Mastering Windows Network Forensics and Investigation

Chapter 7: Windows File Systems

Chapter Topics:
• File Systems vs Operating Systems
• Understanding FAT File Systems
• Understanding NTFS File Systems
• Dealing with Alternate Data Streams

March 22, 2016
© Wiley Inc. 2007. All Rights Reserved

File Systems vs Operating Systems
• The operating system is responsible for carrying out the basic tasks of the computer
• O/S types:
  – Microsoft DOS
  – Microsoft Windows
  – Unix
  – Linux
  – Mac OS X

File Systems vs Operating Systems
• A file system is the system or method of storing and retrieving data on a computer
• File system types:
  – FAT (12, 16, 32)
  – NTFS
  – HFS
  – HFS+
  – ZFS
  – Ext2
  – Ext3
  – ISO 9660
  – UDF
  – UFS

Windows Operating System
• Uses the FAT and NTFS file systems
• FAT is the ideal cross-platform file system, as nearly all operating systems can reliably read it and write to it
• Each version of Windows has a directory structure that is usually indicative of the version

Default System & Profile Folder Names for Windows Versions

OPERATING SYSTEM   USER PROFILE FOLDERS                 DEFAULT SYSTEM FOLDER
Windows 9x/Me      No Documents and Settings folder     C:\Windows
Windows NT         No Documents and Settings folder;    C:\WINNT
                   C:\WINNT\Profiles
Windows 2000       C:\Documents and Settings            C:\WINNT
Windows XP         C:\Documents and Settings            C:\Windows

Minimal Functions of any File System
• Track the name of the file (or directory).
• Track the starting point where the file starts.
• Track the length of the file along with other file metadata, such as timestamps.
• Track the clusters used by the file (cluster runs).
• Track which allocation units (clusters) are allocated and which ones are not.

FAT File System
• Major components
  – FAT (File Allocation Table)
    • Tracks the clusters used by the file
    • Tracks which allocation units (clusters) are allocated and which are not
  – 32-byte FAT directory entry
    • Tracks the name of the file (or directory)
    • Tracks the starting point where the file starts
    • Tracks the length of the file along with other file metadata, such as timestamps

FAT32 Directory Entry

BYTE OFFSET (DECIMAL)   DESCRIPTION
0                       First character of filename, or status byte
1-7                     Characters 2-8 of filename
8-10                    3 characters of file extension
11                      Attributes (detailed in Table 7.6)
12-13                   Reserved
14-17                   Created time and date of file, stored as an MS-DOS 32-bit date/time stamp
18-19                   Last accessed date (no time!)
20-21                   Two high bytes of the FAT32 starting cluster; FAT12/16 will have zeros
22-25                   Last written time and date of file, stored as an MS-DOS 32-bit date/time stamp
26-27                   Starting cluster for FAT12/16; two low bytes of the starting cluster for FAT32
28-31                   Size of file in bytes (32-bit integer). Note: will be 0 for directories!
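As an added worked example (not from the book or these slides), a Python decoder for the 32-byte directory entry laid out above. The sample entry bytes are constructed here; the attribute bit names and the 0xE5 (deleted) and 0x00 (never used) status markers come from the FAT specification rather than from this slide, which defers attributes to Table 7.6.

```python
import struct
from datetime import date, datetime

# Standard FAT attribute bits (the slide defers these to Table 7.6, not shown here).
ATTR_BITS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
             0x08: "volume-label", 0x10: "directory", 0x20: "archive"}

# Constructed sample entry (not from the slides): REPORT.DOC, archive bit set, created and
# last written 2016-03-22 14:30:00, accessed 2016-03-22, starting cluster 0x12345, 12345 bytes.
SAMPLE_ENTRY = struct.pack(
    "<8s3sBBBHHHHHHHI",
    b"REPORT  ", b"DOC", 0x20, 0, 0,  # bytes 0-13: name, extension, attributes, reserved
    0x73C0, 0x4876, 0x4876,           # bytes 14-19: created time, created date, accessed date
    0x0001, 0x73C0, 0x4876,           # bytes 20-25: cluster high word, written time, written date
    0x2345, 12345,                    # bytes 26-31: cluster low word, file size
)

def dos_date(raw):
    """MS-DOS date word: bits 15-9 year since 1980, 8-5 month, 4-0 day; 0 means unset."""
    return None if raw == 0 else date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def dos_datetime(time_raw, date_raw):
    """MS-DOS time word: bits 15-11 hours, 10-5 minutes, 4-0 seconds in 2-second units."""
    d = dos_date(date_raw)
    if d is None:
        return None
    return datetime(d.year, d.month, d.day, time_raw >> 11, (time_raw >> 5) & 0x3F, (time_raw & 0x1F) * 2)

def parse_dir_entry(entry):
    """Decode one 32-byte FAT directory entry using the byte offsets in the table above."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    status = entry[0]  # byte 0: first name character, or 0xE5 (deleted) / 0x00 (never used)
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHHHHI", entry, 14)
    first = "?" if status in (0x00, 0xE5) else chr(status)  # first character is lost on delete
    name = (first + entry[1:8].decode("ascii", "replace")).rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    attrs = entry[11]
    return {
        "deleted": status == 0xE5,
        "name": name + ("." + ext if ext else ""),
        "attributes": [n for bit, n in ATTR_BITS.items() if attrs & bit],
        "created": dos_datetime(ctime, cdate),
        "last_accessed": dos_date(adate),          # date only, as the table notes
        "last_written": dos_datetime(wtime, wdate),
        "starting_cluster": (hi << 16) | lo,       # high word is zero on FAT12/16
        "size": size,                              # 0 for directories
    }
```

A deleted entry keeps everything except its first name character, which is why recovered FAT filenames are often shown with a placeholder first letter.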

NTFS File System
• Major components
  – Cluster bitmap ($Bitmap)
    • Tracks the allocation status of all clusters in the partition
  – Master File Table ($MFT)
    • Tracks the clusters used by the file
    • Tracks the name of the file (or directory)
    • Tracks the starting point where the file starts
    • Tracks the length of the file along with other file metadata, such as timestamps

NTFS System Files

MFT RECORD #   FILENAME    DESCRIPTION
0              $MFT        Master File Table; each MFT record is 1,024 bytes in length
1              $MFTMirr    Contains a backup copy of the first four entries of the MFT
2              $LogFile    Journal file that contains file metadata transactions used for system recovery and file integrity
3              $Volume     NTFS version, volume label and identifier
4              $AttrDef    Attribute information
5              $.          Root directory of the file system
6              $Bitmap     Tracks the allocation status of all clusters in the partition
7              $Boot       Contains the partition boot sector and boot code
8              $BadClus    Bad clusters on the partition are tracked with this file
9              $Secure     Contains file permissions and access control settings for file security
10             $UpCase     Converts lower case characters in Unicode by storing an uppercase version of all Unicode characters in this file
11             $Extend     A directory reserved for optional extensions

Alternate Data Streams (ADS)
• An MFT entry can have more than one $DATA attribute
• If more than one $DATA attribute exists, the additional ones are called ADS
• Invisible to the user, even to an administrator
• Can hold hidden data / malicious code
• Always examine for ADS using tools such as streams.exe, EnCase, etc.