Data Carving Flashcards
What is Data Carving?
Unallocated system space has files extracted from it
Data rebuilding
Fixing files that are damaged or partially deleted.
What is the MFT?
Master File Table?
What uses the MFT?
NTFS
What is the overall structure of an MFT entry called?
A file record segment.
What things does a file record segment have in it?
- Header
- Attribute Record Header
- Attribute type/name/value
- Attribute record header…
- 0xffffff
How big is each MFT entry?
0x400
SequenceNumber
Incremented each time the file record segment is freed.
FILE_RECORD_SEGMENT_IN_USE
Says if the file is deleted or not.
BaseFileRecordSegment
File reference to the base file record segment.
How far in is the SequenceNumber?
16 bytes
How far in is the FILE_RECORD_SEGEMNT_IN_USE?
22 bytes in
How far in is the BaseFileRecordSegment?
32 bytes
States for the FRSIU
01000 -> Existing file
00000 -> Deleted file
03000 -> existing folder
02000 -> deleted folder
States for the BaseFileRecordSegment
0 if the record is the “base” (first record for the file)
Otherwise it points to the base.
MFT Attributes
Each unit of information associated with a file.
Where are attributes written that are too large for the current segment?
In an “extent”
What is an ADS?
Alternate data stream.
What is an alternate data stream?
A user defined attribute.
What ADS’ is interesting to us?
The ZoneID
HostUrl
ReferrerUrl
Why is the ZoneID interesting?
ZoneID 3 is the internet, meaning that the file was explicitly downloaded from the internet.
Why is the HostUrl interesting
The URL of the file
Why is the ReferrerUrl interesting?
URL that served the file
Data recovery vs data carving
Recovery - the file is still in its fullness there
Carving - Raw medium without File system info
