Computer Forensics NTFS File System MBR and GPT
Computer Forensics NTFS File System
MBR and GPT Disks
- MBR disks were used for 32-bit x86-compatible systems; GPT disks were introduced for 64-bit Itanium systems (GPT is now the norm on any UEFI machine).
- A GPT disk still starts with an MBR (the "protective MBR") in order to maintain compatibility with MBR-only tools: that MBR has a single partition table entry of type 0xEE spanning the disk, so legacy software sees one unknown partition instead of free space it might overwrite.
NTFS Architecture
NTFS Boot Sector
The boot sector is the first sector of the volume (512 bytes) and is laid out as:

Offset  Length  Field
0x00    3 B     Jump instruction
0x03    8 B     OEM ID ("NTFS    ")
0x0B    25 B    BPB (BIOS Parameter Block)
0x24    48 B    Extended BPB
0x54    426 B   Bootstrap code
0x1FE   2 B     End-of-sector marker (0x55 0xAA)
NTFS Boot Sector
Many fields are not important for forensics, but these are (all values little-endian):

Offset  Length  Field
0x0B    2 B     Bytes per sector
0x0D    1 B     Sectors per cluster
0x15    1 B     Media descriptor (0xF8: hard disk; 0xF0: floppy)
0x28    8 B     Total sectors in the volume
0x30    8 B     Logical cluster number (LCN) of the $MFT
0x38    8 B     LCN of the $MFT mirror ($MFTMirr)
0x40    1 B     Clusters per MFT record (a signed byte: a negative value n means each record is 2^|n| bytes, e.g. 0xF6 = -10 gives 1024-byte records)
0x48    8 B     Volume serial number
NTFS Boot Sector
- WinHex can display the NTFS boot sector in interpreted form, with each field decoded, rather than as raw hex.
- Use the Access tab (boot sector template) in WinHex.
NTFS BPB (worked example)
- 8 sectors per cluster (4096-byte clusters with 512-byte sectors)
- Total number of sectors: 0x94EAFF7 = 156,151,799 (about 74.5 GiB)
- The $MFT starts at LCN 0xC7FE9 = 819177. This is a cluster number relative to the start of the volume, so multiply by 8 sectors per cluster to get sector 6,553,416 within the partition, then add the partition's starting sector (80,325 here) to get the physical LBA 6,633,741 on the disk.
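The boot-sector layout and the LCN-to-physical-sector arithmetic above, as an added example (Python written for this page, not code from the slides or from WinHex). The boot sector is constructed in code: its BPB values are the ones from the slide's worked example (8 sectors per cluster, 0x94EAFF7 total sectors, $MFT at LCN 0xC7FE9); the $MFTMirr LCN, the volume serial and the partition start of 80,325 are assumptions for the demonstration. The parser also rejects a sector that is not NTFS and decodes the signed clusters-per-record fields, which a naive unsigned read gets wrong.

```python
import struct

NTFS_OEM_ID = b"NTFS    "


def build_boot_sector():
    """Constructed 512-byte NTFS boot sector (not captured from a real disk).

    BPB values follow the slide's worked example: 512-byte sectors, 8 sectors
    per cluster, 0x94EAFF7 total sectors and the $MFT at LCN 0xC7FE9.
    The mirror LCN and the volume serial are made up.
    """
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xEB\x52\x90"                   # jump instruction
    bs[0x03:0x0B] = NTFS_OEM_ID                        # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)              # bytes per sector
    bs[0x0D] = 8                                       # sectors per cluster
    bs[0x15] = 0xF8                                    # media descriptor: hard disk
    struct.pack_into("<Q", bs, 0x28, 0x94EAFF7)        # total sectors
    struct.pack_into("<Q", bs, 0x30, 0xC7FE9)          # LCN of $MFT
    struct.pack_into("<Q", bs, 0x38, 0x2)              # LCN of $MFTMirr (constructed)
    bs[0x40] = 0xF6                                    # clusters per MFT record: -10 -> 2**10 bytes
    bs[0x44] = 0x01                                    # clusters per index record
    struct.pack_into("<Q", bs, 0x48, 0x1CE8C0FFEE01)   # volume serial (constructed)
    bs[0x1FE:0x200] = b"\x55\xAA"                      # end-of-sector marker
    return bytes(bs)


def _decode_size_field(value, cluster_bytes):
    """Clusters-per-record fields are signed bytes: n >= 0 means n clusters,
    n < 0 means the record is 2**|n| bytes regardless of the cluster size."""
    if value < 0:
        return 1 << -value
    return value * cluster_bytes


def parse_boot_sector(bs):
    """Decode the forensically relevant BPB fields; raise on anything that is
    not an intact NTFS boot sector rather than returning garbage."""
    if len(bs) < 512:
        raise ValueError("need at least 512 bytes")
    if bs[0x03:0x0B] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    if bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA end-of-sector marker")

    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    # Volumes with clusters larger than 128 KB (allowed since Windows 10 1709)
    # store this byte like the signed size fields: 0xF4 means 2**(256-0xF4) sectors.
    if sectors_per_cluster > 0x80:
        sectors_per_cluster = 1 << (256 - sectors_per_cluster)
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    total_sectors = struct.unpack_from("<Q", bs, 0x28)[0]
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", bs, 0x30)
    clusters_per_record = struct.unpack_from("<b", bs, 0x40)[0]   # signed!
    clusters_per_index = struct.unpack_from("<b", bs, 0x44)[0]
    serial = struct.unpack_from("<Q", bs, 0x48)[0]

    if bytes_per_sector == 0 or sectors_per_cluster == 0 \
            or mft_lcn * sectors_per_cluster >= total_sectors:
        raise ValueError("BPB values are inconsistent (zeroed, or $MFT beyond volume end)")

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "media_descriptor": bs[0x15],
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_record_bytes": _decode_size_field(clusters_per_record, cluster_bytes),
        "index_record_bytes": _decode_size_field(clusters_per_index, cluster_bytes),
        "volume_serial": serial,
    }


def is_ntfs_boot_sector(bs):
    """Convenience check used when scanning an image for lost volumes."""
    try:
        parse_boot_sector(bs)
        return True
    except ValueError:
        return False


def mft_physical_lba(info, partition_start_lba):
    """Sector of the $MFT on the physical disk: LCN -> sector within the
    partition (times sectors per cluster) -> disk sector (plus partition start)."""
    return info["mft_lcn"] * info["sectors_per_cluster"] + partition_start_lba


if __name__ == "__main__":
    info = parse_boot_sector(build_boot_sector())
    for key, value in info.items():
        print(f"{key:>20}: {value:#x} ({value})")
    print("physical LBA of $MFT (partition starts at sector 80325):",
          mft_physical_lba(info, 80325))
```

On a real image, read 512 bytes at the partition's starting sector (80,325 x 512 here) instead of calling build_boot_sector(); the partition start comes from the MBR or GPT entry, which is why the LBA arithmetic needs it as a separate input.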
NTFS Master File Table
- The first four entries are replicated in $MFTMirr, so that the start of the MFT can be repaired if it is damaged.
- The first 16 records are reserved for metadata files; their names begin with a dollar sign ($).
NTFS Master File Table: reserved records
- 0: $MFT, the master file table itself
- 1: $MFTMirr, mirror of the first MFT records
- 2: $LogFile, the transaction log
- 3: $Volume, volume name, version and flags
- 4: $AttrDef, attribute definitions
- 5: ".", the root folder
- 6: $Bitmap, the cluster allocation bitmap
- 7: $Boot, the boot sector
- 8: $BadClus, the bad cluster file
- 9: $Secure, security descriptors
- 10: $UpCase, the upcase table used for case-insensitive name comparison
- 11: $Extend, a folder reserved for extensions; in practice it holds $ObjId, $Quota, $Reparse and $UsnJrnl
MFT Records
- Entries are 1 KB each (the size comes from the clusters-per-MFT-record field in the boot sector).
- Each entry holds the file's attributes, which describe its metadata, where its data is located and, for small files, the data itself.
MFT Records
- Small files (roughly under 900 B) are contained completely inside the MFT entry as a resident $DATA attribute: no data clusters are allocated, so the content has to be recovered from the MFT record itself rather than from unallocated clusters.
MFT Records
- Folders contain index data instead of file content.
- Small folders keep their index entirely inside the MFT record (a resident $INDEX_ROOT attribute).
- Larger folders keep an index structure ($INDEX_ALLOCATION) that points to other data blocks (index records) holding the entries. The index is organized as a B-tree sorted by file name.
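The MFT record structure from the three slides above (1 KB entries, attributes inside the entry, resident data for small files), as an added example in Python written for this page; it is not code from the slides. The record is constructed in code: a FILE record for a hypothetical "notes.txt" with a resident $FILE_NAME and a resident unnamed $DATA attribute, timestamps zeroed, placed in the root folder (record 5). The part the slides do not show, and that every MFT parser must get right, is the fixup (update sequence): on disk the last two bytes of each 512-byte sector of the record are replaced by the update sequence number and the originals are parked in the record header, so a half-written record can be detected. The parser undoes that before touching any attribute and refuses a record whose sectors disagree.

```python
import struct

SECTOR_BYTES = 512
RECORD_BYTES = 1024                      # clusters-per-MFT-record 0xF6 -> 2**10 bytes
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF


def resident_attribute(atype, content, attr_id):
    """Resident attribute: 24-byte header, then the content, padded to 8 bytes."""
    length = (0x18 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, attr_id,
                         len(content), 0x18, 0, 0)
    return header + content + bytes(length - 0x18 - len(content))


def file_name_content(name, parent_record=5, size=0):
    """$FILE_NAME body: parent reference (root folder = record 5), four
    timestamps (zeroed here), sizes, flags, name length, namespace, UTF-16 name."""
    parent_ref = parent_record | (5 << 48)           # record number + sequence number
    return struct.pack("<QQQQQQQIIBB", parent_ref, 0, 0, 0, 0, size, size, 0, 0,
                       len(name), 3) + name.encode("utf-16-le")


def build_record(record_no, name, data, usn=0x0005):
    """Constructed 1 KB FILE record with the fixup applied, as it would sit on disk."""
    attrs = (resident_attribute(ATTR_FILE_NAME, file_name_content(name, size=len(data)), 2)
             + resident_attribute(ATTR_DATA, data, 3)
             + struct.pack("<I", ATTR_END))
    first_attr = 0x38                                # 48-byte header + 6-byte USA, rounded to 8
    used = first_attr + len(attrs)
    rec = bytearray(RECORD_BYTES)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                     0x01, used, RECORD_BYTES, 0, 4, 0, record_no)
    rec[first_attr:used] = attrs
    # Fixup: the last two bytes of every sector are moved into the update
    # sequence array and replaced by the USN, so a torn write is detectable.
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(RECORD_BYTES // SECTOR_BYTES):
        pos = (i + 1) * SECTOR_BYTES - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[pos:pos + 2]
        struct.pack_into("<H", rec, pos, usn)
    return bytes(rec)


def parse_record(raw):
    """Undo the fixup, then walk the attribute list; returns name, resident
    $DATA content and flags. Raises ValueError on a torn or malformed record."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":                           # "BAAD" marks a record chkdsk gave up on
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * SECTOR_BYTES - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write or corruption")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02),
            "attributes": [], "name": None, "data": None}
    off = first_attr
    while off + 4 <= used:
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == ATTR_END:
            break
        length, nonres, name_len = struct.unpack_from("<IBB", rec, off + 4)
        if length < 0x18 or off + length > used:
            raise ValueError("attribute length runs past the used part of the record")
        info["attributes"].append(atype)
        if not nonres:                               # resident: content lives in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
            if atype == ATTR_FILE_NAME:
                info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
            elif atype == ATTR_DATA and name_len == 0:   # the unnamed (main) stream
                info["data"] = content
        off += length
    else:
        raise ValueError("no end-of-attributes marker")
    return info


def record_is_consistent(raw):
    """True if the record parses and its fixup values agree."""
    try:
        parse_record(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_record(64, "notes.txt", b"Hello, NTFS!")
    print(parse_record(good))
    torn = bytearray(good)
    torn[0x3FE] ^= 0x01                              # simulate a half-written second sector
    print("torn record consistent:", record_is_consistent(torn))
```

A non-resident $DATA attribute (large file) carries a run list instead of content; this example records its type and skips it, which is the honest behaviour for a parser that does not decode runs. To read real records, seek to the $MFT's physical offset computed from the boot sector and feed each 1024-byte slice to parse_record().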
NTFS Versions
- The file system improves with each Windows release, and the on-disk layout changes with it, so a parser must check the version recorded in the $Volume metadata file.
- Slides: 17