NTFS File System and Data Security -...

NTFS File System and Data Security

Yanhui TuKingSoft

Index

1 File System kernel analysis2 Stream and Data security3 Data recover4 Date overwrite

NTFS File System Analysis• File• There are 2 different kinds• Metafiles: user can’t access• User files: User data

NTFS File System Analysis• NTFS meta file

Metadata Function$MFT MFT itself

Part image of MFT $MFTMirr$LogFile Log file$Volume Volume file$AttrDef Attribute definition list$Root root directory$Bitmap Bitmap file $Boot Boot file

$BadClus Bad cluster file$Quota（NTFS4） Quota file

$Secure Secure file$UpCase Capitalized file$Extend Metadata directory

Extended Metadata directory

$Extend\$Reparse Reparse Points file$Extend\$UsnJrnl Log changing file$Extend\$Quota Quota management file $Extend\$ObjId Object ID file

NTFS File System Analysis

• $MFT（Master File Table ）• Includes all information about files, and these

information called attributes

• The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself

Normal file MFTMFT header10H $STANDARD_INFORMATION

30H $FILE_NAME

80H $DATA and $BITMAP

MFT End


Resident attribute and non-resident attributeResident attribute save data in file data areaNon-resident attributes saved in MFT


Directory’s MFTMFT header10H（STANDARD INFORMATION）

30H（File Name）90H（Index Root ）

A0H（ Index Allocation）B0H（BitMapMFT END


NTFS File System AnalysisStructure of file

index• Index header

（every 4KB index block has a file index header.）

• Index item（every item record a file’s filename，MFT number, parent directory MFT number etc. ）

NTFS File System Analysis• $LogFile’s

MFTlog file’s structure is very complicated and it’s structures details are still unknown

NTFS File System Analysis• $LogFile log

filelog file’s

structure is very complicated and it’s structures details are still unknown, we only know it’s separated into many 4k blocks and each block start with RCRD

NTFS File System Analysis• $LogFile log

file recorded a example of file rename

NTFS File System Analysis• Volume

file• Label in

offset 60H

NTFS File System Analysis• $AttrDef

file• List of record all

attributes


• Content of $AttrDef

• Records all attributes definition

NTFS File System Analysis• “.” file（root）

• Root of directory tree

NTFS File System Analysis• 90H

attribute of root directory


• $Bitmapfile


• Content of $Bitmapfile


• $Boot file MFT

NTFS File System Analysis• Content of

$Boot


• $UpCasefile MFT

NTFS File System Analysis• Content of

$UpCasefile


• $BadClusfile MFT

• It maintains a list of bad clusters on the drive.

Stream and Data Security• Put file in

stream

Stream and Data Security

• 29A released a stream based virus at 2000

• Currently no Anti-virus support stream scaning in China

Stream and Data Security

• Stream in disk

and Data Security Stream

• Stream can put in directory

Stream and Data Security• API designed for stream

programing• 1、Travel ：

– FindFirstStreamW and FindNextStreamW（Win2003server）

– BackupRead 和BackupSeek（Win2000）

• 2、Delete：– DeleteFile

• And if you can access stream without above APIs with knowledge of NTFS data structure

Data Recover• Normally, user access

files by using file system, these files store on user’s hard disk and organized by file system and supply files to users.

• What users see are only files, users don’t care about how these file stored in disk, they can use commands supplied by OS to read and write files, but if one of data or file system is corrupted user can’t access files anymore.

Data Recover• When file system is corrupt, we have 2

methods to recover data.• First method: Rebuild this file

system ,fix corrupt part, and system can access this file system normally and recover the lost data. For example: When hard disk’s partition table is corrupt, we can rebuild partition table to recovery data; If some partitions can’t access normally, we can rebuild BPB to fix that. This method is suitable for repairing some of key data, only need very small data of rebuild.

• Second method: Rebuild lost data to files from source devices. When try to rebuild some extremely unstable file system, like file data unsure before corrupted, or need large mount of data writing. This method is suitable for recovering deleted files, partition format scenarios.

File Recover

• Scenario：When files deleted or format but not destroyed file data just deleted some file information on file system and release file spaces.

File Deleting Processing

• Deleting file in FAT• 1、Replace first byte of directory’s

filename area to E5H• 2、Mark this directory to unused

File Deleting Processing• Deleting file in NTFS• When deleting a file in NTFS need 3

changes:– 1. There is a byte at offset 16H of this

file’s MFT header. If 0 means this file is deleted, 1 means this file is using, 2 means this is a directory, 3 means this directory is deleted;

– 2. Parent directory attribute INDEX_ROOT（90H）or attribute INDEX_ALLOCATION（A0H）；

– 3. Set 0 to file’s corresponding bits in $Bitmap.

Recover Demo

• FAT recover demo• 1、Locate file directory items• 2、Analysis directory items• 3、Locate data area• 4、Save recovered file

Recover Demo

• NTFS label recover• 1、locate file MFT• 2、MFT attribute analysis• 3、locate date erea• 4、Save recovered file

Data Overwrite• （DoD ）5220.22-M• a. Degauss with a Type I degausser• b. Degauss with a Type II degausser.• c. Overwrite all addressable locations with a single character.• d. Overwrite all addressable locations with a character, its

complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.

• e. Overwrite all addressable locations with a character, its complement, then a random character.

• f. Each overwrite must reside in memory for a period longer thanthe classified data resided.

• g. Remove all power to include battery power.• h. Overwrite all locations with a random pattern, all locations with

binary zeros, all locations with binary ones.• i. Perform a full chip erase as per manufacturer's data sheets.• j. Perform i above, then c above, a total of three times.• k. Perform an ultraviolet erase according to manufacturer's

recommendation.• l. Perform k above, but increase time by a factor of three.• m. Destroy - Disintegrate, incinerate, pulverize, shred, or melt.• n. Destruction required only if classified information is contained.

Data Overwrite

m, nWrite Once, Read Many (Worm)

m, nRead Only

mcRead Many, Write Many

Optical Disk

a, b, d , or ma, b, or cRemovabel Rigid Disk

a, b, d , or mcNon-Removable Rigid Disk

ma, b, or cFloppies

ma, b, or cBernoullis

Magnetic Disk

ma or bType III

b or ma or bType II

a, b, or ma or bType I

Magnetic Tape1

SanitizeClearMedia

Data Overwrite

c and f, g, or mc or gStatic Random Access Memory (SRAM)

mRead Only Memory ROM

c, g, or mc or gNonvolatile RAM (NOVRAM)

mcMagnetic Resistive Memory

c and f, or mcMagnetic Plated Wire

a, b, e, or mcMagnetic Core Memory

a, b, c, or mcMagnetic Bubble Memory

mcProgrammable ROM (PROM)

c then i, or miFlash EPROM (FEPROM)

l, then c, or mkErasable Programmable (ROM (EPROM)

h or miElectronically Erasabel PROM (EEPROM)

j or miElectronically Alterable PROM (EAPROM)

c, g, or mc or gDynamic Random Access memory (DRAM)

Memory

SanitizeClearMedia

• http://www.zdelete.com/dod.htm

D or E level of Overwrite

• Method 1：• 1、Open file• 2、Write file• 3、Close file• Features：Simple but not safe

D or E level of Overwrite• Method 2：• 1、Locate file’s MFT or Index in file

system • 2、Locate file’s physical address in

disk3、Write disk• Features：Complex（need very deep

knowledge in file system and disk structure）、Safe（can make sure overwrite on same place of file）

References

• 涂彦晖戴士剑. 《数据安全与编程技术》.北京：清华大学出版社，2005

• 戴士剑涂彦晖. 《数据恢复技术》（第2版）.北京：电子工业出版社，2005

Thank YOU!

NTFS File System and Data Security -...

Documents

Transcript of NTFS File System and Data Security -...