File System Forensics
THINK BIG WE DO
URI http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics

NTFS Master File Table Attributes
Master File Table

$MFT
- Location and attributes for all files on partition
- Including other metafiles
- Each FILE record is usually 1024 bytes
- MFT Header - first 42 bytes
- Attributes - remaining bytes
- Each attribute has
  - a header (16 bytes)
  - location and size of content (8 or 56 bytes)
  - and content (size varies) - details of attribute
[Figure: NTFS partition layout - $BOOT, $MFT, $MFTMirr and the Data area, with $MFT records pointing to file Content]
[Figure: MFT File Record - MFT Header, followed by Attributes (each made of an Attr Header, a Loc/Size part and Content), followed by Unused Space]
MFT File Attributes

Hex    Dec  Attribute               Description
0x10   16   $STANDARD_INFORMATION   Timestamps, link counts, file type flags, owner
0x20   32   $ATTRIBUTE_LIST         Lists the location of all attribute records that do not fit in this MFT record
0x30   48   $FILE_NAME              File name (repeatable)
0x40   60   $OBJECT_ID              Unique identifier for the file (not common)
0x50   80   $SECURITY_DESCRIPTOR    Who owns the file and who can access it
0x80   128  $DATA                   Contains file data (repeatable)
MFT File Attributes (continued)

Hex    Dec  Attribute               Description
0x60   96   $VOLUME_NAME            Used in $VOLUME metafile. Volume label
0x70   112  $VOLUME_INFORMATION     Used in $VOLUME metafile. NTFS version & dirty flag
0x90   144  $INDEX_ROOT             INDX record - used to implement folders and indexes
0xA0   160  $INDEX_ALLOCATION       INDX record - used to implement folders and indexes
0xB0   176  $BITMAP                 Directory content mapping
0xC0   192  $REPARSE_POINT          Used for volume mount points and shortcuts
0xD0   208  $EA_INFORMATION         OS/2 compatibility extended attributes
0xE0   224  $EA                     OS/2 compatibility extended attributes
0x100  256  $EFS                    Logged utility data stream (used for EFS/encryption)
NTFS Attribute Header

Hex   Dec  Bytes  Description
0x00  0    4      Attribute Type Identifier
0x04  4    4      Length of Attribute (includes header)
0x08  8    1      Non-Resident Flag
0x09  9    1      Length of Name (only for ADS)
0x0A  10   2      Offset to Name (only for ADS)
0x0C  12   2      Flags (Compressed, Encrypted, Sparse)
0x1E  14   2      Attribute Identifier
Notes on the NTFS Attribute Header fields:
- Non-Resident Flag: 00 = content is resident, 01 = content is non-resident
- Attribute Type Identifier: for example $STANDARD_INFORMATION
- Length of Name / Offset to Name: the Alternate Data Stream name
- Size: length and offset of the content
- Attribute Flags: 0x0001 Compressed, 0x4000 Encrypted, 0x8000 Sparse
- Attribute ID: a counter
Attribute Location & Size: Resident Attribute

Hex   Dec  Bytes  Description
0x10  16   4      Length of Attribute Content
0x14  20   2      Offset to Attribute Content
0x16  22   1      Indexed
0x17  23   1      Padding
$STANDARD_ATTRIBUTE (0x10)

Hex   Dec  Bytes  Description
0x00  0    8      Creation Date and Time (UTC)
0x08  8    8      Last Modified Date and Time (UTC)
0x10  16   8      $MFT Modified Date and Time (UTC)
0x18  24   8      Last Accessed Date and Time (UTC)
0x20  32   4      Flags
0x24  36   4      Maximum Number of Versions
0x28  40   4      Version Number
0x2C  44   4      Class ID
0x30  48   4      Owner ID
0x34  52   4      Security ID
0x38  56   4      Quota Charged
0x40  64   8      Update Sequence Number
Flags (field at 0x20)

Hex     Description
0x0001  Read Only
0x0002  Hidden
0x0004  System File
0x0020  Archive
0x0040  Device File
0x0100  Temporary File
0x0200  Sparse
0x0400  Reparse Point
0x0800  Compressed
0x1000  Offline
0x2000  Not Indexed
0x4000  Encrypted
0x8000  Virtual
$FILE_NAME (0x30)

Hex   Dec  Bytes  Description
0x00  0    6      $MFT Record Number of Parent Directory
0x06  6    2      Sequence Number of the Parent Directory
0x08  8    8      Creation Date and Time (UTC)
0x10  16   8      Last Modified Date and Time (UTC)
0x18  24   8      $MFT Modified Date and Time (UTC)
0x20  32   8      Last Accessed Date and Time (UTC)
0x28  40   8      Allocated Size of the Index
0x30  48   8      Actual Size of the Index
0x38  56   4      Flags (same values as the Flags table above)
0x3C  60   4      Reparse Value
0x40  64   1      Filename Length in Characters
0x41  65   1      Filename Namespace (0=POSIX 1=Win32 2=DOS)
Example of one file carrying two $FILE_NAME attributes: MAINQU~2.QUE (DOS namespace, 8.3 form) and MainQueueOnline1.que (Win32 namespace).
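A worked parser for the structures in these slides, added here as an example and not part of the original lecture material: it walks the attribute area of an MFT record using the 16-byte attribute header and the resident location/size fields, then decodes $STANDARD_INFORMATION and $FILE_NAME (timestamps, flags, parent reference, namespace and name). The bytes it parses are a constructed sample, not taken from a real disk, and the MFT record header that precedes the attribute area is not parsed.

```python
import struct
from datetime import datetime, timedelta, timezone

STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FLAGS = {0x1: "Read Only", 0x2: "Hidden", 0x4: "System File", 0x20: "Archive", 0x800: "Compressed", 0x4000: "Encrypted"}
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS"}

def filetime_to_iso(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()
def decode_flags(flags):
    return [name for bit, name in FLAGS.items() if flags & bit]

def parse_attributes(area, off=0):
    """Walk an MFT record's attribute area, decoding resident $STANDARD_INFORMATION and $FILE_NAME."""
    found = []
    while off + 16 <= len(area) and struct.unpack_from("<I", area, off)[0] != END_MARKER:
        # 16-byte attribute header: type, length (incl. header), non-resident flag, name len/offset, flags, id
        atype, length, nonres, _, _, _, attr_id = struct.unpack_from("<IIBBHHH", area, off)
        if length < 24 or off + length > len(area):
            break  # malformed or truncated record: stop rather than read past the buffer
        if nonres == 0:  # resident: 4-byte content length and 2-byte content offset follow the header
            clen, coff = struct.unpack_from("<IH", area, off + 16)
            c = area[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:
                cr, mo, mf, ac, fl = struct.unpack_from("<QQQQI", c, 0)
                found.append({"type": "$STANDARD_INFORMATION", "id": attr_id, "created": filetime_to_iso(cr),
                              "modified": filetime_to_iso(mo), "mft_modified": filetime_to_iso(mf),
                              "accessed": filetime_to_iso(ac), "flags": decode_flags(fl)})
            elif atype == FILE_NAME:  # 8-byte parent reference = 6-byte record number + 2-byte sequence number
                parent, cr, mo, mf, ac, _, _, fl, _, nlen, ns = struct.unpack_from("<QQQQQQQIIBB", c, 0)
                found.append({"type": "$FILE_NAME", "id": attr_id, "parent_record": parent & 0xFFFFFFFFFFFF,
                              "parent_seq": parent >> 48, "created": filetime_to_iso(cr), "flags": decode_flags(fl),
                              "namespace": NAMESPACES.get(ns, ns), "name": c[66:66 + 2 * nlen].decode("utf-16-le")})
        off += length  # the length field leads to the next attribute header
    return found

# Constructed sample (not from a real disk): one $STANDARD_INFORMATION, one $FILE_NAME, then the end marker.
def _ft(y, m, d):  # FILETIME for midnight UTC on the given date
    return int((datetime(y, m, d, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
def _resident(atype, attr_id, content):  # wrap content in a resident attribute, 8-byte aligned
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, length, 0, 0, 0, 0, attr_id) + struct.pack("<IHBB", len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\0")
T = [_ft(2020, 1, d) for d in (1, 2, 2, 3)]  # created, modified, MFT modified, accessed
NAME = "MainQueueOnline1.que"
SAMPLE_AREA = (_resident(STANDARD_INFORMATION, 0, struct.pack("<QQQQI", *T, 0x4020) + b"\0" * 12)
               + _resident(FILE_NAME, 2, struct.pack("<QQQQQQQIIBB", (7 << 48) | 5, *T, 4096, 1200, 0x20, 0, len(NAME), 1)
                           + NAME.encode("utf-16-le"))
               + struct.pack("<I", END_MARKER))
```

Calling parse_attributes(SAMPLE_AREA) yields one $STANDARD_INFORMATION entry and one $FILE_NAME entry; a truncated area stops cleanly instead of reading past the buffer.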