Key Laboratory of Underwater Acoustic Communication and Marine Information Technology, Ministry of Education, Xiamen University, Xiamen, China
Department of Automation, Xiamen University, Xiamen, China
E-mail: chengen@xmu.edu.cn
Abstract—NTFS, which stores and manages important data, is the common file system of the Windows operating system. Extracting and analyzing the useful data of the NTFS file system has become an important means of computer forensics. Through detailed analysis and research on the storage principles of the NTFS file system, an object-oriented method is put forward to design an NTFS file parsing system. The system parses the binary data stored on disk, achieving a complete analysis of both normal files and deleted files. All the data retrieved can then be presented in a friendly user interface, which provides a reliable data source for computer forensics.

Keywords-computer forensics; NTFS; file system; data recovery; object-oriented

I. INTRODUCTION

With the rapid development of information technology and the Internet, computers are used in many different fields of our lives, while computer-related crimes occur more and more frequently. In this new kind of high-technology crime, the evidence is stored and transmitted through computers or networks. Therefore, extracting and analyzing the data stored on various storage devices has become an important part of taking evidence from computers[1].

The Windows operating system (OS) plays an important role in our lives, and NTFS, which stores and manages its important data, is the common file system under Windows. Extracting and analyzing the useful data of the NTFS file system is therefore of great importance in computer forensics. Deleted data cannot be observed directly under Windows, but it sometimes contains important evidence of a crime. Through detailed analysis and study of the storage principles of the NTFS file system, this paper puts forward an object-oriented design for an NTFS file parsing system that parses the raw binary data saved on disk, achieving a complete analysis of normal files and deleted files. A friendly interface then displays all of this data to the user as a tree structure. It provides a reliable data source and a powerful tool for computer forensics.

II. ANALYSIS OF NTFS FILE SYSTEM

NTFS is the common file system of Windows NT and the Windows NT advanced network server OS. It is a disk format designed with management and security features, such as disk quotas and file encryption. Because NTFS supports encrypting files, it can provide a higher level of security to users.

A. Framework of NTFS

In NTFS the system obtains the storage location of data through the Master File Table (MFT). The MFT is a database of the volume's files, consisting of a series of file records[2]. Each file in the volume has a file record (a large file may need several), and the MFT has a file record of its own. The structure of an NTFS partition is shown in Figure 1.

Figure 1. Structure of an NTFS partition: Boot sector | MFT | System files | File area

NTFS locates file data by virtual cluster number (VCN). The data of a file is described by one or more data runs, and each run records a starting cluster and a length; together the runs make up the data of the file.

B. The Volume Access Process by MFT in NTFS

The volume access process by the MFT is as follows. First, when NTFS accesses a volume it must mount it; NTFS then reads the boot sector and finds the physical disk address of the MFT. From the data attribute of the MFT's own file record it obtains the mapping of VCN to LCN (logical cluster number) and saves it in memory. The location of every part of the MFT on disk is found through this mapping[3].

(1) Small File (SF) and Small Directory (SD) Access
All the attributes of a small file or small directory can be resident in its MFT record. The unnamed data attribute of a small file can hold all of the file's data.

(2) Large File Access
The size of a file record is fixed at 1 KB, so large files and large directories cannot be stored in a single file record; NTFS allocates space for them outside the MFT. These spaces are called runs (or extents) and hold attribute values such as file data. If an attribute value grows, NTFS allocates a new run for the additional data. Attributes stored in runs rather than in the MFT are called nonresident attributes. A nonresident attribute, such as the data of a large file, carries in its header the information by which NTFS locates the attribute value on disk. The structure of a large file is shown in Figure 2.
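The VCN-to-LCN mapping described in section II.B is stored in a nonresident attribute as a packed run list. The following is an added example (not the paper's code) that decodes such a run list and translates a VCN, or a byte offset inside the file, to its position on the volume. The run list bytes and the 4096-byte cluster size are constructed assumptions, not values read from a real volume; on a real volume the cluster size comes from the boot sector.

```python
"""Decode an NTFS run list and map a VCN (or file offset) to its LCN.

Added example; not the paper's code. The run list bytes and the cluster
size below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

CLUSTER_SIZE = 4096  # assumed; read it from the boot sector on a real volume


@dataclass
class Run:
    vcn: int            # first virtual cluster covered by this run
    lcn: Optional[int]  # first logical (on-disk) cluster; None if sparse
    length: int         # run length in clusters


def decode_runs(runlist: bytes) -> List[Run]:
    """Parse the packed run list of a non-resident attribute.

    Every run starts with a header byte: low nibble = byte width of the
    length field, high nibble = byte width of the offset field. Length is
    unsigned little-endian; the offset is a signed delta from the previous
    run's LCN (so a later fragment can lie before an earlier one). A
    zero-width offset marks a sparse run; a 0x00 header ends the list.
    """
    runs: List[Run] = []
    pos, vcn, prev_lcn = 0, 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:
        len_size, off_size = runlist[pos] & 0x0F, runlist[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            lcn = None                               # sparse: no clusters on disk
        else:
            delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn = prev_lcn = prev_lcn + delta
        runs.append(Run(vcn, lcn, length))
        vcn += length
    return runs


def vcn_to_lcn(runs: List[Run], vcn: int) -> Optional[int]:
    """Map one VCN to its LCN (None for a sparse cluster)."""
    for r in runs:
        if r.vcn <= vcn < r.vcn + r.length:
            return None if r.lcn is None else r.lcn + (vcn - r.vcn)
    raise ValueError(f"VCN {vcn} lies beyond the attribute's last run")


def file_offset_to_disk(runs: List[Run], offset: int,
                        cluster_size: int = CLUSTER_SIZE) -> Optional[int]:
    """Translate a byte offset inside the file to a byte offset on the volume."""
    vcn, within = divmod(offset, cluster_size)
    lcn = vcn_to_lcn(runs, vcn)
    return None if lcn is None else lcn * cluster_size + within


# Constructed run list: 8 clusters at LCN 64, then 4 clusters at LCN 32
# (delta -32), a 2-cluster sparse run, then 3 clusters at LCN 48 (delta +16).
SAMPLE_RUNLIST = bytes.fromhex("31 08 40 00 00  21 04 E0 FF  01 02  11 03 10  00")

if __name__ == "__main__":
    runs = decode_runs(SAMPLE_RUNLIST)
    for r in runs:
        print(f"VCN {r.vcn:>3} -> LCN {str(r.lcn):>5}  ({r.length} clusters)")
    print("file offset 0x8064 is at volume offset", file_offset_to_disk(runs, 0x8064))
```

The signed offset matters for forensics: a fragmented file routinely has a later run located before an earlier one, and a decoder that treats the offset as unsigned will point at the wrong clusters. The sparse case is the other edge worth handling explicitly, since those VCNs have no clusters on disk at all.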
3. Through cyclic traversal, analyze each file record in the MFT and parse every piece of file information in the record. The concrete process for each file record is as follows:

3.1 Read the header of the MFT file record and examine the flag word at offset 0x16. If its value is 0x00 the record belongs to a deleted file, and the value 0x02 indicates a deleted folder (0x01 and 0x03 mark a file and a folder that are still in use).

3.2 From the file record header, the offset of the first attribute can be obtained. In the general case the first attribute is the standard information attribute (type 0x10), from which the creation time, last modification time, last access time and file attribute flags of the deleted file can be extracted.

3.3 According to the length of the first attribute, continue to the offset of the next attribute; the file name attribute (type 0x30) is obtained, from which important information such as the file name can be extracted. After that, the data attribute (type 0x80) recording the contents and size of the file can be gained. When the data attribute is resident, the file content is stored inside the file record; when it is non-resident, the file is too large for the record and its content is stored in extra space outside the MFT. In that case the sector (cluster) information recording where the file is saved is extracted from the attribute's run list.

3.4 Read the index root attribute (type 0x90) and index allocation attribute (type 0xA0) of each folder, build the folder structure, and put all of the analyzed data into a folder tree structure.

According to the above analysis, a flow chart for the analysis of normal NTFS files is designed as Figure 7.

Therefore it provides the possibility of recovering NTFS data. But we cannot see the deleted file at its original position. If data is written to the hard disk again, these clusters may be overwritten. That is to say, once the deleted file's original clusters are covered by new information, the deleted file might not be recoverable.

According to the design idea of this paper, the data area of a deleted file can be classified as totally recoverable, partially recoverable or totally non-recoverable. The specific judgment is as follows:

1. Totally recoverable model:
Figure 8. Totally recoverable model

2. Partially recoverable model:
Figure 9. Partially recoverable model

3. Totally non-recoverable model:
Figure 10. Totally non-recoverable model
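Steps 3.1 to 3.4 above describe one pass over a single file record. The following is an added example (not the paper's code) that implements that pass in Python: it undoes the update sequence fixups, reads the flag word at 0x16, and walks the attributes to pull the timestamps from type 0x10, the name from type 0x30, and the content (or, for a nonresident file, the raw run list) from type 0x80. The two 1024-byte records are constructed in memory by build_record with the on-disk NTFS layout; the file name, content, timestamp and record number are made up, and the names parse_record, build_record and the like are mine.

```python
"""Parse one NTFS MFT file record (steps 3.1-3.4). Added example, not the
paper's code; the records are constructed in memory by build_record."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512
STD_INFO, FILE_NAME, DATA, INDEX_ROOT, INDEX_ALLOC = 0x10, 0x30, 0x80, 0x90, 0xA0
END_MARKER = 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02          # record flags at offset 0x16
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def apply_fixups(raw: bytes) -> bytearray:
    """Undo the update sequence: on disk the last two bytes of each 512-byte
    sector hold the update sequence number (USN) and the real bytes sit in
    the update sequence array. A mismatch means a torn or corrupt record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_record(raw: bytes) -> dict:
    """Step 3.1: flags; steps 3.2-3.4: walk the attributes by type."""
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
            "record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "name": None, "data": None, "data_runs": None, "attribute_types": []}
    pos = first_attr
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen < 0x18 or pos + alen > len(rec):
            break
        info["attribute_types"].append(atype)
        nonres, name_len = rec[pos + 8], rec[pos + 9]
        value = b""
        if not nonres:
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            value = bytes(rec[pos + voff:pos + voff + vlen])
        if atype == STD_INFO and value:
            created, modified, _, accessed = struct.unpack_from("<QQQQ", value, 0)
            info.update(created=filetime(created), modified=filetime(modified),
                        accessed=filetime(accessed),
                        file_attributes=struct.unpack_from("<I", value, 0x20)[0])
        elif atype == FILE_NAME and value:
            n_chars, namespace = value[0x40], value[0x41]
            if info["name"] is None or namespace != 2:   # prefer the long name over DOS 8.3
                info["name"] = value[0x42:0x42 + 2 * n_chars].decode("utf-16-le")
            info["parent_record"] = struct.unpack_from("<Q", value, 0)[0] & 0xFFFFFFFFFFFF
        elif atype == DATA and name_len == 0:           # the unnamed $DATA stream
            if nonres:                                    # large file: content is in runs outside the MFT
                run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
                info["data_size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
                info["data_runs"] = bytes(rec[pos + run_off:pos + alen])
            else:                                         # small file: content is inside the record
                info["data"], info["data_size"] = value, len(value)
        pos += alen
    return info


def _resident(atype: int, value: bytes) -> bytes:
    """Resident attribute with the value at offset 0x18, length padded to 8 bytes."""
    total = 0x18 + len(value) + (-(0x18 + len(value)) % 8)
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(value), 0x18, 0, 0)
    return (hdr + value).ljust(total, b"\0")


def build_record(name: str, content: bytes, record_number: int, flags: int, ts: int) -> bytes:
    """Assemble a constructed record and stamp the update sequence as NTFS does."""
    std = struct.pack("<QQQQI", ts, ts, ts, ts, 0x20).ljust(48, b"\0")
    fname = struct.pack("<QQQQQQQII", 5, ts, ts, ts, ts, 0, len(content), 0x20, 0)
    fname += bytes([len(name), 1]) + name.encode("utf-16-le")    # namespace 1 = Win32 name
    attrs = _resident(STD_INFO, std) + _resident(FILE_NAME, fname) + _resident(DATA, content)
    attrs += struct.pack("<II", END_MARKER, 0)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", usa_off, usa_count, 0, 1, 1, first_attr,
                                        flags, first_attr + len(attrs), RECORD_SIZE, 0, 4, 0,
                                        record_number)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x07\x00"                                   # constructed update sequence number
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                       # save real sector tails, stamp the USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)


TS = int((datetime(2011, 3, 15, 12, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
CONTENT = b"Constructed sample content: meeting at the pier, 10:00.\n"
LIVE_RECORD = build_record("evidence.txt", CONTENT, 41, FLAG_IN_USE, TS)
DELETED_RECORD = build_record("evidence.txt", CONTENT, 41, 0x00, TS)  # deletion clears only the in-use bit
```

Two details matter in practice. The update sequence must be undone before any attribute is read, otherwise an attribute that straddles a sector boundary is parsed from two corrupted bytes; the check also catches records that were only half written. And a deleted record keeps all of its attributes intact, so the name, timestamps and (resident) content of evidence.txt come out of DELETED_RECORD exactly as they do from LIVE_RECORD, with only in_use differing.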
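The three models above (totally recoverable, partially recoverable, totally non-recoverable) come down to whether the deleted file's clusters have been handed out again. The following is an added example (not the paper's code) that applies that judgment: given the (LCN, length) extents decoded from the deleted file's $DATA run list and the volume's $Bitmap, it reports which model applies and which sub-extents are still free and worth carving. The extents and the three bitmaps are constructed here for a 128-cluster volume; the names classify and make_bitmap are mine. A cluster that $Bitmap marks as allocated is treated as lost, since its contents may already be overwritten.

```python
"""Classify a deleted file's data area as totally / partially / non-recoverable.

Added example, not the paper's code. The extents are what a run-list decoder
yields for the deleted file's $DATA attribute; the $Bitmap bytes are
constructed (one bit per cluster, least significant bit first, 1 = allocated).
"""
from typing import Iterable, List, Tuple

Extent = Tuple[int, int]  # (first LCN, number of clusters)


def cluster_allocated(bitmap: bytes, lcn: int) -> bool:
    """$Bitmap stores one bit per cluster, LSB of each byte first."""
    byte, bit = divmod(lcn, 8)
    if byte >= len(bitmap):
        raise ValueError(f"LCN {lcn} lies outside the volume bitmap")
    return bool(bitmap[byte] >> bit & 1)


def classify(extents: Iterable[Extent], bitmap: bytes) -> Tuple[str, int, List[Extent]]:
    """Return (model, clusters lost to reallocation, still-free sub-extents)."""
    free: List[Extent] = []
    total = lost = 0
    for lcn, length in extents:
        start = None                      # first LCN of the current free stretch
        for c in range(lcn, lcn + length):
            total += 1
            if cluster_allocated(bitmap, c):
                lost += 1
                if start is not None:     # close the free stretch before this cluster
                    free.append((start, c - start))
                    start = None
            elif start is None:
                start = c
        if start is not None:
            free.append((start, lcn + length - start))
    if total == 0 or lost == total:
        return "totally non-recoverable", lost, free
    if lost == 0:
        return "totally recoverable", lost, free
    return "partially recoverable", lost, free


def make_bitmap(n_clusters: int, allocated: Iterable[int]) -> bytes:
    """Build a constructed $Bitmap with the given clusters marked allocated."""
    bm = bytearray((n_clusters + 7) // 8)
    for c in allocated:
        bm[c // 8] |= 1 << (c % 8)
    return bytes(bm)


# Constructed data: the deleted file occupied LCN 64-71 and LCN 32-35.
DELETED_EXTENTS: List[Extent] = [(64, 8), (32, 4)]
SYSTEM_AREA = range(0, 16)                 # clusters the constructed volume always keeps allocated
BITMAP_UNTOUCHED = make_bitmap(128, SYSTEM_AREA)
BITMAP_PARTLY_REUSED = make_bitmap(128, [*SYSTEM_AREA, 66, 67])
BITMAP_FULLY_REUSED = make_bitmap(128, [*SYSTEM_AREA, *range(32, 36), *range(64, 72)])

if __name__ == "__main__":
    for label, bm in [("untouched", BITMAP_UNTOUCHED), ("partly reused", BITMAP_PARTLY_REUSED),
                      ("fully reused", BITMAP_FULLY_REUSED)]:
        model, lost, free = classify(DELETED_EXTENTS, bm)
        print(f"{label:>14}: {model} ({lost} clusters lost), free extents {free}")
```

The free sub-extents are the useful output for a forensic tool: in the partially recoverable case the file cannot be reassembled whole, but the untouched stretches can still be extracted and examined, and the lost count tells the examiner how much is missing.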
Figure 12. The flowchart of the object-oriented parsing of the NTFS file system