Understanding NTFS file system internals and extracting malware related artifacts from NTFS MFT entry attributes

1. NTFS Forensics

2. Speaker’s profile
MALLA REDDY DONAPATI
Security Enthusiast, Consultant & Forensicator
Chapter Moderator – null Mumbai
https://null.co.in/
M.Sc Information Security & Computer Forensics (University
of East London )
dmred1

3. Agenda
• Introduction
• NTFS internals
• Alternate Data streams
• Extended Attributes
• Malware artifacts in UsnJrnl
• Demo

4. NTFS – New Technology File System
• Introduced in 1993 for Win NT
3.1
• Default file system for NT based
OS (Win NT, 2K, 2K3, XP, …)
• Feature list includes journaling,
encryption, compression,
sparse file support, disk quotas,
reparse points.

5. Why NTFS forensics ?
• To understand its format and inner-working
• To device effective file recovery strategies for deleted /
lost data
• To find forensically useful artifacts like Existence of
hidden timestamps, Logs and Deleted / Leftover
Metadata
• Leverage NTFS artifacts in memory for efficient malware
analysis

6. NTFS Basics
• Everything is a file, even
the core file system
internals
• The internal files are
always hidden from user
view
Hidden files and folders in NTFS

7. Hidden Internal Files
Filename Description
$MFT Master File Table
$MFTMirr Backup of first 4 records of MFT
$LogFile Transaction log file
$Volume Volume related information, usually empty
$AttrDef $AttrDef Table listing MFT attribute names and numbers
. Root folder on NTFS
$Bitmap Map showing which clusters on volume are in use
$Boot Boot code used during bootstrap
$BadClus Map of bad clusters
$Secure Security descriptors and ACLs are listed here
$Upcase Keeps all lowercase to uppercase character mappings
$Extend Optional extensions listed here (This is a folder)

8. Physical Layout of NTFS Volume

9. Master File Table - $MFT
• Consists of 1024 byte records
• Has an entry for every file and folder including itself
• Records can be identified by header “FILE”
• A record consists of header and attributes
• All metadata is stored in attributes
• Common attributes:
• $STANDARD_INFORAMTION
• $FILE_NAME
• $DATA

10. Reading an MFT Entry

11. Understanding File Storage

12. Timestamps on NTFS
• 64 bit Timestamp
• Number of 100
Nanosecond intervals since
1st January 1601
• 1 second = 0x989
• 4 Timestamps
• Created
• Modified
• Accessed
• MFT Entry Modified - ?
• caution:
• The NTFS file system delays
updates to the last access
time for a file by up to 1 hour
after the last access. (Source:
msdn.microsoft.com )

13. Alternate Data Stream
• Every file has single $Data stream, but NTFS allows
multiple data streams
• A place to store (hide) data, which is not displayed by
Windows Explorer or command line ‘dir’ view.
• Intended to store extra file metadata
• Used by IE, Outlook Express, AV programs
• Exploited by malware to hide malicious tools

14. Extended Attributes
• Extended Attributes are a feature of NTFS similar in nature to
Alternate Data Streams where extra information about the file
can be stored on the file system
• EA
• EA_INFORMATION
• ZeroAccess rootkit uses this feature to hide a whole PE file as
well as shellcode in services.exe that loads the PE file

15. $UsnJrnl
• Is a change journal file
• Records when changes were made to the files and directories
• Located at $Extend$UsnJrnl and the actual entries are
located at $UsnJrnl:$J alterante data stream
• Information contained in each entry :
• Time of change
• Reason for change
• File/Directory’s name
• File/Directory MFT record number
• File record number of the file’s parent directory
• Security ID
• Update Sequence Number of the record
• Information about the source of change

16. NTFS ..??

18. references
• http://www.slideshare.net/null0x00/ntfs-forensics
• http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html
• https://www.fbi.h-da.de/fileadmin/personal/h.baier/Lectures-winter-
11/WS-11-Forensics/vorlesung_forensik_ws11-12_kap06_ntfs-handout.pdf