Mumbai Meet - January 2012
NTFS FORENSICS
Yogesh Khatri
NTFS Trivia
• Introduced in 1993 with Windows NT 3.1
• Default file system for the NT-based Windows line (NT, 2000, 2003, XP, ...)
• Feature list includes journaling, encryption (EFS), compression, sparse file support, disk quotas, reparse points, ...
Why NTFS forensics?
• To understand its format and inner workings
• To devise effective file recovery strategies for deleted / lost data
• To find forensically useful artifacts, such as:
  • Hidden timestamps (ones the OS does not normally display)
  • Logs ($LogFile, $UsnJrnl)
  • Deleted / leftover metadata
NTFS Basics
• Everything is a file, even the core file system internals (the "metafiles", whose names start with $)
• The internal files are always hidden from user view: Explorer and dir do not list them even with hidden and system files shown, but they can be read from the raw volume
[Figure: Hidden files and folders in NTFS]
Hidden Internal Files
MFT#  Filename   Description
0     $MFT       Master File Table: one record for every file and folder, itself included
1     $MFTMirr   Backup of the first 4 MFT records ($MFT, $MFTMirr, $LogFile, $Volume)
2     $LogFile   Transaction log used to roll file system metadata back to a consistent state
3     $Volume    Volume label, NTFS version and dirty flag; its $DATA stream is empty
4     $AttrDef   Table listing MFT attribute names, type numbers and size limits
5     .          Root folder of the volume
6     $Bitmap    One bit per cluster: which clusters on the volume are in use
7     $Boot      Boot sector and bootstrap code; its BPB gives the sector and cluster sizes and the location of $MFT and $MFTMirr
8     $BadClus   Sparse file whose data runs cover the bad clusters on the volume
9     $Secure    Security descriptors (ACLs), shared between files and referenced by security ID
10    $Upcase    Uppercase mapping for every Unicode character, used for case-insensitive name comparison
11    $Extend    Folder holding optional extensions such as $ObjId, $Quota, $Reparse and $UsnJrnl
Physical Layout of NTFS Volume
[Figure: cluster map of a volume. Logical sector 0 (cluster 0) holds $Boot, the boot sector read by the boot manager; the internal files ($MFT, $Bitmap, ...) follow, starting at cluster 2 in the illustration (the real start of $MFT is recorded in the BPB inside $Boot); the legend distinguishes allocated from free clusters]
Master File Table - $MFT
• Consists of fixed-size records, 1024 bytes on almost every volume (the size is recorded in $Boot)
• Has an entry for every file and folder, including itself (record 0)
• Records can be identified by the header signature "FILE" ("BAAD" marks a record whose update-sequence check failed)
• A record consists of a header and a list of attributes
  • All metadata is stored in attributes; small content lives inside the record (resident), large content is pointed to by cluster runs (non-resident)
• Common attributes:
  • $STANDARD_INFORMATION (type 0x10): timestamps, DOS attribute flags
  • $FILE_NAME (type 0x30): name, parent directory, a second set of timestamps
  • $DATA (type 0x80): the file content, or the data runs that locate it
Reading an MFT Entry
[Figure: hex view of an MFT record, header followed by attributes]
Understanding File Storage
[Figure: the $MFT entry for "Hello.txt" and its $DATA attribute, whose data runs point at the clusters holding the content]
$DATA attribute data runs:
Start Cluster   Length (clusters)
52              3
72              2
Illustration: NTFS concept of Data Runs. Each run is stored as a (length, cluster offset) pair, and the offset is relative to the start of the previous run, so the second run above is encoded as +20 rather than 72.
[Figure: cluster view of the NTFS volume, allocated vs. free clusters]
Timestamps on NTFS
• 64-bit timestamp (FILETIME)
  • Number of 100-nanosecond intervals since 1 January 1601 (UTC)
  • 1 second = 10,000,000 intervals = 0x989680
• 4 timestamps (MACE), stored in $STANDARD_INFORMATION and again in $FILE_NAME:
  • Created
  • Modified (content written)
  • Accessed
  • MFT Entry Modified: updated whenever the record itself changes (rename, attribute added, ACL or size change); Windows never displays it and SetFileTime cannot set it, so it often survives timestamp manipulation
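A worked example of the timestamp format, added here and not part of the original talk: a Python parser for the first 48 bytes of a $STANDARD_INFORMATION attribute, which holds the four timestamps in their on-disk order. The conversion functions are generic FILETIME helpers; the sample attribute body is constructed for the example, and its dates and flags are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100 ns intervals since 1601-01-01 00:00:00 UTC, so one second is
# 10,000,000 (0x989680) intervals, as the slide states.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 0x989680
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 00:00:00 UTC as a FILETIME


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime. Python keeps microseconds, so the last (100 ns)
    digit is dropped; keep the raw integer when sub-microsecond detail matters."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; dt must be timezone-aware."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * INTERVALS_PER_SECOND + delta.microseconds * 10


# $STANDARD_INFORMATION (attribute type 0x10, always resident) starts with four FILETIMEs
# in this on-disk order, followed by the DOS attribute flags. The third one is the
# "MFT entry modified" time: it changes whenever the record itself is rewritten (rename,
# new attribute, ACL or size change) and Windows never displays it.
SI_TIMES = ("created", "modified", "mft_modified", "accessed")
SI_HEADER = struct.Struct("<4QI")


def parse_standard_information(body):
    """Return the four timestamps (as datetimes and raw integers) and the flags word."""
    if len(body) < SI_HEADER.size:
        raise ValueError("$STANDARD_INFORMATION body too short")
    *times, flags = SI_HEADER.unpack_from(body, 0)
    info = {name: filetime_to_datetime(t) for name, t in zip(SI_TIMES, times)}
    info["raw"] = dict(zip(SI_TIMES, times))
    info["flags"] = flags
    return info


# Constructed sample body: the 48-byte NTFS 1.x layout (NTFS 3.x appends owner id,
# security id, quota charged and USN, which this parser ignores). Dates are made up.
_t0 = datetime(2012, 1, 14, 10, 30, tzinfo=timezone.utc)
SAMPLE_SI = SI_HEADER.pack(
    datetime_to_filetime(_t0),                                                      # created
    datetime_to_filetime(_t0 + timedelta(minutes=5)),                               # modified
    datetime_to_filetime(_t0 + timedelta(minutes=5, seconds=1, microseconds=500)),  # mft_modified
    datetime_to_filetime(_t0 + timedelta(minutes=7)),                               # accessed
    0x20,                                                                           # FILE_ATTRIBUTE_ARCHIVE
) + bytes(12)                                                                       # max versions, version, class id

if __name__ == "__main__":
    for key, value in parse_standard_information(SAMPLE_SI).items():
        print(key, value)
```

Keep the raw integers alongside the datetimes: the 100 ns resolution is lost in a datetime, and it is exactly the sub-second part that lets an examiner compare the $STANDARD_INFORMATION times against the copy in $FILE_NAME.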
Concept of Initialized Data
• NTFS keeps 3 size fields for each non-resident attribute:
  • Logical (real) size: the length the file reports
  • Initialized size: how many of those bytes have actually been written; reads beyond it return zeros, whatever the clusters on disk contain
  • Physical (allocated) size: the clusters assigned to the file, a multiple of the cluster size; the bytes between logical and physical size are file slack
[Figure: the three sizes as shown on the file's Properties sheet and in the on-disk $DATA attribute header]
Alternate Data Streams
• Every file has a single unnamed $DATA stream by default, but NTFS allows any number of named $DATA attributes (addressed as filename:streamname)
• A place to store (hide) data that is not displayed by Windows Explorer or by a plain command-line 'dir' (dir /R lists streams on Vista and later); the file's reported size does not include them
• Intended to store extra file metadata: used by IE (the Zone.Identifier stream), Outlook Express, AV programs
• Exploited by malware to hide malicious tools; streams are dropped when the file is copied to FAT or sent as an attachment
[Demonstration: creating and listing an alternate data stream]
USN Journal - $UsnJrnl
• USN = Update Sequence Number
• As files, directories and other NTFS objects are added, deleted or modified, NTFS appends a record to the journal describing what changed (a reason bit mask), not the data itself
• Lives in \$Extend\$UsnJrnl: the records are in the $J stream, the journal ID and size limits in the $Max stream
• This is a system management feature used to recover quickly from a computer or volume failure (backup, indexing and replication services use it to find what changed)
• $J is sparse: older records are released and read back as zeros, so normally only the recent tail is present
$UsnJrnl:$J record (structure documented on MSDN as USN_RECORD_V2), main fields:
  Record Length
  Major / Minor version
  File reference (MFT entry + sequence number) and parent file reference
  USN (the record's offset within $J)
  TimeStamp
  Reason (bit mask: FILE_CREATE, DATA_EXTEND, FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, CLOSE, ...)
  FileAttributes
  File name (UTF-16LE, name only, no path)
[Figure: USNJRNL Record Format]
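An added example, not from the talk: parsing USN_RECORD_V2 entries out of a $J stream in Python, following the field layout MSDN documents for USN_RECORD_V2. The three-record journal at the bottom is constructed for the example (entry numbers, sequence numbers and times are invented); a real $J is read from \$Extend\$UsnJrnl or carved from unallocated space.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Reason bits, a subset of those listed for USN_RECORD on MSDN.
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATE",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
# USN_RECORD_V2 fixed part (60 bytes): RecordLength, Major, Minor, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")


def split_reference(ref):
    """MFT record number (low 48 bits) and sequence number (high 16 bits). Both matter:
    a record number is reused after deletion, with the sequence number incremented."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reasons(mask):
    names = [name for bit, name in REASONS.items() if mask & bit]
    unknown = mask & ~sum(REASONS)
    if unknown:
        names.append("0x%08X" % unknown)
    return names


def parse_usn_record(buf, off=0):
    (length, major, minor, fref, pref, usn, ts, reason, _src, _sid,
     attrs, name_len, name_off) = USN_V2.unpack_from(buf, off)
    if major != 2:
        raise ValueError("only USN_RECORD_V2 is handled, got v%d.%d" % (major, minor))
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    entry, seq = split_reference(fref)
    parent, parent_seq = split_reference(pref)
    return {"usn": usn, "time": filetime_to_datetime(ts), "name": name,
            "mft_entry": entry, "sequence": seq, "parent_entry": parent,
            "parent_sequence": parent_seq, "reasons": decode_reasons(reason),
            "attributes": attrs, "length": length}


def iter_usn_records(buf):
    """Walk a $UsnJrnl:$J stream. $J is sparse: the released part reads as zeros, so a
    zero length means "skip to the next 8-byte boundary", not end of data."""
    off = 0
    while off + USN_V2.size <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:
            off += 8
            continue
        if length < USN_V2.size or length % 8 or off + length > len(buf):
            break  # corrupt or truncated record; a real carver would resynchronise here
        yield parse_usn_record(buf, off)
        off += length


# Constructed sample journal: create, write and delete of one file in the root directory
# (MFT entry 5). Entry number, sequence numbers and timestamps are made up.
def _record(usn, entry, seq, parent, ts, reason, name):
    name_b = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_b) + 7) & ~7          # records are 8-byte aligned
    fixed = USN_V2.pack(length, 2, 0, entry | (seq << 48), parent | (5 << 48), usn, ts,
                        reason, 0, 0, 0x20, len(name_b), USN_V2.size)
    return fixed + name_b + bytes(length - USN_V2.size - len(name_b))


_T0 = 129710106000000000  # 2012-01-14 10:30:00 UTC as a FILETIME
_r1 = _record(64, 1234, 5, 5, _T0, 0x100, "notes.txt")                              # FILE_CREATE
_r2 = _record(144, 1234, 5, 5, _T0 + 20_000_000, 0x2 | 0x80000000, "notes.txt")     # DATA_EXTEND|CLOSE
_r3 = _record(224, 1234, 5, 5, _T0 + 600_000_000, 0x200 | 0x80000000, "notes.txt")  # FILE_DELETE|CLOSE
SAMPLE_J = bytes(64) + _r1 + _r2 + _r3  # leading zeros stand in for the released region

if __name__ == "__main__":
    for rec in iter_usn_records(SAMPLE_J):
        print(rec["time"], rec["mft_entry"], rec["name"], "|".join(rec["reasons"]))
```

The journal only stores the name and the parent's file reference, so rebuilding a full path means resolving the parent through the MFT (or through earlier $J records); keep the sequence number, because after a delete the same entry number can belong to an unrelated later file.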
INDX Records
• NTFS indexes directory contents and stores the index as a B-tree of $I30 nodes; each entry carries a full copy of the child's $FILE_NAME attribute
[Figure: Explorer view of a folder beside a hex view of its INDX directory structure]
• The index data is stored in $I30 attributes of the directory's MFT record
• Resident vs. non-resident: small directories fit in the resident $INDEX_ROOT; larger ones spill into $INDEX_ALLOCATION buffers, each starting with the "INDX" signature and carrying update-sequence fixups like MFT records
• Forensic value: deleting a file shifts the later entries up but leaves the old bytes in the slack of the INDX buffer, so deleted-file metadata (MACE times, file name, logical & physical size, parent directory) can be recovered from there
Attribute ID   Attribute           Name
0x90           $INDEX_ROOT         $I30
0xA0           $INDEX_ALLOCATION   $I30
0xB0           $BITMAP             $I30
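An added example of the slack-carving idea, not from the talk: a Python parser for one INDX buffer that lists the live $I30 entries and then scans the slack behind them for leftover $FILE_NAME bodies. The 4 KiB buffer is constructed for the example (a directory of a.txt, b.txt and secret.doc, after secret.doc was deleted), and as a simplifying assumption its update-sequence fixups are not applied; a buffer read from disk must have them undone first, exactly as an MFT record must.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# $FILE_NAME body as copied into every $I30 entry (66 bytes + UTF-16LE name): parent ref,
# 4 timestamps, allocated size, real size, flags, reparse value, name length, namespace.
FILE_NAME = struct.Struct("<QQQQQQQIIBB")
ENTRY = struct.Struct("<QHHI")  # $I30 entry header: file ref, entry len, $FILE_NAME len, flags
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32+DOS"}
# Plausibility window for carved timestamps (1990-01-01 .. 2100-01-01), as FILETIMEs.
_FT_MIN = int((datetime(1990, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10**7
_FT_MAX = int((datetime(2100, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10**7


def parse_file_name(body, strict=True):
    """Parse a $FILE_NAME body; with strict=True also reject anything that does not look
    like one, which is what makes it usable as a carving predicate over slack."""
    if len(body) < FILE_NAME.size:
        raise ValueError("too short")
    pref, cr, mo, mft, ac, alloc, real, flags, _rep, nlen, ns = FILE_NAME.unpack_from(body, 0)
    if nlen == 0 or ns > 3 or len(body) < FILE_NAME.size + 2 * nlen:
        raise ValueError("not a $FILE_NAME")
    if strict and not all(_FT_MIN <= t < _FT_MAX for t in (cr, mo, mft, ac)):
        raise ValueError("timestamps out of range")
    name = body[FILE_NAME.size:FILE_NAME.size + 2 * nlen].decode("utf-16-le")  # ValueError on junk
    if strict and any(ord(c) < 0x20 for c in name):
        raise ValueError("control characters in name")
    return {"name": name, "namespace": NAMESPACES[ns], "parent_entry": pref & 0xFFFFFFFFFFFF,
            "created": filetime_to_datetime(cr), "modified": filetime_to_datetime(mo),
            "mft_modified": filetime_to_datetime(mft), "accessed": filetime_to_datetime(ac),
            "allocated_size": alloc, "real_size": real, "flags": flags}


def parse_indx(buf):
    """Parse one INDX buffer ($INDEX_ALLOCATION record) whose fixups are already applied.
    Returns (live entries, entries carved from slack)."""
    if buf[:4] != b"INDX":
        raise ValueError("missing INDX signature")
    node = 0x18  # the index node header follows the 24-byte record header
    first, used, allocated = struct.unpack_from("<III", buf, node)  # offsets relative to node
    live, off, end = [], node + first, node + used
    while off + ENTRY.size <= end:
        ref, elen, fnlen, flags = ENTRY.unpack_from(buf, off)
        if flags & 2 or elen < ENTRY.size + fnlen:  # flag 2 = last entry, carries no $FILE_NAME
            break
        entry = parse_file_name(buf[off + ENTRY.size:off + ENTRY.size + fnlen], strict=False)
        entry.update(mft_entry=ref & 0xFFFFFFFFFFFF, sequence=ref >> 48)
        live.append(entry)
        off += elen
    # Slack: from the end of the live list to the end of the node. Deleting a file shifts
    # the later entries up and leaves the old bytes behind; the entry header of the deleted
    # file is usually overwritten, so carve for $FILE_NAME bodies rather than entries.
    carved, pos = [], end
    while pos + FILE_NAME.size <= node + allocated:
        try:
            entry = parse_file_name(buf[pos:node + allocated])
        except ValueError:
            pos += 8
            continue
        carved.append(entry)
        pos += (FILE_NAME.size + 2 * len(entry["name"]) + 7) & ~7
    return live, carved


# Constructed sample: a directory that held a.txt, b.txt and secret.doc, after secret.doc
# was deleted. MFT numbers, sizes and times are made up; fixups are deliberately omitted.
def _entry(ref, seq, name, size, created):
    body = FILE_NAME.pack(5 | (2 << 48), created, created, created, created,
                          (size + 4095) & ~4095, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    elen = (ENTRY.size + len(body) + 7) & ~7
    return ENTRY.pack(ref | (seq << 48), elen, len(body), 0) + body + bytes(elen - ENTRY.size - len(body))


def build_sample_indx():
    t = 129710106000000000  # 2012-01-14 10:30:00 UTC
    a, b = _entry(40, 1, "a.txt", 100, t), _entry(41, 1, "b.txt", 2000, t + 10**7)
    s = _entry(42, 3, "secret.doc", 51200, t + 2 * 10**7)
    last = ENTRY.pack(0, ENTRY.size, 0, 2)
    before, after = a + b + s + last, a + b + last
    entries = after + before[len(after):]  # live list, then whatever the delete left behind
    first = 0x40 - 0x18                    # entries start at 0x40, after the 9-word USA
    header = b"INDX" + struct.pack("<HHQQ", 0x28, 9, 0, 0)
    header += struct.pack("<IIII", first, first + len(after), 4096 - 0x18, 0)
    return (header + bytes(0x40 - len(header)) + entries).ljust(4096, b"\0")
```

The carved entry comes back without an MFT number: the 16-byte entry header of secret.doc was overwritten by the shifted-up last-entry marker, which is the normal pattern, while its name, parent, sizes and all four timestamps survive intact.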
$LogFile
• Contains the information NTFS needs for fast recovery: a write-ahead log of metadata changes
• Used to restore metadata consistency after a system failure (incomplete transactions are rolled back on mount)
• Format not completely reverse engineered (as of this talk)
• It is common to find INDX records, MFT records and LNK content in it, because the log stores before and after images of the metadata it changes (including resident data of small files such as shortcuts), so it is worth carving
File Recovery on NTFS
• Search unallocated space for $MFT entries: look for the "FILE" signature on sector boundaries and check the update-sequence fixups to discard fragments (records of deleted files also linger inside $MFT itself with the in-use flag cleared, until the record is reused)
• Get the data runs from the entry's non-resident $DATA attribute, e.g. Start Cluster = 54, Number of Clusters = 10 (a resident $DATA attribute holds the content inside the record itself)
• Read the data from disk run by run, stop at the logical size, and remember that the clusters may since have been reused by another file
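The procedure on this slide, together with the MFT record layout, the data-run encoding from the Hello.txt illustration and the three sizes from the initialized-data slide, as one added Python example (not the talk's own code). It builds a small construct image (512-byte clusters and a 1024-byte record are assumptions made for brevity; real volumes usually use 4096-byte clusters), places a deleted record for Hello.txt in it with runs (52, 3) and (72, 2), and then runs the three recovery steps: find "FILE" records, decode the runs, read the clusters back. decode_runs also handles the 2-byte offset form (21 03 34 00 ...) and sparse runs.

```python
import struct

# Assumptions for this constructed image: 512-byte clusters (real volumes normally use
# 4096), 1024-byte MFT records, and records on sector boundaries, which is how $MFT
# entries turn up in unallocated space after the MFT shrinks or the volume is reformatted.
CLUSTER = 512
RECORD = 1024
MFT_HEADER = struct.Struct("<4sHHQHHHHIIQHHI")  # "FILE" signature .. record number, 48 bytes

def apply_fixups(rec, sector=512):
    """Undo the update-sequence fixups: the last 2 bytes of each sector hold the update
    sequence number (USN) and the genuine bytes sit in the update sequence array (USA)."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * sector
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("fixup mismatch at sector %d: torn write or not a whole record" % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runs(buf):
    """Data run list -> [(start_lcn, clusters), ...]. Header byte: low nibble = size of the
    length field, high nibble = size of the offset field. Offsets are signed and relative to
    the previous run; offset size 0 is a sparse run (no clusters on disk, start None)."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:                # a 0x00 header ends the list
        lsize, osize = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + lsize], "little")
        pos += lsize
        if osize == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + osize], "little", signed=True)
            pos += osize
            runs.append((lcn, length))
    return runs

def parse_record(rec):
    """Parse the header of a fixup-corrected record and pull out $FILE_NAME and $DATA."""
    sig, _, _, _, seq, _, attr_off, flags, used, _, _, _, _, recno = MFT_HEADER.unpack_from(rec, 0)
    if sig != b"FILE":
        raise ValueError("not an MFT record")
    info = {"record": recno, "sequence": seq, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "name": None, "runs": [], "alloc": 0, "real": 0, "init": 0}
    off = attr_off
    while off + 8 <= min(used, len(rec)):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 16 or off + alen > len(rec):  # 0xFFFFFFFF = end marker
            break
        nonres = rec[off + 8]
        if atype == 0x30 and not nonres:                       # $FILE_NAME, always resident
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + csize]
            nlen, ns = body[0x40], body[0x41]
            if info["name"] is None or ns != 2:                # prefer a non-DOS (8.3) name
                info["name"] = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
        elif atype == 0x80 and nonres:                         # non-resident $DATA: sizes + runs
            run_off, alloc, real, init = struct.unpack_from("<H6xQQQ", rec, off + 0x20)
            info.update(alloc=alloc, real=real, init=init, runs=decode_runs(rec[off + run_off:off + alen]))
        off += alen
    return info

def read_stream(image, info, cluster=CLUSTER):
    """Reassemble $DATA the way NTFS presents it: only real-size bytes, zeros past the
    initialized size whatever the clusters hold; bytes between real and allocated size are
    returned separately as file slack, which the examiner wants to see."""
    out = bytearray()
    for lcn, count in info["runs"]:
        out += bytes(count * cluster) if lcn is None else image[lcn * cluster:(lcn + count) * cluster]
    data, slack = out[:info["real"]], bytes(out[info["real"]:])
    if info["init"] < info["real"]:
        data[info["init"]:] = bytes(info["real"] - info["init"])
    return bytes(data), slack

def carve_records(image, sector=512):
    """Step 1 of the slide: scan for sector-aligned "FILE" records and parse the good ones."""
    found = []
    for off in range(0, len(image) - RECORD + 1, sector):
        if image[off:off + 4] == b"FILE":
            try:
                found.append((off, parse_record(apply_fixups(image[off:off + RECORD]))))
            except ValueError:
                pass
    return found

def build_sample_image():
    """80-cluster image with one deleted record for Hello.txt whose $DATA runs are (52, 3)
    and (72, 2), as in the talk's illustration. Returns the image and the bytes written."""
    payload = (b"Hello from NTFS! " * 200)[:1800]
    real, init = 2100, 1800            # extended to 2100 bytes, but only 1800 were ever written
    image = bytearray(80 * CLUSTER)
    image[52 * CLUSTER:52 * CLUSTER + 1536] = payload[:1536]
    image[72 * CLUSTER:72 * CLUSTER + 264] = payload[1536:]
    image[72 * CLUSTER + 264:74 * CLUSTER] = b"\xCC" * 760              # stale bytes of an older file
    fn = struct.pack("<QQQQQQQIIBB", 5 | (2 << 48), 0, 0, 0, 0, 5 * CLUSTER, real, 0x20, 0, 9, 1)
    fn_attr = struct.pack("<IIBBHHHIHBB", 0x30, 0x70, 0, 0, 0x18, 0, 2, len(fn) + 18, 0x18, 1, 0)
    fn_attr = (fn_attr + fn + "Hello.txt".encode("utf-16-le")).ljust(0x70, b"\0")
    runs = bytes.fromhex("110334" "110214" "00")                        # (3 @ 52) (2 @ 52+20)
    data_attr = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 0x48, 1, 0, 0x40, 0, 3, 0, 4, 0x40, 0, 0,
                            5 * CLUSTER, real, init) + runs
    rec = bytearray(RECORD)
    MFT_HEADER.pack_into(rec, 0, b"FILE", 0x30, 3, 0, 7, 1, 0x38, 0, 0xF8, RECORD, 0, 4, 0, 1234)
    rec[0x38:0xF0] = fn_attr + data_attr.ljust(0x48, b"\0")
    rec[0xF0:0xF4] = b"\xFF\xFF\xFF\xFF"                                # end-of-attributes marker
    usn = b"\x01\x00"                                                   # write the fixups last
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = usn
    image[20 * CLUSTER:20 * CLUSTER + RECORD] = rec
    return bytes(image), payload
```

Note what read_stream does with the initialized size: the 300 bytes between 1800 and 2100 come back as zeros even though the cluster on disk holds 0xCC, which is what the live file system would have returned; the 460 bytes past the logical size are handed back separately as slack, because for an examiner those stale bytes are evidence rather than noise. The in_use flag of the carved record is False, which is how a deleted file's record looks whether it is found inside $MFT or in unallocated space.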
Questions
• More forensic stuff on my Blog – www.swiftforensics.com
• Email me at [email protected]
• Thanks
References
• Books
  • File System Forensic Analysis - Brian Carrier
• Online Resources
  • MSDN