Day 1.2b - FileSystem
UNLEASH
SYSTEM
Digital Forensics
Copyright © 2022 Ivan Chow, Karson Chan & Ricci IEONG Information Security and Forensics
Society
The Basics
What is a File System?
The Basics
• There are many different kinds of file systems, and they behave very differently. Each has its own structure or organization.
The Basics
• There must be data or files that describe the layout and size of the file system.
• To understand how files are stored, deleted and recovered from the disk, a forensic examiner needs to understand the file system at the raw level.
• When a partition is formatted, among other things, the data structures needed for its specific file system are created.
• The boundaries and type of the partition are set forth in a partition table.
FAT
A basic understanding of the FAT file system
FAT
Functions of the File Allocation Table:
1) Tracks the fragmentation of an object (which clusters it occupies, and in what order)
2) Tracks the allocation status of clusters
FAT
FAT entry value      Meaning
0000                 Unused (free cluster)
# (any other value)  The next cluster in use by the current object
FFFF                 Last cluster in a file (EOF)
FFF7                 Bad cluster
FAT
1) Format Disk
• From scratch: create (1) the Root Directory and (2) the File Allocation Table
• Quick format: clear the Root Directory and the FAT
2) Create an object:
• A 32-byte directory entry is created.
• The FAT is updated to reflect the allocation of the file data.
• Data is written to the disk.

Directory entry (name, MAC times, size, starting cluster):
File.txt   MACTime   2500   2

FAT entries before and after the file is created:
Cluster   Before   After
2         0000     0003
3         0000     0004
4         0000     FFFF
5         0000     0000
6         0000     0000
7         0000     0000
8         0000     0000
FAT
3) Delete an object:
• The first byte of the directory entry is changed to 0xE5.
• The relevant records in the FAT are zeroed out to release the space.
• The data remains. Recovery is simple if the file data stream is contiguous.
• Recovery of a fragmented file is not guaranteed.

Directory entry (name, MAC times, size, starting cluster), with the first byte of the name now 0xE5:
File.txt   MACTime   2500   2

FAT entries before and after deletion:
Cluster   Before   After
2         0003     0000
3         0004     0000
4         FFFF     0000
5         0000     0000
6         0000     0000
7         0000     0000
8         0000     0000
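As an added example (not from the slides), a small Python simulation of the create, delete and recover sequence above: a directory entry holding name, size and starting cluster, a FAT using the 0000/FFF7/FFFF values, deletion by marking the entry 0xE5 and zeroing the chain, and a recovery that must assume contiguity because the chain is gone, which is why a fragmented file comes back wrong. The cluster size and all file data are constructed values.

```python
import math

# FAT entry values from the slide: free, bad cluster, end of chain (FAT16-style)
FAT_FREE, FAT_BAD, FAT_EOF = 0x0000, 0xFFF7, 0xFFFF
CLUSTER_SIZE = 1024  # constructed value; real volumes use 512 bytes to 64 KB

def new_volume(n_clusters):
    """Entries 0 and 1 are reserved, so data clusters start at 2."""
    return {"fat": [FAT_EOF, FAT_EOF] + [FAT_FREE] * (n_clusters - 2),
            "dir": [], "disk": {}}

def create_file(vol, name, data, clusters):
    """Directory entry + FAT chain + data: the three steps on the slide."""
    fat = vol["fat"]
    for i, c in enumerate(clusters):
        if fat[c] != FAT_FREE:
            raise ValueError(f"cluster {c} is not free")
        vol["disk"][c] = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        fat[c] = clusters[i + 1] if i + 1 < len(clusters) else FAT_EOF
    entry = {"name": name, "size": len(data), "start": clusters[0]}
    vol["dir"].append(entry)
    return entry

def walk_chain(fat, start):
    """Follow next-cluster pointers until FFFF; a free or bad entry means a broken chain."""
    chain, cur = [], start
    while cur != FAT_EOF:
        if cur in chain or cur >= len(fat) or fat[cur] in (FAT_FREE, FAT_BAD):
            raise ValueError(f"broken chain at cluster {cur}")
        chain.append(cur)
        cur = fat[cur]
    return chain

def read_file(vol, entry):
    raw = b"".join(vol["disk"][c] for c in walk_chain(vol["fat"], entry["start"]))
    return raw[:entry["size"]]

def delete_file(vol, entry):
    """Mark the entry 0xE5 and zero its FAT chain; the data itself stays on disk."""
    for c in walk_chain(vol["fat"], entry["start"]):
        vol["fat"][c] = FAT_FREE
    entry["name"] = "\xe5" + entry["name"][1:]  # first byte of the 8.3 name

def recover_deleted(vol, entry):
    """Size and start cluster survive, the chain does not, so assume contiguity.
    Returns None if any needed cluster has since been reallocated (overwritten)."""
    n = math.ceil(entry["size"] / CLUSTER_SIZE)
    clusters = range(entry["start"], entry["start"] + n)
    if any(vol["fat"][c] != FAT_FREE for c in clusters):
        return None
    raw = b"".join(vol["disk"].get(c, b"") for c in clusters)
    return raw[:entry["size"]]
```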
FAT
File Fragmentation
• File fragmentation refers to the situation where a file's data stream cannot be kept contiguous.
• It leads to performance degradation on spinning hard disks but not on SSDs, which is why you will have heard of the process of "defrag".
FAT
File Slack
• If a new file is written to the clusters where a deleted file resided, and the new file does not occupy the whole space, file slack exists.
• File slack: the data between the end of the logical file and the end of the physical file (the last allocated cluster).
ExFAT
A basic understanding of the exFAT file system
ExFAT
• Extended FAT
• Introduced with Windows CE 6.0 in November 2006
ExFAT
dfr-05-nest-xfat.dd
ExFAT
                        exFAT                               FAT
Max size                64 ZB (theoretical)                 2 TB
File size               64 ZB                               4 GB
Files per directory     2,796,202                           65,536
Access control lists    Yes                                 No
Support TFAT            Yes                                 No
Support UTC             Yes                                 No (local time)
Timestamp granularity   10 ms                               Mtime: 2 s, Ctime: 10 ms, Atime: 1 day
Supported by            WinXP SP2, Win2k03 SP2, Vista SP1   Win95, Win98, Win2k, WinXP, Win2k03, Win2k08, Vista, Win7
ExFAT
Data Region
ExFAT
Byte      Definition
0-2       Jump Code
3-7       OEM Name
11-63     Zeros
64-67     Partition Sector Offset
72-79     Total Sectors on the Volume
80-83     FAT Location in sectors
84-87     Physical Size of FAT in sectors
88-91     Physical Sector Location of the Bitmap (Cluster Heap)
92-95     Number of Clusters
96-99     First Cluster of the Root Directory
100-103   Volume Serial Number
104-105   File System Revision Number
106-107   Volume Flags
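As an added example (not from the slides), a Python parser that reads the fields in the byte table above from a constructed exFAT boot sector, validates the fixed parts (jump code, file system name, the zero region, the boot signature), and derives the byte offsets of the FAT and the root directory that an examiner seeks to in a raw image. The two shift fields at offsets 108 and 109 and the 8-byte width of the partition offset come from Microsoft's published exFAT specification, not from the slide; all sample values are made up.

```python
import struct

def parse_exfat_boot_sector(sector: bytes) -> dict:
    """Decode the slide's byte table from a 512-byte exFAT boot sector."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[0:3] != b"\xEB\x76\x90":
        raise ValueError("unexpected jump code")
    if sector[3:11] != b"EXFAT   ":
        raise ValueError("file system name is not EXFAT")
    if any(sector[11:64]):
        raise ValueError("bytes 11-63 must be zero")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing boot signature")
    # PartitionOffset is an 8-byte field (64-71) in the exFAT specification.
    (part_offset, total_sectors, fat_offset, fat_length, heap_offset, cluster_count,
     root_cluster, serial, revision, flags) = struct.unpack_from("<QQIIIIIIHH", sector, 64)
    # BytesPerSectorShift / SectorsPerClusterShift live at 108 / 109 (specification).
    bytes_per_sector, sectors_per_cluster = 1 << sector[108], 1 << sector[109]
    if not 512 <= bytes_per_sector <= 4096:
        raise ValueError("implausible BytesPerSectorShift")
    return {
        "partition_offset": part_offset, "total_sectors": total_sectors,
        "fat_offset": fat_offset, "fat_length": fat_length,
        "cluster_heap_offset": heap_offset, "cluster_count": cluster_count,
        "root_cluster": root_cluster, "serial": serial,
        "revision": f"{revision >> 8}.{revision & 0xFF}", "flags": flags,
        # Byte offsets to seek to in the image: the FAT and the root directory.
        # Cluster numbering starts at 2, so root_cluster - 2 clusters into the heap.
        "fat_byte_offset": fat_offset * bytes_per_sector,
        "root_dir_byte_offset": (heap_offset + (root_cluster - 2) * sectors_per_cluster)
                                * bytes_per_sector,
    }

def constructed_boot_sector() -> bytes:
    """A made-up but well-formed boot sector; values are not from any real volume."""
    buf = bytearray(512)
    buf[0:3] = b"\xEB\x76\x90"
    buf[3:11] = b"EXFAT   "
    struct.pack_into("<QQIIIIIIHH", buf, 64, 2048, 262144, 128, 256, 512, 32704,
                     5, 0x12345678, 0x0100, 0)
    buf[108], buf[109] = 9, 3  # 512-byte sectors, 8 sectors per cluster
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)
```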
ExFAT
• Tracks the size and starting extent of the file, and also the length of the file name.
NTFS
A basic understanding of the NTFS file system
NTFS
• These system files are listed under the root directory but hidden from most users.
• With the exception of the boot code, the on-disk location of this data can be anywhere in the file system.
• Their date and time stamps are set to the time the file system was created.
NTFS
Attributes
Every MFT record consists of multiple attributes. All attributes have two parts: the header and the data.
• Header: identifies the type of attribute, its size, and its name.
• Data: the content is specific to the type of attribute and can be of any size.
➢ Data can be resident or non-resident. Small files and directories (typically 600 bytes or smaller) are entirely contained within the file's MFT record (known as a resident file).
NTFS
Attributes
Three main file attributes:
• Standard Information Attribute (SIA)
• File Name Attribute (FNA)
• Two or more $FILE_NAME attributes may exist: one for the short file name and another for the long file name (LFN) and other namespaces.
NTFS
Attribute: $STANDARD_INFORMATION
• It exists for every file and directory.
• Contains temporal, ownership, and security information.
• A flag field for general properties of the file, such as read-only, system or archive.
• It also tells whether the file is compressed, sparse, or encrypted.
• Four temporal values:
1) Creation Time: the time the file was created.
2) Modified Time: the time the content of the $DATA or $INDEX attributes was last modified.
3) MFT Modified Time: the time the metadata of the file was last modified. Note that this value is not shown in Windows when you view the properties of a file.
4) Accessed Time: the time the content of the file was last accessed.
NTFS
Attribute: $STANDARD_INFORMATION
There are at least two sets of temporal values stored in every single MFT record, namely inside the SIA and the FNA.
NTFS
Attribute: $FILE_NAME
• It exists for every file and directory.
• Contains the file name, size, temporal information, and the file reference of the parent directory.
• The file name is stored in Unicode.
• Some files have $FILE_NAME attributes for both the LFN and the short file name.
• Four temporal values (not always the same as those in the SIA).
• A flag field that can identify whether the record is for a directory, read-only, a system file, compressed, encrypted, and so on.
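As an added example (not from the slides), a Python parser for the attribute structure described above (a header giving type, length and resident flag, then for resident attributes the content size and offset) that pulls the four temporal values from both $STANDARD_INFORMATION and $FILE_NAME, the two sets the slides say every record carries, and flags a record whose SIA times predate its FNA times, a pattern worth a closer look during triage. The MFT record is constructed inside the block with the fixup array omitted; the attribute and content layouts follow the NTFS on-disk format.

```python
import struct
from datetime import datetime, timezone

ATTR_SIA, ATTR_FNA, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def to_filetime(iso):  # 100 ns ticks since 1601-01-01 UTC, exact integer arithmetic
    d = datetime.fromisoformat(iso) - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def resident_attr(atype, content):  # 24-byte resident header + content, 8-byte aligned
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content.ljust(length - 24, b"\0")

def build_record(sia_times, fna_times, name="File.txt"):
    """Constructed MFT record (fixup array omitted) holding a resident SIA and FNA."""
    sia = struct.pack("<QQQQI", *map(to_filetime, sia_times), 0x20).ljust(48, b"\0")
    fna = struct.pack("<QQQQQQQIIBB", 5, *map(to_filetime, fna_times),
                      0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    hdr = bytearray(56)
    hdr[0:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 56)  # offset of the first attribute
    return (bytes(hdr) + resident_attr(ATTR_SIA, sia)
            + resident_attr(ATTR_FNA, fna) + b"\xff\xff\xff\xff")

def parse_attributes(record):
    """Walk the attribute list: (type, content) if resident, (type, None) if non-resident."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record")
    pos, attrs = struct.unpack_from("<H", record, 0x14)[0], []
    while (atype := struct.unpack_from("<I", record, pos)[0]) != ATTR_END:
        length, nonres = struct.unpack_from("<IB", record, pos + 4)
        if nonres:
            attrs.append((atype, None))  # content lives in clusters, not in the record
        else:
            size, off = struct.unpack_from("<IH", record, pos + 16)
            attrs.append((atype, record[pos + off:pos + off + size]))
        pos += length
    return attrs

def timestamps(record):  # (SIA, FNA) FILETIME tuples: created, modified, MFT modified, accessed
    found = dict(parse_attributes(record))
    return (struct.unpack_from("<QQQQ", found[ATTR_SIA], 0),
            struct.unpack_from("<QQQQ", found[ATTR_FNA], 8))

def sia_predates_fna(record):  # any SIA time earlier than its FNA counterpart: look closer
    sia, fna = timestamps(record)
    return any(s < f for s, f in zip(sia, fna))
```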
NTFS
Attribute: $DATA
• It can be of any size, including 0 bytes.
• If the file is small (roughly under 600 bytes) when created, the data is stored inside the $MFT record; the file is called a resident file.
• When the file grows so large that it no longer fits in the $MFT record, it becomes non-resident and its data is written to clusters. A non-resident file never becomes resident again.
• When a file has more than one $DATA attribute, the additional attributes are sometimes referred to as alternate data streams (ADS).
• Additional $DATA attributes must have names and can also be used to hide data.
NTFS
[Comparison table; the column headings were lost in extraction]
244 bytes - 64 KB (implementation)
Max Volume Size: 4 GB; 32 GB (implementation) or 127.53 GB (on-disk format); 2^64 allocation units
NTFS
1) Quick Format
• The $Bitmap is cleared.
• A new $MFT is written to the same location as the previous $MFT if the volume size and cluster size remain the same.
• Most of the old $MFT records are still there, and the clusters were not cleared out.
NTFS
Condition 1:
If it is in the Recycle Bin
• Technically, the file is not deleted.
• Windows and other operating systems usually won't display deleted files.
NTFS
Condition 2:
If the pointer is still there
• FAT:
1) assume the file is contiguous,
2) jump according to the FAT allocation.
NTFS
Condition 3:
If the file entry is still there, but the first cluster is used by another existing file
• Such files are also called overwritten files and are normally not recoverable.
NTFS
Condition 4:
If the file entry is lost
• You don’t have any clues to find the location of the file.
• File carving…