1 cscd 496 computer forensics lecture 7 file systems – windows winter 2010
Post on 22-Dec-2015
1
CSCD 496 Computer Forensics
Lecture 7: File Systems – Windows
Winter 2010
2
Introduction
• “File systems are the road map to the disk”
  – They determine how data is stored on disk
  – They differ according to OS
• One reason for the standard advice to digital forensics experts: learn all you can about many OSs and file systems
• Today we look at the Windows OS in terms of its file systems
3
Topics
• Windows file systems
  – FAT, NTFS
  – Drive slack explained, with an example
  – Deleting files
4
Disk Drive Technology
• Brief review of disk drive technology
  – Read on your own
  – Wikipedia has some good refs
    • Hard drives: http://en.wikipedia.org/wiki/Hard_drive
    • Floppy disks: http://en.wikipedia.org/wiki/Floppy_disk
    • CD-ROM: http://en.wikipedia.org/wiki/CD_ROM
5
Hard Disk Drive
• A modern hard disk under a modern OS has:
  – A bunch of sectors, formed into a circle
  – A circle of predefined sectors is defined as a single track
  – A group of concentric circles (tracks) defines a single surface of a disk platter
  – Early hard disks had a single one-sided platter, while today's hard disks comprise several platters with tracks on both sides
  – Many heads to read/write the platters
6
Hard Disk Drive
7
File Systems
Operating system keeps track of data (documents, pictures, etc.) by placing it into a file.
To store and retrieve files: Disk has to be ________________.
What's the process of putting this structure on a disk?
8
Purpose of Formatting
• When you format a disk, the OS creates concentric recording bands, called tracks, around the circumference of the disk
• The formatting program (think ... Windows XP) subdivides each track into equal parts, called sectors
• Simple example: 3.5" floppy disk
  – 80 concentric tracks on a 3 ½ inch high-density diskette, and each track is divided into 18 sectors
  – Each sector = 512 bytes
  – So 80 tracks × 18 sectors × 2 sides × 512 bytes = 1,474,560 bytes = 1.4 MB
9
Hard Disk Details
• A hard disk has extremely smooth metal or glass plates called “platters”
• Each platter is divided into tracks and sectors by the format operation
• The number of tracks on a hard disk depends on the disk size and the manufacturer
10
Question
• Discussed so far: tracks, sectors, platters, heads
  – What's a cluster?
11
Clusters
• A cluster, also known as an allocation unit, consists of one or more sectors of storage space and represents the minimum amount of space that an operating system allocates when saving a file to disk
• The number of sectors per cluster depends on:
  – Type of disk (floppy disk, hard disk)
  – Version of the operating system
  – Size of the disk
• Every sector contains 512 bytes (NTFS does allow you to change this number)
• The number of clusters per disk is determined by the file system (FAT16, FAT32 or NTFS)
12
Comparing File Systems
Default cluster size by drive size (one sector = 512 bytes):

DRIVE SIZE          | FAT16 Cluster Size   | FAT32 Cluster Size  | NTFS Cluster Size
>32 GB (up to 2 TB) | Not Supported        | 32 KB (64 sectors)  | 64 KB (128 sectors)
16 to 32 GB         | Not Supported        | 16 KB (32 sectors)  | 32 KB (64 sectors)
8 to 16 GB          | Not Supported        | 8 KB (16 sectors)   | 16 KB (32 sectors)
4 to 8 GB           | Not Supported        | 4 KB (8 sectors)    | 8 KB (16 sectors)
2 to 4 GB           | 64 KB (128 sectors)  | 4 KB (8 sectors)    | 4 KB (8 sectors)
1024 MB to 2 GB     | 32 KB (64 sectors)   | 4 KB (8 sectors)    | 2 KB (4 sectors)
512 to 1023 MB      | 16 KB (32 sectors)   | 4 KB (8 sectors)    | 1 KB (2 sectors)
260 to 511 MB       | 8 KB (16 sectors)    | Not Supported       | 512 bytes (1 sector)
13
Sector~Cluster~File layout
14
Example - File size = 2 KB, Hard drive = 2 GB
• FAT16 – the file will use 1 cluster, which is 64 sectors, so 64 × 512 bytes per sector = 32 KB; 32 KB – 2 KB = 30 KB slack space
• FAT32 – the file will use 1 cluster, which is 8 sectors, so 8 × 512 bytes per sector = 4 KB; 4 KB – 2 KB = 2 KB slack space
• NTFS – the file will use 1 cluster, which is 4 sectors, so 4 × 512 bytes per sector = 2 KB; 2 KB – 2 KB = 0 slack space
15
Partitions
• Disks are broken into one or more partitions.
• Each partition can have its own file system (UFS, FAT, NTFS, …)
• Addresses in partitions are logical
  – A function of the operating system
  – Mapped to actual physical addresses on the disk
16
FAT File Systems
• FAT
  – Stands for File Allocation Table
  – File system designed to keep track of the allocation status of clusters on a hard drive
  – Developed in 1977 by Microsoft Corporation
  – Originally the file system on floppy disks
• Used prior to Win NT, 2000, Win XP
17
FAT File Systems
• Layout of the FAT16 file system:
  Boot Sector | More reserved (opt) | FAT #1 | FAT #2 | Root directory (FAT12/16 only) | Data sectors (rest of disk)
• The MBR is always there; it contains information about how the storage device is logically partitioned
• File Allocation Tables keep track of the allocation status of clusters, or logical groupings of sectors, on the disk drive
• To provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system
• FAT2 is typically a duplicate of FAT1
18
Root Directory and Data Area
• The Root Directory, or Root Folder, contains an entry for each file and directory in the file system
• Each entry includes the file name, starting cluster number, and file size
  – This information is changed whenever a file is created or subsequently modified
• The root directory has a fixed size of 512 entries on a hard disk; the size on a floppy disk varies
• The remaining space on the logical drive is the Data Area, where files are actually stored
19
Clusters
• Cluster size has an impact on performance and disk utilization
  – Larger cluster sizes result in more wasted space, because files are less likely to fill up an even number of clusters
  – Cluster size is specified in the Boot Record
    • Ranges from a single sector (512 bytes) to 64 sectors (32 KB)
• Sectors in a cluster are contiguous; each cluster is a contiguous block of space on disk – the optimal condition
20
Clusters and File Storage
• If contiguous clusters are not available
  – The second two clusters may be written elsewhere on the same disk, within the same cylinder or on a different cylinder, wherever the file system finds two sectors available
  – A file stored in this non-contiguous manner is considered to be fragmented
21
FAT File Organization
• The file allocation table contains the following types of information about each cluster on the volume (see example below for FAT16):
* Unused (0x0000)
* Cluster in use by a file
* Bad cluster (0xFFF7)
* Last cluster in a file (0xFFF8-0xFFFF)
• There is no organization to the FAT folder structure, and files are given the first available location on the volume
22
Example of File Allocation Table
– File1.txt is a file large enough to use three clusters. File2.txt is a fragmented file that also requires three clusters. File3.txt fits completely in one cluster
– In each case, the folder structure points to the first cluster of the file.
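The example below is added here and is not part of the lecture slides. It builds a small FAT16 table in its on-disk form (16-bit little-endian entries, using the 0x0000 / 0xFFF7 / 0xFFF8–0xFFFF meanings from the previous slide) and walks the cluster chains for the three files the slide describes, reporting which one is fragmented. The cluster numbers, the file names and the chains themselves are constructed sample data, and `walk_chain` stops with an error when a chain runs into a free or bad cluster, which is what a tool sees once a deletion has zeroed the chain.

```python
"""Walk FAT16 cluster chains from a constructed file allocation table.

Added example, not from the lecture slides. Each 16-bit little-endian entry
holds the next cluster number, 0x0000 for unused, 0xFFF7 for a bad cluster,
and 0xFFF8-0xFFFF for the last cluster of a file. All cluster numbers and
file names below are constructed sample data.
"""
import struct

FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8  # 0xFFF8..0xFFFF all mean "end of chain"


def build_fat16(entries):
    """Serialise a list of 16-bit entries into the on-disk little-endian form."""
    return struct.pack("<%dH" % len(entries), *entries)


def fat16_entry(fat, cluster):
    """Return the 16-bit entry for `cluster` (entry N lives at byte offset 2*N)."""
    return struct.unpack_from("<H", fat, 2 * cluster)[0]


def walk_chain(fat, start_cluster):
    """Follow a cluster chain from the directory entry's starting cluster.

    Returns the list of clusters that belong to the file. Stops on an
    end-of-chain marker; raises on a free entry, a bad cluster, or a loop,
    all of which indicate a damaged (or already zeroed) chain.
    """
    chain, seen, cluster = [], set(), start_cluster
    while True:
        if cluster in seen:
            raise ValueError("loop in cluster chain at %d" % cluster)
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat16_entry(fat, cluster)
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == FAT16_FREE:
            raise ValueError("chain from %d runs into a free cluster" % cluster)
        if nxt == FAT16_BAD:
            raise ValueError("chain from %d runs into a bad cluster" % cluster)
        cluster = nxt


def is_fragmented(chain):
    """A chain is contiguous only if every cluster is exactly the previous one + 1."""
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))


# Constructed FAT16 with 16 entries. Entries 0 and 1 are reserved in a real
# FAT; data clusters start at 2.
#   File1.txt: clusters 2 -> 3 -> 4 (contiguous, three clusters)
#   File2.txt: clusters 5 -> 7 -> 9 (fragmented, three clusters)
#   File3.txt: cluster 6 only
#   cluster 8 is marked bad, everything else is free
SAMPLE_FAT = build_fat16([
    0xFFF8, 0xFFFF,          # reserved entries 0 and 1
    0x0003, 0x0004, 0xFFFF,  # clusters 2, 3, 4: File1.txt
    0x0007,                  # cluster 5: File2.txt -> 7
    0xFFFF,                  # cluster 6: File3.txt (single cluster)
    0x0009,                  # cluster 7: File2.txt -> 9
    0xFFF7,                  # cluster 8: bad cluster
    0xFFFF,                  # cluster 9: File2.txt end of chain
    0, 0, 0, 0, 0, 0,        # clusters 10-15: free
])

# What the root directory would hold for these files: name -> starting cluster.
SAMPLE_DIRECTORY = {"File1.txt": 2, "File2.txt": 5, "File3.txt": 6}


def recover_layout(fat=SAMPLE_FAT, directory=SAMPLE_DIRECTORY):
    """Map each file name to (cluster chain, fragmented?)."""
    layout = {}
    for name, start in directory.items():
        chain = walk_chain(fat, start)
        layout[name] = (chain, is_fragmented(chain))
    return layout


if __name__ == "__main__":
    for name, (chain, frag) in recover_layout().items():
        print("%-10s clusters=%s fragmented=%s" % (name, chain, frag))
```

The directory only ever records the first cluster; everything after that comes from the FAT, which is why a zeroed chain (the next slides) leaves a recovery tool with nothing but the starting cluster and the file size to work from.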
23
FAT Versions
• FAT16
  – Supports disk partitions of maximum capacity up to 2 GB of data
  – It is called FAT16 because all entries are 16 bits
  – FAT16 can hold a max of 65,536 addressable units
  – Used for small and moderate-sized hard disk volumes
  – Actual capacity is 65,525 due to some reserved values
24
FAT File Systems
• FAT32
  – Used in Win 95, 98, ME, 2000, XP
  – Accesses up to 2 terabytes of storage
  – Since FAT32 uses smaller clusters (of 4 KB each), it uses hard drive space more efficiently
  – This is a 10 to 15% improvement over FAT16
  – In FAT32, the root folder is an ordinary cluster chain and can be located anywhere on the drive
25
FAT File Systems
• Originally developed for Floppy drives
• Is the FAT file system still in use today?
26
FAT File System Uses
• Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the medium of choice for storing and transferring data in consumer electronic devices
  – The majority of flash memory storage is formatted using the FAT file system
  – FAT is also frequently used in electronic devices with miniature hard drives
• USB thumb drives
• Digital cameras
• Digital camcorders
• Portable audio and video players
• Multifunction printers
• Electronic photo frames
• PDAs
27
File System Slack
• RAM Slack and File Slack
  – DOS, Windows and Windows NT-based computers store files in fixed-length blocks of data called clusters
  – Rarely do file sizes exactly match the size of one or multiple clusters
  – The storage space that exists from the end of the file to the end of the last cluster assigned to the file is called file slack
28
File System Slack
• File Slack
  – File slack is contained in unused sectors at the end of a cluster
  – Since a cluster is simply a group of contiguous sectors, a file that doesn’t fill an entire cluster will leave file slack space in unused sectors
29
File System Slack
• File slack potentially contains randomly selected bytes of data from computer memory
• This happens because Windows normally writes in 512-byte sectors
• If there is not enough data in the file to fill its last sector
  – DOS/Windows makes up the difference by padding the remaining space with data from the operating system's memory buffers
  – This randomly selected data from memory is called RAM slack because it comes from the memory of the computer
30
RAM Slack
• Definition
  – RAM slack is latent data used by the operating system to ‘pad’ the end of a file to completely fill its last sector
  – Hard drives write one complete sector at a time
  – They need the padding
31
RAM Slack
• RAM slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted
• Thus, if the computer has not been shut down for several days
  – Data stored in file slack can come from work sessions that occurred in the past
32
Slack Space Example
On this hard drive,
• There are 4096 bytes per cluster
  – How many sectors?
• There are 512 bytes per sector.
• Thus, there are 8 sectors per cluster. (4,096 ÷ 512 = 8)
33
Slack Space Example
In this file,
• The file is 2304 bytes
• Each of the first four sectors contains 512 bytes, but the file cannot fill a fifth
  (512 × 4 = 2048) and (2304 – 2048 = 256)
34
Slack Space Example
In this file,
• The remaining 256 bytes are filled with data from the system memory: RAM
  – In this illustration, the file is green; the RAM slack is blue
35
Slack Space Example
In this file,
• The remaining space in the cluster is called file slack
• In this illustration, file slack is red
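The following code is an added example, not from the lecture, that carries the slack arithmetic of slides 14 and 32–35 through in one place: it splits the unused tail of a file's last cluster into RAM slack (the rest of the last sector written) and file slack (the whole sectors never written), and it looks up the default cluster size from the "Comparing File Systems" table so the "2 KB file on a 2 GB drive" comparison can be reproduced for FAT16, FAT32 and NTFS. The table encoding, the drive sizes and the file sizes passed in are this example's own assumptions.

```python
"""Compute RAM slack and file slack for a file stored in fixed-size clusters.

Added example, not from the lecture slides. A file occupies whole clusters;
the unfilled tail of its last written sector is RAM slack, and the unused
whole sectors after it, up to the cluster boundary, are file slack. The
cluster-size table reproduces the lecture's comparison slide (upper bounds
in bytes; the ">32 GB" row is taken as up to 2 TB). Inputs are constructed.
"""
from collections import namedtuple

SECTOR = 512

Slack = namedtuple(
    "Slack", "sectors_per_cluster clusters_used ram_slack file_slack total_slack")


def slack_breakdown(file_size, cluster_size, sector_size=SECTOR):
    """Split the wasted space in a file's last cluster into RAM and file slack."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    spc = cluster_size // sector_size
    clusters_used = -(-file_size // cluster_size)   # ceiling division; 0 bytes -> 0 clusters
    allocated = clusters_used * cluster_size
    total_slack = allocated - file_size
    # Bytes left in the last partly written sector: padded from memory on DOS/Windows.
    ram_slack = (-file_size) % sector_size
    # Whole sectors of the cluster that were never written for this file.
    file_slack = total_slack - ram_slack
    return Slack(spc, clusters_used, ram_slack, file_slack, total_slack)


# (upper bound of drive size in bytes, FAT16, FAT32, NTFS) default cluster sizes
# from the comparison slide; None means "not supported".
MB, GB, TB = 1024 ** 2, 1024 ** 3, 1024 ** 4
CLUSTER_TABLE = [
    (511 * MB, 8 * 1024, None, 512),
    (1023 * MB, 16 * 1024, 4 * 1024, 1024),
    (2 * GB, 32 * 1024, 4 * 1024, 2 * 1024),
    (4 * GB, 64 * 1024, 4 * 1024, 4 * 1024),
    (8 * GB, None, 4 * 1024, 8 * 1024),
    (16 * GB, None, 8 * 1024, 16 * 1024),
    (32 * GB, None, 16 * 1024, 32 * 1024),
    (2 * TB, None, 32 * 1024, 64 * 1024),
]
FS_COLUMN = {"FAT16": 1, "FAT32": 2, "NTFS": 3}


def default_cluster_size(drive_size, fs):
    """Look up the slide's default cluster size for a drive of `drive_size` bytes."""
    for row in CLUSTER_TABLE:
        if drive_size <= row[0]:
            size = row[FS_COLUMN[fs]]
            if size is None:
                raise ValueError("%s does not support a %d-byte volume" % (fs, drive_size))
            return size
    raise ValueError("drive larger than the table covers")


def slack_for_drive(file_size, drive_size, fs):
    """Slack for a `file_size`-byte file on a `drive_size`-byte volume formatted with `fs`."""
    return slack_breakdown(file_size, default_cluster_size(drive_size, fs))


if __name__ == "__main__":
    # The "2 KB file on a 2 GB drive" comparison from the slides.
    for fs in ("FAT16", "FAT32", "NTFS"):
        print(fs, slack_for_drive(2 * 1024, 2 * GB, fs))
    # The 2304-byte file in a 4096-byte cluster from the slack illustration.
    print(slack_breakdown(2304, 4096))
```

The two slack regions are reported separately because, as the slides explain, only the RAM slack region is filled from memory; the file slack sectors hold whatever the previous occupant of that cluster left behind, which is why an examiner treats them as a different source of evidence.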
36
FAT File Systems
• Deleting FAT Files
• What happens when a file is deleted?
  – Windows Explorer or with Delete ...
  – Deletion by the OS results in a hex E5 in the first letter position of the file name in the directory entry
  – This instructs the OS that the file is no longer available and a new file can be written to the same cluster location
37
FAT File Systems
• Deleting FAT Files
  – Modification to the directory entry: marked as deleted
  – FAT cluster chain for the file set to zero
  – Data remains on the disk drive
  – Area on disk becomes unallocated disk space – free space
  – Most forensic tools recover any data still there
38
Data Recovery
• Recovering directory entries from FAT file systems
  – Look for entries that begin with sigma, 0xE5
  – The remainder of the directory entry information remains intact
39
Data Recovery
• Recovery tools look at the FAT to find the entry for the file
• The location of the starting cluster will still be in the directory
  – Not deleted or modified
  – The tool goes straight to that cluster and tries to recover the file, using the file size to determine the number of clusters to recover
• What do you think happens if a lot of time passes between file deletion and file recovery?
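As an added example (not part of the lecture), the code below does what slides 38 and 39 describe: it scans a directory's raw bytes for 8.3 entries whose first byte is 0xE5, reads the starting cluster and file size that survive the deletion, and works out how many clusters a recovery tool would need to read back. It uses the standard 32-byte FAT directory entry layout (name at offset 0, attributes at 11, first-cluster high word at 20 for FAT32, first-cluster low word at 26, size at 28). The directory contents are constructed sample data, not from any real volume.

```python
"""Find deleted 8.3 entries in a FAT directory and plan their recovery.

Added example, not from the lecture slides. A deleted entry keeps every
field except its first name byte, which the OS overwrites with 0xE5, so the
starting cluster and size are still readable. Sample directory is constructed.
"""
import struct

ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # standard 32-byte FAT directory entry
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DELETED = 0xE5
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F                   # long-file-name pieces carry no cluster/size


def make_entry(name, ext, first_cluster, size, attrs=0x20, deleted=False):
    """Build one directory entry; timestamps are left zero (constructed data)."""
    raw_name = name.upper().encode("ascii").ljust(8)
    if deleted:
        raw_name = bytes([DELETED]) + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, ext.upper().encode("ascii").ljust(3),
                       attrs, 0, 0, 0, 0, 0, first_cluster >> 16, 0, 0,
                       first_cluster & 0xFFFF, size)


def parse_entry(raw, fat32=False):
    """Unpack the fields a recovery tool needs; the high word is FAT32-only."""
    f = struct.unpack(ENTRY_FMT, raw)
    first_cluster = f[11] | ((f[8] << 16) if fat32 else 0)
    return {"raw_name": f[0], "ext": f[1], "attrs": f[2],
            "first_cluster": first_cluster, "size": f[12]}


def find_deleted_entries(directory, cluster_size, fat32=False):
    """Return a recovery plan for every 0xE5 entry found in `directory`."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if raw[0] != DELETED:
            continue                  # live entry, never-used slot, or other
        e = parse_entry(raw, fat32)
        if e["attrs"] == ATTR_LFN:
            continue
        base = e["raw_name"][1:].decode("ascii", "replace").rstrip()
        ext = e["ext"].decode("ascii", "replace").rstrip()
        e["name_guess"] = "?" + base + ("." + ext if ext else "")   # first letter is lost
        e["is_directory"] = bool(e["attrs"] & ATTR_DIRECTORY)
        # The FAT chain was zeroed, so the size is the only guide to how many
        # clusters to read starting at first_cluster (ceiling division).
        e["clusters_to_recover"] = -(-e["size"] // cluster_size) if e["size"] else 0
        e["entry_offset"] = off
        found.append(e)
    return found


# Constructed directory: two live files, one deleted file, an empty slot,
# and a deleted file sitting after the empty slot (still worth carving).
SAMPLE_DIRECTORY = (
    make_entry("FILE1", "TXT", first_cluster=2, size=12000)
    + make_entry("FILE2", "TXT", first_cluster=5, size=9000)
    + make_entry("MEMO", "DOC", first_cluster=6, size=2304, deleted=True)
    + bytes(ENTRY_SIZE)
    + make_entry("OLD", "LOG", first_cluster=9, size=5000, deleted=True)
)


if __name__ == "__main__":
    for e in find_deleted_entries(SAMPLE_DIRECTORY, cluster_size=4096):
        print(e["name_guess"], "start cluster", e["first_cluster"],
              "size", e["size"], "clusters to read", e["clusters_to_recover"])
```

The scan deliberately does not stop at a 0x00 (never used) slot, because entries beyond it may still hold deleted records; and the cluster count is only a plan, since any of those clusters may already have been reallocated to a newer file, which is the answer to the slide's closing question.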
40
NTFS File System
• New Technology File System (NTFS)
  – Created when Microsoft created Win NT
  – NTFS is the primary file system in Windows XP
    • An improvement over the FAT FS
    • Stores more information about files: owner, date, time, plus other file attributes
  – The first data on the disk is the Partition Boot Sector (PBR)
    • Starts at sector [0]
    • When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and bootstrap code
41
NTFS File System
• What's in a Boot Sector Record?
  – Disk information
    • Sectors per cluster
    • Bytes per sector
    • Number of heads
    • Total sectors, volume serial number, checksum
  – Master File Table (MFT) information
    • Logical Cluster Number for the file $MFT and its mirror
    • Clusters per File Record Segment
    • Clusters per Index Block
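The following parser is an added example, not from the lecture, showing where the fields listed above sit in an NTFS boot sector and how an examiner turns them into byte offsets. The offsets follow the documented NTFS $Boot layout (bytes per sector at 0x0B, sectors per cluster at 0x0D, sectors per track at 0x18, heads at 0x1A, total sectors at 0x28, $MFT and $MFTMirr logical cluster numbers at 0x30 and 0x38, clusters per file record segment at 0x40, clusters per index block at 0x44, volume serial at 0x48, checksum at 0x50, and the 0x55AA signature at 0x1FE). The 512-byte sector the example parses is constructed with plausible values; it is not an image of any real volume.

```python
"""Parse the NTFS partition boot sector fields the lecture lists.

Added example, not from the lecture slides. The sample sector below is
constructed; the field offsets are those of the NTFS $Boot record.
"""
import struct

SECTOR_SIZE = 512


def _size_from_clusters_field(value, cluster_bytes):
    """'Clusters per ...' bytes are signed: a negative n means 2**|n| bytes."""
    return 2 ** (-value) if value < 0 else value * cluster_bytes


def parse_ntfs_boot_sector(sector):
    """Return a dict of the boot-sector fields, with derived byte offsets."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    if struct.unpack_from("<H", sector, 0x1FE)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    spt, heads = struct.unpack_from("<HH", sector, 0x18)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    cpfrs = struct.unpack_from("<b", sector, 0x40)[0]
    cpib = struct.unpack_from("<b", sector, 0x44)[0]
    serial, checksum = struct.unpack_from("<QI", sector, 0x48)
    cluster_bytes = bps * spc
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_bytes": cluster_bytes,
        "sectors_per_track": spt,
        "heads": heads,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bps,
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster_bytes,        # where $MFT starts
        "mftmirr_lcn": mftmirr_lcn,
        "mftmirr_byte_offset": mftmirr_lcn * cluster_bytes,
        "file_record_bytes": _size_from_clusters_field(cpfrs, cluster_bytes),
        "index_block_bytes": _size_from_clusters_field(cpib, cluster_bytes),
        "volume_serial": serial,
        "checksum": checksum,
    }


def build_sample_boot_sector():
    """Constructed $Boot: 4 KB clusters, ~1 GiB volume, $MFT at cluster 4."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"                     # jump instruction
    sector[3:11] = b"NTFS    "                        # OEM ID
    struct.pack_into("<HB", sector, 0x0B, 512, 8)     # bytes/sector, sectors/cluster
    sector[0x15] = 0xF8                               # media descriptor: fixed disk
    struct.pack_into("<HH", sector, 0x18, 63, 255)    # sectors/track, heads
    struct.pack_into("<I", sector, 0x1C, 2048)        # hidden sectors
    struct.pack_into("<I", sector, 0x24, 0x80008000)
    struct.pack_into("<QQQ", sector, 0x28, 2097151, 4, 131071)   # total, $MFT, $MFTMirr
    struct.pack_into("<b", sector, 0x40, -10)         # 2**10 = 1024-byte file records
    struct.pack_into("<b", sector, 0x44, 1)           # one cluster per index block
    struct.pack_into("<QI", sector, 0x48, 0x1234567890ABCDEF, 0)  # serial, checksum
    struct.pack_into("<H", sector, 0x1FE, 0xAA55)     # boot signature
    return bytes(sector)


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print("%-20s %s" % (key, value))
```

The derived `mft_byte_offset` and `mftmirr_byte_offset` values are the ones an examiner needs first: the next slides explain that the first MFT record describes the MFT itself, and that the mirror location recorded here is what NTFS falls back to when that record is corrupted.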
42
NTFS File System
• After the Partition Boot Record
  – The Master File Table (MFT) is the first file on the disk
  – The MFT is created at the same time the disk partition is created; it can, however, be moved
    • Consumes about 12.5% of the disk when created
  – The MFT expands to 50% of the disk as data is added
  – One significant benefit of NTFS over FAT is that ... less file slack space
43
NTFS Sizes
44
NTFS File System
• NTFS System Files
  – In the MFT, the first 15 records are reserved for system files
  – The first record of this table describes the master file table itself, followed by an MFT mirror record
  – If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file
  – The locations of the data segments for both the MFT and the MFT mirror file are recorded in the boot sector
45
NTFS MFT Structure
46
NTFS MFT Structure
• The third record of the MFT is the log file, used for file recovery
  – The seventeenth and following records of the master file table are for each file and directory on the volume
47
NTFS File System
• NTFS Files
  – The master file table allocates a certain amount of space for each file record, min = 1024, max = 4096
  – The attributes of a file are written to its record in the MFT
  – Small files and directories (typically 1500 bytes or smaller) can be entirely contained within the master file table record
  – Each file (or folder) is a set of file attributes
    • The file's name, its security information, and its data are all file attributes
  – Each attribute is identified by an attribute type code and, optionally, an attribute name
48
NTFS File System
• File Attributes
  – Each file (or folder) is a set of file attributes
  – Elements: the file's name, its security information, and its data are all file attributes
  – Each attribute is identified by an attribute type code and, optionally, an attribute name
  – Below is the structure of a record for a small file
    • All data for the file fits within the MFT record
49
File Attributes
• Standard Information
  – Includes information such as timestamps and link count
• Attribute List
  – Lists the location of all attribute records that do not fit in the MFT record
• File Name
• Security Descriptor
  – Describes who owns the file and who can access it
50
File Attributes
• Data
  – Contains the file data
  – NTFS allows multiple data attributes per file
• Other attributes
  – Related to directories, bitmaps and some logging activities, plus some historic attributes for the HPFS file system
51
NTFS File Systems
• Deleting Files
  – File is deleted with Windows Explorer
  – The OS renames the deleted file and moves it to the Recycle Bin
  – Can also use the delete command in a DOS window
    • This deletes the file the same as in a FAT file system
  – Windows Explorer can restore a deleted file from the Recycle Bin
52
NTFS File Systems
• Restore a file
  – 1. When moved to the Recycle Bin
    • Windows changes the file name and moves it to a subdirectory with a unique identity
  – 2. Stores information about the original path and file name in the INFO2 control file for the Recycle Bin
    • Path is C:\Recycler
53
References
– Nelson, Bill et al. “Guide to Computer Forensics Investigations”, Chapter 7
– Wikipedia – NTFS: http://en.wikipedia.org/wiki/NTFS
– NTFS.com: http://www.ntfs.com/ntfs_basics.htm
– Data Recovery e-Book: http://www.easeus.com/data-recovery-ebook/index.htm
54
Finish
– Next time
  • More on Windows
– Reading: still Chapter 7
– New Assignment – Number Two!!!!