COMPUTER FORENSICS ASSIGNMENT 2 NTFS
Danny O’Leary - 20067817
Q1. Decode the partition table supplied in the image.

Byte range | Description                                            | Essential                                   | Hex value (decoded)
0-2        | Assembly instruction to jump to boot code              | No (unless it is the bootable file system)  | EB 52 90
3-10       | OEM name                                               | No                                          | 4E 54 46 53 20 20 20 20 ("NTFS")
11-12      | Bytes per sector                                       | Yes                                         | 00 02 (512 bytes per sector)
13-13      | Sectors per cluster                                    | Yes                                         | 08 (8)
14-15      | Reserved sectors                                       | No                                          | 00 00
16-20      | Unused                                                 | No                                          |
21-21      | Media descriptor                                       | No                                          | F8
22-23      | Unused                                                 | No                                          |
24-31      | Unused                                                 | No                                          |
32-35      | Unused                                                 | No                                          |
36-39      | Unused                                                 | No                                          |
40-47      | Total sectors in file system                           | Yes                                         | 08 3D 00 00 00 00 00 00 (15624 sectors)
48-55      | Starting cluster address of MFT                        | Yes                                         | 04 00 00 00 00 00 00 00 (4)
56-63      | Starting cluster address of MFT Mirror $DATA attribute | No                                          | 03 00 00 00 00 00 00 00 (3)
64-64      | Size of file record (MFT entry)                        | Yes                                         | F6
65-67      | Unused                                                 | No                                          |
68-68      | Size of index record                                   | Yes                                         | 01 (1)
69-71      | Unused                                                 | No                                          |
72-79      | Serial number                                          | No                                          | 41 B2 CF CC 39 42 3D B1 41
80-83      | Unused                                                 | No                                          |
84-509     | Boot code                                              | No                                          |
510-511    | Signature (0xAA55)                                     | No                                          | AA55
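The decode above can be checked mechanically. The following Python is an added example, not part of the original assignment: it rebuilds a boot sector from the field values in the table (unused regions and boot code zeroed, and the serial number taken as the first eight of the bytes listed, since the field is eight bytes wide), then parses the fields little-endian and derives what a forensic tool needs next: the cluster size, the byte offset of the MFT, and the MFT entry size, where the signed byte F6 means 2^10 = 1024 bytes.

```python
import struct

# Boot sector constructed from the values decoded in the table above.
# Unused regions and the boot code are zeroed; 0xAA55 is stored little-endian as 55 AA.
BOOT_SECTOR = bytearray(512)
BOOT_SECTOR[0:3] = bytes.fromhex("EB5290")               # jump to boot code
BOOT_SECTOR[3:11] = b"NTFS    "                           # OEM name
struct.pack_into("<HBH", BOOT_SECTOR, 11, 512, 8, 0)      # bytes/sector, sectors/cluster, reserved
BOOT_SECTOR[21] = 0xF8                                    # media descriptor
struct.pack_into("<QQQ", BOOT_SECTOR, 40, 15624, 4, 3)    # total sectors, $MFT cluster, $MFTMirr cluster
BOOT_SECTOR[64] = 0xF6                                    # MFT entry size field (negative => 2^|v| bytes)
BOOT_SECTOR[68] = 0x01                                    # index record size field (clusters)
BOOT_SECTOR[72:80] = bytes.fromhex("41B2CFCC39423DB1")    # first eight serial-number bytes from the table
struct.pack_into("<H", BOOT_SECTOR, 510, 0xAA55)          # boot signature

def size_from_clusters_field(raw, cluster_bytes):
    """Bytes 64 and 68 hold a cluster count; a negative value v means 2**(-v) bytes."""
    v = struct.unpack("<b", bytes([raw]))[0]
    return (1 << -v) if v < 0 else v * cluster_bytes

def parse_boot_sector(bs):
    """Decode the essential NTFS boot-sector fields and sanity-check them."""
    if len(bs) < 512 or struct.unpack_from("<H", bs, 510)[0] != 0xAA55:
        raise ValueError("missing 0xAA55 boot signature")
    if bs[3:11] != b"NTFS    ":
        raise ValueError("OEM name is not NTFS")
    bps, spc = struct.unpack_from("<HB", bs, 11)
    if bps == 0 or bps & (bps - 1):
        raise ValueError("bytes per sector must be a power of two")
    total, mft, mirr = struct.unpack_from("<QQQ", bs, 40)
    cluster_bytes = bps * spc
    if mft >= total // spc or mirr >= total // spc:
        raise ValueError("$MFT or $MFTMirr cluster lies outside the volume")
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_bytes": cluster_bytes,
        "media_descriptor": bs[21],
        "total_sectors": total,
        "mft_cluster": mft,
        "mft_byte_offset": mft * cluster_bytes,          # where to seek in the image for entry 0
        "mftmirr_cluster": mirr,
        "mft_entry_bytes": size_from_clusters_field(bs[64], cluster_bytes),
        "index_record_bytes": size_from_clusters_field(bs[68], cluster_bytes),
        "serial_number": struct.unpack_from("<Q", bs, 72)[0],
    }

if __name__ == "__main__":
    for k, v in parse_boot_sector(BOOT_SECTOR).items():
        print(f"{k:20} {v}")
```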
Q2. Explain the concept of the MFT on an NTFS file system. Locate and manually decode the hex of the $MFT entry.
Byte range | Description                       | Essential | Hex value (decoded)
0-3        | Signature ("FILE")                | No        | 46 49 4C 45 ("FILE")
4-5        | Offset to fixup array             | Yes       | 30 00 (48)
6-7        | Number of entries in fixup array  | Yes       | 03 00 (3)
8-15       | $LogFile Sequence Number (LSN)    | No        | 0
16-17      | Sequence value                    | No        | 01 00 (1)
18-19      | Link count                        | No        | 01 00 (1)
20-21      | Offset to first attribute         | Yes       | 38 00 (56)
22-23      | Flags                             | Yes       | 01 00
24-27      | Used size of MFT entry            | Yes       | 98 01 00 00 (38,913)
28-31      | Allocated size of MFT entry       | Yes       | 00 04 00 00 (1024)
32-39      | File reference to base record     | No        | 0
40-41      | Next attribute id                 | No        | 04 00 (4)
42-1023    | Attributes and fixup values       | Yes       |
The basic concept of the MFT (Master File Table) in an NTFS file system is that it stores information about every file on the file system, as well as every directory those files are contained in. Each MFT entry is 1 KB in size, but only the first 42 bytes (the entry header) have a defined purpose. The rest of the entry stores attributes, which are small data structures that each serve a specific purpose.
(Image: layout of an MFT entry.)
Every entry in the Master File Table is given an address based on where it is located in the table. The MFT is itself a file, and so it contains an entry for itself; that entry describes the on-disk location of the MFT. To find out where the MFT is located, read the boot sector, which is always located in the first sector of the file system, and take the MFT starting cluster address stored there.
(Image: using the boot sector to locate the MFT.)
Reading the boot sector here, we can see that the MFT is located in clusters 32-34, and the rest of the cluster chain is stored in clusters 56-58. With this layout the MFT starts quite small and expands with each entry added to the file system, so it can grow quite big. The first field in an MFT entry is always the signature; a normal entry has the string "FILE". If something has gone wrong with the entry and it contains an error, the signature may instead read "BAAD". Then there is a flags field, which identifies whether the entry is actually in use and whether it is a directory. If a file cannot fit all of its attributes in one entry, it uses multiple entries, each of which points back to the original entry, known as the base entry.
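As an added example (not from the original assignment), the Python below builds a 1024-byte MFT entry carrying the header values from the table above together with a constructed fixup signature, and shows the two steps a parser must take before trusting anything in the entry: apply the fixup (update sequence) array to restore the real last two bytes of each 512-byte sector, then check the signature and flags. All header fields are little-endian, so the used-size bytes 98 01 00 00 read as 0x198.

```python
import struct

HEADER_FMT = "<4sHHQHHHHIIQH"   # bytes 0-41 of an MFT entry, all little-endian
FIXUP_SIG = b"\x01\x00"         # constructed update-sequence value for this sample entry

def build_sample_entry():
    """Constructed 1024-byte entry whose header holds the values decoded above."""
    e = bytearray(1024)
    struct.pack_into(HEADER_FMT, e, 0, b"FILE", 48, 3, 0, 1, 1, 56, 0x0001,
                     0x198, 1024, 0, 4)
    # Fixup array at byte 48: signature, then the real last two bytes of each sector
    # (constructed values AA BB and CC DD here).
    e[48:54] = FIXUP_SIG + b"\xAA\xBB" + b"\xCC\xDD"
    # On disk the last two bytes of every sector are overwritten with the signature.
    e[510:512] = FIXUP_SIG
    e[1022:1024] = FIXUP_SIG
    return bytes(e)

def apply_fixups(entry, sector_size=512):
    """Undo the update-sequence protection; a mismatch means a torn or corrupt write."""
    off, count = struct.unpack_from("<HH", entry, 4)
    sig = entry[off:off + 2]
    fixed = bytearray(entry)
    for i in range(1, count):                  # entry 0 of the array is the signature itself
        pos = i * sector_size - 2
        if fixed[pos:pos + 2] != sig:
            raise ValueError(f"fixup mismatch in sector {i - 1}: entry is inconsistent")
        fixed[pos:pos + 2] = entry[off + 2 * i:off + 2 * i + 2]
    return bytes(fixed)

def parse_mft_header(entry):
    """Decode the 42-byte header of an already fixed-up entry."""
    fields = struct.unpack_from(HEADER_FMT, entry, 0)
    sig = fields[0]
    if sig == b"BAAD":
        raise ValueError("entry is marked BAAD (error found in entry)")
    if sig != b"FILE":
        raise ValueError(f"unexpected signature {sig!r}")
    (_, fix_off, fix_cnt, lsn, seq, links, first_attr, flags,
     used, alloc, base_ref, next_id) = fields
    return {
        "fixup_offset": fix_off, "fixup_count": fix_cnt, "lsn": lsn,
        "sequence": seq, "link_count": links, "first_attr_offset": first_attr,
        "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
        "used_size": used, "allocated_size": alloc,
        "base_entry": base_ref & 0xFFFFFFFFFFFF,   # low 48 bits; 0 means this is the base entry
        "next_attr_id": next_id,
    }
```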
Q3. Using TSK decode another two MFT Entries of your choice. How big is the file and what data units does it occupy. Explain the attribute types and attribute values associated with these entries.
Note: I presumed that this question meant using The Sleuth Kit to get two more MFT entries and then using it to find the information about the files. I wasn't 100% sure what it meant, though.
The files I used were picture 10 and picture 9. The command I used to find these came from The Sleuth Kit: "fsstat".
From this I found the inode numbers for both of the pictures. I then used icat to cut out the pictures to view them:
Picture 10:
Picture 9:
Now I used istat on both of these pictures to find out the relevant information about them.
Picture 10:
Picture 9:
From this we can answer the question of what size both files are and what data units they occupy:
Picture 10: 92,853 bits (92.853 kb), occupying sectors 350-372
Picture 9: 187035 bits (187.035 kb), occupying sectors 373-418
Attribute types and values
Picture 10: In picture 10, from using the istat command, we can see that it has 4 attributes:
1. $STANDARD_INFORMATION
2. $FILE_NAME
3. $SECURITY_DESCRIPTOR
4. $DATA
There are also 2 attribute values given by istat:
1. $STANDARD_INFORMATION
2. $FILE_NAME
Standard Information: This gives us information about the flags, which tells us it has one flag, "Archive". It gives the Owner ID and the Security ID, which are both 0 in this case. The Security ID is given so that you can look up the information in $Secure. It also gives us the creation time and the accessed time:
Created: 2012-01-24 22:01:02 (GMT)
File Modified: 2012-01-24 22:00:17 (GMT)
MFT Modified: 2012-01-24 22:01:02 (GMT)
Accessed: 2012-01-24 22:01:02 (GMT)
From this information we can see when the file was created, and that it probably hasn't been changed since it was made, judging by the timestamps.
File Name: This gives us information about the flags, which tells us it has one flag, "Archive". It gives the name of the file in the field "Name:", which tells us the name of the file is "picture9.jpg". It shows that the Parent MFT Entry is 5, which is the root directory. It also shows the Allocated Size and the Actual Size, which are both 0 bytes. It also gives us the creation time and the accessed time:
Created: 2012-01-24 22:01:02 (GMT)
File Modified: 2012-01-24 22:01:02 (GMT)
MFT Modified: 2012-01-24 22:01:02 (GMT)
Accessed: 2012-01-24 22:01:02 (GMT)
From this, you can see that the file name has not been changed since it was created.
Picture 9: In picture 9, from using the istat command, we can see that it also has 4 attributes:
1. $STANDARD_INFORMATION
2. $FILE_NAME
3. $SECURITY_DESCRIPTOR
4. $DATA
There are also 2 attribute values given by istat:
1. $STANDARD_INFORMATION
2. $FILE_NAME
Standard Information: This gives us information about the flags, which tells us it has one flag, "Archive". It gives the Owner ID and the Security ID, which are both 0 in this case. The Security ID is given so that you can look up the information in $Secure. It also gives us the creation time and the accessed time:
Created: 2012-01-24 22:01:02 (GMT)
File Modified: 2012-01-24 22:00:17 (GMT)
MFT Modified: 2012-01-24 22:01:02 (GMT)
Accessed: 2012-01-24 22:01:02 (GMT)
From this information we can see when the file was created, and that it probably hasn't been changed since it was made, judging by the timestamps.
File Name: This gives us information about the flags, which tells us it has one flag, "Archive". It gives the name of the file in the field "Name:", which tells us the name of the file is "picture9.jpg". It shows that the Parent MFT Entry is 5, which is the root directory. It also shows the Allocated Size and the Actual Size, which are both 0 bytes. It also gives us the creation time and the accessed time:
Created: 2012-01-24 22:01:02 (GMT)
File Modified: 2012-01-24 22:01:02 (GMT)
MFT Modified: 2012-01-24 22:01:02 (GMT)
Accessed: 2012-01-24 22:01:02 (GMT)
From this, you can see that the file name has not been changed since it was created.
Standard Information: This contains general information about the file, such as the flags and the last accessed, modified and created times that go with the file. It also includes the Owner and Security ID.
File Name: This includes the file name written in Unicode. It also includes the last accessed, modified and created times for the file.
Security Descriptor: This includes the access control and security properties of the file.
Data: This includes the file's contents.
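To turn istat's data-unit list into offsets in the image, the added Python below (not part of the original assignment) treats the listed addresses as NTFS clusters of 4096 bytes (8 sectors of 512 bytes from Q1), which is consistent with the sizes quoted: 23 clusters hold picture 10's 92,853 bytes. It maps a file offset to an image offset through possibly fragmented runs and reports the slack space after the logical end of the file, where data from a previously deleted file can survive and should be examined.

```python
CLUSTER_BYTES = 4096   # 8 sectors/cluster * 512 bytes/sector, from the Q1 boot sector

# Cluster runs and logical sizes reported by istat on the page (inclusive ranges).
PICTURE10 = ([(350, 372)], 92853)
PICTURE9 = ([(373, 418)], 187035)

def map_offset(runs, file_offset, cluster_bytes=CLUSTER_BYTES):
    """Translate an offset inside the file to the byte offset inside the image."""
    remaining = file_offset
    for first, last in runs:
        if last < first:
            raise ValueError(f"bad run {first}-{last}")
        run_len = (last - first + 1) * cluster_bytes
        if remaining < run_len:
            return first * cluster_bytes + remaining
        remaining -= run_len
    raise ValueError("offset lies beyond the last allocated cluster")

def file_layout(runs, logical_size, cluster_bytes=CLUSTER_BYTES):
    """Byte extents in the image, allocated size, and the slack region after EOF."""
    extents, allocated = [], 0
    for first, last in runs:
        n = last - first + 1
        extents.append((first * cluster_bytes, n * cluster_bytes))   # (image offset, length)
        allocated += n * cluster_bytes
    if logical_size > allocated:
        raise ValueError("logical size exceeds allocated clusters: run list is incomplete")
    slack = allocated - logical_size
    # Slack bytes start at the image position of logical byte `logical_size`,
    # unless the file exactly fills its clusters (then there is no slack to look at).
    slack_offset = map_offset(runs, logical_size, cluster_bytes) if slack else None
    return {
        "clusters": allocated // cluster_bytes,
        "allocated": allocated,
        "extents": extents,
        "slack": slack,
        "slack_offset": slack_offset,
    }

if __name__ == "__main__":
    for name, (runs, size) in (("picture10", PICTURE10), ("picture9", PICTURE9)):
        print(name, file_layout(runs, size))
```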
Q4. Explain the five categories of data associated with a file system.
File System: The File System category contains all the general file system information. Data found in this category can tell you where to find certain files or how big a data structure is; it is essentially a map that tells you where everything is and where to find the data you are looking for. The data in this category doesn't typically correspond to a specific user file, because NTFS stores this type of data in system metadata files located in the root directory. Data in this category can be located anywhere in the file system except the boot code, which has a fixed location at sector 0. These files have dates and timestamps with them because they are treated like normal files.
Content: The Content category contains the actual content of the files in a file system. Generally most of the data will be found here rather than in the other categories. Usually the data is stored in a collection of standard-sized containers, and every file system assigns a name to these containers, e.g. clusters.
Metadata: The Metadata category contains data that describes a file; basically, it is data that is used to describe data. In NTFS all metadata is stored in one of the file's attributes.
File Name: The File Name category contains the data that is responsible for assigning a name to a file. Most of the time these names are stored in directories, which contain a list of file names and the corresponding metadata addresses.
Application: The Application category contains data that provides special features. The data in this category isn't required to read or write the file it belongs to. The reason it is included in the specification is that it is often more efficient to store it there rather than in a normal file. An example of data found in the Application category is a file system journal.
(Image: how the five categories interact with each other.)
Q5. In terms of NTFS, identify the major data structures associated with each category and their function. How do these compare with a FAT file system?
File System Category:
1. $MFT: This is one of the most important data structures in the file system because it contains the Master File Table, which you need to locate all of the files and directories in the file system. The starting address of the MFT is given in the boot sector, which is found at sector 0. The first entry in the MFT is called $MFT; it has a $DATA attribute that contains the clusters being used by the MFT, and a $BITMAP attribute that manages the allocation status of the MFT entries. It also has $FILE_NAME and $STANDARD_INFORMATION attributes. On Windows the $MFT file starts off extremely small and becomes larger with each entry as more files and directories are added.
2. $MFTMirr: This is a copy of the $MFT in case something goes wrong with it or it becomes corrupt. $MFTMirr stores important MFT entries that can then be used in recovery. Its $DATA attribute allocates clusters in the middle of the file system and saves copies of the $MFT, $MFTMirr, $LogFile and $Volume entries. When attempting a recovery, if there have been problems determining how the MFT is laid out, recovery tools can use the volume size to calculate the middle sector and verify whether it holds an MFT entry; every MFT entry contains a signature that can be used to verify this.
3. $Boot: This is MFT entry 7 and contains the boot sector for the file system in question. It is the only metadata file with a static location: its $DATA is always located in the first sector of the file system, since it is needed to boot the system. Usually 16 bytes are allocated for $Boot on Windows systems. The boot sector gives basic information about the size of each cluster, the number of sectors in the file system and the starting address of the MFT. It also gives the size of each MFT entry and the serial number of the file system. The remaining bytes hold the boot code used to boot the system.
4. $Volume: This metadata file is MFT entry 3, and it contains the volume label and other version information. The $VOLUME_NAME attribute stores the Unicode name of the volume, and the $VOLUME_INFORMATION attribute contains the version of NTFS.

Content Category:
1. Clusters: Any NTFS file is made up of different attributes put together; some are resident and others are non-resident, with their data stored in clusters. A cluster is basically a group of consecutive sectors. Each cluster in the NTFS file system has an address, starting at 0.
2. $Bitmap: This is MFT entry 6. Its $DATA attribute has one bit corresponding to every cluster, which tells which clusters are allocated and which are not.
3. $BadClus: This keeps track of any damaged clusters by allocating them to this file.

Metadata Category:
1. $STANDARD_INFORMATION: This exists for every file and directory. It includes timestamps, the ownership ID, the security ID and quota information. The timestamps it holds are the creation time, modified time, MFT modified time and accessed time.
2. $FILE_NAME: Every file and directory in the file system has to have at least one $FILE_NAME attribute in its MFT entry. It includes the file name in Unicode.
3. $DATA: This attribute is used to store any form of data, and holds the actual content of the file.
4. $ATTRIBUTE_LIST: This is used when a file needs more space to store all its attributes. Any file or directory can have up to 65,536 attributes, but after that an additional MFT entry is needed.
5. $SECURITY_DESCRIPTOR: This is primarily found in Windows file systems. It is used to describe the access control policy that should be applied to a file or directory.
6. $Secure: This is also used to store security descriptors.

File Name Category:
1. Root directory: This is needed to find a file based on its path; it is MFT entry 5. Its attributes are $INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP. It is responsible for the allocation and indexing of files.

Application Category:
1. Disk quotas: NTFS supports disk space quotas. Their purpose is to let an administrator limit the amount of space each user allocates.
2. Logging (file system journaling): Microsoft added a journaling system to NTFS to improve its reliability. A file system journal allows an operating system to bring the file system back to a clean state more quickly. The journal records information about metadata updates before they happen, and then also records when the updates are actually performed. In NTFS the journal file is located at MFT entry 2, and the log data itself is stored in its $DATA attribute.
Some of the noticeable differences I found from doing this comparison of NTFS and FAT are that the FAT file system doesn't have any data at all that would fall into the Application category. I found that the NTFS file system and the FAT file system have very similar boot sectors, and even share the same signature: 0xAA55.