NTFS File System - Villanova University · Villanova University – Department of Computing...
Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014
NTFS File System A Forensic Perspective
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014
New Technology File System
• NTFS – proprietary file system developed by Microsoft, designed for reliability, security and large storage devices.
  – Encryption (EFS)
  – File / folder permissions (ACLs)
  – Everything in the volume, including the file system's own metadata, is stored as a file with an MFT entry.
  – Date and time stamps are recorded in UTC.
  – Date and time stamps are 64-bit counts of 100-nanosecond intervals, counted from 12:00 A.M. January 1, 1601.
New Technology File System
Limit              Theoretical     Real world (with the default 4 KB cluster size)
File size          16 EB           16 TB
Volume size        16 EB           16 TB
Files per volume   4,294,967,295 (2^32 - 1)
NTFS System Files (MFT entry number in parentheses)
• $MFT (0) – contains a record for each file and folder on the NTFS volume.
• $MFTMirr (1) – backup of the first four $MFT records.
• $LogFile (2) – journal used by the file system to recover from a failure.
• $Volume (3) – contains the volume label and volume version.
• $AttrDef (4) – contains attribute names, numbers and descriptions.
• . (5) – root directory.
• $Bitmap (6) – keeps track of the allocation status of each cluster on the volume.
• $Boot (7) – contains the boot sector and the information needed to mount the volume.
• $BadClus (8) – keeps track of all clusters identified as bad and no longer usable.
• $Secure (9) – contains one copy of each distinct security descriptor, shared by the files on the volume that use it.
• $Upcase (10) – table used to convert lowercase Unicode characters to their matching uppercase characters (case-insensitive name comparison).
• $Extend (11) – directory reserved for optional extensions (e.g. quotas, reparse point data and object identifiers).
NTFS Organization
Volume layout: NTFS Boot Sector | Master File Table ($MFT) | File System Data | Master File Table Copy ($MFTMirr)
• The NTFS Boot Sector contains the boot code needed to load Windows. It also describes the geometry and structure of the volume: bytes per sector, sectors per cluster, total sectors, and the starting clusters of $MFT and $MFTMirr.
• The Master File Table ($MFT) contains the information needed to store and retrieve the files and folders on the volume, including the attributes associated with each file and folder.
• File System Data is the content on the volume that is not stored within the MFT (the clusters that non-resident attributes point to).
• The Master File Table Copy ($MFTMirr) is a backup of the critical entries (the first four) of the $MFT.
NTFS Boot Record

Parsing NTFS Boot Record
Range      Description                      Example
00 - 02    Jump Instruction                 EB 52 90 (ëR)
03 - 10    OEM ID                           "NTFS    " (8 bytes, space padded)
11 - 12    Bytes / Sector                   0x0200 = 512
13 - 13    Sectors / Cluster                0x08 = 8
40 - 47    Total Number of Sectors          0x1FE7FF = 2,091,007
48 - 55    $MFT Starting Logical Cluster    0x015455 = 87,125
72 - 79    Volume Serial Number             A1 05 13 06 25 13 06 56
84 - 509   Bootstrap Code
510 - 511  End of Sector Marker             55 AA

• Multi-byte fields are stored little-endian; the examples show the assembled value. The byte offset of the $MFT is the starting cluster times the cluster size: 87,125 × 8 × 512 = 356,864,000.
• Not listed on the slide but needed to parse the volume: bytes 56 - 63 hold the starting cluster of $MFTMirr, and byte 64 holds the size of an MFT entry as a signed value (a positive value is a cluster count; a negative value n means 2^|n| bytes, so the usual 0xF6 = -10 gives 1,024 bytes).
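As an added example (not from the slides), the following Python parses the fields above out of a boot sector and turns the $MFT starting cluster into a byte offset. The 512-byte sector is constructed inline from the slide's values; the $MFTMirr cluster, the record-size bytes at offsets 64 and 68 and the media descriptor are assumed values, as marked in the comments. It applies the signed-byte rule for byte 64, which is how a parser learns the MFT entry size rather than assuming 1,024.

```python
import struct


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector reproducing the slide's values
    (512 bytes/sector, 8 sectors/cluster, 0x1FE7FF sectors, $MFT at cluster
    0x15455, serial A1 05 13 06 25 13 06 56). The $MFTMirr cluster (2), the
    record-size bytes (0xF6 -> 1,024-byte entries, 0x01 -> 1-cluster index
    buffers) and the media descriptor are assumed, not taken from the slide."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                  # jump instruction
    sector[3:11] = b"NTFS    "                     # OEM ID, 8 bytes space padded
    struct.pack_into("<H", sector, 11, 512)        # bytes per sector
    sector[13] = 8                                 # sectors per cluster
    sector[21] = 0xF8                              # media descriptor: fixed disk (assumed)
    struct.pack_into("<Q", sector, 40, 0x1FE7FF)   # total sectors
    struct.pack_into("<Q", sector, 48, 0x15455)    # $MFT start cluster
    struct.pack_into("<Q", sector, 56, 2)          # $MFTMirr start cluster (assumed)
    sector[64] = 0xF6                              # clusters per MFT entry, signed (assumed)
    sector[68] = 0x01                              # clusters per index buffer (assumed)
    sector[72:80] = bytes.fromhex("A105130625130656")  # volume serial number
    sector[510:512] = b"\x55\xAA"                  # end-of-sector marker
    return bytes(sector)


def _size_from_signed_byte(raw: int, cluster_size: int) -> int:
    """Bytes 64 and 68 are signed: n > 0 is a cluster count, n < 0 means 2**|n| bytes."""
    n = struct.unpack("<b", bytes([raw]))[0]
    return (1 << -n) if n < 0 else n * cluster_size


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the geometry fields; refuse sectors that lack the NTFS marks."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA end-of-sector marker")
    if sector[3:7] != b"NTFS":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    sectors_per_cluster = sector[13]
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster,
        "mft_record_size": _size_from_signed_byte(sector[64], cluster_size),
        "index_record_size": _size_from_signed_byte(sector[68], cluster_size),
        "volume_serial": sector[72:80].hex().upper(),
        "mft_offset": mft_cluster * cluster_size,   # byte offset of $MFT in the volume
    }


def cluster_to_byte_offset(cluster: int, geometry: dict) -> int:
    """Logical cluster number -> byte offset from the start of the volume."""
    return cluster * geometry["cluster_size"]


if __name__ == "__main__":
    geo = parse_boot_sector(build_sample_boot_sector())
    for key, value in geo.items():
        print(f"{key:20} {value}")
    print("cluster 85,296 is at byte", cluster_to_byte_offset(85296, geo))
```

The offsets are relative to the start of the volume; to seek in a whole-disk image, add the partition's starting byte offset from the partition table. The mft_record_size value is what a parser should use to step through the $MFT instead of a hard-coded 1,024.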
Master File Table
• The MFT is the heart of the file system: it contains an entry for every file and folder on the volume.
• Microsoft reserves the first 16 MFT entries for file system metadata files.
• The MFT starts small and expands as needed.
• New files and folders take the first available unallocated entry ("first-available" allocation), so entry numbers are reused.
• MFT entries are never removed once created; on deletion the entry is only marked unallocated, and its contents survive until the entry is reused.
• MFT entries are 1,024 bytes in size by default (the actual size is recorded in the boot sector).
• Attributes can be resident (content stored inside the entry) or non-resident (content stored in clusters outside the MFT, located by a runlist).
Reference: Carrier, Brian. File System Forensic Analysis. Pearson Education, 2005.
MFT Entry Structure
[Diagram: an MFT Entry is an MFT Entry Header followed by a sequence of attributes, each an Attribute Header followed by its Attribute Content]
NTFS Attributes (selected types)¹:
• 0x10 = $STANDARD_INFORMATION – file attribute flags, date/time stamps and hard link count.
• 0x20 = $ATTRIBUTE_LIST – a list of the attributes that make up the file and the file reference of the MFT entry in which each attribute is located (used when a file's attributes no longer fit in one entry).
• 0x30 = $FILE_NAME – the name of the file, in Unicode, plus a second set of date/time stamps that has important forensic implications (see $FILE_NAME below).
• 0x60 = $VOLUME_NAME – the volume label; present in the $Volume file.
• 0x70 = $VOLUME_INFORMATION – the volume version and flags; present in the $Volume file.
• 0x80 = $DATA – the contents of the file.
¹ http://msdn.microsoft.com/en-us/library/bb470038(v=vs.85).aspx
$MFT: Basic MFT Entry

Parsing MFT Entry
Range    Description                       Example
00-03    Signature                         "FILE"
08-15    $LogFile Sequence Number (LSN)    0x40B05F (4,239,455)
16-17    Sequence Value                    0x0008 (8)
18-19    Link Count                        0x0002 (2)
20-21    Offset to 1st Attribute           0x0038 (56)
22-23    Flags                             0x0001 (file, allocated)

• "FILE" is the standard signature value. An entry carries the signature "BAAD" if CHKDSK found an error in it.
• The file system log (journal) uses the LSN so that a corrupt file system can be repaired.
• The Sequence Value is incremented each time the entry is allocated or unallocated, so it counts how many times the entry has been used. File references (for example the parent directory in $FILE_NAME) carry this value alongside the entry number, which is how a stale reference to a reused entry is detected.
• Link Count = number of directory entries (hard links) referencing this record.
• Offset to 1st Attribute: each following attribute is found by advancing by the size field in the preceding attribute header, until the end-of-attributes marker 0xFFFFFFFF.
• Flags (bit field): bit 0 = entry in use, bit 1 = entry is a directory:
  • 0x00 = file, deleted (unallocated)
  • 0x01 = file, allocated
  • 0x02 = directory, deleted
  • 0x03 = directory, allocated
• Not shown on the slide: bytes 04-05 and 06-07 hold the offset and count of the fixup (update sequence) array. On disk the last two bytes of each 512-byte sector of the entry are overwritten with the update sequence number and the original bytes are kept in that array; they must be put back before parsing, or any attribute field that straddles byte 510 is read wrong. A sector whose last two bytes do not match the update sequence number indicates a torn write.
$STANDARD_INFORMATION (attribute header)
Range    Description                   Example
00-03    Attribute Type Identifier     0x10 = $STANDARD_INFORMATION
04-07    Length of Attribute (bytes)   0x60 = 96
08-08    Non-Resident Flag             0x00 = Resident
16-19    Size of Content (bytes)       0x48 = 72 (24 + 72 = 96, matching the attribute length)
20-21    Offset to Content             0x18 = 24
$STANDARD_INFORMATION (content)
Range    Description            Example (bytes in stored order)
00-07    Creation Time          0x186982A54BF9CE01
08-15    Modified Time          0x8EBAA37A4BF9CE01
16-23    MFT Record Modified    0x186982A54BF9CE01
24-31    Last Accessed Date     0x186982A54BF9CE01
32-35    Flags                  0x20 = Archive

• Date and time stamps are 64-bit little-endian integers counting 100-nanosecond intervals from January 01, 1601 00:00:00 UTC (the Windows FILETIME format). Read little-endian, the Creation Time above is 0x01CEF94BA5826918, which is 2013-12-15 04:10:53 UTC.
• In this example the Modified Time is about 72 seconds earlier than the Creation Time. A modification time that precedes the creation time is typical of a file that was copied into this location: the copy receives a new creation time but keeps the source file's content modification time.
• Last Accessed Date is not updated by default on Vista / 7 / 8: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate is set to 1, so the value is normally stale and must not be read as the last time the file was opened.
• Windows and most forensic tools report the $STANDARD_INFORMATION timestamps by default. These are the timestamps that user-mode code can set through the SetFileTime API, so they are the ones altered by timestomping tools; compare them against the $FILE_NAME timestamps, which that API cannot change.

Date and Time
$FILE_NAME (attribute header)
Range    Description                   Example
00-03    Attribute Type Identifier     0x30 = $FILE_NAME
04-07    Length of Attribute (bytes)   0x78 = 120
08-08    Non-Resident Flag             0x00 = Resident
16-19    Size of Content (bytes)       0x5A = 90
20-21    Offset to Content             0x18 = 24
$FILE_NAME (content)
Range    Description            Example
00-07    Parent Directory       File reference of the parent: low 6 bytes = MFT entry number, high 2 bytes = that entry's sequence value (MFT entry #5 = root directory)
08-15    Creation Time          0x186982A54BF9CE01
16-23    Modified Time          0x186982A54BF9CE01
24-31    MFT Record Modified    0x186982A54BF9CE01
32-39    Last Accessed Date     0x186982A54BF9CE01
56-59    Flags                  0x20 = Archive
64-64    Length of Name         0x0C = 12 (characters)
65-65    Namespace              0x02 = DOS name
66+      Name (UTF-16LE)        MFT_RE~1.txt

• Namespace: 0x00 = POSIX, 0x01 = Win32, 0x02 = DOS, 0x03 = Win32 & DOS (used when the filename already meets the 8.3 requirement, so one $FILE_NAME serves both).
• The name length counts UTF-16 characters, so the name occupies 2 × 12 = 24 bytes: 66 + 24 = 90, the content size in the header.
• All four $FILE_NAME timestamps here equal the $STANDARD_INFORMATION creation time. $FILE_NAME timestamps are set when the name is created and are maintained only by the kernel (on rename or move, for example); they cannot be set through SetFileTime, which is why they are the reference to check when the $STANDARD_INFORMATION timestamps may have been tampered with.

$FILE_NAME (2nd)
• A file with a short (8.3) DOS name also carries a second $FILE_NAME attribute for its long name. Notice this Namespace is 0x01 (Win32 name scheme) and the File Name is MFT_Record_Entry_Test.txt.
$DATA: Resident Example
Range    Description                   Example
00-03    Attribute Type Identifier     0x80 = $DATA
04-07    Length of Attribute           0x30 = 48
08-08    Non-Resident Flag             0x00 = Resident
16-19    Size of Content               0x18 = 24
20-21    Offset to Content             0x18 = 24
End of Attributes marker = 0xFFFFFFFF (four bytes, where the next attribute type identifier would be)

Example Text File
• The MFT entry for the example text file holds, in order: 0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME (two of them, DOS and Win32 names), 0x80 = $DATA with the 24 bytes of file content stored inside the entry, then the end-of-attributes marker.

$DATA: Non-Resident Example
• The MFT entry on the slide is for a file named "pf.jpg". • The "pf.jpg" graphic file is too large to be stored inside the $DATA attribute. • As a result, the $DATA attribute contains the information needed to find the data associated with this file on the volume: a runlist of cluster ranges.
$DATA: Non-Resident Example
Range       Description                   Example
00 - 03     Attribute Type Identifier     0x80 = $DATA
04 - 07     Length of Attribute           0x30 = 48 as printed on the slide. A non-resident attribute header is 64 bytes and is followed by the runlist, so the length must be at least 64; with the 5-byte runlist and its terminator, padded to a multiple of 8, the expected value is 0x48 = 72.
08 - 08     Non-Resident Flag             0x01 = Non-Resident
32 - 33     Offset of the Runlist         0x40 = 64
64 - 64     Size of Following Fields      0x31
65 - 65*    Run Length (clusters)         0x2E = 46
66 - 68*    Cluster Offset                0x014D30 = 85,296 (stored little-endian as 30 4D 01)

So What Does This Mean?
* The range varies as determined by the header byte at offset 64.
• The runlist header byte is organized into an upper and a lower nibble. The lower 4 bits give the number of bytes in the run length field (how many clusters are in the run). The upper 4 bits give the number of bytes in the offset field (the starting cluster of the run). 0x31 therefore means a 1-byte length followed by a 3-byte offset; a header byte of 0x00 ends the list.
• The offset field is a signed value relative to the start of the previous run (for the first run, relative to cluster 0 of the volume), so a fragmented file's later runs can point backwards. Bytes 40 - 63 of the header hold the allocated, actual and initialized sizes; the actual size, not 46 × cluster size, is the file length to carve.

• Examining the volume boot record (see Parsing NTFS Boot Record above):
  – 8 sectors / cluster
  – 512 bytes / sector
• Examining the MFT entry:
  – Filename = pf.jpg
  – Created on 12/16/2013 @ 22:50:45 EST
  – Modified on 03/26/2013 @ 20:51:58 EST (earlier than the creation time, as expected for a file copied to this location)
  – Data is non-resident
  – Starting cluster is 85,296
  – Extends for 46 clusters
• Conversions:
  – Cluster 85,296 × 8 sectors / cluster = Sector 682,368
  – Sector 682,368 × 512 bytes / sector = Byte 349,372,416
  – 46 clusters × 4,096 bytes / cluster = 188,416 bytes allocated
  – These offsets are relative to the start of the volume; in a whole-disk image add the partition's starting offset.
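The MFT entry header, the fixup array, the attribute walk, the $STANDARD_INFORMATION and $FILE_NAME timestamps and the runlist decoding described from "Parsing MFT Entry" through this non-resident example, carried through as one added Python example (not code from the slides). The 1,024-byte entry is constructed inline from the slide's values (LSN, sequence value, link count, first attribute at 0x38, the $STANDARD_INFORMATION timestamp bytes, the DOS name MFT_RE~1.txt under entry 5, and the runlist 31 2E 30 4D 01); the update sequence number 0x0007, the parent's sequence number, the file's actual size and the position of the update sequence array are assumptions, and timestamp_anomalies is an examiner's heuristic added here, not something the slides define.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}

def filetime_to_datetime(ft: int) -> datetime:
    """NTFS timestamp: count of 100 ns intervals since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_runlist(data: bytes) -> list:
    """Runlist -> [(start_cluster, length)]; low nibble = length field size, high nibble = offset
    field size; offsets are signed and relative to the previous run; a 0x00 header ends the list."""
    runs, pos, start = [], 0, 0
    while pos < len(data) and data[pos] != 0:
        len_size, off_size = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_size], "little")
        off = data[pos + 1 + len_size:pos + 1 + len_size + off_size]
        start += int.from_bytes(off, "little", signed=True)
        runs.append((start, length))
        pos += 1 + len_size + off_size
    return runs

def apply_fixups(entry: bytes, sector_size: int = 512) -> bytes:
    """Restore the last 2 bytes of each sector from the update sequence array (offset/count at 4-7)."""
    buf = bytearray(entry)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1} (torn write?)")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_mft_entry(raw: bytes) -> dict:
    if raw[:4] not in (b"FILE", b"BAAD"):
        raise ValueError(f"bad signature {raw[:4]!r}")
    entry = apply_fixups(raw)
    lsn, seq, links, first_attr, flags = struct.unpack_from("<QHHHH", entry, 8)
    out = {"signature": raw[:4].decode(), "lsn": lsn, "sequence": seq, "link_count": links,
           "in_use": bool(flags & 1), "is_directory": bool(flags & 2), "attributes": []}
    pos = first_attr
    while struct.unpack_from("<I", entry, pos)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", entry, pos)
        attr = {"type": atype, "resident": nonres == 0}
        if nonres == 0:
            csize, coff = struct.unpack_from("<IH", entry, pos + 16)
            content = entry[pos + coff:pos + coff + csize]
            if atype == 0x10:    # $STANDARD_INFORMATION: created, modified, MFT modified, accessed, flags
                c, m, e, a, fl = struct.unpack_from("<QQQQI", content, 0)
                attr.update(created=filetime_to_datetime(c), modified=filetime_to_datetime(m),
                            mft_modified=filetime_to_datetime(e), accessed=filetime_to_datetime(a), flags=fl)
            elif atype == 0x30:  # $FILE_NAME: parent reference, own timestamps, namespace, name
                ref, c = struct.unpack_from("<QQ", content, 0)
                attr.update(parent_entry=ref & 0xFFFFFFFFFFFF, parent_sequence=ref >> 48,
                            created=filetime_to_datetime(c), namespace=NAMESPACES.get(content[65]),
                            filename=content[66:66 + 2 * content[64]].decode("utf-16-le"))
            elif atype == 0x80:  # resident $DATA: the content is the file itself
                attr["data"] = content
        else:                    # non-resident: sizes live in the header, clusters in the runlist
            run_off, = struct.unpack_from("<H", entry, pos + 32)
            alloc, actual = struct.unpack_from("<QQ", entry, pos + 40)
            attr.update(allocated_size=alloc, actual_size=actual,
                        runs=decode_runlist(entry[pos + run_off:pos + alen]))
        out["attributes"].append(attr)
        pos += alen
    return out

def timestamp_anomalies(info: dict) -> list:
    """$SI timestamps can be set from user mode (SetFileTime); $FILE_NAME ones only by the kernel."""
    si = next(a for a in info["attributes"] if a["type"] == 0x10)
    notes = ["$SI modified precedes created: file probably copied here"] if si["modified"] < si["created"] else []
    notes += [f"$SI created precedes $FN created for {a['filename']}: possible timestomping"
              for a in info["attributes"] if a["type"] == 0x30 and si["created"] < a["created"]]
    return notes

def _attr(atype: int, header_rest: bytes, body: bytes, nonres: int) -> bytes:
    # 16-byte common header + resident (8) or non-resident (48) remainder + body, padded to 8 bytes
    data = struct.pack("<IIBBHHH", atype, 0, nonres, 0, 0, 0, 0) + header_rest + body
    data += b"\0" * (-len(data) % 8)
    return data[:4] + struct.pack("<I", len(data)) + data[8:]

def build_sample_entry() -> bytes:
    """Constructed entry from the slide's values; USN 0x0007, parent sequence 5, file size and
    the update sequence array position are assumed."""
    si = bytes.fromhex("186982A54BF9CE01" "8EBAA37A4BF9CE01" "186982A54BF9CE01"
                       "186982A54BF9CE01") + struct.pack("<I", 0x20) + b"\0" * 36
    name = "MFT_RE~1.txt".encode("utf-16-le")
    fn = (struct.pack("<Q", (5 << 48) | 5) + si[:32] + struct.pack("<QQII", 0, 0, 0x20, 0)
          + bytes([len(name) // 2, 2]) + name)
    data_hdr = struct.pack("<QQHHIQQQ", 0, 45, 64, 0, 0, 46 * 4096, 188000, 188000)
    attrs = (_attr(0x10, struct.pack("<IHBB", len(si), 24, 0, 0), si, 0)
             + _attr(0x30, struct.pack("<IHBB", len(fn), 24, 0, 0), fn, 0)
             + _attr(0x80, data_hdr, bytes.fromhex("312E304D0100"), 1) + b"\xFF" * 4)
    # header: USA at 0x30 (3 words), LSN 0x40B05F, sequence 8, links 2, first attribute 0x38, flags 0x01
    head = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0x40B05F, 8, 2, 0x38, 1, 56 + len(attrs), 1024, 0, 4, 0, 0)
    entry = bytearray((head + b"\x07\x00" + b"\0" * 6 + attrs).ljust(1024, b"\0"))
    for i in (1, 2):   # stamp the USN into each sector's last 2 bytes, as the driver does on write
        entry[0x30 + 2 * i:0x30 + 2 * i + 2] = entry[i * 512 - 2:i * 512]
        entry[i * 512 - 2:i * 512] = b"\x07\x00"
    return bytes(entry)
```

parse_mft_entry(build_sample_entry()) returns the header fields and three attributes; the runs list of the $DATA attribute gives cluster 85,296 for 46 clusters, which with the 4,096-byte cluster from the boot sector is byte offset 349,372,416 in the volume. The fixup step matters on real data: a 1,024-byte entry spans two sectors, and an attribute crossing byte 510 reads wrong unless the original bytes are restored, while a mismatch between the stored update sequence number and a sector's last two bytes is how a torn write is detected. The relative, signed run offsets are exercised on a two-run list in which the second run lies before the first.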