FileSystemForensics

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

NTFS Master File Table

Attributes

NTFS Master File Table

Attributes

Master File TableMaster File Table $MFT- Location and attributes for all files on partition- Including other metafiles

- Each FILE record is usually 1024 bytes- MFT Header - first 42 bytes- Attributes - remaining bytes- Each attribute has - a header (16 bytes)

- location and size of content (8 or 56 bytes)- and content (size varies) - details of attribute

Data

$BOOT

$MFT

$MFTMirr

NTFS

Par

titi

on

Content

Content

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

MFT File AttributesHex Dec Attribute Description

0x10 16 $STANDARD_INFORMATION Timestamps, link counts, file type flags, owner

0x20 32 $ATTRIBUTE_LIST Lists the location of all attribute records that do not fit in this MFT record

0x30 48 $FILE_NAME File name (repeatable)

0x40 60 $OBJECT_ID Unique Identifier for the file (not common)

0x50 80 $SECURITY_DESCRIPTOR Who owns the file and who can access it

0x80 128 $DATA Contains file data (repeatable)

MFT File RecordMFT Header AttributeAttribute Attribute Attribute Unused

SpaceContentContentAttrHeader

AttrHeader

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

MFT File Attributes MFT File AttributesHex Dec Attribute Description0x60 96 $VOLUME_NAME Used in $VOLUME metafile. Volume label

0x70 112 $VOLUME_INFORMATION Used in $VOLUME metafile. NTFS version & dirty flag

0x90 144 $INDEX_ROOT INDX Record - used to implement folders and indexes

0xA0 160 $INDEX_ALLOCATION INDX Record - used to implement folders and indexes

0xB0 176 $BITMAP Directory content mapping

0xC0 192 $REPARSE_POINT Used for volume mount points and shortcuts

0xD0 208 $EA_INFORMATION OS/2 compatibility extended attributes

0xE0 224 $EA OS/2 compatibility extended attributes

0x100 256 $EFS Logged utility data stream (used for EFS/encryption)

MFT File RecordMFT Header AttributeAttribute Attribute Attribute Unused

SpaceContentContentAttrHeader

AttrHeader

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContent

Loc/

Siz

Loc/

Siz

Loc/

Siz

Loc/

SizAttr

HeaderAttr

HeaderAttr

HeaderAttr

Header

NTFS Attribute Header

Hex Dec Bytes Description0x00 0 4 Attribute Type Identifier

0x04 4 4 Length of Attribute (includes header)

0x08 8 1 Non-Resident Flag

0x09 9 1 Length of Name (only for ADS)

0x0A 10 2 Offset to Name (only for ADS)

0x0C 12 2 Flags(Compressed, Encrypted, Sparse)

0x1E 14 2 Attribute Identifier

NTFS Attribute Header00 Content is Resident01 Content is Non-Resident

$STANDARD_INFORMATIONAlternate Data Stream Name

Size Length and OffsetAttribute Flags 0x0001 Compressed0x4000 Encrypted0x8000 Sparse

Attribute ID(Counter)

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContent

Loc/

Siz

Loc/

Siz

Loc/

Siz

Loc/

SizAttr

HeaderAttr

HeaderAttr

HeaderAttr

Header

NTFS Attribute Header

Hex Dec Bytes Description0x00 0 4 Attribute Type Identifier

0x04 4 4 Length of Attribute (includes header)

0x08 8 1 Non-Resident Flag

0x09 9 1 Length of Name (only for ADS)

0x0A 10 2 Offset to Name (only for ADS)

0x0C 12 2 Flags(Compressed, Encrypted, Sparse)

0x1E 14 2 Attribute Identifier

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

HeaderAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

Loc/

Siz

Loc/

Siz

Attribute Location & SizeResident AttributeResident AttributeResident AttributeResident Attribute

Hex Dec Bytes Description0x10 16 4 Length of Attribute Content

0x14 20 2 Offset to Attribute Content

0x16 22 1 Indexed

0x17 23 1 Padding

Attribute Location & Size $STANDARD_ATTRIBUTE (0x10)$STANDARD_ATTRIBUTE (0x10)Hex Dec Bytes Description0x00 0 8 Creation Data and Time (UTC)0x08 8 8 Last Modified Date and Time (UTC)0x10 16 8 $MFT Modified Date and Time (UTC)0x18 24 8 Last Accessed Date and Time (UTC)0x20 32 4 Flags0x24 36 4 Maximum Number of Versions0x28 40 4 Version Number0x2C 44 4 Class ID0x30 48 4 Owner ID0x34 52 4 Security ID0x38 56 4 Quota Charged0x40 64 8 Update Sequence Number

Hex Description0x0001 Read Only

0x0002 Hidden

0x0004 System File

0x0020 Archive

0x0040 Device File

0x0100 Temporary File

0x0200 Sparse

0x0400 Reparse Point

0x0800 Compressed

0x1000 Offline

0x2000 Not Indexed

0x4000 Encrypted

0x8000 Virtual

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

Hex Description0x0001 Read Only

0x0002 Hidden

0x0004 System File

0x0020 Archive

0x0040 Device File

0x0100 Temporary File

0x0200 Sparse

0x0400 Reparse Point

0x0800 Compressed

0x1000 Offline

0x2000 Not Indexed

0x4000 Encrypted

0x8000 Virtual

$STANDARD_ATTRIBUTE (0x10)$STANDARD_ATTRIBUTE (0x10)Hex Dec Bytes Description0x00 0 8 Creation Data and Time (UTC)0x08 8 8 Last Modified Date and Time (UTC)0x10 16 8 $MFT Modified Date and Time (UTC)0x18 24 8 Last Accessed Date and Time (UTC)0x20 32 4 Flags0x24 36 4 Maximum Number of Versions0x28 40 4 Version Number0x2C 44 4 Class ID0x30 48 4 Owner ID0x34 52 4 Security ID0x38 56 4 Quota Charged0x40 64 8 Update Sequence Number

Hex Description0x0001 Read Only

0x0002 Hidden

0x0004 System File

0x0020 Archive

0x0040 Device File

0x0100 Temporary File

0x0200 Sparse

0x0400 Reparse Point

0x0800 Compressed

0x1000 Offline

0x2000 Not Indexed

0x4000 Encrypted

0x8000 Virtual

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

$FILE_NAME (0x30)$FILE_NAME (0x30)Hex Dec Bytes Description0x00 0 6 $MFT Record Number of Parent Directory0x06 6 2 Sequence Number of the Parent Directory0x08 8 8 Creation Data and Time (UTC)0x10 16 8 Last Modified Date and Time (UTC)0x18 24 8 $MFT Modified Date and Time (UTC)0x20 32 8 Last Accessed Date and Time (UTC)0x28 40 8 Allocated Size of the Index0x30 48 8 Actual Size of the Index0x38 56 4 Flags0x3C 60 4 Reparse Value0x40 64 1 Filename Length in Characters0x41 65 1 Filename Namespace (0=POSIX 1=Win32 2=DOS)

Hex Description0x0001 Read Only

0x0002 Hidden

0x0004 System File

0x0020 Archive

0x0040 Device File

0x0100 Temporary File

0x0200 Sparse

0x0400 Reparse Point

0x0800 Compressed

0x1000 Offline

0x2000 Not Indexed

0x4000 Encrypted

0x8000 Virtual

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

MAINQU~2.QUEMainQueueOnline1.que

$FILE_NAME (0x30)$FILE_NAME (0x30)Hex Dec Bytes Description0x00 0 6 $MFT Record Number of Parent Directory0x06 6 2 Sequence Number of the Parent Directory0x08 8 8 Creation Data and Time (UTC)0x10 16 8 Last Modified Date and Time (UTC)0x18 24 8 $MFT Modified Date and Time (UTC)0x20 32 8 Last Accessed Date and Time (UTC)0x28 40 8 Allocated Size of the Index0x30 48 8 Actual Size of the Index0x38 56 4 Flags0x3C 60 4 Reparse Value0x40 64 1 Filename Length in Characters0x41 65 1 Filename Namespace

Hex Description0x0001 Read Only

0x0002 Hidden

0x0004 System File

0x0020 Archive

0x0040 Device File

0x0100 Temporary File

0x0200 Sparse

0x0400 Reparse Point

0x0800 Compressed

0x1000 Offline

0x2000 Not Indexed

0x4000 Encrypted

0x8000 Virtual

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

NTFSMaster File Table

Attributes

NTFSMaster File Table

Attributes