File System Mac Windows Compatible



If you have an external hard drive or USB flash drive that you'd like to use on both Macs and Windows PCs, choosing the right file system to format the drive can be confusing. Learn a few ways to make your drive Mac and PC friendly.

  • What is currently the best file system to use for drives that are regularly accessed (both reading and writing) from both Windows and OS X on a single machine using BootCamp? The most important points are stability and speed. I've been using NTFS so far, coming from a Windows background.
  • Two file systems compatible with Mac and Windows: NTFS is the default file system for the Windows operating system and HFS for the Mac operating system. If you want to make your drive compatible with Mac and Windows, you need to format it with a common file system for Mac and Windows.
  • Requires third party software to allow for any access under Windows or Mac OS X. Third party software tends only to support ext2 resulting in extra file system checks (and these are slow). Advantages: Works natively and perfectly on Mac OS X. Works natively and perfectly on Linux (without journalling).

Need to access or transfer files between Mac and PC? As simple as this task sounds, it's not very straightforward for inexperienced users. Since Mac OS X and Windows use totally different file systems, the way a drive is formatted can determine what type of computer it will work with. In fact, there are four ways you can format an external or USB flash drive to achieve varying degrees of compatibility between Macs and PCs. Let's take a look at them:

HFS+

Mac OS X's native file system is HFS+ (also known as Mac OS Extended), and it's the only one that works with Time Machine. But while HFS+ is the best way to format drives for use on Macs, Windows does not support it. If you're only going to be using your external or USB flash drive with certain PCs – such as at home or the office – you might be interested in a program called MacDrive. When you install MacDrive on a Windows PC, it will be able to seamlessly read & write to HFS+ drives. This isn't a good solution if you need your drive to work on any PC without installing software, though.

NTFS

The native Windows file system is NTFS, which is only partially compatible with Mac OS X. Macs can read files on NTFS drives, but they cannot write to them. So if you need to get files from a PC to your Mac, NTFS is a decent option. However, you won't be able to move files in the other direction, from Mac to PC.

Windows' default NTFS is read-only on OS X, not read-and-write, and Windows computers can't even read Mac-formatted HFS+ drives. FAT32 works for both OSes, but has a 4GB size limit per file, so it.

FAT32

The most universally supported way to format your drive is with the FAT32 file system. It works with all versions of Mac OS X and Windows. Case closed, right? Well, not so fast. Unfortunately, FAT32 is a very old file system and has some technical limitations. For example, you cannot save files that are larger than 4GB on a FAT32-formatted drive. This is a deal-breaker if you work with huge files. The other limitation is the total size of the partition. If you format your FAT32 drive in Windows, the drive partition cannot be larger than 32GB. If you format it from a Mac running 10.7 Lion, the drive partition can be up to 2TB. Much better, except for that pesky 4GB limit.

exFAT

The exFAT file system eliminates the two major deficiencies of FAT32: the largest partition and file sizes it supports are virtually unlimited by today's standards. Awesome, it's perfect! Almost… since exFAT is fairly new, it isn't compatible with older Macs and PCs. Any Mac running 10.6.5 (Snow Leopard) or 10.7 (Lion) supports exFAT, while PCs running Windows XP SP3, Windows Vista SP1, and Windows 7 are compatible. If you know you'll be using computers running updated versions of these operating systems, exFAT is the clear best choice.

Format a drive using Disk Utility on a Mac

  1. Launch Disk Utility (Applications > Utilities).
  2. Select your external hard drive or USB flash drive from the list on the left.
  3. Click on the Erase tab. Select the format – Mac OS Extended (HFS+), MS-DOS (FAT32), or exFAT – then name the drive.
  4. Click the Erase button and the drive will start formatting. Be aware that formatting a drive deletes all of the files on it, so back up anything important before completing this step.

Format a drive using Windows

  1. Go to Computer (or My Computer in Windows XP).
  2. Select your drive from the list and right-click on it. Choose Format from the contextual menu.
  3. A window will pop up where you can choose the format – NTFS, FAT32, or exFAT. Make sure the allocation unit size is set to default and type in a volume label.
  4. Click Start to format the drive.

Essential information during timeline analysis

During a forensic analysis, especially during timeline analysis, you deal with MAC timestamps, so it's important to know and understand the concept of time resolution.

The MAC(b) times are derived from file system metadata and they stand for:

  • Modified
  • Accessed
  • Changed ($MFT Modified)
  • Birth (file creation time)

The (b) is in parentheses because not all file systems record a birth time.

Where are they stored?

In two attributes, $STANDARD_INFO and $FILE_NAME:

$STANDARD_INFO

$STANDARD_INFO ($SI) stores file metadata such as flags, the file SID, the file owner and a set of MAC(b) timestamps.

The $STANDARD_INFO timestamps are the ones collected by Windows Explorer, fls, mactime, timestomp, find and the other utilities that display timestamps.

$FILE_NAME

The $File_Name attribute contains forensically interesting bits, such as MACB times, file name, file length and more.

Timestamps are only updated when the attribute is changed.

Files can have either one or two $File_Name attributes depending on how long the file name is:

  • Short file names ('file.txt') have only one $File_Name attribute.
  • Long file names ('extremelylongfilename.txt') have two $File_Name attributes: one for the long file name, and one for the DOS-compatible short name (EXTRE~1.TXT).

What are the differences?


  • $STANDARD_INFO can be modified by user level processes like timestomp.
  • $FILE_NAME can only be modified by the system kernel. (There are no known anti-forensics utilities that can accomplish this.)

Time Rules

There are general rules when it comes to files being moved, copied, accessed or created.
Each operation alters different metadata; here is a table of time rules related to $STANDARD_INFORMATION:

While examining the $FILE_NAME timestamps the rules are pretty different:

How to detect Anti-Forensics Timestamp Anomalies?


Tools such as timestomp allow attackers to backdate a file to an arbitrary time in order to hide it in system32 or other similar directories.


So, during analysis you can use analyzeMFT.py in order to check if the $FILE_NAME time occurs after the $STANDARD_INFORMATION Creation Time.

If this anomaly occurs, it is likely that an attacker has altered the timestamps in $STANDARD_INFO using timestomp.
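The check described above, as an added example that is not from the original page or from analyzeMFT: it reads the resident $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30) attributes from a raw MFT record and reports every $FILE_NAME whose creation time is later than the $STANDARD_INFORMATION creation time. The function names are hypothetical, the sample record is constructed inline, and update-sequence fixups are assumed to be already applied.

```python
import struct
from datetime import datetime, timezone

EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01

def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME (100 ns ticks since 1601)."""
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DELTA

def parse_times(record):
    """Return ($SI times, [(name, $FN times), ...]); times are (B, M, C, A) FILETIMEs."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    si, fns = None, []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:           # end marker / corrupt length
            break
        if record[off + 8] == 0 and atype in (0x10, 0x30):   # resident $SI or $FN
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            if atype == 0x10:
                si = struct.unpack_from("<4Q", record, body)
            else:   # $FN: 8-byte parent reference precedes the four timestamps
                nlen = record[body + 64]
                name = record[body + 66: body + 66 + 2 * nlen].decode("utf-16-le")
                fns.append((name, struct.unpack_from("<4Q", record, body + 8)))
        off += alen
    return si, fns

def timestomp_suspects(record):
    """Names of $FN attributes created later than the $SI creation time."""
    si, fns = parse_times(record)
    return [name for name, t in fns if si and t[0] > si[0]]

# --- constructed sample record (not real evidence) ---
def make_attr(atype, content):
    pad = -len(content) % 8   # attributes are 8-byte aligned
    return struct.pack("<IIBBHHHIHH", atype, 24 + len(content) + pad, 0, 0, 0x18,
                       0, 0, len(content), 0x18, 0) + content + b"\x00" * pad

def build_record(si_birth, fn_birth, name="example.dll"):
    si = struct.pack("<4Q", *[to_filetime(si_birth)] * 4) + b"\x00" * 16
    fn = (b"\x00" * 8 + struct.pack("<4Q", *[to_filetime(fn_birth)] * 4)
          + b"\x00" * 24 + bytes([len(name), 1]) + name.encode("utf-16-le"))
    head = b"FILE" + b"\x00" * 0x10 + struct.pack("<H", 0x38) + b"\x00" * 0x22
    return head + make_attr(0x10, si) + make_attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)

if __name__ == "__main__":
    utc = timezone.utc
    rec = build_record(datetime(2009, 7, 14, tzinfo=utc), datetime(2021, 3, 2, tzinfo=utc))
    print(timestomp_suspects(rec))
```

A hit is a lead to corroborate with other artifacts, since the anomaly only makes tampering likely.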
