Operating System Filesystem

Windows File System

The Windows file system is how Windows organizes, stores, and manages the data on a computer’s drives. The locations below are listed with the security relevance of each.

  • C:\ – Root of the main system drive
    • Top-level directory containing all files and folders on the drive. Everything on the system exists under this root.
    • Important: Compromise at this level can affect the entire system; attackers often target the root drive to plant malware or gain persistent access.
  • C:\Windows – Main OS folder
    • Stores core operating system components, including subfolders like System32, WinSxS, and Logs.
    • Important: High-value target for attackers; modification can lead to system instability, privilege escalation, or malware persistence.
  • C:\Windows\System32 – Core executables and system libraries
    • Contains DLLs, system utilities, and essential programs such as cmd.exe, taskmgr.exe, regedit.exe, ipconfig.exe.
    • Important: Frequent target for malware; replacing or tampering with files here can bypass security controls or allow rootkits to hide.
  • C:\Program Files – Default location for 64-bit applications
    • Each application has its own subfolder containing program files, libraries, and resources (e.g., C:\Program Files\Google\Chrome).
    • Important: Protected by the system; only administrators can modify. Malware often attempts to write here to persist.
  • C:\Program Files (x86) – Default location for 32-bit applications on 64-bit Windows
    • Separation prevents conflicts between 32-bit and 64-bit software (e.g., C:\Program Files (x86)\Mozilla Firefox).
    • Important: Same as above; attackers may target this folder for persistence or installing malicious apps.
  • C:\Users – Stores user profiles and personal data
    • Each user has a folder containing Desktop, Documents, Downloads, Pictures, and the hidden AppData folder.
      • Example structure:
        • C:\Users\Administrator
        • C:\Users\john\
    • Important: Primary target for credential theft, sensitive document access, and ransomware.
  • C:\Users\<user>\AppData – Application-specific data
    • Local: machine-specific settings
    • Roaming: settings that move with the user profile
    • LocalLow: low-security application data
    • Important: Malware often hides here because it can run with user permissions and persists across sessions.
  • C:\ProgramData – Hidden folder for shared application data
    • Stores license info, databases, and configuration files used by all users.
    • Important: Attackers may place scripts or configs here to affect all users.
  • C:\Windows\Temp – Temporary OS files
    • Stores cached data, session files, and logs created by Windows and applications.
    • Important: Often used by malware to drop temporary scripts or payloads; its contents can also provide forensic evidence.
  • C:\Users\<user>\AppData\Local\Temp – Temporary files for user applications
    • Often cleaned automatically.
    • Important: Common location for malicious downloads or scripts executed by users.
  • C:\Windows\System32\winevt\Logs – System logs
    • Contains Security, System, and Application logs.
    • Important: Critical for auditing, detecting intrusions, and forensic analysis. Attackers may attempt to clear or tamper with these logs.
  • C:\Windows\System32\drivers – Device drivers
    • Software that allows Windows to interact with hardware (network, disk, USB devices).
    • Important: Malicious drivers can run at the kernel level, bypassing security controls.
  • C:\Windows\Boot – Boot files
    • Stores Boot Configuration Data (BCD) and boot manager; EFI System Partition contains UEFI boot files.
    • Important: Targeted by bootkits or ransomware to prevent recovery or achieve early execution.
  • C:\Windows\inf – Driver installation information
    • Stores .inf files used for installing hardware drivers.
    • Important: Malware may attempt to modify or inject malicious drivers here.
  • C:\Windows\System32\spool – Print spooler files
    • Manages printing tasks and queued documents.
    • Important: Print spooler vulnerabilities (like PrintNightmare) can allow privilege escalation or remote code execution.
  • C:\Windows\System32\Config – Registry storage files
    • Stores system-wide configuration in files backing HKLM, HKCU, and other registry hives.
    • Important: Corrupting or exfiltrating these files can give full system access, credential theft, or malware persistence.
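The list above amounts to a sensitivity map of the Windows drive, which is exactly what a detection rule for file-creation telemetry needs. The following Python is an added example (not part of the original notes): it encodes the documented locations as a zone table, resolves any Windows path to its zone case-insensitively with `<user>` as a wildcard, and rates a write event by zone and file type, so an executable dropped into a user Temp or AppData folder is flagged while the same file under a user's Documents is not. The event records, the `assess` severity scale and the data source named in the comments (Sysmon file-create events) are assumptions made for the example.

```python
"""Map Windows file-write events to the filesystem zones from the notes.

Added example, not from the original notes. The ZONES table is derived from
the locations described above; the event records below are constructed.
Real events would come from Sysmon Event ID 11 (FileCreate) or similar
telemetry, which is an assumption about the data source.
"""
from pathlib import PureWindowsPath

# Most specific prefixes first: the first matching entry wins.
# "<user>" matches any profile folder name.
ZONES = [
    ("C:/Windows/System32/winevt/Logs",     "event-logs",     "log clearing / anti-forensics"),
    ("C:/Windows/System32/drivers",         "drivers",        "kernel-level code"),
    ("C:/Windows/System32/config",          "registry-hives", "credential theft / persistence"),
    ("C:/Windows/System32/spool",           "spooler",        "privilege escalation"),
    ("C:/Windows/Boot",                     "boot",           "bootkit / early execution"),
    ("C:/Windows/Temp",                     "system-temp",    "payload staging"),
    ("C:/Windows/System32",                 "system32",       "core binaries; rootkit hiding"),
    ("C:/Windows",                          "windows",        "OS core"),
    ("C:/Program Files (x86)",              "program-files",  "application persistence"),
    ("C:/Program Files",                    "program-files",  "application persistence"),
    ("C:/ProgramData",                      "programdata",    "shared app data; affects all users"),
    ("C:/Users/<user>/AppData/Local/Temp",  "user-temp",      "malicious downloads / scripts"),
    ("C:/Users/<user>/AppData",             "appdata",        "user-level persistence"),
    ("C:/Users/<user>",                     "user-profile",   "documents / credentials"),
    ("C:/",                                 "root",           "system root"),
]

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr"}
CRITICAL_ZONES = {"event-logs", "drivers", "registry-hives", "spooler", "boot", "system32", "windows"}
STAGING_ZONES = {"user-temp", "system-temp", "appdata", "programdata"}


def zone_of(path: str):
    """Return (zone name, why it matters) for a Windows path, or ("other", ...)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]   # NTFS names are case-insensitive
    for prefix, name, why in ZONES:
        pre = [p.lower() for p in PureWindowsPath(prefix).parts]
        if len(pre) <= len(parts) and all(a == b or a == "<user>" for a, b in zip(pre, parts)):
            return name, why
    return "other", "outside the documented zones"


def assess(event: dict) -> dict:
    """Rate one file-write event; severity scale is an assumption of this example."""
    zone, why = zone_of(event["path"])
    executable = PureWindowsPath(event["path"]).suffix.lower() in EXECUTABLE_SUFFIXES
    if zone in CRITICAL_ZONES:
        severity = "critical"            # any write to the OS core is worth a look
    elif zone in STAGING_ZONES and executable:
        severity = "high"                # executable content in a staging/persistence area
    elif zone == "user-profile" and executable:
        severity = "medium"
    else:
        severity = "info"
    return {"path": event["path"], "user": event["user"], "zone": zone,
            "executable": executable, "severity": severity, "why": why}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"path": r"C:\Users\john\AppData\Local\Temp\update.exe", "user": "john"},
    {"path": r"C:\Windows\System32\drivers\evil.sys", "user": "SYSTEM"},
    {"path": r"C:\Users\john\Documents\report.docx", "user": "john"},
    {"path": r"C:\ProgramData\Vendor\config.json", "user": "SYSTEM"},
    {"path": r"C:\Windows\Temp\stage.ps1", "user": "john"},
    {"path": r"c:\windows\system32\winevt\logs\Security.evtx", "user": "SYSTEM"},
    {"path": r"D:\backup\archive.zip", "user": "john"},
]


def triage(events):
    """Assess every event and return the results, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted((assess(e) for e in events), key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["severity"]:8} {r["zone"]:14} {r["user"]:7} {r["path"]}  ({r["why"]})')
```

Zone order matters: `C:\Windows\Temp` and the `winevt\Logs` folder must be listed before their parents or every path under `C:\Windows` would collapse into the generic "windows" zone.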

Linux-Based OS File System

The Linux file system is how a Linux-based OS organizes, stores, and manages the data on a computer’s drives. The directories below follow the standard hierarchy, each with its security relevance.

  • / – Root of the filesystem
    • Contains all system files, user folders, and directories. Only the superuser (root) can modify critical system directories.
    • Important: Altering anything here can break the system or escalate privileges.
  • /bin – Essential binaries like ls, cp, mv
    • Important: malware might replace binaries here to hide activity.
  • /sbin – System binaries for administrative tasks
    • Only root can execute most files.
  • /usr – User programs and libraries
    • Contains /usr/bin, /usr/lib for installed applications.
  • /lib and /lib64 – Shared libraries for system programs
    • Important: corrupt libraries can compromise the system.
  • /etc – System configuration files
    • Examples: /etc/passwd (user accounts), /etc/ssh/sshd_config (SSH server config)
    • Important: target for attackers to gain unauthorized access.
  • /home/<user> – User personal directories
    • Stores documents, downloads, and hidden folders like .ssh/ or .config/
    • Important: private data, credentials, and application settings reside here.
  • /root – Superuser’s home
    • Important: stores root-specific configs; high-value target for attackers.
  • /var – Variable data like logs (/var/log), mail, print spools
    • Important: logs here can be analyzed for forensic investigation.
  • /tmp – Temporary files
    • Used by the system and applications. Permissions usually allow all users to write, but the “sticky bit” is set so that users can only delete or rename files they own.
  • /dev – Device files representing hardware
    • Important: Accessing device files improperly can compromise the system.
  • /proc and /sys – Virtual filesystems providing runtime system info
    • Important: Attackers can read the system state or try to manipulate kernel parameters.
  • /opt – Optional software installed manually
    • Important: Third-party software location; could be abused by malware.
  • /mnt and /media – Mount points for drives and removable media
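Two of the properties above are easy to verify mechanically: a shared directory such as /tmp should be world-writable only with the sticky bit set, and SUID/SGID binaries (mentioned again under File System Security below) deserve an inventory because they run with the owner's privileges. The following Python is an added example, not code from the original notes: `classify_mode` inspects a mode word with the bit names from stat(2), `audit_tree` walks a directory with `os.lstat` so symlinks are not followed, and `build_demo_tree` constructs a small throwaway tree (a /tmp-like directory, a world-writable directory missing the sticky bit, a SUID file and a world-writable config file) so the audit runs offline without touching the real system directories. All paths inside the demo tree are constructed for the example.

```python
"""Audit a directory tree for sticky-bit and SUID/SGID hygiene.

Added example, not from the original notes. The demo tree built by
build_demo_tree() is constructed; in practice audit_tree() would be pointed
at /tmp, /var/tmp, /usr/bin or similar.
"""
import os
import shutil
import stat
import tempfile


def is_tmp_style(mode: int) -> bool:
    """True for a /tmp-like directory: world-writable with the sticky bit set."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH) and bool(mode & stat.S_ISVTX)


def classify_mode(mode: int) -> list:
    """Return the findings that apply to one inode mode (empty list = nothing to report)."""
    findings = []
    world_writable = bool(mode & stat.S_IWOTH)
    if stat.S_ISDIR(mode):
        if world_writable and not (mode & stat.S_ISVTX):
            # Any user could delete or rename other users' files here.
            findings.append("world-writable-dir-no-sticky")
    elif stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append("suid")      # runs as the file owner, e.g. root
        if mode & stat.S_ISGID:
            findings.append("sgid")      # runs with the file's group
        if world_writable:
            findings.append("world-writable-file")
    return findings


def audit_tree(root: str) -> dict:
    """Walk root and map relative path -> findings, for entries that have any."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: never follow symlinks during an audit
            found = classify_mode(st.st_mode)
            if found:
                results[os.path.relpath(full, root)] = found
    return results


def build_demo_tree() -> str:
    """Create a constructed tree with one good and several questionable entries."""
    root = tempfile.mkdtemp(prefix="fs-audit-demo-")
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)      # like /tmp: sticky + world-writable
    os.makedirs(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)    # misconfiguration: no sticky bit
    files = (
        ("bin/passwd-like", 0o4755),                  # SUID executable (constructed name)
        ("bin/ls-like", 0o755),                       # ordinary executable
        ("etc/worldwritable.conf", 0o666),            # config anyone can edit
    )
    for rel, mode in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for rel, findings in sorted(audit_tree(demo).items()):
            print(f"{rel:28} {', '.join(findings)}")
    finally:
        cleanup(demo)
```

Setting the SUID bit on a file you own does not require root, which is why the demo can create one; whether the kernel honours it at exec time depends on the mount (a `nosuid` mount ignores it), so the audit reports the bit rather than assuming it is effective.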

Windows vs Linux-Based OS

  • Root of the System
    • Windows: C:\ – The top-level directory where everything resides. Protecting this ensures system integrity.
    • Linux: / – Top of the filesystem hierarchy, containing all system and user files.
  • System Core / Executables
    • Windows: C:\Windows, C:\Windows\System32 – Core OS components, system executables, and libraries (DLLs). Integrity is critical; tampering here enables privilege escalation, rootkits, and malware persistence.
    • Linux: /bin, /sbin, /usr/bin, /usr/sbin, /lib, /lib64 – Core system commands, admin binaries, and libraries. Integrity is critical to prevent system compromise.
  • User Profiles / Personal Data
    • Windows: C:\Users\<user> – Stores Documents, Downloads, Desktop, and AppData (hidden). Sensitive files, credentials, and configs are here, often targeted by malware.
    • Linux: /home/<user> – Contains user files, hidden configs (.ssh/, .config/), and personal data.
  • Administrator / Root Account
    • Windows: C:\Users\Administrator – Superuser account folder, high-value target for privilege escalation.
    • Linux: /root – Root user’s home directory. Access is restricted to prevent misuse.
  • Temporary Files
    • Windows: C:\Windows\Temp, C:\Users\<user>\AppData\Local\Temp – Stores transient files, session data, and caches. Can be exploited by malware but is safe to clear periodically.
    • Linux: /tmp, /var/tmp – Temporary files and session data, often writable by all users; malware sometimes hides here.
  • Application Data / Configuration
    • Windows: C:\Users\<user>\AppData (Local, Roaming, LocalLow), C:\ProgramData – Stores per-user and shared app settings, caches, and configuration data. Critical for persistence mechanisms.
    • Linux: /home/<user>/.config, /home/<user>/.local, /etc, /opt, /usr/local – User and system application configurations, system-wide app settings, and third-party software locations.
  • Installed Applications
    • Windows: C:\Program Files (64-bit), C:\Program Files (x86) (32-bit) – Applications installed for all users. Permissions prevent standard users from modifying files.
    • Linux: /usr/bin, /usr/sbin, /opt, /usr/local/bin – Installed software and user-executable programs. Security depends on file permissions and ownership.
  • Boot / Startup Files
    • Windows: C:\Windows\Boot, EFI System Partition – Bootloader files, Boot Configuration Data (BCD). Tampering here can prevent boot or install rootkits.
    • Linux: /boot, /boot/efi – Kernel, GRUB, initramfs. Protecting these prevents kernel-level attacks.
  • Device Drivers / Hardware Interfaces
    • Windows: C:\Windows\System32\drivers, sometimes C:\Windows\inf – Drivers for hardware. Compromised drivers can be used for privilege escalation.
    • Linux: /dev, /lib/modules – Device files and kernel modules. Malicious modifications can lead to root-level compromise.
  • System Logs
    • Windows: C:\Windows\System32\winevt\Logs – Event logs for Security, System, and Application. Useful for forensic analysis.
    • Linux: /var/log – Logs for system, authentication, services, and applications. Key for monitoring and intrusion detection.
  • Registry / Configuration Storage
    • Windows: HKLM, HKCU, HKCR, HKU, HKCC – Stores system and user settings; backed by files in C:\Windows\System32\config. Target for malware persistence.
    • Linux: /etc, /home/<user>/.config – Stores system-wide and user-specific configuration. Equivalent to registry for many purposes.
  • File System Security
    • Windows: NTFS permissions, Access Control Lists (ACLs), User Account Control (UAC), BitLocker. Protects system and user files from unauthorized access.
    • Linux: File permissions, ownership, SUID/SGID bits, SELinux/AppArmor policies. Protects critical system and user files.