Forensic Analysis of NTFS File Systems and Data Recovery

By: Gaurav Ragtah and Nell Lapres

- Goal: to locate and extract evidence from computers and digital storage media in criminal cases.
- Interest has grown recently.
- Widely accepted as reliable in US and European courts.
- Lots of information on NTFS computers can be used as evidence.

- Volatile data is stored in RAM.
- Non-volatile data is stored on the hard disk.
- Starting the computer normally would alter date and time information, so that evidence must not be lost.
- Boot to a forensic CD instead.

- Standard file system of Windows NT.
- Preferred over FAT for Microsoft's Windows operating systems.
  - Microsoft currently provides a tool to convert FAT file systems to NTFS.
- Improvements:
  - Improved support for metadata
  - Use of advanced data structures to improve performance
  - Reliability
  - File system journaling
  - Disk space utilization
  - Multiple data streams

NTFS Log
- NTFS uses its log to record metadata changes to the volume.
- Helps maintain consistency after a system crash.
- Uncommitted changes are rolled back.
- The result is a recoverable file system.

Update Sequence Number Journal
- A system management feature that records changes to all files, streams and directories on the volume.
- Made available so that applications can track changes to the volume.

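As an added example (not part of the original slides), a parser for the USN_RECORD_V2 entries that the Update Sequence Number Journal writes into $UsnJrnl:$J, with a constructed journal fragment showing how the reason flags and FILETIME stamps reconstruct one file's creation, overwrite and deletion. The record layout and reason bits follow the documented Windows USN_RECORD_V2 structure; the sample records, file names and MFT record numbers are invented for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 reason bits (a subset of the documented USN_REASON_* values).
REASONS = {
    "DATA_OVERWRITE": 0x00000001, "DATA_EXTEND": 0x00000002, "DATA_TRUNCATION": 0x00000004,
    "NAMED_DATA_OVERWRITE": 0x00000010, "NAMED_DATA_EXTEND": 0x00000020,
    "FILE_CREATE": 0x00000100, "FILE_DELETE": 0x00000200,
    "RENAME_OLD_NAME": 0x00001000, "RENAME_NEW_NAME": 0x00002000,
    "BASIC_INFO_CHANGE": 0x00008000, "STREAM_CHANGE": 0x00200000, "CLOSE": 0x80000000,
}
HEADER = "<IHHQQqQIIIIHH"             # 60-byte fixed part of USN_RECORD_V2
HEADER_LEN = struct.calcsize(HEADER)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_usn_v2(buf: bytes, pos: int) -> tuple:
    """Decode one record at pos; returns (record dict, offset of the next record)."""
    (rec_len, major, minor, frn, parent, usn, ts, reason,
     _source, _sec_id, _attrs, name_len, name_off) = struct.unpack_from(HEADER, buf, pos)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor}")
    name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
    rec = {
        "usn": usn, "time": filetime_to_dt(ts), "name": name,
        "mft_record": frn & 0xFFFFFFFFFFFF, "sequence": frn >> 48,  # file reference = seq:record
        "parent_record": parent & 0xFFFFFFFFFFFF,
        "reasons": [n for n, bit in REASONS.items() if reason & bit],
    }
    return rec, pos + rec_len


def parse_journal(buf: bytes) -> list:
    """Walk a $UsnJrnl:$J fragment. $J is sparse and records are 8-byte aligned,
    so zero padding between records is skipped in 8-byte steps."""
    records, pos = [], 0
    while pos + HEADER_LEN <= len(buf):
        if struct.unpack_from("<I", buf, pos)[0] == 0:
            pos += 8
            continue
        rec, pos = parse_usn_v2(buf, pos)
        records.append(rec)
    return records


def history(records: list, mft_record: int) -> list:
    """Temporal reconstruction for one MFT record: (time, name, reasons) in journal order."""
    return [(r["time"], r["name"], r["reasons"]) for r in records if r["mft_record"] == mft_record]


def deleted_files(records: list) -> list:
    """Files the journal saw deleted, with the time: their MFT records may still be
    reconstructable, and the journal pins down when they disappeared."""
    return [(r["name"], r["time"]) for r in records if "FILE_DELETE" in r["reasons"]]


# --- constructed journal fragment (built here for the demo, not captured from a real volume) ---
def build_usn_v2(usn: int, ft: int, frn: int, parent: int, reason: int, name: str) -> bytes:
    name_b = name.encode("utf-16-le")
    rec_len = (HEADER_LEN + len(name_b) + 7) & ~7
    body = struct.pack(HEADER, rec_len, 2, 0, frn, parent, usn, ft, reason,
                       0, 0, 0x20, len(name_b), HEADER_LEN) + name_b
    return body + b"\0" * (rec_len - len(body))


def build_sample_journal() -> bytes:
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    payroll, report, root = (3 << 48) | 1234, (1 << 48) | 1300, (5 << 48) | 5
    events = [
        (t0, payroll, REASONS["FILE_CREATE"] | REASONS["CLOSE"], "payroll.xlsx"),
        (t0 + timedelta(minutes=1), payroll, REASONS["DATA_OVERWRITE"] | REASONS["CLOSE"], "payroll.xlsx"),
        (t0 + timedelta(minutes=2), payroll, REASONS["FILE_DELETE"] | REASONS["CLOSE"], "payroll.xlsx"),
        (t0 + timedelta(minutes=3), report, REASONS["RENAME_NEW_NAME"] | REASONS["CLOSE"], "report-final.docx"),
    ]
    buf = b"\0" * 16                                    # zero padding as found in sparse $J
    for i, (t, frn, reason, name) in enumerate(events):
        if i == 2:
            buf += b"\0" * 8
        buf += build_usn_v2(len(buf), dt_to_filetime(t), frn, root, reason, name)
    return buf


SAMPLE_JOURNAL = build_sample_journal()

if __name__ == "__main__":
    for name, when in deleted_files(parse_journal(SAMPLE_JOURNAL)):
        print(f"{when.isoformat()}  deleted  {name}")
```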
- The registry contains information about settings for hardware and software.
- Changes made in the Control Panel or to installed software are seen in registry entries.

- NTFS supports multiple data streams.
- Data could be hidden in an alternate data stream (ADS).
- Partitions can be hidden by altering the partition table.
- Data can also be found in end-of-file slack space.

- The Volume Shadow Copy Service (VSS) keeps historical versions of files and folders on NTFS volumes by copying the old contents of newly overwritten data to a shadow copy.
- Allows data backup programs to archive files that are in use by the file system.

- All file data is stored as metadata in the Master File Table (MFT).
- The MFT is continuously changed as files and folders are modified.
- The first 16 records in the MFT are for NTFS metadata files.
- An MFT record has a size limit of 1 KB.

Segment  File name  Description
number
0        $MFT       NTFS's Master File Table. Contains one base file record for each file and folder on an NTFS volume.
1        $MFTMirr   A partial copy of the MFT. Serves as a backup to the MFT in case of a single-sector failure.
2        $LogFile   Contains the transaction log of file system metadata changes.
3        $Volume    Contains information about the volume.
4        $AttrDef   A table of MFT attributes which associates numeric identifiers with names.
5        .          Root directory.
6        $Bitmap    Array of bit entries, indicating whether a cluster is free or not.
7        $Boot      Volume boot record.
8        $BadClus   A file which contains all clusters marked as having bad sectors.
9        $Secure    Access control lists. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

File creation:
- The bitmap file in the MFT is updated.
- An index entry is created to point to the file.

File deletion:
- The bitmap file is changed.
- The file remains on disk until overwritten.
- This allows for reconstruction.

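An added example (not from the slides) that parses one 1 KB FILE record from the MFT: it applies the update sequence fixups, reads the in-use flag that deletion clears, and pulls out every $FILE_NAME and resident $DATA attribute, which is also how the alternate data streams mentioned earlier show up (a $DATA attribute that carries a name). The sample record is constructed in the block itself; its record number, stream names and contents are invented for the demo.

```python
import struct
# Attribute type codes from $AttrDef (MFT entry 4) and FILE record header flags.
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01        # cleared on deletion; the record itself stays on disk until reused
FLAG_DIRECTORY = 0x02
SECTOR = 512
RECORD_SIZE = 1024        # the 1 KB record limit named on the slide


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update sequence array: NTFS overwrites the last two bytes of every
    sector with the update sequence number and keeps the originals in the array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or not a record")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_record(rec: bytes) -> dict:
    """Parse one FILE record: header flags, every $FILE_NAME, and every resident
    $DATA stream (the unnamed stream is the file body; a named one is an ADS)."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 16)
    info = {"record": struct.unpack_from("<I", rec, 44)[0],   # record number (NTFS 3.1+)
            "sequence": seq, "links": links, "used": used, "allocated": alloc,
            "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
            "names": [], "streams": {}}
    off = attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if non_resident:
            if atype == ATTR_DATA:
                info["streams"][name] = None      # body lives in clusters (data runs)
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_FILE_NAME:           # name length at byte 64, name at byte 66
                info["names"].append(content[66:66 + 2 * content[64]].decode("utf-16-le"))
            elif atype == ATTR_DATA:
                info["streams"][name] = content
        off += alen
    return info


def recover(rec: bytes) -> dict:
    """Examiner view: a record with the in-use flag clear is a deleted file whose
    name and resident data are still on disk and can be reconstructed."""
    info = parse_record(rec)
    info["ads"] = [n for n in info["streams"] if n]
    info["status"] = "in use" if info["in_use"] else "deleted, recoverable"
    return info


# --- constructed sample record (built here for the demo, not bytes from a real volume) ---
def _attr(atype: int, content: bytes, name: str = "") -> bytes:
    name_b = name.encode("utf-16-le")
    content_off = (24 + len(name_b) + 7) & ~7
    total = (content_off + len(content) + 7) & ~7
    body = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 24, 0, 0,
                       len(content), content_off, 0, 0) + name_b
    body += b"\0" * (content_off - len(body)) + content
    return body + b"\0" * (total - len(body))


def build_record(record_no: int, name: str, streams: dict, in_use: bool = True) -> bytes:
    fn = struct.pack("<Q4Q2QIIBB", (5 << 48) | 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1)
    attrs = _attr(ATTR_FILE_NAME, fn + name.encode("utf-16-le"))
    for sname, data in streams.items():
        attrs += _attr(ATTR_DATA, data, sname)
    attrs += struct.pack("<I", ATTR_END) + b"\0" * 4
    usa_off, usa_count, attr_off = 48, 3, 56
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, attr_off,
                      FLAG_IN_USE if in_use else 0, attr_off + len(attrs), RECORD_SIZE,
                      0, 0, 0, record_no)
    rec = bytearray(hdr + b"\0" * (attr_off - len(hdr)) + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    rec[usa_off:usa_off + 2] = b"\x01\x00"            # update sequence number
    for i in range(1, usa_count):                     # write the fixups like NTFS does
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)


# A deleted file that still carries its name, its body and an ADS named "hidden".
SAMPLE = build_record(42, "notes.txt", {"": b"meeting at 9", "hidden": b"second stream"}, in_use=False)
```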
- $BadClus can be used to store hidden data.
- A user writes information into the good section of a bad cluster.
- A user marks a good cluster as bad.

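An added example (not from the slides) of the examiner's side of the $BadClus trick: decode the data runs of the $Bad stream to learn which clusters are marked bad, confirm they are allocated in $Bitmap, and flag any that still hold non-zero content. The 32-cluster volume image, its bitmap and the runlist are constructed inside the block, with a toy cluster size of 16 bytes.

```python
# $BadClus is MFT entry 8; its $Bad stream is a sparse file spanning the whole
# volume whose only allocated runs are the clusters marked bad.

def decode_runlist(runs: bytes) -> list:
    """Decode an NTFS data-run list into (lcn, length) pairs. Each run starts with
    a header byte: low nibble = size of the length field, high nibble = size of
    the signed offset field, relative to the previous run. Offset size 0 marks a
    sparse run, which is how $Bad skips the healthy clusters."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            out.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        out.append((lcn, length))
    return out


def cluster_allocated(bitmap: bytes, lcn: int) -> bool:
    """$Bitmap (MFT entry 6): one bit per cluster, least significant bit first."""
    return bool(bitmap[lcn >> 3] >> (lcn & 7) & 1)


def audit_bad_clusters(bad_runs: bytes, bitmap: bytes, image: bytes, cluster_size: int) -> dict:
    """Examiner check for the hiding technique on the slide: every cluster that
    $BadClus claims should be allocated in $Bitmap (NTFS owns it), and a "bad"
    cluster that still holds non-zero content deserves a closer look."""
    findings = {"bad_clusters": [], "non_zero": [], "not_allocated": []}
    for lcn, length in decode_runlist(bad_runs):
        if lcn is None:
            continue
        for c in range(lcn, lcn + length):
            findings["bad_clusters"].append(c)
            if not cluster_allocated(bitmap, c):
                findings["not_allocated"].append(c)
            if any(image[c * cluster_size:(c + 1) * cluster_size]):
                findings["non_zero"].append(c)
    return findings


def carve_cluster(image: bytes, lcn: int, cluster_size: int) -> bytes:
    """Pull the raw bytes of one cluster for inspection, trailing zeros removed."""
    return image[lcn * cluster_size:(lcn + 1) * cluster_size].rstrip(b"\0")


# --- constructed toy volume: 32 clusters of 16 bytes (real volumes use 4096) ---
CLUSTER = 16
VOLUME_CLUSTERS = 32
# $Bad runlist: sparse 16, 1 cluster at LCN 0x10, sparse 4, 2 clusters at LCN 0x15
# (delta +5 from the previous run), sparse 9 to the end of the volume, terminator.
BAD_RUNS = b"\x01\x10" b"\x11\x01\x10" b"\x01\x04" b"\x11\x02\x05" b"\x01\x09" b"\x00"


def build_sample() -> tuple:
    bitmap = bytearray(VOLUME_CLUSTERS // 8)
    for c in (0x10, 0x15, 0x16):                 # the "bad" clusters are allocated
        bitmap[c >> 3] |= 1 << (c & 7)
    image = bytearray(VOLUME_CLUSTERS * CLUSTER)
    image[0x15 * CLUSTER:0x15 * CLUSTER + 11] = b"hidden text"   # planted in a "bad" cluster
    return bytes(bitmap), bytes(image)


if __name__ == "__main__":
    bm, img = build_sample()
    f = audit_bad_clusters(BAD_RUNS, bm, img, CLUSTER)
    for c in f["non_zero"]:
        print(f"cluster {c:#x} marked bad but holds {carve_cluster(img, c, CLUSTER)!r}")
```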
Segment  Filename          Purpose
number
10       $UpCase           A table of Unicode uppercase characters for ensuring case insensitivity in Win32 and DOS namespaces.
11       $Extend           A file system directory containing various optional extensions, such as $Quota, $ObjId, $Reparse or $UsnJrnl.
12-23                      Reserved for $MFT extension entries.
24       $Extend\$Quota    Holds disk quota information. Contains two index roots, named $O and $Q.
25       $Extend\$ObjId    Holds distributed link tracking information. Contains an index root and allocation named $O.
26       $Extend\$Reparse  Holds reparse point data (such as symbolic links). Contains an index root and allocation named $R.
27       file.ext          Beginning of regular file entries.

- Could be used maliciously:
  - Steal information
  - Spy

What are two ways to uncover hidden or deleted data or illegal action on an NTFS computer?

1) Registry entries: contain settings and changes in hardware and software which can show illegal activity.
2) VSS: keeps historical versions of activities, so it can be used to create a temporal reconstruction.
3) MFT: stores the metadata for changes, and a file is only lost once another file is written over it. It can be reconstructed by going to the space where the file was stored.
4) Look in bad clusters for hidden data.



Editor's Notes

  1. http://books.google.com/books?hl=en&lr=&id=xoZn5tJJ4gkC&oi=fnd&pg=PR3&dq=computer+forensics&ots=LCvAeaoKim&sig=WNaEwufz7KS7fUjnubWSytXrpjs#v=onepage&q=CD&f=false