Chapter 7 - kuroski.net


Mastering Windows Network Forensics and Investigation
Chapter 7: Windows File Systems
Chapter Topics:
• File Systems vs Operating Systems
• Understanding FAT File Systems
• Understanding NTFS File Systems
• Understanding exFAT File Systems
• Dealing with Alternate Data Streams
File Systems vs Operating Systems
• Operating system: responsible for carrying out the basic tasks of the computer
• O/S types:
  – Microsoft Windows
  – Unix
  – Linux
  – Mac OS X
File Systems vs Operating Systems
• File system: the system or method of storing and retrieving data on a computer
• File system types:
  – FAT (12, 16, 32)
  – NTFS
  – exFAT
  – HFS
  – HFS+
  – Ext2
  – Ext3
  – ISO 9660
  – UDF
  – UFS
Windows Operating System
• Uses FAT, exFAT and NTFS file systems
• FAT is the ideal cross-platform file system, as nearly all operating systems can reliably read it and write to it
Minimal Functions of any File System
• Track the name of the file (or directory).
• Track the starting point where the file starts.
• Track the length of the file along with other file metadata, such as timestamps.
• Track the clusters used by the file (cluster runs).
• Track which allocation units (clusters) are allocated and which ones are not.
FAT File System
• Major components
  – FAT (File Allocation Table)
    • Tracks clusters used by the file
    • Tracks which allocation units (clusters) are allocated and which are not
  – 32-byte FAT directory entry
    • Tracks the name of the file (or directory)
    • Tracks the starting point where the file starts
    • Tracks the length of the file along with other file metadata, such as timestamps
FAT32 Directory Entry

BYTE OFFSET (DECIMAL)   DESCRIPTION
0                       First Character of Filename or Status Byte
1-7                     Characters 2-8 of Filename
8-10                    3 Characters of File Extension
11                      Attributes (Detailed in Table 7.6)
12-13                   Reserved
14-17                   Created time and date of file. Stored as MS-DOS 32-bit date/time stamp
18-19                   Last Accessed date—no time!
20-21                   Two high bytes of FAT32 starting cluster. FAT12/16 will have zeros
22-25                   Last Written time and date of file. Stored as MS-DOS 32-bit date/time stamp
26-27                   Starting cluster for FAT12/16—two low bytes of starting cluster for FAT32
28-31                   Size in bytes of file (32-bit integer). Note: Will be 0 for directories!
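The byte layout in the table above, as an added worked example that is not part of the book's slides: a parser that decodes one 32-byte entry, unpacks the MS-DOS date/time words, joins the FAT32 high and low cluster words, and treats the status byte (0x00 unused, 0xE5 deleted) the way an examiner would. The attribute bit values and the sample entry for REPORT.TXT are assumptions constructed here, not taken from the page.

```python
import struct
from datetime import datetime

# Attribute bits of byte 11 (standard FAT values; the book's Table 7.6 is not on this page)
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME_LABEL, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20

def dos_datetime(date_word, time_word=None):
    """Decode an MS-DOS packed date word and, if given, a time word (2 s resolution)."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    if time_word is None:            # bytes 18-19 carry a date only, no time
        return datetime(year, month, day)
    return datetime(year, month, day, time_word >> 11, (time_word >> 5) & 0x3F,
                    (time_word & 0x1F) * 2)

def parse_fat32_dir_entry(entry):
    """Parse one 32-byte directory entry following the byte-offset table above."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    status = entry[0]
    if status == 0x00:               # never used: nothing to recover
        return {"status": "unused"}
    name = entry[0:8]
    if status == 0xE5:               # deleted: only the first filename character is lost
        name = b"?" + name[1:]
    attrs = entry[11]
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack("<HHHHHHHI", entry[14:32])
    return {
        "status": "deleted" if status == 0xE5 else "in use",
        "name": name.decode("ascii", "replace").rstrip(),
        "ext": entry[8:11].decode("ascii", "replace").rstrip(),
        "is_directory": bool(attrs & ATTR_DIRECTORY),
        "created": dos_datetime(cdate, ctime),
        "accessed": dos_datetime(adate),
        "written": dos_datetime(wdate, wtime),
        "start_cluster": (hi << 16) | lo,    # FAT12/16 store zeros in the high word
        "size": size,                        # 0 for directories
    }

# Constructed sample entry for REPORT.TXT (an assumption, not data from the book)
SAMPLE_ENTRY = (b"REPORT  TXT" + bytes([ATTR_ARCHIVE]) + b"\x00\x00"
                + struct.pack("<HHHHHHHI", 0x5E40, 0x4B45, 0x4B46, 0x0001,
                              0x6010, 0x4B47, 0x2345, 4096))

if __name__ == "__main__":
    for key, value in parse_fat32_dir_entry(SAMPLE_ENTRY).items():
        print(f"{key:14}{value}")
```

Flipping the first byte of the sample to 0xE5 shows why a deleted file's name loses only its first character while its timestamps, starting cluster and size stay intact.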
NTFS File System
• Major Components
  – Cluster bitmap ($Bitmap)
    • Tracks allocation status of all clusters in partition
  – Master File Table ($MFT)
    • Tracks clusters used by the file
    • Tracks the name of the file (or directory)
    • Tracks the starting point where the file starts
    • Tracks the length of the file along with other file metadata, such as timestamps
NTFS System Files

MFT RECORD #   FILENAME    DESCRIPTION
0              $MFT        Master File Table – each MFT record is 1,024 bytes in length
1              $MFTMirr    Contains a backup copy of the first four entries of the MFT
2              $LogFile    Journal file that contains file metadata transactions used for system recovery and file integrity
3              $Volume     NTFS version and volume label and identifier
4              $AttrDef    Attribute information
5              $.          Root directory of file system
6              $Bitmap     Tracks allocation status of all clusters in partition
7              $Boot       Contains partition boot sector and boot code
8              $BadClus    Bad clusters on partition are tracked with this file
9              $Secure     Contains file permissions and access control settings for file security
10             $UpCase     Converts lower case characters in Unicode by storing an uppercase version of all Unicode characters in this file
11             $Extend     A directory reserved for optional extensions
Alternate Data Streams (ADS)
• An MFT entry can have more than one $DATA attribute
• If more than one $DATA attribute exists, the additional ones are called ADS
• Invisible to the user, even to an administrator
• Can hold hidden data / malicious code
• Always examine for ADS using tools such as streams.exe, EnCase, etc.
exFAT File System
• Most recently supported file system
• Theoretical volume size of 64 ZB
• Uses a file allocation table
• Incorporates a cluster bitmap
• Times recorded for modified, accessed and created timestamps, with UTC support