NTFS File System - Villanova University

Transcript of NTFS File System - Villanova University (25 slides)

Page 1:

Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

NTFS File System: A Forensic Perspective

Page 2:

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

New Technologies File System

• NTFS – Proprietary file system developed by Microsoft
  – Designed for reliability, security and large storage devices.
  – Encryption
  – File / Folder Permissions
  – Every file and folder in the volume is treated as a file.
  – Date and time stamps are recorded in UTC.
  – Date and time resolution is from 12:00 A.M. January 1, 1601

Page 3:

New Technologies File System

• File Size: 16 EB (Technically), 16 TB (Real World)
• Volume Size: 16 EB (Technically), 16 TB (Real World)*
• Files Per Volume: 4,294,967,295

Page 4:

NTFS System Files

• $MFT – contains a record for each file and folder on the NTFS volume.
• $MFTMirr – backup of the first four $MFT records.
• $LogFile – journal log used by the file system to recover from a failure.
• $Volume – contains the volume label and volume version.
• $AttrDef – contains attribute names, numbers and descriptions.
• . – root directory.
• $Bitmap – keeps track of the allocation status for each cluster on the volume.
• $Boot – contains information needed to mount the volume.

Page 5:

NTFS System Files

• $BadClus – keeps track of all clusters identified as bad and no longer usable.
• $Secure – contains unique security descriptors for all files within the volume.
• $Upcase – converts lowercase characters to matching Unicode uppercase characters.
• $Extend – reserved for optional extensions (i.e. quotas, reparse point data and object identifiers).

Page 6:

NTFS Organization

Volume layout (from the diagram): NTFS Boot Sector | Master File Table ($MFT) | File System Data | Master File Table Copy ($MFTMirr)

• NTFS Boot Sector contains the boot code needed to load Windows. This sector also contains the geometry and structure of the volume.
• Master File Table ($MFT) contains the information needed to store and retrieve files and folders stored on the volume. This system file also contains the attributes associated with each file and folder on the volume.
• File System Data contains the data on the volume that is not stored within the MFT.
• Master File Table Copy ($MFTMirr) is a backup of the critical entries within the $MFT.

Page 7:

NTFS Boot Record

Page 8:

Parsing NTFS Boot Record

Range      Description                    Example
00 - 02    Jump Instruction               (ëR)
03 - 10    OEM ID (NTFS)                  NTFS
11 - 12    Bytes / Sector                 0x0200 = 512
13 - 13    Sectors / Cluster              0x08 = 8
40 - 47    Total Number of Sectors        0x1fe7ff = 2,091,007
48 - 55    $MFT starting logical cluster  0x015455 = 87,125
72 - 79    Volume Serial Number           A1 05 13 06 25 13 06 56
84 - 509   Bootstrap Code
510 - 511  End of Sector Marker           55 AA
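As an added example (not part of the slides), the Python below parses the fields from the table out of a constructed 512-byte boot sector that carries the slide's values, checks the 55 AA marker and the OEM ID before trusting anything else, and turns the $MFT starting cluster into the byte offset at which an examiner would seek in a raw image. The $MFTMirr cluster field at bytes 56-63 and the encoding used for sectors-per-cluster values above 0x80 are taken from the standard NTFS layout, not from the slide.

```python
import struct

SECTOR_SIZE = 512  # the NTFS boot sector is one 512-byte sector


def build_sample_boot_sector() -> bytes:
    """Constructed boot sector carrying the slide's example values.
    The bootstrap code area (84-509) is left as zeros."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x52\x90"                      # jump instruction (shows as "ëR" in the slide)
    bs[3:11] = b"NTFS    "                         # OEM ID, space padded to 8 bytes
    struct.pack_into("<H", bs, 11, 0x0200)         # bytes per sector
    bs[13] = 0x08                                  # sectors per cluster
    struct.pack_into("<Q", bs, 40, 0x1FE7FF)       # total number of sectors
    struct.pack_into("<Q", bs, 48, 0x015455)       # $MFT starting logical cluster
    struct.pack_into("<Q", bs, 56, 0x000002)       # $MFTMirr starting cluster (constructed value)
    bs[72:80] = bytes.fromhex("A105130625130656")  # volume serial number from the slide
    bs[510:512] = b"\x55\xAA"                      # end-of-sector marker
    return bytes(bs)


def parse_boot_sector(bs: bytes) -> dict:
    """Validate the sector, then decode geometry and the $MFT / $MFTMirr locations."""
    if len(bs) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA end-of-sector marker: not a boot sector?")
    if bs[3:11] != b"NTFS    ":
        raise ValueError(f"OEM ID is {bs[3:11]!r}, not NTFS")
    bytes_per_sector, = struct.unpack_from("<H", bs, 11)
    spc = bs[13]
    if spc > 0x80:                  # large-cluster encoding: value n means 2 ** (256 - n)
        spc = 1 << (256 - spc)
    total_sectors, = struct.unpack_from("<Q", bs, 40)
    mft_cluster, = struct.unpack_from("<Q", bs, 48)
    mftmirr_cluster, = struct.unpack_from("<Q", bs, 56)
    cluster_size = bytes_per_sector * spc
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": spc,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_size_bytes": total_sectors * bytes_per_sector,
        "mft_cluster": mft_cluster,
        "mft_byte_offset": mft_cluster * cluster_size,      # where to seek for the $MFT
        "mftmirr_cluster": mftmirr_cluster,
        "mftmirr_byte_offset": mftmirr_cluster * cluster_size,
        "serial_hex": bs[72:80].hex(" ").upper(),
    }


if __name__ == "__main__":
    for key, value in parse_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:>22}: {value:,}" if isinstance(value, int) else f"{key:>22}: {value}")
```

With the slide's geometry the $MFT begins at cluster 87,125 × 4,096 bytes = byte 356,864,000; a boot sector whose marker or OEM ID fails the checks should be treated as suspect and compared against the backup boot sector at the end of the volume before any of its values are used.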

Page 9:

Master File Table

• MFT is the heart of the file system as it contains information about every file and folder on the volume.
• Microsoft reserves the first 16 MFT entries for file system files.
• Starts small and expands as needed.
• Uses a “first-available” algorithm for new files / folders.
• MFT entries are not deleted after they have been created.
• MFT entries are 1,024 bytes in size.
• Attributes can be resident or non-resident.

Reference: Carrier, Brian. File System Forensic Analysis. Pearson Education, 2005.

Page 10:

MFT Entry Structure

Layout (from the diagram): MFT Entry = MFT Entry Header, then Attribute Headers, each followed by its Attribute Content.

NTFS Attributes (1):

• 0x10 = $STANDARD_INFORMATION (File attributes, date/time stamps and hard link count.)
• 0x20 = $ATTRIBUTE_LIST (A list of attributes that make up the file and the file reference of the MFT file record in which each attribute is located.)
• 0x30 = $FILE_NAME (The name of the file, in Unicode … additional date/time attributes that can have important forensic implications.)
• 0x60 = $VOLUME_NAME (The volume label. Present in the $Volume file.)
• 0x70 = $VOLUME_INFORMATION (The volume information. Present in the $Volume file.)
• 0x80 = $DATA (The contents of the file.)

(1) http://msdn.microsoft.com/en-us/library/bb470038(v=vs.85).aspx

Page 11:

$MFT Basic MFT Entry

Page 12:

Parsing MFT Entry

Range   Description                       Example
00-03   Signature                         “FILE”
08-15   $LogFile Sequence Number (LSN)    0x40B05F (4239455)
16-17   Sequence Value                    08
18-19   Link Count                        02
20-21   Offset to 1st Attribute           0x0038 (56)
22-23   Flags                             01

• “FILE” is the standard signature value. An entry would have a “BADD” signature if CHKDSK found an error.
• The file system log (journal) uses the LSN so that a corrupt file system can be repaired.
• Sequence Value is incremented when the entry is either allocated or unallocated. Therefore this value represents the number of times this entry has been used.
• Link Count = number of directories referencing this record.
• Offset to 1st Attribute. Each additional attribute is identified by advancing ahead using the size field in the preceding attribute header.
• Flags:
  • 00 = File Deleted
  • 01 = File Allocated
  • 10 = Dir Deleted
  • 11 = Dir Allocated

Page 13:

$STANDARD_INFORMATION

Range   Description                     Example
00-03   Attribute Type Identifier       0x10 = $STANDARD_INFORMATION
04-07   Length of Attribute (bytes)     0x60 = 96
08-08   Non-Resident Flag               0x00 = Resident
16-19   Size of Content (bytes)         0x48 = 72
20-21   Offset to Content               0x18 = 24
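As an added example covering both the entry header (the "Parsing MFT Entry" table) and the resident attribute header just shown, the Python below builds a constructed 1,024-byte MFT entry with the slide's header values and four resident attributes, then parses it the way the slides describe: read the header, jump to the first attribute offset, and advance by each attribute's length until the end-of-attributes type value 0xFFFFFFFF. This is not code from the slides; the update sequence (fixup) array at offset 4, which NTFS uses to detect torn sector writes and which must be undone before the last two bytes of each sector are trusted, is part of the standard NTFS layout and is not covered on the slide.

```python
import struct

ENTRY_SIZE = 1024
SECTOR = 512
END_OF_ATTRIBUTES = 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x60: "$VOLUME_NAME", 0x70: "$VOLUME_INFORMATION", 0x80: "$DATA"}
FLAG_TEXT = {0b00: "File Deleted", 0b01: "File Allocated", 0b10: "Dir Deleted", 0b11: "Dir Allocated"}


def resident_attribute(type_id: int, content: bytes) -> bytes:
    """One resident attribute: 24-byte header, content at offset 0x18, length padded to 8."""
    length = (24 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", type_id, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return header + content + bytes(length - 24 - len(content))


def build_sample_entry() -> bytes:
    """Constructed entry mirroring the slide's header values (LSN 0x40B05F, sequence 8, 2 links)."""
    e = bytearray(ENTRY_SIZE)
    e[0:4] = b"FILE"
    struct.pack_into("<HH", e, 4, 0x30, 3)           # update sequence array offset / count
    struct.pack_into("<Q", e, 8, 0x40B05F)           # $LogFile sequence number
    struct.pack_into("<HHHH", e, 16, 8, 2, 0x38, 1)  # sequence, link count, first attr offset, flags
    body = (resident_attribute(0x10, bytes(72))                         # $STANDARD_INFORMATION
            + resident_attribute(0x30, bytes(90))                       # $FILE_NAME (DOS name)
            + resident_attribute(0x30, bytes(116))                      # $FILE_NAME (Win32 name)
            + resident_attribute(0x80, b"MFT record entry test!\r\n")   # $DATA, resident
            + struct.pack("<I", END_OF_ATTRIBUTES))
    e[0x38:0x38 + len(body)] = body
    struct.pack_into("<II", e, 24, 0x38 + len(body), ENTRY_SIZE)   # used size, allocated size
    usn = b"\x07\x00"                                              # apply the fixup so the parser has to undo it
    e[0x30:0x32] = usn
    for i in range(1, 3):
        e[0x30 + 2 * i:0x32 + 2 * i] = e[SECTOR * i - 2:SECTOR * i]  # save real bytes in the array
        e[SECTOR * i - 2:SECTOR * i] = usn                           # stamp the sector end
    return bytes(e)


def parse_entry(raw: bytes):
    """Return (header dict, list of attribute dicts) for one 1,024-byte entry."""
    if raw[0:4] != b"FILE":
        raise ValueError(f"signature {raw[0:4]!r} is not FILE: CHKDSK-flagged, wiped or not an entry")
    e = bytearray(raw[:ENTRY_SIZE])
    usa_off, usa_count = struct.unpack_from("<HH", e, 4)
    usn = bytes(e[usa_off:usa_off + 2])
    for i in range(1, usa_count):                   # undo the fixup on each 512-byte sector
        end = SECTOR * i
        if bytes(e[end - 2:end]) != usn:
            raise ValueError(f"update sequence mismatch in sector {i}: torn write or corruption")
        e[end - 2:end] = e[usa_off + 2 * i:usa_off + 2 * i + 2]
    lsn, = struct.unpack_from("<Q", e, 8)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", e, 16)
    header = {"signature": "FILE", "lsn": lsn, "sequence": seq, "link_count": links,
              "first_attr_offset": first_attr, "flags": flags, "flags_text": FLAG_TEXT[flags & 0b11]}
    return header, walk_attributes(e, first_attr)


def walk_attributes(e: bytearray, offset: int) -> list:
    attrs = []
    while offset + 4 <= len(e):
        type_id, = struct.unpack_from("<I", e, offset)
        if type_id == END_OF_ATTRIBUTES:
            break
        if offset + 16 > len(e):
            raise ValueError("attribute header runs past the entry")
        length, = struct.unpack_from("<I", e, offset + 4)
        if length < 16 or length % 8 or offset + length > len(e):
            raise ValueError(f"bad attribute length {length} at offset {offset}")
        attr = {"offset": offset, "type": type_id, "name": ATTR_NAMES.get(type_id, hex(type_id)),
                "length": length, "resident": e[offset + 8] == 0, "content": None}
        if attr["resident"]:
            size, coff = struct.unpack_from("<IH", e, offset + 16)
            if coff + size > length:
                raise ValueError("resident content overruns its attribute")
            attr["content"] = bytes(e[offset + coff:offset + coff + size])
        attrs.append(attr)
        offset += length   # next header sits right after this attribute's length
    return attrs


if __name__ == "__main__":
    header, attrs = parse_entry(build_sample_entry())
    print(header)
    for a in attrs:
        print(f"{a['offset']:4d}  {a['name']:<22} len={a['length']:3d}  resident={a['resident']}")
```

The bounds checks matter on real evidence: a length field of zero or one that points past the end of the entry would otherwise loop forever or read into the next record, and a fixup mismatch tells the examiner that the entry was mid-write when the image was taken.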

Page 14:

$STANDARD_INFORMATION

Range   Description            Example
00-07   Creation Time          0x186982A54BF9CE01
08-15   Modified Time          0x8EBAA37A4BF9CE01
16-23   MFT Record Modified    0x186982A54BF9CE01
24-31   Last Accessed Date     0x186982A54BF9CE01
32-35   Flags                  0x20 = Archive

• Date and time stamps (converted to decimal) are 100-nanosecond intervals from January 01, 1601.
• Last Accessed Date is no longer updated on Vista / 7 / 8.
  • HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
• Windows and Forensic Tools only report the date & time artifacts extracted from $Standard_Information.
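As an added example (not from the slides), the Python below converts the 8-byte timestamps in the table from their on-disk little-endian form into UTC datetimes (100-nanosecond ticks since 1601-01-01), decodes the flags word, and flags the ordering and precision anomalies an examiner looks for before trusting these values. The flag bit names beyond 0x20 = Archive and the anomaly heuristics are standard NTFS/forensic knowledge, not material from the slide; the content buffer is constructed from the slide's example bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # one FILETIME tick is 100 ns

SI_FLAGS = {0x0001: "Read Only", 0x0002: "Hidden", 0x0004: "System", 0x0020: "Archive",
            0x0080: "Normal", 0x0100: "Temporary", 0x0200: "Sparse", 0x0400: "Reparse Point",
            0x0800: "Compressed", 0x1000: "Offline", 0x2000: "Not Content Indexed", 0x4000: "Encrypted"}


def filetime_ticks(raw8: bytes) -> int:
    """The slide prints the bytes in disk order; the integer is little-endian."""
    return int.from_bytes(raw8, "little")


def filetime_to_datetime(raw8: bytes) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime_ticks(raw8) // 10)  # 100 ns -> us


def decode_flags(value: int) -> list:
    return [name for bit, name in sorted(SI_FLAGS.items()) if value & bit]


def parse_standard_information(content: bytes) -> dict:
    """Parse the four timestamps and the flags word; add notes on anything that looks off."""
    if len(content) < 36:
        raise ValueError("$STANDARD_INFORMATION content must hold four timestamps and flags")
    fields = ("created", "modified", "mft_modified", "accessed")
    raw = {f: content[i:i + 8] for f, i in zip(fields, range(0, 32, 8))}
    times = {f: filetime_to_datetime(r) for f, r in raw.items()}
    flags, = struct.unpack_from("<I", content, 32)
    notes = []
    if times["modified"] < times["created"]:
        notes.append("modified time precedes creation time (copied file, or timestamps altered)")
    for f, r in raw.items():
        ticks = filetime_ticks(r)
        if ticks == 0:
            notes.append(f"{f} is zero (never set or wiped)")
        elif ticks % TICKS_PER_SECOND == 0:
            notes.append(f"{f} has no sub-second part: set at one-second precision, worth a second look")
    return {**times, "flags": flags, "flags_text": decode_flags(flags), "notes": notes}


def build_sample_content() -> bytes:
    """Constructed 72-byte content using the slide's example timestamps and flags."""
    return (bytes.fromhex("186982A54BF9CE01")        # creation time
            + bytes.fromhex("8EBAA37A4BF9CE01")      # modified time
            + bytes.fromhex("186982A54BF9CE01") * 2  # MFT record modified, last accessed
            + struct.pack("<I", 0x20)                # flags = Archive
            + bytes(36))                             # remaining fields, zeroed


if __name__ == "__main__":
    si = parse_standard_information(build_sample_content())
    for f in ("created", "modified", "mft_modified", "accessed"):
        print(f"{f:>13}: {si[f].isoformat()}")
    print("flags:", si["flags_text"])
    for note in si["notes"]:
        print("note:", note)
```

Run against the slide's bytes, the creation time decodes to 2013-12-15 04:10:53 UTC and the modified time lands about 72 seconds earlier, which the parser reports: a modified time older than the creation time is the normal signature of a file copied onto the volume, but it is also what timestamp tampering leaves behind, and since Windows and most tools display only these $STANDARD_INFORMATION values, the $FILE_NAME copies are the cross-check.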

Page 15:

Date and Time

Page 16:

$FILE_NAME

Range   Description                     Example
00-03   Attribute Type Identifier       0x30 = $FILE_NAME
04-07   Length of Attribute (bytes)     0x78 = 120
08-08   Non-Resident Flag               0x00 = Resident
16-19   Size of Content (bytes)         0x5A = 90
20-21   Offset to Content               0x18 = 24

Page 17:

$FILE_NAME

Range   Description            Example
00-07   Parent Directory       Refers to the MFT Entry # of Parent
08-15   Creation Time          0x186982A54BF9CE01
16-23   Modified Time          0x186982A54BF9CE01
24-31   MFT Record Modified    0x186982A54BF9CE01
32-39   Last Accessed Date     0x186982A54BF9CE01
56-59   Flags                  0x20 = Archive

MFT Entry #5 = root directory

Page 18:

$FILE_NAME

Range   Description      Example
64-64   Length of Name   0x0C = 12
65-65   NameSpace        02 = DOS Name
66+     Name             MFT_RE~1.txt

• Namespace
  • 00 = POSIX
  • 01 = Win32
  • 02 = DOS
  • 03 = Win32/DOS (when the filename already meets the 8.3 requirement)

Page 19:

$FILE_NAME – (2nd)

• Notice this Namespace is 0x01 (Win32 Name Scheme)
• File Name = MFT_Record_Entry_Test.txt
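As an added example covering the three $FILE_NAME slides and this second-name slide, the Python below builds constructed $FILE_NAME contents for both names of the example file (the DOS alias in namespace 02 and the Win32 name in namespace 01), parses the parent reference, timestamps, name length, namespace and UTF-16LE name, and picks the name a user would have seen. This is not code from the slides; the split of the parent reference into a 48-bit entry number and 16-bit sequence, and the allocated/real size fields at 40-55, follow the standard NTFS layout rather than the slide's table.

```python
import struct
from datetime import datetime, timedelta, timezone

NAMESPACES = {0x00: "POSIX", 0x01: "Win32", 0x02: "DOS", 0x03: "Win32/DOS"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw8: bytes) -> datetime:
    """8 little-endian bytes of 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int.from_bytes(raw8, "little") // 10)


def build_file_name_content(name: str, namespace: int, parent_entry: int = 5,
                            parent_seq: int = 5, timestamp_hex: str = "186982A54BF9CE01") -> bytes:
    """Constructed $FILE_NAME content. Parent entry 5 is the root directory, as on the slide;
    the parent sequence number and the zeroed sizes are constructed values."""
    stamp = bytes.fromhex(timestamp_hex)
    return (struct.pack("<Q", parent_entry | (parent_seq << 48))   # 48-bit entry + 16-bit sequence
            + stamp * 4                                            # created, modified, MFT modified, accessed
            + struct.pack("<QQII", 0, 0, 0x20, 0)                  # allocated size, real size, flags=Archive, reparse
            + bytes([len(name), namespace])                        # 64: length in characters, 65: namespace
            + name.encode("utf-16-le"))                            # 66+: the name itself


def parse_file_name(content: bytes) -> dict:
    if len(content) < 66:
        raise ValueError("$FILE_NAME content shorter than its 66-byte fixed part")
    ref, = struct.unpack_from("<Q", content, 0)
    times = [filetime_to_datetime(content[i:i + 8]) for i in range(8, 40, 8)]
    alloc_size, real_size, flags = struct.unpack_from("<QQI", content, 40)
    name_len, namespace = content[64], content[65]
    raw_name = content[66:66 + 2 * name_len]
    if len(raw_name) != 2 * name_len:
        raise ValueError("name length runs past the attribute content")
    return {
        "parent_entry": ref & 0xFFFFFFFFFFFF, "parent_seq": ref >> 48,
        "created": times[0], "modified": times[1], "mft_modified": times[2], "accessed": times[3],
        "allocated_size": alloc_size, "real_size": real_size, "flags": flags,
        "name_length": name_len, "namespace": namespace,
        "namespace_text": NAMESPACES.get(namespace, f"unknown ({namespace})"),
        "name": raw_name.decode("utf-16-le"),
    }


def display_name(file_names: list) -> str:
    """Prefer the long name (Win32 or Win32/DOS), then POSIX, falling back to the 8.3 DOS alias."""
    for wanted in (0x01, 0x03, 0x00, 0x02):
        for fn in file_names:
            if fn["namespace"] == wanted:
                return fn["name"]
    raise ValueError("no $FILE_NAME attributes supplied")


if __name__ == "__main__":
    names = [parse_file_name(build_file_name_content("MFT_RE~1.txt", 0x02)),
             parse_file_name(build_file_name_content("MFT_Record_Entry_Test.txt", 0x01))]
    for fn in names:
        print(f"{fn['namespace_text']:<10} parent={fn['parent_entry']}  {fn['name']}  created={fn['created']}")
    print("shown to the user as:", display_name(names))
```

Keeping both names matters for review: the DOS alias is what an 8.3-only tool or log line will show, and the timestamps inside $FILE_NAME are set by the kernel when the name is written and are the values to compare against $STANDARD_INFORMATION when the latter looks tampered.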

Page 20:

$DATA: Resident Example

Range   Description                 Example
00-03   Attribute Type Identifier   0x80 = $DATA
04-07   Length of Attribute         0x30 = 48
08-08   Non-Resident Flag           0x00 = Resident
16-19   Size of Content             0x18 = 24
20-21   Offset to Content           0x18 = 24

End of Attributes = 0xFFFF

Page 21:

Example Text File

0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME, 0x80 = $DATA

Page 22:

$DATA: Non-Resident Example

• The screen capture above is an MFT entry for a file named “pf.jpg”.
• The “pf.jpg” graphic file is too large to be stored in the $DATA attribute.
• As a result, the $DATA attribute contains the necessary information to find the data associated with this file on the hard drive.

Page 23:

$DATA: Non-Resident Example

Range     Description                 Example
00 - 03   Attribute Type Identifier   0x80 = $DATA
04 - 07   Length of Attribute         0x30 = 48
08 - 08   Non-Resident Flag           0x01 = Non-Resident
32 - 33   Offset of the Runlist       0x40 = 64
64 - 64   Size of Following Fields    0x31
65 – 65*  Run Length (clusters)       0x2E = 46
66 – 68*  Cluster Offset              0x014D30 = 85,296

* The range will vary as determined by the hex value in byte 64.

So What Does This Mean?

• Byte offset 64 is organized into the upper and lower 4 bits (nibble).
• The lower 4 bits show the number of bytes for the run length (i.e. how many clusters are in the run).
• The upper 4 bits show the number of bytes in the offset field (i.e. starting cluster for the file’s data).

Page 24:

$DATA: Non-Resident Example

• Examining the volume boot record (see slide 7)
  – 8 sectors / cluster
  – 512 bytes / sector
• Examining the MFT entry
  – Filename = pf.jpg
  – Created on 12/16/2013 @ 22:50:45 EST
  – Modified on 03/26/2013 @ 20:51:58 EST
  – Data is non-resident
  – Starting cluster is 85,296
  – Extends for 46 clusters
• Conversions:
  – Cluster 85,296 = Sector 682,368
  – Sector 682,368 = Byte 349,372,416
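As an added example covering the non-resident $DATA slides and the conversion above, the Python below decodes a runlist the way the "So What Does This Mean?" bullets describe: split the header byte into its two nibbles, read that many bytes of run length and of cluster offset, and convert the starting cluster into a sector and byte offset using the boot record geometry. It is not code from the slides. It goes beyond the single run in the slide by handling the general case, which is standard NTFS layout rather than slide material: each run's offset is a signed delta from the previous run's start, an offset size of 0 marks a sparse run with no clusters on disk, and a header byte of 0x00 terminates the list. The runlist bytes are constructed from the slide's values.

```python
def decode_runlist(data: bytes, bytes_per_sector: int = 512, sectors_per_cluster: int = 8) -> list:
    """Decode an NTFS runlist into absolute runs with sector and byte offsets."""
    cluster_size = bytes_per_sector * sectors_per_cluster
    runs, pos, lcn = [], 0, 0
    while pos < len(data):
        header = data[pos]
        if header == 0x00:                       # end of runlist
            break
        len_size, off_size = header & 0x0F, header >> 4   # lower nibble: length bytes, upper: offset bytes
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError(f"malformed run header 0x{header:02X} at byte {pos - 1}")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                        # sparse run: clusters exist logically, not on disk
            runs.append({"sparse": True, "start_cluster": None, "length_clusters": length,
                         "start_sector": None, "byte_offset": None, "byte_length": length * cluster_size})
            continue
        delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta                             # offsets are relative to the previous run's start
        if lcn < 0:
            raise ValueError("run resolves to a negative cluster number: corrupt runlist")
        runs.append({"sparse": False, "start_cluster": lcn, "length_clusters": length,
                     "start_sector": lcn * sectors_per_cluster,
                     "byte_offset": lcn * cluster_size,
                     "byte_length": length * cluster_size})
    return runs


def total_clusters(runs: list) -> int:
    return sum(r["length_clusters"] for r in runs)


# Constructed runlist bytes. The first is the slide's single run for pf.jpg:
# header 0x31 (1-byte length, 3-byte offset), length 0x2E, offset 0x014D30, then the 0x00 terminator.
PF_JPG_RUNLIST = bytes.fromhex("31 2E 30 4D 01 00")
# A fragmented file: 16 clusters at 0x1000, then 8 clusters 16 clusters *before* that (offset 0xFFF0 = -16),
# then 5 sparse clusters.
FRAGMENTED_RUNLIST = bytes.fromhex("31 10 00 10 00 21 08 F0 FF 01 05 00")


if __name__ == "__main__":
    for label, rl in (("pf.jpg", PF_JPG_RUNLIST), ("fragmented", FRAGMENTED_RUNLIST)):
        runs = decode_runlist(rl)
        print(f"{label}: {total_clusters(runs)} clusters")
        for r in runs:
            if r["sparse"]:
                print(f"  sparse run of {r['length_clusters']} clusters")
            else:
                print(f"  cluster {r['start_cluster']:,} = sector {r['start_sector']:,} "
                      f"= byte {r['byte_offset']:,}, {r['length_clusters']} clusters")
```

For pf.jpg the decoder reproduces the slide's conversion (cluster 85,296, sector 682,368, byte 349,372,416) and also reports the run's extent, 46 × 4,096 = 188,416 bytes, which is the span an examiner carves from the image; note that the last cluster of a run holds slack past the file's real size, so the $DATA attribute's real-size field, not the run length, bounds the file content.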

Page 25:

$DATA: Non-Resident Example