ntfs file system - villanova universitydprice/fall2014/slides/10_ntfs.pdf · ntfs file system a...

Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014

NTFS File System A Forensic Perspective

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

• NTFS – Proprietary file system developed by Microsoft – Designed for reliability, security and large storage

devices. – Encryption – File / Folder Permissions – Every file and folder in the volume is treated as a file. – Date and time stamps are recorded in UTC. – Date and time resolution is from 12:00 A.M. January 1,

1601

New Technologies File System


New Technologies File System

• File Size • 16 EB (Technically) • 16 TB (Real World)

• Volume Size: • 16 EB (Technically) • 16 TB (Real World)*

• Files Per Volume: • 4,294,967,295


• $MFT – contains a record for each file and folder on the NTFS volume.

• $MFTMirr – backup of the 1st four $Mft records. • $LogFile – journal log used by the file system to recover from a

failure. • $Volume – contains the volume label and volume version. • $AttrDef – contains attribute names, numbers and descriptions. • . – root directory. • $Bitmap – keeps track of the allocation status for each cluster on the

volume. • $Boot – contains information needed to mount the volume.

NTFS System Files


• $BadClus – keeps track of all clusters identified as bad and not longer usable.

• $Secure – contains unique security descriptors for all files within the volume.

• $Upcase – converts lowercase characters to matching unicode uppercase characters

• $Extend – reserved for optional extensions (i.e. quotas, reparse, point data and object identifiers.

NTFS System Files


NTFS Organization

NTFS Boot Sector

Master File Table ($MFT)

File System Data

Master File Table Copy ($MFTMirr)


NTFS Boot Record


Range Description Example

00 - 02 Jump Instruction (ëR)03 - 10 OEM ID (NTFS) NTFS

11 - 12 Bytes / Sector 0x0200 = 512

13 - 13 Sectors / Cluster 0x08 = 8

40 - 47 Total Number of Sectors 0x1fe7ff = 2,091,007

48 - 55 $MFT starting logical cluster 0x015455 = 87,125

72 - 79 Volume Serial Number A1 05 13 06 25 13 06 56

84 - 509 Bootstrap Code

510 - 511 End of Sector Marker 55 AA

Parsing NTFS Boot Record


Master File Table

• MFT is the heart of the file system as it contains information about every file and folder on the volume.

• Microsoft reserves the first 16 MFT entries for file system files.

• Starts small and expands as needed. • Uses a “first-available” algorithm for new files / folders. • MFT entries are not deleted after they have been created. • MFT entries are 1,024 bytes in size. • Attributes can be resident or non-resident.


MFT Entry Structure

MFT Entry

Attribute Headers

Attribute ContentAttribute Content Attribute Content

MFT Entry Header


$MFT Basic MFT Entry



00-03 Signature “FILE”08-15 $LogFile Sequence Number (LSN) 0x40B05F (4239455)

16-17 Sequence Value 08

18-19 Link Count 02

20-21 Offset to 1 0x0038 (56)

22-23 Flags 01

$Parsing MFT Entry


$STANDARD_INFORMATION


00-03 Attribute Type Identifier 0x10 = $STANDARD_INFORMATION

04-07 Length of Attribute (bytes) 0x60 = 96

08-08 Non-Resident Flag 0x00 = Resident

16-19 Size of Content (bytes) 0x48 = 36

20-21 Offset to Content 0x18 = 24



00-07 Creation Time 0x186982A54BF9CE01

08-15 Modified Time 0x8EBAA37A4BF9CE01

16-23 MFT Record Modified 0x186982A54BF9CE01

24-31 Last Accessed Date 0x186982A54BF9CE01

32-35 Flags 0x20 = Archive

$STANDARD_INFORMATION


Date and Time


$FILE_NAME


00-03 Attribute Type Identifier 0x30 = $FILE_NAME

04-07 Length of Attribute (bytes) 0x78 = 120


16-19 Size of Content (bytes) 0x5A = 90



$FILE_NAME


00-07 Parent Directory Refers to the MFT Entry # of Parent08-15 Creation Time 0x186982A54BF9CE01

16-23 Modified Time 0x186982A54BF9CE01

24-31 MFT Record Modified 0x186982A54BF9CE01

32-39 Last Accessed Date 0x186982A54BF9CE01

56-59 Flags 0x20 = Archive


$FILE_NAME


64-64 Length of Name 0x0C = 1265-65 NameSpace 02 = DOS Name

66+ Name MFT_RE~1.txt


$FILE_NAME – (2nd)

• Notice this Namespace is 0x01 (Win32 Name Scheme) • File Name = MFT_Record_Entry_Test.txt


$DATA: Resident Example


00-03 Attribute Type Identifier 0x80 = $DATA

04-07 Length of Attribute 0x30 = 48


16-19 Size of Content 0x18 = 24



Example Text File


$DATA: Non-Resident Example




00 - 03 Attribute Type Identifier 0x80 = $DATA04 - 07 Length of Attribute 0x30 = 48

08 - 08 Non-Resident Flag 0x01 = Non-Resident

32 - 33 Offset of the Runlist 0x40 = 64

64 - 64 Size of Following Fields 0x31

65 – 65* Run Length (clusters) 0x2E = 46

66 – 68* Cluster Offset 0x014D30 = 85,296

So What Does This Mean?

* The range will vary as determined by the hex value in byte 64.


$DATA: Non-Resident Example• Examining the volume boot record (see slide 7)

– 8 sectors / cluster – 512 bytes / sector

• Examining the MFT entry – Filename = pf.jpg – Created on 12/16/2013 @ 22:50:45 EST – Modified on 03/26/2013 @ 20:51:58 EST – Data is non-resident – Starting cluster is 85,296 – Extends for 46 clusters

• Conversions: – Cluster 85,296 = Sector 682,358 – Sector 682,358 = Byte 349,372,416

ntfs file system - villanova universitydprice/fall2014/slides/10_ntfs.pdf · ntfs file system a...

Documents