NTFS

Question 1

Explain how to write a file in NTFS

Answer 1

• Read $BOOT to find location for $MFT
• read first entry of $MFT to find $MFT layout
• Allocate $MFT entry for new file
• Initialize $STANDARD_INFORMATION attribute
• Find free clusters in $BITMAP
• Set cluster status to 1 (allocated)
• Write contents to clusters and update $DATA attribute in $MFT
• Read the root directory, and find dir1/
• Read $INDEX_ROOT attribute for dir1/ and determine where file1.txt should go
• Create new index entry, Resort index tree
  Enter all steps in $LogFile (as each one is taken)

Question 2

Explain how to Delete a file in NTFS

Answer 2

• Read volume boot record to locate $MFT
• Determine layout of $MFT
• Locate dir1 in the Root Directory
• Find file1.txt in dir1’s $INDEX_ROOT entry
• Remove filename from index, resort index.
• Unallocate the $MFT entry
• Set $Bitmap entries to 0
• Record steps in $Logfile as each is taken

Question 3

What is NTFS

Answer 3

NTFS - New Technology File System

Question 4

What are the files that make up an NTFS File System

Answer 4

• MFT (Master file table)
• MFTMirror (copy of MFT)
• LogFile (logs all metadata file changes)
• Volume (information about file system)
• . (information on root directory)
• Bitmap (1 bit for each cluster showing its allocation status)
• Boot (similar to FAT boot sector)

Question 5

Where is $BOOT stored

Answer 5

$BOOT is stored in same location for every NTFS volume (Sector 0)

Question 6

What endian are multi bytes stored in for NTFS

Answer 6

All multibyte structures are stored in LE for NTFS unless otherwise states

Question 7

Explain how to identify $MFT starting location

Answer 7

Bytes per Sector / Sector Size: 0x0002 (LE) -> 0x0200 = 512 bytes per sector
Number of Sectors per Cluster = 0x08 (BE) -> 8 = 8 sectors per cluster
Cluster size = 512*8 = 4,096 bytes

Starting Cluster of MFT = 0x0400 0000 0000 0000 (LE) = 4
First cluster of MFT is at cluster 4

Question 8

What is the $MFT file

Answer 8

$MFT - master file table
- Similar to FAT Directory entries
- Contains one file record entry for each file
- Each file entry is usually 1024 bytes
- File Record contains header, and then attributes (metadata)

Question 9

Explain how to identify the number of attributes for a file

Answer 9

File Record Entry Example:

File Signature: 0x4649 = FILE0
Offset to first attribute: 0x3800 (LE) = 0x0038 (number of bytes in hex of header)
Allocation status: 0x0100 (LE) = 0x01 = Allocated
Number of Attributes: 0400 (LE) = 0x04 = 4 attributes

Question 10

What are the two types of attributes in NTFS

Answer 10

• Resident: data is stored in attribute
• Non-Resident: contains pointer to data (using run lists)

Question 11

What is a run list

Answer 11

tells how many clusters are in it and where they are located (by finding two byes at 0x20 in Non-Resident Attribute)

Question 12

Interpret this run list:

21 03 03 22

Answer 12

21 - add the nibbles of the first byte to get the number of bytes in this portion
- 2 , 1 = nibbles
- 2+1 = 3
- 3 is the number of bytes of run list

The high order nibble(2) = number of bytes in starting cluster
Starting cluster = 03 22 -> (LE) -> 2203 -> 8707(decimal)

Low order nibble (1) = number of bytes in run list length

Number of clusters (length of run list) = 03

Run list contains 3 clusters beginning at 8707
- Would be 8707, 8708, 8709 in total
- Can check with istat ntfs.dd 65

Question 13

What information is stored in $Standard_Information

Answer 13

-Creation: File creation time
- Modification: File content modification time
- Change: File metadata modification time
- Access: File access / read time