Master File Table File NTFS $MFT System Master File Table...

Date posted: 23-May-2020

  • File System Forensics

    THINK BIG WE DO

    U R I http://www.forensics.cs.uri.edu

    Digital Forensics Center, Department of Computer Science and Statistics

    NTFS Master File Table Layout

    Master File Table

    $MFT holds the location and the attributes of every file on the partition, including the other metafiles (the MFT describes itself: record 0 is $MFT).

    [Diagram: NTFS partition layout showing the $BOOT, $MFT and $MFTMirr metafiles and the data area]

    NTFS Metafiles

    The first records of the MFT describe the file system itself. Their record numbers and names are fixed:

    Record   Metafile    Description
    0        $MFT        Self-reference to the Master File Table
    1        $MFTMirr    Backup of the first four MFT FILE records
    2        $LogFile    Journal that helps preserve file system consistency after a system error
    3        $Volume     Volume information (name, version number, etc.)
    4        $AttrDef    Definitions of the supported file attributes
    5        . (dot)     Root directory of the volume
    6        $Bitmap     Bit map of used/free clusters on the volume
    7        $Boot       Boot sector of the volume (not encrypted on a BitLocker volume)
    8        $BadClus    List of bad clusters on the volume
    9        $Secure     Security descriptors for all files
    10       $UpCase     Table of Unicode uppercase characters for sorting
    11       $Extend     Directory for optional extensions, which holds:
                         $Quota    Disk space allocated to and used by each user
                         $UsnJrnl  Change journal (changes made to files)
                         $Reparse  Shortcuts, mount points and junctions (reparse points)
                         $ObjId    Object IDs, an alternate way to reference a file
    12-14                Reserved for future use (not used or empty)
    15-23                Extension records for the MFT if it is heavily fragmented
    24+                  Records for regular files

    Master File Table: FILE records

    - $MFT holds the location and attributes of every file on the partition, including the other metafiles
    - Each FILE record is usually 1024 bytes
    - MFT record header: the first 42 bytes (48 bytes on NTFS 3.1 and later, which add the record's own MFT number at offset 0x2C)
    - Attributes: the remaining bytes, after the fix-up array


    [Diagram: MFT file record: MFT Header | Attribute | Attribute | Attribute | Attribute | Unused Space]

    MFT Record Header


    Hex   Dec  Bytes  Description
    0x00  0    4      Signature [46 49 4C 45] "FILE"
    0x04  4    2      Offset to fix-up array
    0x06  6    2      Number of entries in fix-up array (the update sequence number plus one entry per sector)
    0x08  8    8      $LogFile sequence number (LSN)
    0x10  16   2      Incremental sequence value (incremented each time the record is reused; the high 16 bits of a file reference)
    0x12  18   2      Hard link count
    0x14  20   2      Offset to start of attributes
    0x16  22   2      Flags (0x0001 in-use, 0x0002 directory)
    0x18  24   4      Used size of MFT entry
    0x1C  28   4      Allocated size of MFT entry
    0x20  32   8      File reference to base record (0 if this is the base record)
    0x28  40   2      Next attribute ID
    0x2A  42   2      NTFS 3.1 and later: padding (earlier versions: the fix-up array and attributes begin here, bytes 42-1023)
    0x2C  44   4      NTFS 3.1 and later: this record's own MFT record number
    0x30  48   ...    NTFS 3.1 and later: fix-up array, then the attributes (at the offset given at 0x14) up to byte 1023

    MFT Record Header

    Other possible signatures (the same fix-up scheme applies to all three):

    46 49 4C 45  "FILE"  MFT record
    49 4E 44 58  "INDX"  index record (directory index allocation block)
    42 41 41 44  "BAAD"  record whose fix-up check failed (torn write detected and the record marked bad)

    Fix-Up Data

    Every multi-sector structure (FILE, INDX) carries a fix-up array. Before the record is written, the last two bytes of each 512-byte sector are replaced with the update sequence number (USN) and the original two bytes are saved in the array that follows the header. A reader must check that every sector ends with the USN (a mismatch means a torn write or corruption) and put the saved bytes back before parsing; otherwise two bytes of attribute data in every sector are wrong.



    MFT Record Header: annotated example

    Fields of the example record, in header order (the hex dump on the slide is not reproduced in this transcript):

    - Logfile Sequence Number
    - Incremental Sequence Value (use count)
    - Hard Link Count
    - Offset to First Attribute
    - Flags, read as the two bytes at 0x16: 00 00 deleted file; 01 00 existing (in-use) file; 02 00 deleted directory; 03 00 existing (in-use) directory
    - Number of bytes used in this record
    - Number of bytes allocated for this record
    - Reference to base MFT record: only used if the file's attributes could not fit into a single record; it is zero here, so this is the only MFT record for this file
    - Next Attribute ID: the example record should have four attributes
    - MFT Record ID (the record's own number)


    Master File Table: attribute structure

    - $MFT holds the location and attributes of every file on the partition, including the other metafiles
    - Each FILE record is usually 1024 bytes
    - MFT record header: the first 42 bytes (48 on NTFS 3.1 and later); the fix-up array and the attributes occupy the remaining bytes
    - Each attribute has
      - a 16-byte common header (type, total length, resident flag, name length/offset, flags, attribute ID)
      - location and size fields: 8 bytes for a resident attribute (content size and offset), 48 bytes for a non-resident one (starting/ending VCN, run-list offset, allocated/actual/initialized sizes; 56 when the attribute is compressed or sparse, which adds a compressed-size field)
      - the content itself (size varies): the details of the attribute, or, if non-resident, a run list that says where the content is on disk


    Resident and non-resident attributes

    - "Resident": the content is stored in this FILE record, directly after the attribute header and its location/size fields.
    - "Non-resident": the content is stored at another location in the partition; the record holds only the attribute header and the location/size fields (the run list) that point to it.

    [Diagram: MFT file record: MFT Header | Attr Header + Loc/Size + Content (resident) | Attr Header + Loc/Size -> Content elsewhere on the partition (non-resident) | ... | Unused Space]

    A file may need more than one MFT record to hold its attributes.
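    The parser below is an added example written for this page, not code from the URI slides or from any NTFS driver. It ties together the header table, the fix-up slide and the resident/non-resident slide: it verifies and undoes the fix-ups, decodes the header at the offsets in the table, walks the attributes and, for a non-resident one, decodes the run list that says where the content lives. It assumes 512-byte sectors, 1024-byte records and the NTFS 3.1 and later header layout (record number at 0x2C); the sample record it parses is constructed in `build_sample_record` (an in-use record 42 for a file "notes.txt" with a resident $STANDARD_INFORMATION and $FILE_NAME and a non-resident $DATA), not read from a real volume.

```python
"""NTFS FILE record parser: undo fix-ups, decode the header, walk the attributes. Added example
for this page, not code from the URI slides; assumes 512-byte sectors, 1024-byte records and the
NTFS 3.1+ header layout. The sample record is constructed, not read from a real volume."""
import struct

SECTOR, RECORD, FLAG_IN_USE, FLAG_DIRECTORY, END_MARKER = 512, 1024, 0x0001, 0x0002, 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def apply_fixups(rec: bytes) -> bytes:
    """Verify the USN at the end of each sector and restore the saved bytes; a mismatch = torn write."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):                      # entry 0 is the USN itself
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError(f"fix-up mismatch in sector {i - 1}: torn or corrupt record")
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_header(rec: bytes) -> dict:
    """Decode the header fields at the offsets listed in the table above."""
    if rec[:4] != b"FILE":
        raise ValueError(f"not a FILE record: signature {rec[:4]!r}")
    (_, _, lsn, seq, links, attr_off, flags, used, alloc,
     base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", rec, 4)
    hdr = dict(lsn=lsn, sequence=seq, hard_links=links, attr_offset=attr_off, flags=flags,
               used_size=used, alloc_size=alloc, next_attr_id=next_id,
               base_record=base_ref & 0xFFFFFFFFFFFF,    # low 48 bits; 0 = this is the base record
               state=("in-use" if flags & FLAG_IN_USE else "deleted")
                     + (" directory" if flags & FLAG_DIRECTORY else " file"))
    if attr_off >= 0x30:                               # NTFS 3.1+: own record number at 0x2C
        hdr["record_number"] = struct.unpack_from("<I", rec, 0x2C)[0]
    return hdr

def decode_runlist(data: bytes) -> list:
    """Run list -> [(LCN, clusters)]; offsets are signed deltas from the previous run, None = sparse."""
    runs, lcn, off = [], 0, 0
    while data[off] != 0:
        ls, os_ = data[off] & 0x0F, data[off] >> 4    # low nibble: length size, high: offset size
        length = int.from_bytes(data[off + 1:off + 1 + ls], "little")
        if os_:
            lcn += int.from_bytes(data[off + 1 + ls:off + 1 + ls + os_], "little", signed=True)
        runs.append((lcn if os_ else None, length))
        off += 1 + ls + os_
    return runs

def walk_attributes(rec: bytes, attr_off: int) -> list:
    """One dict per attribute: 16-byte common header, then resident (8 bytes) or non-resident (48) fields."""
    attrs, off = [], attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            break
        if alen < 24 or off + alen > len(rec):        # never trust on-disk lengths
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        nonres, nlen, noff, _aflags, aid = struct.unpack_from("<BBHHH", rec, off + 8)
        a = dict(type=atype, name=ATTR_NAMES.get(atype, hex(atype)), id=aid, resident=not nonres,
                 attr_name=rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le"))
        if nonres:
            start_vcn, end_vcn, rl_off = struct.unpack_from("<QQH", rec, off + 16)
            a.update(vcns=(start_vcn, end_vcn), real_size=struct.unpack_from("<Q", rec, off + 48)[0],
                     runs=decode_runlist(rec[off + rl_off:off + alen]))
        else:
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            a["content"] = rec[off + coff:off + coff + csize]
            if atype == 0x30:                          # $FILE_NAME: name length at +64, UTF-16 name at +66
                a["file_name"] = a["content"][66:66 + 2 * a["content"][64]].decode("utf-16-le")
        attrs.append(a)
        off += alen
    return attrs

def parse_record(raw: bytes) -> dict:
    rec = apply_fixups(raw)
    hdr = parse_header(rec)
    hdr["attributes"] = walk_attributes(rec, hdr["attr_offset"])
    return hdr

def build_sample_record() -> bytes:
    """Constructed in-use record 42 for 'notes.txt', laid out as it would sit on disk (fix-ups applied)."""
    def resident(atype, aid, content):
        body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 24, 0, aid, len(content), 24, 0, 0) + content
        body += bytes(-len(body) % 8)
        return body[:4] + struct.pack("<I", len(body)) + body[8:]
    name = "notes.txt"                                 # $FILE_NAME content: parent = root (record 5)
    fn = (struct.pack("<Q", 5 | (5 << 48)) + bytes(32) + struct.pack("<QQII", 4096, 4000, 0x20, 0)
          + bytes([len(name), 3]) + name.encode("utf-16-le"))
    runlist = b"\x21\x08\x34\x12\x00"                  # one run: 8 clusters starting at LCN 0x1234
    dlen = 64 + len(runlist) + (-len(runlist) % 8)
    data = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, dlen, 1, 0, 64, 0, 2, 0, 7, 64, 0, 0, 4096, 4000, 4000)
    data += runlist + bytes(dlen - len(data) - len(runlist))
    attrs = resident(0x10, 0, bytes(48)) + resident(0x30, 1, fn) + data + struct.pack("<I", END_MARKER)
    used = 0x38 + len(attrs) + (-(0x38 + len(attrs)) % 8)
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0x1000, 2, 1, 0x38,
                                FLAG_IN_USE, used, RECORD, 0, 3, 0, 42))
    rec += bytes(0x38 - len(rec)) + attrs + bytes(RECORD - 0x38 - len(attrs))
    rec[0x30:0x32] = usn = b"\x07\x00"                 # fix-up array at 0x30: USN, then one saved word per sector
    for i in range(2):                                 # save the real last word of each sector, stamp the USN
        end = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

if __name__ == "__main__":
    for a in parse_record(build_sample_record())["attributes"]:
        print(a["id"], a["name"], a.get("file_name", ""), a.get("runs", "resident"))
```

    Running the script prints the three attributes of the constructed record, with the $DATA run list decoded to its cluster extent. The same `parse_record` can be pointed at any 1024-byte slice of a raw `$MFT` dump; the fix-up check is deliberately fatal, because an attribute offset or run list read from a torn record is exactly the kind of value that sends a forensic tool off into the wrong clusters.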
