
Intro to Cyber Crime and Computer Forensics CSE 4273/6273 March 5, 2011



Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CSE 4273/6273 March 5, 2011 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Content Category • Clusters • Allocation Status • $Bitmap (Allocation Status of Files) • $BadClus (List of Bad Clusters) • Allocation Algorithm

  3. Clusters • Obviously, some multiple of sectors. • Cluster 0 is the first cluster of the file system and starts after the boot sectors. • To get a sector address, multiply the cluster address by the number of sectors per cluster.

  4. $Bitmap • MFT Entry 6 • $Data attribute contains one bit for every cluster in the file system. • A zero in the bit means the cluster is unallocated. • A one in the bit means the cluster is allocated.

  5. $BadClus • MFT Entry 8 • Keeps track of damaged clusters in a sparse file. • The $Data attribute named $Data is a non-resident attribute equal in size to the entire file system. • The $Data attribute named $Bad is a resident attribute that contains the addresses of the bad clusters.

  6. Allocation Algorithms • Allocation algorithm is implementation dependent, but the author observes that Windows XP always uses Best Fit Strategy.
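Added example (not from the lecture or Carrier's book): reading a $Bitmap $DATA attribute the way slides 3, 4 and 6 describe it, then simulating a best-fit cluster allocation over the free runs it reveals. The bitmap bytes and the sectors-per-cluster value are constructed assumptions; `first_available` is included only as a contrast to best fit.

```python
# Added example (not from the lecture): interpret a $Bitmap $DATA attribute and
# simulate the cluster allocation strategies the slides name.
from typing import List, Tuple

# Constructed 16-cluster sample. Bit i of byte i // 8 (least significant bit
# first) describes cluster i: 1 = allocated, 0 = unallocated.
SAMPLE_BITMAP = bytes([0b0000_0001, 0b1000_0111])
SECTORS_PER_CLUSTER = 8  # assumed; a real tool reads it from the boot sector

def is_allocated(bitmap: bytes, cluster: int) -> bool:
    """True if $Bitmap marks `cluster` as allocated."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)

def cluster_to_sector(cluster: int, spc: int = SECTORS_PER_CLUSTER) -> int:
    """Cluster address -> sector address, as the slides describe."""
    return cluster * spc

def free_runs(bitmap: bytes) -> List[Tuple[int, int]]:
    """(start_cluster, length) for every run of unallocated clusters."""
    runs, start, total = [], None, len(bitmap) * 8
    for c in range(total + 1):  # one extra step closes a run at the end
        free = c < total and not is_allocated(bitmap, c)
        if free and start is None:
            start = c
        elif not free and start is not None:
            runs.append((start, c - start))
            start = None
    return runs

def best_fit(bitmap: bytes, needed: int) -> int:
    """Best fit: start of the smallest free run holding `needed` clusters, else -1."""
    fits = [r for r in free_runs(bitmap) if r[1] >= needed]
    return min(fits, key=lambda r: r[1])[0] if fits else -1

def first_available(bitmap: bytes, needed: int) -> int:
    """First available: start of the lowest free run holding `needed` clusters."""
    for start, length in free_runs(bitmap):
        if length >= needed:
            return start
    return -1

if __name__ == "__main__":
    print("free runs:", free_runs(SAMPLE_BITMAP))          # [(1, 7), (11, 4)]
    print("best fit for 3:", best_fit(SAMPLE_BITMAP, 3))   # 11
    print("first available for 3:", first_available(SAMPLE_BITMAP, 3))  # 1
```

The free runs are also where a forensic examiner looks for unallocated content, since $Bitmap says nothing about whether those clusters still hold old data.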

  7. Metadata Category • Attributes • $STANDARD_INFORMATION • $FILE_NAME • $DATA • $ATTRIBUTE_LIST • Allocation Algorithms

  8. $STANDARD_INFORMATION • Standard for all files and directories. • Contains time and date stamps, ownership, security, and quota information. • Four date and time stamps: • Creation Time: When the file was created. • Modified Time: When the $Data or $Index attribute was last modified. • MFT Modified Time: When the metadata was last modified. • Accessed Time: When the file was last accessed.

  9. $FILE_NAME • Every file or directory has one of these. • Additionally, a copy of it appears in the $INDEX of the parent directory.

  10. $DATA • Used to store data associated with the file. • Can be resident if small enough to fit in MFT, or non-resident otherwise.

  11. $ATTRIBUTE_LIST • Used when a file or directory needs more than one MFT entry. • Typical when the list of attributes associated with a file becomes long or the fragmentation of a non-resident $DATA attribute requires a long list of cluster runs.

  12. Allocation Algorithms • MFT entries are allocated using a First Available Strategy starting with Entry 24. • Attributes are sorted by type, so they are inserted in order by type identifier. • Existing attributes can be moved based on the attributes added.

  13. NTFS Analysis • Five Categories of Data • File System • Content • Metadata • File Name • Application

  14. File Name Category • An NTFS Index is what is used to organize directory contents. • An NTFS Index is a collection of data structures sorted by a key. • Key attributes are: • $INDEX_ROOT • Root of the index tree • $INDEX_ALLOCATION • Contains index records used to store other nodes.

  15. Directories • Normal MFT Entry with flags set to indicate it is a directory. • Index entries contain: • File reference address • $FILE_NAME attribute • Allocation is done using B-Trees, but we won’t talk any more about the specifics of that.

  16. Basic Directory Tree (Carrier, Fig. 12.9) • $INDEX_ROOT: hhh.txt Entry:51 (X), ccc.txt Entry:58 • $INDEX_ALLOCATION, Index Record 0: aaa.txt Entry:45, ccc.txt Entry:58, eeeeee.Txt Entry:48, eeee~1.txt Entry:48 (X) • Index Record 1: iii.txt Entry:60, kkk.txt Entry:73 (X), qqq.txt Entry:29

  17. Application Category • Disk Quotas • $Quota file • MFT Entry 9 in early versions, any entry later • Uses two indexes, • $0 – correlates SID with Owner ID • $Q – correlates Owner ID with quota info • Journaling • File System Journaling • Change Journaling

  18. File System Journaling • $LogFile – MFT Entry 2 • Log info stored in $Data attribute. • Details omitted, but you can read about them.

  19. Change Journal • Stored in the \$Extend\$UsnJrnl file • Records when changes are made to files • MFT Entry contains two $Data attributes • $Max – basic information about the journal • $J – contains a list of variable-sized records: • File name • Time of change • Type of change • Update Sequence Number – used to sequence changes.
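Added example (not from the lecture): a parser for the variable-sized records in the $J attribute, following Microsoft's USN_RECORD_V2 layout, which yields exactly the fields slide 19 lists (file name, time, type of change, USN). The journal bytes are constructed here; the FILETIME conversion is the same one needed for the four $STANDARD_INFORMATION timestamps on slide 8.

```python
# Added example (not from the lecture): parse USN_RECORD_V2 entries from the $J
# attribute of \$Extend\$UsnJrnl. Record bytes below are constructed samples.
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List
USN_REASONS = {  # subset of the USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
# RecordLength, Major, Minor, FileRef, ParentRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
HEADER = struct.Struct("<IHHQQQQIIIIHH")  # 60 bytes, file name follows

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; the same
    conversion applies to the four $STANDARD_INFORMATION timestamps."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def build_record(usn: int, name: str, reason: int, ft: int, file_ref: int) -> bytes:
    """Construct one V2 record; used here only to make sample data."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER.size + len(name_bytes) + 7) & ~7  # records are 8-byte aligned
    hdr = HEADER.pack(length, 2, 0, file_ref, 5, usn, ft, reason,  # parent 5 = root dir
                      0, 0, 0x20, len(name_bytes), HEADER.size)
    return (hdr + name_bytes).ljust(length, b"\0")

def parse_journal(data: bytes) -> List[Dict]:
    """Walk $J data and return one dict per record; stop at a zero length."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        (length, _maj, _min, fref, _pref, usn, ft, reason,
         _src, _sid, _attr, name_len, name_off) = HEADER.unpack_from(data, off)
        if length == 0:  # zero-filled (sparse) region: no more records
            break
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "name": name, "time": filetime_to_datetime(ft),
            "mft_entry": fref & 0xFFFFFFFFFFFF,  # low 48 bits: MFT entry number
            "seq": fref >> 48,                    # high 16 bits: sequence number
            "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
        })
        off += length
    return records

# Constructed sample: one file created, then deleted 60 seconds later.
T0 = 132_000_000_000_000_000  # a FILETIME value in 2019
SAMPLE_J = (build_record(0, "evidence.docx", 0x80000100, T0, 0x0001000000000041)
            + build_record(88, "evidence.docx", 0x80000200, T0 + 600_000_000, 0x0001000000000041))
```

Because the USN is the record's byte offset within $J, gaps or out-of-order USNs in a parsed sequence are a sign of journal truncation or tampering worth noting in an examination.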

  20. Questions?
