NTFS File System and Data Security

Yanhui Tu
KingSoft
Index
1 File system kernel analysis
2 Streams and data security
3 Data recovery
4 Data overwrite
NTFS File System Analysis
• Files
• There are 2 different kinds:
– Metafiles: the user can't access them
– User files: user data
NTFS File System Analysis
• NTFS meta files
Metadata            Function
$MFT                The MFT itself
$MFTMirr            Partial image (mirror) of the MFT
$LogFile            Log file
$Volume             Volume file
$AttrDef            Attribute definition list
$Root               Root directory
$Bitmap             Bitmap file
$Boot               Boot file
$BadClus            Bad cluster file
$Quota (NTFS4)      Quota file
$Secure             Security file
$UpCase             Uppercase (case mapping) table file
$Extend             Extended metadata directory
$Extend\$Reparse    Reparse points file
$Extend\$UsnJrnl    Change journal file
$Extend\$Quota      Quota management file
$Extend\$ObjId      Object ID file
NTFS File System Analysis
• $MFT (Master File Table)
• Contains all information about the files; these pieces of information are called attributes
• The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself
NTFS File System Analysis
Normal file MFT record
• MFT header
• 10H $STANDARD_INFORMATION
• 30H $FILE_NAME
• 80H $DATA and $BITMAP
• MFT end
NTFS File System Analysis
Resident attributes and non-resident attributes
• Resident attribute: saves its data in the file data area
• Non-resident attribute: saved in the MFT
NTFS File System Analysis
Directory's MFT record
• MFT header
• 10H ($STANDARD_INFORMATION)
• 30H ($FILE_NAME)
• 90H ($INDEX_ROOT)
• A0H ($INDEX_ALLOCATION)
• B0H ($BITMAP)
• MFT end
NTFS File System Analysis
Structure of the file index
• Index header (every 4KB index block has a file index header)
• Index items (every item records a file's filename, MFT number, parent directory MFT number, etc.)
NTFS File System Analysis
• $LogFile's MFT record
The log file's structure is very complicated and its structural details are still unknown
NTFS File System Analysis
• $LogFile log file
The log file's structure is very complicated and its structural details are still unknown; we only know it is separated into many 4K blocks and each block starts with RCRD
NTFS File System Analysis
• $LogFile log file
A recorded example of a file rename
NTFS File System Analysis
• Volume file
• Label at offset 60H
NTFS File System Analysis
• $AttrDef file
• List recording all attributes
NTFS File System Analysis
• Content of $AttrDef
• Records the definition of all attributes
NTFS File System Analysis
• "." file (root)
• Root of the directory tree
NTFS File System Analysis
• 90H attribute of the root directory
NTFS File System Analysis
• $Bitmap file
NTFS File System Analysis
• Content of the $Bitmap file
NTFS File System Analysis
• $Boot file MFT record
NTFS File System Analysis
• Content of $Boot
NTFS File System Analysis
• Content of $Boot
NTFS File System Analysis
• $UpCase file MFT record
NTFS File System Analysis
• Content of the $UpCase file
NTFS File System Analysis
• $BadClus file MFT record
• It maintains a list of bad clusters on the drive.
Stream and Data Security
• Putting a file in a stream
Stream and Data Security
• 29A released a stream-based virus in 2000
• Currently no anti-virus product in China supports stream scanning
Stream and Data Security
• Stream on disk
Stream and Data Security
• Stream on disk
Stream and Data Security
• A stream can be put on a directory
Stream and Data Security
• APIs designed for stream programming
• 1. Enumerate:
– FindFirstStreamW and FindNextStreamW (Win2003 Server)
– BackupRead and BackupSeek (Win2000)
• 2. Delete:
– DeleteFile
• And you can access streams without the above APIs, given knowledge of the NTFS data structures
Data Recovery
• Normally, users access files through the file system: the files are stored on the user's hard disk and organized by the file system, which supplies them to the users.
• What users see are only files; users don't care how these files are stored on disk, and they can use commands supplied by the OS to read and write files. But if either the data or the file system is corrupted, users can't access the files anymore.
Data Recovery
• When the file system is corrupt, we have 2 methods to recover data.
• First method: Rebuild the file system and fix the corrupt part, so that the system can access this file system normally and recover the lost data. For example: when the hard disk's partition table is corrupt, we can rebuild the partition table to recover the data; if some partitions can't be accessed normally, we can rebuild the BPB to fix that. This method is suitable for repairing some key data, where only a very small amount of data needs to be rebuilt.
• Second method: Rebuild the lost data into files from the source device. This is used when trying to rebuild an extremely unstable file system, for example when the file data before the corruption is uncertain, or when a large amount of data must be written. This method is suitable for recovering deleted files and formatted partitions.
File Recovery
• Scenario: when files are deleted or the volume is formatted, the file data is not destroyed; only some file information in the file system is deleted and the file's space is released.
File Deletion Processing
• Deleting a file in FAT
• 1. Replace the first byte of the directory entry's filename field with E5H
• 2. Mark this directory entry as unused
File Deletion Processing
• Deleting a file in NTFS
• Deleting a file in NTFS needs 3 changes:
– 1. There is a byte at offset 16H of this file's MFT header. 0 means this file is deleted, 1 means this file is in use, 2 means this is a directory, 3 means this directory is deleted;
– 2. The parent directory's INDEX_ROOT (90H) or INDEX_ALLOCATION (A0H) attribute is updated;
– 3. Set the file's corresponding bits in $Bitmap to 0.
Recovery Demo
• FAT recovery demo
• 1. Locate the file's directory entry
• 2. Analyze the directory entry
• 3. Locate the data area
• 4. Save the recovered file
Recovery Demo
• NTFS recovery demo
• 1. Locate the file's MFT record
• 2. Analyze the MFT attributes
• 3. Locate the data area
• 4. Save the recovered file
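The following is an added example written for this page; it is not code from the slides or from the author's tools. It ties together the MFT record layout shown earlier (header, 10H $STANDARD_INFORMATION, 30H $FILE_NAME, 80H $DATA), resident versus non-resident attribute storage, the named $DATA streams that let data sit on a file outside the APIs listed in the stream section, the flag word at offset 16H from the deletion slide (the parser decodes its two bits: bit 0 = record in use, bit 1 = directory), and the four NTFS recovery steps just listed: locate the MFT record, analyze the attributes, follow the data runs to the data area, and cut the result to the real file size. The 1 KB record, the data-run list, the file name secret.txt, the Zone.Identifier stream and the small volume image are all constructed here; the field offsets are those of the standard NTFS on-disk format, including the update-sequence fixups that every on-disk FILE record (and every $LogFile RCRD page) carries and that a parser must undo before reading the bytes.

```python
import struct

CLUSTER = 512  # the constructed sample volume uses 512-byte clusters to keep the image small

def apply_fixups(record, sector=512):
    """Undo update-sequence fixups: on disk the last 2 bytes of every sector hold the USN; the
    real bytes are kept in the update sequence array (USA), whose offset is stored at +4."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_cnt):
        if buf[i * sector - 2:i * sector] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % i)
        buf[i * sector - 2:i * sector] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def decode_runs(runlist):
    """Data-run list -> [(lcn, clusters), ...]; each LCN is a signed delta from the previous run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos]:
        len_sz, off_sz = runlist[pos] & 0xF, runlist[pos] >> 4
        count = int.from_bytes(runlist[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(runlist[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn, count))
        pos += 1 + len_sz + off_sz
    return runs

def parse_record(raw):
    """Walk one FILE record: flags at 16H (bit 0 = in use, bit 1 = directory), attributes from 14H."""
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "name": None, "parent_mft": None, "streams": [], "runs": [], "size": 0}
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break  # end-of-attributes marker
        nonres, name_len, name_off = rec[pos + 8], rec[pos + 9], struct.unpack_from("<H", rec, pos + 10)[0]
        name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        if atype == 0x80:
            info["streams"].append(name)  # "" is the default $DATA stream; any other name is an ADS
        if nonres:  # value lives in clusters: the record holds only the run list and the sizes
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            if atype == 0x80 and not name:
                info["runs"] = decode_runs(rec[pos + runs_off:pos + alen])
                info["size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
        else:  # value is stored inside the MFT record itself
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            value = rec[pos + voff:pos + voff + vlen]
            if atype == 0x30:  # $FILE_NAME: parent ref at 0, name length at 40H, UTF-16 name at 42H
                info["parent_mft"] = struct.unpack_from("<Q", value, 0)[0] & 0xFFFFFFFFFFFF
                info["name"] = value[0x42:0x42 + 2 * value[0x40]].decode("utf-16-le")
        pos += alen
    return info

def recover_data(info, disk):
    """Demo steps 3-4: follow the default stream's runs into the volume and cut to the real size."""
    return b"".join(disk[l * CLUSTER:(l + n) * CLUSTER] for l, n in info["runs"])[:info["size"]]

# ---- constructed sample input (not taken from a real volume) ----
RUNLIST = bytes([0x21, 0x08, 0x34, 0x12,   # run 1: 8 clusters at LCN 0x1234
                 0x11, 0x04, 0xF0, 0x00])  # run 2: 4 clusters at 0x1234 - 0x10 = 0x1224; then terminator
PAYLOAD = (b"constructed file content line\n" * 200)[:5000]

def resident_attr(atype, value, name=""):
    nbytes = name.encode("utf-16-le")
    val_off = (0x18 + len(nbytes) + 7) & ~7
    total = (val_off + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(value), val_off, 0, 0)
    body = hdr + nbytes + bytes(val_off - 0x18 - len(nbytes)) + value
    return body + bytes(total - len(body))

def nonresident_data(runlist, real_size):
    clusters, total = sum(n for _, n in decode_runs(runlist)), (0x40 + len(runlist) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, total, 1, 0, 0x40, 0, 0, 0, clusters - 1, 0x40, 0, 0,
                      clusters * CLUSTER, real_size, real_size)
    return hdr + runlist + bytes(total - 0x40 - len(runlist))

def build_sample_record(in_use=True):
    """1 KB record for 'secret.txt' under the root directory (MFT #5) with one ADS, fixups applied."""
    fname = "secret.txt".encode("utf-16-le")
    file_name = struct.pack("<Q", 5 | (1 << 48)) + bytes(0x38) + bytes([len(fname) // 2, 1]) + fname
    attrs = (resident_attr(0x10, bytes(0x30)) + resident_attr(0x30, file_name)
             + nonresident_data(RUNLIST, len(PAYLOAD))
             + resident_attr(0x80, b"[ZoneTransfer]\r\nZoneId=3\r\n", name="Zone.Identifier")
             + b"\xff\xff\xff\xff" + bytes(4))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1 if in_use else 0,
                      0x38 + len(attrs), 1024, 0, 5, 0, 42)
    buf = bytearray(hdr + b"\x01\x00" + bytes(6) + attrs)  # USA = USN + 2 saved slots, padded to 38H
    buf += bytes(1024 - len(buf))
    for i in (1, 2):  # write-side fixups, as the driver applies them before the record hits disk
        buf[0x30 + 2 * i:0x32 + 2 * i] = buf[i * 512 - 2:i * 512]
        buf[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(buf)

def build_sample_disk():
    disk, pos = bytearray((0x1234 + 8) * CLUSTER), 0
    for lcn, n in decode_runs(RUNLIST):
        chunk = PAYLOAD[pos:pos + n * CLUSTER]
        disk[lcn * CLUSTER:lcn * CLUSTER + len(chunk)] = chunk
        pos += n * CLUSTER
    return bytes(disk)
```

Calling `parse_record(build_sample_record())` gives the file name, the parent MFT number, the flags, the list of streams (an empty name is the default stream; anything else is an alternate data stream, which is what an ADS-aware scanner has to enumerate) and the cluster runs; `recover_data` then reassembles the file from the constructed volume. On a real volume the same parser is pointed at the 1 KB records of $MFT itself, and a record whose in-use bit is clear but whose runs still decode is exactly the case the recovery demo relies on: the clusters are free in $Bitmap but have not yet been reused.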

Data Overwrite
(DoD) 5220.22-M
• a. Degauss with a Type I degausser.
• b. Degauss with a Type II degausser.
• c. Overwrite all addressable locations with a single character.
• d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.
• e. Overwrite all addressable locations with a character, its complement, then a random character.
• f. Each overwrite must reside in memory for a period longer than the classified data resided.
• g. Remove all power to include battery power.
• h. Overwrite all locations with a random pattern, all locations with binary zeros, all locations with binary ones.
• i. Perform a full chip erase as per manufacturer's data sheets.
• j. Perform i above, then c above, a total of three times.
• k. Perform an ultraviolet erase according to manufacturer's recommendation.
• l. Perform k above, but increase time by a factor of three.
• m. Destroy - Disintegrate, incinerate, pulverize, shred, or melt.
• n. Destruction required only if classified information is contained.
Data Overwrite
Media                           Clear         Sanitize
Magnetic Tape
  Type I                        a or b        a, b, or m
  Type II                       a or b        b or m
  Type III                      a or b        m
Magnetic Disk
  Bernoullis                    a, b, or c    m
  Floppies                      a, b, or c    m
  Non-Removable Rigid Disk      c             a, b, d, or m
  Removable Rigid Disk          a, b, or c    a, b, d, or m
Optical Disk
  Read Many, Write Many         c             m
  Read Only                                   m, n
  Write Once, Read Many (WORM)                m, n
Data Overwrite
Media                                       Clear     Sanitize
Memory
  Dynamic Random Access Memory (DRAM)       c or g    c, g, or m
  Electronically Alterable PROM (EAPROM)    i         j or m
  Electronically Erasable PROM (EEPROM)     i         h or m
  Erasable Programmable ROM (EPROM)         k         l, then c, or m
  Flash EPROM (FEPROM)                      i         c then i, or m
  Programmable ROM (PROM)                   c         m
  Magnetic Bubble Memory                    c         a, b, c, or m
  Magnetic Core Memory                      c         a, b, e, or m
  Magnetic Plated Wire                      c         c and f, or m
  Magnetic Resistive Memory                 c         m
  Nonvolatile RAM (NOVRAM)                  c or g    c, g, or m
  Read Only Memory (ROM)                              m
  Static Random Access Memory (SRAM)        c or g    c and f, g, or m

• http://www.zdelete.com/dod.htm
D or E level overwrite
• Method 1:
• 1. Open the file
• 2. Write the file
• 3. Close the file
• Features: simple but not safe
D or E level overwrite
• Method 2:
• 1. Locate the file's MFT record or index entry in the file system
• 2. Locate the file's physical address on disk
• 3. Write to the disk
• Features: complex (needs very deep knowledge of the file system and disk structure), safe (can make sure the overwrite lands on the same place as the file)
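As an added example that is not from the slides, here is Method 1 done as carefully as the file API allows: passes d/e from the DoD list (a character, its complement, then random data) written through the file's existing allocation, forced to the device with fsync after each pass, and read back for verification. The sample file, its contents and the temporary directory are constructed in `demo()`; the pattern byte 0x55 and the chunk size are choices made here.

```python
import os
import tempfile

PATTERN = 0x55  # pass 1 writes this byte everywhere; pass 2 writes its complement (0xAA)

def _fill(fh, size, data_at, chunk=1 << 20):
    """Overwrite `size` bytes from offset 0 in chunks, then force them through the OS cache."""
    fh.seek(0)
    for off in range(0, size, chunk):
        fh.write(data_at(off, min(chunk, size - off)))
    fh.flush()
    os.fsync(fh.fileno())

def _matches(fh, size, data_at, chunk=1 << 20):
    """Re-read the file and compare every chunk with what the last pass should have written."""
    fh.seek(0)
    return all(fh.read(min(chunk, size - off)) == data_at(off, min(chunk, size - off))
               for off in range(0, size, chunk))

def overwrite_in_place(path, verify=True):
    """Method 1 with passes d/e: character, complement, random; returns the verification result."""
    size = os.path.getsize(path)
    random_pass = os.urandom(size)  # kept so the final pass can be verified (fine for demo-sized files)
    passes = [lambda off, n: bytes([PATTERN]) * n,
              lambda off, n: bytes([PATTERN ^ 0xFF]) * n,
              lambda off, n: random_pass[off:off + n]]
    with open(path, "r+b") as fh:  # r+b rewrites the existing allocation; "wb" would truncate first
        for data_at in passes:
            _fill(fh, size, data_at)
        return _matches(fh, size, passes[-1]) if verify else True

def demo():
    """Create a constructed sample file, sanitize it in place, and report what a checker sees."""
    original = b"constructed payroll export, 2005-06-01, not real data\n" * 200
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sample.txt")
    with open(path, "wb") as fh:
        fh.write(original)
    verified = overwrite_in_place(path)
    with open(path, "rb") as fh:
        after = fh.read()
    os.remove(path)
    os.rmdir(tmpdir)
    return {"verified": verified,
            "size_unchanged": len(after) == len(original),
            "original_gone": original[:32] not in after}
```

Even done this way, the routine inherits the weakness the slide names for Method 1: it only rewrites whatever clusters the file system chooses to hand back for this path. A $DATA attribute small enough to be resident lives inside the MFT record rather than in clusters; compressed, sparse or copy-on-write storage and SSD wear levelling can send the new bytes elsewhere; and the verify pass only proves that the last pattern is readable through the API, not that no earlier copy survives. That is the gap Method 2 closes by locating the MFT record and the physical clusters before writing.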
References
• Tu Yanhui, Dai Shijian. 《数据安全与编程技术》 (Data Security and Programming Technology). Beijing: Tsinghua University Press, 2005
• Dai Shijian, Tu Yanhui. 《数据恢复技术》 (Data Recovery Technology), 2nd edition. Beijing: Publishing House of Electronics Industry, 2005
Thank you!