Computer Forensics NTFS File System MBR and GPT
MBR and GPT Disks
- MBR disks are used for 32-bit x86-compatible systems; GPT disks are used for 64-bit Itanium processors.
- A GPT disk starts with an MBR in order to maintain compatibility. That MBR holds a single partition whose partition table entry has type 0xEE.
NTFS Architecture
NTFS Partition Layout
- Boot Record: basic parameters of the NTFS partition.
- Master File Table (5%-10% of the partition): a table of entries; each entry is a collection of attributes. Attributes can be resident (inside the MFT entry) or stored in the File System Data area.
- File System Data
- Master File Table Copy
NTFS Boot Sector
- Notice that the end-of-sector marker is 55 AA. You can look for this to find boot sectors for NTFS and DOS.
NTFS Boot Sector
Offset  Size    Field
0x00    3 B     Jump instruction
0x03    8 B     OEM ID
0x0B    25 B    BPB
0x24    48 B    Extended BPB
0x54    426 B   Bootstrap code
0x1FE   2 B     End-of-sector marker
NTFS Boot Sector
NTFS Boot Sector
- Many fields are not important, but:
  0x0B  Bytes per sector
  0x0D  Sectors per cluster
  0x15  Media descriptor (F8: hard disk; F0: floppy)
  0x28  Total sectors
  0x30  Logical cluster number of the MFT
  0x38  Logical cluster number of the MFT copy
  0x40  Clusters per MFT record
  0x48  Volume serial number
NTFS Boot Sector
- WinHex allows access to an interpreted NTFS boot sector.
- Use the Access tab.
NTFS BPB
- 0x0B Bytes per sector: bytes 00 02, i.e. 0x0200 = 512 decimal.
- 0x0D Sectors per cluster: 0x08.
- 0x0E Reserved sectors: 0x0000.
NTFS BPB
- 0x15 Media descriptor: F8 is a hard drive, F0 is a floppy.
- 0x28 Total number of sectors: bytes F7 AF 4E 09 00 00 00 00, read little-endian as 0x094EAFF7 = 156,151,799 sectors, i.e. ~80 GB.
NTFS BPB
- 0x30 Logical cluster number of MFT copy 1: cluster 0xC07FE9 (file $MFT).
- 0x38 Logical cluster number of MFT copy 2: cluster 0x40029D.
NTFS BPB
- 0x40 Clusters per MFT record: F6. (This byte is signed: a negative value n means a record size of 2^|n| bytes, so F6 = -10 gives 1024-byte records.)
- 0x48 Volume serial number.
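Added example (not from the slides): a small Python parser that reads the BPB fields walked through above from a constructed 512-byte boot sector carrying the same values, checks the 55 AA marker and the NTFS OEM ID, and turns the $MFT cluster number into a byte offset. The signed interpretation of byte 0x40 is standard NTFS behaviour rather than slide content, and the volume serial in the sample is made up.

```python
import struct

# Constructed NTFS boot sector (not the deck's disk) carrying the BPB values the
# walkthrough above reads: 512 B/sector, 8 sectors/cluster, media F8, 0x094EAFF7
# total sectors, $MFT at LCN 0xC07FE9, $MFTMirr at LCN 0x40029D, 0xF6 at 0x40.
def build_sample_boot_sector() -> bytes:
    s = bytearray(512)
    s[0x00:0x03] = b"\xEB\x52\x90"                  # jump instruction
    s[0x03:0x0B] = b"NTFS    "                      # OEM ID
    struct.pack_into("<H", s, 0x0B, 512)            # bytes per sector
    s[0x0D] = 8                                     # sectors per cluster
    s[0x15] = 0xF8                                  # media descriptor: hard disk
    struct.pack_into("<Q", s, 0x28, 0x094EAFF7)     # total sectors (stored as F7 AF 4E 09 ..)
    struct.pack_into("<Q", s, 0x30, 0xC07FE9)       # LCN of $MFT
    struct.pack_into("<Q", s, 0x38, 0x40029D)       # LCN of $MFTMirr
    s[0x40] = 0xF6                                  # clusters per MFT record (signed)
    struct.pack_into("<Q", s, 0x48, 0x1122334455667788)  # volume serial (made up)
    s[0x1FE:0x200] = b"\x55\xAA"                    # end-of-sector marker
    return bytes(s)

def mft_record_size(raw: int, cluster_bytes: int) -> int:
    """Byte 0x40 is signed: n >= 0 means n clusters, n < 0 means 2**|n| bytes."""
    n = struct.unpack("<b", bytes([raw]))[0]
    return n * cluster_bytes if n >= 0 else 1 << -n

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB fields the slides walk through; reject non-NTFS sectors."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55 AA end-of-sector marker")
    if sector[0x03:0x0B] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    bps = struct.unpack_from("<H", sector, 0x0B)[0]
    spc = sector[0x0D]
    cluster_bytes = bps * spc
    info = {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "media_descriptor": sector[0x15],
        "total_sectors": struct.unpack_from("<Q", sector, 0x28)[0],
        "mft_lcn": struct.unpack_from("<Q", sector, 0x30)[0],
        "mftmirr_lcn": struct.unpack_from("<Q", sector, 0x38)[0],
        "mft_record_size": mft_record_size(sector[0x40], cluster_bytes),
        "volume_serial": struct.unpack_from("<Q", sector, 0x48)[0],
    }
    # LCN * sectors per cluster = sector number; times bytes per sector = byte offset
    info["mft_byte_offset"] = info["mft_lcn"] * cluster_bytes
    info["volume_bytes"] = info["total_sectors"] * bps
    return info
```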
NTFS Master File Table
- The first four entries are replicated, so that the MFT can be repaired.
- The first 16 records are reserved for metadata files; their names begin with a dollar sign ($).
NTFS Master File Table
1. Master file table $MFT
2. Master file table mirror $MftMirr
3. Log file $LogFile
4. Volume $Volume
5. Attribute definitions $AttrDef
6. The root folder "."
7. Cluster bitmap $Bitmap
8. Boot sector $Boot (located at the beginning of the partition)
9. Bad cluster file $BadClus
10. Security file $Secure
11. Upcase table $Upcase
12. NTFS extension file $Extend, reserved for future use
NTFS Master File Table
MFT Record Structure
- Entries are 1 KB each.
- Entries contain: file attributes, location, data.
MFT Records
- Small files (<900 B) are contained completely in the MFT entry.
MFT Records
- Folders contain index data.
- Small folders reside within the MFT record.
- Larger folders have an index structure pointing to other data blocks; they use a B-tree structure.
MFT Record
- Each MFT record is addressed by a 48-bit MFT entry value.
  - The first entry has address 0.
  - Each MFT entry has a 16-bit sequence number that is incremented when the entry is allocated.
  - The MFT entry value and sequence number combined yield the 64-bit file reference address.
MFT Record
- NTFS uses the file reference address to refer to MFT entries.
- When the system crashes during allocation, the sequence number tells whether the MFT entry belonged to the previous file or to the current one.
MFT Record
- MFT entry attributes are loosely defined.
- Each attribute is preceded by an attribute header.
- The attribute header identifies: type of attribute, size, name.
MFT Record Structure
- The attribute header gives basic information about the attribute.
- A resident attribute is stored in the MFT entry.
- A non-resident attribute is stored in clusters outside the MFT.
MFT Record Structure
- Resident attributes are stored in the MFT record.
- Non-resident attributes are stored in cluster runs.
  - A cluster run consists of consecutive clusters and is identified by its starting cluster and run length.
  - NTFS distinguishes between Virtual Cluster Numbers (VCN) and Logical Cluster Numbers (LCN).
    - LCN * (sectors per cluster) = sector number.
    - LCN 0 is the first cluster in the volume (boot sector).
    - VCN 0 refers to the first cluster in a cluster run.
MFT Record Structure
- The MFT entry header has a fixed structure.
MFT Record Structure
Offset       Field
0x00-0x03    Magic number: "FILE"
0x04-0x05    Offset to the update sequence
0x06-0x07    Number of entries in fixup array
0x08-0x0F    $LogFile sequence number (LSN)
0x10-0x11    Sequence number
0x12-0x13    Hard link count
0x14-0x15    Offset to first attribute
0x16-0x17    Flags: 0x01 record in use, 0x02 directory
0x18-0x1B    Used size of MFT entry
0x1C-0x1F    Allocated size of MFT entry
0x20-0x27    File reference to the base FILE record
0x28-0x29    Next attribute ID
0x2A-0x2B    (XP) Align to 4 B boundary
0x2C-0x2F    (XP) Number of this MFT record
0x30-0x100   Attributes and fixup value
MFT Record Structure
- EXAMPLE 1: A directory entry
MFT Record
- MFT records start with "FILE". A bad cluster would start with "BAAD".
MFT Record
- Bytes 4-5: Offset to update sequence.
- Bytes 6-7: Number of entries in fixup array.
- Bytes 8-F: Log file sequence number.
- Bytes 0x10-0x11: Sequence number: 59 00.
- Bytes 0x12-0x13: Hard link count: 2.
- Bytes 0x14-0x15: Offset to first attribute: bytes 38 00, i.e. the first attribute starts at 0x0038.
- Bytes 0x16-0x17: Flags: in use and contains a directory (0x0001 | 0x0002).
MFT List of Possible Attributes
- Defined in the $AttrDef entry of the MFT, but the default is:
  0x10   $STANDARD_INFORMATION
  0x20   $ATTRIBUTE_LIST
  0x30   $FILE_NAME
  0x40   (NT) $VOLUME_VERSION, (2K) $OBJECT_ID
  0x50   $SECURITY_DESCRIPTOR
  0x60   $VOLUME_NAME
  0x70   $VOLUME_INFORMATION
  0x80   $DATA
  0x90   $INDEX_ROOT
  0xA0   $INDEX_ALLOCATION
  0xB0   $BITMAP
  0xC0   (NT) $SYMBOLIC_LINK, (2K) $REPARSE_POINT
  0xD0   $EA_INFORMATION
  0xE0   $EA
  0xF0   (NT) $PROPERTY_SET
  0x100  (2K) $LOGGED_UTILITY_STREAM
MFT Attribute Layout
- Attributes can be resident or non-resident.
- The beginning of the header is always the same:
  0x00  Attribute type identifier
  0x04  Length of attribute
  0x08  Non-resident flag
  0x09  Length of name
  0x0A  Offset to name
  0x0C  Flags
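Added example (not from the slides): Python that builds a constructed 1 KB directory record with the header values of Example 1, applies the update sequence (fixup) array so a torn sector write is detected instead of being silently parsed, and walks the attribute headers using the common layout above. The fixup format (USN followed by the saved sector tails), the 0xFFFFFFFF end marker and the resident content size/offset fields at 0x10/0x14 of the attribute header are standard NTFS layout assumed here, not slide content.

```python
import struct
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def build_sample_record(usn: int = 0xCAFE) -> bytes:
    """Constructed 1 KB directory record modelled on Example 1 (seq 0x59, 2 links, in use, dir)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQH", rec, 4, 0x30, 3, 0x1000, 0x59, 2, 0x38,
                     0x0003, 0x38 + 0x60 + 0x70 + 8, 1024, 0, 3)
    pos = 0x38
    for atype, length, clen in ((STANDARD_INFORMATION, 0x60, 0x48), (FILE_NAME, 0x70, 0x58)):
        # common header: type, length, non-resident flag, name length, name offset, flags, id
        struct.pack_into("<IIBBHHH", rec, pos, atype, length, 0, 0, 0x18, 0, atype >> 4)
        struct.pack_into("<IH", rec, pos + 0x10, clen, 0x18)  # resident: content size, offset
        pos += length
    struct.pack_into("<I", rec, pos, END_MARKER)
    rec[1022:1024] = b"\x11\x22"  # constructed payload so the fixup swap is observable
    # Update sequence: USN at 0x30, then each 512 B sector's saved last 2 bytes (the USN overwrites them on disk)
    struct.pack_into("<H", rec, 0x30, usn)
    for i, tail in enumerate((510, 1022)):
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]
        struct.pack_into("<H", rec, tail, usn)
    return bytes(rec)

def apply_fixups(raw: bytes, sector_size: int = 512) -> bytes:
    """Restore the bytes the update sequence replaced; reject torn records."""
    rec = bytearray(raw)
    usa_off, count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, count):
        tail = i * sector_size - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw: bytes) -> dict:
    if raw[:4] != b"FILE":  # "BAAD" marks a record with a detected error
        raise ValueError("not a usable MFT record: %r" % raw[:4])
    rec = apply_fixups(raw)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    attrs, pos = [], first_attr
    while pos + 0x16 <= len(rec) and struct.unpack_from("<I", rec, pos)[0] != END_MARKER:
        atype, length = struct.unpack_from("<II", rec, pos)
        clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)  # meaningful for resident attrs
        attrs.append({"type": atype, "length": length, "resident": rec[pos + 8] == 0,
                      "content": rec[pos + coff:pos + coff + clen] if rec[pos + 8] == 0 else b""})
        pos += length or len(rec)  # a zero length would loop forever; bail out instead
    return {"sequence": seq, "hard_links": links, "in_use": bool(flags & 1),
            "directory": bool(flags & 2), "attributes": attrs}
```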
MFT Attribute Example
- The attribute is of type 0x10 ($STANDARD_INFORMATION).
- The Standard Information attribute is 0x60 bytes long.
- The attribute is resident (non-resident flag 0x00).
- The contents are 0x48 bytes long and start at offset 0x18.
MFT Attribute Example
Standard Information attribute layout (offset, size in bytes, field):
0x00  8  File creation time
0x08  8  File alteration time
0x10  8  MFT change time
0x18  8  File read time
0x20  4  DOS file permissions
0x24  4  Maximum number of versions
0x28  4  Version number
0x2C  4  Class ID
0x30  4  (2K) Owner ID
MFT Attribute Example
- This allows us to extract the file access times just as for DOS.
- Time values are counted in 100-nanosecond units since January 1, 1601 UTC.
MFT Attribute Example
- The second attribute has type 0x30 (stored as bytes 30 00 00 00): the $FILE_NAME attribute.
- The total attribute length is 0x70 bytes.
- The contents start at offset 0x18.
MFT Attribute Example
- The content layout for the $FILE_NAME attribute is:
  0x00  File reference to parent directory
  0x08  File creation time
  0x10  File modification time
  0x20  File access time
  0x28  Allocated size of file
  0x30  Real size of file
  0x38  Flags
  0x40  File name length in Unicode characters
  0x42  File name in Unicode
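Added example (not from the slides): decoding constructed $STANDARD_INFORMATION and $FILE_NAME contents, converting the 100 ns timestamps to UTC datetimes and splitting the parent file reference into its 48-bit entry and 16-bit sequence parts as described for MFT records above. The sample file name, times and sizes are constructed; the parent reference (entry 5, sequence 5, meant as the root folder) is an assumption about the sample, not slide data.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """NTFS timestamps count 100 ns intervals since 1601-01-01 UTC (FILETIME)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def split_file_reference(ref: int) -> tuple:
    """A 64-bit file reference is a 48-bit MFT entry number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_standard_information(content: bytes) -> dict:
    """Decode the four timestamps and DOS permissions at 0x00..0x23 of $STANDARD_INFORMATION."""
    created, altered, mft_changed, read, perms = struct.unpack_from("<QQQQI", content, 0)
    return {"created": filetime_to_datetime(created), "altered": filetime_to_datetime(altered),
            "mft_changed": filetime_to_datetime(mft_changed), "read": filetime_to_datetime(read),
            "dos_permissions": perms}

def parse_file_name(content: bytes) -> dict:
    """Decode $FILE_NAME: parent reference, times, sizes, flags and the UTF-16 name."""
    fields = struct.unpack_from("<QQQQQQQI", content, 0)
    parent, created, modified, mft_modified, accessed, alloc, real, flags = fields
    name_len = content[0x40]                      # counted in UTF-16 code units, not bytes
    name = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    parent_entry, parent_seq = split_file_reference(parent)
    return {"parent_entry": parent_entry, "parent_sequence": parent_seq,
            "created": filetime_to_datetime(created), "accessed": filetime_to_datetime(accessed),
            "allocated_size": alloc, "real_size": real, "flags": flags, "name": name}

def build_sample_contents() -> tuple:
    """Constructed $STANDARD_INFORMATION and $FILE_NAME contents (not from the deck's image):
    NOTES.TXT, parent reference entry 5 / sequence 5, 1234 B real, 4096 B allocated."""
    def ft(s: str) -> int:
        return datetime_to_filetime(datetime.fromisoformat(s).replace(tzinfo=timezone.utc))
    c, m, a = ft("2009-03-01T10:00:00"), ft("2009-03-02T11:30:00"), ft("2009-03-03T08:15:00")
    si = struct.pack("<QQQQIIIII", c, m, m, a, 0x20, 0, 0, 0, 0)   # 0x20 = archive bit
    name = "NOTES.TXT".encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, c, m, m, a, 4096, 1234, 0x20, 0,
                     len(name) // 2, 0) + name                    # 0x40 length, 0x41 namespace
    return si, fn
```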
MFT Attribute Example
- Obviously, this is a short file name.
MFT Attribute Example
- The third attribute is also a file name, but this time the complete entry
NTFS Versions
- The file system improves.
- The disk layout changes.