Chapter Two – File Systems
CIS 4000
Intro. to Forensic Computing
David McDonald, Ph.D.
Learning Objectives
At the end of this section, you will be able to:
Explain the purpose and structure of file systems
Describe Microsoft file structures
Explain the structure of New Technology File System (NTFS) disks
List some options for decrypting drives encrypted with whole disk encryption
Explain how the Windows Registry works
File Systems
A file system (or file management system) is what the OS uses to organize and locate data stored on a hard disk.
It gives the OS a road map to the data on a disk.
A file system is a set of data types used for storage, hierarchical categorization, management, navigation, access, and recovery of data.
A file system can reside on storage devices such as hard disks, CD-ROMs or floppy disks.
Files can be accessed through a command line or a graphical user interface.
When you need to access a suspect's computer to acquire or inspect data, you should be familiar with the computer's platform.
Clusters – Preliminary Discussion (Exploring Microsoft File Structures)
A cluster is the smallest amount of space the operating system allocates to hold a file.
Storage is used more efficiently when the cluster size is small.
There is no default size for a cluster.
The cluster address allocated by the operating system is called the logical address.
Physical addresses are the addresses that exist at the firmware or hardware level.
System Partitioning (revisited)
A system partition stores the files used to boot (start) the computer.
The OS is installed on the system partition.
A boot partition is a volume of the computer that contains the system files used to start the OS.
Information about the files on the disk, their location, size and other important data is stored in the Master Boot Record (MBR).
Every disk has a Master Boot Record that contains information about the partitions on the disk (the partition table).
Partitioning Concerns
A hard disk drive is partitioned for effective storage management of data.
A partition is a logical part of the disk that holds data. Partitions are divided into:
Primary Partition: an OS can be installed on it; used when the computer starts to load the OS
Extended Partition: can be divided into additional logical drives
Windows looks for a primary partition to start the computer. This active partition contains the boot files used to start an operating system.
The inter-partition gap is unused or void space between the primary and the first logical partition (discussed later).
File System Functions
Tracks files across storage
Keeps track of allocated/unallocated sectors
Keeps track of bad sectors
Stores metadata (e.g. date & time stamps)
File Systems – Focus on Microsoft
Windows file systems
FAT (File Allocation Table)
16-bit file system developed for MS-DOS
Used in consumer versions of Microsoft Windows up to Windows Me
Considered relatively uncomplicated; became a popular format for devices such as floppy disks, USB devices, digital cameras and flash disks
FAT32
32-bit version of the FAT file system with storage capacity up to 2 GB
File Allocation Table (FAT)
FAT was originally developed for floppy disks (the table is written to the outermost track)
Stores filenames, directory names, date and time stamps, the starting cluster, and attributes (e.g. hidden, read-only, system)
Evolution
FAT 12: for floppy disks
FAT 16: MS-DOS, Windows 95 (early), WinNT 4.0, maximum capacity = 2.02 GB
FAT 32: Windows 95 ~ XP, maximum capacity = 2 terabytes
Examining FAT Disks
Figure: Sectors and Bytes per Cluster
Boot Sector
The boot sector is the first sector (512 bytes) of a FAT file system.
Examining FAT Disks
Figure: File slack space
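As an added example (not from the slides), here is how the boot-sector values discussed above turn into the cluster arithmetic a forensic tool performs: a 512-byte FAT16 boot sector is constructed, the geometry is parsed from it, a logical cluster number is mapped to a sector on the volume, and the slack left behind by a file is computed. The volume size, cluster size and sample file size are constructed values; the field offsets are the standard FAT12/16 BIOS Parameter Block layout.

```python
import struct

def build_fat16_boot_sector() -> bytes:
    """Constructed sample: a 16 MiB FAT16 volume, 512-byte sectors, 4 sectors per cluster."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"          # jump to bootstrap code
    bs[3:11] = b"MSWIN4.1"             # OEM name
    # BIOS Parameter Block fields, little-endian, starting at offset 0x0B
    struct.pack_into("<HBHBHHBH", bs, 11,
                     512,      # bytes per sector        (0x0B)
                     4,        # sectors per cluster     (0x0D)
                     1,        # reserved sectors        (0x0E) -> FAT #1 starts at sector 1
                     2,        # number of FAT copies    (0x10)
                     512,      # root directory entries  (0x11), 32 bytes each
                     32768,    # total sectors, 16-bit   (0x13)
                     0xF8,     # media descriptor        (0x15) = fixed disk
                     32)       # sectors per FAT         (0x16)
    bs[510:512] = b"\x55\xAA"          # boot sector signature
    return bytes(bs)

def parse_fat16_geometry(bs: bytes) -> dict:
    """Pull the values a forensic tool needs to walk the volume out of the first 512 bytes."""
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, nfats, root_entries,
     total16, _media, spf) = struct.unpack_from("<HBHBHHBH", bs, 11)
    total = total16 or struct.unpack_from("<I", bs, 32)[0]   # 32-bit count used when 16-bit is 0
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = reserved + nfats * spf + root_dir_sectors
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": bps * spc,
        "root_dir_start_sector": reserved + nfats * spf,
        "data_start_sector": data_start,
        "data_clusters": (total - data_start) // spc,
    }

def cluster_to_sector(geom: dict, cluster: int) -> int:
    """Map a logical cluster number to a sector on the volume; data clusters start at 2."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved FAT entries, not data")
    return geom["data_start_sector"] + (cluster - 2) * geom["sectors_per_cluster"]

def slack_bytes(geom: dict, file_size: int) -> int:
    """File slack: bytes between the end of the file content and the end of its last cluster."""
    cs = geom["cluster_size"]
    allocated = -(-file_size // cs) * cs       # round up to whole clusters
    return allocated - file_size
```

The sector returned by cluster_to_sector is relative to the start of the volume; add the partition's starting sector to get the address on the physical disk.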
Deleting FAT Files
■ The first byte of the filename in the FAT directory entry is set to hex E5
■ The FAT chain for that file is set to zero
■ Free (unallocated) disk space is incremented
■ The actual data remains on disk
■ It can be recovered with computer forensics tools
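An added example, not from the course material, that replays the deletion steps listed above on a constructed FAT16 fragment: the directory entry's first byte becomes E5, the FAT chain is zeroed, and the content stays in the data region, where a recovery routine can still carve it from the start cluster and size left in the entry. The 512-byte cluster, the 16-entry FAT and the sample file NOTES.TXT are constructed values.

```python
import struct

CLUSTER_SIZE = 512      # constructed volume: 1 sector per cluster, keeps the arithmetic short
DELETED = 0xE5          # first byte of a directory entry once the file is deleted

def make_dir_entry(name83: bytes, first_cluster: int, size: int) -> bytes:
    """32-byte FAT directory entry (8.3 name, attributes, first cluster, size)."""
    ent = bytearray(32)
    ent[0:11] = name83.ljust(11, b" ")               # 8 name chars + 3 extension chars
    ent[11] = 0x20                                    # ATTR_ARCHIVE
    struct.pack_into("<H", ent, 26, first_cluster)    # first cluster (FAT16: low 16 bits)
    struct.pack_into("<I", ent, 28, size)             # file size in bytes
    return bytes(ent)

def delete_fat_file(entry: bytearray, fat: bytearray) -> None:
    """What the OS does on delete: free the FAT chain and tag the entry; data clusters are untouched."""
    cluster = struct.unpack_from("<H", entry, 26)[0]
    while 2 <= cluster < 0xFFF8:                      # 0xFFF8..0xFFFF = end-of-chain markers
        nxt = struct.unpack_from("<H", fat, cluster * 2)[0]
        struct.pack_into("<H", fat, cluster * 2, 0)   # chain link zeroed = cluster now "free"
        cluster = nxt
    entry[0] = DELETED

def recover_deleted(entry: bytes, data_region: bytes):
    """Forensic view: the entry still holds start cluster and size, so contiguous content can be carved."""
    if entry[0] != DELETED:
        return None
    base = entry[1:8].decode("ascii").rstrip()        # first name character is lost
    ext = entry[8:11].decode("ascii").rstrip()
    name = "?" + base + ("." + ext if ext else "")
    first = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    start = (first - 2) * CLUSTER_SIZE                # cluster 2 is the first data cluster
    return name, bytes(data_region[start:start + size])

def demo():
    """Build a tiny constructed volume, write NOTES.TXT into clusters 3-4, then delete it."""
    fat = bytearray(2 * 16)                           # 16 FAT16 entries
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)   # reserved entries 0 and 1
    struct.pack_into("<HH", fat, 3 * 2, 4, 0xFFFF)    # chain: cluster 3 -> 4 -> end
    data = bytearray(CLUSTER_SIZE * 8)
    content = b"case notes: evidence item 17\n" * 25  # 725 bytes, spans two clusters
    data[CLUSTER_SIZE:CLUSTER_SIZE + len(content)] = content
    entry = bytearray(make_dir_entry(b"NOTES   TXT", 3, len(content)))
    delete_fat_file(entry, fat)
    return entry, fat, data, content
```

Recovery assumes the clusters were contiguous, which is why the zeroed chain is a loss: a fragmented deleted file cannot be reassembled from the entry alone.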
File Systems – Focus on Microsoft
■ NTFS (New Technology File System)
■ First introduced with Windows NT
■ Provides improvements over the FAT file system
■ Stores more information about a file
■ In NTFS, everything about a file, such as its name, creation date, access permissions and even its contents, is recorded as metadata
■ Stored in the Master File Table (MFT) as metadata
■ Reduces slack space
■ NTFS uses Unicode
NTFS Partition Boot Sector
When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.
The boot sector stores information about the file system and the location of the MFT.
The location of the MFT mirror file is also recorded in the boot sector.
NTFS Master File Table (MFT)
Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT).
NTFS reserves the first 16 records of the table for special information.
The first record of this table describes the master file table itself, followed by an MFT mirror record.
If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT.
The locations of the data segments for both the MFT and the MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk.
The third record of the MFT is the log file, used for file recovery.
The seventeenth and following records of the master file table are for each file and directory.
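An added example (not part of the slides) that locates $MFT and $MFTMirr from a constructed NTFS boot sector and reads records with the fallback the text describes: if a record's FILE signature in $MFT is damaged, the copy in the mirror is used. The cluster size, record size and LCN values are constructed; the boot-sector field offsets are the standard NTFS ones.

```python
import struct

def build_ntfs_boot_sector(spc: int = 8, mft_lcn: int = 4, mirr_lcn: int = 2) -> bytes:
    """Constructed NTFS boot sector: 512-byte sectors, 8 sectors (4 KiB) per cluster."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                         # jump to bootstrap code
    bs[3:11] = b"NTFS    "                            # OEM ID
    struct.pack_into("<HB", bs, 0x0B, 512, spc)       # bytes per sector, sectors per cluster
    struct.pack_into("<QQQ", bs, 0x28, 127, mft_lcn, mirr_lcn)  # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", bs, 0x40, -10)             # clusters per MFT record; negative => 2**10 bytes
    bs[510:512] = b"\x55\xAA"                         # boot signature
    return bytes(bs)

def parse_ntfs_boot_sector(bs: bytes) -> dict:
    """Recover cluster size and the byte offsets of $MFT and $MFTMirr from the boot sector."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    cpr = struct.unpack_from("<b", bs, 0x40)[0]
    cluster = bps * spc
    record_size = (1 << -cpr) if cpr < 0 else cpr * cluster
    return {"cluster_size": cluster, "record_size": record_size,
            "mft_offset": mft_lcn * cluster, "mirror_offset": mirr_lcn * cluster,
            "volume_bytes": total * bps}

def read_mft_record(image: bytes, geom: dict, n: int) -> bytes:
    """Read record n from $MFT; if its FILE signature is damaged, fall back to $MFTMirr (first records only)."""
    rs = geom["record_size"]
    for base in (geom["mft_offset"], geom["mirror_offset"]):
        rec = image[base + n * rs: base + (n + 1) * rs]
        if rec[:4] == b"FILE":
            return rec
    raise ValueError(f"MFT record {n} unreadable in both $MFT and $MFTMirr")

def build_image() -> bytearray:
    """64 KiB constructed volume image with four stub records in both $MFT and $MFTMirr."""
    bs = build_ntfs_boot_sector()
    geom = parse_ntfs_boot_sector(bs)
    img = bytearray(64 * 1024)
    img[0:512] = bs
    for base in (geom["mft_offset"], geom["mirror_offset"]):
        for i in range(4):                            # $MFT, $MFTMirr, $LogFile, $Volume
            rec = bytearray(geom["record_size"])
            rec[0:4] = b"FILE"
            struct.pack_into("<H", rec, 0x16, 1)      # flags: record in use
            struct.pack_into("<I", rec, 0x2C, i)      # record's own number (header field at 0x2C)
            img[base + i * len(rec): base + (i + 1) * len(rec)] = rec
    return img
```

On a real image the same parse is the first step of any MFT walk; a boot sector whose values point outside the volume is itself a finding worth noting.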
Figure: MFT Structure
NTFS Attributes
Every file has unique identifying attributes, such as:
Name
Security information
A file can also contain file system metadata within the file.
NTFS Compressed Files
■ Improves data storage
■ Files, folders, or an entire volume can be compressed
■ Files need to be decompressed when analyzing them
■ Advanced tools (e.g. EnCase) do this automatically
Deleting NTFS Files
On deletion from Windows Explorer, the file is moved to the Recycle Bin.
If the file is deleted from the command prompt, the Recycle Bin is bypassed; it can then be recovered only by using forensic tools.
When a file is deleted, the operating system performs the following tasks in NTFS:
The clusters are made available for new data
The file's MFT record is marked available
The list of links to the cluster locations is deleted
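As an added example that is not from the slides, this parses a constructed MFT record to show what the NTFS Attributes and Deleting NTFS Files slides imply for recovery: the in-use flag in the record header is cleared, but the $FILE_NAME and resident $DATA attributes remain until the record is reused. The record and attribute layouts are standard NTFS; the file name, content and record number are constructed values.

```python
import struct

IN_USE, IS_DIRECTORY = 0x01, 0x02                      # MFT record header flags (offset 0x16)
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def resident_attr(atype: int, content: bytes) -> bytes:
    """Unnamed resident attribute: 24-byte header, then content, padded to an 8-byte boundary."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + bytes(length - 24 - len(content))

def file_name_attr(name: str, real_size: int) -> bytes:
    """$FILE_NAME content: 66 fixed bytes (parent ref, timestamps, sizes, flags), then UTF-16LE name."""
    body = bytearray(66)
    struct.pack_into("<Q", body, 0, 5 | (5 << 48))      # parent = root directory (record 5)
    struct.pack_into("<QQ", body, 40, -(-real_size // 4096) * 4096, real_size)  # allocated, real
    body[64], body[65] = len(name), 1                   # name length (chars), Win32 namespace
    return resident_attr(0x30, bytes(body) + name.encode("utf-16-le"))

def build_mft_record(name: str, data: bytes, in_use: bool, record_no: int) -> bytes:
    """Constructed 1 KiB MFT record with a resident $FILE_NAME and a resident $DATA attribute."""
    attrs = file_name_attr(name, len(data)) + resident_attr(0x80, data) + b"\xFF" * 4 + bytes(4)
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, IN_USE if in_use else 0)  # seq, links, attr offset, flags
    struct.pack_into("<II", rec, 0x18, 0x38 + len(attrs), 1024)                # used size, allocated size
    struct.pack_into("<I", rec, 0x2C, record_no)
    rec[0x38:0x38 + len(attrs)] = attrs
    return bytes(rec)

def parse_mft_record(rec: bytes) -> dict:
    """Walk the attribute list; a deleted file keeps its name and resident data, only the flag changes."""
    if rec[:4] != b"FILE":
        raise ValueError("bad MFT record signature")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & IN_USE), "directory": bool(flags & IS_DIRECTORY),
            "attributes": [], "name": None, "data": None}
    pos = first_attr
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, length, nonres = struct.unpack_from("<IIB", rec, pos)
        clen, coff = struct.unpack_from("<IH", rec, pos + 16)
        content = rec[pos + coff: pos + coff + clen]
        info["attributes"].append(ATTR_NAMES.get(atype, hex(atype)))
        if atype == 0x30:
            info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        elif atype == 0x80 and not nonres:               # non-resident $DATA lives in clusters, not here
            info["data"] = bytes(content)
        pos += length
    return info
```

For a non-resident $DATA attribute the record holds only cluster runs, so after deletion the content must be read from clusters that may already have been reallocated.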
Exploring Microsoft File Structures: FAT vs. NTFS

FAT:  A table which tracks all the system storage changes.
NTFS: The latest file system, developed specially for Windows 2000.

FAT:  Versions available are FAT12, FAT16, FAT32.
NTFS: NTFS is the only version.

FAT:  Supported in all versions of the Windows operating system.
NTFS: Supported by all operating systems after Windows 2000.

FAT:  Doesn't support long file names.
NTFS: Supports long file names.

FAT:  Doesn't support extremely large storage media.
NTFS: Supports extremely large storage media.
File Systems – Other
Mac OS X file systems
HFS (Hierarchical File System): developed by Apple Computer to support the Mac operating system
Traditionally used on floppy and hard disks, but now also used on CD-ROMs
UFS (UNIX file system): derived from the Berkeley Fast File System (FFS), which was originally developed at Bell Laboratories from the first version of the UNIX file system
All BSD UNIX derivatives, including FreeBSD, NetBSD, OpenBSD, NeXTStep, and Solaris, use a variant of UFS
Acts as a substitute for HFS in Mac OS X