Section 5.3: Advanced NTFS Filesystem Tactics

Question 1

NTFS features to be aware of:

Answer 1

Journaling, Hardlink, Softlink, Change tracking, Sparse file support, Access Control files, Disk usage quotes, Reparse Points, Encryption File System, Compression, VSC, Data Streams, Volumne Mount Points, & Single Instance Storage.

Question 2

Explain the change tracking feature in NTFS

Answer 2

It tracks changes in the system that is journaled through update sequence number.

Question 3

Explain the acceas control feature in NTFS

Answer 3

Its a robust feature that doesn’t allow other users to access specific files that is prohibited to them.

Question 4

Explain disk usage quota feature on NTFS

Answer 4

Can control how much a user is allowed to store inside a system.

Question 5

Explain the distributed link tracking feature in NTFS

Answer 5

It gives files Object IDs so you can always track where they are.

Question 6

Explain the Volumne Mount points feature on NTFS

Answer 6

It allows drives to stack so they all copy easier. Example: C:\data instead of just C: and D:

Question 7

Explain single instance storage feature on NTFS

Answer 7

It allows one file that is big to be accessable to everyone without having it download to each system.

Question 8

What is a data run?

Answer 8

A term used when a filesystem tracks a list of cluster addresses that can be followed in order to reconstruct the contents of a file.

Question 9

What is the Master File Table?

Answer 9

The core metadata structure of the filesystem carrying MFT entries of every file or folder on the volumne.

Question 10

What information can be obtained inside an MFT record?

Answer 10

Timestamps, file information, security, and data information such as cluster list if the entry is non-resident.

Question 11

What makes an MFT record resident? How big is the MFT record size?

Answer 11

The data size of the MFT is 600 bytes or less. An entry is usuallly 1024 bytes in size but can go up to 4096 bytes.

Question 12

How does data store on clusters? Can there be issues?

Answer 12

By storing it sequentially meaning it follows the next cluster number after the current one is written (16, 17, 18). Gaps in those sequences means they are fragmented or an anomaly.

Question 13

Name the 12 special system files. What MFT record number does it start with? How many special files does NTFS reserve?

Answer 13

$MFT, $MFTMIRR, $LOGFILE, $VOLUMNE, ATTRDEF, ., $BITMAP, $BOOT, $BADCLUS, $SECURE, $UPCASE, $EXTEND. It starts at 0. First 24 are reserved for special files.

Question 14

What number is analyzed for sequential entries: 60947-128-4?

Answer 14

Number 60497 is used to observe sequential entries. Follow the next number bellow the entry to see if its connected or not.

Question 15

Name the entry attributes.

Answer 15

0x10 $Standard Information, 0x20 $Attribute_list, 0x30 $File_name, 0x40 $Object_ID, 0x50 $Security_Descriptor, 0x60 $Volumne_Name, 0x70 $Volumne_Information, 0x80 $Data

Question 16

The four main points overview when analyzing MFT records.

Answer 16

MFT header (46494C45 FILE ASCII), Standard Information (10 00 00 00), Filename (30 00 00 00)
Data (80 00 00 00)
End of entry (FF FF FF FF)

Question 17

An analyst is parsing metadata using the istat tool. What is going on with the following command: istat \.\G: 5

Answer 17

A live system parsing is happening on the G drive. Istat is focused on the root directory (.) and its MFT number is 5.

Question 18

What does the MFT header fixup array mean and where can it be found?

Answer 18

The fixup array is a signature value that is used to track file data stored on a sector. The last 2 bytes of a sector must match the signature value for the data to correspond to the MFT header. The fixup array is found right after the FILE signature and are the firs 2 bytes.

Question 19

How are the bytes read during hexidecimal analysis?

Answer 19

In fours [00 00 00 00] twos [00] or eights [00 00 00 00 00 00 00 00]

Question 20

In MFT header, what is the hardlink offset and what is it for?

Answer 20

The offset is 0x12 and describe the number of Filename attributes this file has wether it be long or short.

Question 21

On MFT header, what is the offset for Flags and what is it indicating with its byte number?

Answer 21

The offset is at 0x16 and it indicates wether its not in use [x00], file in use [x01], directory deleted [x02], or directory in use [x03].

Question 22

Inside the MFT header, what offset is the total number of bytes allocated for the file?

Answer 22

0x1C is where the file byte size is. 0x400=1024 bytes.

Question 23

To find the Inode number (metadata sequence number), the offset on the MFT header is at..

Answer 23

2C

Question 24

What is the Update Sequence Number and Update Sequence Array offset on the MFT header and why is it important?

Answer 24

The offset is on 0x30. It is important because it matches with the fixup array from 0x06 to match with its sectors and journalize. At the end of each 512 byte sector, a USN is written so with a file of 1024, two a written (total of 3 with 0x06 fixup).

Question 25

On what offset are the timestamps locaated inside the standard information?

Answer 25

After Content offset 0x18 [18 00 00 00]. The order is B, M, C, & A.

Question 26

What do the flags on the standard information indicate? What is the offset?

Answer 26

It describes the properties of the file such as: hidden, archive, read-only, compressed, encrypted, etc. The offset is 0x38.

Question 27

What offset are the timestamps placed inside the hexidecimal Filename?

Answer 27

0x20. They follow the same order as Standard Information.

Question 28

Where can I find the Namespace type on the Filename hexidecimal? What name type does each byte indicate?

Answer 28

Its located on 0x59. [x00] POSIX, [x01] Win32 or case-sensitive long name, [x02] DOS or short name, [x03] Win32/DOS or name is short enough for one Filename.

Question 29

What will happen if a Filename happens to be long?

Answer 29

A third set of timestamps will be created (one for the long name and the other for the short name).

Question 30

When looking at 0x59 offset of the second filename space type, what should I expect?

Answer 30

For it to be 0x02 for the DOS shortname.

Question 31

When do Filename timestamps update?

Answer 31

During file creation, file copy, and volumne file move through CLI or cut/paste. All four stamps are updated.

Question 32

What is timestomping?

Answer 32

Its a malicious technique used by adversaries to backtrack timestamps of an executable to blend in with other files on the system.

Question 33

Methods used to detect timestomping

Answer 33

If the $SI is before $FN, if $SI modification timestamp is before Shimcache modification, compile times exist after it has been written on disks since its done once, $I30 directory have recent dates than the current, MFT sequential number being out of place, and zeroed out timestamps.

Question 34

When using the exiftool, how can I identify timestomping in the compilation times?

Answer 34

Check the Time Stamp field. If the field is more recent than the modification or creation, then its timestomped.

Question 35

Where is the offset to find if the Data is resident or non-resident? What byte indicates which is which?

Answer 35

At 0x08. 0x00 is resident, 0x01 is non-resident.

Question 36

When looking at the Data hexidecimal, where can I find the name length?

Answer 36

On 0x09. A byte value only applies to a data stream present since the first stream always uses the filename name.

Question 37

What does this command do and where is it from: icat cdrive.e01 193033-133-7 | xxd?

Answer 37

In this case, the command gets the hexidecimal value of a Filename and its attribute ID (133-7) from MFT 193033. This information was gathered by the output from istat and implemented into icat.

Question 38

What are Zone Identifier IDs? What tools are unlikely to tag downloaded files with an ID?

Answer 38

Also known as “Mark of the Web”, they give information on the file download. [-1] No zone, [0] My computer, [1] Intranet, [2] Trusted, [3] Internet, [4] Untrusted. Tools who wont give an ID are Powershell and ftp.exe.

Question 39

Why is the index $I30 file important in forensics?

Answer 39

It has metadata of directories and the contents the directories once had. They can also include slack for deleted child items. Most wiping tools dont delete directory entries.

Question 40

What type of index tree does NTFS use?

Answer 40

B-tree index

Question 41

Can I use istat on directories? What is INDEX_ROOT & INDEX_ALLOCATION?

Answer 41

Yes since they are essentiallu files and also have an MFT number. INDEX_ROOT has a few entries, mandatory, and stored in the MFT file. If a directory has a lot of entries, an optional INDEX_ALLOCATION is created and saved inside clusters.

Question 42

What is the INDEX_ALLOCATION signature?

Answer 42

49 4E 44 58

Question 43

What kind of timestamps does the $I30 entry hold and why?

Answer 43

Standard Information since it is faster to pull up than Filename. Index can also have two filename timestamps if its name is long.

Question 44

What can the Indx2Csv tool parse? What other tools are available?

Answer 44

It parses active and slack index entries, $O, and $R files. Other tools include Velociraptor and INDXparse.py.

Question 45

Name the journaling features of NTFS and what they do?

Answer 45

The two journals are $LogFile and $USNJournal. $LogFile monitors lower-level transactional data in the filesystem to provide error resilience. $USNJournal monitors high-level actions that can be used by applications such as A/V and backup software.

Question 46

Logfile size is 64MB, how can I check and change its file size?

Answer 46

Check: chkdsk <volumne> /L
Change: chkdsk <volumne> /L:<size></size></volumne></volumne>

Question 47

Both USNJournal and LogFile use the word File. What are they referring to?

Answer 47

They are referring to MFT record files.

Question 48

How big are $J files?

Answer 48

3GB

Question 49

Name the code for File/Directory creation

Answer 49

LogFile: AddIndexEntryAllocation, InitializeFileRecordSegment
USNJournal: FileCreate

Question 50

Name the code for File/Directory deletion

Answer 50

LogFile:DeleteIndexEntryAllocation, DeallocateFileRecordSegment
USNJournal: FileDelete

Question 51

Name the code for File/Directory rename or move

Answer 51

LogFile: DeleteIndexEntryAllocation, AddIndexEntryAllocation
USNJournal: RenameOldName, RenameNewName

Question 52

Name the code for ADS Creation

Answer 52

LogFile: CreateAttribute with name ending in “:ADS”
USNJournal: StreamChange, NamedDataExtend

Question 53

Name the code for File Data Modification

Answer 53

LogFile: look for modification words
USNJournal: DataOverwrite, DataExtend, Data Truncation

Question 54

Directories to filter when searching inside the journals

Answer 54

System32, Recycle bin, AppData, Downloads, Prefetch, Temp, & attacker directories.

Question 55

File types to filter when searching inside the journals

Answer 55

exe, dll, sys, pyd, rar, zip, cab, 7z, ps1, vsb, bat, IOC files, and suspicious directory names.

Question 56

When LogFile is parsed, what is a good way around analyzing what I need to find?

Answer 56

Open the “LogFile_FileNames.csv” file and get the MFT record for the file or directory along with the Log Sequence Number (LSN). To get the timestamps look into the USNJournal file.

Question 57

When parsing $J file with MFTECmd.exe, what else can I do to parse deeper into the records?

Answer 57

Parse the same file with the VSS parameter to the same $J file! Just make sure the file is a full disk and not a triage.

Question 58

Name the events that happen when a file is deleted.

Answer 58

At the data layer, clusters will be marked as unallocated in &Bitmap but still exist in slack. At the metadata layer, the $MFT will change a single bit on file’s MFT record to be slacked. The journals will update this event. At the Filename layer, the $Filename_Name is preserved until reused as well as the $I30 index entry.