COMP 4027 Windows and Forensics. MS File structures Need to understand MS file structures to know where files are stored in Windows Need to understand.

COMP 4027

Windows and Forensics

MS File structures

• Need to understand MS file structures to know where files are stored in Windows

• Need to understand clusters, File Allocation Table (FAT) and NTFS

• Need to know how the OS stores data to know where files and parts of files may be hidden

Exploring Microsoft File Structures

1 - 4 Sectors grouped in Clusters – Storage allocation units of 512, 1024, 2048, 4096, or more bytes.

Logical Address – Clusters are numbered sequentially and number assigned by the operating system.

Sectors are Physical Address – Addresses that reside at the hardware or firmware level.


Many hard disks are partitioned

Partition – A logical drive on a disk. It can be the entire disk or a portion thereof.

Inner-Partition Gap – Partitions created with unused space or voids between the primary partition and the first logical partition.

Can use an editor and edit partition table to hide this gap




Master Boot Record (MBR) – On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.


File Allocation Table (FAT) – The original file structure database that Microsoft originally designed for floppy disks.

Prior to Windows NT and 2000

It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.


Cluster sizes vary according to size of disk and file system


• Disk space is allocated by cluster

• Results in drive slack

• If you create a 5000 byte Word file then on a FAT 16 1.6 GB disk then the OS reserves 1 cluster

• However in FAT 16 32,000 bytes allocated to your file = 27,000 file slack

• 5000 byte file uses 10 sectors = 5120 bytes so 120 bytes spare as RAM slack where any info in RAM is put such as login ID, password etc



• Space provided to reduce fragmentation of file

• If file fills up the reserved 27000 bytes then another cluster is allocated producing more slack space

• As file grows clusters are chained together usually contiguous

• As files created, deleted etc then chain can be broken, fragmented lost



End-of-File Marker – 0x0FFFFFFF. This code is typically used with FAT file systems to show where the file ends.

When file is deleted only reference to it is removed – this area can receive new data

Unallocated Disk Space –The area of disk where the deleted file resides.

Examining NTFS Disks

New Technology File System – Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile operating system.

Much less slack space

Everything on the disk is a file


Partition Boot Sector – The first data set of an NTFS disk. It starts at sector [0] of the disk drive and it can be expanded up to 16 sectors.

Master File Table – Used by NTFS to track files. Like FAT. It contains information about the access rights, date and time stamps, system attributes, and parts of the file. 12.5% of disk on creation and can be up to 50%



Unicode – A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters.

American Standard Code for Information Interchange (ASCII) – A coding scheme using 7 or 8 bits that assigns numeric values up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.

Examining NTFS DisksMeta-Data – In NTFS, this refers to information stored in the MFT.




All files and folders have attributes (eg. Name, security, data). Each attribute has a code

Resident Attributes – When referring to MFT, all attributes that are stored in the MFT of the NTFS.

Nonresident Attributes – When referring to MFT of the NTFS, all data that is stored in a location separate from the MFT.



Logical Cluster Numbers (LCNs) – Used by the MFT of NTFS. It refers to a specific physical location on the drive.

Virtual Cluster Number (VCN) – When a file is saved in the NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.



Multiple Data Streams – Ways in which data can be appended to a file intentionally or not. In NTFS, it becomes an additional data attribute of the file.

Searching for evidence

• If metadata entry is unallocated then we can recover metadata – links and properties

• May be out of sync if we are unsure whether data units are allocated to new files

• Very difficult to determine

• Compressed files are also a challenge since he tool used to recover the compressed file must support the same algorithm

Application level searching

• Many application files have a structure and signature type

• Data ‘carving’ can be carried out where a chunk of data is searched for signatures of beginning and end of file eg standard jpg headers and footers

• Eg tool foremost has signatures and searches for – Eg jpg y 200000 \xff\xd8 \xff\xd9


Encrypted File System (EFS) –Encryption first used in Windows 2000 on NTFS formatted disks.

If a user encrypts a recovery certificate is generated and sent to admin account – otherwise will automatically decrypt on use


EFS Recovery Agent Functions – DOS commands

-CIPHER

-COPY

-EFSRECVER


• Deleting files– File is renamed and moved to recycle bin

– Windows stores info about path in Info2 file

– Files are permanently deleted in the same way as in FAT

• Associated clusters marked as free for new data

• $BITMAP attribute updated to reflect deletion

• File attribute record marked as being available

• Andy linking nodes and VFN/LCN cluster removed

• Any link references removed

Understanding Microsoft Boot Tasks

Need to understand boot tasks to know what might be altered if you had to boot up

Windows XP, 2000, and NT Startup

-Power on self test

-Initial startup

-Boot loader

-Hardware detection and configuration

-Kernel loading

-User logon


Windows XP startup

NT Loader (NTLDR) – Loads Windows NT. It is located in the root folder of the system partition.

Reads boot.ini to display booyt menu

Runs Ntoskrnl.exe and Bootvid.dll, Hal.dllamd device drviers


• Boot.ini – Specifies the Windows NT path installation.

• BootSect.dos – Contains the address of the boot sector location of each operating system.

• NTDetect.com – A command file that identifies hardware components during bootup and sends the information to NTLDR.


NTBootdd.sys – Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.

Ntoskrnl.exe – The Windows NT operating system kernel. It is located in the Windows\System32 folder.

Hal.dll – Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.

Device Drivers – Contain instructions for the operating system for hardware devices.



• When you start Win NT or older NTFS several file are immediately accessed and thus dates change to current date


DOS Protected-Mode Interface (DPMI) – Used by many computer forensics tools that do not operate in the Windows environment.


Understanding Microsoft Boot TasksCommand.com – Provides a prompt when booting to MS-DOS mode. User interface for the MS-DOS operating system. Contains the following commands:

-DIR

-CD

-CLS

-DATE

-COPY

-DEL


-MD

-PATH

-PROMPT

-RD

-SET

-TIME

-TYPE

-VER

-VOL

Understanding MS-DOS Startup Tasks

IO.SYS – The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computer’s BIOS and Hardware, and with MS-DOS code.

MSDOS.SYS – A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.

CONFIG.SYS – A text file that contains commands that are typically run only at system startup.


AUTOEXEC.BAT – An automatically executed batch file that contains customized commands and settings for MS-DOS.


Summary

-The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.X and Windows 9x.

-The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software.

-The capacity of a hard disk is obtained by using the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.

Summary

-Clusters are used to accommodate large files. Sectors are grouped into clusters and clusters are chained to minimize the overhead of reading and writing files to a disk.

-The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes.

-File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.

Summary

-To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications.

-NTFS uses Unicode to store information. Unicode is an international code and uses a 16-bit configuration instead of an 8-bit configuration used by ASCII.

-Hexadecimal codes provide information about files and OSs. You can determine the file type by using various tools such as WinHex and Hex Workshop.

Summary

-NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident.

-NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.

COMP 4027 Windows and Forensics. MS File structures Need to understand MS file structures to know where files are stored in Windows Need to understand.

Documents

file slide

file system slide

file slack

deleted file

byte file

fragmentation of file

file ends

ntfs disks slide