The document discusses NTFS forensics and the structure of the NTFS file system. Some key points:
1) NTFS stores metadata about files and folders in the Master File Table ($MFT) using file records and attributes like $FILE_NAME and $DATA.
2) Files can be recovered by finding their data runs stored in the $MFT entry and reading the data from disk.
3) Additional forensic artifacts can be found in hidden internal files like $USNJRNL, $LogFile, and $Bitmap that contain metadata about file operations and deletions.
2. NTFS Trivia
• Introduced in 1993 for Win NT 3.1
• Default file system for NT-based OS (Win NT, 2K, 2K3, XP, ...)
• Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points, ...
3. Why NTFS forensics?
• To understand its format and inner workings
• To devise effective file recovery strategies for deleted / lost data
• To find forensically useful artifacts like
  • Existence of hidden timestamps
  • Logs
  • Deleted / leftover metadata
4. NTFS Basics
• Everything is a file, even the core file system internals
• The internal files are always hidden from user view
Figure: hidden files and folders in NTFS
5. Hidden Internal Files
Filename   Description
$MFT       Master File Table
$MFTMirr   Backup of first 4 records of MFT
$LogFile   Transaction log file
$Volume    Volume related information, usually empty
$AttrDef   Table listing MFT attribute names and numbers
.          Root folder on NTFS
$Bitmap    Map showing which clusters on volume are in use
$Boot      Boot code used during bootstrap
$BadClus   Map of bad clusters
$Secure    Security descriptors and ACLs are listed here
$Upcase    Keeps all lowercase to uppercase character mappings
$Extend    Optional extensions listed here (this is a folder)
6. Physical Layout of NTFS Volume
Figure: cluster view of an NTFS volume. $Boot sits at logical sector 0 (cluster 0), followed by the Boot Manager and then the internal files ($MFT, $Bitmap, ...); the internal files usually start at cluster 2. Legend: allocated cluster, free cluster.
7. Master File Table - $MFT
• Consists of 1024 byte records
• Has an entry for every file and folder including itself
• Records can be identified by header “FILE”
• A record consists of header and attributes
• All metadata is stored in attributes
• Common attributes:
• $Standard_Information
• $File_Name
• $Data
9. Understanding File Storage
Illustration: NTFS concept of Data Runs
MFT entry for "Hello.txt" in $MFT, $DATA attribute data runs:
Start Cluster   Length
52              3
72              2
Figure: cluster view of the NTFS volume showing the two runs. Legend: allocated cluster, free cluster.
10. Timestamps on NTFS
• 64 bit timestamp
  • Number of 100 nanosecond intervals since 1st January 1601
  • 1 second = 0x989680
• 4 timestamps
  • Created
  • Modified
  • Accessed
  • MFT Entry Modified - ?
11. Concept of Initialized Data
• NTFS has 3 size fields for each file
  • Logical
  • Initialized
  • Physical
Figure: file 'Properties' snippet next to the file 'on disk' view, showing logical size, initialized size and physical size.
12. Alternate Data Stream
• Every file has a single $Data stream, but NTFS allows multiple data streams
• A place to store (hide) data, which is not displayed by Windows Explorer or the command line 'dir' view
• Intended to store extra file metadata
• Used by IE, Outlook Express, AV programs
• Exploited by malware to hide malicious tools
14. USN Journal - USNJRNL
• USN = Update Sequence Number
• As files, directories and other NTFS file system objects are added, deleted or modified, the NTFS file system makes entries here
• $UsnJrnl:$J
• This is a system management feature used for recovering quickly from a computer or volume failure
15. $UsnJrnl:$J record
Fields of a record:
• Record Length
• TimeStamp
• Reason
• File Attributes
• File name
17. INDX Records
• NTFS indexes directory metadata and stores it in a B+ tree
Figure: Explorer view and hex view of an INDX directory structure.
18. INDX Records
• This indexed data is stored in $I30 attributes in the MFT
Attribute ID   Description         Name
0x90           $INDEX_ROOT         $I30
0xA0           $INDEX_ALLOCATION   $I30
0xB0           $BITMAP             $I30
• Non-Resident vs. Resident
  • "INDX" header if non-resident
• Forensic Value?
  • Find deleted file metadata (MACE times, file name, logical & physical size, etc.)
19. $LogFile
• Contains information used by NTFS for faster recoverability
• Used to restore metadata consistency to NTFS after a system failure
• Format not reverse engineered completely
• It is common to find INDX records, MFT records and LNK records here
20. File Recovery on NTFS
Illustration: file recovery flow
• Search unallocated space for $MFT entries (records start with the "FILE" header)
• Get the data runs from the $MFT entry (e.g. Start Cluster = 54, Number of Clusters = 10)
• Read the data from disk
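The recovery flow on this slide (take the data runs from the $MFT entry, read the clusters from disk) carried through on the "Hello.txt" runs from slide 9, as an added Python example that is not code from the original slides. It assumes the standard NTFS run-list byte encoding, which the slides do not spell out, and a constructed disk image and cluster size.

```python
"""Decode an NTFS $DATA run list and reassemble a file from its clusters.

Added example, not code from the slides. Run-list encoding is the standard
NTFS one (not described on the slides): header byte low nibble = size of the
length field, high nibble = size of the signed, relative start-cluster field;
0x00 ends the list. Image, cluster size and file content are constructed.
"""

CLUSTER_SIZE = 512  # constructed value; a real NTFS volume usually uses 4096

# Run list for the slide's "Hello.txt": (start 52, length 3), (start 72, length 2)
# 0x11 -> 1-byte length, 1-byte offset; second offset is 72 - 52 = 20 (0x14)
RUN_LIST = bytes([0x11, 0x03, 0x34, 0x11, 0x02, 0x14, 0x00])
CONTENT = b"Hello.txt data run demo. " * 100  # 2500 bytes -> needs 5 clusters


def decode_data_runs(runs: bytes) -> list:
    """Return [(start_cluster, cluster_count), ...]; sparse runs get start None."""
    result, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0x00:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:  # sparse run: occupies no clusters on disk
            result.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        result.append((lcn, length))
    return result


def read_file_data(image: bytes, runs: list, logical_size: int) -> bytes:
    """Read each run's clusters from the image and cut at the logical size."""
    data = bytearray()
    for start, count in runs:
        if start is None:
            data += bytes(count * CLUSTER_SIZE)  # sparse run reads as zeros
        else:
            data += image[start * CLUSTER_SIZE:(start + count) * CLUSTER_SIZE]
    return bytes(data[:logical_size])  # bytes past logical size are slack


def build_image() -> bytes:
    """Constructed 80-cluster image with the content at clusters 52-54 and 72-73."""
    image = bytearray(80 * CLUSTER_SIZE)
    first = 3 * CLUSTER_SIZE
    image[52 * CLUSTER_SIZE:52 * CLUSTER_SIZE + first] = CONTENT[:first]
    image[72 * CLUSTER_SIZE:72 * CLUSTER_SIZE + len(CONTENT) - first] = CONTENT[first:]
    return bytes(image)
```

The logical size comes from the $DATA attribute header on a real record; here it is simply len(CONTENT).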
21. Questions
• More forensic stuff on my Blog – www.swiftforensics.com
• Email me at yogesh@swiftforensics.com
• Thanks
22. References
• Books
  • File System Forensic Analysis – Brian Carrier
• Online Resources
  • MSDN