CCNA CyberOps SECOPS – Objective 1.4

Define these items as they pertain to the Microsoft Windows file system: FAT32, NTFS, Alternative Data Streams, MACE, EFI, Freespace, Timestamps on a filesystem

Implementing Cisco Cybersecurity Operations (210-255)
  • FAT32: A file system that uses a file allocation table (FAT) to store pointers to the files in the file system. It is an evolved version of FAT and FAT16. It uses 32 bits to address the files.
  • NTFS: The New Technology File System, a journaling file system that stores information about files in the Master File Table (MFT), which is itself a file named $MFT.
  • Alternative Data Streams (ADS): Originally developed to allow NTFS to store extra information related to Apple HFS, ADS can be exploited by attackers as a covert place to store files. A basic example can be found on the OWASP page.
  • MACE: Modify, Access, Create and Entry Modified timestamps.
  • EFI: The Extensible Firmware Interface file system is used by UEFI to store files for booting the system.
  • Freespace: The unused sectors on a disk that are marked as free by the filesystem.
  • Timestamps: See MACE.
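
To make the MACE definition concrete, the following added example (not part of the original notes) decodes the four timestamps from the body of an NTFS $STANDARD_INFORMATION attribute. It assumes the standard on-disk layout, which these notes do not cover: four 8-byte little-endian FILETIME values stored in the order Create, Modify, Entry Modified, Access. The function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed on-disk order of the timestamps in $STANDARD_INFORMATION.
SI_ORDER = ("Create", "Modify", "Entry Modified", "Access")
MACE_ORDER = ("Modify", "Access", "Create", "Entry Modified")


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def parse_mace(si_body):
    """Return the four timestamps, keyed and ordered as in the MACE acronym."""
    if len(si_body) < 32:
        raise ValueError("need at least 32 bytes of $STANDARD_INFORMATION")
    ticks = struct.unpack_from("<4Q", si_body, 0)
    stored = dict(zip(SI_ORDER, map(filetime_to_datetime, ticks)))
    return {name: stored[name] for name in MACE_ORDER}


# Constructed sample (not from a real volume): Create=Jan 1, Modify=Jan 2,
# Entry Modified=Jan 3, Access=Jan 4, all in 2020 at 00:00 UTC.
SAMPLE = struct.pack(
    "<4Q",
    *(datetime_to_filetime(datetime(2020, 1, day, tzinfo=timezone.utc))
      for day in (1, 2, 3, 4)),
)

if __name__ == "__main__":
    for name, stamp in parse_mace(SAMPLE).items():
        print(f"{name:15} {stamp.isoformat()}")
```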