Scribd
Upload
22 views21 pages

Module 2 v2

Uploaded by

İlqar Məmmədli

This document provides an overview of analyzing the Windows NTFS filesystem. It discusses how NTFS works, including: - The Master File Table (MFT) contains metadata for all files and directories on the filesystem. - Files and directories are represented as entries in the MFT, which are 1KB in size and have a defined structure for the first 42 bytes. - Attributes within MFT entries can be resident (storing small files internally) or non-resident (storing data elsewhere via cluster chains). - Standard attribute types include $STANDARD_INFORMATION, $FILE_NAME, $OBJECT_ID, and $DATA attributes. - The Sleuth Kit can be

Copyright:

© All Rights Reserved
Download as PDF, TXT or read online from Scribd
Download as pdf or txt

Module 2 v2

Uploaded by

İlqar Məmmədli
22 views21 pages
This document provides an overview of analyzing the Windows NTFS filesystem. It discusses how NTFS works, including: - The Master File Table (MFT) contains metadata for all files and directories on the filesystem. - Files and directories are represented as entries in the MFT, which are 1KB in size and have a defined structure for the first 42 bytes. - Attributes within MFT entries can be resident (storing small files internally) or non-resident (storing data elsewhere via cluster chains). - Standard attribute types include $STANDARD_INFORMATION, $FILE_NAME, $OBJECT_ID, and $DATA attributes. - The Sleuth Kit can be

Original Title

Module_2_v2

Copyright

© © All Rights Reserved

Available Formats

PDF, TXT or read online from Scribd

Did you find this document useful?

Is this content inappropriate?

This document provides an overview of analyzing the Windows NTFS filesystem. It discusses how NTFS works, including: - The Master File Table (MFT) contains metadata for all files and directories on the filesystem. - Files and directories are represented as entries in the MFT, which are 1KB in size and have a defined structure for the first 42 bytes. - Attributes within MFT entries can be resident (storing small files internally) or non-resident (storing data elsewhere via cluster chains). - Standard attribute types include $STANDARD_INFORMATION, $FILE_NAME, $OBJECT_ID, and $DATA attributes. - The Sleuth Kit can be

Copyright:

© All Rights Reserved
Download as PDF, TXT or read online from Scribd
Download as pdf or txt
22 views21 pages

Module 2 v2

Uploaded by

İlqar Məmmədli
This document provides an overview of analyzing the Windows NTFS filesystem. It discusses how NTFS works, including: - The Master File Table (MFT) contains metadata for all files and directories on the filesystem. - Files and directories are represented as entries in the MFT, which are 1KB in size and have a defined structure for the first 42 bytes. - Attributes within MFT entries can be resident (storing small files internally) or non-resident (storing data elsewhere via cluster chains). - Standard attribute types include $STANDARD_INFORMATION, $FILE_NAME, $OBJECT_ID, and $DATA attributes. - The Sleuth Kit can be

Copyright:

© All Rights Reserved
Download as PDF, TXT or read online from Scribd
Download as pdf or txt
You are on page 1/ 21

Windows System

Forensics
Module 2: The Windows NTFS
Filesystem
Module 2: The Windows NTFS Filesystem

• Learning Objectives
– Understanding NTFS Internals
– Understanding the Master File Table (MFT)
– Using the Sleuth Kit to Analyze the MFT
– Using the Sleuth Kit to Recover Deleted File Data from NTFS
NTFS Internals and the Master
File Table (MFT)
NTFS Internals and the Master File Table (MFT)

The “New Technologies File System” (NTFS) is the default filesystem for
Microsoft Windows, from Windows NT, through Windows 2000, XP, all
versions of Server, and up to the current day. In this module we will cover:
• NTFS Concepts
• NTFS Analysis
• NTFS Data Structures
Introduction to NTFS

• NTFS was designed to replace the “File Allocation Table” filesystems


(FAT12/16/32) with a focus on reliability, security, and scalability.
– While still in wide use on small portable devices, FAT filesystems have no support
for ownership or permissions on files, and very limited scalability.
o It remains the default for consumer devices like USB sticks, cameras, etc.
o We will discuss it in a later module.
• NTFS is a complex filesystem, and remains without published
specification from Microsoft.
• This module is heavily based on Brian Carrier’s detailed reverse-
engineering of it as published in File System Forensic Analysis which is a
highly recommended book.
Availability of NTFS

• Due to years of analysis, NTFS is fairly freely available on Linux and


other OSs.
• We will use Linux to create and dissect it throughout this module, for
ease of use of free access and tools.
• It is unclear if these are “valid” NTFS filesystems from Microsoft’s
perspective, but they have proven widely compatible and demonstrate
an open illustration of the concepts and structures.
NTFS Concepts

• Everything Is a File
– The first sectors of the volume contain the bootable code (whether using BIOS or
the “Unified Extensible Firmware Interface” (UEFI) that replaces it in Windows 10
and beyond.
– Otherwise the entire filesystem contains data units that can be allocated to any file,
including the metadata files: notably the Master File Table ($MFT) and its copies.
• The MFT is the heart of NTFS, as it contains all the information about
files and directories in one place—unlike inodes in Unix/Linux which are
not centrally grouped.
– Every file/directory has at least one entry in the table.
– They are 1024B (1KB) with the first 42 bytes having a very defined structure.
MFT Concepts

• The MFT is itself a file too, and it has an entry for itself: “$MFT” (entry
“0”).
• Its starting location is described in the boot sector of the NFTS Volume,
and so the whole thing must be parsed from there.
• The first 16 entries are reserved for filesystem metadata files.
– These all begin with “$” and are capitalized.
o 0: $MFT—the entry for itself
o 1: $MFTMirr—the entry for a backup copy
o 2: $LogFile—the transaction journal
o 3: $Volume—volume information
o etc.
MFT Attributes

• The first 46 bytes of an MFT entry are very structured.


• Attributes can be any size up to the maximum size of the MFT record
which is usually 1024B but can be defined differently at filesystem
creation (much like the Unix/Linux block size and number of inodes).
• Attributes also have headers prior to their content:
Resident vs. Non-Resident Attributes

• A “resident” attribute stores actual file


content (up to the usual 1024B limit)!
• Beyond that limitation, the “non-
resident” attribute stores the address of
the first “cluster” in a chain of “cluster
runs” of consecutive data units, and the
run length.
• The MFT entry for that file can have
multiple “cluster runs” for non-
contiguous runs.
• These would have different starts and
lengths.
Standard Attribute Types

• All attribute types start with a “$” and are in all capital letters.
• Not all exist for every attribute, but there are some common standard
types, including:
– 16: $STANDARD_INFORMATION—flags, CAM times, ownership, etc.
– 48: $FILE_NAME—in Unicode and also CAM times
– 64: $OBJECT_ID— a 16-bit unique identifier for the file or directory
– 128: $DATA—file contents
Encrypted Attributes

• Windows allows $DATA attributes to be encrypted.


• Only the content is encrypted, never the attribute header.
• A $LOGGED_UTILITY_STREAM attribute is created which contains the
the keys.
• Further details are beyond the scope of this course but can be found in
Carrier’s book.
NTFS Analysis with TSK
Using Tsurugi, let’s create an NTFS filesystem to look at:
NTFS Analysis with TSK (cont.)
Let’s have a look with fsstat:
NTFS Analysis with TSK (cont.)
Let’s Look at the $MFT
with istat:
NTFS Analysis with TSK (cont.)
Next the $MFTMirr (entry 1)
NTFS Analysis with TSK (cont.)
Next the $Boot (entry 7)
Demo: Carving and Analyzing
an NTFS Partition
Happy Fun Time!
Carving and Recovering Deleted Data from
NTFS!
Module Quiz

You might also like