Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Published byAntonia Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems

2 Chapter Topics: File Systems vs Operating Systems Understanding FAT File Systems Understanding NTFS File Systems Understanding exFAT File Systems Dealing with Alternate Data Streams

3 File Systems vs Operating Systems Operating system responsible for carrying out the basic tasks of the computer O/S types: –Microsoft Windows –Unix –Linux –Mac OS X

4 File Systems vs Operating Systems File system is the system or method of storing & retrieving data on a computer File system types: –FAT (12, 16, 32) –NTFS –exFAT –HFS –HFS+ –Ext2 –Ext3 –ISO 9660 –UDF –UFS

5 Windows Operating System Uses FAT, exFAT and NTFS file systems FAT is ideal cross-platform file system as nearly all operating systems can reliably read it and write to it

6 Minimal Functions of any File System Track the name of the file (or directory). Track the starting point where the file starts. Track the length of the file along with other file metadata, such as timestamps. Track the clusters used by the file (cluster runs). Track which allocations units (clusters) are allocated and which ones are not.

7 FAT File System Major components –FAT (File Allocation Table) Tracks clusters used by the file Tracks which allocation units (clusters) are allocated and which are not –32 byte FAT directory entry Tracks the name of the file (or directory) Track the starting point where the file starts Track the length of the file along with other file metadata, such as timestamps

8 FAT 32 Directory Entry B YTE O FFSET (D ECIMAL ) D ESCRIPTION 0First Character of Filename or Status Byte 1 - 7Characters 2 - 8 of Filename 8 -103 Characters of File Extension 11Attributes (Detailed in Table 7.6) 12 -13Reserved 14 -17Created time and date of file. Stored as MS-DOS 32-bit date / time stamp 18 -19Last Accessed date—no time! 20 - 21Two high bytes of FAT32 starting cluster.FAT12/16 will have zeros 22 - 25Last Written time and date of file. Stored as MS-DOS 32- bit date / time stamp 26 - 27Starting cluster for FAT12/16—two low bytes of starting cluster for FAT32 28 - 31Size in bytes of file (32-bit integer). Note: Will be 0 for directories!

9 NTFS File System Major Components –Cluster bitmap ($Bitmap) Tracks allocation status of all clusters in partition –Master File Table ($MFT) Tracks clusters used by the file Tracks the name of the file (or directory) Track the starting point where the file starts Track the length of the file along with other file metadata, such as timestamps

10 NTFS System Files MFT R ECORD # F ILENAME D ESCRIPTION 0$MFTMaster File Table – Each MFT record is 1,024 bytes in length 1$MFTMirrContains a backup copy of the first four entries of the MFT 2$LogFileJournal file that contains file metadata transactions used for system recovery and file integrity 3$VolumeNTFS Version and Volume Label and Identifier 4$AttrDefAttribute Information 5$.Root directory of file system 6$BitmapTracks allocation status of all clusters in partition 7$BootContains partition boot sector and boot code 8$BadClusBad clusters on partition are tracked with this file 9$SecureContains file permissions and access control settings for file security 10$UpCaseConverts lower case characters in Unicode by storing an uppercase version of all Unicode characters in this file 11$ExtendA directory reserved for options extensions

11 Alternate Data Streams (ADS) MFT entry can have more than one $DATA attribute If more than one $DATA attribute exists, they are called ADS Invisible to user, even to administrator Can hold hidden data / malicious code Always examine for ADS using tools such as streams.exe, EnCase, etc

12 exFAT File System Most recently supported file system Theoretical volume size of 64 ZB Uses a file allocation table Incorporates a cluster bitmap Times recorded for modified, accessed and created timestamps with UTC support

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems."

Similar presentations

NTFS - The workhorse file system for the Windows Platform

NTFS - The workhorse file system for the Windows Platform
COMP091 – Operating Systems 1

COMP091 – Operating Systems 1
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
NTFS MFT Example COEN 152 / 252. MFT Table Entry.

NTFS MFT Example COEN 152 / 252. MFT Table Entry.
File Systems Examples.

File Systems Examples.
Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.

Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
Operating Systems File systems

Operating Systems File systems
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Metadata Files Excellent reference:

Metadata Files Excellent reference:
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.

Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.
Tasks Necessary for Setting Up a Hard Disk Initializing the disk with basic or dynamic storage type Creating partitions on basic disks or volumes on dynamic.

Tasks Necessary for Setting Up a Hard Disk Initializing the disk with basic or dynamic storage type Creating partitions on basic disks or volumes on dynamic.
MCSE Guide to Microsoft Windows 7 Chapter 5 Managing File Systems.

MCSE Guide to Microsoft Windows 7 Chapter 5 Managing File Systems.
New Technologies File System

New Technologies File System

Similar presentations

Ads by Google