SlideShare a Scribd company logo

NTFS

A
ArthyR3

Cyber Forensics - Unit IV

Engineering
1 of 6
Download to read offline
DEPARTMENT OF INFORMATION TECHNOLOGY Subject Code : CS6004 Staff Name : R. Arthy, AP/IT Subject Name: Cyber Forensics Class : IV IT NT FILE SYSTEM (NTFS) NTFS Disks  NT File System (NTFS) o Introduced with Windows NT o Primary file system for Windows 8  Improvements over FAT file systems o NTFS provides more information about a file o NTFS gives more control over files and folders  NTFS was Microsoft’s move toward a journaling file system o It records a transaction before the system carries it out  In NTFS, everything written to the disk is considered a file  On an NTFS disk o First data set is the Partition Boot Sector o Next is Master File Table (MFT)  NTFS results in much less file slack space  Clusters are smaller for smaller disk drives  NTFS also uses Unicode o An international data format
NTFS System Files  MFT contains information about all files on the disk o Including the system files the OS uses  In the MFT, the first 15 records are reserved for system files o Records in the MFT are called metadata MFT and File Attributes  In the NTFS MFT o All files and folders are stored in separate records of 1024 bytes each  Each record contains file or folder information o This information is divided into record fields containing metadata  A record field is referred to as an attribute ID  File or folder information is typically stored in one of two ways in an MFT record: o Fields in Resident file format  All MFT records start with Field
 Start of attribute 0x10  Length of attribute 0x10 (value 60)  Start of attribute 0x30  Length of attribute 0x30 (value 70)  Start of attribute 0x40  Length of attribute 0x40 (value 28)  Start of attribute 0x80  Length of attribute 0x80 (value 70)  Attribute 0x80 resident flag  Starting position of resident data o Data for a nonresident file - Attribute 0x30 o Fields in Nonresident file format  Start of nonresident attribute 0x80  Length of nonresident attribute 0x80  Attribute 0x80 nonresident flag  Starting point of data run  End-of-record marker (FF FF FF FF) for the MFT record o Data for a nonresident file - Attribute 0x80  Files larger than 512 bytes are stored outside the MFT o MFT record provides cluster addresses where the file is stored on the drive’s partition  Referred to as data runs
 Each MFT record starts with a header identifying it as a resident or nonresident attribute  When a disk is created as an NTFS file structure o OS assigns logical clusters to the entire disk partition  These assigned clusters are called logical cluster numbers (LCNs)
o Become the addresses that allow the MFT to link to nonresident files on the disk’s partition  When data is first written to nonresident files, an LCN address is assigned to the file o This LCN becomes the file’s virtual cluster number (VCN) MFT Structures for File Data  For the header of all MFT records, the record fields of interest are as follows: o At offset 0x00 - the MFT record identifier FILE o At offset 0x1C to 0x1F - size of the MFT record o At offset 0x14 - length of the header (indicates where the next attribute starts) o At offset 0x32 and 0x33 - the update sequence array, which stores the last 2 bytes of the first sector of the MFT record NTFS Alternate Data Streams  Alternate data streams o Ways data can be appended to existing files o Can obscure valuable evidentiary data, intentionally or by coincidence  In NTFS, an alternate data stream becomes an additional file attribute o Allows the file to be associated with different applications  You can only tell whether a file has a data stream attached by examining that file’s MFT entry NTFS Compressed Files  NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)  Under NTFS, files, folders, or entire volumes can be compressed  Most computer forensics tools can uncompress and analyze compressed Windows data
NTFS Encrypting File System (EFS)  Encrypting File System (EFS) o Introduced with Windows 2000 o Implements a public key and private key method of encrypting files, folders, or disk volumes  When EFS is used in Windows 2000 and later o A recovery certificate is generated and sent to the local Windows administrator account  Users can apply EFS to files stored on their local workstations or a remote server EFS Recovery Key Agent  Recovery Key Agent implements the recovery certificate o Which is in the Windows administrator account  Windows administrators can recover a key in two ways: through Windows or from an MS-DOS command prompt  MS-DOS commands o cipher o copy o efsrecvr (used to decrypt EFS files) Deleting NTFS Files  When a file is deleted in Windows NT and later o The OS renames it and moves it to the Recycle Bin  Can use the Del (delete) MS-DOS command o Eliminates the file from the MFT listing in the same way FAT does Resilient File System  Resilient File System (ReFS) - designed to address very large data storage needs o Such as the cloud  Features incorporated into ReFS’s design: o Maximized data availability o Improved data integrity o Designed for scalability  ReFS uses disk structures similar to the MFT in NTFS

Recommended

Fat File Systems
Fat File SystemsFat File Systems
Fat File SystemsArthyR3
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file systemkeshav546
 
Windows 7
Windows 7Windows 7
Windows 7Mumbere Joab
 
File System and File allocation tables
File System and File allocation tablesFile System and File allocation tables
File System and File allocation tablesshashikant pabari
 
Fat and ntfs
Fat and ntfsFat and ntfs
Fat and ntfsLucky Ali
 
File Systems
File SystemsFile Systems
File Systemskendersec
 
How to convert file system without data loss
How to convert file system without data lossHow to convert file system without data loss
How to convert file system without data lossLisa Liao
 
File and fat 2
File and fat 2File and fat 2
File and fat 2Vimal Madhale
 

Recommended

Fat File Systems
Fat File SystemsFat File Systems
Fat File SystemsArthyR3
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file systemkeshav546
 
Windows 7
Windows 7Windows 7
Windows 7Mumbere Joab
 
File System and File allocation tables
File System and File allocation tablesFile System and File allocation tables
File System and File allocation tablesshashikant pabari
 
Fat and ntfs
Fat and ntfsFat and ntfs
Fat and ntfsLucky Ali
 
File Systems
File SystemsFile Systems
File Systemskendersec
 
How to convert file system without data loss
How to convert file system without data lossHow to convert file system without data loss
How to convert file system without data lossLisa Liao
 
File and fat 2
File and fat 2File and fat 2
File and fat 2Vimal Madhale
 
FAT vs NTFS
FAT vs NTFSFAT vs NTFS
FAT vs NTFSArshad Qureshi
 
File and fat
File and fatFile and fat
File and fatVimal Madhale
 
File system
File systemFile system
File systemMohammad Noman
 
Alternate Data Streams
Alternate Data StreamsAlternate Data Streams
Alternate Data Streamsnephijohnson
 
File System
File SystemFile System
File SystemThayalan Danusan
 
Disk structure & File Handling
Disk structure & File HandlingDisk structure & File Handling
Disk structure & File HandlingMomina Idrees
 
Chapter 11 - File System Implementation
Chapter 11 - File System ImplementationChapter 11 - File System Implementation
Chapter 11 - File System ImplementationWayne Jones Jnr
 
File System Implementation
File System ImplementationFile System Implementation
File System ImplementationAbhishek Pachisia
 
Advances in File Carving
Advances in File CarvingAdvances in File Carving
Advances in File CarvingRob Zirnstein
 
OSCh12
OSCh12OSCh12
OSCh12Joe Christensen
 
Working with Files
Working with FilesWorking with Files
Working with Filesselcukca84
 
File Management
File ManagementFile Management
File ManagementDiane Coyle
 
DBMS
DBMSDBMS
DBMSMannat Gill
 
file system in operating system
file system in operating systemfile system in operating system
file system in operating systemtittuajay
 
Files
FilesFiles
Fileskirtidhamija16
 
File management
File managementFile management
File managementsumathiv9
 
File management
File managementFile management
File managementMohd Arif
 
File system of windows xp
File system of windows xpFile system of windows xp
File system of windows xpashubhardwaj03
 
NTFS.ppt
NTFS.pptNTFS.ppt
NTFS.pptjlmansilla
 
NTFSFS.ppt
NTFSFS.pptNTFSFS.ppt
NTFSFS.pptjlmansilla
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
File system
File systemFile system
File systemharleen_johal
 

More Related Content

What's hot

Alternate Data Streams
Alternate Data StreamsAlternate Data Streams
Alternate Data Streamsnephijohnson
 
Disk structure & File Handling
Disk structure & File HandlingDisk structure & File Handling
Disk structure & File HandlingMomina Idrees
 
Chapter 11 - File System Implementation
Chapter 11 - File System ImplementationChapter 11 - File System Implementation
Chapter 11 - File System ImplementationWayne Jones Jnr
 
Advances in File Carving
Advances in File CarvingAdvances in File Carving
Advances in File CarvingRob Zirnstein
 
Working with Files
Working with FilesWorking with Files
Working with Filesselcukca84
 
file system in operating system
file system in operating systemfile system in operating system
file system in operating systemtittuajay
 
File management
File managementFile management
File managementsumathiv9
 
File management
File managementFile management
File managementMohd Arif
 
File system of windows xp
File system of windows xpFile system of windows xp
File system of windows xpashubhardwaj03
 

What's hot (18)

FAT vs NTFS
FAT vs NTFSFAT vs NTFS
FAT vs NTFS
 
File and fat
File and fatFile and fat
File and fat
 
File system
File systemFile system
File system
 
Alternate Data Streams
Alternate Data StreamsAlternate Data Streams
Alternate Data Streams
 
File System
File SystemFile System
File System
 
Disk structure & File Handling
Disk structure & File HandlingDisk structure & File Handling
Disk structure & File Handling
 
Chapter 11 - File System Implementation
Chapter 11 - File System ImplementationChapter 11 - File System Implementation
Chapter 11 - File System Implementation
 
File System Implementation
File System ImplementationFile System Implementation
File System Implementation
 
Advances in File Carving
Advances in File CarvingAdvances in File Carving
Advances in File Carving
 
OSCh12
OSCh12OSCh12
OSCh12
 
Working with Files
Working with FilesWorking with Files
Working with Files
 
File Management
File ManagementFile Management
File Management
 
DBMS
DBMSDBMS
DBMS
 
file system in operating system
file system in operating systemfile system in operating system
file system in operating system
 
Files
FilesFiles
Files
 
File management
File managementFile management
File management
 
File management
File managementFile management
File management
 
File system of windows xp
File system of windows xpFile system of windows xp
File system of windows xp
 

Similar to NTFS

NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
Guide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGuide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGene Carboni
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file systemkeshav546
 
File system, dual boot, addon components, create user
File system, dual boot, addon components, create userFile system, dual boot, addon components, create user
File system, dual boot, addon components, create userHarman Gahir
 
File System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create UserFile System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create UserHarman Gahir
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensicsGaurav Ragtah
 
File Access & File System & File Allocation Table
File Access & File System & File Allocation TableFile Access & File System & File Allocation Table
File Access & File System & File Allocation TableChinmaya M. N
 
Comparative Study of Windows And Linux.pptx
Comparative Study of Windows And Linux.pptxComparative Study of Windows And Linux.pptx
Comparative Study of Windows And Linux.pptxBibus Poudel
 
File system of windows xp
File system of windows xpFile system of windows xp
File system of windows xpEhtisham Ali
 

Similar to NTFS (20)

NTFS.ppt
NTFS.pptNTFS.ppt
NTFS.ppt
 
NTFSFS.ppt
NTFSFS.pptNTFSFS.ppt
NTFSFS.ppt
 
NTFS file system
NTFS file systemNTFS file system
NTFS file system
 
File system
File systemFile system
File system
 
File system
File systemFile system
File system
 
NTFS Forensics.pptx
NTFS Forensics.pptxNTFS Forensics.pptx
NTFS Forensics.pptx
 
File system
File systemFile system
File system
 
NTFS vs FAT
NTFS vs FATNTFS vs FAT
NTFS vs FAT
 
File System FAT And NTFS
File System FAT And NTFSFile System FAT And NTFS
File System FAT And NTFS
 
Guide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGuide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File Systems
 
Os
OsOs
Os
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file system
 
File system, dual boot, addon components, create user
File system, dual boot, addon components, create userFile system, dual boot, addon components, create user
File system, dual boot, addon components, create user
 
File System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create UserFile System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create User
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensics
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
File Access & File System & File Allocation Table
File Access & File System & File Allocation TableFile Access & File System & File Allocation Table
File Access & File System & File Allocation Table
 
Comparative Study of Windows And Linux.pptx
Comparative Study of Windows And Linux.pptxComparative Study of Windows And Linux.pptx
Comparative Study of Windows And Linux.pptx
 
File system of windows xp
File system of windows xpFile system of windows xp
File system of windows xp
 

More from ArthyR3

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfArthyR3
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfArthyR3
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfArthyR3
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfArthyR3
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdfArthyR3
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdfArthyR3
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdfArthyR3
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdfArthyR3
 
Qb it1301
Qb it1301Qb it1301
Qb it1301ArthyR3
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit vArthyR3
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit vArthyR3
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit i
Cs8792 cns - unit iCs8792 cns - unit i
Cs8792 cns - unit iArthyR3
 
Java quick reference
Java quick referenceJava quick reference
Java quick referenceArthyR3
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)ArthyR3
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography WorkbookArthyR3
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network securityArthyR3
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bankArthyR3
 

More from ArthyR3 (20)

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdf
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdf
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdf
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdf
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdf
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdf
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdf
 
Qb it1301
Qb it1301Qb it1301
Qb it1301
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit v
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit iv
Cs8792 cns - unit ivCs8792 cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit i
Cs8792 cns - unit iCs8792 cns - unit i
Cs8792 cns - unit i
 
Java quick reference
Java quick referenceJava quick reference
Java quick reference
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography Workbook
 
Cns
CnsCns
Cns
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network security
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bank
 

Recently uploaded

247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 

Recently uploaded (20)

247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 

NTFS

  • 1. DEPARTMENT OF INFORMATION TECHNOLOGY Subject Code : CS6004 Staff Name : R. Arthy, AP/IT Subject Name: Cyber Forensics Class : IV IT NT FILE SYSTEM (NTFS) NTFS Disks  NT File System (NTFS) o Introduced with Windows NT o Primary file system for Windows 8  Improvements over FAT file systems o NTFS provides more information about a file o NTFS gives more control over files and folders  NTFS was Microsoft’s move toward a journaling file system o It records a transaction before the system carries it out  In NTFS, everything written to the disk is considered a file  On an NTFS disk o First data set is the Partition Boot Sector o Next is Master File Table (MFT)  NTFS results in much less file slack space  Clusters are smaller for smaller disk drives  NTFS also uses Unicode o An international data format
  • 2. NTFS System Files  MFT contains information about all files on the disk o Including the system files the OS uses  In the MFT, the first 15 records are reserved for system files o Records in the MFT are called metadata MFT and File Attributes  In the NTFS MFT o All files and folders are stored in separate records of 1024 bytes each  Each record contains file or folder information o This information is divided into record fields containing metadata  A record field is referred to as an attribute ID  File or folder information is typically stored in one of two ways in an MFT record: o Fields in Resident file format  All MFT records start with Field
  • 3.  Start of attribute 0x10  Length of attribute 0x10 (value 60)  Start of attribute 0x30  Length of attribute 0x30 (value 70)  Start of attribute 0x40  Length of attribute 0x40 (value 28)  Start of attribute 0x80  Length of attribute 0x80 (value 70)  Attribute 0x80 resident flag  Starting position of resident data o Data for a nonresident file - Attribute 0x30 o Fields in Nonresident file format  Start of nonresident attribute 0x80  Length of nonresident attribute 0x80  Attribute 0x80 nonresident flag  Starting point of data run  End-of-record marker (FF FF FF FF) for the MFT record o Data for a nonresident file - Attribute 0x80  Files larger than 512 bytes are stored outside the MFT o MFT record provides cluster addresses where the file is stored on the drive’s partition  Referred to as data runs
  • 4.  Each MFT record starts with a header identifying it as a resident or nonresident attribute  When a disk is created as an NTFS file structure o OS assigns logical clusters to the entire disk partition  These assigned clusters are called logical cluster numbers (LCNs)
  • 5. o Become the addresses that allow the MFT to link to nonresident files on the disk’s partition  When data is first written to nonresident files, an LCN address is assigned to the file o This LCN becomes the file’s virtual cluster number (VCN) MFT Structures for File Data  For the header of all MFT records, the record fields of interest are as follows: o At offset 0x00 - the MFT record identifier FILE o At offset 0x1C to 0x1F - size of the MFT record o At offset 0x14 - length of the header (indicates where the next attribute starts) o At offset 0x32 and 0x33 - the update sequence array, which stores the last 2 bytes of the first sector of the MFT record NTFS Alternate Data Streams  Alternate data streams o Ways data can be appended to existing files o Can obscure valuable evidentiary data, intentionally or by coincidence  In NTFS, an alternate data stream becomes an additional file attribute o Allows the file to be associated with different applications  You can only tell whether a file has a data stream attached by examining that file’s MFT entry NTFS Compressed Files  NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)  Under NTFS, files, folders, or entire volumes can be compressed  Most computer forensics tools can uncompress and analyze compressed Windows data
  • 6. NTFS Encrypting File System (EFS)  Encrypting File System (EFS) o Introduced with Windows 2000 o Implements a public key and private key method of encrypting files, folders, or disk volumes  When EFS is used in Windows 2000 and later o A recovery certificate is generated and sent to the local Windows administrator account  Users can apply EFS to files stored on their local workstations or a remote server EFS Recovery Key Agent  Recovery Key Agent implements the recovery certificate o Which is in the Windows administrator account  Windows administrators can recover a key in two ways: through Windows or from an MS-DOS command prompt  MS-DOS commands o cipher o copy o efsrecvr (used to decrypt EFS files) Deleting NTFS Files  When a file is deleted in Windows NT and later o The OS renames it and moves it to the Recycle Bin  Can use the Del (delete) MS-DOS command o Eliminates the file from the MFT listing in the same way FAT does Resilient File System  Resilient File System (ReFS) - designed to address very large data storage needs o Such as the cloud  Features incorporated into ReFS’s design: o Maximized data availability o Improved data integrity o Designed for scalability  ReFS uses disk structures similar to the MFT in NTFS