NTFS Partitions - homepage.cs.uri.edu/~thenry/csc487/video/60_ntfs.pdf
Post on 15-Feb-2019
File System Forensics
THINK BIG WE DO
URI - http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics
NTFS Overview

NTFS Partitions - New Technology File System

Terms:
$MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, Root, $Boot, $BadClus, $Secure, $UpCase, $Extend, $Reparse, $ObjId, $UsnJrnl
$STANDARD_INFORMATION, $ATTRIBUTE_LIST, $FILE_NAME, $SECURITY_DESCRIPTOR, $DATA, Data Runs, B-Trees, $OBJECT_ID, $LOGGED_UTILITY_STREAM, $REPARSE_POINT, $INDEX_ROOT, $INDEX_ALLOCATION, $BITMAP, $VOLUME_NAME, $VOLUME_INFORMATION, $EA_INFORMATION, $EA, $Bitmap
Master File Table, Boot Sector, Record Attributes, Logical Cluster Number, Volume Cluster Number, File Cluster Number, Resident Attribute, Non-Resident Attribute, Multiple Data Streams, $EFS Encryption, Compressed, $INDX Records
Everything is a file . . . .
NTFS Partitions - New Technology File System
- "Everything is a file."
- NTFS stores information about itself and about files in files.
- Entire partition is available for data (files)
- Cluster 0 begins at start of partition
- Special files describing the NTFS file system:
  - have file names beginning with $
  - are not visible in Windows Explorer
  - referred to as metafiles
[Figure: NTFS partition with Cluster 0 at the start of the partition, followed by data]
NTFS Overview
Master File Table $MFT
- Location and attributes for all files on partition
Master File Table Mirror $MFTMirr
- Backup of first four MFT records
Boot Sector $BOOT
- BIOS Parameter Block (BPB)
- Always at Logical Volume Sector 0
- Location of Master File Table (MFT) and MFT Mirror
- Size of file entries in the MFT
- Size of sectors and clusters
[Figure: NTFS partition layout: $BOOT, $MFT, $MFTMirr, data]
Boot Sector $BOOT
[Figure: byte-offset layout of the boot sector fields, offsets 0 through 510]
MFT record size field:
- If positive: number of clusters in each MFT record
- If negative: number of bytes in each MFT record is 2 to the power of the magnitude (2^10 = 1024)
[Figure: NTFS partition layout: $BOOT, $MFT, $MFTMirr, data]
Master File Table $MFT
- Location and attributes for all files on partition
- Can grow in size as new entries are added
- Reserved zone set aside for growth: 50%, 25%, 12.5% of disk
- Zone is halved if rest of disk is filled
- MFT can become fragmented
[Figure: NTFS partition layout: $BOOT, MFT Zone holding $MFT, $MFT cont'd (fragmented), $MFTMirr, data]
Master File Table $MFT
- Location and attributes for all files on partition
- Each FILE record is usually 1024 bytes
- MFT Header - first 42 bytes
- Attributes - remaining bytes*
- Each attribute has
  - a header (16 bytes)
  - location and size of content (8 or 56 bytes)
  - and content (size varies) - details of attribute
*Can also contain "fix-up" data.
- "Resident": content is stored in this FILE record.
- "Non-Resident": content is stored at another location in the partition.
[Figure: MFT FILE record layout: MFT Header, then attributes each made of Attr Header, Loc/Size and Content (resident) or Loc/Size pointing to content elsewhere in the partition (non-resident), followed by unused space; partition layout with $BOOT, MFT Zone, $MFT, $MFT cont'd, $MFTMirr]
Virtual Cluster Number (VCN): cluster offset from file start
Logical File Cluster (LFC)
Logical Cluster Number (LCN): logical file system address
[Figure: LCN 48-50, LCN 90-93 and LCN 62-64 shown as the clusters of one file on the volume]
Storing Content - Data Runs (storing non-resident content)
- File content cannot always be stored in continuous blocks of clusters
- $DATA attribute header contains starting and ending VCN
- Data runs are stored as attribute content using LCNs

MyFile (VCN 0 through VCN 9):
Run  Start  Length
1    48     3
2    +42    4
3    -28    3
[Figure: MyFile's ten VCNs mapped onto the volume clusters covered by the three runs]
Storing Content - Sparse File Content
- NTFS saves disk space by not saving clusters that are all zeros

MyFile (VCN 0 through VCN 9; VCN 4, 5 and 6 contain all zeros):
Run  Start  Length
1    48     4
2    0      3
3    +4     3
[Figure: MyFile's VCNs mapped onto volume clusters; the all-zero clusters VCN 4-6 are not stored on disk]
Storing Content - Compressed File Content
- Clusters grouped into compression units
- Sparse clusters are removed after compression

MyFile (VCN 0 through VCN 9):
Run  Start  Length
1    48     2
2    0      2
3    +2     1
4    0      3
5    +1     2
This example uses a compression unit of 4. Default for NTFS is 16.
[Figure: MyFile's ten VCNs mapped onto the volume clusters covered by the five runs]
NTFS Overview - File System Metafiles
- $BOOT, $MFT, $MFTMirr
- Additional metafiles describe other parts of file system
Master File Table Record Layout
- FILE Header information
- Attributes
  - Resident - stored in MFT record
  - Non-Resident - stored as a file
- Additional Record Types - INDX, BAAD
Non-Resident Data Content
- Data Runs - run start is offset from start LCN of previous run
- Sparse Data - has starting offset of zero
- Compressed Data - stored similar to sparse data
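The data-run rules summarized above (run start relative to the previous run's start LCN, start 0 for a sparse run) applied to the three MyFile examples from the Storing Content slides, as an added Python example that is not part of the lecture; decode_run_list and its header-byte layout are added detail beyond what the slides show, and all inputs are constructed:

```python
from typing import Dict, List, Optional, Tuple

# (start, length): start is the LCN offset from the previous non-sparse run's
# start LCN (absolute for the first run); start == 0 marks a sparse run.
Run = Tuple[int, int]

def resolve_runs(runs: List[Run]) -> Dict[int, Optional[int]]:
    """Map each VCN of the file to its LCN, or to None for a sparse cluster."""
    mapping: Dict[int, Optional[int]] = {}
    vcn, prev_lcn = 0, None
    for idx, (start, length) in enumerate(runs):
        if start == 0:                       # sparse run: nothing stored on disk
            for _ in range(length):
                mapping[vcn] = None
                vcn += 1
            continue
        lcn = start if prev_lcn is None else prev_lcn + start
        if lcn < 0:
            raise ValueError(f"run {idx}: offset {start} resolves below LCN 0")
        for i in range(length):
            mapping[vcn] = lcn + i
            vcn += 1
        prev_lcn = lcn
    return mapping

def decode_run_list(raw: bytes) -> List[Run]:
    """Decode the on-disk run list (layout not shown on the slides): header byte
    low nibble = size of the length field, high nibble = size of the signed
    little-endian offset field (0 = sparse run); a 0x00 header ends the list."""
    runs: List[Run] = []
    pos = 0
    while pos < len(raw) and raw[pos] != 0:
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        off_bytes = raw[pos + len_size:pos + len_size + off_size]
        offset = int.from_bytes(off_bytes, "little", signed=True) if off_size else 0
        pos += len_size + off_size
        runs.append((offset, length))
    return runs

# Constructed inputs reproducing the three slide examples (MyFile, 10 clusters).
DATA_RUNS: List[Run] = [(48, 3), (42, 4), (-28, 3)]
SPARSE_RUNS: List[Run] = [(48, 4), (0, 3), (4, 3)]
COMPRESSED_RUNS: List[Run] = [(48, 2), (0, 2), (2, 1), (0, 3), (1, 2)]
# Constructed on-disk encoding of DATA_RUNS (0x11: 1-byte length, 1-byte offset).
DATA_RUNS_RAW = bytes.fromhex("11 03 30 11 04 2a 11 03 e4 00")
```

For a forensic check, compare the number of VCNs resolved with the cluster count implied by the $DATA header's starting and ending VCN; a mismatch means the run list is truncated or corrupt.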