
NTFS File System and Data Security

Yanhui Tu, KingSoft

Index

1. File system kernel analysis
2. Streams and data security
3. Data recovery
4. Data overwrite

NTFS File System Analysis

• Files: NTFS has two different kinds
  • Metafiles: system files that the user cannot access directly
  • User files: user data

• NTFS metafiles

  Metafile            Function
  $MFT                The MFT itself
  $MFTMirr            Partial mirror of the MFT (its first records)
  $LogFile            Log file
  $Volume             Volume file
  $AttrDef            Attribute definition list
  . (root)            Root directory
  $Bitmap             Bitmap file (cluster allocation)
  $Boot               Boot file
  $BadClus            Bad cluster file
  $Quota (NTFS 4)     Quota file
  $Secure             Security file
  $UpCase             Uppercase mapping table
  $Extend             Extended metadata directory

• Extended metadata directory

  $Extend\$Reparse    Reparse points file
  $Extend\$UsnJrnl    Change journal (USN journal)
  $Extend\$Quota      Quota management file
  $Extend\$ObjId      Object ID file

NTFS File System Analysis

• $MFT (Master File Table)
  • Holds all information about each file; the individual pieces of information are called attributes.
  • The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS volume, including the MFT itself.

• MFT record of a normal file (figure on the slide)
  MFT header
  10H  $STANDARD_INFORMATION
  30H  $FILE_NAME
  80H  $DATA (the $MFT file's own record additionally carries a B0H $BITMAP)
  End marker (FFFFFFFFH)

NTFS File System Analysis

• Resident and non-resident attributes
  • Resident attribute: its data is stored inside the MFT record itself (small attributes such as $STANDARD_INFORMATION, $FILE_NAME and the $DATA of very small files).
  • Non-resident attribute: its data is stored in clusters in the file data area; the MFT record only holds the run list that says which clusters.

NTFS File System Analysis

• MFT record of a directory (figure on the slide)
  MFT header
  10H  $STANDARD_INFORMATION
  30H  $FILE_NAME
  90H  $INDEX_ROOT
  A0H  $INDEX_ALLOCATION
  B0H  $BITMAP
  End marker

NTFS File System Analysis

• Structure of a file index
  • Index header: every 4 KB index block starts with an index header (signature INDX).
  • Index entries: each entry records one file's file name, MFT record number, parent directory MFT record number, and so on.

NTFS File System Analysis

• $LogFile
  • The log file's MFT record (figure on the slide).
  • The log file's structure is complicated and its details are not fully documented. What is known is that it is divided into 4 KB blocks and each block starts with the signature RCRD.
  • Example on the slide: a file rename as recorded in $LogFile.

NTFS File System Analysis

• $Volume file
  • The volume label is stored in the 60H ($VOLUME_NAME) attribute.

NTFS File System Analysis

• $AttrDef file
  • A list that records the definition of every attribute type (figure on the slide: content of $AttrDef).

NTFS File System Analysis

• "." file (root)
  • Root of the directory tree.
  • Its 90H ($INDEX_ROOT) attribute (figure on the slide).

NTFS File System Analysis

• $Bitmap file: one bit per cluster, marking it allocated or free (figures on the slides: MFT record and content of $Bitmap).
• $Boot file: the boot sector and bootstrap code (figures on the slides: MFT record and content of $Boot).
• $UpCase file: the uppercase mapping table (figures on the slides: MFT record and content of $UpCase).
• $BadClus file: maintains a list of bad clusters on the drive (figure on the slide: MFT record).

Stream and Data Security

• A file can be hidden inside a stream (alternate data stream) of another file.
• 29A released a stream-based virus in 2000.
• Currently no anti-virus product in China supports scanning streams.
• Streams on disk (figures on the slides).
• A stream can also be attached to a directory.
• APIs designed for stream programming
  1. Enumerate:
     – FindFirstStreamW and FindNextStreamW (Windows Server 2003)
     – BackupRead and BackupSeek (Windows 2000)
  2. Delete:
     – DeleteFile
• Streams can also be reached without these APIs, given knowledge of the NTFS data structures.

Data Recovery

• Normally users access files through the file system: the files are stored on the user's hard disk and organized by the file system, which presents them to the user.
• What users see are only files; they do not care how the files are laid out on disk. They read and write files with commands supplied by the OS, but if the data or the file system is corrupted they can no longer access the files.

Data Recovery

• When a file system is corrupted, there are two ways to recover data.
• First method: rebuild the file system. Fix the corrupted part so that the system can access the file system normally again and the lost data is recovered. For example, when the hard disk's partition table is corrupted, rebuild the partition table; when a partition cannot be accessed normally, rebuild its BPB. This method suits the repair of a small amount of key data, where only a little has to be rebuilt.
• Second method: rebuild the lost data into files directly from the source device. Used when the file system is too unstable to repair, when it is unclear what the file data looked like before the corruption, or when a repair would require a large amount of writing. This method suits recovering deleted files and formatted partitions.

File Recovery

• Scenario: when files are deleted or the volume is formatted, the file data itself is not destroyed; only some file-system information about the file is removed and the file's space is released.

File Deletion Processing

• Deleting a file in FAT
  1. Replace the first byte of the file name in the directory entry with E5H.
  2. The directory entry is thereby marked unused (and the file's FAT cluster chain is released).

File Deletion Processing

• Deleting a file in NTFS requires three changes:
  1. The flags word at offset 16H of the file's MFT record header: bit 0 = in use, bit 1 = directory. So 0 means a deleted file, 1 a file in use, 2 a deleted directory, 3 a directory in use.
  2. The file's entry is removed from the parent directory's INDEX_ROOT (90H) or INDEX_ALLOCATION (A0H) attribute.
  3. The file's clusters are marked free by setting their bits in $Bitmap to 0.

Recovery Demo

• FAT recovery demo
  1. Locate the directory entries.
  2. Analyse the directory entries.
  3. Locate the data area.
  4. Save the recovered file.
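The four FAT steps above as an added worked example in Python; it is not code from the slides. It parses 32-byte 8.3 directory entries, recognises the E5H deletion marker, computes a cluster's byte offset in the data area from the BPB, and carves a deleted file assuming it was stored contiguously (the deletion cleared its FAT chain, so the first cluster is the only pointer left). The tiny FAT32 image, the BPB values and the file contents are constructed inside the block and are assumptions, not a real disk.

```python
import struct

# Constructed BPB values for a tiny FAT32 layout (an assumption for the demo, not a real disk).
BPB = dict(bytes_per_sector=512, sectors_per_cluster=1, reserved_sectors=32,
           num_fats=2, sectors_per_fat=8, root_cluster=2)
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_LFN = 0x08, 0x10, 0x0F


def cluster_offset(bpb, cluster):
    """Byte offset of a data cluster: the data area follows the reserved sectors and the
    FAT copies, and its first cluster is numbered 2."""
    first_data_sector = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"]
    return (first_data_sector + (cluster - 2) * bpb["sectors_per_cluster"]) * bpb["bytes_per_sector"]


def parse_dir_entries(raw):
    """Walk 32-byte 8.3 directory entries. First byte 00H ends the directory; E5H marks a
    deleted entry whose first name character is lost (shown here as '?')."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break
        attr = e[0x0B]
        if attr == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue                                  # long-name pieces / label: nothing to carve
        deleted = e[0] == 0xE5
        base = ((b"?" if deleted else e[0:1]) + e[1:8]).decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", e, 0x14)        # FAT32 keeps the cluster number split:
        lo, size = struct.unpack_from("<HI", e, 0x1A)  # high half at 14H, low half at 1AH, size at 1CH
        entries.append(dict(name=base + ("." + ext if ext else ""), deleted=deleted,
                            directory=bool(attr & ATTR_DIRECTORY),
                            first_cluster=(hi << 16) | lo, size=size))
    return entries


def carve_deleted(image, bpb, entry):
    """Deletion cleared the FAT chain, so the entry's first cluster is the only pointer left;
    read 'size' bytes from there assuming the file was stored contiguously."""
    start = cluster_offset(bpb, entry["first_cluster"])
    return bytes(image[start:start + entry["size"]])


def recover_deleted_files(image, bpb):
    """Steps 1-4 of the FAT demo: locate the root directory, analyse its entries, locate
    the data area, return the recovered bytes keyed by the (partly lost) name."""
    root_off = cluster_offset(bpb, bpb["root_cluster"])
    cluster_bytes = bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]
    entries = parse_dir_entries(image[root_off:root_off + cluster_bytes])
    return {e["name"]: carve_deleted(image, bpb, e) for e in entries if e["deleted"] and not e["directory"]}


# Constructed sample image: root directory in cluster 2, one live and one deleted file,
# the deleted file's bytes still sitting in clusters 5-6.
def make_entry(name, ext, first_cluster, size, deleted=False, attr=0x20):
    e = bytearray(32)
    e[0:8], e[8:11], e[0x0B] = name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"), attr
    struct.pack_into("<H", e, 0x14, first_cluster >> 16)
    struct.pack_into("<HI", e, 0x1A, first_cluster & 0xFFFF, size)
    if deleted:
        e[0] = 0xE5
    return bytes(e)


def build_sample_image():
    content = (b"quarterly report - confidential\n" * 25)[:700]
    img = bytearray(cluster_offset(BPB, 2) + 16 * 512)
    img[cluster_offset(BPB, 5):cluster_offset(BPB, 5) + len(content)] = content
    root = make_entry("NOTES", "TXT", 3, 12) + make_entry("REPORT", "TXT", 5, len(content), deleted=True)
    img[cluster_offset(BPB, 2):cluster_offset(BPB, 2) + len(root)] = root
    return bytes(img), content


if __name__ == "__main__":
    image, original = build_sample_image()
    for name, data in recover_deleted_files(image, BPB).items():
        print(name, len(data), "intact" if data == original else "damaged")
```

The contiguity assumption is the weak point of this approach: a fragmented file yields the first fragment followed by whatever happened to sit in the following clusters, which is why a recovery tool should validate carved content (file signatures, checksums) rather than trust the size field alone.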

Recovery Demo

• NTFS file recovery demo
  1. Locate the file's MFT record.
  2. Analyse the MFT record's attributes.
  3. Locate the data area.
  4. Save the recovered file.
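The NTFS recovery steps above (locate the MFT record, analyse its attributes, locate the data area), together with the earlier points on the MFT record layout, resident versus non-resident attributes, the flags word at 16H of the record header, and reaching streams without the stream APIs, as one added worked example in Python. It is not code from the slides or from KingSoft. It parses a FILE record as laid out in this deck (update-sequence fixups, attribute headers, data runs, every 80H $DATA attribute being one stream) and runs on a constructed 1 KB record built inside the block; that record stands in for one read from a real $MFT and is the only assumption.

```python
import struct

ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA = 0x10, 0x30, 0x80
END_MARKER, RECORD_SIZE, SECTOR = 0xFFFFFFFF, 1024, 512


def apply_fixups(raw):
    """Undo update-sequence protection: each sector's last two bytes hold the USN and the
    real bytes sit in the update sequence array; a mismatch means a torn (partial) write."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn record" % i)
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_runs(data):
    """Run list of a non-resident attribute. Header byte: low nibble = width of the length
    field, high nibble = width of the offset field (signed, relative to the previous LCN)."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos]:
        len_size, off_size, pos = data[pos] & 0xF, data[pos] >> 4, pos + 1
        length, pos = int.from_bytes(data[pos:pos + len_size], "little"), pos + len_size
        if off_size:                                   # off_size 0 = sparse run, no clusters on disk
            lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
        runs.append((lcn if off_size else None, length))
    return runs


def parse_record(raw):
    """Parse one FILE record: header flags (offset 16H) and the attribute chain."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    attrs, pos = [], first_attr
    while pos + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or length == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        a = dict(type=atype, resident=not nonres,
                 name=rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le"))
        if nonres:                                     # data in clusters; the record holds the run list
            runs_off, = struct.unpack_from("<H", rec, pos + 0x20)
            a["size"], = struct.unpack_from("<Q", rec, pos + 0x30)
            a["runs"] = decode_runs(rec[pos + runs_off:pos + length])
        else:                                          # data inside the MFT record itself
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            a["data"] = rec[pos + coff:pos + coff + clen]
            if atype == ATTR_FILE_NAME:                # name length at 40H, UTF-16 name at 42H
                a["filename"] = a["data"][0x42:0x42 + 2 * a["data"][0x40]].decode("utf-16-le")
        attrs.append(a)
        pos += length
    return dict(record_no=struct.unpack_from("<I", rec, 0x2C)[0],
                in_use=bool(flags & 1), directory=bool(flags & 2), attrs=attrs)


def data_streams(parsed):
    """Every $DATA attribute is a stream; the unnamed one is the file's normal content."""
    return [(a["name"] or "(unnamed)", a) for a in parsed["attrs"] if a["type"] == ATTR_DATA]


def run_byte_ranges(runs, cluster_size):
    """Turn a run list into absolute (offset, length) byte ranges: where to read the data back."""
    return [(lcn * cluster_size, n * cluster_size) for lcn, n in runs if lcn is not None]


# Builders for the constructed sample record (a stand-in for bytes read from a real $MFT).
def resident(atype, content, name=""):
    nb, coff = name.encode("utf-16-le"), (0x18 + 2 * len(name) + 7) & ~7
    buf = bytearray((coff + len(content) + 7) & ~7)
    struct.pack_into("<IIBBHHHIH", buf, 0, atype, len(buf), 0, len(name), 0x18, 0, 0, len(content), coff)
    buf[0x18:0x18 + len(nb)], buf[coff:coff + len(content)] = nb, content
    return bytes(buf)


def nonresident(atype, runs, size, name="", last_vcn=11):
    nb, roff = name.encode("utf-16-le"), (0x40 + 2 * len(name) + 7) & ~7
    buf = bytearray((roff + len(runs) + 7) & ~7)
    struct.pack_into("<IIBBHHH", buf, 0, atype, len(buf), 1, len(name), 0x40, 0, 0)
    struct.pack_into("<QQHHIQQQ", buf, 0x10, 0, last_vcn, roff, 0, 0, (last_vcn + 1) * 4096, size, size)
    buf[0x40:0x40 + len(nb)], buf[roff:roff + len(runs)] = nb, runs
    return bytes(buf)


def build_record(attrs, record_no=40, flags=1):
    rec, body = bytearray(RECORD_SIZE), b"".join(attrs) + struct.pack("<II", END_MARKER, 0)
    rec[0x38:0x38 + len(body)] = body
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags,
                     0x38 + len(body), RECORD_SIZE, 0, len(attrs), 0, record_no)
    usa = bytearray(b"\x07\x00")                       # USN, followed by the saved sector tails
    for i in (1, 2):
        usa += rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x07\x00"
    rec[0x30:0x36] = usa
    return bytes(rec)


FILE_NAME_BODY = struct.pack("<Q4Q2QIIBB", 5, 0, 0, 0, 0, 0, 0, 0x20, 0, 9, 1) + "notes.txt".encode("utf-16-le")
SAMPLE = build_record([
    resident(ATTR_STANDARD_INFORMATION, bytes(48)),
    resident(ATTR_FILE_NAME, FILE_NAME_BODY),
    resident(ATTR_DATA, b"visible content"),
    # named stream "hidden", non-resident: 8 clusters at LCN 1000H, then 4 clusters at LCN E00H
    nonresident(ATTR_DATA, b"\x21\x08\x00\x10\x21\x04\x00\xFE\x00", 12 * 4096 - 100, name="hidden"),
])
```

Reading SAMPLE with parse_record gives record 40, in use, with the unnamed $DATA resident ("visible content" lives inside the record) and a second $DATA named "hidden" whose bytes sit in clusters 1000H-1007H and E00H-E03H; multiply by the cluster size to get the disk offsets to read, which is exactly the step the stream APIs hide and the recovery demo needs. A record whose flags word is 0 or 2 parses the same way, so the same code recovers a deleted file as long as its clusters have not been reused.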

Data Overwrite

• DoD 5220.22-M clearing and sanitization methods
  a. Degauss with a Type I degausser.
  b. Degauss with a Type II degausser.
  c. Overwrite all addressable locations with a single character.
  d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.
  e. Overwrite all addressable locations with a character, its complement, then a random character.
  f. Each overwrite must reside in memory for a period longer than the classified data resided.
  g. Remove all power, including battery power.
  h. Overwrite all locations with a random pattern, then all locations with binary zeros, then all locations with binary ones.
  i. Perform a full chip erase as per manufacturer's data sheets.
  j. Perform i above, then c above, a total of three times.
  k. Perform an ultraviolet erase according to manufacturer's recommendation.
  l. Perform k above, but increase time by a factor of three.
  m. Destroy: disintegrate, incinerate, pulverize, shred, or melt.
  n. Destruction required only if classified information is contained.

Data Overwrite

• DoD 5220.22-M clearing and sanitization matrix (method letters refer to the list above)

  Media                                    Clear         Sanitize
  Magnetic Tape (1)
    Type I                                 a or b        a, b, or m
    Type II                                a or b        b or m
    Type III                               a or b        m
  Magnetic Disk
    Bernoullis                             a, b, or c    m
    Floppies                               a, b, or c    m
    Non-Removable Rigid Disk               c             a, b, d, or m
    Removable Rigid Disk                   a, b, or c    a, b, d, or m
  Optical Disk
    Read Many, Write Many                  c             m
    Read Only                              -             m, n
    Write Once, Read Many (WORM)           -             m, n
  Memory
    Dynamic Random Access Memory (DRAM)    c or g        c, g, or m
    Electronically Alterable PROM (EAPROM) i             j or m
    Electronically Erasable PROM (EEPROM)  i             h or m
    Erasable Programmable ROM (EPROM)      k             l, then c, or m
    Flash EPROM (FEPROM)                   i             c then i, or m
    Programmable ROM (PROM)                c             m
    Magnetic Bubble Memory                 c             a, b, c, or m
    Magnetic Core Memory                   c             a, b, e, or m
    Magnetic Plated Wire                   c             c and f, or m
    Magnetic Resistive Memory              c             m
    Nonvolatile RAM (NOVRAM)               c or g        c, g, or m
    Read Only Memory (ROM)                 -             m
    Static Random Access Memory (SRAM)     c or g        c and f, g, or m

• http://www.zdelete.com/dod.htm

Overwrite to DoD level d or e

• Method 1:
  1. Open the file
  2. Write the file
  3. Close the file
  Features: simple, but not safe (the file system decides where the write lands, and that need not be the file's original clusters).

Overwrite to DoD level d or e

• Method 2:
  1. Locate the file's MFT record or directory entry in the file system.
  2. Locate the file's physical address on disk.
  3. Write directly to the disk.
  Features: complex (needs deep knowledge of the file system and disk structure), safe (guarantees the overwrite lands on the same place the file occupied).
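Method 1 carried out with the DoD method d pattern (a character, its complement, random data, then verify), as an added example in Python; it is not code from the slides. It opens the existing file read/write and overwrites its full length in place, so the file is never truncated and re-allocated, syncs each pass to the device, and verifies by reading back. The input file is created in a temporary directory inside the block (a constructed input). This is precisely the "simple but not safe" path: the write only reaches the file's original clusters for a plain, uncompressed, non-sparse file, and it never touches an earlier resident copy of the data left inside the MFT record, copies in $LogFile or volume shadow copies, or flash pages an SSD has remapped, which is why method 2 goes to the MFT record and the physical address instead.

```python
import os
import secrets
import tempfile


def dod_d_patterns(char=0x00):
    """DoD 5220.22-M method d: a character, its complement, then random data (None = random)."""
    return [bytes([char]), bytes([char ^ 0xFF]), None]


def overwrite_in_place(path, char=0x00, chunk=1 << 20):
    """Method 1 from the slides: open the existing file, write over its whole length, close.
    'r+b' keeps the existing allocation; 'wb' would truncate and let the file system hand
    out fresh clusters, leaving the old ones (and the old data) untouched."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in dod_d_patterns(char):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())             # force each pass to the device before the next one
    return size


def verify_overwritten(path, original_sample):
    """The 'verify' step of method d: the original bytes must no longer be readable."""
    with open(path, "rb") as f:
        return not original_sample or original_sample not in f.read()


def wipe_and_verify(path, char=0x00):
    with open(path, "rb") as f:
        sample = f.read(64)                  # keep a slice of the original to check against
    size = overwrite_in_place(path, char)
    return dict(size=size, passes=len(dod_d_patterns(char)),
                verified=verify_overwritten(path, sample))


def demo():
    """Constructed input: a temp file with recognisable content, wiped, then deleted."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"quarterly report - confidential\n" * 4000)
    try:
        return wipe_and_verify(path)
    finally:
        os.remove(path)                      # delete only after the overwrite: deleting first frees the clusters
```

The read-back verification checks the file as the file system now presents it, not the sectors the data used to occupy; a verification that means something at DoD level d has to read the physical locations found by method 2.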

References

• Tu Yanhui, Dai Shijian. Data Security and Programming Technology (数据安全与编程技术). Beijing: Tsinghua University Press, 2005.
• Dai Shijian, Tu Yanhui. Data Recovery Technology (数据恢复技术), 2nd ed. Beijing: Publishing House of Electronics Industry, 2005.

Thank YOU!