File System Forensics THINK BIG WE DO U R I http://www.forensics.cs.uri.edu Digital Forensics Center Department of Computer Science and Statics NTFS Directory Management NTFS Directory Management Directory Management NTFS Uses B-Trees to store sorted attributes - File Name - Security Information - Quotas aaa.txt bbb.txt fff.txt eee.txt ggg.txt hhh.txt mmm.txt ppp.txt rrr.txt ttt.txt vvv.txt zzz.txt aaa.txt bbb.txt eee.txt fff.txt ggg.txt hhh.txt mmm.txt ppp.txt rrr.txt vvv.txt zzz.txt Node Holds up to 3 values ppp.txt? Children Number of values + 1 Directory Management NTFS Uses B-Trees to store sorted attributes - File Name - Security Information - Quotas aaa.txt bbb.txt fff.txt eee.txt hhh.txt mmm.txt ppp.txt rrr.txt ttt.txt vvv.txt zzz.txt jjj.txt Node Holds up to 3 values Children Number of values + 1 ggg.txt T his scenario resulted in: 5 new nodes 2 deleted nodes NTFS Uses B-Trees to store sorted attributes - File Name - Security Information - Quotas Directory Management aaa.txt bbb.txt fff.txt eee.txt hhh.txt mmm.txt ppp.txt rrr.txt ttt.txt vvv.txt zzz.txt jjj.txt Node Holds up to 3 values Children Number of values + 1 ggg.txt T his scenario resulted in: 2 entries marked as deleted fff.txt and bbb.txt $MFT Directory Entries Two types of $MFT Records for Folders (directories) - B-Tree of files and subfolders is resident in $INDEX_ROOT attribute (0x90) MFT Directory Record MFT Header $STANDARD_INFORMATION $BITMAP $INDEX_ROOT Content Attr Header $I30 Loc/Siz Node Header $FILE_NAME MyDirectory MyDirectory --- file1 --- file2 --- file3 file1 file2 file3 Node Entry Node Entry Node Entry $FILE NAME ATTR Entry Header $FILE NAME ATTR Entry Header $FILE NAME ATTR Entry Header MFT Directory Record $INDEX_ALLOCATION $MFT Directory Entries Two types of $MFT Records for Folders (directories) - B-Tree of files and subfolders is resident in $INDEX_ROOT attribute (0x90) - B-Tree of files and subfolders is external to $MFT Record - $INDEX_ROOT attribute contains basic information (0x90) - $INDEX_ALLOCATION attribute stores data runs for file containing B-Tree (0xA0) MFT Header $STANDARD_INFORMATION $BITMAP $INDEX_ROOT Content Content Attr Header $I30 Data Runs Similar to $DATA Attribute Loc/Siz Node Header $FILE_NAME Attr Header $I30 Loc/Siz
Transcript
FileSystemForensics
THINK BIG WE DO
U R Ihttp://www.forensics.cs.uri.edu
Digital Forensics CenterDepartment of Computer Science and Statics
NTFS Directory
Management
NTFS Directory
Management
Directory ManagementNTFS Uses B-Trees to store sorted attributes- File Name
Entry Header MFT Directory Record $INDEX_ALLOCATION
$MFT Directory EntriesTwo types of $MFT Records for Folders (directories)- B-Tree of files and subfolders is resident in $INDEX_ROOT attribute (0x90)
- B-Tree of files and subfolders is external to $MFT Record- $INDEX_ROOT attribute contains basic information (0x90)- $INDEX_ALLOCATION attribute stores data runs for file containing B-Tree (0xA0)
INDX RecordsFile containing B-Tree Nodes is the Index Buffer file- Comprised of INDX Records - one per node- Each record is typically one cluster- Record contains $FILE_HEADER attributes for files and subfolders
Directory Structures$INDEX_ROOT attribute- 0x90- $MFT record of a folder
- Always resident
Hex Dec Bytes Description16 bytes16 bytes16 bytes Attribute Header
0x10 16 byte
4 Length of Attribute Content
0x14 20 2 Offset to Attribute Content
0x16 22 2 Padding
0x00 0 4 Type of Attribute Stored in Index
0x04 4 4 Collation Sorting Rule
0x08 8 4 Size of each index record in bytes
0x0C 12 1 Size of each index record in clusters
0x0D 13 3 Padding
0x00 0 4 Relative offset to the Index Node
0x04 4 4 Index Node length
0x08 8 4 Index Node allocation length
0x0C 12 4 Flags
Directory Structures$INDEX_ALLOCATION attribute- 0xA0- $MFT record of a folder
- Used when the number of directory entries is toogreat to fit in $MFT record
- Layout similar to $DATA attribute
Hex Dec Bytes Description16 bytes16 bytes16 bytes Attribute Header
0x00 0 8 Starting Virtual Cluster Number (VCN) of Runlist
0x08 8 8 Ending Virtual Cluster Number (VNC) of Runlist
0x10 16 2 Offset of the Runlist
0x12 18 2 Compression Unit Size
0x14 20 4 Padding
0x18 24 8 Allocated Size of the Content in Bytes
0x20 32 8 Actual Size of the Content in Bytes
0x28 40 8 Initialized Size of the Content in Bytes
0x30 48 8 Stream Name ($I30)
-- -- -- Start of Index Buffer Data Runs (varies)
Node Header
Directory StructuresIndex Node (INDX)- Contains references to
directory entries in sorted order
- INDX record header contains node header
Hex Dec Bytes Description0x00 0 4 Signature [49 4E 44 58] INDX
0x04 4 2 Offset to Fix-up Array
0x06 6 2 Number of Entries in Fix-Up Array (9)
0x08 8 8 Update Sequence Number
0x10 16 8 VCN Index Allocation
0x00 0 4 Relative offset to the Index Node
0x04 4 4 Index Node length
0x08 8 4 Index Node allocation length
0x0C 12 4 Flags
Index Buffer File
INDX Record
INDX Record
INDX Record
INDX Header
INDX Header
INDX Header
Node Header
Node Header
Node Header
Node Entry Node Entry Node Entry
Node Entry
Node Entry Node Entry Node Entry Node Entry
$FILE_NAMEEntry Header $FILE_NAMEEntry
Header $FILE_NAMEEntry Header
$FILE_NAMEEntry Header
$FILE_NAMEEntry Header $FILE_NAMEEntry
Header $FILE_NAMEEntry Header $FILE_NAMEEntry
Header
Directory StructuresNode Entries- Can appear in Resident$INDEX_ROOT Attribute
- INDX Record of Index Buffer File
- If Node Entry has a child- Last 8 bytes of entry has VCN in Index
Buffer File of child record
Hex Dec Bytes Description0x00 0 8 $MFT Reference Number0x08 8 2 Index Entry Length0x0A 10 2 Index Data ($FILE_NAME Attr) Length0x0C 12 2 Flags 0x0E 14 2 Padding
Index Buffer File
INDX Record
INDX Record
INDX Record
INDX Header
INDX Header
INDX Header
Node Header
Node Header
Node Header
Node Entry Node Entry Node Entry
Node Entry
Node Entry Node Entry Node Entry Node Entry
$FILE_NAMEEntry Header $FILE_NAMEEntry
Header $FILE_NAMEEntry Header
$FILE_NAMEEntry Header
$FILE_NAMEEntry Header $FILE_NAMEEntry
Header $FILE_NAMEEntry Header $FILE_NAMEEntry
Header
Hex Dec Bytes Description0x00 0 6 $MFT Record Number of Parent Directory0x06 6 2 Sequence Number of the Parent Directory0x08 8 8 Creation Date and Time (UTC)0x10 16 8 Last Modified Date and Time (UTC)0x18 24 8 $MFT Modified Date and Time (UTC)0x20 32 8 Last Accessed Date and Time (UTC)0x28 40 8 Allocated Size of the Index0x30 48 8 Actual Size of the Index0x38 56 4 Flags0x3C 60 4 Reparse Value0x40 64 1 Filename Length in Characters0x41 65 1 Filename Namespace (0=POSIX 1=Win32 2=DOS)
0x01 Has Child Node
0x02 List Terminator (Dummy Entry)
THINK BIG WE DO
U R Ihttp://www.forensics.cs.uri.edu
Digital Forensics CenterDepartment of Computer Science and Statics
