SYSDA - Lec 5
Windows file systems
FAT file systems - FAT = File Allocation Table
File system of MS-DOS
Now replaced with NTFS
Still widely used on small devices such as USB sticks
FAT versions:
12
16
32
The number is the width in bits of each FAT entry
Clusters
These are very close to the blocks we see in UNIX-family file systems
Stores content of files and directories
Size will be a small power-of-two multiple of the sector size
Typically 512 bytes to 16 KB
Each file/directory allocated clusters to hold its content
Clusters for a single file may be consecutive or randomly scattered (fragmented)
Can appear as such
Metadata - directory entries
Directories
Just files containing directory entries
First cluster address for the root directory is stored in the boot sector of the partition
Entries - short, fixed size of 32 bytes
Includes
File name/directory name
Attributes and creation/modification/access dates
Address of first cluster for content
The file allocation table
Directory entry contains id of the first cluster only
Remaining clusters located through a separate data structure
One FAT entry for each cluster
Each entry is small
FAT entries implement cluster chains - these represent file content
Can see here that the directory entry starts at 41 - takes you to 41 - takes you to 45, which is end of file
Marked as such
Recovering deleted files in FAT
0x00 or 0xE5 as the first character of the name in the directory entry marks it as deleted/unused
Will contain address of first cluster of data, which may still hold information
If unfragmented - successive clusters may contain the remaining content
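As an added example (not from the lecture), the following Python walks a constructed FAT16 table the way the cluster-chain and deleted-file notes above describe: it decodes a 32-byte directory entry, follows the chain from the first cluster to the end-of-chain marker, and, for an entry whose first byte is 0xE5, lists the successive clusters an unfragmented file would have occupied and which of them are still unallocated. The FAT table, directory entries and 512-byte cluster size are constructed for the demo.

```python
import struct

CLUSTER_SIZE = 512   # bytes per cluster; constructed value (one sector per cluster)
FAT16_EOC = 0xFFF8   # FAT16 entries >= this value mark the end of a cluster chain

def parse_dir_entry(raw: bytes) -> dict:
    """Decode one 32-byte FAT directory entry (FAT12/16 field offsets)."""
    first = raw[0]
    name = raw[0:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    if first == 0xE5:                 # 0xE5: entry freed, first name char is lost
        name = "?" + name[1:]
    return {
        "name": name + ("." + ext if ext else ""),
        "deleted": first == 0xE5,
        "unused": first == 0x00,      # 0x00: never used / end of directory
        "is_dir": bool(raw[11] & 0x10),
        "first_cluster": struct.unpack_from("<H", raw, 26)[0],
        "size": struct.unpack_from("<I", raw, 28)[0],
    }

def follow_chain(fat: list, first_cluster: int) -> list:
    """Walk FAT entries from the first cluster until an end-of-chain marker."""
    chain, cur = [], first_cluster
    while 2 <= cur < FAT16_EOC:       # 0 = free, 1 = reserved, >= EOC = end
        if cur in chain or cur >= len(fat):
            raise ValueError(f"corrupt chain at cluster {cur}")
        chain.append(cur)
        cur = fat[cur]
    return chain

def recover_candidates(entry: dict, fat: list) -> tuple:
    """Deleted file: assume it was unfragmented and take successive clusters.
    A cluster whose FAT entry is still 0 has not been reallocated since."""
    n = -(-entry["size"] // CLUSTER_SIZE)        # ceil(size / CLUSTER_SIZE)
    clusters = list(range(entry["first_cluster"], entry["first_cluster"] + n))
    return clusters, [c for c in clusters if fat[c] == 0x0000]

def make_entry(name: str, ext: str, first_cluster: int, size: int, deleted=False) -> bytes:
    """Build a constructed 32-byte directory entry (archive attribute set)."""
    raw = bytearray(32)
    raw[0:8], raw[8:11], raw[11] = name.ljust(8).encode(), ext.ljust(3).encode(), 0x20
    struct.pack_into("<HI", raw, 26, first_cluster, size)
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)

# Constructed FAT16 table: 3->4->5->EOC is live; 7, 8, 9 freed by deletion; 10->11 reallocated
FAT = [0xFFF8, 0xFFFF, 0, 4, 5, 0xFFFF, 0, 0, 0, 0, 0x000B, 0xFFFF]
```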
NTFS
Value of the $DATA attribute holds the content of the file
Can have more than one $DATA attribute
Multiple $DATA attributes leads to possibility of multiple data streams in a single file – this is also called Alternate Data Streams
Potentially relevant for forensics as a place for hidden data
MFT
Most of this I have already covered - every entry has a fixed size, usually 1 KB
Contains one entry describing every file and directory
Attributes such as type, name and size are in short headers in the MFT
A single file record looks like the image below
Resident vs non-resident
Values can be either
Attributes - short, fixed length usually
Attributes with large values are normally non-resident - value stored outside the MFT, with just the storage locations kept in the file record
Clusters
Non-resident attributes stored in groups of clusters
Fixed size - 4 KB is typical
Numbered from 0 at the start of the partition
Boot sector info contained in cluster 0
Non-resident attributes
Contain a list of cluster-runs
Runs are consecutive groups of clusters
Single run is represented by starting cluster address and number of clusters in the run
If the list is too big, there may be additional entries
Storage of the MFT
MFT itself is just a file - contains its own metadata in a file record
Its $DATA attribute is non-resident
Boot sector contains cluster number of the first cluster in the MFT
This contains the $DATA attribute - which tells us where to find the rest of the MFT
Directories
Stored differently
Uses
$INDEX_ROOT
$INDEX_ALLOCATION
$BITMAP
FORMAT IS NOT A SIMPLE LIST
Is in fact a B-tree
File name information stored once in the directory containing the object and once in the object itself
Useful for forensics!
People may only remove one not the other!
NTFS file recovery
File record in the MFT is typically not immediately erased - it is simply marked as unallocated
The Windows Registry
Stores config settings
Directories called keys
Contains values
Values have name and data
Stored in Windows\System32\config
Important info - SAM hive stores local passwords
Covered in COMFIC lecture
Newer file systems
ext4 - newer Linux file system
Uses extents, similar to cluster-runs in NTFS
ReFS
Newer file system from Microsoft
Built in integrity checking
Supports large volumes