File System Forensics
THINK BIG WE DO
URI  http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics

NTFS Master File Table Layout

Master File Table
$MFT
- Holds the location and the attributes of every file on the partition
- Including the other metafiles (the MFT describes itself as record 0)
[Figure: NTFS partition layout: $BOOT, $MFT, $MFTMirr, Data]

NTFS Metafiles

Record  Metafile   Description
0       $MFT       Self reference to the Master File Table
1       $MFTMirr   Backup of the first four MFT FILE records
2       $LogFile   Transaction log used to restore file system consistency after a system error
3       $Volume    Volume information (name, version number, etc.)
4       $AttrDef   Definitions of the supported file attributes
5       . (dot)    Root directory of the volume
6       $Bitmap    Bit map of used/free clusters on the volume
7       $Boot      Boot sector of the volume (not encrypted on a BitLocker volume)
8       $BadClus   List of bad clusters on the volume
9       $Secure    Security descriptors for all files
10      $UpCase    Table of Unicode uppercase characters, used for sorting
11      $Extend    Directory holding the optional extension metafiles
12-14              Reserved for future use (not used or empty)
15-23              Extension records for $MFT if it is heavily fragmented
24+                Records for regular files and directories

Metafiles under $Extend:
$Quota    Disk space allocated to and used by each user
$UsnJrnl  Change journal: a record of changes made to files
$Reparse  Reparse points: shortcuts, mount points and junctions
$ObjId    Object IDs: an alternate way to reference a file

Master File Table
$MFT
- Location and attributes for all files on the partition, including the other metafiles
- Each FILE record is usually 1024 bytes
- MFT record header: the first 42 bytes (48 bytes from NTFS 3.1 / Windows XP onward, which adds the record number field at 0x2C and moves the fix-up array to 0x30)
- Attributes: the remaining bytes, starting at the offset stored at 0x14

MFT File Record
[Figure: MFT header | Attribute | Attribute | Attribute | Attribute | Unused space]

MFT Record Header

Hex   Dec  Bytes  Description
0x00  0    4      Signature [46 49 4C 45] "FILE"
0x04  4    2      Offset to the fix-up array
0x06  6    2      Number of entries in the fix-up array (the USN plus one saved value per 512-byte sector: 3 for a 1024-byte record)
0x08  8    8      $LogFile sequence number (LSN)
0x10  16   2      Sequence number, incremented each time the record is reallocated
0x12  18   2      Hard link count
0x14  20   2      Offset to the start of the attributes
0x16  22   2      Flags (0x01 = record in use, 0x02 = directory)
0x18  24   4      Used size of the MFT entry
0x1C  28   4      Allocated size of the MFT entry
0x20  32   8      File reference to the base record (48-bit record number + 16-bit sequence number; 0 for a base record)
0x28  40   2      Next attribute ID
0x2A  42   2      NTFS before 3.1: start of the fix-up array. NTFS 3.1+: padding
0x2C  44   4      NTFS 3.1+: this record's $MFT record number
Bytes 42-1023 (48-1023 on NTFS 3.1+): fix-up values followed by the attributes. Do not hard-code these offsets; read them from 0x04 and 0x14.

Other possible signatures at offset 0:
46 49 4C 45  FILE  MFT file record
49 4E 44 58  INDX  Index record (directory index buffers in $INDEX_ALLOCATION)
42 41 41 44  BAAD  Record that failed its multi-sector (fix-up) check; written by chkdsk

Fix-Up Data
- On disk, the last two bytes of every 512-byte sector of a record are replaced by the update sequence number (USN), the first entry of the fix-up array
- The original two bytes of each sector are saved in the following entries of the fix-up array
- A reader must check that every sector ends with the USN (a mismatch means a torn write or corruption) and restore the saved bytes before interpreting the attributes. INDX records use the same mechanism.
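The header table and the fix-up rules above are enough to write a parser. The following is an added example, not code from the slides or from the URI Digital Forensics Center: it builds a constructed 1024-byte FILE record the way a writer would leave it on disk (USN stamped over each sector tail, originals saved in the fix-up array), then parses it using the NTFS 3.1 header layout assumed above (record number at 0x2C, 512-byte sectors) and walks the resident attributes. All values in the sample record (LSN, record number 42, attribute contents) are invented for the demonstration; the attribute-header offsets used are the standard resident-attribute layout.

```python
import struct

SECTOR = 512
FLAG_IN_USE = 0x0001      # header flags at 0x16
FLAG_DIRECTORY = 0x0002

# Header fields from 0x04 to 0x2A (see the slide table): fixup_off, fixup_n, lsn,
# seq, links, attr_off, flags, used, alloc, base_ref, next_attr_id
HDR_FMT = "<HHQHHHHIIQH"


def parse_mft_record(raw: bytes) -> dict:
    """Verify the signature, apply the fix-ups, then walk the attributes of one FILE record."""
    rec = bytearray(raw)
    sig = bytes(rec[0:4])
    if sig == b"BAAD":
        raise ValueError("record marked BAAD by chkdsk")
    if sig != b"FILE":
        raise ValueError(f"not a FILE record: signature {sig!r}")
    (fixup_off, fixup_n, lsn, seq, links, attr_off, flags,
     used, alloc, base_ref, next_attr) = struct.unpack_from(HDR_FMT, rec, 4)
    if len(rec) < alloc or used > alloc or fixup_off + 2 * fixup_n > attr_off:
        raise ValueError("header sizes are inconsistent")
    if fixup_n != alloc // SECTOR + 1:
        raise ValueError("fix-up array does not cover every sector")

    # Fix-ups: the writer stamped the USN over the last 2 bytes of every sector and
    # saved the real bytes in the array; undo that before trusting any attribute.
    usn = bytes(rec[fixup_off:fixup_off + 2])
    for i in range(1, fixup_n):
        tail = i * SECTOR - 2
        if bytes(rec[tail:tail + 2]) != usn:
            raise ValueError(f"fix-up mismatch in sector {i - 1}: torn write")
        rec[tail:tail + 2] = rec[fixup_off + 2 * i:fixup_off + 2 * i + 2]

    attrs = []
    off = attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:          # end-of-attributes marker
            break
        if alen < 24 or off + alen > used:
            raise ValueError(f"bad attribute length at 0x{off:X}")
        entry = {"type": atype, "offset": off, "length": alen}
        if rec[off + 8] == 0:            # resident: content is inside the record
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            entry["content"] = bytes(rec[off + coff:off + coff + csize])
        attrs.append(entry)
        off += alen

    return {
        "lsn": lsn, "sequence": seq, "link_count": links,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "used": used, "allocated": alloc,
        "base_record": (base_ref & 0xFFFFFFFFFFFF, base_ref >> 48),
        "next_attr_id": next_attr,
        # 0x2C only exists when the fix-up array was pushed out to 0x30 (NTFS 3.1+)
        "record_number": struct.unpack_from("<I", rec, 0x2C)[0] if fixup_off >= 0x30 else None,
        "usn": struct.unpack("<H", usn)[0],
        "attributes": attrs,
    }


def build_sample_record(usn: int = 0x0101) -> bytes:
    """Constructed 1024-byte record as it would sit on disk (all values invented for the demo)."""
    rec = bytearray(1024)

    def put_resident(off: int, atype: int, aid: int, content: bytes) -> int:
        alen = 0x18 + ((len(content) + 7) // 8) * 8        # 24-byte header + aligned content
        struct.pack_into("<IIBBHHHIHBB", rec, off, atype, alen, 0, 0, 0x18, 0, aid,
                         len(content), 0x18, 0, 0)
        rec[off + 0x18:off + 0x18 + len(content)] = content
        return off + alen

    off = put_resident(0x38, 0x10, 0, bytes(48))                 # $STANDARD_INFORMATION (zeroed)
    off = put_resident(off, 0x30, 1, bytes(66))                  # $FILE_NAME (zeroed)
    off = put_resident(off, 0x80, 2, bytes(i % 256 for i in range(392)))  # $DATA crossing byte 510
    struct.pack_into("<I", rec, off, 0xFFFFFFFF)                 # end marker
    used = off + 8
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0x1234, 5, 1, 0x38,
                     FLAG_IN_USE, used, len(rec), 0, 3, 0, 42)

    # What the writer does: save each sector's last two bytes, stamp the USN over them.
    usn_bytes = struct.pack("<H", usn)
    fixup = bytearray(usn_bytes)
    for tail in range(SECTOR - 2, len(rec), SECTOR):
        fixup += rec[tail:tail + 2]
        rec[tail:tail + 2] = usn_bytes
    rec[0x30:0x30 + len(fixup)] = fixup
    return bytes(rec)


if __name__ == "__main__":
    parsed = parse_mft_record(build_sample_record())
    print({k: v for k, v in parsed.items() if k != "attributes"})
    for a in parsed["attributes"]:
        print(f"  attribute type 0x{a['type']:02X} at 0x{a['offset']:X}, {a['length']} bytes")
```

The $DATA content in the sample deliberately spans the first sector boundary, so bytes 510-511 of the on-disk record hold the USN rather than file content; a parser that skips the fix-up step would hand back two wrong bytes there without any error. Flip a sector tail to something other than the USN and the parser refuses the record, which is the torn-write condition chkdsk reports by rewriting the signature as BAAD.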