File system metadata records the most recent file actions, such as creation, access, and change dates. To find objects of considerable forensic value, a digital investigation examines system information and metadata and performs chronology analysis.
Hard disks and file systems are the primary sources of data storage, so understanding them is critical when investigating a computer-based crime. Retrieving deleted files from hard disks and studying file systems are central parts of such an investigation.
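The chronology analysis described above can be illustrated with the following added example, which is not part of the original page: it walks a directory tree, reads each file's timestamps from file system metadata, and merges them into one sorted timeline. The function names and the two sample files are constructed for this illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

def file_events(path):
    """Yield (epoch_seconds, label, path) for each timestamp lstat exposes."""
    st = os.lstat(path)  # lstat: never follow symlinks out of the evidence tree
    yield st.st_mtime, "modified", path
    yield st.st_atime, "accessed", path
    # On Unix, st_ctime is the inode (metadata) change time, not creation time.
    yield st.st_ctime, "changed", path
    birth = getattr(st, "st_birthtime", None)  # exposed only on some platforms
    if birth is not None:
        yield birth, "created", path

def build_timeline(root):
    """Collect timestamp events for every file under root, oldest first."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            try:
                events.extend(file_events(os.path.join(dirpath, name)))
            except OSError:
                continue  # entry vanished or is unreadable: skip it
    return sorted(events)

def format_event(event):
    """Render one event as 'UTC timestamp  label  path'."""
    ts, label, path = event
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp}  {label:<8}  {path}"

def demo():
    """Constructed sample: two files with known (atime, mtime) values."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    samples = {"report.txt": (1_600_000_000, 1_500_000_000),
               "notes.txt": (1_550_000_000, 1_400_000_000)}
    for name, times in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, times)  # set access and modification times explicitly
    return root, build_timeline(root)

if __name__ == "__main__":
    for ev in demo()[1]:
        print(format_event(ev))
```

In casework, point `build_timeline` at a read-only mount of a forensic image rather than a live disk, so that the analysis itself does not alter the timestamps being examined.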
Identification of prospective evidence, acquisition of that evidence, analysis of that evidence, and finally the preparation of a report are the general phases of the forensic process.
A file system is a real-world physical representation of information. What makes it more interesting is that the file system can be manipulated and changed in various ways to make it an attack vector. Such attacks are increasingly becoming a reality.
The most popular file system is NTFS, the one located on the virtual hard disk (HDD). However, a growing number of users rely on other file systems such as ext3 and ext4. This has led to growing concern among users that they may be at risk of security issues if they store important files on these file systems.