NTFS File systems

SYSDA
NTFS

NTFS is the most commonly used file system on Windows
Everything on the volume, including the file system's own metadata, is stored as a file; the volume itself is treated as a sea of bytes addressed in clusters
The content of a file is held in its $DATA attribute; but a file can have more than one $DATA attribute, which gives it multiple data streams, also known as alternate data streams (ADS)
A named stream is referred to in the format filename:streamname (the unnamed $DATA stream is the file's normal content)


MFT (Master File Table)
Contains one entry (file record) for every file and directory on the volume, including the metadata files themselves

A file record is laid out as a sequence of attributes, for example:
$STANDARD_INFORMATION - flags, timestamps (created, modified, MFT modified, accessed), ownership and security information
$FILE_NAME - the file's name in Unicode, plus a reference to its parent directory and a second copy of the timestamps
$DATA - the contents of the file

Resident vs non-resident attributes

The value (content) of any attribute can be resident or non-resident
Resident: the content is stored inside the MFT record itself; short fixed-length attributes ($STANDARD_INFORMATION, $FILE_NAME, very small $DATA) will normally be resident
Non-resident: the content does not fit in the record and is stored outside the MFT in clusters; the record only holds the cluster runs that locate it

Clusters
The unit of allocation on the volume: the content of a non-resident attribute is stored in groups of clusters
Have a fixed size chosen at format time, usually 4,096 bytes (8 sectors of 512 bytes)
A non-resident attribute is represented in the MFT by its cluster runs (consecutive groups of clusters)
A single cluster run is represented by a starting cluster address and the number of clusters in the run; a fragmented file simply has several runs
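As an added example (not part of these notes, and not code from Carrier's book or any NTFS driver), the parser below walks one MFT file record the way a forensic tool would: it applies the fixup (update sequence) array, iterates the attribute headers, decodes resident content ($STANDARD_INFORMATION, $FILE_NAME) and non-resident data runs, and lists the data streams in filename:streamname form. The 1024-byte record it parses is constructed inline: the field offsets are the standard NTFS on-disk layout, but the file name report.txt, the alternate data stream secret, the cluster numbers and the timestamps are invented sample values.

```python
"""Walk one NTFS MFT file record (added example; the record is constructed, not read from a disk)."""
import struct
from datetime import datetime, timedelta, timezone

STD_INFO, FILE_NAME, DATA = 0x10, 0x30, 0x80            # attribute type ids
ATTR = {STD_INFO: "$STANDARD_INFORMATION", FILE_NAME: "$FILE_NAME", DATA: "$DATA"}
RECORD, SECTOR = 1024, 512
EPOCH = 116444736000000000                              # 1970-01-01 as a FILETIME (sample value)


def filetime(raw):
    """FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=raw // 10)


def apply_fixups(rec):
    """Undo the update-sequence fixup: on disk the last 2 bytes of each sector hold the
    USN and the real bytes sit in the fixup array. A mismatch means a torn write or a
    corrupt/carved record, so refuse rather than parse garbage."""
    rec = bytearray(rec)
    off, cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[off:off + 2]
    for i in range(1, cnt):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[end:end + 2] = rec[off + 2 * i:off + 2 * i + 2]
    return bytes(rec)


def decode_runs(buf):
    """Run list -> [(start LCN or None if sparse, cluster count)]. Header byte: low nibble
    = size of the length field, high nibble = size of the offset field; offsets are
    signed and relative to the previous run's start LCN."""
    runs, pos, lcn = [], 0, 0
    while buf[pos]:                                     # 0x00 terminates the list
        len_sz, off_sz = buf[pos] & 0xF, buf[pos] >> 4
        n = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:
            raw = buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
            lcn += int.from_bytes(raw, "little", signed=True)
        runs.append((lcn if off_sz else None, n))
        pos += 1 + len_sz + off_sz
    return runs


def parse_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record")
    pos, flags = struct.unpack_from("<HH", rec, 20)    # first attribute offset, flags
    out = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attrs": []}
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, pos)
        a = {"type": ATTR.get(atype, hex(atype)), "resident": not nonres,
             "name": rec[pos + noff:pos + noff + 2 * nlen].decode("utf-16-le")}
        if nonres:                       # content lives in clusters: keep the runs
            roff, = struct.unpack_from("<H", rec, pos + 32)
            a["size"], = struct.unpack_from("<Q", rec, pos + 48)
            a["runs"] = decode_runs(rec[pos + roff:pos + alen])
        else:                            # content is inside the MFT record
            csize, coff = struct.unpack_from("<IH", rec, pos + 16)
            body = rec[pos + coff:pos + coff + csize]
            if atype == STD_INFO:
                a["created"] = filetime(struct.unpack_from("<Q", body, 0)[0])
            elif atype == FILE_NAME:     # parent reference: low 48 bits = MFT entry number
                a["parent"] = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
                a["filename"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
            else:
                a["content"] = body
        out["attrs"].append(a)
        pos += alen
    return out


def streams(parsed):
    """Every $DATA attribute as filename:streamname (the unnamed stream is the file itself)."""
    fn = next(a["filename"] for a in parsed["attrs"] if a["type"] == "$FILE_NAME")
    return [fn + (":" + a["name"] if a["name"] else "")
            for a in parsed["attrs"] if a["type"] == "$DATA"]


# --- constructed sample record for report.txt (invented values, real on-disk layout) ---
def _attr(atype, body=b"", name="", runs=None, size=0, clusters=0):
    nm = name.encode("utf-16-le")
    if runs is None:                                   # resident: 8-byte header extension
        fixed, payload = struct.pack("<IH2x", len(body), 24 + len(nm)), body
    else:                                              # non-resident: 48-byte header extension
        fixed = struct.pack("<QQHH4xQQQ", 0, clusters - 1, 64 + len(nm), 0,
                            clusters * 4096, size, size)
        payload = runs
    total = (16 + len(fixed) + len(nm) + len(payload) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, runs is not None, len(name), 16 + len(fixed), 0, 0)
    return (hdr + fixed + nm + payload).ljust(total, b"\0")


def build_record():
    name = "report.txt"
    attrs = (_attr(STD_INFO, struct.pack("<4QI12x", EPOCH, EPOCH, EPOCH, EPOCH, 0x20))
             + _attr(FILE_NAME, struct.pack("<5QQQIIBB", 5 | 5 << 48, EPOCH, EPOCH, EPOCH, EPOCH,
                                           126976, 100000, 0x20, 0, len(name), 1) + name.encode("utf-16-le"))
             # runs: 24 clusters at LCN 22068, 5 sparse clusters, then 2 clusters at 22068-16
             + _attr(DATA, runs=bytes.fromhex("21183456 0105 1102f0 00"), size=100000, clusters=31)
             + _attr(DATA, b"hidden notes", name="secret")          # the ADS report.txt:secret
             + b"\xff\xff\xff\xff")
    rec = bytearray(RECORD)
    rec[:42] = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 7, 1, 56, 1, 56 + len(attrs), RECORD, 0, 4)
    rec[56:56 + len(attrs)] = attrs
    rec[48:50] = b"\x09\x00"                           # USN, then stamp it over each sector end
    for i in (1, 2):
        end = i * SECTOR - 2
        rec[48 + 2 * i:50 + 2 * i], rec[end:end + 2] = rec[end:end + 2], b"\x09\x00"
    return bytes(rec)


if __name__ == "__main__":
    p = parse_record(build_record())
    print(p["in_use"], streams(p), [a.get("runs") for a in p["attrs"]])
```

The fixup step is the part most often skipped in toy parsers and most often the reason a carved record parses into nonsense: the two bytes at the end of every 512-byte sector belong to the fixup array, not to whatever attribute happens to span that boundary. The run decoder also handles sparse runs (offset field size 0), which a forensic tool must treat as zero-filled rather than as data at cluster 0.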

(Figure: an MFT record whose non-resident $DATA attribute lists the cluster runs used to find the content)

But how does the MFT represent itself?
The MFT contains itself: file record 0 is $MFT
Its $DATA attribute is non-resident; the starting cluster of the MFT is recorded in the boot sector, so the first MFT record can be read directly
Once record 0 and its $DATA attribute have been found, its cluster runs give the location of the rest of the MFT (which may itself be fragmented)
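To show how record 0 is reached in the first place, here is an added example (mine, not from the lecture or from any NTFS driver) that decodes the fields of the boot sector that locate the MFT and computes where an MFT entry starts. The boot sector bytes are constructed with typical values (512-byte sectors, 8 sectors per cluster, MFT at cluster 0xC0000, 1024-byte records); the offsets are the standard NTFS boot sector layout, the values are not from a real volume.

```python
"""Locate the MFT from the NTFS boot sector (added example; boot sector is constructed)."""
import struct


def parse_boot_sector(bs):
    """Decode the boot sector fields needed to find the MFT."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 11)            # bytes/sector, sectors/cluster
    mft_lcn, mirr_lcn, rec = struct.unpack_from("<QQb", bs, 48)
    cluster = bps * spc
    # clusters-per-MFT-record is a signed byte: a negative value v means 2**(-v) bytes
    record = 2 ** -rec if rec < 0 else rec * cluster
    return {"cluster_size": cluster, "record_size": record,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn}


def mft_entry_offset(geo, n):
    """Byte offset of MFT entry n, valid while the entry lies in the MFT's first
    (contiguous) run; beyond that, follow the runs of entry 0's own $DATA attribute."""
    return geo["mft_lcn"] * geo["cluster_size"] + n * geo["record_size"]


def sample_boot_sector():
    """Constructed boot sector with typical values (not from a real volume)."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xeb\x52\x90", b"NTFS    "         # jump instruction + OEM id
    struct.pack_into("<HB", bs, 11, 512, 8)                  # 512-byte sectors, 8 per cluster
    struct.pack_into("<Q", bs, 40, 0x1000000)                # total sectors
    struct.pack_into("<QQb", bs, 48, 0xC0000, 2, -10)        # $MFT LCN, $MFTMirr LCN, 2**10-byte records
    bs[68] = 1                                               # clusters per index record
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


if __name__ == "__main__":
    geo = parse_boot_sector(sample_boot_sector())
    print(geo, hex(mft_entry_offset(geo, 0)), hex(mft_entry_offset(geo, 5)))
```

The signed-byte encoding of the record size is the usual trap: a value of 0xF6 is not 246 clusters per record but 2 to the power 10, i.e. 1024 bytes, and getting it wrong puts every record boundary after the first in the wrong place.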

Important files (reserved MFT entries)
0 - $MFT (the MFT itself)
1 - $MFTMirr (backup copy of the first MFT records)
5 - Root directory
7 - $Boot (boot sector and bootstrap loader)
16 - First user file (entries 0 to 15 are reserved for metadata files)

Implementation of directories

A directory is also an MFT file record; its contents (the list of entries) are stored using the attributes
$INDEX_ROOT - the root node of the index (resident)
$INDEX_ALLOCATION - the non-resident index records that hold the remaining nodes
$BITMAP - which of those index records are in use

The format of the index is a B-tree sorted by file name; each entry holds a copy of the child's $FILE_NAME attribute and a reference to its MFT record

(Figure: example directory B-tree for eee.txt, showing how the entries aaa and bbb are found)

File name information is not only stored in the directory's B-tree
It is also stored in the file's own $FILE_NAME attribute in its MFT record, which is great for forensics: a file can still be named even after its directory entry is gone


Recovering files in NTFS

When a file is deleted its MFT record is not immediately erased: the record is marked as unallocated (the in-use flag is cleared) and its clusters are released in $Bitmap
Until the record or the clusters are reused, the $FILE_NAME attribute and the cluster runs still point at the old content, so the file can be recovered from the unallocated record

Suggested further reading:
  • Brian Carrier, “File System Forensic Analysis”, Addison Wesley, 2005 (FSFA)
    • Material in this lecture is mainly covered by chapters 9 through 13.
  • Andrew S. Tanenbaum, “Modern Operating Systems”, 4th Edition, Pearson, 2014 (MOS)
    • Material in this lecture is covered by chapter 11.
