NTFS forensics

null Mumbai Meet - January 2012

  1. NTFS Forensics
     Yogesh Khatri, yogesh@swiftforensics.com
  2. NTFS Trivia
     • Introduced in 1993 for Win NT 3.1
     • Default file system for NT-based OS (Win NT, 2K, 2K3, XP, ...)
     • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points, ...
  3. Why NTFS forensics?
     • To understand its format and inner workings
     • To devise effective file recovery strategies for deleted / lost data
     • To find forensically useful artifacts like
       • Existence of hidden timestamps
       • Logs
       • Deleted / leftover metadata
  4. NTFS Basics
     • Everything is a file, even the core file system internals
     • The internal files are always hidden from user view
     (Figure: hidden files and folders in NTFS)
  5. Hidden Internal Files
     Filename    Description
     $MFT        Master File Table
     $MFTMirr    Backup of first 4 records of MFT
     $LogFile    Transaction log file
     $Volume     Volume related information, usually empty
     $AttrDef    Table listing MFT attribute names and numbers
     .           Root folder on NTFS
     $Bitmap     Map showing which clusters on volume are in use
     $Boot       Boot code used during bootstrap
     $BadClus    Map of bad clusters
     $Secure     Security descriptors and ACLs are listed here
     $Upcase     Keeps all lowercase to uppercase character mappings
     $Extend     Optional extensions listed here (this is a folder)
  6. Physical Layout of NTFS Volume
     (Diagram: $Boot at logical sector 0 (cluster 0) holds the boot manager; the internal files ($MFT, $Bitmap, ...) usually start at cluster 2. Legend: allocated cluster / free cluster)
  7. Master File Table - $MFT
     • Consists of 1024 byte records
     • Has an entry for every file and folder, including itself
     • Records can be identified by the header "FILE"
     • A record consists of a header and attributes
       • All metadata is stored in attributes
       • Common attributes:
         • $Standard_Information
         • $File_Name
         • $Data
  8. Reading an MFT Entry
     (Figure)
  9. Understanding File Storage
     MFT entry for "Hello.txt" in $MFT, $DATA attribute data runs:
       Start Cluster   Length
       52              3
       72              2
     (Illustration: NTFS concept of data runs, shown as a cluster view of the NTFS volume. Legend: allocated cluster / free cluster)
  10. Timestamps on NTFS
     • 64 bit timestamp
       • Number of 100 nanosecond intervals since 1st January 1601
       • 1 second = 0x989680
     • 4 timestamps
       • Created
       • Modified
       • Accessed
       • MFT Entry Modified - ?
  11. Concept of Initialized Data
     • NTFS has 3 size fields for each file
       • Logical
       • Initialized
       • Physical
     (Figure: file 'Properties' snippet beside a file 'on disk' view, labelled Logical Size, Initialized Size and Physical Size)
  12. Alternate Data Stream
     • Every file has a single $Data stream, but NTFS allows multiple data streams
     • A place to store (hide) data, which is not displayed by Windows Explorer or the command line 'dir' view
     • Intended to store extra file metadata
       • Used by IE, Outlook Express, AV programs
     • Exploited by malware to hide malicious tools
  13. Alternate Data Streams Demonstration
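Added example, not part of the deck: a Python parser for one 1024-byte FILE record that ties slides 7, 8, 10 and 12 together. It checks the "FILE" signature, undoes the update sequence fixups (the last two bytes of each 512-byte sector are replaced by the update sequence number on disk, so a parser that skips this step reads two corrupt bytes per sector), walks the attribute list, converts the four $STANDARD_INFORMATION timestamps from 100 ns intervals since 1601, and reports every named $DATA attribute, which is how an alternate data stream shows up in the MFT. The record it parses is constructed by build_record: the record number 42, the stream name "secret", its contents and the timestamps are invented sample values. Against a real $MFT you would call parse_record on each 1024-byte slice.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 0x989680          # 10,000,000 hundred-nanosecond intervals per second
SECTOR = 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}


def filetime_to_datetime(ft):
    """64-bit count of 100 ns intervals since 1601-01-01 -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def resident_attr(attr_type, content, name=""):
    """Build one resident attribute: 24-byte header, optional UTF-16 name, 8-byte aligned content."""
    name_bytes = name.encode("utf-16-le")
    content_off = (0x18 + len(name_bytes) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, len(name), 0x18, 0, 0,
                      len(content), content_off, 0, 0)
    body = hdr + name_bytes
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (length - len(body))


def build_record(record_number, usn=0x0007):
    """Constructed FILE record (sample values): $STANDARD_INFORMATION, an unnamed $DATA
    and a named $DATA stream called 'secret', i.e. an alternate data stream."""
    created = datetime_to_filetime(datetime(2012, 1, 14, 10, 30, tzinfo=timezone.utc))
    modified = created + 5 * TICKS_PER_SECOND
    std_info = struct.pack("<QQQQIIII", created, modified, modified, created, 0x20, 0, 0, 0)
    attrs = (resident_attr(0x10, std_info)
             + resident_attr(0x80, b"Hello, world!\n")
             + resident_attr(0x80, b"hidden payload", name="secret")
             + b"\xff\xff\xff\xff" + b"\x00" * 4)         # end-of-attributes marker
    first_attr = 0x38
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, first_attr, 0x01,
                                   first_attr + len(attrs), 1024, 0, 4, 0, record_number)
    rec = bytearray(header + b"\x00" * 8 + attrs)        # 8 bytes reserved for the update sequence array
    rec += b"\x00" * (1024 - len(rec))
    # Update sequence array = USN followed by the original last word of each sector;
    # NTFS then overwrites those last words with the USN so torn writes can be detected.
    originals = bytes(rec[SECTOR - 2:SECTOR]) + bytes(rec[2 * SECTOR - 2:2 * SECTOR])
    rec[0x30:0x36] = struct.pack("<H", usn) + originals
    for i in (1, 2):
        rec[i * SECTOR - 2:i * SECTOR] = struct.pack("<H", usn)
    return bytes(rec)


def apply_fixups(record):
    """Restore the sector trailers from the update sequence array; raise on a mismatch."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record):
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    record = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    info = {"record_number": struct.unpack_from("<I", record, 0x2C)[0],
            "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
            "attributes": [], "timestamps": {}, "ads": []}
    off = first_attr
    while off + 8 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == 0xFFFFFFFF or length == 0:
            break
        non_resident, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        info["attributes"].append((ATTR_NAMES.get(attr_type, hex(attr_type)), name, bool(non_resident)))
        if not non_resident:
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
            if attr_type == 0x10:                         # the four timestamps, in this order
                c, m, e, a = struct.unpack_from("<QQQQ", content, 0)
                info["timestamps"] = {"created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
                                      "mft_modified": filetime_to_datetime(e), "accessed": filetime_to_datetime(a)}
            elif attr_type == 0x80 and name:              # a named $DATA attribute is an ADS
                info["ads"].append((name, content))
        off += length
    return info


if __name__ == "__main__":
    for key, value in parse_record(build_record(42)).items():
        print(f"{key}: {value}")
```

Only resident attributes are decoded here; a non-resident $DATA attribute carries data runs instead of content, and the same attribute-walk loop is where those would be read.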
  14. USN Journal - USNJRNL
     • USN = Update Sequence Number
     • As files, directories, and other NTFS file system objects are added, deleted or modified, the NTFS file system makes entries here
       • $UsnJrnl:$J
     • This is a system management feature used for recovering quickly from a computer or volume failure
  15. $UsnJrnl:$J record
     (Figure: annotated record showing the Record Length, TimeStamp, Reason, FileAttributes and File name fields)
  16. USNJRNL Record Format
     (Figure)
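Added example, not from the deck: a Python walker for the $UsnJrnl:$J stream using the USN_RECORD_V2 layout (record length, version, file and parent references, USN, timestamp, reason, source info, security id, file attributes, name length and offset, then the UTF-16 name). It skips the zero-filled gaps the sparse $J stream contains, splits each 64-bit file reference into MFT record number and sequence number, and expands the reason bitmask into the USN_REASON_* names. The journal fragment is constructed by build_sample_journal: the file name, record numbers and times are invented sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_REASON_* bits as defined in the Windows SDK (winioctl.h)
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
KNOWN_REASON_MASK = sum(USN_REASONS.keys())
CLOSE = 0x80000000


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def describe_reason(reason):
    names = [name for bit, name in USN_REASONS.items() if reason & bit]
    unknown = reason & ~KNOWN_REASON_MASK & 0xFFFFFFFF
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def split_reference(ref):
    """File reference = 48-bit MFT record number + 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def build_usn_record(usn, file_ref, parent_ref, when, reason, attributes, name):
    """Serialise one USN_RECORD_V2; records are padded to an 8-byte boundary."""
    name_bytes = name.encode("utf-16-le")
    length = (0x3C + len(name_bytes) + 7) & ~7
    hdr = struct.pack("<IHHQQQQIIIIHH", length, 2, 0, file_ref, parent_ref, usn,
                      datetime_to_filetime(when), reason, 0, 0, attributes, len(name_bytes), 0x3C)
    return hdr + name_bytes + b"\x00" * (length - 0x3C - len(name_bytes))


def build_sample_journal():
    """Constructed $J fragment (sample values): a file is created, an alternate data
    stream on it is written, then the file is deleted; a 16-byte zero gap sits after
    the first record, as the sparse $J stream has. The USN is the record's byte offset."""
    t0 = datetime(2012, 1, 14, 10, 31, tzinfo=timezone.utc)
    file_ref, parent_ref = (7 << 48) | 1234, (1 << 48) | 5
    buf = b""
    buf += build_usn_record(len(buf), file_ref, parent_ref, t0, 0x100 | CLOSE, 0x20, "report.docx")
    buf += b"\x00" * 16
    buf += build_usn_record(len(buf), file_ref, parent_ref, t0 + timedelta(seconds=30),
                            0x20 | CLOSE, 0x20, "report.docx")
    buf += build_usn_record(len(buf), file_ref, parent_ref, t0 + timedelta(minutes=2),
                            0x200 | CLOSE, 0x20, "report.docx")
    return buf


def parse_usn_journal(buf):
    records, off = [], 0
    while off + 4 <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:
            off += 8                  # zero fill: step 8 bytes, the record alignment
            continue
        if length < 0x3C or length % 8 or off + length > len(buf):
            raise ValueError(f"implausible record length {length} at offset {off}")
        major, minor = struct.unpack_from("<HH", buf, off + 4)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor} at offset {off}")
        (file_ref, parent_ref, usn, ts, reason, source, sec_id,
         attrs, name_len, name_off) = struct.unpack_from("<QQQQIIIIHH", buf, off + 8)
        if name_off + name_len > length:
            raise ValueError(f"file name overruns record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        rec_no, seq = split_reference(file_ref)
        records.append({"usn": usn, "timestamp": filetime_to_datetime(ts), "mft_record": rec_no,
                        "sequence": seq, "parent_record": split_reference(parent_ref)[0],
                        "name": name, "reasons": describe_reason(reason), "attributes": attrs})
        off += length
    return records


if __name__ == "__main__":
    for r in parse_usn_journal(build_sample_journal()):
        print(f"{r['timestamp']:%Y-%m-%d %H:%M:%S} USN={r['usn']:<6} MFT#{r['mft_record']} "
              f"{r['name']}: {', '.join(r['reasons'])}")
```

The NAMED_DATA_* reasons are the journal's record of writes to an alternate data stream, so a timeline built this way shows ADS activity that a directory listing never would, even after the file is gone.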
  17. INDX Records
     • NTFS indexes directory metadata and stores it in a B+ tree
     (Figure: Explorer view beside a hex view of the INDX directory structure)
  18. INDX Records
     • This indexed data is stored in $I30 attributes in the MFT
       Attribute ID   Description         Name
       0x90           $INDEX_ROOT         $I30
       0xA0           $INDEX_ALLOCATION   $I30
       0xB0           $BITMAP             $I30
     • Non-resident vs. resident
       • "INDX" header if non-resident
     • Forensic value?
       • Find deleted file metadata (MACE times, file name, logical & physical size, etc.)
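Added example, not from the deck, for the forensic value described on slide 18: a Python model of one INDX block from a $INDEX_ALLOCATION attribute. Each index entry carries a file reference, its length and flags, then a full $FILE_NAME body (parent reference, the four timestamps, allocated and real size, name). live_entries walks the list the way NTFS does, by entry length until the last-entry flag; delete_entry simulates what happens when a file is removed (the entries after it slide up and the header's total size shrinks, but the vacated bytes are not zeroed); carve_slack then scans the space between the live list and the allocated end for $FILE_NAME bodies with plausible timestamps and namespace, which is how a deleted file's name and MACE times are recovered. The block and its two files are constructed in build_sample (sample names, sizes and times); update sequence fixups are deliberately not modelled, so a real INDX block must have them applied first. The 1990..2100 timestamp window is a heuristic chosen for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LAST_ENTRY = 0x02                     # index entry flag: end of the entry list


def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


# Plausibility window for carved timestamps (heuristic for this example, not an NTFS rule)
FT_MIN = to_filetime(datetime(1990, 1, 1, tzinfo=timezone.utc))
FT_MAX = to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))


def file_name_attr(parent_rec, name, when, size):
    """$FILE_NAME body: parent ref, 4 timestamps, allocated/real size, flags, name (namespace 3)."""
    ft = to_filetime(when)
    return (struct.pack("<QQQQQQQIIBB", parent_rec, ft, ft, ft, ft, size, size, 0x20, 0, len(name), 3)
            + name.encode("utf-16-le"))


def index_entry(mft_rec, fn):
    """Index entry: file ref, entry length, $FILE_NAME length, flags, then the $FILE_NAME body."""
    length = (0x10 + len(fn) + 7) & ~7
    return struct.pack("<QHHI", mft_rec, length, len(fn), 0) + fn + b"\x00" * (length - 0x10 - len(fn))


def build_indx_block(entries, block_size=4096):
    """INDX block: 'INDX', USA offset/size, LSN, VCN, then the index header (sizes relative to 0x18).
    The update sequence array region (0x28..0x40) is left zero: fixups are not modelled here."""
    body = b"".join(entries) + struct.pack("<QHHI", 0, 0x10, 0, LAST_ENTRY)
    total, alloc = 0x28 + len(body), block_size - 0x18
    hdr = b"INDX" + struct.pack("<HHQQ", 0x28, 9, 0, 0) + struct.pack("<IIIB3x", 0x28, total, alloc, 0)
    block = bytearray(hdr + b"\x00" * (0x40 - len(hdr)) + body)
    block += b"\x00" * (block_size - len(block))
    return block


def entry_name(block, off):
    n = block[off + 0x10 + 0x40]
    return bytes(block[off + 0x52:off + 0x52 + 2 * n]).decode("utf-16-le")


def live_entries(block):
    """Walk the entry list by length until the last-entry flag: (record number, name, modified)."""
    entries_off, total = struct.unpack_from("<II", block, 0x18)
    off, end, out = 0x18 + entries_off, 0x18 + total, []
    while off + 0x10 <= end:
        ref, length, fn_len, flags = struct.unpack_from("<QHHI", block, off)
        if flags & LAST_ENTRY:
            break
        if length < 0x10 or off + length > end:
            raise ValueError(f"corrupt entry length {length} at offset {off}")
        modified = struct.unpack_from("<Q", block, off + 0x10 + 0x10)[0]
        out.append((ref & 0xFFFFFFFFFFFF, entry_name(block, off), from_filetime(modified)))
        off += length
    return out


def delete_entry(block, name):
    """Simulate deletion: later entries slide up, total size shrinks, vacated bytes remain as slack."""
    entries_off, total = struct.unpack_from("<II", block, 0x18)
    off, end = 0x18 + entries_off, 0x18 + total
    while off + 0x10 <= end:
        length, _, flags = struct.unpack_from("<HHI", block, off + 8)
        if flags & LAST_ENTRY:
            return False
        if entry_name(block, off) == name:
            block[off:end - length] = block[off + length:end]
            struct.pack_into("<I", block, 0x1C, total - length)
            return True
        off += length
    return False


def carve_slack(block, dir_record=None):
    """Find $FILE_NAME bodies in the slack between the live list and the allocated end."""
    entries_off, total, alloc = struct.unpack_from("<III", block, 0x18)
    lo, hi, found = 0x18 + total, min(0x18 + alloc, len(block)), []
    for off in range(lo, hi - 0x42, 8):
        name_len, namespace = block[off + 0x40], block[off + 0x41]
        if not (1 <= name_len <= 255 and namespace <= 3 and off + 0x42 + 2 * name_len <= hi):
            continue
        parent, *times = struct.unpack_from("<QQQQQ", block, off)
        if not all(FT_MIN <= t <= FT_MAX for t in times):
            continue
        if dir_record is not None and (parent & 0xFFFFFFFFFFFF) != dir_record:
            continue
        try:
            name = bytes(block[off + 0x42:off + 0x42 + 2 * name_len]).decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            found.append({"name": name, "modified": from_filetime(times[1]), "offset": off})
    return found


def build_sample():
    """Constructed directory (MFT record 5) holding two files; names, sizes and times are invented."""
    when = datetime(2012, 1, 12, 17, 45, tzinfo=timezone.utc)
    a = index_entry(70, file_name_attr(5, "budget.xlsx", when - timedelta(days=2), 8192))
    b = index_entry(71, file_name_attr(5, "secret-plan.docx", when, 4096))
    return build_indx_block([a, b]), 5


if __name__ == "__main__":
    block, dir_rec = build_sample()
    delete_entry(block, "secret-plan.docx")
    print("live:", [e[1] for e in live_entries(block)])
    print("carved from slack:", carve_slack(block, dir_record=dir_rec))
```

Note why carving looks for the $FILE_NAME body rather than the entry header: when the later entries slide up, the deleted entry's first 16 bytes (file reference, length, flags) are overwritten, but its $FILE_NAME body, timestamps included, survives intact at its old position.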
  19. $LogFile
     • Contains information used by NTFS for faster recoverability
     • Used to restore metadata consistency to NTFS after a system failure
     • Format not reverse engineered completely
     • It is common to find INDX records, MFT records and LNK records here
  20. File Recovery on NTFS
     (Flowchart)
     • Search unallocated space for $MFT entries (records start with the "FILE" header)
     • Get the data runs from the $MFT entry (e.g. Start Cluster = 54, Number of Clusters = 10)
     • Read the data from disk
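Added example, not from the deck, covering the data run illustration on slide 9 and the recovery steps on slide 20. NTFS stores a non-resident $DATA attribute's location as a run list: each run begins with a header byte whose low nibble is the size of the following cluster-count field and whose high nibble is the size of the following start-cluster field; the start is a signed offset from the previous run's start, a zero-size start field marks a sparse run, and a zero header byte ends the list. The slide's runs (start 52 length 3, start 72 length 2) encode as 11 03 34 11 02 14 00. The Python below decodes and encodes run lists, handles sparse and backward runs, then reassembles a file from a constructed toy volume (16-byte clusters, a 74-byte "Hello.txt" written to the slide's clusters) and truncates the result to the logical size so cluster slack is not returned as file content. The volume, its contents and the cluster size are invented sample values.

```python
CLUSTER_SIZE = 16           # constructed toy volume; real NTFS volumes commonly use 4096-byte clusters
VOLUME_CLUSTERS = 128
SLIDE_RUNS = [(52, 3), (72, 2)]            # (start LCN, cluster count) pairs from slide 9
# Constructed contents of "Hello.txt": 74 bytes, so 5 clusters are allocated and the last is partial
SAMPLE_CONTENT = b"The quick brown fox jumps over the lazy dog. Recovered via NTFS data runs."


def decode_data_runs(raw):
    """Decode an NTFS run list into (start LCN or None for sparse, cluster count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0:
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_size == 0 or len_size > 8 or off_size > 8 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))           # sparse run: no clusters on disk
        else:
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            if lcn < 0:
                raise ValueError("run list walks to a negative cluster number")
            runs.append((lcn, length))
    return runs


def encode_data_runs(runs):
    """Inverse of decode_data_runs: smallest field sizes, signed relative offsets, 0x00 terminator."""
    out, prev = bytearray(), 0
    for lcn, length in runs:
        len_bytes = max(1, (length.bit_length() + 7) // 8)
        if lcn is None:
            out.append(len_bytes)                 # offset-size nibble 0 marks a sparse run
            out += length.to_bytes(len_bytes, "little")
            continue
        delta, off_bytes = lcn - prev, 1
        while not -(1 << (8 * off_bytes - 1)) <= delta < (1 << (8 * off_bytes - 1)):
            off_bytes += 1
        out.append((off_bytes << 4) | len_bytes)
        out += length.to_bytes(len_bytes, "little")
        out += delta.to_bytes(off_bytes, "little", signed=True)
        prev = lcn
    out.append(0)
    return bytes(out)


def write_runs(volume, runs, data):
    """Lay file data into the volume cluster by cluster, following the run list."""
    padded = data + b"\x00" * (-len(data) % CLUSTER_SIZE)
    pos = 0
    for lcn, length in runs:
        chunk = padded[pos:pos + length * CLUSTER_SIZE]
        pos += length * CLUSTER_SIZE
        if lcn is not None:
            start = lcn * CLUSTER_SIZE
            volume[start:start + len(chunk)] = chunk


def build_toy_volume():
    """Constructed volume with the sample file stored at the slide's clusters."""
    volume = bytearray(CLUSTER_SIZE * VOLUME_CLUSTERS)
    write_runs(volume, SLIDE_RUNS, SAMPLE_CONTENT)
    return volume


def recover_file(volume, runs, logical_size):
    """Step 3 of the slide: read every run from the volume, zero-fill sparse runs,
    and cut the result at the logical size so allocated slack is not returned."""
    out = bytearray()
    for lcn, length in runs:
        if lcn is None:
            out += b"\x00" * (length * CLUSTER_SIZE)
            continue
        start = lcn * CLUSTER_SIZE
        if start + length * CLUSTER_SIZE > len(volume):
            raise ValueError(f"run at LCN {lcn} points past the end of the volume")
        out += volume[start:start + length * CLUSTER_SIZE]
    return bytes(out[:logical_size])


if __name__ == "__main__":
    encoded = encode_data_runs(SLIDE_RUNS)
    print("run list bytes:", encoded.hex(" "))
    recovered = recover_file(build_toy_volume(), decode_data_runs(encoded), len(SAMPLE_CONTENT))
    print("recovered:", recovered.decode())
```

Whether a carved MFT entry's runs still point at the file's data depends on whether those clusters have been reused since the deletion; checking them against $Bitmap (and against the sizes recorded in the entry) before trusting the recovered bytes is the usual sanity check.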
  21. Questions
     • More forensic stuff on my blog - www.swiftforensics.com
     • Email me at yogesh@swiftforensics.com
     • Thanks
  22. References
     • Books
       • File System Forensic Analysis - Brian Carrier
     • Online resources
       • MSDN