The NTFS File System
Transcript of The NTFS File System
OVERVIEW: This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.
In this lab, students will examine the features of the NTFS file system (permissions, quotas, EFS, alternate data streams and timestomping), dissect a Master Boot Record and an NTFS boot sector in a hex editor, verify the hashes of a disk image, and load that image into Autopsy.
This lab includes the following tasks:
1 – Examining the NTFS File System
2 – Using a HEX Editor to explore an NTFS Partition
3 – Verifying and viewing the image details
4 – Analyzing an NTFS Partition With Autopsy
Key Terms

NTFS: The acronym NTFS stands for New Technology File System. NTFS was originally introduced with Windows NT. NTFS is a journaling file system, which means it keeps a log ($LogFile) of the metadata changes being written to the disk; if a computer is shut down improperly, a volume with a journaling file system has a better chance of being brought back to a consistent state. Access to files and folders can be restricted with the security permissions of NTFS. Starting with Windows 2000, Microsoft included the Encrypting File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect against unauthorized access.

EFS: The Encrypting File System (called the Encrypted File System elsewhere in this lab) is a feature of NTFS that allows you to encrypt files and folders. The feature became available on NTFS starting with Windows 2000 and is still available today on Windows 10 and Server 2016. Each file is encrypted with its own key, and that key is wrapped with the user's EFS certificate, so another local user, administrator or not, cannot read the content unless a data recovery agent certificate was also applied to the file.

ADS: An Alternate Data Stream, or ADS, is a feature of NTFS that was added so that Windows NT file servers could store the resource forks of files belonging to Macintosh (HFS) clients. Because a plain directory listing shows neither the extra stream nor its size, the feature can be used by an individual who is attempting to hide data on an NTFS volume; dir /r, PowerShell's Get-Item -Stream *, and forensic tools that parse the $MFT will reveal it.

timestomp: The timestomp command allows you to change a file's Modified, Accessed, Created and MFT-entry-modified (MACE) times. The command only works on an NTFS volume. It rewrites the timestamps stored in the $STANDARD_INFORMATION attribute of the file's $MFT record; the second copy of the timestamps in the $FILE_NAME attribute is not changed, which is how examiners detect its use.

$MFT: The Master File Table is basically the table of contents for an NTFS volume. Every file and directory has at least one record (normally 1024 bytes) in the $MFT holding its attributes: names, timestamps, security descriptor, and either the data itself (for very small files) or pointers to the clusters that hold it.
Reading Assignment

Introduction

This lab investigates the New Technology File System (NTFS), which is one of the most commonly used file systems by the Microsoft Windows operating system. NTFS is robust and includes many useful features, such as the ability to set security permissions on files and folders. Figure 1 shows the lab topology.
FIGURE 1 – LAB TOPOLOGY
This lab includes the following tasks:
Examining the NTFS
Using a Hex editor to explore an NTFS partition
Verifying and viewing the image details
Analyzing an NTFS partition with Autopsy
File Systems

Digital devices store information in Random Access Memory (RAM) or on storage systems like a hard disk or a solid-state drive (SSD). We will investigate the different file systems used by Windows. Normally, operating systems provide this service "behind the scenes," but it is critical that you understand how these file systems work as a digital forensic specialist. File systems that are common to Microsoft operating systems include FAT (File Allocation Table) and NTFS (New Technology File System).
Windows File Systems
FAT
The File Allocation Table is a table that records which clusters on a volume belong to which file. When a file is deleted, the first byte of its directory entry is overwritten with the marker 0xE5 and its clusters are marked as free in the table; however, the file's content, or parts of it, remains on the disk until it is overwritten by new files, which is why deleted files are so often recoverable. There are several limitations to FAT32. One is that individual files are limited to 4 GB. Another is that the format tool in some versions of Windows, such as Windows XP, Windows 7, and Windows 8, will not create a FAT32 volume larger than 32 GB (larger FAT32 volumes created elsewhere can still be read). In some much older versions of Windows, such as Windows 98 and Windows ME (Millennium Edition), users could create a 127.53 GB FAT32 volume. The likely reason for this is that the Windows 98 and Windows ME operating systems cannot read NTFS.
NTFS
The acronym NTFS stands for New Technology File System. NTFS was originally introduced with Windows NT. NTFS is a journaling file system, which means it keeps a log of the metadata changes being written to the disk. If a computer is shut down improperly, it will have a better chance of recovery if it has a journaling file system. Access to files and folders can be restricted with the security features of NTFS. Starting with Windows 2000, Microsoft included the Encrypting File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect against unauthorized access.
EFS is a feature of NTFS that allows you to encrypt files and folders. The feature became available on NTFS starting with Windows 2000 and is still available today on Windows 10 and Server 2019.
An Alternate Data Stream, or ADS, is a feature of NTFS that was added for compatibility with the resource forks of files from Macintosh (HFS) clients. The feature can be used by an individual who is attempting to hide data on an NTFS volume, because the extra stream appears neither in a normal directory listing nor in the reported file size.
Figure 2 shows the differences in structure between NTFS and FAT32 file systems.
FIGURE 2 – NTFS VS. FAT32 (SOURCE: LINK)
Hex Editors

A hexadecimal or hex editor can be a Graphical User Interface (GUI) or command line tool that is used to view and edit the raw bytes of files and disks. Many file types start with a fixed signature (a "magic number") that identifies the format regardless of the file's extension, and disk structures such as the MBR and the NTFS boot sector carry signatures of their own. Figure 3 shows the hex editor in Windows.
FIGURE 3 – HEX EDITOR
In this lab, you will review NTFS images in a hex editor.
Introduction to Hashing

Hashing is the process of feeding a stream of input bytes (a message, a file, or a whole disk image) through a hashing algorithm, which produces a fixed-length value called a hash or digest. Any change to the input, even a single bit, produces a different hash, so a hash can be used to make sure that a message was not modified during transmission. Figure 4 shows the hashing process.
In this lab, you will compare the hashes of a disk image against the hashes that were recorded when the image was acquired. If they match, the image has not been altered since acquisition; this only proves anything if the recorded hashes are kept somewhere the image's custodian cannot silently edit (case notes, a signed report), since anyone who can alter the image can also recompute its hash. Hashed images are standard practice in forensic investigations. Hashing is also used on files, passwords, and other pieces of data.
FIGURE 4 – HASHING PROCESS (SOURCE: LINK)
A hashing algorithm is what takes the data and creates a hash. Many hashing algorithms exist, such as MD5, SHA-1, SHA-256, SHA-384, and SHA-512. Let's look at MD5, which is one of the weakest algorithms still in common use. The Message Digest algorithm MD5 creates 128-bit outputs. A collision is when two or more different inputs produce the same hash. For MD5, collisions are not a rare accident: they can be constructed deliberately in seconds on an ordinary computer, so MD5 alone cannot prove that a file was not substituted by someone who planned the substitution, although it still detects accidental corruption. The next algorithm is the Secure Hash Algorithm SHA-1, which creates 160-bit outputs; a practical SHA-1 collision was demonstrated in 2017. This is why acquisition tools record two different hashes and why SHA-256 is preferred today. SHA-256 produces a 256-bit output, written as 64 hex characters, giving 2^256 possible values. SHA-384 is 384 bits long, which is 2^384 possible values, and SHA-512 is 512 bits, 2^512 possible values.
Let us take a closer look at how hashing works. Figure 5 illustrates the hashing process.
FIGURE 5 – HASHING PROCESS
A hashing algorithm takes a message and splits it into fixed-size blocks; the block size depends on the hash function (512 bits for MD5, SHA-1 and SHA-256; 1024 bits for SHA-384 and SHA-512). Before hashing, the message is padded: a single 1 bit is appended, followed by enough zero bits and finally the length of the original message, so that the total is a whole number of blocks. The padding is added even when the message already fills whole blocks, which is how the function tells a message apart from the same message with trailing zeros. The blocks are then processed in order: the first block is compressed together with a fixed initial value, the result becomes the input for the second block, and so on, until the output of the last block is the hash. Because each block's result depends on everything before it, changing any byte anywhere changes the final value.
Linux's dd

In Linux, the dd command copies a file or a whole disk byte for byte. Pointed at a block device it produces a raw disk image (the .dd files used in this lab); pointed at an optical disc it produces an ISO image that systems can later mount as a CD/DVD. The image's hash is then recorded with the command for the chosen algorithm: md5sum, sha1sum, sha256sum, sha384sum, or sha512sum. On Windows, the built-in equivalents are certutil -hashfile <file> SHA256 and the PowerShell cmdlet Get-FileHash; the file Properties dialog only shows hashes when a third-party shell extension adds a tab for them, as on the lab machine.

Timestomp

The timestomp command allows you to change a file's Modified, Accessed, and Created times (and the fourth NTFS timestamp, the MFT entry modified time). This utility can only be used to change MAC times on an NTFS volume. It rewrites the $STANDARD_INFORMATION timestamps in the file's $MFT record and leaves the duplicate set in the $FILE_NAME attribute alone, so comparing the two is the standard way to spot a timestomped file. Figure 6 shows the timestomp command.
FIGURE 6 – TIMESTOMP
Autopsy Forensic Browser

Autopsy Forensic Browser is an open-source forensic investigation toolkit with a Graphical User Interface (GUI) that allows a user to collect, examine, analyze, and report on digital evidence, especially disk images. Figure 7 shows the Autopsy Forensic Browser.
FIGURE 7 – AUTOPSY FORENSIC BROWSER
The Autopsy Forensic Browser runs on Windows, Linux, and OS X. Autopsy can ingest disk images (and attached drives), analyze them, and create reports. One of the most important tasks an investigator performs is to produce a report of his or her findings. A built-in report generator in Autopsy reports on any tagged items.
CONCLUSION: In this lab, you will use Autopsy Forensic Browser and a hex editor to investigate different Windows file systems (NTFS and FAT).
Examining NTFS Features

The most common Windows file systems are FAT and NTFS. There are several versions of NTFS. The older version included with Windows NT did not support the Encrypted File System, or EFS. Starting with Windows 2000, NTFS versions support the EFS feature.

Viewing File Systems

Log on to the External Windows 7 Machine
1. Click the START button in the adjoining window.
INITIALIZING THE VIRTUAL ENVIRONMENT
2. Click on the Windows 7 machine in the topology.
Note: If the Windows 7 machine is still booting, just give it the time to fully start.
WINDOWS 7 MACHINE
3. Log on to Windows 7 as student with the password of password and press <Enter>.
Note: The password of password will not be displayed when you type it for security purposes.
LOGGING ON TO THE WINDOWS 7 MACHINE
4. Click on the Pearl (Start button) and click on the link to Computer.
COMPUTER LINK
5. Right-click on the FAT32 Drive (F:) and select Properties.
PROPERTIES OF THE FAT32 DRIVE
6. Notice that there is no Security or Quota tab on a FAT32 volume: FAT has no per-file access control lists, so anyone who can mount the volume can read every file on it.
EXAMINING A FAT32 VOLUME
7. Close the FAT32 (F:) Properties window.
CLOSING FAT32 (F:) PROPERTIES
8. Right-click on Local Disk (C:) and select Properties.
PROPERTIES OF THE DRIVE
9. Notice the flag of 999818. Click on the Challenge icon and type the flag number into the answer box. This is just to show you how to capture the Challenge Flags you will see throughout this lab.
Challenge Sample #
10. View the File system type, which should be listed as NTFS.
NTFS DRIVE
Note: On NTFS volumes, security permissions and quotas can be configured. Security permissions can be configured to restrict access to files or folders. Quotas are used to restrict the amount of storage for each user to prevent a disk from running out of space.
11. Click on the Security tab. This is where Access Control Lists (ACLs) are configured: every file and folder on an NTFS volume carries a security descriptor whose discretionary ACL lists which users and groups may read, write, or execute it.
NTFS PERMISSION
12. Notice the flag2 user displayed in the list.
Challenge #
13. Click on the Quota tab. This is where disk usage can be restricted for users.
THE QUOTA TAB
14. Close all windows.
CLOSING WINDOWS
We will now examine some of the features of an NTFS disk, including the Encrypted File System (EFS), Alternate Data Streams (ADS), and timestomping of MAC (Modified, Accessed, Created) times. These features are not available on FAT file system volumes.
15. Double-click on the shortcut to the Command Prompt on the Desktop.
COMMAND PROMPT SHORTCUT
16. Type the following command and press <Enter> to view files and folders.
C:\>dir
17. Type the following command and press <Enter> to view the contents of the flag3.txt file.
Challenge #
18. Type the following command and press <Enter> to make a file called regular.txt on the root of C:.
C:\>echo this is a regular file > regular.txt
MAKING A FILE
19. Type the following command and press <Enter> to view the file called regular.txt on the root of C:.
C:\>more regular.txt
SHOWING THE CONTENTS OF A FILE
20. Type the following command and press <Enter> to make a file called hidden.txt on the root of C:.
C:\>echo this file will be hidden > hidden.txt
MAKING A FILE
21. Type the following command and press <Enter> to view the file called hidden.txt on the root of C:.
C:\>more hidden.txt
SHOWING THE CONTENTS OF A FILE
Next, we will hide the file called hidden.txt within the file regular.txt using an alternate data stream, or ADS. Before doing so, we will examine the file size of regular.txt.
22. Type the following command and press <Enter> to view the file size of the regular.txt file.
C:\>dir regular.txt
VIEWING THE FILE
23. To create the ADS, type the following command and press <Enter>. The syntax filename:streamname names a stream inside regular.txt; the unnamed stream is what every ordinary tool reads.
C:\>type hidden.txt > regular.txt:hidden.txt
CREATING AN ADS
24. Just to get rid of the evidence, we will delete the file with the hidden information by typing the following command and pressing <Enter>.
C:\>del hidden.txt
DELETING A FILE
25. Type the following command and press <Enter> to view the file size of regular.txt. It did not increase, because dir reports only the size of the unnamed data stream.
C:\>dir regular.txt
VIEWING THE FILE
26. If you type the following command and press <Enter> to list all files and folders, the ADS will not be present.
C:\>dir
VIEWING FILES
27. Type the following command and press <Enter> to view all ADS files on the root of C:.
C:\>dir /r
VIEWING ADS FILES
Note: The dir /r switch is not available in operating systems prior to Windows Vista.
28. Type the following command and press <Enter> to view the contents of the ADS.
C:\>notepad regular.txt:hidden.txt
VIEWING THE CONTENTS OF THE ADS
29. Close the text file when you are finished viewing it by clicking on the red X.
CLOSING THE FILE
30. Type the following command to delete the regular.txt file.
31. Type the following command and press <Enter> to view all ADS files on the root of C:.
C:\>dir /r
32. Type the following command and press <Enter> to view the contents of the ADS file.
C:\>notepad flag.txt:flag4.txt
Challenge #
33. Close the text file when you are finished viewing it by clicking on the red X.
Note: The timestomp.exe utility below can be used on an NTFS volume to change MAC times.
34. Type the following command and press <Enter> to view the options for the timestomp.exe utility.
C:\>timestomp
TIMESTOMP COMMAND
35. Type the following command and press <Enter> to view the current dates and times of files.
C:\>dir
VIEWING FILES
36. Type the following command and press <Enter> to copy the timestamps of config.sys onto hi.txt. The -f switch takes the MAC times from the named file; the other switches (-m, -a, -c, -e, -z) set individual values or all of them at once.
C:\>timestomp hi.txt -f config.sys
TIMESTOMPING A FILE
37. Type the following command and press <Enter> to view the dates and times of the files again. hi.txt now shows the dates of config.sys.
C:\>dir
VIEWING THE TIMESTOMPED FILE
38. Type the following command and press <Enter> to make a directory called private on the root of C:.
C:\>mkdir private
MAKING A DIRECTORY
39. Type the following command and press <Enter> to list all files and folders on the root of C:.
C:\>dir
PRIVATE DIRECTORY
40. Type the following command and press <Enter> to enter the private directory on the root of C:.
C:\>cd private
ENTERING THE DIRECTORY
41. Create a file called SSN.txt that contains 123-45-6789 by typing the following command and pressing <Enter>.
C:\private>echo 123-45-6789 > SSN.txt
CREATING SSN.TXT
42. Type the following command and press <Enter> to view the files and folders in the private directory.
C:\private>dir
DIRECTORY LISTING
43. Type the following command and press <Enter> to view the contents of the SSN.txt file.
C:\private>type SSN.txt
VIEWING THE CONTENTS OF THE FILE
44. Type the following command and press <Enter> to leave the command line environment.
C:\private>exit
EXITING THE COMMAND LINE
45. Click on the Start button (Pearl) and select Computer from the Start Menu.
START MENU
46. Under Hard Disk Drives (5), double-click on Local Disk (C:).
THE C: DRIVE
47. Right-click on the private folder in the list and select Properties.
PROPERTIES OF THE FOLDER
48. On the General tab, click the Advanced button.
ADVANCED TAB
49. Check the box that states Encrypt contents to secure data. Click OK.
ENCRYPT CONTENTS
50. Click OK. Select Apply changes to this folder, subfolders and files. Click OK.
APPLYING CHANGES TO THE FOLDER
51. View the private folder on the C: drive; the name of the folder is now displayed in green, which Explorer uses to mark EFS-encrypted items.
ENCRYPTED FOLDER
52. Click the close button.
CLOSING WINDOW
53. Open a Command Prompt by double-clicking on the shortcut on the Desktop.
OPENING THE COMMAND PROMPT
54. Create a user on the Windows 7 system by typing the following command and pressing <Enter>.
C:\>net user jessejames cowboy /add
CREATING A USER
55. Verify that the user exists and get information about the account by typing the following command and pressing <Enter>.
C:\>net user jessejames
56. Type the following command and press <Enter> to add the user to the local Administrators group.
C:\>net localgroup administrators jessejames /add
ADDING THE USER TO ADMINISTRATORS
57. Verify that the user has been added to the Administrators group by typing the following command and pressing <Enter>.
C:\>net localgroup administrators
VIEWING THE ADMINISTRATORS GROUP
58. Verify that the flag5 user exists and get information about the account by typing the following command and pressing <Enter>.
C:\>net user flag5
Challenge #
59. Click on the Start Button (Pearl), click the arrow to the right of Shut down, and select Log off.
LOG OFF
60. Click on the icon with the name jessejames at the Welcome screen.
SELECTING THE USER
61. Type cowboy for the password and press <Enter> for the jessejames account.
Note: The password of cowboy will not be displayed when you type it for security purposes.
TYPING THE PASSWORD
62. Click on the Start button and select Computer from the Start Menu.
START MENU
63. Under Hard Disk Drives (5), double-click on Local Disk (C:).
THE C: DRIVE
64. Double-click on the private folder. Try to open SSN.txt. Access is denied: jessejames is a local administrator, so NTFS permissions alone would not stop him, but the file's content is encrypted with a key that only the student account's EFS certificate can unwrap.
ACCESS IS DENIED
65. Click on the Start Button (Pearl), click the arrow to the right of Shut down, and select Log off.
LOG OFF
66. Click on the Student icon.
ACCESSING STUDENT FORM
67. Log on to Windows 7 as student with the password of password and press <Enter>.
Note: The password of password will not be displayed when you type it for security purposes.
LOGGING ON TO THE WINDOWS 7 MACHINE
CONCLUSION: There are many variations of file systems that are used on operating systems. File systems that are common to Microsoft operating systems include File Allocation Table (FAT) and New Technology File System (NTFS). Some of the features included with the NTFS file system include Alternate Data Streams (ADS) and the Encrypted File System (EFS). A hacker can also perform timestomping on an NTFS volume.
DISCUSSION QUESTIONS:
1. What is an Alternate Data Stream?
2. How is timestomping performed?
3. What is the command to display an ADS from the command line?
4. How do you encrypt a file using the EFS feature of NTFS?
Using a HEX Editor to Explore an NTFS Partition

In this section, we will explore the NTFS file system with the hexadecimal (hex) editor HxD. Make sure that you are at Sector 0, Offset 00000000. You are looking at the Master Boot Record, or MBR, of a disk that holds an NTFS partition. The MBR is not part of NTFS itself: it is the first sector of the disk and contains the boot code and the partition table that points to the NTFS volume. We will begin dissecting it.

Exploring an NTFS Partition

1. Double-click on the HxD icon on the Desktop.
HXD SHORTCUT
2. From the Menu bar, select Extras > Open disk image.
OPENING A DISK IMAGE
3. Double-click on the 10-ntfs-disk.dd - Shortcut.lnk.
NTFS.DD SHORTCUT
4. Leave the Sector size as 512 bytes. Click OK.
OPENING THE IMAGE
5. Highlight bytes 00000000 to 00000162 by clicking and dragging from the first byte down to byte 00000162. If you look at the bottom of the hex editor, it counts the selected bytes for you. This is the boot code that the BIOS runs to make the drive bootable.
BOOTABLE CODE
6. Highlight bytes 00000163 to 000001B2. This area is also part of the boot code and contains its error messages. If you look at the ASCII on the right, you see the message "Missing operating system".
MISSING OPERATING SYSTEM
Note: The entire boot code spans from 00000000 to 000001BD, or 0-445 in decimal.
ENTIRE BOOT CODE
7. Click on Offset located in the upper left to view the decimal values. It will change from h to d.
CHANGING THE OFFSET
8. The first partition entry of the disk begins at 1BE and runs to 1CD (446-461 in decimal); it is 16 bytes long.
FIRST PARTITION
9. An MBR partition table has room for up to four primary partition entries. There are three more entries on this image. The second entry goes from 1CE to 1DD, or from 462 to 477 decimal.
SECOND PARTITION
10. The third entry is from 1DE to 1ED, or from 478 to 493 in decimal.
THIRD PARTITION
11. The fourth and last entry is from 1EE to 1FD, or from 494 to 509 decimal.
FOURTH PARTITION
12. The entire partition table is 64 bytes in length.
PARTITION TABLE
13. Look at the first partition again and highlight 1BE to 1CD, or 446-461 in decimal.
FIRST PARTITION
14. The first byte of the entry tells whether the partition is bootable (active) or not. Our entry is 00, which indicates a non-bootable partition. A value of 80 would indicate a bootable partition.
OPENING THE IMAGE
15. The next three bytes hold the starting Head, Sector and Cylinder of the partition (yes, they are stored out of the order the name CHS suggests). The first byte is the head; the low six bits of the second byte are the sector and its top two bits are the high bits of the cylinder; the third byte holds the remaining eight bits of the cylinder. In our case, CHS is (0,1,1).
Note: The multi-byte integers in the entry (the LBA start and the size below) are stored by Intel processors with the LSB (least significant byte) first and the MSB (most significant byte) last, so the byte order must be reversed when you read them.
CHS INFORMATION
16. The fifth byte is the Partition Type (there are many). In this case, it is 07, which indicates an NTFS partition. Type 07 is also used for exFAT and the older HPFS, so the partition's own boot sector is what confirms the file system.
PARTITION TYPE
17. The next three bytes indicate the ending CHS address, packed the same way.
OPENING THE IMAGE
18. The next four bytes hold the Logical Block Address (LBA) of the partition's first sector, as a little-endian 32-bit integer. Modern operating systems use this LBA value and ignore the CHS fields, which cannot address more than about 8 GB of disk; a tool reads one or the other for a given partition, not both.
LBA INFORMATION
19. The last 4 bytes indicate the size of the partition in sectors, also little-endian. Multiply the LBA start and the size by the sector size (512 here) to get byte offsets in the image.
PARTITION SIZE
Note: This same analysis applies to each partition entry.
20. Finally, the MBR signature is at the end of the Master Boot Record as highlighted below: 55 AA, in bytes 510 and 511.
MASTER BOOT RECORD
21. From the Menu bar, select Extras > Open disk image.
OPENING A DISK IMAGE
22. Double-click on the 10-ntfs-part1.dd.
OPENING THE IMAGE
23. Click Open and leave the Sector size as 512 bytes. Click OK.
OPENING THE IMAGE
24. Look at the signature of the partition. The ASCII string NTFS at offset 3 of the partition's first sector is the OEM ID of an NTFS boot sector; it confirms the file system that the type byte 07 in the MBR suggested. The rest of this sector holds the BIOS Parameter Block with the bytes per sector, sectors per cluster, and the cluster where the $MFT starts.
NTFS
25. Right-click the program on the taskbar and select Close window.
CLOSING PROGRAM
26. Click the Windows icon and select Shut down.
SHUTTING DOWN WINDOWS
27. Close the VM window.
CLOSING VM WINDOW
CONCLUSION: NTFS stands for New Technology File System. A hexadecimal (hex) editor like HxD will allow you to examine the details of NTFS (or FAT/FAT32) partitions and disk images, down to the individual bytes of the MBR partition table and the boot sector.
DISCUSSION QUESTIONS:
1. What is the byte range, in decimal, of the first partition entry?
2. What value indicates that a partition is bootable?
3. What does LBA stand for and what does it do?
4. The Master Boot Record ends with what signature?
Verifying and Viewing the Image Details

An image is a bit-by-bit copy of a disk. In this case, the NTFS file system was used on the volume where the operating system was installed. Starting with Windows Vista, NTFS has to be used on the OS drive. NTFS is also commonly used on data drives.

Verifying Integrity

1. Click on the Machine running Windows 10 in the topology.
WINDOWS 10
2. Click on File Explorer in Windows 10.
FILE EXPLORER
3. Click on Local Disk (C:).
LOCAL DISK
4. Double-click on the images directory.
IMAGES DIRECTORY
Note: When an investigator takes an image, they should record the SHA1 and MD5 hashes (and, with current tools, SHA-256). The hashes for the disk image are usually put into a text file that accompanies the image file, along with the acquisition date, examiner, and drive details.
5. Double-click on the ntfsdd.txt file.
HASH FILE
6. View the MD5 and SHA1 hash values as well as Flag 6. Minimize the text file with the hashes.
ACQUISITION INFORMATION
Challenge #
7. Right-click on the ntfs.dd file and go to Properties.
PROPERTIES
8. Click the File Hashes tab and wait for the hashes to be computed. This tab is provided by a third-party shell extension installed on the lab machine; Windows itself has no hash tab. Without it, run certutil -hashfile ntfs.dd MD5 (or SHA1) in a command prompt or Get-FileHash in PowerShell.
VIEWING HASHES
9. Double-click the ntfsdd.txt file and arrange the windows so both can be displayed at the same time. Notice that the MD5 sum matches the sum from the acquisition text file, and that the SHA1 sum matches as well. Close all of the windows.
NOTEPAD
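Steps 5 through 9 do this comparison by eye; the following added Python example (not from the lab) does it programmatically. It hashes the image in one streaming pass with every algorithm the acquisition note lists, compares each value against the note, and reports the result per algorithm, so a note with MD5 and SHA1 is checked on both. The note format (one KEY: hex line per algorithm) and the tiny image are constructed for the example; real acquisition notes from imaging tools use their own layouts, so parse_acquisition_note() is the part to adapt.

```python
"""Verify a disk image against the hashes recorded at acquisition.
Added example, not part of the lab; the note format and the image are constructed."""
import hashlib
import hmac
import re

CHUNK = 1 << 20   # hash 1 MiB at a time so a multi-GB image never has to fit in RAM


def hash_image(data_iter, algorithms=("md5", "sha1", "sha256")):
    """One streaming pass over the image, all digests at once: {alg: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in data_iter:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def chunks_of(blob, size=CHUNK):
    """Yield an in-memory image in CHUNK-sized pieces (swap in file reads for a real .dd)."""
    for off in range(0, len(blob), size):
        yield blob[off:off + size]


def parse_acquisition_note(text):
    """Pull 'MD5: <hex>' style lines out of the note; keys normalised to md5/sha1/sha256.
    Assumed format, constructed for this example: real tools write their own layout."""
    found = {}
    pattern = r"^\s*(MD5|SHA-?1|SHA-?256)\s*[:=]\s*([0-9a-fA-F]+)\s*$"
    for m in re.finditer(pattern, text, re.MULTILINE | re.IGNORECASE):
        found[m.group(1).replace("-", "").lower()] = m.group(2).lower()
    return found


def verify(image, note):
    """Recompute every hash the note lists and compare. Returns (all_ok, {alg: ok})."""
    expected = parse_acquisition_note(note)
    if not expected:
        raise ValueError("acquisition note contains no recognised hashes")
    actual = hash_image(chunks_of(image), algorithms=tuple(expected))
    results = {alg: hmac.compare_digest(actual[alg], expected[alg]) for alg in expected}
    return all(results.values()), results


def tampered(image):
    """Flip one bit in the middle of the image: the kind of change a hash catches."""
    mid = len(image) // 2
    return image[:mid] + bytes([image[mid] ^ 0x01]) + image[mid + 1:]


# Constructed sample: a tiny NTFS-looking "image" and the note an examiner would have kept.
SAMPLE_IMAGE = b"\xEB\x52\x90NTFS    " + bytes(499) + b"\x55\xAA" + bytes(4096)
SAMPLE_NOTE = (
    "Acquired: 2013-05-14 with dd (constructed sample, not a real acquisition)\n"
    f"MD5: {hashlib.md5(SAMPLE_IMAGE).hexdigest()}\n"
    f"SHA1: {hashlib.sha1(SAMPLE_IMAGE).hexdigest()}\n"
)


if __name__ == "__main__":
    print("original image:", verify(SAMPLE_IMAGE, SAMPLE_NOTE))
    print("tampered image:", verify(tampered(SAMPLE_IMAGE), SAMPLE_NOTE))
```

A single flipped bit fails both digests, which is the point of the check; what it cannot tell you is whether the note itself is genuine, so keep the note with the case file rather than next to the image.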
CONCLUSION: When an image is collected, the incident responder should generate a corresponding text file with the image's MD5 and SHA1 hash values as well as other information such as the cyclic redundancy check (CRC) value. The md5sum and sha1sum utilities (and sha256sum) can be used from a Linux terminal, and certutil -hashfile or Get-FileHash from Windows, to hash a data set and verify the integrity of the data.
DISCUSSION QUESTIONS:
1. What Linux command can be used to parse information out of a txt file?
2. How many bits is the MD5 hashing algorithm?
3. How many bits is the SHA1 hashing algorithm?
4. Which hashing algorithm is more collision resistant, MD5 or SHA1?
Analyzing an NTFS Partition with Autopsy

Forensic analysis requires loading an image file into a forensic tool. The most widely used forensic tools are commercial tools such as EnCase and Forensic Toolkit (FTK). EnCase is made by Guidance Software and FTK is made by AccessData. Both tools require hardware dongles, which helps to prevent illegal copies of the software. There are some free tools, such as Autopsy, which can also be used to perform forensic analysis.

Loading the NTFS Image into Autopsy

1. To use the Autopsy forensic browser, double-click on the shortcut on the Desktop.
AUTOPSY
2. Click Create New Case.
AUTOPSY
3. For the Case Name, type Lab10. For the Base Directory, type C:\images. Verify that the Case data will be saved to C:\images\Lab10 and click Next.
AUTOPSY
4. For the Case Number, type 1. For the Examiner name, type student. Click Finish.
AUTOPSY
5. Click Browse.
AUTOPSY
6. Click This PC and then double-click Local Disk (C:).
AUTOPSY
7. Double-click on the images folder.
AUTOPSY
8. Click ntfs.dd and then click Open.
AUTOPSY
9. Click Next.
AUTOPSY
10. Click Next.
AUTOPSY
11. Click Finish.
AUTOPSY
12. Double-click on ntfs.dd.
AUTOPSY
13. Scroll down using the down arrow on the left side of Autopsy. Notice the NTFS system files, including the Master File Table $MFT and its backup $MFTMirr, alongside $LogFile (the journal), $Bitmap (cluster allocation), $Boot (the boot sector) and $Volume. Every NTFS volume has these metadata files; Autopsy lists them because it parses the $MFT directly instead of asking Windows for a directory listing.
AUTOPSY
14. Close the VM window.
CLOSING VM WINDOW
Note: Press the STOP button to complete the lab.
LAB COMPLETE
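The timestomp step in the first task and the $MFT shown in Autopsy above meet in this added Python example, which is not part of the lab. It parses a 1024-byte $MFT FILE record (update-sequence fixups, resident attribute headers, the four FILETIME values in $STANDARD_INFORMATION and the second set in $FILE_NAME) and applies the two checks examiners use on suspected timestomping: a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one, and $STANDARD_INFORMATION times whose sub-second part is zero while $FILE_NAME keeps the kernel's full precision. The record is built in memory by build_record() from constructed timestamps, so nothing is read from a real image; on the lab's ntfs.dd you would instead read 1024-byte records starting at the $MFT cluster given in the boot sector.

```python
"""Parse an NTFS $MFT FILE record and compare its two timestamp sets.
Added example, not part of the lab; the record is constructed in memory."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF
TIMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def apply_fixups(raw):
    """The last 2 bytes of every 512-byte sector hold the update sequence
    number; the real bytes sit in the update sequence array. Swap them back."""
    usa_off, usa_cnt = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_cnt):
        pos = i * 512 - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[pos:pos + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Return the $STANDARD_INFORMATION and $FILE_NAME timestamps and the file name."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 20)[0]        # offset of the first attribute
    out = {}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END:
            break
        if rec[off + 8] == 0:                          # resident: content is inline
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == STD_INFO:                      # 4 FILETIMEs at offset 0
                out["std_info"] = dict(zip(TIMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 0))))
            elif atype == FILE_NAME:                   # parent reference, then 4 FILETIMEs
                out["file_name"] = dict(zip(TIMES, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out


def timestomp_indicators(parsed):
    """Heuristics: SetFileTime-based tools only rewrite $STANDARD_INFORMATION."""
    si, fn = parsed["std_info"], parsed["file_name"]
    hits = []
    if si["created"] < fn["created"]:
        hits.append("$STANDARD_INFORMATION created precedes $FILE_NAME created")
    if all(t.microsecond == 0 for t in si.values()) and any(t.microsecond for t in fn.values()):
        hits.append("$STANDARD_INFORMATION times have a zero sub-second part")
    return hits


def resident_attr(atype, body):
    """Resident attribute: 24-byte header, content at offset 24, length 8-byte aligned."""
    total = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(body), 24, 0, 0)
    return hdr + body + bytes(total - 24 - len(body))


def build_record(name, si_times, fn_times):
    """Constructed 1024-byte FILE record (test data, not from a real volume)."""
    attrs = resident_attr(STD_INFO, struct.pack("<4Q", *map(dt_to_filetime, si_times)) + bytes(16))
    fn_body = (struct.pack("<Q4QQQII", 5, *map(dt_to_filetime, fn_times), 0, 0, 0, 0)
               + bytes([len(name), 1]) + name.encode("utf-16-le"))
    attrs += resident_attr(FILE_NAME, fn_body) + struct.pack("<I", END) + bytes(4)
    rec = bytearray(1024)
    first = 56            # 48-byte header + 3-entry update sequence array, aligned to 8
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 48, 3, 0, 1, 1, first, 1, first + len(attrs), 1024)
    rec[first:first + len(attrs)] = attrs
    rec[48:50] = b"\x01\x00"                               # update sequence number
    rec[50:52], rec[52:54] = rec[510:512], rec[1022:1024]  # original sector tails
    rec[510:512] = rec[1022:1024] = b"\x01\x00"            # tails replaced by the USN
    return bytes(rec)


# Constructed sample timestamps.
REAL_CREATE = datetime(2020, 3, 14, 15, 9, 26, 535897, tzinfo=timezone.utc)
STOMPED_CREATE = datetime(2009, 1, 1, tzinfo=timezone.utc)


def demo():
    """Indicators for an untouched record and for one backdated with timestomp."""
    normal = parse_record(build_record("SSN.txt", [REAL_CREATE] * 4, [REAL_CREATE] * 4))
    stomped = parse_record(build_record("SSN.txt", [STOMPED_CREATE] * 4, [REAL_CREATE] * 4))
    return timestomp_indicators(normal), timestomp_indicators(stomped)


if __name__ == "__main__":
    for label, hits in zip(("normal", "stomped"), demo()):
        print(f"{label}: {hits or 'no indicators'}")
```

The second heuristic only fires for tools that set whole seconds (timestomp -z does); timestomp -f, as used in the lab, copies another file's full-precision times, so the creation-time comparison is the check that catches it.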
CONCLUSION: Autopsy is a forensic analysis tool that is free to use. Commercial forensic products, such as EnCase and FTK, are more widely used but are not free and require hardware dongles. All of these products allow you to parse forensic images and examine files.
DISCUSSION QUESTIONS:
1. How do you load an image into Autopsy?
2. Name two NTFS system files.
3. Name three files that should be on every NTFS image.
4. What is the function of the $MFT?
References:
1. Comparing NTFS and FAT file systems: windows.microsoft.com/en-us/windows-vista/comparing-ntfs-and-fat-file-systems
2. EFS: https://technet.microsoft.com/en-us/library/cc700811.aspx
3. Alternate Data Streams: http://www.irongeek.com/i.php?page=security/altds
4. FAT32 vs. NTFS: http://www.pcmag.com/article2/0,2817,2421454,00.asp
5. Encrypted File System: http://en.wikipedia.org/wiki/Encrypting_File_System
Organization: Moraine Valley Community College
Author: Jesse Varsalone
Copyright © National Information Security, Geospatial Technologies Consortium (NISGTC)
The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
© Infosec Learning, LLC. All rights reserved.