BACS 371 Computer Forensics
File Systems 2: NTFS

File Systems (see http://www.ntfs.com)
A file system is a method for storing and organizing computer files and the data they contain so that they are easy to find and access.

File System Types
FAT (File Allocation Table): FAT12, FAT16, FAT32, exFAT
NTFS (New Technology File System)

Functions of a file system
Manage free space
Allocate clusters to files
Track time: MAC times (Modify, Access, Create)

NTFS Characteristics
File size: theoretically 16 exabytes minus 1 KB (2^64 minus 1 KB); in reality 16 terabytes minus 64 KB (2^44 minus 64 KB)
Volume size: theoretically 256 terabytes minus 64 KB (2^32 clusters minus 1 cluster); in reality 16 terabytes
Files per volume: 4,294,967,295 (2^32 minus 1 file)

NTFS Architecture
The boot sector is always at cluster 0.
The MFT can be anywhere after the boot sector. File attributes are stored here. There is no fixed structure.
The MFT copy can also be anywhere after the boot sector.
Notice that the end-of-sector marker is 55 AA. You can look for this to find boot sectors for NTFS and DOS.

NTFS Boot Sector
Offset (decimal)   Size     Field
0                  3 B      Jump instruction
3                  8 B      OEM ID
11                 25 B     BIOS Parameter Block (BPB)
36                 48 B     Extended BPB
84                 426 B    Bootstrap code
510                2 B      End-of-sector marker (55 AA)
The boot sector is always located at cluster 0 of the partition.

NTFS BIOS Parameter Block
Many fields are not important, but these are the key ones to know about.
Offset (decimal)   Field
11                 Bytes per sector (2 bytes)
13                 Sectors per cluster (1 byte)
21                 Media descriptor (1 byte): F8 = hard disk, F0 = floppy
40                 Total sectors (8 bytes)
48                 Logical cluster number of the MFT (8 bytes)
56                 Logical cluster number of the MFT copy (8 bytes)
64                 Clusters per MFT record (1 byte)
72                 Volume serial number (8 bytes)

WinHex allows access to an interpreted NTFS boot sector: use the Access tab.

NTFS BIOS Parameter Block: worked values from the sample volume
Offset 11, bytes per sector: 00 02 on disk. Don't forget: little endian! 0200 (hex) = 512 (decimal).
Offset 13, sectors per cluster: 08 (hex) = 8 (decimal).
Offset 21, media descriptor: F8 is a hard drive, F0 is a floppy.
Offset 40, total number of sectors: F7 AF 4E 09 00 00 00 00 on disk, which read little endian is 00 00 00 00 09 4E AF F7 (hex) = 156,151,799 sectors, i.e., about 80 GB.
Offset 48, logical cluster number of MFT copy 1 (file $MFT): cluster C7FE9.
Offset 56, logical cluster number of MFT copy 2: cluster 40029D.
Offset 64, clusters per MFT record: F6.
Offset 72, volume serial number.

Master File Table (MFT)
The MFT is itself a file!
It is an array of records constituting a database of all files in the system (including a record for the MFT itself).
Each record is usually 1024 bytes.
The first 16 records contain volume-specific information (the NTFS metadata files).
The remaining records are related to specific files found in the file system.

NTFS Metadata Entries
System file, file name, MFT record: purpose of the file
Master file table, $Mft, record 0: Contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit within a single record, other file records are allocated as well.
Master file table 2, $MftMirr, record 1: A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure.
Log file, $LogFile, record 2: Contains a list of transaction steps used for NTFS recoverability. Log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000 to restore consistency to NTFS after a system failure.
Volume, $Volume, record 3: Contains information about the volume, such as the volume label and the volume version.
Attribute definitions, $AttrDef, record 4: A table of attribute names, numbers, and descriptions.
Root file name index, $, record 5: The root folder.
Cluster bitmap, $Bitmap, record 6: A representation of the volume showing which clusters are in use.
Boot sector, $Boot, record 7: Includes the BPB used to mount the volume and additional bootstrap loader code used if the volume is bootable.
Bad cluster file, $BadClus, record 8: Contains bad clusters for the volume.
Security file, $Secure, record 9: Contains unique security descriptors for all files within a volume.
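The boot sector and BPB fields above, as an added worked example that is not part of the slides: this Python code constructs a 512-byte NTFS boot sector carrying the values shown on the slides (bytes per sector 0200, 8 sectors per cluster, F8, total sectors F7 AF 4E 09 00 00 00 00, $MFT at C7FE9, mirror at 40029D, F6 clusters per MFT record; the volume serial number is a made-up value), parses the key BPB fields little endian, and scans an image for the 55 AA marker. The field offsets are the standard NTFS layout the slides list; the function names are this example's own. One caveat the slides leave implicit: byte 64 is signed, and a negative value such as F6 (-10) means the MFT record size is 2^10 = 1024 bytes, not "F6 clusters".

```python
import struct

# Added example (not from the slides): build a constructed NTFS boot sector with the
# slide values, parse the BPB fields the slides call out, and scan for 55 AA markers.
NTFS_OEM_ID = b"NTFS    "


def build_sample_boot_sector():
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                          # jump instruction
    bs[3:11] = NTFS_OEM_ID                               # OEM ID
    struct.pack_into("<H", bs, 11, 0x0200)               # bytes per sector: 00 02 on disk = 512
    bs[13] = 0x08                                        # sectors per cluster
    bs[21] = 0xF8                                        # media descriptor: hard disk
    bs[40:48] = bytes.fromhex("F7AF4E0900000000")        # total sectors, little endian (slide value)
    struct.pack_into("<Q", bs, 48, 0xC7FE9)              # LCN of $MFT (slide value)
    struct.pack_into("<Q", bs, 56, 0x40029D)             # LCN of the MFT copy (slide value)
    bs[64] = 0xF6                                        # clusters per MFT record (signed byte)
    struct.pack_into("<Q", bs, 72, 0x1C2E3A4B5C6D7E8F)   # constructed volume serial number
    bs[510:512] = b"\x55\xAA"                            # end-of-sector marker
    return bytes(bs)


def parse_ntfs_boot_sector(bs):
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("no 55 AA end-of-sector marker")
    if bs[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector = struct.unpack_from("<H", bs, 11)[0]   # little endian: 00 02 -> 0x0200
    sectors_per_cluster = bs[13]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Byte 64 is signed: a negative value v means the record size is 2**(-v) bytes
    # rather than v clusters (0xF6 = -10 -> 1024-byte MFT records).
    cpr = struct.unpack_from("<b", bs, 64)[0]
    mft_record_size = (1 << -cpr) if cpr < 0 else cpr * cluster_size
    info = {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media": {0xF8: "hard disk", 0xF0: "floppy"}.get(bs[21], "0x%02X" % bs[21]),
        "total_sectors": struct.unpack_from("<Q", bs, 40)[0],
        "mft_lcn": struct.unpack_from("<Q", bs, 48)[0],
        "mftmirr_lcn": struct.unpack_from("<Q", bs, 56)[0],
        "mft_record_size": mft_record_size,
        "volume_serial": struct.unpack_from("<Q", bs, 72)[0],
    }
    info["volume_bytes"] = info["total_sectors"] * bytes_per_sector
    # LCN * sectors per cluster = sector number; LCN * cluster size = byte offset in the partition
    info["mft_sector"] = info["mft_lcn"] * sectors_per_cluster
    info["mft_offset"] = info["mft_lcn"] * cluster_size
    return info


def find_boot_sector_candidates(image, sector_size=512):
    # Walk the image sector by sector looking for the 55 AA marker the slides mention and
    # report whether each hit also carries the NTFS OEM ID (DOS/FAT boot sectors end in 55 AA too).
    hits = []
    for off in range(0, len(image) - sector_size + 1, sector_size):
        sec = image[off:off + sector_size]
        if sec[510:512] == b"\x55\xAA":
            hits.append((off, sec[3:11] == NTFS_OEM_ID))
    return hits


if __name__ == "__main__":
    sample = build_sample_boot_sector()
    for key, value in parse_ntfs_boot_sector(sample).items():
        print("%-20s %s" % (key, hex(value) if isinstance(value, int) else value))
    image = bytes(2048) + sample + bytes(1024)   # constructed image: boot sector at offset 2048
    print(find_boot_sector_candidates(image))
```

Run against a real partition image, the same parser gives you the byte offset of the $MFT (mft_offset) and the record size to read there; a mismatch between total_sectors and the image size, or an unexpected OEM ID under a valid 55 AA marker, is the first sign that the boot sector has been overwritten or belongs to a different file system.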
Upcase table, $Upcase, record 10: Converts lowercase characters to matching Unicode uppercase characters.
NTFS extension file, $Extend, record 11: Used for various optional extensions such as quotas, reparse point data, and object identifiers.
Records 12–15: Reserved for future use.

MFT Record
MFT record entries are associated with each file and directory in the system.
A single file or directory can occupy from 1 to 4 MFT records (usually just 1).
An MFT entry is made up of a header and a series of attributes.
MFT entry attributes are loosely defined. Each attribute is preceded by an attribute header, which identifies the type of attribute, its size, and its name.

MFT Record Structure
The attribute header gives basic information about the attribute.
A resident attribute is stored in the MFT entry. A non-resident attribute is stored in clusters outside the MFT.
The example on the slide shows a record with 3 attributes.

Some attributes are actually stored in the MFT; others are pointed to from the MFT.
Resident attributes are stored in the MFT record.
Non-resident attributes are stored in cluster runs. A cluster run consists of consecutive clusters and is identified by a starting cluster and a run length.
NTFS distinguishes between Virtual Cluster Numbers (VCN) and Logical Cluster Numbers (LCN).
LCN * (number of sectors in a cluster) = sector number.
LCN 0 is the first cluster in the volume (the boot sector).
VCN 0 refers to the first cluster in a cluster run.

Each attribute type within an MFT record is identified by a code number.
A single MFT entry can have multiple attributes of the same type.
Attribute contents can be of different sizes, depending on the attribute type.
Resident attributes (such as Standard Information, File Name, and Data) are stored locally.
Non-resident attributes are stored as a starting cluster number and a run length.

NTFS File Attributes
Attribute type: description
Standard Information: Includes information such as timestamps and link count.
Attribute List: Lists the location of all attribute records that do not fit in the MFT record.
File Name: A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes.
Security Descriptor: Describes who owns the file and who can access it.
Data: Contains file data. NTFS allows multiple data attributes per file. Each file typically has one unnamed data attribute. A file can also have one or more named data attributes, each using a particular syntax.
Object ID: A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Logged Utility Stream: Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Reparse Point: Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Index Root: Used to implement folders and other indexes.
Index Allocation: Used to implement folders and other indexes.
Bitmap: Used to implement folders and other indexes.
Volume Information: Used only in the $Volume system file. Contains the volume version.
Volume Name: Used only in the $Volume system file. Contains the volume label.

$MFT Template

MFT Records for Directories
Folders contain index data.
Small folders reside within the MFT record.
Larger folders have an index structure pointing to other data blocks; they use a B-tree structure.

MFT Small File Entry
The master file table allocates a certain amount of space for each file record. The attributes of a file are written to the allocated space in the MFT. Small files and directories (typically < 800 bytes), such as the file illustrated in the next figure, can be contained entirely within the master file table record.
NTFS Multiple Data Streams (Alternate Data Streams, ADS)
For compatibility with Mac OS forks (executable forks).
In NTFS, a file can have an unlimited number of streams.
A data stream is not displayed when you open a text file in a text editor.
You must examine the MFT record for the file to see if there is a ':' following the file name.
Copying the file to FAT includes only the first stream.
ADS example: Innocuousfile.txt has an alternate stream Innocuousfile.txt:hiddenporn

File System Comparisons

Operating systems
NTFS v.5: Windows 2000, Windows XP, Vista, Win 7
exFAT: Windows XP, Vista, Win 7, Mac OS X
FAT32: Windows 98, Windows ME, Windows 2000, Windows XP, Vista, Win 7, Mac OS X
FAT16: DOS, all versions of Microsoft Windows

Limitations (NTFS v.5 / exFAT / FAT32 / FAT16)
Max volume size: 2 TB / 128 petabytes / 2 TB / 2 GB
Max files on volume: nearly unlimited / nearly unlimited / nearly unlimited / ~65,000
Max file size: limited only by volume size / 16 exabytes / 4 GB / 2 GB
Max number of clusters: nearly unlimited / nearly unlimited / 268,435,456 / 65,535
Max file name length: up to 255 / up to 255 / up to 255 / standard 8.3, extended up to 255

File System Features (NTFS5 / NTFS / FAT32 / FAT16)
Unicode file names: Unicode character set / Unicode character set / system character set / system character set
System records mirror: MFT mirror file / MFT mirror file / second copy of FAT / second copy of FAT
Boot sector location: first and last sectors / first and last sectors / first sector / first sector
File attributes: standard and custom / standard and custom / standard set / standard set
Alternate streams: yes / yes / no / no
Compression: yes / yes / no / no
Encryption: yes / no / no / no
Object permissions: yes / yes / no / no
Disk quotas: yes / no / no / no
Sparse files: yes / no / no / no
Reparse points: yes / no / no / no
Volume mount points: yes / no / no / no
File names: 256 char / 256 char / 256 char / 8.3 names

Overall Performance (NTFS5 / NTFS / FAT32 / FAT16)
Built-in security: yes / yes / no / no
Recoverability: yes / yes / no / no
Performance: low on small volumes, high on large / low on small volumes, high on large / high on small volumes, low on large / highest on small volumes, low on large
Disk space economy: max / max / average / minimal on large volumes
Fault tolerance: max / max / minimal / average
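The MFT record structure slides (header, attribute headers, resident vs. non-resident attributes, cluster runs, VCN/LCN) and the alternate data streams slide, as one added worked example that is not part of the slides: Python code that builds a constructed 1024-byte MFT FILE record and then parses it, listing the $FILE_NAME, reading the Create time from $STANDARD_INFORMATION, decoding the data runs of a non-resident $DATA attribute into (LCN, length) pairs and sector numbers, and reporting named $DATA attributes, which is exactly what an ADS is in the MFT. The on-disk offsets (first-attribute offset at 0x14, 24-byte resident and 64-byte non-resident attribute headers, run-list nibble encoding) are the standard NTFS layout, not something the slides spell out; the file name "notes.txt", the stream name "hidden", the LCNs and the timestamp are constructed sample values, and all function names are this example's own. One caveat the slides do not mention: every sector of a record has its last two bytes replaced by an update sequence number, so the parser restores those bytes (fixups) before reading attributes and refuses a record whose fixups do not match.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not the slides' code: build a constructed 1024-byte MFT FILE record and
# parse it as the slides describe (header, attribute headers, resident vs. non-resident
# content, data runs, VCN -> LCN -> sector). Layout offsets are the standard NTFS ones.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch (100-ns ticks)
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(raw, sector_size=512):
    # NTFS replaces the last 2 bytes of every sector of a record with the update sequence
    # number (USN) and stores the originals in the update sequence array; restore them.
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d: torn write or corrupt record" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runlist(buf, off):
    # Run header byte: low nibble = size of the length field, high nibble = size of the
    # LCN field, which is a signed delta from the previous run's LCN. 0x00 terminates.
    runs, lcn = [], 0
    while buf[off] != 0:
        len_sz, off_sz = buf[off] & 0x0F, buf[off] >> 4
        length = int.from_bytes(buf[off + 1:off + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[off + 1 + len_sz:off + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, length))   # None = sparse run, nothing on disk
        off += 1 + len_sz + off_sz
    return runs

def parse_mft_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, attrs = struct.unpack_from("<H", rec, 0x14)[0], []   # 0x14: offset of first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        a = {"type": atype, "resident": nonres == 0,
             "name": rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")}
        if nonres == 0:                                   # content is inside the MFT record
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            a["content"] = rec[off + coff:off + coff + csize]
        else:                                             # content is out in cluster runs
            run_off = struct.unpack_from("<H", rec, off + 32)[0]
            a["real_size"] = struct.unpack_from("<Q", rec, off + 48)[0]
            a["runs"] = decode_runlist(rec, off + run_off)
        attrs.append(a)
        off += alen
    return attrs

def file_names(attrs):   # $FILE_NAME: name length at byte 64, UTF-16LE name from byte 66
    return [a["content"][66:66 + 2 * a["content"][64]].decode("utf-16-le") for a in attrs if a["type"] == FILE_NAME]

def creation_time(attrs):   # first FILETIME of $STANDARD_INFORMATION is the Create time
    si = next(a for a in attrs if a["type"] == STANDARD_INFORMATION)
    return EPOCH_1601 + timedelta(microseconds=struct.unpack_from("<Q", si["content"], 0)[0] // 10)

def alternate_data_streams(attrs):   # a named $DATA attribute is an ADS (file.txt:name)
    return [a["name"] for a in attrs if a["type"] == DATA and a["name"]]

def runs_to_sectors(runs, sectors_per_cluster):   # LCN * sectors per cluster = sector number
    return [(lcn * sectors_per_cluster, n * sectors_per_cluster) for lcn, n in runs if lcn is not None]

def _resident(atype, content, name=""):
    nb, coff = name.encode("utf-16-le"), (24 + 2 * len(name) + 7) & ~7
    buf = bytearray((coff + len(content) + 7) & ~7)
    struct.pack_into("<IIBBHHHIH", buf, 0, atype, len(buf), 0, len(name), 24, 0, 0, len(content), coff)
    buf[24:24 + len(nb)], buf[coff:coff + len(content)] = nb, content
    return bytes(buf)

def _nonresident(atype, runlist, end_vcn, real_size, cluster_size, name=""):
    nb, roff = name.encode("utf-16-le"), 64 + 2 * len(name)
    buf = bytearray((roff + len(runlist) + 7) & ~7)
    struct.pack_into("<IIBBHHHQQHHIQQQ", buf, 0, atype, len(buf), 1, len(name), 64, 0, 0,
                     0, end_vcn, roff, 0, 0, (end_vcn + 1) * cluster_size, real_size, real_size)
    buf[64:64 + len(nb)], buf[roff:roff + len(runlist)] = nb, runlist
    return bytes(buf)

def build_sample_mft_record(cluster_size=4096):
    # Constructed record: $STANDARD_INFORMATION, $FILE_NAME "notes.txt", an unnamed resident
    # $DATA ("hello") and a named non-resident $DATA "hidden" (an ADS) whose run list is
    # 4 clusters at LCN 100 then 2 clusters at LCN 90 (delta -10 = 0xF6).
    ft = ((datetime(2020, 1, 1, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1)) * 10
    si = struct.pack("<QQQQI", ft, ft, ft, ft, 0x20).ljust(48, b"\0")
    fn = struct.pack("<QQQQQQQIIBB", 5, ft, ft, ft, ft, 0, 5, 0x20, 0, 9, 1) + "notes.txt".encode("utf-16-le")
    body = (_resident(STANDARD_INFORMATION, si) + _resident(FILE_NAME, fn) + _resident(DATA, b"hello")
            + _nonresident(DATA, bytes([0x11, 0x04, 0x64, 0x11, 0x02, 0xF6, 0x00]), 5, 20000, cluster_size, "hidden")
            + struct.pack("<II", END_MARKER, 0))
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    # USA at 0x30 (3 entries), sequence 1, 1 hard link, first attribute at 0x38, in-use flag, sizes
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024)
    rec[0x38:0x38 + len(body)] = body
    rec[0x30:0x32] = b"\x01\x00"                       # the USN itself
    for i, end in ((1, 512), (2, 1024)):               # stash each sector's tail, overwrite with USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)
```

To use this on an image, read 1024 bytes at the $MFT byte offset obtained from the boot sector (LCN of the MFT times the cluster size) for record 0, then step through records of that size; every record whose $DATA attributes include a named one is a file carrying an alternate data stream, which is the check the ADS slide describes as looking for a ':' after the file name. The run list is the only information NTFS keeps about where a non-resident stream lives, so the (LCN, length) pairs decoded here are what a carver or hashing tool reads from the volume.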