This is about NTFS Forensics

2. IDEA Objective: Gaining Factual Knowledge
(Terminology, Classification, Methods, Trends)
IDEA Objective: Learning to apply course materials
(to improve thinking, problem solving, and decisions)

3.  NTFS offers what FAT does not:
› Performance
› Reliability
› Compatibility
› Provides more information and control about/on a file
 NTFS was Microsoft’s move toward a journaling
file system
 It was designed to quickly perform standard file
operations as:
› Reading
› Writing
› Searching
› ...and File system recovery on very large hard disks

4.  FAT will still exist in mobile and small storage
devices, but NTFS more likely for Windows
 NTFS is more complex and more scalable
 FAT retrieves a file by searching the chain of
allocation units directory entries, NTFS finds
files more directly
 Less Slack Space!

5.  Designed by Microsoft and is the default file
system for:
› Windows NT
› Windows XP, Vista, 7, 8, 10, and 11

6.  The first information on the volume is the
Partition Boot Sector which starts at Sector 0
and can be up to 16 sectors long
 The first file on an NTFS volume is a Master
File Table (MFT)
› The MFT holds information about all files and
folders on the volume

7. Partition
Boot Sector
Master File Table File Area
Boot Sector: gives the starting location of the MFT, cluster size, size of each
MFT entry (usually 1024 bytes)
Master File Table: is basically a relational database table in which
information (attributes) for each file or directory is represented by a record in
the MFT. There are also System Files used by file system to store metadata
and implement the file system

10.  In the NTFS MFT
› All files and folders are stored in separate
records of 1024 bytes each
 Each record contains file or folder
information
› This information is divided into record fields
containing metadata
 A record field is referred to as an attribute
ID

12.  When a file is deleted:
› The name is removed from the parent directory index
› The MFT entry is unallocated
› Clusters are unallocated
 Problem: when filename is removed from parent
directory, the index is resorted and name information
could be lost
› However, MFT entries are found in one table, so all unallocated
entries can be found
› And each entry has the $FILE_NAME attribute with the file
reference address of the parent directory, so when an
unallocated entry is found, its entire path can be determined
 To recover all deleted files in NTFS, examine MFT for
unallocated entries and determine name using
$FILE_NAME attribute and parent directory file
reference

13.  Alternate Data streams
› Ways data can be appended to existing files
› Can obscure valuable evidentiary data, intentionally
or by coincidence
 In NTFS, a data stream becomes an additional
file attribute
› Allows the file to be associated with different
applications
 You can only tell whether a file has a data
stream attached by examining that file’s MFT
entry