Section 5.3: Advanced NTFS Filesystem Tactics Flashcards

1
Q

NTFS features to be aware of:

A

Journaling, hard links, soft links, change tracking, sparse file support, access control (ACLs), disk usage quotas, reparse points, Encrypting File System (EFS), compression, VSC, alternate data streams, volume mount points, and Single Instance Storage.

2
Q

Explain the change tracking feature in NTFS

A

It tracks changes in the system, which are journaled through update sequence numbers (USNs).

3
Q

Explain the access control feature in NTFS

A

It's a robust feature that prevents users from accessing specific files that are prohibited to them.

4
Q

Explain the disk usage quota feature on NTFS

A

It controls how much data a user is allowed to store on a system.

5
Q

Explain the distributed link tracking feature in NTFS

A

It assigns files Object IDs so they can always be tracked, wherever they are.

6
Q

Explain the Volume Mount Points feature on NTFS

A

It allows volumes to be stacked (one mounted inside a folder of another) so they all copy more easily. Example: a second volume appears at C:\data instead of as separate C: and D: drives.

7
Q

Explain the Single Instance Storage feature on NTFS

A

It allows one large file to be accessible to everyone without having it downloaded to each system.

8
Q

What is a data run?

A

A term used when a filesystem tracks a list of cluster addresses that can be followed in order to reconstruct the contents of a file.

9
Q

What is the Master File Table?

A

The core metadata structure of the filesystem, carrying an MFT entry for every file or folder on the volume.

10
Q

What information can be obtained inside an MFT record?

A

Timestamps, file information, security information, and data information such as the cluster list if the entry is non-resident.

11
Q

What makes an MFT record resident? How big is the MFT record size?

A

The data stored in the MFT entry is 600 bytes or less. An entry is usually 1024 bytes in size but can go up to 4096 bytes.

12
Q

How is data stored on clusters? Can there be issues?

A

It is stored sequentially, meaning each write uses the next cluster number after the current one (16, 17, 18). Gaps in those sequences mean the file is fragmented or there is an anomaly.

13
Q

Name the 12 special system files. What MFT record number do they start at? How many special files does NTFS reserve?

A

$MFT, $MFTMIRR, $LOGFILE, $VOLUME, $ATTRDEF, ., $BITMAP, $BOOT, $BADCLUS, $SECURE, $UPCASE, $EXTEND. They start at record 0. The first 24 records are reserved for special files.

14
Q

What number is analyzed for sequential entries: 60947-128-4?

A

Number 60497 is used to observe sequential entries. Follow the next number below the entry to see if it's connected or not.

15
Q

Name the entry attributes.

A

0x10 $Standard_Information, 0x20 $Attribute_List, 0x30 $File_Name, 0x40 $Object_ID, 0x50 $Security_Descriptor, 0x60 $Volume_Name, 0x70 $Volume_Information, 0x80 $Data

16
Q

What are the four main points to look at when analyzing MFT records?

A

MFT header (46 49 4C 45 = "FILE" in ASCII), Standard Information (10 00 00 00), Filename (30 00 00 00), Data (80 00 00 00), End of entry (FF FF FF FF)

17
Q

An analyst is parsing metadata using the istat tool. What is going on with the following command: istat \\.\G: 5

A

A live system is being parsed on the G: drive. istat is focused on the root directory (.), whose MFT number is 5.

18
Q

What does the MFT header fixup array mean and where can it be found?

A

The fixup array is a signature value used to validate record data stored across sectors. The last 2 bytes of each sector must match the signature value for the data to correspond to the MFT header. The fixup array is found right after the FILE signature, in the first 2 bytes following it.

19
Q

How are the bytes read during hexadecimal analysis?

A

In groups of four [00 00 00 00], two [00 00], or eight [00 00 00 00 00 00 00 00].

20
Q

In the MFT header, what is the hard link offset and what is it for?

A

The offset is 0x12 and it describes the number of Filename attributes this file has, whether long or short.

21
Q

In the MFT header, what is the offset for Flags and what does its byte value indicate?

A

The offset is 0x16 and it indicates whether the record is not in use [x00], a file in use [x01], a deleted directory [x02], or a directory in use [x03].

22
Q

Inside the MFT header, what offset is the total number of bytes allocated for the file?

A

0x1C is where the allocated byte size of the record is stored. 0x400 = 1024 bytes.

23
Q

To find the inode number (metadata sequence number), the offset in the MFT header is at...

A

0x2C

24
Q

What is the Update Sequence Number and Update Sequence Array offset in the MFT header, and why is it important?

A

The offset is 0x30. It is important because it matches the fixup array at 0x06 to validate its sectors and the journaling. At the end of each 512-byte sector a USN is written, so a 1024-byte record has two written (a total of 3 with the 0x06 fixup).

25
Q

At what offset are the timestamps located inside the Standard Information attribute?

A

After the Content offset 0x18 [18 00 00 00]. The order is B, M, C, and A.

26
Q

What do the flags in the Standard Information attribute indicate? What is the offset?

A

They describe the properties of the file, such as hidden, archive, read-only, compressed, encrypted, etc. The offset is 0x38.

27
Q

At what offset are the timestamps placed inside the Filename attribute in hexadecimal?

A

0x20. They follow the same order as Standard Information.

28
Q

Where can I find the namespace type in the Filename attribute in hexadecimal? What name type does each byte value indicate?

A

It's located at 0x59. [x00] POSIX, [x01] Win32 or case-sensitive long name, [x02] DOS or short name, [x03] Win32/DOS, or the name is short enough for one Filename attribute.

29
Q

What happens if a Filename happens to be long?

A

A third set of timestamps is created (one for the long name and the other for the short name).

30
Q

When looking at offset 0x59 of the second Filename attribute's namespace type, what should I expect?

A

It should be 0x02 for the DOS short name.

31
Q

When do Filename timestamps update?

A

During file creation, file copy, and volume file move through the CLI or cut/paste. All four stamps are updated.

32
Q

What is timestomping?

A

It's a malicious technique used by adversaries to backdate the timestamps of an executable so it blends in with other files on the system.

33
Q

Methods used to detect timestomping

A

$SI timestamps before $FN; $SI modification timestamp before the Shimcache modification time; compile times later than when the file was written to disk (compilation happens once); $I30 directory entries with more recent dates than the current ones; the MFT sequence number being out of place; and zeroed-out timestamps.

34
Q

When using exiftool, how can I identify timestomping from the compilation time?

A

Check the Time Stamp field. If the field is more recent than the modification or creation time, then it's timestomped.

35
Q

What offset shows whether the Data attribute is resident or non-resident? Which byte value indicates which?

A

At 0x08. 0x00 is resident, 0x01 is non-resident.

36
Q

When looking at the Data attribute in hexadecimal, where can I find the name length?

A

At 0x09. The byte value only applies when a named data stream is present, since the first stream always uses the file's name.

37
Q

What does this command do and where is it from: icat cdrive.e01 193033-133-7 | xxd?

A

In this case, the command dumps the hexadecimal contents of the Filename attribute with attribute ID 133-7 from MFT entry 193033. This information was gathered from the istat output and fed into icat.

38
Q

What are Zone Identifier IDs? What tools are unlikely to tag downloaded files with an ID?

A

Also known as the "Mark of the Web", they give information on the file download. [-1] No zone, [0] My Computer, [1] Intranet, [2] Trusted, [3] Internet, [4] Untrusted. Tools that won't give an ID are PowerShell and ftp.exe.

39
Q

Why is the $I30 index file important in forensics?

A

It holds metadata for directories and the contents the directories once had. It can also include slack entries for deleted child items. Most wiping tools don't delete directory entries.

40
Q

What type of index tree does NTFS use?

A

B-tree index

41
Q

Can I use istat on directories? What is INDEX_ROOT & INDEX_ALLOCATION?

A

Yes, since they are essentially files and also have an MFT number. INDEX_ROOT holds a few entries, is mandatory, and is stored in the MFT record. If a directory has many entries, an optional INDEX_ALLOCATION is created and saved in clusters.

42
Q

What is the INDEX_ALLOCATION signature?

A

49 4E 44 58

43
Q

What kind of timestamps does the $I30 entry hold and why?

A

Standard Information, since it is faster to pull up than Filename. An index can also have two Filename timestamp sets if the name is long.

44
Q

What can the Indx2Csv tool parse? What other tools are available?

A

It parses active and slack index entries, $O, and $R files. Other tools include Velociraptor and INDXparse.py.

45
Q

Name the journaling features of NTFS and what they do.

A

The two journals are $LogFile and $USNJournal. $LogFile monitors lower-level transactional data in the filesystem to provide error resilience. $USNJournal monitors high-level actions that can be used by applications such as A/V and backup software.

46
Q

The $LogFile size is 64MB; how can I check and change its size?

A

Check: chkdsk <volume> /L
Change: chkdsk <volume> /L:<size>

47
Q

Both the USNJournal and LogFile use the word "File". What are they referring to?

A

They are referring to MFT record files.

48
Q

How big are $J files?

A

3GB

49
Q

Name the code for File/Directory creation

A

LogFile: AddIndexEntryAllocation, InitializeFileRecordSegment
USNJournal: FileCreate

50
Q

Name the code for File/Directory deletion

A

LogFile: DeleteIndexEntryAllocation, DeallocateFileRecordSegment
USNJournal: FileDelete

51
Q

Name the code for File/Directory rename or move

A

LogFile: DeleteIndexEntryAllocation, AddIndexEntryAllocation
USNJournal: RenameOldName, RenameNewName

52
Q

Name the code for ADS Creation

A

LogFile: CreateAttribute with name ending in “:ADS”
USNJournal: StreamChange, NamedDataExtend

53
Q

Name the code for File Data Modification

A

LogFile: look for modification keywords
USNJournal: DataOverwrite, DataExtend, DataTruncation

54
Q

Directories to filter when searching inside the journals

A

System32, Recycle Bin, AppData, Downloads, Prefetch, Temp, and known attacker directories.

55
Q

File types to filter when searching inside the journals

A

exe, dll, sys, pyd, rar, zip, cab, 7z, ps1, vbs, bat, IOC files, and suspicious directory names.

56
Q

When the LogFile is parsed, what is a good way to go about finding what I need?

A

Open the "LogFile_FileNames.csv" file and get the MFT record for the file or directory along with its Log Sequence Number (LSN). To get the timestamps, look in the USNJournal output.

57
Q

When parsing the $J file with MFTECmd.exe, what else can I do to dig deeper into the records?

A

Parse the same $J file again with the VSS parameter! Just make sure the image is a full disk and not a triage collection.

58
Q

Name the events that happen when a file is deleted.

A

At the data layer, the clusters are marked as unallocated in $Bitmap but the data still exists in slack. At the metadata layer, $MFT flips a single bit on the file's MFT record to mark it as unallocated (slack). The journals record this event. At the filename layer, the $File_Name attribute is preserved until reused, as is the $I30 index entry.