
Intro to Cyber Crime and Computer Forensics CSE 4273/6273 February 25, 2013


Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CSE 4273/6273 February 25, 2013 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. NTFS
     • New Technologies File System
     • Default File System for:
       • Windows NT, Windows 2000, Windows XP
     • Also used for some implementations of Unix
     • Primary Data Structure is Master File Table (MFT)

  3. Master File Table
     • Primary Data Structure for NTFS
     • Consists of Entries for Every File in System
       • Including self
     • Location of MFT is described in Volume Boot Record
     • Size of MFT is dynamic. Changes based on number of files in file system.

  4. Relationship between boot sector and $MFT
     [Carrier, Figure 11.2: the Boot Sector occupies Cluster 0; the $MFT is allocated in two runs, Clusters 32-34 and Clusters 56-58]

  5. MFT Entries
     • Every File has at least one entry.
     • Once created, entries are never deleted.
     • Size of Entry is defined in the boot sector, but normally 1K in size.
     • Entries contain up to 65,536 Attributes
     [Carrier, Figure 11.1: layout of an MFT Entry – MFT Entry Header, followed by Attributes, followed by Unused Space]

  6. File System Metadata Files
     • File System Administrative Data is stored in the first 16 entries of the MFT.
     • 24 Entries are normally allocated, but only 16 are predefined.
     • First few entries are listed in Table 11.1:
       • 0 $MFT – Entry for MFT
       • $MFTMirr – Backup of the MFT
       • $LogFile – Journal that contains metadata transactions

  7. MFT Entry Attributes
     • MFT Entries consist of mostly attributes.
     • Each attribute has a header.
     • Attribute content can be resident or non-resident.
     [Carrier, Figure 11.4: an MFT Entry – MFT Entry Header, then pairs of Attribute Header and Attribute Content, then Unused Space]

  8. Attribute Headers
     • Each Attribute Contains a Header
     • Headers identify the type of the attribute and tell where the attribute content is stored.
       • Resident – contents stored immediately after header.
       • Non-Resident – contents stored outside MFT in allocated space.
     [Carrier, Figure 11.5: an MFT Entry with Attribute Headers, resident Attribute Content inside the entry, Unused Space, and one attribute whose non-resident content lives in Cluster 829]

  9. Cluster Runs for Non-Resident Data Attributes
     [Carrier, Figure 11.6: a run list of three runs and the clusters they cover]
       • Run 1: Start 48, Len 5 → Clusters 48 49 50 51 52
       • Run 2: Start 56, Len 4 → Clusters 56 57 58 59
       • Run 3: Start 80, Len 2 → Clusters 80 81

  10. Attribute Information
     • Attributes can be sparse
     • Attributes can be compressed.
     • Attributes can be encrypted.
     • Attributes can be stored in sorted order as indexes.
       • Example: Directory entries contain $FILE_NAME attributes in sorted order.
     • Indexes stored as trees, specifically B-Trees.

  11. Example Index Tree
     [Carrier, Figure 11.14: root node A holds eee.txt, jjj.txt, ttt.txt; the child nodes B, C, D, E hold, in sorted order, aaa.txt bbb.txt / fff.txt ggg.txt iii.txt / ooo.txt rrr.txt / vvv.txt zzz.txt]

  12. NTFS Analysis
     • Five Categories of Data
       • File System
       • Content
       • Metadata
       • File Name
       • Application

  13. File System Category
     • $Boot (Boot Record)
     • $MFT (Master File Table)
     • $MFTMirr (Backup of MFT)
     • $Volume (Partition Information)
     • $AttrDef (Definitions of Attributes)

  14. $Boot
     • MFT Entry 7
     • Contains File System Boot Sector
     • Only metadata file with a static location
     • $Data attribute content is located in the first sectors of the file system.
       • Sector 0 is the boot sector
       • Remainder of the boot content is boot code.
     • Similar to the FAT Boot Sector
       • Same signature in the last two bytes of the sector: 0xAA55

  15. $MFT
     • Starting address of the MFT given in the boot sector. In most cases, follows the boot sectors.
     • $Data attribute contains the clusters allocated to the MFT.
     • MFT starts as small as possible and grows as needed. 1/8 of file system allocated to the MFT to begin with.

  16. $MFTMirr
     • Backup of the MFT
       • Because the MFT represents a single point of failure to the file system.
     • $Data attribute is non-resident and contains a backup of at least the first four MFT entries.
     • Almost always in the middle of the file system.
       • If there are 10000 clusters in the file system, the MFT Backup will start in Cluster 5000.
       • This is so that if the file system becomes corrupted, a recovery tool can calculate the middle of the file system and find the backup.
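Added example (not from the slides) tying slides 14 to 16 together: parse the boot-sector fields that locate $MFT and $MFTMirr, verify the 0xAA55 signature in the last two bytes, and check whether the mirror sits in the middle of the volume as expected. The field offsets are the standard NTFS BIOS parameter block layout; the 512-byte sector is constructed here (10000 clusters, $MFT at cluster 32, $MFTMirr at cluster 5000) and is not a dump from a real disk.

```python
# Added example, not from the slides: NTFS boot sector parsing (standard BPB offsets).
import struct

SIGNATURE_OFFSET = 0x1FE   # last two bytes of the 512-byte sector

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Pull the fields that locate $MFT and $MFTMirr out of an NTFS boot sector."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":   # 0xAA55 little-endian
        raise ValueError("missing 0xAA55 boot signature")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM name is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    rec_size_raw = struct.unpack_from("<b", sector, 0x40)[0]
    # Positive: clusters per MFT entry. Negative n: entry size is 2**(-n) bytes.
    if rec_size_raw < 0:
        mft_entry_size = 1 << -rec_size_raw
    else:
        mft_entry_size = rec_size_raw * sectors_per_cluster * bytes_per_sector
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_clusters = total_sectors // sectors_per_cluster
    return {
        "cluster_size": cluster_size,
        "total_clusters": total_clusters,
        "mft_cluster": mft_cluster,
        "mft_byte_offset": mft_cluster * cluster_size,   # where to read the first MFT entries
        "mftmirr_cluster": mftmirr_cluster,
        "mft_entry_size": mft_entry_size,
        # Slide 16: $MFTMirr is normally placed in the middle of the file system.
        "mirror_in_middle": abs(mftmirr_cluster - total_clusters // 2) <= 8,
    }

def build_boot_sector(total_sectors=80000, mft_cluster=32, mftmirr_cluster=5000) -> bytes:
    """Construct a minimal NTFS boot sector for the example (sample data, not a real dump)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                  # x86 jump over the BPB
    sector[3:11] = b"NTFS    "                     # OEM name
    struct.pack_into("<HB", sector, 0x0B, 512, 8)  # 512 bytes/sector, 8 sectors/cluster
    struct.pack_into("<QQQ", sector, 0x28, total_sectors, mft_cluster, mftmirr_cluster)
    struct.pack_into("<b", sector, 0x40, -10)      # 2**10 = 1024-byte MFT entries
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    print(parse_ntfs_boot_sector(build_boot_sector()))
```

If the boot sector fails these checks on an image, the mirror location computed from the volume size is the fallback the slide describes for finding the first MFT entries.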

  17. $Volume
     • MFT Entry 3
     • Contains volume name and version information for the volume.
     • Two unique attributes:
       • $VOLUME_NAME
       • $VOLUME_INFORMATION

  18. $AttrDef
     • MFT Entry 4
     • $Data attribute is non-resident and provides attribute name and type definitions for the MFT.
     • The author points out the circularity: if you cannot find the attribute definitions, how do you know to look in the $Data attribute, since that attribute is not defined until you reach this entry?

  19. Analysis Considerations
     • Start with $MFT
     • Then $Volume and $AttrDef
     • According to the author, there are certain fields in the boot sector that must be zero, or Windows XP will not mount the file system.

  20. Questions?
