NTFS File System: A Forensic Perspective
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014
New Technologies File System

• NTFS – proprietary file system developed by Microsoft
  – Designed for reliability, security and large storage devices
  – Encryption (EFS)
  – File / folder permissions (ACLs)
  – Every file and folder on the volume is treated as a file; even the file system's own metadata lives in files ($MFT, $Bitmap, ...)
  – Date and time stamps are recorded in UTC
  – Timestamps are stored as 64-bit counts of 100-nanosecond intervals since 12:00 A.M. January 1, 1601 (UTC)
New Technologies File System
• Maximum file size: 16 EB (theoretical); 16 TB (real-world limit in the Windows versions current for these slides)
• Maximum volume size: 16 EB (theoretical); 16 TB (real world: 2^32 clusters × the default 4 KB cluster)
• Files per volume: 4,294,967,295 (2^32 - 1)
NTFS System Files

• $MFT – contains a record for each file and folder on the NTFS volume (MFT entry 0)
• $MFTMirr – backup of the first four $MFT records (entry 1)
• $LogFile – journal used by the file system to recover from a failure (entry 2)
• $Volume – contains the volume label and volume version (entry 3)
• $AttrDef – contains attribute names, numbers and descriptions (entry 4)
• . – root directory (entry 5)
• $Bitmap – keeps track of the allocation status of each cluster on the volume (entry 6)
• $Boot – contains the boot sector and the information needed to mount the volume (entry 7)
NTFS System Files (continued)

• $BadClus – keeps track of all clusters identified as bad and no longer usable (entry 8)
• $Secure – contains the unique security descriptors for all files on the volume (entry 9)
• $UpCase – table that maps lowercase characters to their matching Unicode uppercase characters (entry 10)
• $Extend – directory reserved for optional extensions (e.g. quotas, reparse point data and object identifiers) (entry 11)
NTFS Organization (layout of a volume, in order)

  NTFS Boot Sector
  Master File Table ($MFT)
  File System Data
  Master File Table Copy ($MFTMirr)
NTFS Boot Record
Parsing NTFS Boot Record (byte offsets are decimal; multi-byte integers are little-endian)

Range      Description                      Example
000 - 002  Jump instruction                 EB 52 90
003 - 010  OEM ID                           "NTFS    "
011 - 012  Bytes / sector                   0x0200 = 512
013 - 013  Sectors / cluster                0x08 = 8
040 - 047  Total number of sectors          0x1FE7FF = 2,091,007
048 - 055  $MFT starting logical cluster    0x015455 = 87,125
072 - 079  Volume serial number             A1 05 13 06 25 13 06 56
084 - 509  Bootstrap code
510 - 511  End of sector marker             55 AA
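The table above is enough to locate the $MFT by hand. The following parser, added here as an example and not part of the original slides, does the same job programmatically: it validates the OEM ID and the 55 AA marker, decodes the fields from the table plus the standard fields at bytes 56-71 that the table omits ($MFTMirr cluster and the record-size codes), and derives the byte offset of the $MFT. The sample sector is constructed to carry the table's example values; the media descriptor, the $MFTMirr cluster, the update sequence and the record-size codes in it are assumed, not taken from the slide.

```python
import struct


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS boot record fields needed to find the $MFT.
    Offsets follow the table above; all integers are little-endian."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA end-of-sector marker")

    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 40)
    # Bytes 64 and 68 are signed. A negative value n means the record size is
    # 2**(-n) bytes rather than n clusters (0xF6 = -10 -> 1,024-byte MFT entries).
    mft_rec_code, = struct.unpack_from("<b", sector, 64)
    idx_rec_code, = struct.unpack_from("<b", sector, 68)

    cluster_size = bytes_per_sector * sectors_per_cluster

    def record_size(code: int) -> int:
        return 2 ** (-code) if code < 0 else code * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_cluster": mft_cluster,
        "mft_byte_offset": mft_cluster * cluster_size,      # seek here to read entry 0
        "mftmirr_cluster": mftmirr_cluster,
        "mftmirr_byte_offset": mftmirr_cluster * cluster_size,
        "mft_record_size": record_size(mft_rec_code),
        "index_record_size": record_size(idx_rec_code),
        "volume_serial": sector[72:80].hex().upper(),      # bytes as stored on disk
    }


def sample_boot_sector() -> bytes:
    """Constructed 512-byte boot sector carrying the table's example values.
    Not a dump from a real volume; fields the table does not show are assumed."""
    buf = bytearray(512)
    buf[0:3] = b"\xEB\x52\x90"                 # jump instruction
    buf[3:11] = b"NTFS    "                    # OEM ID
    struct.pack_into("<HB", buf, 11, 512, 8)   # bytes/sector, sectors/cluster
    buf[21] = 0xF8                             # media descriptor: fixed disk (assumed)
    struct.pack_into("<QQQ", buf, 40, 2091007, 87125, 2)   # $MFTMirr cluster assumed
    struct.pack_into("<bxxxb", buf, 64, -10, 1)  # 1,024-byte MFT entries, 1-cluster index records (assumed)
    buf[72:80] = bytes.fromhex("A105130625130656")
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_boot_sector(sample_boot_sector()).items():
        print(f"{key:>22}: {value}")
```

To run it against an image, read the first 512 bytes of the partition (not of the disk: the NTFS boot sector sits at the start of the partition) and pass them to parse_boot_sector; mft_byte_offset is then the position of MFT entry 0 relative to the same partition start.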
Master File Table

• The MFT is the heart of the file system: it contains information about every file and folder on the volume.
• Microsoft reserves the first 16 MFT entries for file system metadata files.
• The MFT starts small and expands as needed.
• New files / folders take the first available (unallocated) entry.
• MFT entries are not removed once they have been created: deleting a file only clears the in-use flag, so the entry's content (names, timestamps, resident data) survives until the entry is reused.
• MFT entries are 1,024 bytes in size (the size is recorded in the boot sector).
• Attributes can be resident (content stored inside the entry) or non-resident (content stored in clusters described by a runlist).
MFT Entry Structure

  MFT Entry = [ MFT Entry Header ] [ Attribute Header | Attribute Content ] [ Attribute Header | Attribute Content ] ... [ end marker 0xFFFFFFFF ]
$MFT Basic MFT Entry
Parsing MFT Entry (offsets relative to the start of the entry)

Range    Description                                   Example
00 - 03  Signature                                     "FILE"
04 - 05  Offset to the fixup (update sequence) array   standard field, not shown on the slide
06 - 07  Number of entries in the fixup array          3 for a 1,024-byte entry (1 sequence number + 2 sectors)
08 - 15  $LogFile sequence number (LSN)                0x40B05F = 4,239,455
16 - 17  Sequence value                                0x0008 = 8
18 - 19  Link count                                    0x0002 = 2
20 - 21  Offset to first attribute                     0x0038 = 56
22 - 23  Flags                                         0x0001 = entry in use (0x0002 = directory)

Before parsing an entry read from disk, the last two bytes of each 512-byte sector of the entry must be replaced with the original values stored in the fixup array; on disk those positions hold the update sequence number.
$STANDARD_INFORMATION (attribute header; offsets relative to the start of the attribute)

Range    Description                    Example
00 - 03  Attribute type identifier      0x10 = $STANDARD_INFORMATION
04 - 07  Length of attribute (bytes)    0x60 = 96
08 - 08  Non-resident flag              0x00 = Resident
16 - 19  Size of content (bytes)        0x48 = 72
20 - 21  Offset to content              0x18 = 24
$STANDARD_INFORMATION (content; offsets relative to the start of the content, hex shown in on-disk byte order)

Range    Description            Example (bytes as stored)
00 - 07  Creation time          18 69 82 A5 4B F9 CE 01
08 - 15  Modified time          8E BA A3 7A 4B F9 CE 01
16 - 23  MFT record modified    18 69 82 A5 4B F9 CE 01
24 - 31  Last accessed          18 69 82 A5 4B F9 CE 01
32 - 35  Flags                  0x20 = Archive

The four timestamps are 64-bit little-endian FILETIME values: the bytes must be read right-to-left, so the creation time above is the integer 0x01CEF94BA5826918. Read left-to-right as printed, the value is nonsense.
Date and Time
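The decoding rule from the previous slide, as an added example that is not part of the original slides: the eight timestamp bytes are reversed into a 64-bit integer of 100-nanosecond ticks since 1601-01-01 UTC and converted to a date. The two hex strings are the Creation and Modified stamps from the $STANDARD_INFORMATION table; the -5 hour offset used for display is an assumption standing in for EST and ignores daylight saving, which a real timeline must apply from the examined machine's time zone settings.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores every timestamp as a 64-bit little-endian count of 100-nanosecond
# intervals since 1601-01-01 00:00:00 UTC (a Windows FILETIME).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between the 1601 and 1970 epochs: 134,774 days * 86,400.
EPOCH_DIFF_SECONDS = 11_644_473_600


def filetime_from_bytes(raw: bytes) -> int:
    """raw: the 8 timestamp bytes exactly as they appear in the MFT entry.
    The least significant byte comes first, so hex copied from a dump must be
    read right-to-left to obtain the integer."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    ticks, = struct.unpack("<Q", raw)
    return ticks


def filetime_to_utc(ticks: int) -> datetime:
    """100-ns ticks since 1601 -> timezone-aware UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def filetime_to_unix(ticks: int) -> float:
    """Same instant as seconds since 1970-01-01 UTC, for tools that speak Unix time."""
    return ticks / 10_000_000 - EPOCH_DIFF_SECONDS


def decode_dump_hex(hex_as_printed: str, utc_offset_hours: int = 0) -> dict:
    """Decode a timestamp copied from a hex dump, e.g. '186982A54BF9CE01'.
    utc_offset_hours is a fixed offset for display only (assumed -5 for EST below);
    it does not model daylight saving time."""
    ticks = filetime_from_bytes(bytes.fromhex(hex_as_printed))
    utc = filetime_to_utc(ticks)
    local = utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return {"ticks": ticks, "utc": utc, "local": local, "unix": filetime_to_unix(ticks)}


# The Creation and Modified stamps from the $STANDARD_INFORMATION table above.
SLIDE_CREATED = "186982A54BF9CE01"
SLIDE_MODIFIED = "8EBAA37A4BF9CE01"

if __name__ == "__main__":
    for label, stamp in (("Created", SLIDE_CREATED), ("Modified", SLIDE_MODIFIED)):
        d = decode_dump_hex(stamp, utc_offset_hours=-5)
        print(f"{label:>8}: bytes {stamp} -> 0x{d['ticks']:016X} -> {d['utc']} "
              f"(local {d['local']:%Y-%m-%d %H:%M:%S})")
```

Note that the Modified stamp decodes to about 72 seconds before the Creation stamp. A modification time earlier than the creation time is normal for a file that was copied onto the volume (the copy keeps the source's modification time and receives a new creation time), so it is not by itself evidence of timestamp tampering.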
$FILE_NAME (attribute header; offsets relative to the start of the attribute)

Range    Description                    Example
00 - 03  Attribute type identifier      0x30 = $FILE_NAME
04 - 07  Length of attribute (bytes)    0x78 = 120
08 - 08  Non-resident flag              0x00 = Resident
16 - 19  Size of content (bytes)        0x5A = 90
20 - 21  Offset to content              0x18 = 24
$FILE_NAME (content; offsets relative to the start of the content, hex shown in on-disk byte order)

Range    Description                    Example
00 - 07  Parent directory reference     MFT entry # of the parent (low 48 bits) plus the parent's sequence number (high 16 bits)
08 - 15  Creation time                  18 69 82 A5 4B F9 CE 01
16 - 23  Modified time                  18 69 82 A5 4B F9 CE 01
24 - 31  MFT record modified            18 69 82 A5 4B F9 CE 01
32 - 39  Last accessed                  18 69 82 A5 4B F9 CE 01
40 - 47  Allocated size of the file
48 - 55  Real (logical) size of the file
56 - 59  Flags                          0x20 = Archive

The $FILE_NAME timestamps are a second, independent set from those in $STANDARD_INFORMATION; they are updated less often and are not touched by the usual timestamp-setting APIs, which makes a mismatch between the two sets a useful indicator of timestamp manipulation.
$FILE_NAME (content, continued)

Range    Description                              Example
64 - 64  Length of name (in UTF-16 characters)    0x0C = 12
65 - 65  Namespace                                0x02 = DOS name (0x00 = POSIX, 0x01 = Win32, 0x03 = Win32 & DOS)
66+      Name (UTF-16LE, 2 bytes per character)   MFT_RE~1.txt
$FILE_NAME (2nd attribute)

• Notice this namespace is 0x01 (Win32 name scheme); file name = MFT_Record_Entry_Test.txt
• A file whose name does not fit the 8.3 format therefore carries two $FILE_NAME attributes, the DOS alias and the Win32 name, each with its own set of four timestamps.
$DATA: Resident Example (attribute header; offsets relative to the start of the attribute)

Range    Description                    Example
00 - 03  Attribute type identifier      0x80 = $DATA
04 - 07  Length of attribute (bytes)    0x30 = 48
08 - 08  Non-resident flag              0x00 = Resident
16 - 19  Size of content (bytes)        0x18 = 24
20 - 21  Offset to content              0x18 = 24
Example Text File
$DATA: Non-Resident Example
$DATA: Non-Resident Example (attribute header and runlist; offsets relative to the start of the attribute)

Range      Description                              Example
00 - 03    Attribute type identifier                0x80 = $DATA
04 - 07    Length of attribute (bytes)              0x30 = 48 as shown on the slide; a non-resident header is 64 bytes long and the runlist starts at 64, so the real value must be at least 0x48 = 72
08 - 08    Non-resident flag                        0x01 = Non-resident
32 - 33    Offset to the runlist                    0x40 = 64
64 - 64    Runlist header: sizes of the fields that follow   0x31 (low nibble 1 = 1 length byte, high nibble 3 = 3 offset bytes)
65 - 65*   Run length (clusters)                    0x2E = 46
66 - 68*   Starting cluster (LCN) of the run        0x014D30 = 85,296

* These ranges vary as determined by the nibbles of the header byte at offset 64. Further runs follow the same header/length/offset pattern, with each offset a signed value relative to the previous run's start; a header byte of 0x00 ends the runlist.

So What Does This Mean?
$DATA: Non-Resident Example (worked conversion)

• Examining the volume boot record (see slide 7):
  – 8 sectors / cluster
  – 512 bytes / sector
• Examining the MFT entry:
  – File name = pf.jpg
  – Created on 12/16/2013 @ 22:50:45 EST
  – Modified on 03/26/2013 @ 20:51:58 EST (earlier than the creation time, which is typical of a file copied onto this volume: the copy keeps the source's modification time and gets a new creation time)
  – Data is non-resident
  – Starting cluster is 85,296
  – Extends for 46 clusters
• Conversions:
  – Cluster 85,296 × 8 sectors/cluster = sector 682,368
  – Sector 682,368 × 512 bytes/sector = byte offset 349,372,416 from the start of the volume
  – 46 clusters × 8 × 512 = 188,416 bytes allocated; the file's actual length is the real-size field of the non-resident header, so the tail of the last cluster is slack space
$DATA: Non-Resident Example