Reverse engineering requires the analyst to understand the environment in which the software being reversed runs. The major resources software needs in order to work in an operating system are memory and the filesystem. In Windows operating systems, besides memory and the filesystem, Microsoft introduced the registry, which is stored on disk in protected files called registry hives.
The filesystem is the layer that organizes how data is stored on the physical disk drive: it manages how files and directories are laid out on disk, and each disk filesystem has its own approach to reading and writing data efficiently.
There are different disk filesystems such as FAT, NTFS, ext2, ext3, XFS, and APFS. Common filesystems used by Windows are FAT32 and NTFS. Stored in the filesystem is information about directory paths and files: the filename, the size of the file, date stamps, and permissions.
The following screenshot shows...