The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV. The content of this presentation reflects the opinion of the author.
File System Analysis (Win) NTFS
Digital Forensic
Developers:
J. Rolnik
T. Willkomm
A. Kühn
Concept behind NTFS
The New Technologies File System (NTFS) was designed by Microsoft and is the default file system for Microsoft Windows NT, Windows 2000, Windows XP, and Windows Server.
NTFS is a much more complex file system than FAT because it has many features and is very scalable.
FAT will still exist in mobile and small storage devices, but NTFS will likely be the most common file system for Windows investigations.
Unfortunately, there is no published specification from Microsoft that describes the on-disk layout.
00.00.2010 |
2 |
Fußzeile - Titelthema |
Concept behind NTFS
Everything in NTFS is a file.
The entire file system is considered a data area, and any sector can be allocated to a file.
One of the most important concepts in understanding the design of NTFS is that important data are allocated to files.
This includes the basic file system administrative data that are typically hidden by other file systems.
The only consistent layout is that the first sectors of the volume contain the boot sector and boot code (cluster 0).
Every file and directory has at least one entry in the table $MFT (Master File Table).
File contents are stored in clusters or in the $MFT itself.
Clusters are managed in a bitmap file ($Bitmap).
To prevent the $MFT from becoming fragmented, Microsoft reserves part of the file system for the MFT (MFT Zone = 12.5 % of the file system).
Physical position of the system files
FAT system | NTFS system
Boot area: 1 sector (FAT12/16), 32+ for FAT32 | Boot area: 1 sector, NT loader
FAT 1 and 2 | Data area
Root | MFT
Data area | Data area
Boot block
The sector number of the boot block is stored in the partition table of the MBR (relative sectors).
The boot block contains a pointer in the BPB (BIOS Parameter Block) at offset 0x30 to the Master File Table ($MFT),
and another pointer (at offset 0x38) to the copy of the Master File Table ($MFTMirr).
Boot block
Important!
A copy of the boot block is stored in the last sector of the partition described in the MBR.
This sector is not part of the volume and cannot be deleted or overwritten by the file system.
BIOS Parameter Block
Extended BIOS Parameter Block
Structure of the boot block
Offset (hex) | Length | Meaning
0 | 3 | Jump to boot loader
3 | 8 | System ID: "NTFS    "
B | 2 | Bytes/sector
D | 1 | Sectors per cluster
E | 7 | unused
15 | 1 | Media descriptor
16 | 2 | unused
18 | 2 | Sectors/track
1A | 2 | Heads
1C | 4 | Hidden sectors
20 | 4 | unused
24 | 4 | always 80 00 80 00?
28 | 8 | Sectors in volume
30 | 8 | Start cluster of the Master File Table ($MFT)
38 | 8 | Start cluster of the copy of the Master File Table ($MFTMirr)
40 | 4 | Clusters per FILE record
44 | 4 | Clusters per index buffer
48 | 8 | Serial number
50 | 4 | Checksum
54 | | Boot code
1FE | 2 | Magic boot sector ID: AA 55
[Figure: annotated hex dump of the boot sector, marking the number of sectors, the cluster number of the MFT, the cluster number of the MFTMirr, clusters/record, clusters/INDX record and the BIOS signature]
Offset (dec) | Length | Description
40 | 8 | Number of sectors in volume
48 | 8 | Starting cluster of the Master File Table ($MFT)
56 | 8 | Starting cluster of the copy of the Master File Table ($MFTMirr)
64 | 1 | Number of clusters per FILE record (if the value is > 0 it is the number of clusters for this structure; if the value is < 0 it is a byte value and must be calculated with a special formula: 2^(-1 * value) bytes per MFT or index record)
65 | 3 | Not used
68 | 4 | Number of clusters per index record
Exercise
Image of NTFS
Note from the MBR: the number of sectors in the partition, then go to the boot block.
Note or calculate the following values:
number of sectors in this volume
start cluster of the $MFT
start cluster of the $MFTMirr
physical and logical sector of the MFT
physical sector number of the copy of the boot block
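The following parser is an added example, not part of the original slides: it reads the boot-block fields from the two tables above (including the signed "clusters per record" byte at decimal offset 64) and derives the exercise values. The boot sector it parses is constructed in the code, and the MBR partition start is assumed to equal the hidden-sectors field unless a value read from the MBR is passed in.

```python
import struct

def build_sample_boot_sector():
    """Constructed 512-byte NTFS boot sector (not taken from a real image)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                    # jump to boot loader
    bs[3:11] = b"NTFS    "                        # system ID
    struct.pack_into("<H", bs, 0x0B, 512)         # bytes per sector
    bs[0x0D] = 8                                  # sectors per cluster
    struct.pack_into("<I", bs, 0x1C, 2048)        # hidden sectors (partition start in the MBR)
    struct.pack_into("<Q", bs, 0x28, 2097151)     # sectors in volume
    struct.pack_into("<Q", bs, 0x30, 786432)      # start cluster of $MFT
    struct.pack_into("<Q", bs, 0x38, 2)           # start cluster of $MFTMirr
    bs[0x40] = 0xF6                               # signed -10 -> 2^10 = 1024 bytes per FILE record
    bs[0x44] = 1                                  # 1 cluster per index record
    bs[0x1FE:0x200] = b"\x55\xAA"                 # magic ID 0xAA55, stored as 55 AA on disk
    return bytes(bs)

def record_size(raw, bytes_per_cluster):
    """Offset 0x40/0x44: positive = clusters per record, negative = 2^(-value) bytes."""
    v = raw - 256 if raw > 127 else raw           # interpret the byte as signed
    return v * bytes_per_cluster if v > 0 else 1 << (-v)

def parse_boot_sector(bs):
    """Pull the fields an examiner notes from the boot block (offsets from the tables above)."""
    if len(bs) < 512 or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("boot sector signature missing")
    if bs[3:11] != b"NTFS    ":
        raise ValueError("system ID is not NTFS")
    bps, = struct.unpack_from("<H", bs, 0x0B)
    spc = bs[0x0D]
    hidden, = struct.unpack_from("<I", bs, 0x1C)
    total, mft, mirr = struct.unpack_from("<QQQ", bs, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "hidden_sectors": hidden,
            "sectors_in_volume": total, "mft_cluster": mft, "mftmirr_cluster": mirr,
            "file_record_size": record_size(bs[0x40], bps * spc),
            "index_record_size": record_size(bs[0x44], bps * spc)}

def locate(info, partition_start=None):
    """Exercise values. partition_start normally comes from the MBR; when not given
    it is assumed (an assumption of this example) to equal the hidden-sectors field."""
    start = info["hidden_sectors"] if partition_start is None else partition_start
    mft_logical = info["mft_cluster"] * info["sectors_per_cluster"]
    return {"mft_logical_sector": mft_logical,
            "mft_physical_sector": start + mft_logical,
            "mftmirr_physical_sector": start + info["mftmirr_cluster"] * info["sectors_per_cluster"],
            # the volume occupies sectors_in_volume sectors; the boot block copy is the
            # sector after them, i.e. the last sector of the MBR partition
            "boot_copy_physical_sector": start + info["sectors_in_volume"]}

if __name__ == "__main__":
    print(locate(parse_boot_sector(build_sample_boot_sector())))
```

To run it against an image, replace build_sample_boot_sector() with the 512 bytes read at the partition start sector noted from the MBR and pass that sector as partition_start.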
MFT
Central structure of the NTFS partition
Database containing records for each file and folder on an NTFS volume, and thus information about the content of the disk
Each record describes a file or a directory with all its details
The record size is 1024 bytes and comprises
a header
and a number of attributes
$MFT – Master File Table
$MFT
Every file and directory has at least one record in the MFT, including the MFT itself
Files and directories can have more than one MFT entry
Data can be resident or non-resident
Each record is identified by a 64-bit file reference number
