SlideShare une entreprise Scribd logo

Ntfs forensics

n|u - The Open Security Community
n|u - The Open Security Community

The document discusses NTFS forensics and the structure of the NTFS file system. Some key points: 1) NTFS stores metadata about files and folders in the Master File Table ($MFT) using file records and attributes like $FILE_NAME and $DATA. 2) Files can be recovered by finding their data runs stored in the $MFT entry and reading the data from disk. 3) Additional forensic artifacts can be found in hidden internal files like $USNJRNL, $LogFile, and $Bitmap that contain metadata about file operations and deletions.

FormationTechnologie
1  sur  22
Télécharger pour lire hors ligne
NTFS FORENSICS Yogesh Khatri yogesh@swiftforensics.com
NTFS Trivia • Introduced in 1993 for Win NT 3.1 • Default file system for NT based OS (Win NT, 2K, 2K3, XP, ) • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points,
Why NTFS forensics? • To understand its format and inner-working • To device effective file recovery strategies for deleted / lost data • To find forensically useful artifacts like • Existence of hidden timestamps • Logs • Deleted / Leftover Metadata
NTFS Basics • Everything is a file, even the core file system internals • The internal files are always hidden from user view Hidden files and folders in NTFS
Hidden Internal Files Filename Description $MFT Master File Table $MFTMirr Backup of first 4 records of MFT $LogFile Transaction log file $Volume Volume related information, usually empty $AttrDef Table listing MFT attribute names and numbers . Root folder on NTFS $Bitmap Map showing which clusters on volume are in use $Boot Boot code used during bootstrap $BadClus Map of bad clusters $Secure Security descriptors and ACLs are listed here $Upcase Keeps all lowercase to uppercase character mappings $Extend Optional extensions listed here (This is a folder)
Physical Layout of NTFS Volume $Boot Logical Sector 0 (Cluster 0) - Boot Manager Internal Files $MFT $Bitmap Internal Files usually start at Cluster 2 Allocated Cluster Free Cluster
Master File Table - $MFT • Consists of 1024 byte records • Has an entry for every file and folder including itself • Records can be identified by header “FILE” • A record consists of header and attributes • All metadata is stored in attributes • Common attributes: • $Standard_Information • $File_Name • $Data
Reading an MFT Entry
Understanding File Storage MFT Entry for “Hello.txt” $MFT $DATA Attribute Start Length Cluster 52 3 72 2 Illustration: NTFS concept of Data Runs Allocated Cluster Free Cluster Cluster view of NTFS Volume
Timestamps on NTFS • 64 bit Timestamp • Number of 100 Nanosecond intervals since 1st January 1601 • 1 second = 0x989680 • 4 Timestamps • Created • Modified • Accessed • MFT Entry Modified - ?
Concept of Initialized Data • NTFS has 3 size fields for each file • Logical • Initialized • Physical File ‘Properties’ snippet Logical Size Initialized Size Physical Size File ‘on disk’ view
Alternate Data Stream • Every file has single $Data stream, but NTFS allows multiple data streams • A place to store (hide) data, which is not displayed by Windows Explorer or command line ‘dir’ view. • Intended to store extra file metadata • Used by IE, Outlook Express, AV programs • Exploited by malware to hide malicious tools
Alternate Data Streams Demonstration
USN Journal - USNJRNL • USN = Update Sequence Number • As files, directories, and other NTFS file system objects are added, deleted, modified, the NTFS file system makes entries here. • $UsnJrnl:$J • This is a system management feature used for recovering quickly from a computer or volume failure
$UsnJrnl:$J record Record Length TimeStamp Reason File Attributes File name
USNJRNL Record Format
INDX Records • NTFS indexes directory metadata and stores it in a B+ tree Explorer view Hex view of INDX directory structure
INDX Records • This indexed data is stored in $I30 attributes in MFT Attribute ID Description Name 0x90 $INDEX_ROOT $I30 0xA0 $INDEX_ALLOCATION $I30 0xB0 $BITMAP $I30 • Non-Resident vs. Resident • “INDX” header if non-resident • Forensic Value? • Find Deleted file metadata (MACE times, file name, logical & physical size, etc..)
$LogFile • Contains information used by NTFS for faster recoverability • Used to restore metadata consistency to NTFS after a system failure • Format not reverse engineered completely • It is common to find INDX records, MFT records and LNK records here
File Recovery on NTFS Get Data Runs from $MFT entry • • • “FILE” • Start Cluster=54 • Number of Search Clusters = 10 Read Data Unallocated for from Disk $MFT entries
Questions • More forensic stuff on my Blog – www.swiftforensics.com • Email me at yogesh@swiftforensics.com • Thanks
References • Books • File System Forensic Analysis – Brian Carrier • Online Resources • MSDN

Recommandé

Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
File system
File systemFile system
File systemHarleen Johal
 
Linux file system
Linux file systemLinux file system
Linux file systemBurhan Abbasi
 
Eventlog
EventlogEventlog
EventlogShashi Kanth
 
NTFS.ppt
NTFS.pptNTFS.ppt
NTFS.pptjlmansilla
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics nullowaspmumbai
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensicsGaurav Ragtah
 

Recommandé

Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
File system
File systemFile system
File systemHarleen Johal
 
Linux file system
Linux file systemLinux file system
Linux file systemBurhan Abbasi
 
Eventlog
EventlogEventlog
EventlogShashi Kanth
 
NTFS.ppt
NTFS.pptNTFS.ppt
NTFS.pptjlmansilla
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics nullowaspmumbai
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensicsGaurav Ragtah
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systemsprimeteacher32
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Iceberg: A modern table format for big data (Strata NY 2018)
Iceberg: A modern table format for big data (Strata NY 2018)Iceberg: A modern table format for big data (Strata NY 2018)
Iceberg: A modern table format for big data (Strata NY 2018)Ryan Blue
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
Windows 2019
Windows 2019Windows 2019
Windows 2019Gary Williams
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
Oracle Architecture
Oracle ArchitectureOracle Architecture
Oracle ArchitectureNeeraj Singh
 
Chapter06 Managing Disks And Data Storage
Chapter06 Managing Disks And Data StorageChapter06 Managing Disks And Data Storage
Chapter06 Managing Disks And Data StorageRaja Waseem Akhtar
 
MS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTUREMS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTUREDouglas Bernardini
 
Elk
Elk Elk
Elk Caleb Wang
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file systemTaaanu01
 
Mahout資料分析基礎入門
Mahout資料分析基礎入門Mahout資料分析基礎入門
Mahout資料分析基礎入門Jhang Raymond
 
File system.
File system.File system.
File system.elyza12
 
Microsoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMicrosoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMeghaj Mallick
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesLumension
 
Backups And Recovery
Backups And RecoveryBackups And Recovery
Backups And Recoveryasifmalik110
 
Nfs
NfsNfs
NfsShingalaKrupa
 
Json in Postgres - the Roadmap
Json in Postgres - the Roadmap Json in Postgres - the Roadmap
Json in Postgres - the RoadmapEDB
 
Data center disaster recovery.ppt
Data center disaster recovery.ppt Data center disaster recovery.ppt
Data center disaster recovery.ppt omalreda
 
Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations ToolsMandy Jenkins
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 

Contenu connexe

Tendances

Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Iceberg: A modern table format for big data (Strata NY 2018)
Iceberg: A modern table format for big data (Strata NY 2018)Iceberg: A modern table format for big data (Strata NY 2018)
Iceberg: A modern table format for big data (Strata NY 2018)Ryan Blue
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
Oracle Architecture
Oracle ArchitectureOracle Architecture
Oracle ArchitectureNeeraj Singh
 
Chapter06 Managing Disks And Data Storage
Chapter06 Managing Disks And Data StorageChapter06 Managing Disks And Data Storage
Chapter06 Managing Disks And Data StorageRaja Waseem Akhtar
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file systemTaaanu01
 
Mahout資料分析基礎入門
Mahout資料分析基礎入門Mahout資料分析基礎入門
Mahout資料分析基礎入門Jhang Raymond
 
File system.
File system.File system.
File system.elyza12
 
Microsoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMicrosoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMeghaj Mallick
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesLumension
 
Backups And Recovery
Backups And RecoveryBackups And Recovery
Backups And Recoveryasifmalik110
 
Json in Postgres - the Roadmap
Json in Postgres - the Roadmap Json in Postgres - the Roadmap
Json in Postgres - the RoadmapEDB
 
Data center disaster recovery.ppt
Data center disaster recovery.ppt Data center disaster recovery.ppt
Data center disaster recovery.ppt omalreda
 

Tendances (20)

Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Iceberg: A modern table format for big data (Strata NY 2018)
Iceberg: A modern table format for big data (Strata NY 2018)Iceberg: A modern table format for big data (Strata NY 2018)
Iceberg: A modern table format for big data (Strata NY 2018)
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
Windows 2019
Windows 2019Windows 2019
Windows 2019
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
 
Oracle Architecture
Oracle ArchitectureOracle Architecture
Oracle Architecture
 
Chapter06 Managing Disks And Data Storage
Chapter06 Managing Disks And Data StorageChapter06 Managing Disks And Data Storage
Chapter06 Managing Disks And Data Storage
 
MS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTUREMS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTURE
 
Elk
Elk Elk
Elk
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file system
 
Mahout資料分析基礎入門
Mahout資料分析基礎入門Mahout資料分析基礎入門
Mahout資料分析基礎入門
 
File system.
File system.File system.
File system.
 
Microsoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMicrosoft Windows File System in Operating System
Microsoft Windows File System in Operating System
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it Compares
 
Backups And Recovery
Backups And RecoveryBackups And Recovery
Backups And Recovery
 
Nfs
NfsNfs
Nfs
 
Json in Postgres - the Roadmap
Json in Postgres - the Roadmap Json in Postgres - the Roadmap
Json in Postgres - the Roadmap
 
Data center disaster recovery.ppt
Data center disaster recovery.ppt Data center disaster recovery.ppt
Data center disaster recovery.ppt
 

En vedette

Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations ToolsMandy Jenkins
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Web and Social Media Image Forensics for News Professionals
Web and Social Media Image Forensics for News ProfessionalsWeb and Social Media Image Forensics for News Professionals
Web and Social Media Image Forensics for News ProfessionalsSymeon Papadopoulos
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The DayCTIN
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007CTIN
 
Edrm
EdrmEdrm
EdrmCTIN
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics00heights
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7RIAH ENCARNACION
 
G Infomgnt
G InfomgntG Infomgnt
G InfomgntCTIN
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...OWASP Turkiye
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Nra
NraNra
NraCTIN
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformBasis Technology
 

En vedette (20)

Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations Tools
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source Forensics
 
Web and Social Media Image Forensics for News Professionals
Web and Social Media Image Forensics for News ProfessionalsWeb and Social Media Image Forensics for News Professionals
Web and Social Media Image Forensics for News Professionals
 
Citrix
CitrixCitrix
Citrix
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The Day
 
Windows 7-cheat-sheet
Windows 7-cheat-sheetWindows 7-cheat-sheet
Windows 7-cheat-sheet
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007
 
Edrm
EdrmEdrm
Edrm
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
G Infomgnt
G InfomgntG Infomgnt
G Infomgnt
 
NTFS vs FAT
NTFS vs FATNTFS vs FAT
NTFS vs FAT
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
 
Digital forensic upload
Digital forensic uploadDigital forensic upload
Digital forensic upload
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Nra
NraNra
Nra
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public Investigations
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 

Similaire à Ntfs forensics

Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisDon Caeiro
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profitssusera432ea1
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1Pavan Illa
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
Linux Basics
Linux BasicsLinux Basics
Linux BasicsLokesh C
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsShu-Yu Fu
 

Similaire à Ntfs forensics (20)

Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Windows file system
Windows file systemWindows file system
Windows file system
 
Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and Analysis
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
 
Ext filesystem4
Ext filesystem4Ext filesystem4
Ext filesystem4
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Os
OsOs
Os
 
NTFS Forensics.pptx
NTFS Forensics.pptxNTFS Forensics.pptx
NTFS Forensics.pptx
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
 
NTFS and Inode
NTFS and InodeNTFS and Inode
NTFS and Inode
 
Linux Basics
Linux BasicsLinux Basics
Linux Basics
 
Unix File System
Unix File SystemUnix File System
Unix File System
 
Os
OsOs
Os
 
Lecture 6
Lecture 6Lecture 6
Lecture 6
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 

Plus de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxAmita Gupta
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 

Dernier (20)

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 

Ntfs forensics

  • 2. NTFS Trivia • Introduced in 1993 for Win NT 3.1 • Default file system for NT based OS (Win NT, 2K, 2K3, XP, ) • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points,
  • 3. Why NTFS forensics? • To understand its format and inner-working • To device effective file recovery strategies for deleted / lost data • To find forensically useful artifacts like • Existence of hidden timestamps • Logs • Deleted / Leftover Metadata
  • 4. NTFS Basics • Everything is a file, even the core file system internals • The internal files are always hidden from user view Hidden files and folders in NTFS
  • 5. Hidden Internal Files Filename Description $MFT Master File Table $MFTMirr Backup of first 4 records of MFT $LogFile Transaction log file $Volume Volume related information, usually empty $AttrDef Table listing MFT attribute names and numbers . Root folder on NTFS $Bitmap Map showing which clusters on volume are in use $Boot Boot code used during bootstrap $BadClus Map of bad clusters $Secure Security descriptors and ACLs are listed here $Upcase Keeps all lowercase to uppercase character mappings $Extend Optional extensions listed here (This is a folder)
  • 6. Physical Layout of NTFS Volume $Boot Logical Sector 0 (Cluster 0) - Boot Manager Internal Files $MFT $Bitmap Internal Files usually start at Cluster 2 Allocated Cluster Free Cluster
  • 7. Master File Table - $MFT • Consists of 1024 byte records • Has an entry for every file and folder including itself • Records can be identified by header “FILE” • A record consists of header and attributes • All metadata is stored in attributes • Common attributes: • $Standard_Information • $File_Name • $Data
  • 9. Understanding File Storage MFT Entry for “Hello.txt” $MFT $DATA Attribute Start Length Cluster 52 3 72 2 Illustration: NTFS concept of Data Runs Allocated Cluster Free Cluster Cluster view of NTFS Volume
  • 10. Timestamps on NTFS • 64 bit Timestamp • Number of 100 Nanosecond intervals since 1st January 1601 • 1 second = 0x989680 • 4 Timestamps • Created • Modified • Accessed • MFT Entry Modified - ?
  • 11. Concept of Initialized Data • NTFS has 3 size fields for each file • Logical • Initialized • Physical File ‘Properties’ snippet Logical Size Initialized Size Physical Size File ‘on disk’ view
  • 12. Alternate Data Stream • Every file has single $Data stream, but NTFS allows multiple data streams • A place to store (hide) data, which is not displayed by Windows Explorer or command line ‘dir’ view. • Intended to store extra file metadata • Used by IE, Outlook Express, AV programs • Exploited by malware to hide malicious tools
  • 13. Alternate Data Streams Demonstration
  • 14. USN Journal - USNJRNL • USN = Update Sequence Number • As files, directories, and other NTFS file system objects are added, deleted, modified, the NTFS file system makes entries here. • $UsnJrnl:$J • This is a system management feature used for recovering quickly from a computer or volume failure
  • 15. $UsnJrnl:$J record Record Length TimeStamp Reason File Attributes File name
  • 17. INDX Records • NTFS indexes directory metadata and stores it in a B+ tree Explorer view Hex view of INDX directory structure
  • 18. INDX Records • This indexed data is stored in $I30 attributes in MFT Attribute ID Description Name 0x90 $INDEX_ROOT $I30 0xA0 $INDEX_ALLOCATION $I30 0xB0 $BITMAP $I30 • Non-Resident vs. Resident • “INDX” header if non-resident • Forensic Value? • Find Deleted file metadata (MACE times, file name, logical & physical size, etc..)
  • 19. $LogFile • Contains information used by NTFS for faster recoverability • Used to restore metadata consistency to NTFS after a system failure • Format not reverse engineered completely • It is common to find INDX records, MFT records and LNK records here
  • 20. File Recovery on NTFS Get Data Runs from $MFT entry • • • “FILE” • Start Cluster=54 • Number of Search Clusters = 10 Read Data Unallocated for from Disk $MFT entries
  • 21. Questions • More forensic stuff on my Blog – www.swiftforensics.com • Email me at yogesh@swiftforensics.com • Thanks
  • 22. References • Books • File System Forensic Analysis – Brian Carrier • Online Resources • MSDN