Windows System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L5: Windows System Artifacts

1 Examining NTFS Disks

- New Technology File System (NTFS)
  - Introduced with Windows NT
  - Primary file system for Windows Vista and Windows 7
  - In NTFS, everything written to the disk is considered a file
  - Default cluster size is 4KB (8 sectors) in most disks
    - http://support.microsoft.com/kb/140365

2 NTFS Disk Structure

- First sector is the Partition Boot Sector
  - Similar structure to FAT16
  - Offset 0x30: logical cluster number (8 bytes) for the MFT file
- Next 15 sectors are reserved
  - Holds bootloader code
- Next is the MFT Zone that holds the Master File Table (MFT)
  - Contains information about every file in the system
  - Initially about 12.5% of the disk space is reserved for it
- Always check the boot sector for the start cluster of the MFT!

3 NTFS File System

- MFT contains information about all files and folders on the disk
  - Including the system files the OS uses
- Information about one file is a record
  - The MFT is nothing but a table of records
  - The first 16 records are reserved for system files
- Records in the MFT are called metadata
  - Data about data
4 MFT Records

Record No.   Filename    Description
0            $MFT        Base file record
1            $MFTMirr    First 4 records of MFT
2            $LogFile    File system transaction history
3            $Volume     Information specific to the volume
4            $AttrDef    Table of attribute names, numbers and definitions
5            $           Root folder of the NTFS volume
6            $Bitmap     Bitmap showing which clusters are in use
7            $Boot       Data from the boot sectors
8            $BadClus    Information about bad clusters
9            $Secure     Access control list
10           $Upcase     Uppercase Unicode character
11           $Extend     Optional extensions
12-15                    Reserved for future use
16 onwards               User file records

http://technet.microsoft.com/en-us/library/cc938949.aspx

5 MFT and File Attributes

- In the NTFS MFT
  - All metadata about files and folders is stored in separate records of 1024 bytes each
    - Given by a signed integer at offset 0x40 in the boot sector (4 bytes)
  - Each record contains file or folder information
  - This information is divided into record fields containing metadata
    - A record field is also referred to as an attribute
  - File or folder information is typically stored in one of two ways in an MFT record:
    - Resident: file contents fit within the 1024 bytes of the record itself
    - Nonresident: data is stored outside the MFT record

6 MFT and File Attributes (contd.)

- Files larger than 512 bytes are stored outside the MFT
- The MFT record provides cluster addresses where the file is stored on the drive's partition
  - Referred to as data runs
- Each MFT record starts with a header identifying it as a resident or nonresident attribute

7 Reading MFT Records

- The term offset means the location relative to the beginning of something
- Numeric data is typically stored in little-endian format
  - E.g. if you are looking at, say, 4 bytes of data in a hex editor
    00 AE 97 02
    it signifies the number 0x0297AE00 = 43494912


8 MFT Record Header

(Figure: hex dump of an MFT record header with the labels: MFT record identifier; Size of record (0x00000400); Length of header, attribute IDs start here)

9 MFT Record Header (contd.)

- Offset 0x00
  - Identifier: all MFT records begin with the hex values 46 49 4C 45 ("FILE") at this offset
- Offset 0x1C to 0x1F
  - Size of MFT record; default is 0x0400 (1024) bytes
- Offset 0x14
  - Length of header: this is where the other record fields (attribute IDs) start

10 MFT Attribute IDs

- Offset information below is relative to where the attribute begins
- Offset 0x00
  - Attribute ID: tells you what information follows
- Offset 0x04 and 0x05
  - Size of the attribute from the beginning of the attribute
- The idea is to know (by reading the documentation)
  - What an attribute ID stands for, and
  - How the information corresponding to that attribute is organized

11 Some MFT Attribute IDs

- 0x10: Standard information such as file creation time, permissions, etc.
- 0x20: Used when the list of attributes does not fit in the 1024 bytes of the record
- 0x30: File name
- 0x80: File data or data runs
- More available in the book
12 MFT Attribute IDs (contd.)
13 MFT Attribute IDs (contd.)

(Figures on both slides: annotated hex dump of an MFT record with the labels: Attribute ID; Attribute length (0x0060); Attribute 0x10 information ends here; Next attribute ID; Attribute length (0x0068); And the next attribute ID; End of record marker)

14 Attribute 0x10 : Standard Information

- Offsets are relative to the beginning of the attribute information
- Offset 0x18 to 0x1F
  - File's create date and time; stored in Win32 Filetime format
- Offset 0x20 to 0x27
  - Last modified date and time
- Offset 0x28 to 0x2F
  - Last access date and time
- And there's more!!

15 Attribute 0x30 : Filename

- You may see two instances of this attribute in a record
  - One for the short MS-DOS style name
  - Another for the long name
- Offset 0x04 and 0x05
  - Size of this attribute (like in all other attributes)
- Offset 0x5A onwards
  - The name
  - Use the size to determine how much to read from here
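The record header and attribute walk of slides 8 through 11, together with the 0x10 timestamp and 0x30 name fields of slides 14 and 15, as an added Python example that is not part of the lecture material. It builds a constructed 1024-byte resident MFT record and parses it back with the offsets the slides give. Assumptions that go beyond the slides: the attribute length is read as the full 4-byte little-endian field at 0x04 (the slides name bytes 0x04 and 0x05, its low half), the attribute list ends with an 0xFFFFFFFF marker, $STANDARD_INFORMATION holds four consecutive FILETIME values from 0x18 (creation, modification, MFT change, access, the layout in the ntfsdoc reference on slide 34), and $FILE_NAME keeps its name length byte at 0x58 just before the name at 0x5A. The build_* helpers, the sample timestamps and the file name are constructed for the example; on a real case the record bytes come from the $MFT of the image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Win32 FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC (slide 14).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
END_OF_ATTRIBUTES = 0xFFFFFFFF   # end-of-record marker; assumed from ntfsdoc, not on the slides

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def align8(n):
    return (n + 7) & ~7

def build_attribute(attr_type, content, name=""):
    """Constructed resident attribute: 0x18-byte header, optional UTF-16LE name, content."""
    raw_name = name.encode("utf-16-le")
    content_off = align8(0x18 + len(raw_name))        # content follows the name, padded to 8 bytes
    length = align8(content_off + len(content))
    buf = bytearray(length)
    struct.pack_into("<IIBBHHH", buf, 0, attr_type, length, 0, len(name), 0x18, 0, 0)
    struct.pack_into("<IHBB", buf, 0x10, len(content), content_off, 0, 0)
    buf[0x18:0x18 + len(raw_name)] = raw_name
    buf[content_off:content_off + len(content)] = content
    return bytes(buf)

def build_standard_information(created, modified, mft_modified, accessed):
    times = [datetime_to_filetime(t) for t in (created, modified, mft_modified, accessed)]
    return struct.pack("<4Q4I", *times, 0x20, 0, 0, 0)   # 0x20 = archive flag, then unused DWORDs

def build_file_name(name, size):
    """Parent ref, four times, allocated/real size, flags, reparse, name length, namespace, name."""
    fixed = struct.pack("<Q4QQQIIBB", 5, 0, 0, 0, 0, size, size, 0, 0, len(name), 1)
    return fixed + name.encode("utf-16-le")

def build_record(attributes):
    rec = bytearray(0x400)
    rec[0:4] = b"FILE"                           # identifier 46 49 4C 45 (slide 9)
    struct.pack_into("<H", rec, 0x14, 0x38)      # header length: attributes start here
    struct.pack_into("<I", rec, 0x1C, 0x400)     # record size
    pos = 0x38
    for attr in attributes:
        rec[pos:pos + len(attr)] = attr
        pos += len(attr)
    struct.pack_into("<I", rec, pos, END_OF_ATTRIBUTES)
    return bytes(rec)

def parse_record(rec):
    """Walk one MFT record: header fields from slide 9, attribute ID and length from slide 10."""
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    header_len = struct.unpack_from("<H", rec, 0x14)[0]
    record_size = struct.unpack_from("<I", rec, 0x1C)[0]
    result = {"record_size": record_size, "attributes": []}
    pos = header_len
    while pos + 8 <= record_size:
        attr_type, attr_len = struct.unpack_from("<II", rec, pos)
        if attr_type == END_OF_ATTRIBUTES:
            break
        if attr_len < 0x18 or pos + attr_len > record_size:   # corrupt or hostile length field
            raise ValueError("bad attribute length 0x%x at offset 0x%x" % (attr_len, pos))
        attr = rec[pos:pos + attr_len]
        entry = {"type": attr_type, "offset": pos, "length": attr_len}
        if attr_type == 0x10:                      # four FILETIMEs from 0x18 (ntfsdoc layout)
            times = struct.unpack_from("<4Q", attr, 0x18)
            for key, ft in zip(("created", "modified", "mft_modified", "accessed"), times):
                entry[key] = filetime_to_datetime(ft)
        elif attr_type == 0x30:                    # name length byte at 0x58, name from 0x5A (slide 15)
            name_len = attr[0x58]
            entry["name"] = attr[0x5A:0x5A + 2 * name_len].decode("utf-16-le")
        elif attr_type == 0x80 and attr[0x08] == 0:   # resident data: size at 0x10, data at 0x18 (slide 18)
            size, data_off = struct.unpack_from("<IH", attr, 0x10)
            entry["data"] = attr[data_off:data_off + size]
        result["attributes"].append(entry)
        pos += attr_len
    return result

# Constructed sample record for a small resident file.
CREATED = datetime(2014, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
ACCESSED = CREATED + timedelta(days=10)
SAMPLE_RECORD = build_record([
    build_attribute(0x10, build_standard_information(CREATED, CREATED, CREATED, ACCESSED)),
    build_attribute(0x30, build_file_name("notes.txt", 5)),
    build_attribute(0x80, b"hello"),
])

if __name__ == "__main__":
    for a in parse_record(SAMPLE_RECORD)["attributes"]:
        print("attribute 0x%02X at 0x%02X, %d bytes" % (a["type"], a["offset"], a["length"]))
```

The length check before each attribute is slicing matters on evidence: a record with a zero or oversized length field would otherwise loop forever or read past the 1024 bytes, so a parser that is pointed at arbitrary disk images has to refuse it rather than trust it.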


16 Attribute 0x30 : Filename (contd.)

(Figure: hex dump of a 0x30 attribute with the label: File name)

17 MFT and Cluster Numbers

- When a disk is created as an NTFS file structure
  - The OS assigns logical clusters to the entire disk partition
  - These assigned clusters are called logical cluster numbers (LCNs)
  - They become the addresses that allow the MFT to link to nonresident files on the disk's partition
- A cluster number relative to another cluster number is called a virtual cluster number (VCN)


18 Attribute 0x80 : Data

- Offset 0x08
  - Value of 0x00 means resident file
  - Value of 0x01 means non-resident file
- If resident file
  - Offset 0x10: Number of bytes of data
  - Offset 0x18: Beginning of data
- If non-resident file
  - Offset 0x40: Data runs
    - A list of cluster addresses where the data can be found

19 Attribute 0x80 : Resident File

(Figure: hex dump of a resident 0x80 attribute with the labels: Attribute ID; Resident; No. of bytes of data (0x20 = 32 bytes))

20 Attribute 0x80 : Non-Resident File

(Figure: hex dump of a non-resident 0x80 attribute with the labels: Attribute ID; Non-Resident; Data run; End of data run marker)

21 Interpreting Data runs

- Data run:
  - 32 B1 07 8C 8C 00 22 63 07 95 ED 32 BC 06 3C 36 01 00
- Every data run has three components
  - First: tells the length of the other two components
  - Second: run length
  - Third: LCN or VCN

22 Interpreting Data runs (contd.)

- Data run:
  - 32 B1 07 8C 8C 00 22 63 07 95 ED 32 BC 06 3C 36 01 00
- First data run: 32 B1 07 8C 8C 00
  - First component: 32
    - Lower half byte (0x2 here) means there are 0x2 bytes in the second component
    - Upper half byte (0x3 here) means there are 0x3 bytes in the third component
  - Second component: B1 07, i.e. 0x07B1 = 1969
  - Third component: 8C 8C 00, i.e. 0x008C8C = 35980
  - This means the data resides in 1969 contiguous clusters starting from cluster number 35980
    - Hence, the cluster number in the first data run is an LCN
  - There is more data!!

23 Interpreting Data runs (contd.)

- Data run:
  - 32 B1 07 8C 8C 00 22 63 07 95 ED 32 BC 06 3C 36 01 00
- Second data run: 22 63 07 95 ED
  - The third component from now on is a VCN
    - Also, it should be read as a signed integer
  - After reading the data as indicated by the first data run, continue reading from
    - Cluster 35980 + (-4715) = 31265 (0xED95 is -4715)
    - And read 0x0763 (=1891) clusters contiguously
24 Interpreting Data runs (contd.)

- Data run:
  - 32 B1 07 8C 8C 00 22 63 07 95 ED 32 BC 06 3C 36 01 00
- Third data run: 32 BC 06 3C 36 01
  - After reading the data as indicated by the second data run, continue reading from
    - Cluster 31265 + (79420) = 110685 (0x01363C is 79420)
    - And read 0x06BC (=1724) clusters contiguously
- Fourth data run??
  - The next byte is 00, which means end of data run
- For really large files, the data runs themselves may be stored outside the MFT record!

25 NTFS Data Streams

- Data streams
  - Ways data can be appended to existing files
  - Can obscure valuable evidentiary data, intentionally or by coincidence
- In NTFS, a data stream becomes an additional 0x80 file attribute
  - Regular opening of the file just reads the first 0x80 attribute information
  - You can only tell whether a file has a data stream attached by examining that file's MFT entry
- Allows more file information to be stored within the file itself
  - E.g. store the thumbnail of an image with the image file itself
  - Can also be used to hide information!
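The data run walk of slides 21 through 24, as an added Python example that is not part of the lecture material. It decodes the slides' own run list 32 B1 07 8C 8C 00 22 63 07 95 ED 32 BC 06 3C 36 01 00 into (cluster count, starting LCN) pairs and then maps the runs to byte extents within the partition, which is what a carving or file-recovery step needs. It goes beyond the slides in two places, both assumptions of the example rather than slide content: a header byte whose upper nibble is zero is treated as a sparse run with no clusters on disk (the ntfsdoc convention), and a run whose signed offset would land before cluster 0 is rejected as corrupt rather than followed.

```python
def decode_data_runs(run_bytes):
    """Decode an NTFS data run list into (cluster_count, starting_lcn) pairs.

    Each run starts with a header byte: the low nibble is the byte width of the
    run length, the high nibble the byte width of the cluster offset (slide 21).
    The first offset is an absolute LCN; every later offset is a signed delta from
    the previous run's start (slides 22-23). A 0x00 header ends the list (slide 24).
    """
    runs = []
    lcn = 0                      # running start cluster; the first delta is added to 0
    pos = 0
    while pos < len(run_bytes):
        header = run_bytes[pos]
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(run_bytes):
            raise ValueError("truncated or corrupt data run header at byte %d" % (pos - 1))
        count = int.from_bytes(run_bytes[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((count, None))   # sparse run, no clusters on disk (assumption from ntfsdoc)
            continue
        delta = int.from_bytes(run_bytes[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        if lcn < 0:
            raise ValueError("data run points before cluster 0 (corrupt offset)")
        runs.append((count, lcn))
    else:
        raise ValueError("data run list has no end marker")
    return runs

def runs_to_byte_extents(runs, cluster_size=4096):
    """(byte_offset, byte_length) per run for the 4KB default cluster of slide 1; sparse runs get None."""
    return [(None if lcn is None else lcn * cluster_size, count * cluster_size) for count, lcn in runs]

def total_clusters(runs):
    return sum(count for count, _ in runs)

# The run list shown on slides 21-24.
SLIDE_RUNS = bytes.fromhex("32 B1 07 8C 8C 00 22 63 07 95 ED 32 BC 06 3C 36 01 00")

if __name__ == "__main__":
    for count, lcn in decode_data_runs(SLIDE_RUNS):
        print("%d clusters starting at LCN %s" % (count, lcn))
```

Reading the offset with signed=True is the detail that makes the second run work: 95 ED is -4715 as a signed 16-bit value, not 60821, and a decoder that forgets the sign walks off to the wrong part of the disk.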

26 Creating a Data Stream

- Example
  - echo I am invisible > filename.txt:small_stream.txt
  - type largefile > filename.txt:large_stream.dat

27 0x80 for Data Streams

- Determine if resident or non-resident by checking offset 0x08
- If resident
  - Offset 0x09: length of the name of the stream (say N)
  - Following the name (2N bytes from offset 0x18) is the data
    - However, there will be padding if the name does not end on an 8-byte boundary
- If non-resident
  - Offset 0x20 and 0x21: offset where the data run begins
- This is rather a very short list – there can be other possibilities, e.g. a resident/non-resident data stream with/without a name
28 0x80 for Data Streams (contd.)

(Figure: hex dump of a resident data stream with the labels: Resident data stream; Length of stream name (10 bytes); Stream name (2x10 = 20 bytes); Padding)

29 0x80 for Data Streams (contd.)

(Figure: hex dump of a non-resident data stream with the labels: Non-resident data stream; Data run begins at offset 0x58)
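Slides 25 through 29, as an added Python example that is not part of the lecture material. It builds three constructed 0x80 attributes for one file (the unnamed stream a normal open reads, a resident named stream with a 10-character name, and a non-resident named stream with a 10-character name, so the padding of slide 28 and the data-run offset 0x58 of slide 29 both appear) and reads them back with the slide-27 offsets. Only the named 0x80 attributes are alternate data streams, and the MFT entry is where they show up. Beyond the slides, the example assumes the ntfsdoc layout for the fields it needs: the name offset at 0x0A, the resident content offset at 0x14, and in the non-resident header the real size at 0x30 and the name starting at 0x40. Run bytes are returned raw rather than decoded. The stream names, contents and the single run 21 04 A0 0B are constructed for the example.

```python
import struct

def align8(n):
    return (n + 7) & ~7

def build_resident_stream(name, data):
    """Constructed resident 0x80 attribute: 0x18-byte header, UTF-16LE name, padding, data."""
    raw_name = name.encode("utf-16-le")
    data_off = align8(0x18 + len(raw_name))          # slide 27: data follows the 2N name bytes, padded
    total = align8(data_off + len(data))
    buf = bytearray(total)
    struct.pack_into("<IIBBHHHIHBB", buf, 0,
                     0x80, total, 0, len(name), 0x18, 0, 0, len(data), data_off, 0, 0)
    buf[0x18:0x18 + len(raw_name)] = raw_name
    buf[data_off:data_off + len(data)] = data
    return bytes(buf)

def build_nonresident_stream(name, run_bytes, real_size, last_vcn, cluster_size=4096):
    """Constructed non-resident 0x80 attribute: 0x40-byte header, name, padding, data runs."""
    raw_name = name.encode("utf-16-le")
    run_off = align8(0x40 + len(raw_name))
    total = align8(run_off + len(run_bytes))
    buf = bytearray(total)
    struct.pack_into("<IIBBHHH", buf, 0, 0x80, total, 1, len(name), 0x40, 0, 0)
    allocated = (last_vcn + 1) * cluster_size
    struct.pack_into("<QQHHIQQQ", buf, 0x10, 0, last_vcn, run_off, 0, 0, allocated, real_size, real_size)
    buf[0x40:0x40 + len(raw_name)] = raw_name
    buf[run_off:run_off + len(run_bytes)] = run_bytes
    return bytes(buf)

def parse_data_attribute(attr):
    """Read one 0x80 attribute with the slide-27 offsets; returns a dict describing the stream."""
    attr_type, length, nonresident, name_len, name_off = struct.unpack_from("<IIBBH", attr, 0)
    if attr_type != 0x80:
        raise ValueError("not a 0x80 attribute: 0x%X" % attr_type)
    name = attr[name_off:name_off + 2 * name_len].decode("utf-16-le")
    info = {"name": name, "resident": nonresident == 0, "length": length}
    if nonresident == 0:
        size, data_off = struct.unpack_from("<IH", attr, 0x10)
        info["data_offset"] = data_off
        info["padded_as_expected"] = data_off == align8(0x18 + 2 * name_len)   # slide 27 padding rule
        info["size"] = size
        info["data"] = attr[data_off:data_off + size]
    else:
        run_off = struct.unpack_from("<H", attr, 0x20)[0]      # slide 27: offset 0x20-0x21
        info["size"] = struct.unpack_from("<Q", attr, 0x30)[0]
        pos = run_off
        while pos < len(attr) and attr[pos] != 0x00:           # skip run by run to the 0x00 end marker
            pos += 1 + (attr[pos] & 0x0F) + (attr[pos] >> 4)
        if pos >= len(attr):
            raise ValueError("data run list runs past the end of the attribute")
        info["data_run_offset"] = run_off
        info["data_runs"] = attr[run_off:pos + 1]
    return info

def list_streams(data_attributes):
    """Every 0x80 attribute of a record is a stream; the unnamed one is what a normal open reads."""
    return [parse_data_attribute(a) for a in data_attributes]

def alternate_stream_names(data_attributes):
    """Names of the extra streams, the ones only visible from the MFT entry (slide 25)."""
    return [s["name"] for s in list_streams(data_attributes) if s["name"]]

# Constructed sample: one file with its normal content and two attached streams.
SAMPLE_STREAMS = [
    build_resident_stream("", b"visible file body"),
    build_resident_stream("note_small", b"I am invisible"),
    build_nonresident_stream("big_stream", bytes.fromhex("21 04 A0 0B 00"), real_size=15000, last_vcn=3),
]

if __name__ == "__main__":
    for s in list_streams(SAMPLE_STREAMS):
        print(s["name"] or "(unnamed)", "resident" if s["resident"] else "non-resident", s["size"], "bytes")
```

For triage, alternate_stream_names is the check worth running over every record of interest: a file whose MFT entry carries more than one 0x80 attribute has data that the usual open and copy will never show.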

30 NTFS Compressed Files

- NTFS provides compression similar to FAT DriveSpace 3
- Under NTFS, files, folders, or entire volumes can be compressed
- Most computer forensics tools can uncompress and analyze compressed Windows data

31 NTFS Encrypting File System (EFS)

- Encrypting File System (EFS)
  - Introduced with Windows 2000
  - Implements a public key and private key method of encrypting files, folders, or disk volumes
- When EFS is used in Windows Vista Business Edition or higher, XP Professional, or 2000,
  - A recovery certificate is generated and sent to the local Windows administrator account


32 EFS Recovery Key Agent

- The Recovery Key Agent implements the recovery certificate
  - Which is in the Windows administrator account
- Windows administrators can recover a key in two ways
  - Through Windows, or
  - From an MS-DOS command prompt
- MS-DOS commands
  - Cipher
  - Copy
  - Efsrecvr (used to decrypt EFS files)

33 Deleting NTFS Files

- When a file is deleted in Windows XP, 2000, or NT
  - The OS renames it and moves it to a special folder called the Recycle Bin
  - Additional attributes store where the file came from
- Can use the del (delete) MS-DOS command
  - Eliminates the file from the MFT listing in the same way FAT does


34 References

- Ch 6: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- NTFS Boot Sector: http://ntfs.com/ntfs-partition-boot-sector.htm
- NTFS MFT Attributes: http://stderr.org/doc/ntfsdoc/attributes/index.html