Computer Forensics NTFS File System.

MBR and GPT Disks
MBR disks for 32-bit x86-compatibles; GPT disks for 64-bit Itanium processors.
GPT disks start with an MBR in order to maintain compatibility: that MBR has a single partition, with a partition table entry type of 0xEE.

NTFS Architecture

NTFS Boot Sector
0x00   3B    Jump instruction
0x03   8B    OEM ID
0x0B   25B   BPB
0x24   48B   Extended BPB
0x54   426B  Bootstrap code
0x1FE  2B    End-of-sector marker

NTFS Boot Sector
Many fields are not important, but:
0x0B  Bytes per sector
0x0D  Sectors per cluster
0x15  Media descriptor (F8: hard disk; F0: high-density floppy)
0x28  Total sectors
0x30  Logical cluster number of the MFT
0x38  Logical cluster number of the MFT copy
0x40  Clusters per MFT record
0x48  Volume serial number

NTFS BPB
8 sectors per cluster.
Total number of sectors: 0x94EAFF7.
MFT starts at cluster 0xC7E9 = 819177 LBA within the partition; add 80,325 (the partition's starting sector) to find the physical address.
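As an added example (not from the slides), a Python parser for the boot sector fields listed above that also carries out the cluster-to-LBA conversion. It assumes 512-byte sectors and the slide's BPB values (8 sectors per cluster, 0x94EAFF7 total sectors, MFT at cluster 0xC7E9, partition start LBA 80,325); the volume serial, the $MftMirr location and the jump bytes in the sample sector are constructed.

```python
import struct

OEM_ID = b"NTFS    "  # offset 0x03, 8 bytes; field offsets follow the slide's layout

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Return the forensically useful BPB / extended BPB fields of an NTFS boot sector."""
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("end-of-sector marker 0x55AA missing")
    if sector[0x03:0x0B] != OEM_ID:
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    media_descriptor = sector[0x15]              # 0xF8 hard disk, 0xF0 floppy
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
    mftmirr_lcn = struct.unpack_from("<Q", sector, 0x38)[0]
    # 0x40 is a signed byte: a negative value n means each MFT record is 2**(-n)
    # bytes (the common case, 0xF6 -> 1024 bytes); a positive value is a cluster count.
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    if clusters_per_record < 0:
        mft_record_size = 1 << (-clusters_per_record)
    else:
        mft_record_size = clusters_per_record * sectors_per_cluster * bytes_per_sector
    volume_serial = struct.unpack_from("<Q", sector, 0x48)[0]
    if mft_lcn * sectors_per_cluster >= total_sectors:
        raise ValueError("MFT cluster lies outside the volume; boot sector is corrupt")
    return dict(bytes_per_sector=bytes_per_sector, sectors_per_cluster=sectors_per_cluster,
                media_descriptor=media_descriptor, total_sectors=total_sectors,
                mft_lcn=mft_lcn, mftmirr_lcn=mftmirr_lcn,
                mft_record_size=mft_record_size, volume_serial=volume_serial)

def mft_physical_lba(fields: dict, partition_start_lba: int) -> int:
    # cluster number -> sector offset within the partition -> absolute sector on the disk
    return partition_start_lba + fields["mft_lcn"] * fields["sectors_per_cluster"]

def build_sample_boot_sector() -> bytes:
    """Constructed sample sector using the slide's BPB values; serial and mirror LCN are made up."""
    sector = bytearray(512)
    sector[0x00:0x03] = b"\xEB\x52\x90"           # jump instruction (constructed)
    sector[0x03:0x0B] = OEM_ID
    struct.pack_into("<H", sector, 0x0B, 512)     # bytes per sector
    sector[0x0D] = 8                              # sectors per cluster (slide value)
    sector[0x15] = 0xF8                           # media descriptor: hard disk
    struct.pack_into("<Q", sector, 0x28, 0x94EAFF7)  # total sectors (slide value)
    struct.pack_into("<Q", sector, 0x30, 0xC7E9)     # MFT LCN (slide value)
    struct.pack_into("<Q", sector, 0x38, 0x2)        # $MftMirr LCN (constructed)
    sector[0x40] = 0xF6                              # -10 -> 1 KB MFT records
    struct.pack_into("<Q", sector, 0x48, 0x1234567890ABCDEF)  # serial (constructed)
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)
```

Running the parser over the sample and calling mft_physical_lba(fields, 80325) gives the absolute sector of the MFT; comparing that against what a carving tool reports is a quick sanity check on a suspect boot sector.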

NTFS Master File Table
The first four entries are replicated so that the MFT can be repaired.
The first 16 records are reserved for metadata files, whose names begin with a dollar sign ($).

NTFS Master File Table
Master file table: $MFT
Master file table mirror: $MftMirr
Log file: $LogFile
Volume: $Volume
Attribute definitions: $AttrDef
The root folder: "."
Cluster bitmap: $Bitmap
Boot sector: $Boot
Bad cluster file: $BadClus
Security file: $Secure
Upcase table: $Upcase
NTFS extension file: $Extend, reserved for future use.

MFT Records
Entries are 1KB each.
Entries contain file attributes, location, and data.

MFT Records
Small files (<900B) are contained completely in the MFT entry.

MFT Records
Folders contain index data. Small folders reside within the MFT record; larger folders have an index structure pointing to other data blocks, organized as a B-tree.

NTFS Versions
As the file system improves, the disk layout changes.