Windows File System

https://www.ntfs.com/ntfs_basics.htm
 Understanding File Systems

• File system
– Gives OS a road map to data on a disk
• Type of file system an OS uses determines how
data is stored on the disk
• A file system is usually directly related to an OS
• When you need to access a suspect’s computer to
acquire or inspect data
– You should be familiar with the computer’s platform
 Understanding the Boot Sequence

• Complementary Metal Oxide Semiconductor

(CMOS)
– Computer stores system configuration and date and
time information in the CMOS
• When power to the system is off
• Basic Input/Output System (BIOS)
– Contains programs that perform input and output at
the hardware level
 Understanding the Boot Sequence
(continued)

• Bootstrap process
– Contained in ROM, tells the computer how to
proceed
– Displays the key or keys you press to open the
CMOS setup screen
• Could be Delete, F2, F10, Ctrl+Alt+Insert, Ctrl+A,
Ctrl+S, Ctrl+F1, or something else
• CMOS should be modified to boot from a forensic
floppy disk or CD
BIOS Setup Utility
 Understanding Disk Drives

• Disk drives are made up of one or more platters

coated with magnetic material
• Disk drive components
– Geometry
– Head
– Tracks
– Cylinders
– Sectors
• Holds 512 bytes, you cannot read or write anything
less than a sector
Understanding Disk Drives (continued)

• Properties handled at the drive’s hardware or

firmware level
– Zoned bit recording (ZBR) (resizing sectors to
compensate for distance from the center)
– Track density
– Areal density
– Head and cylinder skew
 No Need for Multi-Path Erasure

• On older disks, the space between tracks was

wider, which allowed heads to wander
• This made it possible for specialists to retrieve data
from previous writes to a platter, even after erasure
– Using an electron microscope
• On any IDE or SATA or later hard drive, this is
impossible
• A single pass of zeroes erases all data on a disk so
it cannot be recovered by any currently known
technique
Exploring Microsoft File
Structures
 Exploring Microsoft File Structures

• In Microsoft file structures, sectors are grouped to

form clusters
– Storage allocation units of one or more sectors
• Clusters are typically 512, 1024, 2048, 4096, or
more bytes each
• Combining sectors minimizes the overhead of
writing or reading files to a disk
 Exploring Microsoft File Structures
(continued)
• Clusters are numbered sequentially starting at 2
– First sector of all disks contains a system area, the
boot record, and a file structure database
• OS assigns these cluster numbers, called logical
addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a
logical disk drive, which is a disk partition
 Disk Partitions

• A partition is a logical drive

• FAT16 does not recognize disks larger than 2 GB
– Large disks have to be partitioned
• Hidden partitions or voids
– Large unused gaps between partitions on a disk
• Partition gap
– Unused space between partitions
 Disk Partitions (continued)

• Disk editor utility can alter information in partition

table
– To hide a partition
• Can examine a partition’s physical level with a disk
editor:
– HxD, Norton DiskEdit, WinHex, or Hex Workshop
• Analyze the key hexadecimal codes the OS uses to
identify and maintain the file system
 Demo: VM with Three Partitions

• Partition Types
– NTFS: 07
– FAT: 06
– FAT32: 0B
 Viewing the Partition Table HxD
• Start HxD, Extras, Open Disk, choose Physical
Disk
• Partition Table starts at 0x1BE
• Partition Type field is at offset 0x04 in each record
 Master Boot Record Structure

• From Wikipedia
 Partition Table Structure

• From Wikipedia
 Partition Mark at Start of Volume
• Start HxD, Extras, Open Disk
• NTFS

• FAT32
 BMP File in HxD
• Start HxD, File, Open
• BM at start indicates a BMP file
 Word Doc File in HxD
• Start HxD, File, Open
• Word 2003 Format uses these 7 bytes

• .docx format is actually a Zip archive

 Master Boot Record

• On Windows and DOS computer systems

– Boot disk contains a file called the Master Boot
Record (MBR)
• MBR stores information about partitions on a disk
and their locations, size, and other important items
• Several software products can modify the MBR,
such as PartitionMagic’s Boot Magic
 Examining FAT Disks

• File Allocation Table (FAT)

– File structure database that Microsoft originally
designed for floppy disks
– Used before Windows NT and 2000
• FAT database is typically written to a disk’s
outermost track and contains:
– Filenames, directory names, date and time stamps,
the starting cluster number, and file attributes
• FAT versions
– FAT12, FAT16, FAT32, FATX (for Xbox), and VFAT
 FAT Versions

• FAT12—for floppy disks, max size 16 MB

• FAT16—allows hard disk sizes up to 2 GB
• FAT32— allows hard disk sizes up to 2 TB 
• FATX—For Xbox media
– The date stamps start at the year 2000, unlike the other FAT
formats that start at 1980
• VFAT (Virtual File Allocation Table)
– Allows long file names on Windows (MS-DOS had 8.3
limitation)
 Examining FAT Disks (continued)

• Cluster sizes vary according to the hard disk size

and file system
• This table is for FAT-16
 Examining FAT Disks (continued)
• Microsoft OSs allocate disk space for files by clusters
– Results in RAM/drive slack
• Unused space in a cluster between the end of an active file and
the end of the cluster
• Slack, in general, refers to the difference between the logical file size and
physical size.
• Slack can be broken down into two different areas, RAM slack and File
Slack.
• RAM slack is the slack between the end of the logical file and the rest of
that sector
• File Slack is the remaining sectors to the end of the cluster
• RAM slack is the slack at the byte and sector level. File slack is the
sectors to the cluster level.
Examining FAT Disks (continued)
 Examining FAT Disks (continued)

• When you run out of room for an allocated cluster

– OS allocates another cluster for your file, which
creates more slack space on the disk
• As files grow and require more disk space,
assigned clusters are chained together
– The chain can be broken or fragmented
ProDiscover Showing Cluster Chain
 Examining FAT Disks (continued)

• When the OS stores data in a FAT file system, it

assigns a starting cluster position to a file
– Data for the file is written to the first sector of the first
assigned cluster
• When this first assigned cluster is filled and runs
out of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the
current cluster
– File becomes fragmented
 Deleting FAT Files

• In Microsoft OSs, when a file is deleted

– Directory entry is marked as a deleted file
• With the HEX E5 (σ) character replacing the first letter
of the filename
• FAT chain for that file is set to 0
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides
becomes unallocated disk space
– Available to receive new data from newly created
files or other files needing more space
 Examining NTFS Disks

• New Technology File System (NTFS)

– Introduced with Windows NT
– Recommended file system for Windows 200 Pro,
XP, and later versions through Windows 7 at least
• Improvements over FAT file systems
– NTFS provides more information about a file
– NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file
system
 Examining NTFS Disks (continued)

• In NTFS, everything written to the disk is

considered a file
• On an NTFS disk
– First data set is the Partition Boot Sector
– Next is Master File Table (MFT)
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
– An international data format
 NTFS File System
• Formatting a volume with the NTFS file system
results in the creation of several system (metadata)
files such as $MFT — Master File Table, $Bitmap,
$LogFile and others, which contains information
about all the files and folders on the NTFS volume.
• MFT contains information about all files on the disk
– Including the system files the OS uses
• In the MFT, the first 15 records are reserved for
system files
• Records in the MFT are called metadata
• The first information on an NTFS volume is the Partition Boot
Sector ($Boot metadata file), which starts at sector 0 and can be
up to 16 sectors long. This file describes the basic NTFS volume
information and a location of the main metadata file — $MFT.

• When you format an NTFS volume, the format program allocates

the first 16 sectors for the $Boot metadata file. First sector, in fact,
is a boot sector with a "bootstrap" code and the following 15
sectors are the boot sector's IPL (initial program loader).
 MFT
• The first record of this table describes the master file table itself,
followed by a MFT mirror record.
• If the first MFT record is corrupted, NTFS reads the second record
to find the MFT mirror file, whose first record is identical to the first
record of the MFT. The locations of the data segments for both the
MFT and MFT mirror file are recorded in the boot sector.
NTFS File System (continued)
NTFS File System (continued)
 MFT and File Attributes
• In the NTFS MFT
– All files and folders are stored in separate records of
1024 bytes each
• Each record contains file or folder information
– This information is divided into record fields
containing metadata
• A record field is referred to as an attribute ID
• File or folder information is typically stored in one of
two ways in an MFT record:
– Resident and nonresident
 MFT and File Attributes (continued)

• Files larger than 512 bytes are stored outside the

MFT
– MFT record provides cluster addresses where the
file is stored on the drive’s partition
• Referred to as data runs
• Each MFT record starts with a header identifying it
as a resident or nonresident attribute
Resident File in a MFT Record
 Resident File Data in the MFT

• This figure is a repeat of a portion of the previous

one
Nonresident File's MFT Record
 MFT and File Attributes (continued)

• When a disk is created as an NTFS file structure

– OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster
numbers (LCNs)
– Become the addresses that allow the MFT to link to
nonresident files on the disk’s partition