File System & Digital Forensics Case Visualizer

A self-contained teaching document that shows how an operating system sees a disk, how a file system stores metadata and data blocks, how hashes change, and how an examiner compares a normal disk with a suspect disk.

Selected case study: Case 1 — Normal vs Deleted File
Evidence method: Bit-for-bit image + hash comparison
Comparison status: Differences detected

What is happening in this case?

How an examiner knows something changed

  • The original disk is not examined directly. A forensic image is created.
  • The image gets a cryptographic hash. If one bit changes, the hash changes.
  • The examiner compares file-system metadata, directory entries, timestamps, and raw blocks.
  • If a file is deleted, the directory or metadata entry changes, but the data blocks may remain until overwritten.
  • If a file is modified, both the content hash and often the modified timestamp change.
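The Case 1 workflow above, as an added Python model that is not part of the visualizer itself: a toy disk with an MFT-style metadata table and raw data blocks, a delete that flags the entry and frees its blocks without wiping the bytes, and a comparison of an earlier state (Disk A) against a later state (Disk B). Block size, file names and contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE, BLOCK_COUNT = 16, 8   # constructed toy disk: 8 blocks of 16 bytes

@dataclass
class Entry:                      # simplified MFT-style record for one file
    status: str                   # "active" or "deleted"
    mtime: int                    # modified timestamp (constructed epoch seconds)
    blocks: list                  # data blocks the entry points to

@dataclass
class Disk:
    data: bytearray = field(default_factory=lambda: bytearray(BLOCK_SIZE * BLOCK_COUNT))
    table: dict = field(default_factory=dict)                       # name -> Entry
    free: list = field(default_factory=lambda: list(range(BLOCK_COUNT)))

    def write_file(self, name, content, mtime):
        chunks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
        blocks = [self.free.pop(0) for _ in chunks]          # allocate free blocks
        for b, chunk in zip(blocks, chunks):
            self.data[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.table[name] = Entry("active", mtime, blocks)    # record which blocks belong to it

    def delete_file(self, name):
        e = self.table[name]
        e.status = "deleted"          # logical reference removed ...
        self.free.extend(e.blocks)    # ... blocks returned to the free list, bytes left in place

    def read_blocks(self, name):      # follow the block pointers, even for a deleted entry
        e = self.table[name]
        return b"".join(self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in e.blocks)

    def content_hash(self, name):
        return hashlib.sha256(self.read_blocks(name).rstrip(b"\0")).hexdigest()

    def image_hash(self):             # metadata region + data region, like a bit-for-bit image
        meta = "".join(f"{n}|{e.status}|{e.mtime}|{e.blocks};" for n, e in self.table.items())
        return hashlib.sha256(meta.encode() + bytes(self.data)).hexdigest()

def compare(a, b):
    """List what differs between an earlier state (a) and a later state (b)."""
    findings = ["image hash differs"] if a.image_hash() != b.image_hash() else []
    for name, ea in a.table.items():
        eb = b.table[name]
        if (ea.status, ea.mtime) != (eb.status, eb.mtime):
            findings.append(f"{name}: metadata {ea.status},{ea.mtime} -> {eb.status},{eb.mtime}")
        if a.content_hash(name) != b.content_hash(name):
            findings.append(f"{name}: content hash differs")
    return findings
```

Deleting the file changes the image hash and the entry's status but leaves the content hash intact until a later write reuses the freed blocks, which is exactly the distinction the comparison panel highlights.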

Disk A — Known Good / Earlier State

Click a block to inspect the simplified raw data and the file-system meaning.

Block legend: Boot, Metadata, Journal, Active data, Deleted / flagged, Free

Disk B — Suspect / Later State

Use this side-by-side view to see what changed at the block level.

Block legend: Boot, Metadata, Journal, Active data, Deleted / flagged, Free

Inspector — Disk A block

Inspector — Disk B block

File-system metadata table — Disk A

This is a simplified, NTFS-style table modelled on a Master File Table (MFT) entry list. The hash shown here is a simulated file-content hash so you can see what changes.

File-system metadata table — Disk B

If a file is deleted or altered, the status, timestamps, hashes, or block allocation may differ here.

Forensic comparison — what changed?

From operating system to stored file

  1. The computer powers on and the operating system loads from the internal storage device.
  2. The OS uses a storage driver to talk to the disk controller.
  3. The OS reads the partition table (MBR or GPT).
  4. It finds the partition and recognizes the file system type (for example NTFS or FAT32).
  5. It reads the file-system structures, such as directory indexes or metadata tables.
  6. When you create a file, the system creates a metadata entry, writes the content to free blocks, and records which blocks belong to the file.
  7. When you open a file later, the OS does not search randomly. It consults the metadata entry and follows the block pointers.

Why this matters in digital forensics

  • Deletion often removes the logical reference before it destroys the underlying content.
  • Tampering changes content bytes and therefore changes the hash.
  • Timeline analysis relies on created, modified, and accessed timestamps.
  • Block allocation analysis shows where data lived and whether it was overwritten.
  • Hashing confirms whether two files, partitions, or forensic images are identical.