FileSystemForensics

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

NTFSOverview

NTFSOverview

NTFS PartitionsNew Technology File System

$MFT

$MFTMirr

$Logfile$Volume

$AttrDef

Root

$Boot

$BadClus

$Secure$UpCase

$Extend

$Reparse

$ObjId

$UsrJrnl

$STANDARD_INFORMATION

$ATTRIBUTE_LIST

$FILE_NAME

$SECURITY_DESCRIPTOR

$DATA

Data Runs

B-Trees

$OBJECT_ID

$LOGGED_UTILITY_STREAM

$REPARSE_POINT

$INDEX_ROOT

$INDEX_ALLOCATION

$BITMAP

$VOLUME_NAME

$VOLUME_INFORMATION

$EA_INFORMATION

$EA

$Bitmap

Master File Table

Boot Sector

Record Attributes

Logical Cluster Number

Volume Cluster Number

File Cluster Number

Resident Attribute

Non-Resident Attribute

Multiple Data Streams

$EFSEncryption

Compressed

$INDX Records Everything is a file . . . .

Everything is a file . . . .

NTFS PartitionsNew Technology File System- “Everything is a file.”- NTFS stores information about itself and files in files.- Entire partition is available for data (files)

- Cluster 0 begins at start of partition

- Special files describing the NTFS File System - have file names beginning with $- are not visible in Windows Explorer- referred to as metafiles

Data

NTFS

Par

titi

on

Cluster 0

NTFS OverviewMaster File Table $MFT- Location and attributes for all files on partition

Master File Table Mirror $MFTMirr- Backup of first four MFT records

Boot Sector $BOOT- BIOS Parameter Block (BPB) - Always at Logical Volume Sector 0

- Location of Master File Table (MFT) and MFT Mirror- Size of file entries in the MFT- Size of sectors and clusters

Data

$BOOT

$MFT

$MFTMirr

NTFS

Par

titi

on

Boot Sector$BOOT

Data

$BOOT

$MFT

00031113141619212224262832364048566465686972727280

510

If positive:number of clusters in each MFT record

If negativenumber of bytes in each MFT record (210)

$MFTMirr

NTFS

Par

titi

on

Boot Sector Master File TableMaster File Table $MFT- Location and attributes for all files on partition- Can grow in size as new entries added- Reserved zone set aside for growth- 50%, 25%, 12.5% of disk- Zone is halved if rest of disk is filled- MFT can become fragmented

Data

$BOOT

MFT Zone

$MFT$MFT

$MFTMirr

$MFT cont’d

NTFS

Par

titi

on

Master File Table

Master File TableMaster File Table $MFT- Location and attributes for all files on partition- Each FILE record is usually 1024 bytes- MFT Header - first 42 bytes

- Attributes - remaining bytes*- Each attribute has

- a header (16 bytes)

- location and size of content (8 or 56 bytes)

- and content (size varies) - details of attributeData

$BOOT

MFT Zone

$MFT$MFT

$MFTMirr

$MFT cont’d

NTFS

Par

titi

on

*Can also contain “fix-up” data.

Content is stored in this FILE record.

“Resident”

Content is stored at another location in

partition. “Non-Resident”

Content

Content

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

Virtual Cluster Number (VCN)

Cluster offset from file startLogical File Cluster (LFC)

Logical Cluster Number (LCN)

Logical File System Address LCN 90 LCN 91 LCN 92

LCN 62 LCN 63 LCN 64

LCN 48 LCN 49 LCN 50

LCN 93

Storing ContentData Runs (storing non-resident content)- File content cannot always be stored in

continuous blocks of clusters- $DATA attribute header contains starting and ending VCN

- Data runs are stored as attribute content using LCN’s

MyFile

VCN 0 VCN 1 VCN 2 VCN 3 VCN 4 VCN 5 VCN 7 VCN 8 VCN 9

Run Start Length1 48 3

2 +42 4

3 -28 3VCN 6

LCN 48 LCN 49 LCN 50 LCN 51 LCN 52 LCN 52 LCN 54 LCN 55 LCN 56 LCN 57

Storing ContentSparse File Content- NTFS saves disk space by not saving clusters that are all zeros

MyFile

VCN 0 VCN 1 VCN 2 VCN 3 VCN 400000

VCN 500000

VCN 600000 VCN 7 VCN 8 VCN 9

Run Start Length1 48 4

2 0 3

3 +4 3

These clusters contain all

zeros.LCN 48 LCN 49 LCN 50 LCN 51 LCN 52 LCN 52 LCN 54 LCN 55 LCN 56 LCN 57

Storing ContentCompressed File Content- Cluster grouped into compression units

- Sparse clusters are removed after compression

MyFile

VCN 0 VCN 1 VCN 2 VCN 3 VCN 40000

VCN 50000

VCN 60000 VCN 7 VCN 8 VCN 9

Run Start Length1 48 2

2 0 2

3 +2 1

4 0 3

5 +1 2

This example uses a compression unit of

4

Default for NTFS is 16

NTFS OverviewFile System Metafiles- $BOOT, $MFT, $MFTMirr- Additional metafiles describe other

parts of file system

Master File Table Record Layout- FILE Header information

- Attributes- Resident - stored in MFT record- Non-Resident - stored as a file

- Additional Record Types - INDX, BAAD

Non-Resident Data Content- Data Runs- Run start is offset from start LCN of

previous run

- Sparse Data- Has starting offset of zero

- Compressed Data- Stored similar to sparse data

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

NTFS OverviewNTFS Overview