Tag: Linux

  • Operating System Filesystem

    Windows File System

    The Windows file system (NTFS on any modern install) is how Windows organizes, stores, and manages the data on a computer’s drives. The directories below are the ones that matter most from a security standpoint, with the reason each one matters.

    • C:\ – Root of the main system drive
      • Top-level directory containing all files and folders on the drive. Everything on the system exists under this root.
      • Important: Compromise at this level affects the entire system. On a default install standard (authenticated) users can create folders directly under C:\, so a new top-level directory is not by itself evidence of administrator activity; attackers use this to stage tools and to plant look-alike directories.
    • C:\Windows – Main OS folder
      • Stores core operating system components, including subfolders such as System32, WinSxS (the component store from which system files are serviced), and Logs.
      • Important: High-value target. Most of this tree is owned by TrustedInstaller and cannot be written even by administrators without taking ownership, so unexpected changes here point to a privileged compromise; the consequences are system instability, privilege escalation, or malware persistence.
    • C:\Windows\System32 – Core executables and system libraries
      • Contains DLLs, system utilities, and essential programs such as cmd.exe, taskmgr.exe, regedit.exe, ipconfig.exe.
      • Important: Frequent target for malware; replacing a system DLL, dropping a look-alike DLL that wins the search order, or tampering with utilities here can bypass security controls or let a rootkit hide. Files are owned by TrustedInstaller, so a newly created or modified file in System32 is a strong indicator.
    • C:\Program Files – Default location for 64-bit applications on 64-bit Windows
      • Each application has its own subfolder containing program files, libraries, and resources (e.g., C:\Program Files\Google\Chrome).
      • Important: Standard users can read and execute but not write; only administrators (through UAC elevation) can modify. Malware that already holds admin rights writes here to look legitimate; without those rights, the usual abuse is an application subfolder whose installer left it writable, allowing a DLL or executable to be swapped.
    • C:\Program Files (x86) – Default location for 32-bit applications on 64-bit Windows
      • Separation prevents conflicts between 32-bit and 64-bit software (e.g., C:\Program Files (x86)\Mozilla Firefox).
      • Important: Same as above; attackers may target this folder for persistence or installing malicious apps.
    • C:\Users – Stores user profiles and personal data
      • Each user has a folder containing Desktop, Documents, Downloads, Pictures, and the hidden AppData folder.
        • Example structure:
          • C:\Users\Administrator\
          • C:\Users\john\
      • Important: Primary target for credential theft, sensitive document access, and ransomware.
    • C:\Users\<user>\AppData – Application-specific data (hidden)
      • Local: machine-specific data that does not roam (caches, large files, the user Temp folder)
      • Roaming: settings that follow the user between machines when roaming profiles are in use
      • LocalLow: data for processes running at low integrity level, such as sandboxed browser components
      • Important: Writable with ordinary user rights, so it is the usual home for user-level persistence: a dropped executable plus a Run key or a Startup-folder shortcut survives reboots without any administrator privileges.
    • C:\ProgramData – Hidden folder for shared application data
      • Stores license info, databases, and configuration files used by all users.
      • Important: By default standard users can create files and folders here (and own what they create), and installers often leave subfolders writable by everyone; a script or binary planted there runs for every user and may be picked up by a privileged service.
    • C:\Windows\Temp – Temporary OS files
      • Scratch space for Windows services and installers: cached data, setup logs, extracted files. Writable by all users by default.
      • Important: A common staging location for dropped payloads and for the intermediate files of installers and services; its contents and their timestamps are useful forensic evidence, and process execution from here is a reasonable detection trigger.
    • C:\Users\<user>\AppData\Local\Temp – Temporary files for user applications
      • Cleaned by Disk Cleanup, Storage Sense, or the application itself rather than on every reboot, so artefacts often linger.
      • Important: Common location for downloaded payloads, extracted archives, and scripts; many droppers unpack and execute from here with the user's rights.
    • C:\Windows\System32\winevt\Logs – Windows Event Log files (.evtx)
      • Contains Security.evtx, System.evtx, and Application.evtx plus one file per additional channel (for example the PowerShell operational log).
      • Important: Critical for auditing, detecting intrusions, and forensic analysis. Attackers clear logs (wevtutil cl, Clear-EventLog) or stop the Event Log service; clearing the Security log itself records event ID 1102, so forward logs to a collector where they cannot be erased locally.
    • C:\Windows\System32\drivers – Device drivers
      • Software that allows Windows to interact with hardware (network, disk, USB devices).
      • Important: Drivers run in the kernel with no user-mode security boundary; a malicious driver, or a legitimately signed but vulnerable one loaded on purpose, can disable security products and hide activity. Driver signature enforcement and the vulnerable-driver blocklist are the controls.
    • C:\Windows\Boot – Boot file templates
      • Holds the boot manager templates (PCAT and EFI variants) that bcdboot copies when the boot environment is created or repaired. The live boot manager and the Boot Configuration Data (BCD) store sit on the System Reserved partition (BIOS) or the EFI System Partition (UEFI, under \EFI\Microsoft\Boot), not under C:\Windows\Boot.
      • Important: Bootkits target the boot manager and BCD for execution before the OS and its security drivers load; ransomware corrupts the BCD to prevent recovery. Secure Boot and measured boot are the controls.
    • C:\Windows\inf – Driver installation information
      • Stores .inf files used for installing hardware drivers.
      • Important: Driver packages are installed through their .inf files, and installed packages are staged under C:\Windows\System32\DriverStore; malware that gains admin rights may add a package here, although it must still pass signature checks, so inventory both locations.
    • C:\Windows\System32\spool – Print spooler files
      • Holds queued print jobs and the installed printer drivers (spool\drivers).
      • Important: The spooler runs as SYSTEM and historically loaded drivers supplied by users or by remote printers; vulnerabilities such as PrintNightmare allowed local privilege escalation and remote code execution. Disable the service on hosts that do not print.
    • C:\Windows\System32\config – Registry hive files
      • SAM, SECURITY, SYSTEM, SOFTWARE, and DEFAULT back the HKLM hives (and HKU\.DEFAULT). HKCU is not stored here: it is backed by NTUSER.DAT in each profile under C:\Users.
      • Important: SAM combined with SYSTEM (which holds the boot key) yields local account password hashes, and SECURITY holds LSA secrets and cached domain credentials. The files are locked while Windows runs, so attackers copy them from a Volume Shadow Copy or with reg save HKLM\SAM, both of which are worth alerting on; corrupting them breaks the system or its security settings.
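
    Added example (Python, not code from these notes or from Microsoft): a small triage function that maps a process image path onto the directories above and flags execution from locations a standard user can write to. It assumes the system drive is C:, and the sample process-creation events are constructed. It goes slightly beyond the list by handling the normalisation an attacker can exploit: mixed case and forward slashes, `..` segments, trailing-space names such as `C:\Windows \System32`, and look-alike siblings such as `C:\Program FilesX`, which a plain string-prefix check would mishandle.

```python
"""Triage Windows process-image paths by the trust level of the directory
they run from (added example; rule table and sample events are constructed)."""
import ntpath

# (directory, label, writable by a standard user). Most specific first, so a
# file under C:\Users\x\AppData\Local\Temp is reported as user-temp rather
# than appdata. "{user}" matches any profile folder name under C:\Users.
RULES = [
    (r"C:\Users\{user}\AppData\Local\Temp", "user-temp", True),
    (r"C:\Users\{user}\AppData", "appdata", True),
    (r"C:\Users\{user}\Downloads", "downloads", True),
    (r"C:\Users\{user}", "user-profile", True),
    (r"C:\Windows\Temp", "windows-temp", True),
    (r"C:\ProgramData", "programdata", True),
    (r"C:\Windows\System32\drivers", "drivers", False),
    (r"C:\Windows\System32", "system32", False),
    (r"C:\Windows", "windows", False),
    (r"C:\Program Files (x86)", "program-files-x86", False),
    (r"C:\Program Files", "program-files", False),
]


def components(path):
    # Split a Windows path into [drive, dir, ..., name]. ntpath.normpath
    # collapses '.', '..', '/' and doubled separators, so
    # C:\Windows\Temp\..\System32\x.exe compares as C:\Windows\System32\x.exe.
    # NTFS names are case-insensitive, so everything is casefolded.
    norm = ntpath.normpath(path).casefold()
    drive, rest = ntpath.splitdrive(norm)
    return [drive] + [p for p in rest.split("\\") if p]


def has_deceptive_name(parts):
    # Win32 strips trailing spaces and dots when a path is opened, so a name
    # ending in either exists only if it was created deliberately (via the
    # \\?\ prefix) to make e.g. "C:\Windows \System32" look like the real one.
    return any(p != p.rstrip(" .") for p in parts[1:])


def classify(image_path):
    # Returns (label, writable). Unknown locations are 'unlisted' and treated
    # as writable: the table is an allowlist of protected directories, and a
    # standard user can create a folder directly under C:\ on a default install.
    parts = components(image_path)
    if has_deceptive_name(parts):
        return ("deceptive-name", True)
    for rule_path, label, writable in RULES:
        rule = components(rule_path)
        if len(parts) <= len(rule):          # need a file name after the directory
            continue
        if all(r == "{user}" or r == p for r, p in zip(rule, parts)):
            return (label, writable)
    return ("unlisted", True)


SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    {"pid": 4012, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4013, "image": r"C:\Users\john\AppData\Local\Temp\update.exe"},
    {"pid": 4014, "image": r"C:\Users\john\Downloads\invoice.pdf.exe"},
    {"pid": 4015, "image": r"C:\ProgramData\Sync\sync.exe"},
    {"pid": 4016, "image": r"c:/program files/google/chrome/application/chrome.exe"},
    {"pid": 4017, "image": r"C:\Windows\Temp\..\System32\svchost.exe"},
    {"pid": 4018, "image": r"C:\Windows \System32\svchost.exe"},
    {"pid": 4019, "image": r"C:\Program FilesX\tool.exe"},
]


def triage(events):
    # Returns (pid, image, label) for every event whose image lives where a
    # standard user could have written it.
    flagged = []
    for ev in events:
        label, writable = classify(ev["image"])
        if writable:
            flagged.append((ev["pid"], ev["image"], label))
    return flagged


if __name__ == "__main__":
    for pid, image, label in triage(SAMPLE_EVENTS):
        print(f"{pid}\t{label:16}\t{image}")
```

    Comparing path components rather than string prefixes is what keeps `C:\Program FilesX` from passing as `C:\Program Files`. Short (8.3) names such as `C:\PROGRA~1` cannot be resolved offline and would land in `unlisted`, which is the right side to err on; resolve them on the host before classifying if that produces too much noise.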

    Linux-Based OS File System

    The Linux file system is how a Linux-based OS organizes, stores, and manages the data on its drives. The layout follows the Filesystem Hierarchy Standard (FHS); the directories below are the ones that matter most for security.

    • / – Root of the filesystem
      • Contains all system files, user folders, and directories. Only the superuser (root) can modify critical system directories.
      • Important: The directories directly under / are root-owned and not writable by normal users; anything world-writable at this level is a misconfiguration, and altering system directories can break the system or open a path to root.
    • /bin – Essential binaries like ls, cp, mv
      • On most current distributions /bin is a symlink to /usr/bin (the "usr merge"), so the two are one tree.
      • Important: malware replaces binaries here (ps, ls, netstat, ss) to hide processes and connections; verify them against the package database (rpm -V, debsums) rather than trusting their output.
    • /sbin – System binaries for administrative tasks (fdisk, iptables, sshd)
      • Anyone can execute most of them; they simply fail without root privileges. /sbin is often absent from a normal user's PATH, which is a convenience, not a security control.
    • /usr – User programs and libraries
      • Contains /usr/bin, /usr/lib, and /usr/share for distribution-installed applications; /usr/local is for locally built software.
    • /lib and /lib64 – Shared libraries for system programs
      • Important: a trojaned libc, or a library forced into every process through /etc/ld.so.preload or LD_PRELOAD, is a userland rootkit technique; /etc/ld.so.preload should not exist on a normal system.
    • /etc – System configuration files
      • Examples: /etc/passwd (user accounts, world-readable), /etc/shadow (password hashes, readable only by root), /etc/sudoers, /etc/ssh/sshd_config (SSH server config), /etc/cron.d
      • Important: primary target for persistence and privilege escalation: adding a user or a sudoers rule, dropping a cron job, or enabling root or password login over SSH. Anything here writable by a non-root user is a finding.
    • /home/<user> – User personal directories
      • Stores documents, downloads, and hidden folders like .ssh/ or .config/
      • Important: private data, credentials (~/.ssh private keys, shell history, tokens in ~/.config), and application settings reside here; ~/.ssh/authorized_keys is a common persistence spot, and ~/.bashrc or ~/.profile can hijack every shell the user opens.
    • /root – Superuser’s home
      • Important: stores root's shell history, SSH keys, and configs; readable only by root and a high-value target for attackers.
    • /var – Variable data like logs (/var/log), mail, print spools, and package caches
      • Important: logs here (auth.log or secure, syslog or messages, the journal under /var/log/journal) are the primary forensic source; attackers truncate or edit them, so ship them off-host.
    • /tmp – Temporary files
      • Used by the system and applications. Writable by all users, with the sticky bit set (drwxrwxrwt) so that only a file's owner (or root) can delete or rename it; without the sticky bit any user could remove or replace another user's temporary files, which enables symlink and race attacks. Dropped payloads often land here, so mounting /tmp noexec is a common hardening step.
    • /dev – Device files representing hardware
      • Important: read access to a block device such as /dev/sda bypasses file permissions entirely, and /dev/mem exposes physical memory; device-node permissions are set by udev and should not be loosened.
    • /proc and /sys – Virtual filesystems providing runtime system info
      • Important: /proc/<pid> exposes each process's environment, memory maps, and open files, and /proc/sys is the kernel parameter tree behind sysctl. Attackers read it to enumerate processes and credentials; with root they weaken the system through it, for example by relaxing kernel.yama.ptrace_scope or disabling ASLR via kernel.randomize_va_space.
    • /opt – Optional software installed manually
      • Important: Third-party software location, not tracked by the package manager, so its integrity cannot be verified with rpm -V or debsums; check ownership and permissions, and treat a world-writable directory here as a privilege-escalation path.
    • /mnt and /media – Mount points for additional drives and removable media
      • Removable media is a classic malware entry point; mount options (noexec, nosuid, nodev) limit what can run from it.
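
    Added example (Python, not code from these notes or from any distribution): an audit that walks a directory tree and reports the conditions described above: a world-writable directory without the sticky bit, a world-writable file (such as a config under /etc), set-UID or set-GID executables, and a non-empty /etc/ld.so.preload. `build_fixture()` creates a constructed miniature tree under a temporary directory so the audit can be exercised without touching a real host; point `audit_tree()` at `/` (as root) for the real thing.

```python
"""Audit a directory tree for the permission weaknesses described in the
notes above (added example; the fixture it builds is constructed test data)."""
import os
import stat
import tempfile


def check_dir(path):
    # A world-writable directory must carry the sticky bit (as /tmp does);
    # otherwise any user can delete or rename files that others put there.
    mode = os.lstat(path).st_mode
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return ("world-writable-dir-no-sticky", path)
    return None


def check_file(path):
    # lstat, not stat: a symlink must not be followed to whatever it points at.
    mode = os.lstat(path).st_mode
    if not stat.S_ISREG(mode):
        return None
    if mode & stat.S_ISUID:
        return ("setuid", path)
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        return ("setgid", path)
    if mode & stat.S_IWOTH:
        return ("world-writable-file", path)
    return None


def check_preload(etc_dir):
    # /etc/ld.so.preload is absent on a normal system; any library listed in
    # it is injected into every dynamically linked process (userland rootkit).
    path = os.path.join(etc_dir, "ld.so.preload")
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        libs = [ln.strip() for ln in fh
                if ln.strip() and not ln.lstrip().startswith("#")]
    return ("ld.so.preload", path, tuple(libs)) if libs else None


def audit_tree(root):
    # os.walk does not follow symlinked directories by default, so a link
    # planted in a world-writable directory cannot redirect the audit.
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        hit = check_dir(dirpath)
        if hit:
            findings.append(hit)
        for name in filenames:
            hit = check_file(os.path.join(dirpath, name))
            if hit:
                findings.append(hit)
    hit = check_preload(os.path.join(root, "etc"))
    if hit:
        findings.append(hit)
    return sorted(findings)


def build_fixture():
    # Constructed miniature filesystem in a temp dir: three deliberate
    # weaknesses, one correctly configured /tmp, one expected set-UID binary.
    root = tempfile.mkdtemp(prefix="fsaudit-")
    paths = {"root": root}

    def mkdir(rel, mode):
        paths[rel] = os.path.join(root, rel)
        os.mkdir(paths[rel])
        os.chmod(paths[rel], mode)

    def mkfile(rel, mode, content):
        paths[rel] = os.path.join(root, rel)
        with open(paths[rel], "w") as fh:
            fh.write(content)
        os.chmod(paths[rel], mode)

    mkdir("tmp", 0o1777)      # world-writable with sticky bit: correct
    mkdir("shared", 0o777)    # world-writable without sticky bit: finding
    mkdir("etc", 0o755)
    mkdir("usr", 0o755)
    mkdir("usr/bin", 0o755)
    mkfile("etc/passwd", 0o666, "root:x:0:0:root:/root:/bin/bash\n")   # finding
    mkfile("etc/ld.so.preload", 0o644, "/lib/evil.so\n")                # finding
    mkfile("usr/bin/su", 0o4755, "#!/bin/sh\nexit 0\n")                 # set-UID: inventoried
    mkfile("usr/bin/ls", 0o755, "#!/bin/sh\nexit 0\n")                  # clean
    return paths


if __name__ == "__main__":
    for finding in audit_tree(build_fixture()["root"]):
        print(*finding)
```

    A set-UID finding is not a vulnerability by itself (su, sudo, and passwd are expected); the value is in diffing the list against a known-good baseline, the same way a modified binary in /bin is caught by diffing against the package database.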

    Windows vs Linux-Based OS

    • Root of the System
      • Windows: C:\ – The top-level directory where everything resides. Protecting this ensures system integrity.
      • Linux: / – Top of the filesystem hierarchy, containing all system and user files.
    • System Core / Executables
      • Windows: C:\Windows, C:\Windows\System32 – Core OS binaries, DLLs, and drivers, owned by TrustedInstaller. Integrity is critical; new or modified files here indicate a privileged compromise.
      • Linux: /bin, /sbin, /usr/bin, /usr/sbin, /lib, /lib64 – Core system commands, admin binaries, and libraries. Integrity is critical to prevent system compromise.
    • User Profiles / Personal Data
      • Windows: C:\Users\<user> – Stores Documents, Downloads, Desktop, and AppData (hidden). Sensitive files, credentials, and configs are here, often targeted by malware.
      • Linux: /home/<user> – Contains user files, hidden configs (.ssh/, .config/), and personal data.
    • Administrator / Root Account
      • Windows: C:\Users\Administrator – Profile of the built-in Administrator account, which is disabled by default on client editions; the most privileged principal, SYSTEM, has no profile under C:\Users. Any administrator profile is a high-value target for credential theft and privilege escalation.
      • Linux: /root – Root user’s home directory. Access is restricted to prevent misuse.
    • Temporary Files
      • Windows: C:\Windows\Temp, C:\Users\<user>\AppData\Local\Temp – Stores transient files, session data, and caches. Can be exploited by malware but is safe to clear periodically.
      • Linux: /tmp, /var/tmp – Temporary files and session data, often writable by all users; malware sometimes hides here.
    • Application Data / Configuration
      • Windows: C:\Users\<user>\AppData (Local, Roaming, LocalLow), C:\ProgramData – Stores per-user and shared app settings, caches, and configuration data. Critical for persistence mechanisms.
      • Linux: /home/<user>/.config, /home/<user>/.local, /etc, /opt, /usr/local – User and system application configurations, system-wide app settings, and third-party software locations.
    • Installed Applications
      • Windows: C:\Program Files (64-bit), C:\Program Files (x86) (32-bit) – Applications installed for all users. Permissions prevent standard users from modifying files.
      • Linux: /usr/bin, /usr/sbin, /opt, /usr/local/bin – Installed software and user-executable programs. Security depends on file permissions and ownership.
    • Boot / Startup Files
      • Windows: C:\Windows\Boot, EFI System Partition – Bootloader files, Boot Configuration Data (BCD). Tampering here can prevent boot or install rootkits.
      • Linux: /boot, /boot/efi – Kernel, GRUB, initramfs. Protecting these prevents kernel-level attacks.
    • Device Drivers / Hardware Interfaces
      • Windows: C:\Windows\System32\drivers, sometimes C:\Windows\inf – Drivers for hardware. Compromised drivers can be used for privilege escalation.
      • Linux: /dev, /lib/modules – Device files and kernel modules. Malicious modifications can lead to root-level compromise.
    • System Logs
      • Windows: C:\Windows\System32\winevt\Logs – Event logs for Security, System, and Application. Useful for forensic analysis.
      • Linux: /var/log – Logs for system, authentication, services, and applications. Key for monitoring and intrusion detection.
    • Registry / Configuration Storage
      • Windows: HKLM, HKCU, HKCR, HKU, HKCC – Stores system and user settings. The HKLM hives are backed by files in C:\Windows\System32\config, HKCU and HKU by NTUSER.DAT and UsrClass.dat in each profile, and HKCR and HKCC are merged views of the others. Run keys, service definitions, and scheduled tasks live here, which makes it the main persistence target.
      • Linux: /etc, /home/<user>/.config – Stores system-wide and user-specific configuration. Equivalent to registry for many purposes.
    • File System Security
      • Windows: NTFS permissions (ACLs), mandatory integrity levels, User Account Control (UAC), BitLocker disk encryption. Protects system and user files from unauthorized access and from offline tampering.
      • Linux: File permissions and ownership, SUID/SGID and sticky bits, POSIX ACLs, capabilities, mount options (noexec, nosuid, nodev), SELinux/AppArmor policies, LUKS/dm-crypt disk encryption. Protects critical system and user files.