Forensics: Using FAT32 disks?

Quite a few of those in IT forensics use FAT32 formatted disks, for several reasons:

Many USB drives come preformatted with FAT32, and more than a few computer forensics individuals are fans of Linux (and rightly so), so FAT32 is a popular choice for file systems, as it can move between Linux and Windows easily.

But is this a good idea?

When files are moved or copied (e.g. with RoboCopy) between NTFS and FAT32, information is lost, due to the way FAT32 and NTFS store information. FAT32 rounds times to the nearest 2 seconds, NTFS to the nearest 100 nanoseconds, i.e. FAT32 is less accurate.

If an image is stored on a FAT32 file system, this does not present a problem; but if loose files are copied, e.g. from an NTFS volume onto a FAT32 formatted hard drive via RoboCopy or the like, there will be an error.

With server collections often being conducted via RoboCopy, or similar collection methods, due to the huge data sizes involved, this is likely to happen. But does it matter?

In an industry where people are concerned about attacks on hash values, then yes. But it's only a 2 second error, and it's a known error. Then again, it's easily avoided.

In short, if it's happened previously, it can be explained away and is unlikely to cause problems in the courts, and if no image is required it's unlikely that an accuracy of greater than 2 seconds is required. But, in the future, it's probably best to RoboCopy out to NTFS rather than FAT32 (from NTFS), just to be on the safe side.
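
For a collection that has already gone out to FAT32, the known error can be documented rather than just asserted. The following is an added example, not part of the original post: it packs an NTFS time into the FAT date/time words and sorts each copied file's modification time into exact, explained by FAT32 granularity, or genuinely different. All function names and sample values are constructed; it assumes the sub-2-second part is truncated and that both times are expressed in the same time zone.

```python
from datetime import datetime, timedelta

NTFS_EPOCH = datetime(1601, 1, 1)
TICKS_PER_SEC = 10_000_000           # NTFS FILETIME counts 100 ns ticks
FAT_STEP_TICKS = 2 * TICKS_PER_SEC   # FAT32 write time moves in 2 s steps

def datetime_to_ticks(dt):
    """Whole 100 ns ticks since 1601-01-01 (NTFS FILETIME)."""
    return ((dt - NTFS_EPOCH) // timedelta(microseconds=1)) * 10

def fat_pack(ticks):
    """Pack a FILETIME into the FAT 16-bit date and time words.
    Assumption: the sub-2-second part is truncated; a given driver
    or copy tool may round the other way."""
    dt = NTFS_EPOCH + timedelta(microseconds=ticks // 10)
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time

def fat_unpack(date, time):
    """Decode FAT date and time words back to a datetime."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def classify(src_ticks, dst_ticks):
    """Compare the original and the copied modification time."""
    delta = abs(src_ticks - dst_ticks)
    if delta == 0:
        return "exact"
    # Explained by FAT32 only if the copy sits on a 2 s boundary
    # and is no more than one step away from the original.
    if delta <= FAT_STEP_TICKS and dst_ticks % FAT_STEP_TICKS == 0:
        return "fat-granularity"
    return "mismatch"

def audit(rows):
    """rows: (name, source ticks, copy ticks) -> (name, verdict)."""
    return [(name, classify(s, d)) for name, s, d in rows]

# Constructed sample: one source time, three possible copies.
SRC = datetime_to_ticks(datetime(2013, 5, 14, 10, 22, 33, 123456)) + 7
SAMPLE = [
    ("ntfs_copy.doc", SRC, SRC),
    ("fat32_copy.doc", SRC, datetime_to_ticks(fat_unpack(*fat_pack(SRC)))),
    ("altered.doc", SRC, SRC + 5 * TICKS_PER_SEC),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE):
        print(f"{name}: {verdict}")
```
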

