File Systems - NTFS Flashcards
History & Summary of NTFS
- Created by MS to replace FAT (which can only cope with disk structures up to 2TB)
- Most commonly encountered File System type
- Not as regimented as FAT, which has well defined structures followed by the data area (where files are found).
- In NTFS Sectors / Clusters start at the very beginning of the volume.
- In NTFS the entire volume forms the data area - everything is treated as a file.
Summary of NTFS Structures
- One file has a guaranteed location: $BOOT. Always at the beginning, sector 0. NTFS has many more structures (metadata files) than FAT, but we do not need all of them to recover files.
Other key structures are:
- $MFT (Master File Table). $Boot provides the first cluster of $MFT. The first entry in $MFT is for itself.
Then there are many attributes. 4 example ones that are important in forensics are:
- $Standard_Information. Contains most of the metadata.
- $File_Name
- $Data. Tells us where the file contents can be found.
- $Index_Root
Everything is LE (little-endian) and needs converting to BE (big-endian) unless otherwise stated.
$BOOT
- $BOOT is the equivalent of the Boot Sector in FAT.
- Always at sector 0 (a fixed place, unlike other files).
- Has info on disk geometry and allows other metadata files to be located. Tells us where to find the first cluster of $MFT.
- Also gives the number of bytes per sector, number of sectors per cluster, total sectors on the volume and the fixed size of each $MFT entry (a SIGNED BYTE).
The first step when analysing an NTFS file system is to analyse $BOOT to extract the $MFT.
- $BOOT is a file (all are). It has an MFT entry.
$BOOT ends with the 0x55AA signature.
$MFT - Master File Table
- Get the first cluster it occupies from $BOOT.
- A copy of $MFT exists as $MFTMirr.
- $MFT contains the info on the files. Records metadata info and data location for all files.
- Similar to the FAT Directory Entries.
- $MFT contains one record entry for each file. Each is usually 1024 bytes in size (but calculate it from $BOOT).
- Each record entry (called a FILE RECORD ENTRY) has a header (details the structure of that MFT entry) and then numerous attributes which record the metadata info.
After the header is the first attribute, then each attribute after it until the trailer.
This means that the offset to the first attribute is the LENGTH OF THE HEADER (it is a pointer to where the 1st attribute starts).
$MFT Records (Cont.) ATTRIBUTES
- Store info about a file (metadata).
- Many exist, but we will look at the 4 important ones for forensics.
- Attributes may be RESIDENT or NON RESIDENT.
If RESIDENT then the data for the attribute is found inside the attribute itself.
If NON RESIDENT then the attribute contains a pointer to the data.
4 important ones are:
$STANDARD_INFORMATION (standard metadata / timestamps etc). A RESIDENT type.
$FILE_NAME (name of file). RESIDENT.
$DATA (contents of the file). RESIDENT OR NON RESIDENT.
$INDEX_ROOT (info on directory contents).
ATTRIBUTE STRUCTURE (RESIDENT). 16 byte generic header, resident attribute extended header, then resident attribute data. This contains a RUN LIST that shows in which clusters the file's contents can be found.
ATTRIBUTE STRUCTURE (NON RESIDENT). 16 byte generic header and non resident attribute extended header.
$Data Attribute
Usually non resident.
Only very small files are resident.
How to look for file contents when non resident:
Need to find the RUN LIST.
The RUN LIST tells us how many clusters are in the file and where they are. They are sequential clusters.
The offset to the run list is given (in the header table).
Once you find the start of the run list you don't know how big it is, but it always ends with a 0x00 value. Do not include the first 0x00 value.
See photos for how to find clusters from the run list.
Summarise how to recover a file in NTFS
- Analyse $BOOT and extract the MFT.
- The MFT contains one entry per file. Each entry has a header, trailer & numerous attributes (which are resident or non resident).
- Use the MFT header to find the first attribute, then get the type of attribute, its length & whether it is resident or not.
- Process the main attributes that are important forensically in turn:
- File name (to obtain the file name). Resident.
- Standard Information (to obtain metadata like timestamps). Resident.
- Data. This is the contents of the file. It can be resident if it is a very small file, but is usually non resident.
- To obtain the file contents from a non resident data attribute we need to locate & interpret the RUN LIST.
- The non resident attribute gives us the run list location.
- Once we have the run list we interpret it to find the number of clusters occupied by the file & the cluster number at which the data starts. These are sequential and run consecutively (unless fragmented).
Once we have the file contents we can extract them and we have the recovered file.
Things to remember when processing NTFS files!!
When you need to count manually to find the next attribute, convert the offset to decimal: that is the number of bytes to count.
When processing the MFT:
Remember the MFT record has its own header (table 3).
Each attribute also has its own header,
which starts with the generic attribute header (16 bytes), then the table shows an extra 6 bytes for resident. A RESIDENT ATTRIBUTE HEADER is 24 BYTES, not the 22 implied by the table.