File System Forensics
THINK BIG WE DO
URI  http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics

NTFS Master File Table Attributes

Master File Table
- $MFT: location and attributes for all files on the partition, including the other metafiles
- Each FILE record is usually 1024 bytes
  - MFT header: first 42 bytes
  - Attributes: remaining bytes
- Each attribute has
  - a header (16 bytes)
  - location and size of content (8 or 56 bytes)
  - content (size varies): the details of the attribute

[Figure: NTFS partition layout: $BOOT, $MFT, $MFTMirr, then the data area.]
[Figure: MFT file record layout: MFT header, then a sequence of attributes (each one an attribute header, its location/size fields and its content), then unused space.]

MFT File Attributes
Hex    Dec  Attribute               Description
0x10   16   $STANDARD_INFORMATION   Timestamps, link counts, file type flags, owner
0x20   32   $ATTRIBUTE_LIST         Lists the location of all attribute records that do not fit in this MFT record
0x30   48   $FILE_NAME              File name (repeatable)
0x40   64   $OBJECT_ID              Unique identifier for the file (not common)
0x50   80   $SECURITY_DESCRIPTOR    Who owns the file and who can access it
0x60   96   $VOLUME_NAME            Used in the $VOLUME metafile; volume label
0x70   112  $VOLUME_INFORMATION     Used in the $VOLUME metafile; NTFS version and dirty flag
0x80   128  $DATA                   Contains file data (repeatable)
0x90   144  $INDEX_ROOT             INDX record, used to implement folders and indexes
0xA0   160  $INDEX_ALLOCATION       INDX record, used to implement folders and indexes
0xB0   176  $BITMAP                 Directory content mapping
0xC0   192  $REPARSE_POINT          Used for volume mount points and shortcuts
0xD0   208  $EA_INFORMATION         OS/2 compatibility extended attributes
0xE0   224  $EA                     OS/2 compatibility extended attributes
0x100  256  $EFS                    Logged utility data stream (used for EFS/encryption)

NTFS Attribute Header
Hex   Dec  Bytes  Description
0x00  0    4      Attribute type identifier (e.g. 0x10 = $STANDARD_INFORMATION)
0x04  4    4      Length of attribute (includes header)
0x08  8    1      Non-resident flag (00 = content is resident, 01 = content is non-resident)
0x09  9    1      Length of name (only for ADS)
0x0A  10   2      Offset to name (only for ADS)
0x0C  12   2      Flags (0x0001 compressed, 0x4000 encrypted, 0x8000 sparse)
0x0E  14   2      Attribute identifier (counter)
Attribute Location & Size (resident attribute, immediately after the 16-byte header)
Hex   Dec  Bytes  Description
0x10  16   4      Length of attribute content
0x14  20   2      Offset to attribute content
0x16  22   1      Indexed
0x17  23   1      Padding

$STANDARD_INFORMATION (0x10)
Hex   Dec  Bytes  Description
0x00  0    8      Creation date and time (UTC)
0x08  8    8      Last modified date and time (UTC)
0x10  16   8      $MFT modified date and time (UTC)
0x18  24   8      Last accessed date and time (UTC)
0x20  32   4      Flags
0x24  36   4      Maximum number of versions
0x28  40   4      Version number
0x2C  44   4      Class ID
0x30  48   4      Owner ID
0x34  52   4      Security ID
0x38  56   4      Quota charged
0x40  64   8      Update sequence number
$FILE_NAME (0x30)
Hex   Dec  Bytes  Description
0x00  0    6      $MFT record number of parent directory
0x06  6    2      Sequence number of the parent directory
0x08  8    8      Creation date and time (UTC)
0x10  16   8      Last modified date and time (UTC)
0x18  24   8      $MFT modified date and time (UTC)
0x20  32   8      Last accessed date and time (UTC)
0x28  40   8      Allocated size of the index
0x30  48   8      Actual size of the index
0x38  56   4      Flags
0x3C  60   4      Reparse value
0x40  64   1      Filename length in characters
0x41  65   1      Filename namespace (0 = POSIX, 1 = Win32, 2 = DOS)
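The tables above (attribute header, resident location/size fields, $STANDARD_INFORMATION and $FILE_NAME layouts) are easiest to understand by walking real bytes with them. The following parser is an added example written for this page, not code from the course or from any forensic tool. It assumes the offsets exactly as tabulated here, plus three facts the slides leave implicit: the 8-byte timestamps are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), the attribute sequence in a FILE record ends with the type value 0xFFFFFFFF, and the filename after offset 0x41 is UTF-16LE. The sample attribute bytes are constructed in the block itself (a hypothetical "report.txt" under MFT record 5) rather than taken from a disk image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Type identifiers, attribute flags and namespaces as listed on the slides.
ATTR_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$EFS",
}
ATTR_FLAGS = {0x0001: "compressed", 0x4000: "encrypted", 0x8000: "sparse"}
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS"}
END_MARKER = 0xFFFFFFFF  # ends the attribute sequence of a FILE record (standard NTFS, not on the slides)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    # The 8-byte timestamps count 100 ns ticks since 1601-01-01 UTC (Windows FILETIME).
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_attribute_header(buf, off):
    # 16-byte header (NTFS Attribute Header table); for resident attributes the
    # 8-byte Attribute Location & Size fields follow at offset 0x10.
    type_id, length = struct.unpack_from("<II", buf, off)
    non_resident, name_len = buf[off + 8], buf[off + 9]
    name_off, flags, attr_id = struct.unpack_from("<HHH", buf, off + 10)
    ads_name = buf[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")  # "" when unnamed
    content = None  # non-resident content sits in clusters described by a run list, not covered here
    if not non_resident:
        content_len, content_off = struct.unpack_from("<IH", buf, off + 0x10)
        content = buf[off + content_off:off + content_off + content_len]
    return {"type": type_id, "name": ATTR_NAMES.get(type_id, "0x%X" % type_id), "length": length,
            "non_resident": bool(non_resident), "id": attr_id, "ads_name": ads_name,
            "flags": [n for bit, n in ATTR_FLAGS.items() if flags & bit], "content": content}


def parse_standard_information(c):
    # Offsets from the $STANDARD_INFORMATION table; version/class/quota fields are skipped.
    created, modified, mft_modified, accessed, flags = struct.unpack_from("<QQQQI", c, 0)
    owner_id, security_id = struct.unpack_from("<II", c, 0x30)
    usn, = struct.unpack_from("<Q", c, 0x40)
    return {"created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified),
            "mft_modified": filetime_to_datetime(mft_modified), "accessed": filetime_to_datetime(accessed),
            "flags": flags, "owner_id": owner_id, "security_id": security_id, "usn": usn}


def parse_file_name(c):
    # Offsets from the $FILE_NAME table; the name itself is UTF-16LE right after the namespace byte.
    parent_record = int.from_bytes(c[0:6], "little")
    parent_seq, = struct.unpack_from("<H", c, 6)
    (created, modified, mft_modified, accessed,
     alloc_size, real_size, flags, reparse) = struct.unpack_from("<QQQQQQII", c, 8)
    name_len, namespace = c[0x40], c[0x41]
    return {"parent_record": parent_record, "parent_seq": parent_seq, "flags": flags, "reparse": reparse,
            "created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified),
            "mft_modified": filetime_to_datetime(mft_modified), "accessed": filetime_to_datetime(accessed),
            "alloc_size": alloc_size, "real_size": real_size,
            "namespace": NAMESPACES.get(namespace, namespace),
            "name": c[0x42:0x42 + 2 * name_len].decode("utf-16-le")}


DECODERS = {0x10: parse_standard_information, 0x30: parse_file_name}


def decode_attributes(buf, off=0):
    # Walk consecutive attributes using each header's length field until the end marker.
    out = []
    while off + 8 <= len(buf):
        type_id, length = struct.unpack_from("<II", buf, off)
        if type_id == END_MARKER or length == 0:
            break
        hdr = parse_attribute_header(buf, off)
        decoded = None
        if hdr["content"] is not None and hdr["type"] in DECODERS:
            decoded = DECODERS[hdr["type"]](hdr["content"])
        out.append((hdr, decoded))
        off += length
    return out


def si_created_before_fn(si, fn):
    # $STANDARD_INFORMATION times can be changed through user-mode APIs, $FILE_NAME times normally
    # cannot, so an $SI creation time earlier than the $FN one deserves a second look.
    return si["created"] < fn["created"]


# --- constructed sample attribute sequence (built here, not taken from a real disk) ---
def _resident_attr(type_id, content, attr_id):
    length = (24 + len(content) + 7) & ~7  # attributes are padded to 8-byte boundaries
    hdr = struct.pack("<IIBBHHH", type_id, length, 0, 0, 0x18, 0, attr_id)  # resident, unnamed, no flags
    loc = struct.pack("<IHBB", len(content), 0x18, 0, 0)  # content length, offset, indexed, padding
    return (hdr + loc + content).ljust(length, b"\0")


T0 = 132223104000000000  # 2020-01-01 00:00:00 UTC as a FILETIME value
DAY = 864_000_000_000    # one day in 100 ns ticks
_si = struct.pack("<QQQQIIIIIIQQ", T0, T0 + DAY, T0 + DAY, T0 + 2 * DAY, 0x20, 0, 0, 0, 0, 256, 0, 77)
_fn = (b"\x05\x00\x00\x00\x00\x00" + struct.pack("<H", 5)          # parent = MFT record 5 (root), seq 5
       + struct.pack("<QQQQQQII", T0, T0, T0, T0, 4096, 1234, 0x20, 0)
       + bytes([10, 1]) + "report.txt".encode("utf-16-le"))       # 10 characters, Win32 namespace
SAMPLE_ATTRS = _resident_attr(0x10, _si, 0) + _resident_attr(0x30, _fn, 2) + struct.pack("<I", END_MARKER)

if __name__ == "__main__":
    for hdr, decoded in decode_attributes(SAMPLE_ATTRS):
        print(hdr["name"], hdr["length"], "bytes,", "non-resident" if hdr["non_resident"] else "resident", decoded)
```

To run it against a real record, slice the 1024-byte FILE entry out of $MFT and pass the bytes starting at the first attribute (the offset is read from the MFT header, not assumed); decode_attributes then yields one (header, decoded) pair per attribute, with decoded set only for the two types whose layouts appear on these slides. The two timestamp sets are kept separate on purpose: comparing $STANDARD_INFORMATION against $FILE_NAME is what makes the $FN copy forensically useful.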