Saturday, December 26, 2009

Forensic review of Windows 7 - Part II - File system

Windows 7 supports the same file systems that Windows Vista supports, i.e. FAT, NTFS & exFAT. Internally, Windows 7 uses the same underlying file system as Windows Vista, NTFS version 3.1. Windows 7 continues to utilize the transactional filesystem database, located in the \$Extend\$RmMetadata folder.

Windows 7 continues not to update the last accessed timestamp unless another timestamp (such as the last written time) is also being updated. This behaviour is controlled by a registry setting that has existed since Windows 2000, but it was not enabled by default until Vista.

The exFAT filesystem used in Windows 7 is the same as the version used in Windows Vista and is designed for removable drives. The latest version of EnCase supports the exFAT file system and will display the exFAT volume contents similar to this example:

When formatting external drives and flash devices, Windows 7 will completely WIPE the contents of the volume UNLESS the "QUICK FORMAT" option is selected, regardless of whether NTFS, FAT or exFAT is used. When the "QUICK FORMAT" option is selected, the prior data remains in unallocated space of the newly created volume and can be carved.
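To make the carving point concrete, here is an added Python example (not part of the original post, and not how EnCase does it) that runs a simple header/footer carver over a constructed byte image standing in for a quick-formatted volume: zeroed boot area followed by stale JPEG and PNG data and one truncated fragment. The signature table and the sample image are assumptions built for the demonstration.

```python
"""Signature-based carving of the kind used to recover files from unallocated space."""

# Header/footer pairs for two common types (constructed table, not exhaustive).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return (offset, type, data) for every header whose footer lies within max_size bytes.

    Caveat: a naive footer search can stop early on a footer byte sequence that happens
    to occur inside the file's own data, so real carvers validate structure as well.
    """
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end != -1:
                end += len(foot)
                found.append((pos, ftype, image[pos:end]))
                pos = image.find(head, end)
            else:
                # Header with no footer in range: a fragment whose tail was overwritten.
                pos = image.find(head, pos + 1)
    return sorted(found)


def build_sample_image() -> bytes:
    """Construct a toy quick-formatted volume: fresh zeroed region, then leftover data."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"          # 52 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 30 + b"IEND\xaeB`\x82"  # 54 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"C" * 20  # JPEG header whose remainder was overwritten
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64 + truncated + b"\x00" * 256


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"offset {offset}: {ftype}, {len(data)} bytes")
```

On the sample image the carver reports the intact JPEG at offset 512 and the PNG at offset 664, and skips the truncated fragment at offset 782 because no footer follows it.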


