Which file systems are commonly encountered in forensics, and how do they affect evidence collection?

Multiple Choice

Explanation:
Different file systems organize data and metadata in distinct ways, and that directly shapes how evidence is found and interpreted. In forensics you’ll commonly deal with NTFS, FAT32, ext4, and APFS, each with its own structure: NTFS uses the Master File Table with rich metadata (permissions, timestamps, and features like the USN Journal for change history); ext4 relies on inodes, extents, and a journaling mechanism; APFS uses modern copy-on-write metadata with containers, snapshots, and optional strong encryption; FAT32 is simpler, with a basic file allocation table and less built-in metadata. These designs determine where artifacts live, how timestamps are recorded, and what can be recovered after events like deletion. Journaling records changes but can also affect artifact timelines; encryption at the filesystem level can block access to content without keys; and features such as APFS snapshots can preserve earlier states of files, influencing historical reconstruction. Because each filesystem handles free space, unallocated space, and deleted data differently, investigators must use tools that understand the specific structure to extract accurate artifacts. That variability is why this set of file systems is commonly encountered and why the approach to evidence collection must adapt to the filesystem in use.
