
Windows System Forensics
Module 2: The Windows NTFS Filesystem

• Learning Objectives
– Understanding NTFS Internals
– Understanding the Master File Table (MFT)
– Using the Sleuth Kit to Analyze the MFT
– Using the Sleuth Kit to Recover Deleted File Data from NTFS
NTFS Internals and the Master File Table (MFT)

The “New Technologies File System” (NTFS) is the default filesystem for
Microsoft Windows, from Windows NT, through Windows 2000, XP, all
versions of Server, and up to the current day. In this module we will cover:
• NTFS Concepts
• NTFS Analysis
• NTFS Data Structures
Introduction to NTFS

• NTFS was designed to replace the “File Allocation Table” filesystems
(FAT12/16/32) with a focus on reliability, security, and scalability.
– While still in wide use on small portable devices, FAT filesystems have no support
for ownership or permissions on files, and very limited scalability.
o It remains the default for consumer devices like USB sticks, cameras, etc.
o We will discuss it in a later module.
• NTFS is a complex filesystem, and remains without published
specification from Microsoft.
• This module is heavily based on Brian Carrier’s detailed reverse-engineering
of it, as published in File System Forensic Analysis, which is a highly
recommended book.
Availability of NTFS

• Due to years of analysis, NTFS is fairly freely available on Linux and
other OSs.
• We will use Linux to create and dissect it throughout this module, for
ease of use and free access to the tools.
• It is unclear if these are “valid” NTFS filesystems from Microsoft’s
perspective, but they have proven widely compatible and provide an open
illustration of the concepts and structures.
NTFS Concepts

• Everything Is a File
– The first sectors of the volume contain the bootable code (whether using BIOS or
the “Unified Extensible Firmware Interface” (UEFI) that replaces it in Windows 10
and beyond).
– Otherwise the entire filesystem contains data units that can be allocated to any file,
including the metadata files: notably the Master File Table ($MFT) and its copies.
• The MFT is the heart of NTFS, as it contains all the information about
files and directories in one place—unlike inodes in Unix/Linux which are
not centrally grouped.
– Every file/directory has at least one entry in the table.
– Entries are 1024B (1KB), with the first 42 bytes having a well-defined structure.
MFT Concepts

• The MFT is itself a file too, and it has an entry for itself: “$MFT” (entry
“0”).
• Its starting location is described in the boot sector of the NTFS volume,
so parsing of the whole filesystem must begin there.
• The first 16 entries are reserved for filesystem metadata files.
– These all begin with “$” and are capitalized.
o 0: $MFT—the entry for itself
o 1: $MFTMirr—the entry for a backup copy
o 2: $LogFile—the transaction journal
o 3: $Volume—volume information
o etc.
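Since the boot sector is the only fixed-location structure that tells you where $MFT begins, the first parsing step in any NTFS tool is to decode it. The following Python is an added illustration of that step, written for this page and not part of the course or of the Sleuth Kit; the field offsets are the standard NTFS boot-sector layout, and the sample sector it builds (512-byte sectors, 4 KiB clusters, $MFT at cluster 4) is constructed, not taken from a real image. It also derives the MFT record size from the signed “clusters per record” byte, which is how a 1024-byte entry is expressed on a volume whose clusters are larger than that.

```python
import struct

# Byte offsets in the NTFS boot sector (standard BPB layout as described in Carrier's book)
OEM_ID, BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 0x03, 0x0B, 0x0D
TOTAL_SECTORS, MFT_CLUSTER, MFTMIRR_CLUSTER = 0x28, 0x30, 0x38
CLUSTERS_PER_RECORD, CLUSTERS_PER_INDEX, VOLUME_SERIAL, SIGNATURE = 0x40, 0x44, 0x48, 0x1FE


def _decode_size(raw, cluster_size):
    """'Clusters per record' byte: n > 0 means n clusters; n < 0 (two's complement) means 2**|n| bytes."""
    n = struct.unpack("<b", bytes([raw]))[0]
    return (1 << -n) if n < 0 else n * cluster_size


def parse_boot_sector(sector):
    """Decode the boot sector and compute where $MFT and $MFTMirr start, with sanity checks."""
    if len(sector) < 512 or sector[SIGNATURE:SIGNATURE + 2] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector with a 0x55AA signature")
    if sector[OEM_ID:OEM_ID + 8] != b"NTFS    ":
        raise ValueError(f"OEM ID {sector[OEM_ID:OEM_ID + 8]!r} is not 'NTFS    '")
    bps = struct.unpack_from("<H", sector, BYTES_PER_SECTOR)[0]
    if bps < 256 or bps & (bps - 1):
        raise ValueError(f"implausible bytes per sector {bps}")
    spc = sector[SECTORS_PER_CLUSTER]
    if spc >= 0x80:                            # large-cluster encoding: 2**(256 - value) sectors
        spc = 1 << (256 - spc)
    cluster = bps * spc
    total, mft_cl, mirr_cl = struct.unpack_from("<QQQ", sector, TOTAL_SECTORS)
    if mft_cl * spc >= total or mirr_cl * spc >= total:
        raise ValueError("$MFT or $MFTMirr cluster lies outside the volume")
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster,
        "volume_size": total * bps,
        "mft_offset": mft_cl * cluster,        # byte offset of entry 0 ($MFT) from the volume start
        "mftmirr_offset": mirr_cl * cluster,   # byte offset of the $MFTMirr backup copy
        "mft_record_size": _decode_size(sector[CLUSTERS_PER_RECORD], cluster),
        "index_record_size": _decode_size(sector[CLUSTERS_PER_INDEX], cluster),
        "volume_serial": struct.unpack_from("<Q", sector, VOLUME_SERIAL)[0],
    }


def locate_mft_entry(info, entry_number):
    """Byte offset of an MFT entry. Valid while the entry lies in $MFT's first cluster run;
    entries in later runs must be found through $MFT's own non-resident $DATA runlist."""
    return info["mft_offset"] + entry_number * info["mft_record_size"]


def build_sample_boot_sector():
    """Constructed 100 MiB volume (not a real image): 512-byte sectors, 8 sectors per cluster,
    $MFT at cluster 4, $MFTMirr at cluster 12800, 1024-byte MFT entries, 4 KiB index records."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                  # jump instruction, as on a real volume
    bs[OEM_ID:OEM_ID + 8] = b"NTFS    "
    struct.pack_into("<HB", bs, BYTES_PER_SECTOR, 512, 8)
    bs[0x15] = 0xF8                            # media descriptor: fixed disk
    struct.pack_into("<QQQ", bs, TOTAL_SECTORS, 204800, 4, 12800)
    bs[CLUSTERS_PER_RECORD] = 0xF6             # signed -10: 2**10 = 1024-byte MFT entries
    bs[CLUSTERS_PER_INDEX] = 0x01              # one cluster per index record
    struct.pack_into("<Q", bs, VOLUME_SERIAL, 0x1234567890ABCDEF)
    bs[SIGNATURE:SIGNATURE + 2] = b"\x55\xAA"
    return bytes(bs)


if __name__ == "__main__":
    info = parse_boot_sector(build_sample_boot_sector())
    print(info)
    print("entry 7 ($Boot) at byte offset", locate_mft_entry(info, 7))
```

The same bytes are also the content of the $Boot metadata file (entry 7), so on a real image this decoded view is what `fsstat` summarizes, and the `$MFTMirr` offset is where a copy of the first entries can be compared against $MFT when the primary table is damaged.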
MFT Attributes

• The first 46 bytes of an MFT entry are very structured.
• Attributes can be any size up to the maximum size of the MFT record,
which is usually 1024B but can be defined differently at filesystem
creation (much like the Unix/Linux block size and number of inodes).
• Attributes also have headers prior to their content:
Resident vs. Non-Resident Attributes

• A “resident” attribute stores actual file content (up to the usual 1024B
limit)!
• Beyond that limitation, the “non-resident” attribute stores the address of
the first “cluster” in a chain of “cluster runs” of consecutive data units,
and the run length.
• The MFT entry for that file can have multiple “cluster runs” for
non-contiguous runs.
• These would have different starts and lengths.
Standard Attribute Types

• All attribute types start with a “$” and are in all capital letters.
• Not every file has all of them, but there are some common standard
types, including:
– 16: $STANDARD_INFORMATION—flags, CAM times, ownership, etc.
– 48: $FILE_NAME—in Unicode and also CAM times
– 64: $OBJECT_ID— a 16-bit unique identifier for the file or directory
– 128: $DATA—file contents
Encrypted Attributes

• Windows allows $DATA attributes to be encrypted.
• Only the content is encrypted, never the attribute header.
• A $LOGGED_UTILITY_STREAM attribute is created which contains the keys.
• Further details are beyond the scope of this course but can be found in
Carrier’s book.
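To tie the last four slides together (the fixed entry header, resident versus non-resident attributes and their cluster runs, the standard attribute type codes, and the encrypted flag that lives in the unencrypted attribute header), here is an added Python parser written for this page; it is not course code and not the Sleuth Kit’s implementation. It applies the per-sector fixup values before decoding (rejecting a torn or tampered entry), walks the attribute headers, decodes a resident attribute’s content and a non-resident attribute’s runlist, and names the types listed on the slides. The two sample entries it builds (a small file with resident $DATA, and a larger file whose $DATA spans two non-contiguous cluster runs) are constructed in code, not taken from a real volume.

```python
import struct

# Attribute type codes from the slides, plus $LOGGED_UTILITY_STREAM (type 256)
ATTR_NAMES = {16: "$STANDARD_INFORMATION", 48: "$FILE_NAME", 64: "$OBJECT_ID",
              128: "$DATA", 256: "$LOGGED_UTILITY_STREAM"}
ATTR_END = 0xFFFFFFFF       # terminates the attribute list inside an entry
FLAG_ENCRYPTED = 0x4000     # attribute-header flag; the header itself is never encrypted

def apply_fixups(record, sector_size=512):
    """Undo the fixups NTFS stamps into the last two bytes of each sector; a mismatch
    means a torn write or tampering, so the entry is rejected rather than decoded."""
    buf = bytearray(record)
    fix_off, fix_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[fix_off:fix_off + 2])
    for i in range(1, fix_count):
        end = i * sector_size
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt entry")
        buf[end - 2:end] = buf[fix_off + 2 * i:fix_off + 2 * i + 2]
    return buf

def decode_runlist(data, pos):
    """Cluster runs: header byte low nibble = size of the length field, high nibble = size of
    the signed offset field (relative to the previous run's LCN); a 0x00 byte ends the list."""
    runs, lcn = [], 0
    while data[pos] != 0:
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:                                  # off_sz == 0 is a sparse run (no clusters)
            lcn += int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append({"lcn": lcn if off_sz else None, "length": length})
    return runs

def parse_mft_record(raw):
    """Parse the fixed entry header, then walk every attribute header and its content."""
    if raw[:4] != b"FILE":                          # "BAAD" marks an entry NTFS itself flagged as damaged
        raise ValueError(f"bad entry signature {raw[:4]!r}")
    rec = apply_fixups(raw)
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 16)
    entry = {"sequence": seq, "link_count": links, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
             "used_size": used, "allocated_size": alloc, "attributes": []}
    pos = attr_off
    while pos + 4 <= used and struct.unpack_from("<I", rec, pos)[0] != ATTR_END:
        atype, alen, nonres, _nlen, _noff, aflags, aid = struct.unpack_from("<IIBBHHH", rec, pos)
        if alen == 0 or pos + alen > used:
            raise ValueError(f"attribute at offset {pos} has invalid length {alen}")
        attr = {"type": atype, "name": ATTR_NAMES.get(atype, f"unknown(0x{atype:X})"), "id": aid,
                "non_resident": bool(nonres), "encrypted": bool(aflags & FLAG_ENCRYPTED)}
        if nonres:                                  # start/end VCN at +16/+24, runlist offset at +32
            _svcn, _evcn, run_off = struct.unpack_from("<QQH", rec, pos + 16)
            alloc_sz, real_sz = struct.unpack_from("<QQ", rec, pos + 40)
            attr.update(size=real_sz, allocated=alloc_sz, runs=decode_runlist(rec, pos + run_off))
        else:                                       # content size at +16, content offset at +20
            csize, coff = struct.unpack_from("<IH", rec, pos + 16)
            content = bytes(rec[pos + coff:pos + coff + csize])
            attr.update(size=csize, content=content)
            if atype == 48:                         # $FILE_NAME: name length at 64, UTF-16LE name at 66
                attr["file_name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        entry["attributes"].append(attr)
        pos += alen
    return entry

def _pad8(b):
    return b + b"\0" * (-len(b) % 8)

def _resident_attr(atype, content, aid):            # 24-byte resident header, content at offset 24
    body = _pad8(content)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, aid,
                       len(content), 24, 0, 0) + body

def _nonresident_attr(atype, runlist, end_vcn, real, alloc, aid):   # 64-byte header, runlist at 64
    body = _pad8(runlist)
    return struct.pack("<IIBBHHHQQHHIQQQ", atype, 64 + len(body), 1, 0, 64, 0, aid,
                       0, end_vcn, 64, 0, 0, alloc, real, real) + body

def _file_name_attr(name):   # parent ref, CAM times and sizes (zeroed here), then name length, namespace, name
    return b"\0" * 64 + bytes([len(name), 1]) + name.encode("utf-16-le")

def _build_record(attrs, flags=1):
    rec = bytearray(1024)
    body = attrs + struct.pack("<II", ATTR_END, 0)
    # "FILE", fixup array at 48 (3 entries), LSN 0, sequence 1, 1 link, attrs at 56, flags, used, allocated
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, flags, 56 + len(body), 1024)
    rec[56:56 + len(body)] = body
    rec[48:50] = b"\x01\x00"                        # update sequence number
    for i in (1, 2):                                # save each sector's last word, stamp the USN over it
        rec[48 + 2 * i:50 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = b"\x01\x00"
    return bytes(rec)

def build_sample_records():
    """Constructed entries (synthetic, not from a real volume): a small file whose $DATA is
    resident, and a larger file with a two-run non-resident $DATA."""
    std_info = b"\0" * 48                           # $STANDARD_INFORMATION: CAM times and flags, zeroed
    small = _build_record(_resident_attr(16, std_info, 0) + _resident_attr(48, _file_name_attr("notes.txt"), 1)
                          + _resident_attr(128, b"Resident data lives inside the MFT entry.\n", 2))
    runs = bytes([0x11, 0x04, 0x64, 0x11, 0x02, 0xCE, 0x00])   # 4 clusters at LCN 100, then 2 at LCN 50 (-50)
    large = _build_record(_resident_attr(16, std_info, 0) + _resident_attr(48, _file_name_attr("big.bin"), 1)
                          + _nonresident_attr(128, runs, end_vcn=5, real=6 * 4096 - 100, alloc=6 * 4096, aid=2))
    return {"small": small, "large": large}
```

Run on a real image, `parse_mft_record` would be fed 1024-byte slices starting at the $MFT offset taken from the boot sector; the `in_use` flag going false while the $FILE_NAME and $DATA attributes (and their runlist) remain intact is exactly the state that lets `istat` and `icat` recover a deleted file’s content until the entry or its clusters are reused.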
NTFS Analysis with TSK

Using Tsurugi, let’s create an NTFS filesystem to look at, then:
• Have a look with fsstat.
• Look at the $MFT with istat.
• Next the $MFTMirr (entry 1).
• Next the $Boot (entry 7).
Demo: Carving and Analyzing an NTFS Partition
Happy Fun Time! Carving and Recovering Deleted Data from NTFS!
Module Quiz
