Uploaded bynullowaspmumbai
PDF, PPTX2,287 views

NTFS Forensics

The document discusses NTFS forensics. It begins with introducing the speaker and their background in information security and computer forensics. It then provides an overview of NTFS, including that it is the default file system for Windows NT-based operating systems and some of its key features. The document discusses some of the internals of NTFS like the master file table ($MFT), timestamps, alternate data streams, extended attributes, and the $UsnJrnl journal file that can contain forensic artifacts. It notes how understanding these NTFS artifacts can aid in file recovery, finding hidden data, and malware analysis.

Technology
In this document
Powered by AI

Introduction to NTFS forensics.

Details about the speaker, Malla Reddy Donapati, a security consultant with expertise in forensics.

Overview of the presentation contents including introduction, NTFS features, and a demo.

Explanation of NTFS (New Technology File System), its introduction year and features.

Reasons for NTFS forensics, focusing on data recovery and identifying useful artifacts.

Introduction to the structure of NTFS, emphasizing that everything is treated as a file.

Description of hidden internal files in NTFS like Master File Table ($MFT) and others.

An overview of the physical layout of an NTFS volume.

An in-depth look at the $MFT, its record structure, and its attributes.

Explanation of how to read an MFT entry.

Description of file storage methods in NTFS.

Discussion on various timestamps used by NTFS and their significance.

Information on Alternate Data Streams (ADS) and their use in NTFS.

Explanation of Extended Attributes and their function in storing additional file info.

Details about the $UsnJrnl, its functions, and the information it logs.

Concluding remarks or queries related to NTFS.

Citations and references for further reading on NTFS forensics.

Embed presentation

Download as PDF, PPTX
NTFS Forensics
Speaker’s profile MALLA REDDY DONAPATI Security Enthusiast, Consultant & Forensicator Chapter Moderator – null Mumbai https://null.co.in/ M.Sc Information Security & Computer Forensics (University of East London ) dmred1
Agenda • Introduction • NTFS internals • Alternate Data streams • Extended Attributes • Malware artifacts in UsnJrnl • Demo
NTFS – New Technology File System • Introduced in 1993 for Win NT 3.1 • Default file system for NT based OS (Win NT, 2K, 2K3, XP, …) • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points.
Why NTFS forensics ? • To understand its format and inner-working • To device effective file recovery strategies for deleted / lost data • To find forensically useful artifacts like Existence of hidden timestamps, Logs and Deleted / Leftover Metadata • Leverage NTFS artifacts in memory for efficient malware analysis
NTFS Basics • Everything is a file, even the core file system internals • The internal files are always hidden from user view Hidden files and folders in NTFS
Hidden Internal Files Filename Description $MFT Master File Table $MFTMirr Backup of first 4 records of MFT $LogFile Transaction log file $Volume Volume related information, usually empty $AttrDef $AttrDef Table listing MFT attribute names and numbers . Root folder on NTFS $Bitmap Map showing which clusters on volume are in use $Boot Boot code used during bootstrap $BadClus Map of bad clusters $Secure Security descriptors and ACLs are listed here $Upcase Keeps all lowercase to uppercase character mappings $Extend Optional extensions listed here (This is a folder)
Physical Layout of NTFS Volume
Master File Table - $MFT • Consists of 1024 byte records • Has an entry for every file and folder including itself • Records can be identified by header “FILE” • A record consists of header and attributes • All metadata is stored in attributes • Common attributes: • $STANDARD_INFORAMTION • $FILE_NAME • $DATA
Reading an MFT Entry
Understanding File Storage
Timestamps on NTFS • 64 bit Timestamp • Number of 100 Nanosecond intervals since 1st January 1601 • 1 second = 0x989 • 4 Timestamps • Created • Modified • Accessed • MFT Entry Modified - ? • caution: • The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access. (Source: msdn.microsoft.com )
Alternate Data Stream • Every file has single $Data stream, but NTFS allows multiple data streams • A place to store (hide) data, which is not displayed by Windows Explorer or command line ‘dir’ view. • Intended to store extra file metadata • Used by IE, Outlook Express, AV programs • Exploited by malware to hide malicious tools
Extended Attributes • Extended Attributes are a feature of NTFS similar in nature to Alternate Data Streams where extra information about the file can be stored on the file system • EA • EA_INFORMATION • ZeroAccess rootkit uses this feature to hide a whole PE file as well as shellcode in services.exe that loads the PE file
$UsnJrnl • Is a change journal file • Records when changes were made to the files and directories • Located at $Extend$UsnJrnl and the actual entries are located at $UsnJrnl:$J alterante data stream • Information contained in each entry : • Time of change • Reason for change • File/Directory’s name • File/Directory MFT record number • File record number of the file’s parent directory • Security ID • Update Sequence Number of the record • Information about the source of change
NTFS ..??
references • http://www.slideshare.net/null0x00/ntfs-forensics • http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html • https://www.fbi.h-da.de/fileadmin/personal/h.baier/Lectures-winter- 11/WS-11-Forensics/vorlesung_forensik_ws11-12_kap06_ntfs-handout.pdf

More Related Content

PDF
Ntfs forensics
byn|u - The Open Security Community
 
PPT
Windowsforensics
bySantosh Khadsare
 
PPTX
Ntfs and computer forensics
byGaurav Ragtah
 
PPT
Authentication Authorization-Lesson-2-Slides.ppt
byMuhammadAbdullah311866
 
PPTX
Autopsy Digital forensics tool
bySreekanth Narendran
 
PPTX
Introduction to filesystems and computer forensics
byMayank Chaudhari
 
PPTX
Windows Forensic 101
byDigit Oktavianto
 
PPT
Linux forensics
bySantosh Khadsare
 
Ntfs forensics
byn|u - The Open Security Community
 
Windowsforensics
bySantosh Khadsare
 
Ntfs and computer forensics
byGaurav Ragtah
 
Authentication Authorization-Lesson-2-Slides.ppt
byMuhammadAbdullah311866
 
Autopsy Digital forensics tool
bySreekanth Narendran
 
Introduction to filesystems and computer forensics
byMayank Chaudhari
 
Windows Forensic 101
byDigit Oktavianto
 
Linux forensics
bySantosh Khadsare
 

What's hot

PDF
Course 102: Lecture 27: FileSystems in Linux (Part 2)
byAhmed El-Arabawy
 
PPTX
Windows File Systems
byprimeteacher32
 
PPTX
Memory forensics.pptx
by9905234521
 
PPTX
Windows forensic
byMD SAQUIB KHAN
 
PPTX
Data Acquisition
byprimeteacher32
 
PPTX
Linux file system
byMd. Tanvir Hossain
 
PDF
Forensics Analysis and Validation
byJyothishmathi Institute of Technology and Science Karimnagar
 
PPTX
file system in operating system
bytittuajay
 
PPTX
Windows Registry
byprimeteacher32
 
PDF
NTFS file system
byRavi Yasas
 
PPTX
File System and File allocation tables
byshashikant pabari
 
PDF
Course 102: Lecture 14: Users and Permissions
byAhmed El-Arabawy
 
PPT
Disk structure
byShareb Ismaeel
 
PPTX
Linux.ppt
byonu9
 
PPT
Registry forensics
byPrince Boonlia
 
PPTX
Computer forensics toolkit
byMilap Oza
 
PPT
Network forensics1
bySantosh Khadsare
 
PPTX
Malware Classification and Analysis
byPrashant Chopra
 
PPTX
Mobile Forensics
byabdullah roomi
 
PPT
Mobile forensics
bynoorashams
 
Course 102: Lecture 27: FileSystems in Linux (Part 2)
byAhmed El-Arabawy
 
Windows File Systems
byprimeteacher32
 
Memory forensics.pptx
by9905234521
 
Windows forensic
byMD SAQUIB KHAN
 
Data Acquisition
byprimeteacher32
 
Linux file system
byMd. Tanvir Hossain
 
Forensics Analysis and Validation
byJyothishmathi Institute of Technology and Science Karimnagar
 
file system in operating system
bytittuajay
 
Windows Registry
byprimeteacher32
 
NTFS file system
byRavi Yasas
 
File System and File allocation tables
byshashikant pabari
 
Course 102: Lecture 14: Users and Permissions
byAhmed El-Arabawy
 
Disk structure
byShareb Ismaeel
 
Linux.ppt
byonu9
 
Registry forensics
byPrince Boonlia
 
Computer forensics toolkit
byMilap Oza
 
Network forensics1
bySantosh Khadsare
 
Malware Classification and Analysis
byPrashant Chopra
 
Mobile Forensics
byabdullah roomi
 
Mobile forensics
bynoorashams
 

Viewers also liked

PDF
Disk forensics
byChiawei Wang
 
PDF
Forensics of a Windows System
byConferencias FIST
 
PPTX
WinFE: The (Almost) Perfect Triage Tool
byBrent Muir
 
PPTX
Facebook Forensics Toolkit(FFT)
byShuvo Sarker
 
PDF
Digital forensic upload
bySetia Juli Irzal Ismail
 
PDF
The Future of Digital Forensics
by00heights
 
PPTX
Files and Folders in Windows 7
byRIAH ENCARNACION
 
PDF
Windows logging cheat sheet
byMichael Gough
 
PDF
Using and Developing with Open Source Digital Forensics Software in Digital A...
byMark Matienzo
 
PPTX
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
byBasis Technology
 
PDF
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
byOWASP Turkiye
 
PPTX
Capturing forensics image
byChris Harrington
 
PPTX
Windows nt istallation
byHarleen Johal
 
PPTX
Citrix
byYansi Keim
 
PDF
Social Media for Investigations Tools
byMandy Jenkins
 
PPT
July132000
byCTIN
 
PPT
G Infomgnt
byCTIN
 
PPT
Nra
byCTIN
 
PPT
Part6 Private Sector Concerns
byCTIN
 
PPT
Level1 Part8 End Of The Day
byCTIN
 
Disk forensics
byChiawei Wang
 
Forensics of a Windows System
byConferencias FIST
 
WinFE: The (Almost) Perfect Triage Tool
byBrent Muir
 
Facebook Forensics Toolkit(FFT)
byShuvo Sarker
 
Digital forensic upload
bySetia Juli Irzal Ismail
 
The Future of Digital Forensics
by00heights
 
Files and Folders in Windows 7
byRIAH ENCARNACION
 
Windows logging cheat sheet
byMichael Gough
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
byMark Matienzo
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
byBasis Technology
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
byOWASP Turkiye
 
Capturing forensics image
byChris Harrington
 
Windows nt istallation
byHarleen Johal
 
Citrix
byYansi Keim
 
Social Media for Investigations Tools
byMandy Jenkins
 
July132000
byCTIN
 
G Infomgnt
byCTIN
 
Nra
byCTIN
 
Part6 Private Sector Concerns
byCTIN
 
Level1 Part8 End Of The Day
byCTIN
 

Similar to NTFS Forensics

PPT
Windows Forensics- Introduction and Analysis
byDon Caeiro
 
PPTX
Windows File Systems
byprimeteacher32
 
PDF
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
bySam Bowne
 
PPT
NTFS.ppt
byjlmansilla
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
bySam Bowne
 
PPT
Alternate Data Streams
bynephijohnson
 
PDF
AntiForensics - Leveraging OS and File System Artifacts.pdf
byekobelasting
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
ODP
NTFS and Inode
byAmit Seal Ami
 
PPTX
Digital Information Forensics Lecture on the topic of Partion Table
bymuhammadqasim586302
 
PPTX
NTFS Forensics.pptx
byAndreMeneghin1
 
PDF
windows-forensics-analysis-v-1.0-4_2.pdf
byAmineBesrour
 
PPTX
Disk forensics for the lazy and the smart
byJeff Beley
 
PPTX
NTFS_vs_exFAT_Forensics_Presentation.pptx
byfarahshaikh45
 
PPTX
Leveraging NTFS Timeline Forensics during the Analysis of Malware
bytmugherini
 
PPTX
Digital Information Forensics Lecture on the topic of MFT
bymuhammadqasim586302
 
PPT
Working with Windows and DOS Systems.ppt
byChSamson2
 
PDF
NTFS
byArthyR3
 
PPT
NTFSFS.ppt
byjlmansilla
 
PPTX
Fresh Prints of Malware- NTFS INDX BUFFERS
byacesleipnir
 
Windows Forensics- Introduction and Analysis
byDon Caeiro
 
Windows File Systems
byprimeteacher32
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
bySam Bowne
 
NTFS.ppt
byjlmansilla
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
bySam Bowne
 
Alternate Data Streams
bynephijohnson
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
byekobelasting
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
NTFS and Inode
byAmit Seal Ami
 
Digital Information Forensics Lecture on the topic of Partion Table
bymuhammadqasim586302
 
NTFS Forensics.pptx
byAndreMeneghin1
 
windows-forensics-analysis-v-1.0-4_2.pdf
byAmineBesrour
 
Disk forensics for the lazy and the smart
byJeff Beley
 
NTFS_vs_exFAT_Forensics_Presentation.pptx
byfarahshaikh45
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
bytmugherini
 
Digital Information Forensics Lecture on the topic of MFT
bymuhammadqasim586302
 
Working with Windows and DOS Systems.ppt
byChSamson2
 
NTFS
byArthyR3
 
NTFSFS.ppt
byjlmansilla
 
Fresh Prints of Malware- NTFS INDX BUFFERS
byacesleipnir
 

More from nullowaspmumbai

PDF
ELK in Security Analytics
bynullowaspmumbai
 
PPTX
Switch security
bynullowaspmumbai
 
PPTX
Power forensics
bynullowaspmumbai
 
PPTX
Adversarial machine learning
bynullowaspmumbai
 
PPTX
Dll Hijacking
bynullowaspmumbai
 
PPTX
Commix
bynullowaspmumbai
 
PPTX
Radio hacking - Part 1
bynullowaspmumbai
 
PPTX
How i got my first cve
bynullowaspmumbai
 
PPTX
Internet censorship circumvention techniques
bynullowaspmumbai
 
PPTX
Middleware hacking
bynullowaspmumbai
 
PPTX
Drozer - An Android Application Security Tool
bynullowaspmumbai
 
PPTX
How I got my First CVE
bynullowaspmumbai
 
PPTX
Adversarial machine learning updated
bynullowaspmumbai
 
PDF
Ganesh naik linux_kernel_internals
bynullowaspmumbai
 
PPTX
Xxe
bynullowaspmumbai
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
PPTX
Infrastructure security & Incident Management
bynullowaspmumbai
 
PPTX
Middleware hacking
bynullowaspmumbai
 
PDF
Buffer overflow null
bynullowaspmumbai
 
PPTX
Abusing Target
bynullowaspmumbai
 
ELK in Security Analytics
bynullowaspmumbai
 
Switch security
bynullowaspmumbai
 
Power forensics
bynullowaspmumbai
 
Adversarial machine learning
bynullowaspmumbai
 
Dll Hijacking
bynullowaspmumbai
 
Commix
bynullowaspmumbai
 
Radio hacking - Part 1
bynullowaspmumbai
 
How i got my first cve
bynullowaspmumbai
 
Internet censorship circumvention techniques
bynullowaspmumbai
 
Middleware hacking
bynullowaspmumbai
 
Drozer - An Android Application Security Tool
bynullowaspmumbai
 
How I got my First CVE
bynullowaspmumbai
 
Adversarial machine learning updated
bynullowaspmumbai
 
Ganesh naik linux_kernel_internals
bynullowaspmumbai
 
Xxe
bynullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
bynullowaspmumbai
 
Infrastructure security & Incident Management
bynullowaspmumbai
 
Middleware hacking
bynullowaspmumbai
 
Buffer overflow null
bynullowaspmumbai
 
Abusing Target
bynullowaspmumbai
 

Recently uploaded

DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
AI Technology important knowledge ......
byutkarshj2007
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

NTFS Forensics

  • 1.
  • 2.
    Speaker’s profile MALLA REDDYDONAPATI Security Enthusiast, Consultant & Forensicator Chapter Moderator – null Mumbai https://null.co.in/ M.Sc Information Security & Computer Forensics (University of East London ) dmred1
  • 3.
    Agenda • Introduction • NTFSinternals • Alternate Data streams • Extended Attributes • Malware artifacts in UsnJrnl • Demo
  • 4.
    NTFS – NewTechnology File System • Introduced in 1993 for Win NT 3.1 • Default file system for NT based OS (Win NT, 2K, 2K3, XP, …) • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points.
  • 5.
    Why NTFS forensics? • To understand its format and inner-working • To device effective file recovery strategies for deleted / lost data • To find forensically useful artifacts like Existence of hidden timestamps, Logs and Deleted / Leftover Metadata • Leverage NTFS artifacts in memory for efficient malware analysis
  • 6.
    NTFS Basics • Everythingis a file, even the core file system internals • The internal files are always hidden from user view Hidden files and folders in NTFS
  • 7.
    Hidden Internal Files FilenameDescription $MFT Master File Table $MFTMirr Backup of first 4 records of MFT $LogFile Transaction log file $Volume Volume related information, usually empty $AttrDef $AttrDef Table listing MFT attribute names and numbers . Root folder on NTFS $Bitmap Map showing which clusters on volume are in use $Boot Boot code used during bootstrap $BadClus Map of bad clusters $Secure Security descriptors and ACLs are listed here $Upcase Keeps all lowercase to uppercase character mappings $Extend Optional extensions listed here (This is a folder)
  • 8.
    Physical Layout ofNTFS Volume
  • 9.
    Master File Table- $MFT • Consists of 1024 byte records • Has an entry for every file and folder including itself • Records can be identified by header “FILE” • A record consists of header and attributes • All metadata is stored in attributes • Common attributes: • $STANDARD_INFORAMTION • $FILE_NAME • $DATA
  • 10.
  • 11.
  • 12.
    Timestamps on NTFS •64 bit Timestamp • Number of 100 Nanosecond intervals since 1st January 1601 • 1 second = 0x989 • 4 Timestamps • Created • Modified • Accessed • MFT Entry Modified - ? • caution: • The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access. (Source: msdn.microsoft.com )
  • 13.
    Alternate Data Stream •Every file has single $Data stream, but NTFS allows multiple data streams • A place to store (hide) data, which is not displayed by Windows Explorer or command line ‘dir’ view. • Intended to store extra file metadata • Used by IE, Outlook Express, AV programs • Exploited by malware to hide malicious tools
  • 14.
    Extended Attributes • ExtendedAttributes are a feature of NTFS similar in nature to Alternate Data Streams where extra information about the file can be stored on the file system • EA • EA_INFORMATION • ZeroAccess rootkit uses this feature to hide a whole PE file as well as shellcode in services.exe that loads the PE file
  • 15.
    $UsnJrnl • Is achange journal file • Records when changes were made to the files and directories • Located at $Extend$UsnJrnl and the actual entries are located at $UsnJrnl:$J alterante data stream • Information contained in each entry : • Time of change • Reason for change • File/Directory’s name • File/Directory MFT record number • File record number of the file’s parent directory • Security ID • Update Sequence Number of the record • Information about the source of change
  • 16.
  • 18.
    references • http://www.slideshare.net/null0x00/ntfs-forensics • http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html •https://www.fbi.h-da.de/fileadmin/personal/h.baier/Lectures-winter- 11/WS-11-Forensics/vorlesung_forensik_ws11-12_kap06_ntfs-handout.pdf