
BACS 371
Computer Forensics
File Systems within Partitions II

File Systems
(See http://www.ntfs.com)

A file system is a method for storing and organizing computer files and the data they contain, so that they are easy to find and access.
File System Types
• FAT (File Allocation Table)
  • FAT12
  • FAT16
  • FAT32
  • exFAT
• NTFS (New Technology File System)

Functions
• Manage “free space”
• Allocate clusters to files
• Track time (MAC – Modify, Access, Create)
FAT File System
Partition layout: Boot Sector | FAT 1 | FAT 2 (Duplicate) | Directory | Other folders and all files
This is all contained within a partition.

Directory to FAT interaction
File Allocation Table (FAT)
Partition Boot Record (PBR)
• BIOS Parameter Block
• Executable Code
  • Machine Language Code
  • Processor Specific
  • Decodes BPB
  • Searches for OS
• PBR “Signature”
  • 0x55AA
Decoding a Partition Boot Record (BIOS Parameter Block – BPB)

Jump Instruction
• Offset 0x00
• 3 bytes

OEM Name
• Offset 0x03
• 8 bytes
• Decode as ASCII
• “MSDOS5.0”

Bytes Per Sector
• Offset 0x0B
• 2 bytes
• Decode as Number (swap “endian”)
• 0x0200 = 512

Sectors Per Cluster
• Offset 0x0D
• 1 byte
• Decode as Number
• 0x08 = 8
• 8 * 512 = 4096 bytes/cluster

Media Type
• Offset 0x15
• 1 byte
• Decode from Table
• 0xF8 means HD

Sectors per Track
• Offset 0x18
• 2 bytes
• Decode as Number (swap “endian”)
• 0x003F = 63

Heads
• Offset 0x1A
• 2 bytes
• Decode as Number (swap “endian”)
• 0x00FF = 255

Total Sectors
• Offset 0x20
• 4 bytes
• Decode as Number (swap “endian”)
• 0x000E37BA = 931,770
• 477,066,240 Bytes

FAT Size (Sectors)
• Offset 0x24
• 4 bytes
• Decode as Number (swap “endian”)
• 0x0000038D = 909
• 465,408 Bytes (*512)
• 58,176 Entries (/4)
• 238,288,896 bytes addressed (*4096)

File System Type
• Offset 0x52
• 8 bytes
• Decode as ASCII
• “FAT32   ”
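The decoding steps above carried out in code. This is an added example, not code from the slides: it fills a 512-byte sector with the slide's sample values (a constructed sector, not a disk image) and decodes the same fields with Python's struct, where the "<" format prefix performs the endian swap; MEDIA_TYPES is an assumed two-entry lookup table.

```python
import struct

MEDIA_TYPES = {0xF8: "HD (fixed disk)", 0xF0: "removable (floppy)"}   # assumed lookup table

def build_sample_pbr() -> bytes:
    """Constructed 512-byte FAT32 boot sector holding the slide's sample values."""
    sec = bytearray(512)
    sec[0x00:0x03] = b"\xEB\x58\x90"                 # jump instruction
    sec[0x03:0x0B] = b"MSDOS5.0"                     # OEM name
    struct.pack_into("<H", sec, 0x0B, 0x0200)        # bytes per sector = 512
    sec[0x0D] = 0x08                                 # sectors per cluster = 8
    sec[0x15] = 0xF8                                 # media type: hard disk
    struct.pack_into("<H", sec, 0x18, 0x003F)        # sectors per track = 63
    struct.pack_into("<H", sec, 0x1A, 0x00FF)        # heads = 255
    struct.pack_into("<I", sec, 0x20, 0x000E37BA)    # total sectors = 931,770
    struct.pack_into("<I", sec, 0x24, 0x0000038D)    # FAT size in sectors = 909
    sec[0x52:0x5A] = b"FAT32   "                     # file system type string
    sec[0x1FE:0x200] = b"\x55\xAA"                   # PBR signature
    return bytes(sec)

def decode_fat32_pbr(sec: bytes) -> dict:
    """Decode the BPB fields the slide walks through; '<' tells struct to read little-endian."""
    if len(sec) < 512 or sec[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot-record signature")
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    spt, heads = struct.unpack_from("<HH", sec, 0x18)
    total_sectors, fat_sectors = struct.unpack_from("<II", sec, 0x20)
    info = {
        "oem_name": sec[0x03:0x0B].decode("ascii"),
        "fs_type": sec[0x52:0x5A].decode("ascii").rstrip(),
        "media_type": MEDIA_TYPES.get(sec[0x15], "unknown (0x%02X)" % sec[0x15]),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "bytes_per_cluster": bps * spc,
        "sectors_per_track": spt, "heads": heads,
        "total_sectors": total_sectors, "total_bytes": total_sectors * bps,
        "fat_sectors": fat_sectors, "fat_bytes": fat_sectors * bps,
        "fat_entries": fat_sectors * bps // 4,       # each FAT32 entry is 4 bytes
    }
    info["bytes_addressable"] = info["fat_entries"] * info["bytes_per_cluster"]
    return info

if __name__ == "__main__":
    for key, value in decode_fat32_pbr(build_sample_pbr()).items():
        print(f"{key:18} {value:,}" if isinstance(value, int) else f"{key:18} {value}")
```

Dividing the 465,408-byte FAT by 4-byte entries gives 116,352 entries (the slide's 58,176 is what dividing by 8 yields), and the decoder refuses a sector that lacks the 0x55AA signature.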
FAT32
• 32-bit cluster numbers
  • Only 28 bits are actually used
  • Addresses 2^28 clusters (~ 268,435,438)
  • Drive sizes ~ 1 TB (2^28 clusters * 4096 bytes per cluster ~ 1.1 TB)
  • WinXP limited to 32 GB using FAT32
  • Max file size in FAT32 is 2^32 - 1 bytes ~ 4 GB
Advantages of FAT32 over FAT16
• FAT32 offers smaller cluster sizes -> less wasted space
• FAT32 systems can reallocate and change the size of the root directory
• FAT32 drives can contain a copy of the boot record(s) -> less prone to failure
• Allow for long file names
Long File Names “Trick”
• Phony entries are added to the Directory Tables
• Entries are marked with a volume label attribute
• Each phony entry can contain up to 13 UTF-16 characters (26 bytes)
Long File Name Entries
Red entries are short file name entries; blue entries are for a long file name. Read the long filename entries from the bottom to the top. Note that the first byte of each long filename entry is 01, 02, 03, 04, 05, or 06 (OR'ed with 40 to indicate the last segment). Long filename entries have 0F in the 12th byte (the attribute byte); directory entries have 10 in this position (indicating a directory).
FAT Root Directory
• Volume ID Directory Entry
• Single Directory Entry for a file with a “short” filename.
• Multiple Directory Entries for a file with a “long” filename. There are 4 entries to contain the long file name, and 1 entry to contain the complete set of file information including the “short” file name.
• Designates Attribute Bits
  • 0x08 = Volume Label
  • 0x20 = Archive
  • 0x0F = Long File Name
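An added example (not from the slides) that builds constructed FAT directory entries for files with long names and reads them back the way the figure describes: long-name pieces are collected by their ordinal (the 0x40 last-segment flag masked off), re-ordered, and attached to the following 8.3 entry only when the checksum carried in byte 13 matches that short name. build_entries, parse_directory and the sample file names are assumptions of this example.

```python
import struct

def lfn_checksum(short_name: bytes) -> int:
    """Checksum of the 11-byte 8.3 name; every long-name piece carries it in byte 13."""
    s = 0
    for c in short_name:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s

def u16(chars) -> bytes: return "".join(chars).encode("utf-16-le")

def build_entries(long_name: str, short_name: bytes, attr: int = 0x20) -> bytes:
    """Constructed 32-byte entries: long-name pieces (last piece first on disk), then the 8.3 entry."""
    chars = list(long_name) + ["\x00"]                  # NUL terminator, then 0xFFFF padding
    n = (len(chars) + 12) // 13                         # 13 UTF-16 characters per piece
    chars += ["\uffff"] * (n * 13 - len(chars))
    out = b""
    for i in range(n, 0, -1):                           # highest ordinal is written first
        p = chars[(i - 1) * 13:i * 13]
        seq = i | (0x40 if i == n else 0)               # 0x40 marks the last segment
        out += (bytes([seq]) + u16(p[:5]) + bytes([0x0F, 0x00, lfn_checksum(short_name)])
                + u16(p[5:11]) + b"\x00\x00" + u16(p[11:13]))
    return out + short_name + bytes([attr]) + bytes(20)  # 8.3 entry; times/cluster/size zeroed

def parse_directory(data: bytes):
    """Yield (long name or None, 8.3 name, attribute byte) per file, reassembling long-name pieces."""
    pieces, expected = {}, None
    for off in range(0, len(data), 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                                # end of directory
            break
        if e[0] == 0xE5:                                # deleted entry (carving would keep it)
            continue
        if e[11] == 0x0F:                               # attribute 0x0F: long-name piece
            pieces[e[0] & 0x3F] = e[1:11] + e[14:26] + e[28:32]
            expected = e[13]
            continue
        short, long_name = e[0:11], None
        if pieces and expected == lfn_checksum(short):  # pieces must belong to this 8.3 name
            raw = b"".join(pieces[k] for k in sorted(pieces))
            long_name = raw.decode("utf-16-le").split("\x00", 1)[0]
        pieces, expected = {}, None
        yield long_name, short.decode("ascii"), e[11]

if __name__ == "__main__":
    directory = (build_entries("Innocuousfile.txt", b"INNOCU~1TXT")
                 + build_entries("Quarterly Report 2024.docx", b"QUARTE~1DOC", 0x10) + bytes(32))
    for lfn, sfn, attr in parse_directory(directory):
        print(f"{sfn!r:16} attr=0x{attr:02X} long={lfn}")
```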
NTFS File System
Partition layout: Boot Sector | Master File Table | System Files | File Area
NTFS Capacities
• Maximum Volume Size
  • 16 exabytes theoretically
  • 16 terabytes actually
• Max File Size
  • Approx. 256 terabytes theoretically
  • 16 terabytes actually
• Files per Volume
  • 4,294,967,295
NTFS Partition Boot Sector
Byte Offset | Field Length | Field Name
0x00   | 3 Bytes   | Jump Instruction
0x03   | 8 Bytes   | OEM ID
0x0B   | 25 Bytes  | BIOS Parameter Block (BPB)
0x24   | 48 Bytes  | Extended BPB
0x54   | 426 Bytes | Bootstrap Code
0x01FE | 2 Bytes   | End of Sector Marker (55 AA)
NTFS BPB and Extended BPB
Byte Offset | Field Length | Sample Value (1) | Field Name
0x0B | WORD     | 0x0002             | Bytes Per Sector
0x0D | BYTE     | 0x08               | Sectors Per Cluster
0x0E | WORD     | 0x0000             | Reserved Sectors
0x10 | 3 BYTES  | 0x000000           | always 0
0x13 | WORD     | 0x0000             | not used by NTFS
0x15 | BYTE     | 0xF8               | Media Descriptor
0x16 | WORD     | 0x0000             | always 0
0x18 | WORD     | 0x3F00             | Sectors Per Track
0x1A | WORD     | 0xFF00             | Number Of Heads
0x1C | DWORD    | 0x3F000000         | Hidden Sectors
0x20 | DWORD    | 0x00000000         | not used by NTFS
0x24 | DWORD    | 0x80008000         | not used by NTFS
0x28 | LONGLONG | 0x4AF57F0000000000 | Total Sectors
0x30 | LONGLONG | 0x0400000000000000 | Logical Cluster Number for the file $MFT
0x38 | LONGLONG | 0x54FF070000000000 | Logical Cluster Number for the file $MFTMirr
0x40 | DWORD    | 0xF6000000         | Clusters Per File Record Segment
0x44 | DWORD    | 0x01000000         | Clusters Per Index Block
0x48 | LONGLONG | 0x14A51B74C91B741C | Volume Serial Number
0x50 | DWORD    | 0x00000000         | Checksum

(1) Don't forget – Little Endian! The sample values are shown in on-disk byte order.
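An added example (not part of the slides) that decodes the table's sample values: because the hex in the table is the on-disk byte order, the constructed sector is filled with bytes.fromhex() and read back little-endian. It also shows why the clusters-per-file-record value 0xF6 yields the 1,024-byte MFT record: that byte is signed, and a negative value n means 2^|n| bytes. The function names and the constructed sector are assumptions of this example.

```python
import struct

def build_sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector filled from the table's sample values.  The table's hex
    is the byte order as it appears on disk, so each value is written with bytes.fromhex()."""
    sec = bytearray(512)
    sec[0x00:0x03] = bytes.fromhex("EB5290")             # jump instruction
    sec[0x03:0x0B] = b"NTFS    "                         # OEM ID
    sec[0x0B:0x0D] = bytes.fromhex("0002")               # bytes per sector
    sec[0x0D] = 0x08                                     # sectors per cluster
    sec[0x15] = 0xF8                                     # media descriptor
    sec[0x18:0x1A] = bytes.fromhex("3F00")               # sectors per track
    sec[0x1A:0x1C] = bytes.fromhex("FF00")               # number of heads
    sec[0x1C:0x20] = bytes.fromhex("3F000000")           # hidden sectors
    sec[0x28:0x30] = bytes.fromhex("4AF57F0000000000")   # total sectors
    sec[0x30:0x38] = bytes.fromhex("0400000000000000")   # LCN of $MFT
    sec[0x38:0x40] = bytes.fromhex("54FF070000000000")   # LCN of $MFTMirr
    sec[0x40:0x44] = bytes.fromhex("F6000000")           # clusters per file record segment
    sec[0x44:0x48] = bytes.fromhex("01000000")           # clusters per index block
    sec[0x48:0x50] = bytes.fromhex("14A51B74C91B741C")   # volume serial number
    sec[0x1FE:0x200] = bytes.fromhex("55AA")             # end of sector marker
    return bytes(sec)

def size_from_code(code: int, bytes_per_cluster: int) -> int:
    """The 'clusters per ...' byte is signed: n >= 0 means n clusters, n < 0 means 2**|n| bytes."""
    code = code - 256 if code > 127 else code
    return 2 ** (-code) if code < 0 else code * bytes_per_cluster

def decode_ntfs_boot_sector(sec: bytes) -> dict:
    if sec[0x03:0x0B] != b"NTFS    " or sec[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)       # '<' = little-endian
    spt, heads, hidden = struct.unpack_from("<HHI", sec, 0x18)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    serial, = struct.unpack_from("<Q", sec, 0x48)
    bpc = bps * spc
    return {
        "bytes_per_cluster": bpc, "sectors_per_track": spt, "heads": heads,
        "hidden_sectors": hidden, "total_sectors": total, "volume_bytes": total * bps,
        "mft_offset": mft_lcn * bpc,                      # byte offset of $MFT in the partition
        "mft_mirror_offset": mirr_lcn * bpc,
        "mft_record_size": size_from_code(sec[0x40], bpc),
        "index_block_size": size_from_code(sec[0x44], bpc),
        "volume_serial": f"{serial:016X}",
    }

if __name__ == "__main__":
    for key, value in decode_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:18} {value}")
```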
Master File Table
• Is itself a file
• An array of records constituting a database of all files in the system
• Each record is usually 1024 bytes
• First 16 records contain volume-specific information

NTFS Metadata Files
System File | File Name | MFT Record | Purpose of the File
Master file table | $Mft | 0 | Contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit within a single record, other file records are allocated as well.
Master file table 2 | $MftMirr | 1 | A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure.
Log file | $LogFile | 2 | Contains a list of transaction steps used for NTFS recoverability. Log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000 to restore consistency to NTFS after a system failure.
Volume | $Volume | 3 | Contains information about the volume, such as the volume label and the volume version.
Attribute definitions | $AttrDef | 4 | A table of attribute names, numbers, and descriptions.
Root file name index | $ | 5 | The root folder.
Cluster bitmap | $Bitmap | 6 | A representation of the volume showing which clusters are in use.
Boot sector | $Boot | 7 | Includes the BPB used to mount the volume and additional bootstrap loader code used if the volume is bootable.
Bad cluster file | $BadClus | 8 | Contains bad clusters for the volume.
Security file | $Secure | 9 | Contains unique security descriptors for all files within a volume.
Upcase table | $Upcase | 10 | Converts lowercase characters to matching Unicode uppercase characters.
NTFS extension file | $Extend | 11 | Used for various optional extensions such as quotas, reparse point data, and object identifiers.
(reserved) | | 12–15 | Reserved for future use.

NTFS Master File Table (MFT)
NTFS File Attributes
Attribute Type | Description
Standard Information | Includes information such as timestamps and link count.
Attribute List | Lists the location of all attribute records that do not fit in the MFT record.
File Name | A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes.
Security Descriptor | Describes who owns the file and who can access it.
Data | Contains file data. NTFS allows multiple data attributes per file. Each file typically has one unnamed data attribute. A file can also have one or more named data attributes, each using a particular syntax.
Object ID | A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Logged Utility Stream | Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Reparse Point | Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Index Root | Used to implement folders and other indexes.
Index Allocation | Used to implement folders and other indexes.
Bitmap | Used to implement folders and other indexes.
Volume Information | Used only in the $Volume system file. Contains the volume version.
Volume Name | Used only in the $Volume system file. Contains the volume label.

$MFT Template
NTFS Files
• An NTFS file is actually a collection of attribute/value pairs
• They are structured in an object-oriented fashion
• The attributes of the file are stored in its MFT record(s)
• The standard information ($STANDARD_INFORMATION) is:
  • Timestamps (modified, accessed, created, MFT change)
  • File attributes (read only, hidden, archive, …)
  • Hard link count (number of directory entries that point to the file)
• File Name ($FILE_NAME) is in Unicode
• Data ($DATA) holds the actual data of the file
MFT Small File Entry
The master file table allocates a certain amount of space for each file record. The attributes of a file are written to the allocated space in the MFT. Small files and directories (typically 1500 bytes or smaller), such as the file illustrated in the next figure, can be contained entirely within the master file table record.
NTFS Multiple Data Streams
• For compatibility with Mac OS
  • Fork
  • Executable
• In NTFS, an unlimited number of streams
• A data stream is not displayed when you open a text file in a text editor
• Must examine the MFT record for the file to see if there is a ‘:’ following the file name
• Copying to FAT includes only the 1st stream
• Example
  • Innocuousfile.txt
  • Innocuousfile.txt:hiddenporn

ADS Example
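An added example (not from the slides) of the check described above, done against the MFT record rather than the displayed file name: it builds a constructed, resident-only FILE record for Innocuousfile.txt carrying an unnamed $DATA stream and a named one, walks the attribute headers, and reports every named $DATA attribute as file:stream. The attribute header layout follows the NTFS on-disk format; the builder, the stream name and the omission of update-sequence fixups are assumptions of this example.

```python
import struct

def resident_attr(atype: int, value: bytes, name: str = "") -> bytes:
    """Constructed resident attribute: 24-byte header, optional UTF-16 name, 8-byte-aligned value."""
    nm = name.encode("utf-16-le")
    value_off = (0x18 + len(nm) + 7) & ~7
    length = (value_off + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 0x18, 0, 0, len(value), value_off, 0, 0)
    body = hdr + nm + bytes(value_off - 0x18 - len(nm)) + value
    return body + bytes(length - len(body))

def build_record(file_name: str, streams: dict) -> bytes:
    """Constructed 1024-byte FILE record (fixups omitted: on disk, restore each sector's last 2 bytes from the USA first)."""
    fn = bytes(0x40) + bytes([len(file_name), 1]) + file_name.encode("utf-16-le")  # $FILE_NAME layout
    attrs = resident_attr(0x10, bytes(0x30))          # $STANDARD_INFORMATION (timestamps zeroed)
    attrs += resident_attr(0x30, fn)
    for name, content in streams.items():
        attrs += resident_attr(0x80, content, name)   # $DATA; "" is the unnamed default stream
    attrs += b"\xFF\xFF\xFF\xFF"                      # end-of-attributes marker
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)           # offset of the first attribute
    rec[0x38:0x38 + len(attrs)] = attrs
    return bytes(rec)

def list_streams(rec: bytes):
    """Walk the attributes; return (file name, [names of $DATA streams]), '' being the unnamed one."""
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, = struct.unpack_from("<H", rec, 0x14)
    file_name, streams = None, []
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or length == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if atype == 0x30 and not nonres:                  # $FILE_NAME: length at 0x40, text at 0x42
            val_len, val_off = struct.unpack_from("<IH", rec, off + 0x10)
            v = rec[off + val_off:off + val_off + val_len]
            file_name = v[0x42:0x42 + 2 * v[0x40]].decode("utf-16-le")
        elif atype == 0x80:                               # every named $DATA is an alternate stream
            streams.append(name)
        off += length
    return file_name, streams

if __name__ == "__main__":
    fname, names = list_streams(build_record("Innocuousfile.txt", {"": b"hello", "hidden": b"constructed ADS"}))
    for name in names:
        print(fname if name == "" else f"{fname}:{name}")
```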
File System Features
Criteria              | NTFS5                  | NTFS                   | FAT32                | FAT16
Unicode File Names    | Unicode Character Set  | Unicode Character Set  | System Character Set | System Character Set
System Records Mirror | MFT Mirror File        | MFT Mirror File        | Second Copy of FAT   | Second Copy of FAT
Boot Sector Location  | First and Last Sectors | First and Last Sectors | First Sector         | First Sector
File Attributes       | Standard and Custom    | Standard and Custom    | Standard Set         | Standard Set
Alternate Streams     | Yes      | Yes      | No       | No
Compression           | Yes      | Yes      | No       | No
Encryption            | Yes      | No       | No       | No
Object Permissions    | Yes      | Yes      | No       | No
Disk Quotas           | Yes      | No       | No       | No
Sparse Files          | Yes      | No       | No       | No
Reparse Points        | Yes      | No       | No       | No
Volume Mount Points   | Yes      | No       | No       | No
File Names            | 256 Char | 256 Char | 256 Char | 8.3 Names
Overall Performance
Criteria           | NTFS5                               | NTFS                                | FAT32                               | FAT16
Built-In Security  | Yes                                 | Yes                                 | No                                  | No
Recoverability     | Yes                                 | Yes                                 | No                                  | No
Performance        | Low on small volumes, high on large | Low on small volumes, high on large | High on small volumes, low on large | Highest on small volumes, low on large
Disk Space Economy | Max                                 | Max                                 | Average                             | Minimal on large volumes
Fault Tolerance    | Max                                 | Max                                 | Minimal                             | Average