
2010 Second International Workshop on Education Technology and Computer Science

Analysis and Implementation of NTFS File System Based on Computer Forensics

Zhang Kai, Cheng En, Gao Qinquan

Key Laboratory of Underwater Acoustic Communication and Marine Information Technology, Ministry of Education, Xiamen University, Xiamen, China
Department of Automation, Xiamen University, Xiamen, China
E-mail: chengen@xmu.edu.cn

Abstract—NTFS, which stores and manages important data, is the common file system of the Windows operating system. Extracting and analyzing the useful data of the NTFS file system has become an important means of computer forensics. Through detailed analysis and research on the storage principles of the NTFS file system, an object-oriented method is put forward to design an NTFS file parsing system. The system parses the binary data stored on disk, achieving the complete analysis of both normal files and deleted files. All the retrieved data can then be presented in a friendly user interface, which provides a reliable data source for computer forensics.

Keywords-computer forensics; NTFS; file system; data recovery; object-oriented

I. INTRODUCTION

With the rapid development of information technology and the Internet, computers have been used extensively in many fields of our life, while computer-related crimes occur more and more frequently. In this new kind of high-technology crime, the evidence is stored and transmitted through computers or networks. Therefore, extracting and analyzing the data stored in various storage devices, based on computer forensics, has become an important part of taking evidence from computers [1].

The Windows operating system (OS) plays an important role in our life, and NTFS, which stores and manages important data, is the common file system under Windows. Extracting and analyzing the useful data of the NTFS file system is of great importance in computer forensics. If data has been deleted, we cannot observe it directly under Windows, but it sometimes contains important evidence of a crime. Through detailed analysis and study of the storage principles of the NTFS file system, this paper puts forward an object-oriented design for an NTFS file parsing system, which parses the raw binary data saved on disk and achieves the complete analysis of normal files and deleted files. A friendly interface then displays all these data to the user as a tree structure. It provides a reliable data source and a powerful tool for computer forensics.

II. ANALYSIS OF NTFS FILE SYSTEM

NTFS is the common file system under the Windows NT OS and the Windows NT Advanced Server OS. It is also a special disk format designed for management and security features such as networking, disk quotas and file encryption. NTFS supports the management of encrypted files, and so it can provide a higher level of security guarantees to users.

A. Framework of NTFS

In NTFS, the system obtains the storage location of data through the Master File Table (MFT). The MFT is a database of files, consisting of a series of File Records [2]. Each file in the volume has a file record (a mass file may correspond to several file records), and the MFT also has a file record of its own. The structure of an NTFS partition is shown in Figure 1.

Boot | MFT | System files | File area

Figure 1. Structure of NTFS partition

NTFS locates files by VCN (virtual cluster number): each file has a corresponding record that may hold one or more data records, each of which gives an initial cluster and a length, and several such records can be combined into the data of one file.

B. The Volume Access Process by MFT in NTFS

The volume access process by MFT in NTFS is as follows. First, when NTFS accesses a volume, it must mount the volume; then NTFS checks the boot files and finds the physical disk address of the MFT; from the data attribute of the MFT's file record it obtains the mapping of VCN to LCN (logical cluster number) and saves it in memory. The operating position of the MFT is located by this mapping [3].

(1) Small File (SF) and Small Directory (SD) Access
All the attributes of an SD or SF can be resident in the MFT. The unnamed attribute of an SD can include all of the file data.

(2) Mass File Access
The size of a file record is fixed at 1 KB, so mass files and mass directories cannot be saved in a single file record; NTFS therefore assigns space for them outside the MFT. Such space is called a Run or an Extent and holds attribute values such as file data. If the attribute value grows, NTFS assigns a new Run for the additional values. Attributes saved in Runs rather than in the MFT are called nonresident attributes. A nonresident attribute, like mass file data, includes in its header the information by which NTFS locates the attribute value on the disk. The structure of a mass file is shown in Figure 2.

Corresponding Author: Cheng En, E-mail: chengen@xmu.edu.cn

978-0-7695-3987-4/10 $26.00 © 2010 IEEE 325
DOI 10.1109/ETCS.2010.434
Figure 2. Storage structure of a mass file

A data Run corresponds to a nonresident attribute, and the file data is composed of two nonresident attributes. Among the standard attributes, only the growing ones are non-resident; for a file, the growing attributes can be data, the attribute list and so on. Standard information and file name are always resident attributes. The MFT records the content of a file by the VCN-LCN mechanism, whose structure is shown in Figure 3.

Figure 3. Corresponding VCN-LCN for files

If a file has too many attributes to be saved in one MFT record, a second MFT file record can be used to accommodate the extra attributes (or the headers of nonresident attributes). In this case, an attribute called the Attribute List is added. The attribute list includes the name of each file attribute, its type code and its reference in the MFT. The attribute list is always a scattered file that needs several MFT file records, because the VCN-LCN mapping is too large [4].

(3) Directory Access
A folder in NTFS is only an index of file names and file references. If the size of the directory's attribute list is smaller than a record's length, all the information of the folder can be saved in the MFT record. A larger one is managed with a B+ tree, using a pointer to an Extent; this cluster is used to save the folder attributes that the MFT cannot hold. The process is shown in Figure 4.

Figure 4. NTFS directory access

III. DESIGN OF OBJECT-ORIENTED NTFS FILE SYSTEM

A. The Frame of Object-oriented NTFS File System

In the parsing process of the NTFS file system, the system extracts, according to the structure of the file system, all the information that exists as documents, remote directories, file partitions and so forth from the raw binary data stream. A friendly interface then displays these data to the user as a tree structure, and various operation interfaces are provided for further analysis and forensics [5].

Based on these objectives, this paper presents an object-oriented approach to file parsing. We regard every file as an object that encapsulates each attribute of the object and the various interface functions for it, and each object is independent. In the parsed file list, project, disk, partition, directory and document all inherit from CMyFile. According to the different roles of the objects, CMyFile derives the classes CDevice and CProject: CDevice represents a device and CProject represents a project. Likewise, CDevice derives the classes ClogicDisk and Cdisk: ClogicDisk represents a partition and Cdisk represents a disk. Thus we obtain the framework of the whole file system as shown in Figure 5 [6].

Figure 5. The overall class framework diagram of the NTFS file system

We define an object of CSource in each CDevice class; CSource represents the data source of the device, so that the construction and acquisition of each file object becomes easier. Data sources are divided into hard disk data sources and image file data sources according to the application. Therefore, two subclasses, CDeviceSource and CFileSource, are derived from the CSource base class: one represents a hard disk data source and the other an image file data source. Functions such as CREATEFILE and READFILE are implemented in these subclasses, giving the class inheritance framework of the whole file system shown in Figure 6.

Figure 6. The resource class framework diagram of the NTFS file system

B. The Analysis of NTFS File System [7]

(1) The Analytic Techniques of Normal Files
In NTFS, all data is contained in files, and a file obtains its storage location on disk and records its information through the MFT. According to the explanation in the previous section, this paper designs the following analytical method for normal files under NTFS:
1 Read the DOS boot record (DBR) of NTFS and obtain the initial logical cluster number of the MFT;
2 According to that cluster number, read the whole MFT record and save it in memory;
3 Through cyclic traversal, analyze each file record in the MFT and parse every piece of file information in the record. The concrete process for each file record is as follows:
3.1 Read the header of the MFT file record and analyze the flag byte at offset 0X16. If the value is 0X00, the file is a deleted file, and the value 0X02 indicates a deleted folder.
3.2 From the header of the file record, the offset of the first attribute can be obtained. In the general case the first attribute is the standard attribute 10H, from which the size, creation time, last modification time, last access time and file attributes of the deleted file can be extracted.
3.3 According to the size of the first attribute, continue to advance the offset to obtain the file name attribute 30H, from which important information such as the file name can be extracted; after that, the data attribute recording the details of the file can be obtained. When the data attribute is resident, the file content is saved in the file record; when the data attribute is non-resident, that is, the file is too big, extra space has been assigned to store it. Meanwhile, through analysis, record the sector information in which the file is saved.
3.4 Read the root folder attribute 0X90 and the index attribute 0X0A, build the folder structure of the files, and put all the analyzed data into the folder tree structure.
According to the above analysis, a flowchart for the analysis of normal NTFS files is designed as Figure 7.

Figure 7. The flowchart of the analysis of normal NTFS files

(2) The Recovery Techniques of Deleted Files
In Windows OS, when an NTFS file is deleted, its data area is not cleared at once. The system only alters the file status byte in the file record from 01 (in use) to 00 (deleted), and all other important information remains. Therefore it is possible to recover NTFS data, although we cannot see the deleted file at its original position. If data is written to the hard disk again, these clusters may be overwritten. That is to say, when the deleted file's original clusters are covered by new information, the deleted file might not be recoverable.

According to the design idea of this paper, the data area of a deleted file can be classified as totally recoverable, partially recoverable or totally non-recoverable. The specific judgment is as follows:
1. Totally recoverable model:

Figure 8. Totally recoverable model

2. Partially recoverable model:

Figure 9. Partially recoverable model

3. Totally non-recoverable model:

Figure 10. Totally non-recoverable model

Based on the above analysis, when the data area of a deleted file is not covered by the two adjacent files, it can be totally recovered. When the area is partly covered by the two adjacent files, the uncovered part can be extracted, and based on the analysis of normal files we cut out the covered sectors. When the area is totally covered by the adjacent files, the data is lost and totally non-recoverable.

According to the storage principles of NTFS and the processing techniques for deleted files, the implementation for deleted files is as follows:
1. According to the normal file analysis, parse all the files and store the flag bit information of deleted files.
2. Sort all files by address space.
3. When analysis is over, find the deleted files and folders through the flag byte.
4. When the data area of a deleted file is not covered by the two adjacent files, the file data is intact, so do not clip.
5. When the area is partly covered by the two adjacent files, cut out the covered space; the remainder is the correct content after analysis.
6. When the area is totally covered by the adjacent files, the data is lost and totally non-recoverable.
According to the above analysis, we design a flowchart for the recovery of deleted files under NTFS as Figure 11.
Figure 11. The flowchart of reparsing the deleted files

(3) Assembly Software Flow Chart
Through parsing the file system, we may obtain a whole hard disk or a single partition, so we must first judge the device type. When it is a partition, we judge whether it is an NTFS partition. If it is, we build the partition object and progressively parse the partition from the root directory, finally storing the result in the tree structure. When it is a hard disk, we build the hard disk object, then cyclically parse the partition list of the hard disk, extract the NTFS partitions and build the corresponding NTFS partition objects. Then, according to the analysis method for a partition, each extracted partition object is parsed until the end. The flowchart of the object-oriented parsing of the NTFS file system is shown in Figure 12 [8].

Figure 12. The flowchart of the object-oriented parsing of NTFS file system

IV. VERIFICATION OF SYSTEM

We implemented the method under Windows XP SP2 and the Microsoft Visual C++ 2005 platform. Using this system to analyze the NTFS file system obtains correct results. The running interface is shown in Figure 13. The test results indicate that object-oriented NTFS file system analysis is feasible. A friendly interface can then display all these data to the user as a tree structure, providing a reliable data source for computer forensics [9].

Figure 13. The interface of object-oriented parsing of NTFS file system

V. CONCLUSION

Aiming at the demand of computer forensics based on the NTFS file system, this paper proposes an object-oriented method to design and analyze the NTFS file system. The inheritance relationship and encapsulation of classes are used to analyze different kinds of data sources in depth. It not only implements normal file analysis but also restores deleted files. The result of the analysis is displayed in a friendly interface, and a reliable data source for computer forensics is provided. Meanwhile, many of the interfaces have reference value for the design of higher-level computer forensics software.
REFERENCES
[1] Wang Lina, Yang Mo, Wang Hui, Guo Panfeng, "Computer Forensics Research and Implementation Based on NTFS File System," Journal of Wuhan University (Natural Science Edition), vol. 5, pp. 519-522.
[2] Liang Jinqian, Zhang Yue, "The Main Data Structure of NTFS File System," Computer Engineering and Applications, 2003, pp. 116-130.
[3] Tu Yanhui, Dai Shijian, Data Security and Programming Techniques. Beijing: Tsinghua University Press, 2005. (in Chinese)
[4] Wan Lan-ying, Ju Jin-wu, "Analysis of NTFS file system structure," Computer Engineering and Design, 2005, 27(3), pp. 418-420.
[5] Zhang Jingsheng, Wang Zhongxia, Liu Wei, Data Recovery Methods and Case Analysis. Beijing: Electronics Industry Press, 2008. (in Chinese)
[6] Liang Jinming, Object-Oriented System Analysis and Design (UML Pattern). Beijing: Tsinghua University Press, 2005. (in Chinese)
[7] Sun Xing, Yu An'ping, Detailed Analysis of VC++. Beijing: Electronics Industry Press, 2004. (in Chinese)
[8] Wang Shilin, Data Structure Algorithm and Application. Beijing: Machinery Industry Press, 2000. (in Chinese)
[9] Clifford A. Shaffer, A Practical Introduction to Data Structures and Algorithm Analysis. Beijing: Electronics Industry Press, 2005.
