what this combined boot sector looks like:
Why?
To confuse forensic examiners and digital forensics software. While a computer may interpret these file systems normally, it will be difficult for the file systems to parse the file systems since they will not understand which parser should be run. Assuming one file system per partition will make things difficult.
For more information on this topic, please read the linked research paper below ^.^