FILE SYSTEM ANALYSIS Dr Fudong Li

FILE SYSTEM ANALYSIS
Dr Fudong Li, School of Computing, Electronics & Mathematics, Plymouth University, United Kingdom

Session Content
- Introduction to File Systems
- New Technology File System (NTFS)
- Conclusions

Introduction to File Systems

File Systems
A file system is the underlying structure that a computer uses to organise data on a hard disk. It:
- provides data storage and retrieval
- associates names with data files
- organises files into parent directories
- stores file attributes (metadata), such as Modify, Access, Creation (MAC) times, size and permissions
- maintains lists of unallocated data units
Examples: FAT32, NTFS, HFS+, ext2…
Different file systems have various features (e.g. maximum file size, security controls).

File System Behaviours
File operations: create, delete, open, close, read, write, rename, and change attributes.
File (and directory) attributes: name, content, size, file type, permissions, MAC times, author information, encryption, EXIF…
The relationship between file systems and digital forensics:
- File content: the most reliable evidence
- Name: gives an indication of what the file is about
- MAC times: timeline analysis
- File operations: slack space analysis, data carving

File Creation
When a new file is created or an existing file is made larger, the operating system searches for an unallocated data unit and allocates it to the file.
- A data unit (data block): sectors and clusters
- The state of a data unit: allocated or unallocated
- Allocation strategies: first available, next available, or best fit

Data Unit
A sector is the smallest addressable storage unit on the hard disk, typically 512 bytes. The optimal way of storing a file is in a contiguous series of sectors; a 600-byte file requires 2 sectors.
A cluster is the smallest unit at the operating system level and consists of one or more consecutive sectors. The number of sectors in one cluster is always a power of 2, hence 1, 2, 4, 8… This allocation unit is used to protect the stored data from being over-written.

Bitmap
A bitmap is a data structure that has a bit for each cluster on the hard disc: 1 means the cluster is allocated, 0 means the cluster is unallocated.
Pros: simple, fast allocation check, fast deletion, fixed cost, low storage overhead (0.003% for NTFS)
Cons: wasteful on larger disks, poor scalability, disk fragmentation

Content Allocation Strategies
A first available strategy searches for an available cluster starting with the first cluster in the file system. A similar strategy is next available, which starts its search with the cluster that was most recently allocated instead of at the beginning. A best fit strategy searches for consecutive clusters that fit the needed amount of data.

Content Allocation Scenario
Creating a file of size 2 clusters; the last allocated cluster ID is 2. What are the cluster IDs for the file content when using first available, next available and best fit?
- First available: clusters 1 and 3
- Next available: clusters 3 and 5
- Best fit: clusters 5 and 6
The non-consecutive choices cause file fragmentation.
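The three strategies implemented over a bitmap, as an added example (not code from the slides). The bitmap is constructed so that clusters 0, 2 and 4 are in use and cluster 2 was the most recent allocation, which reproduces the slide's answers.

```python
"""Cluster allocation strategies over a bitmap, reproducing the slide's scenario (added example)."""

def first_available(bitmap, n):
    """First available: the n lowest-numbered free clusters, scanning from cluster 0."""
    free = [i for i, bit in enumerate(bitmap) if bit == 0]
    return free[:n] if len(free) >= n else None

def next_available(bitmap, n, last_allocated):
    """Next available: scan from the cluster after the most recently allocated one (wrapping round)."""
    size = len(bitmap)
    order = [(last_allocated + 1 + k) % size for k in range(size)]
    free = [i for i in order if bitmap[i] == 0]
    return free[:n] if len(free) >= n else None

def best_fit(bitmap, n):
    """Best fit: the smallest run of consecutive free clusters that still holds n clusters."""
    best = None
    i = 0
    while i < len(bitmap):
        if bitmap[i] != 0:
            i += 1
            continue
        start = i
        while i < len(bitmap) and bitmap[i] == 0:
            i += 1
        run = i - start
        if run >= n and (best is None or run < best[1]):
            best = (start, run)
    return list(range(best[0], best[0] + n)) if best else None

def is_fragmented(clusters):
    """A file is fragmented when its clusters do not form one consecutive run."""
    return any(b != a + 1 for a, b in zip(clusters, clusters[1:]))

def allocate(bitmap, clusters):
    """Mark the chosen clusters as in use (bit = 1); returns a new bitmap, the input is untouched."""
    new = list(bitmap)
    for c in clusters:
        if new[c] != 0:
            raise ValueError(f"cluster {c} is already allocated")
        new[c] = 1
    return new

# Constructed bitmap matching the slide: clusters 0, 2 and 4 in use, cluster 2 allocated most recently.
SLIDE_BITMAP = [1, 0, 1, 0, 1, 0, 0, 0]
LAST_ALLOCATED = 2
```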

Slack Space (1)
Slack space occurs when the size of a file is not a multiple of the cluster size.
- RAM slack is the area from the end of the file to the end of that sector. Under DOS and early versions of Windows the data used to pad it came directly from RAM; more typically it is filled with zeros.
- File slack is the area from the end of the RAM slack to the end of the cluster. It is typically not changed, leaving the prior contents still present.
Clusters: fixed-length blocks of data (1-128 sectors) in which DOS/Windows computers store files. Clusters are made up of sectors.
Sectors: the smallest unit of storage. Sectors are composed of bits; a regular disk sector is 512 bytes.
[Figure: a cluster divided into file content, RAM slack and file slack]

Slack Space (2)
The default for NTFS is 8 sectors per cluster. What happens when this setting is changed?
- Allocation unit 512: 1 cluster contains 1 sector
- Allocation unit 64k: 1 cluster contains 128 sectors
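The sector/cluster arithmetic from the Data Unit and Slack Space slides, as an added example (not from the slides). It computes how much RAM slack and file slack a file leaves for the three allocation units above, and splits a constructed 4 KB cluster into content, RAM slack and the file slack in which an earlier file's bytes survive.

```python
"""Sector/cluster arithmetic and slack-space layout for a file (added example, constructed data)."""
from math import ceil

SECTOR = 512  # bytes; the regular sector size quoted on the slides

def sectors_needed(file_size, sector_size=SECTOR):
    """Whole sectors a file of file_size bytes occupies (a 600-byte file needs 2)."""
    return ceil(file_size / sector_size)

def slack_layout(file_size, sectors_per_cluster, sector_size=SECTOR):
    """Clusters used and the RAM slack / file slack left in the last cluster."""
    cluster_size = sectors_per_cluster * sector_size
    clusters = ceil(file_size / cluster_size)
    used_sectors = sectors_needed(file_size, sector_size)
    ram_slack = used_sectors * sector_size - file_size                 # end of data to end of sector
    file_slack = clusters * cluster_size - used_sectors * sector_size  # unused sectors of last cluster
    return {"clusters": clusters, "ram_slack": ram_slack, "file_slack": file_slack}

def split_last_cluster(raw_cluster, bytes_used, sector_size=SECTOR):
    """Split the raw bytes of a file's final cluster into (content, RAM slack, file slack).

    bytes_used is how much of this cluster the file occupies (file_size % cluster_size for a
    multi-cluster file); the file slack is where the previous occupant's bytes survive.
    """
    sector_end = sectors_needed(bytes_used, sector_size) * sector_size
    return raw_cluster[:bytes_used], raw_cluster[bytes_used:sector_end], raw_cluster[sector_end:]

# Constructed sample: a 4096-byte cluster (8 sectors) that previously held another file ...
OLD_CONTENT = (b"OLD-FILE-" * 456)[:4096]
# ... and now holds a 600-byte file: data in bytes 0..599, zeros to the end of sector 2,
# sectors 3..8 never rewritten, so the old bytes are still there.
NEW_FILE = b"N" * 600
CLUSTER = NEW_FILE + b"\x00" * (1024 - 600) + OLD_CONTENT[1024:]

if __name__ == "__main__":
    for spc in (1, 8, 128):  # allocation unit 512 bytes, the NTFS default 4 KB, and 64 KB
        print(f"{spc:3d} sectors/cluster: {slack_layout(600, spc)}")
    content, ram, file_slack = split_last_cluster(CLUSTER, 600)
    print(len(content), len(ram), len(file_slack), file_slack[:18])
```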

NTFS

NTFS – Overview
NTFS is a proprietary file system developed by Microsoft in 1993; it is the default file system of the Windows NT family.
Notable features of NTFS:
- Security: using an Access Control List (ACL), an administrator controls who can access specific files
- B-tree: faster file look-up times
- Support for large file sizes: up to 16-billion-byte files
- Journaling: records metadata changes to the partition
- Encryption: the Encrypting File System (EFS) provides strong and user-transparent encryption of any file or folder on an NTFS volume

NTFS - Architecture
Source: NTFS Technical Reference – How NTFS works, https://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx

Master Boot Record
The Master Boot Record is a special type of boot sector at the very beginning of partitioned computer storage devices. It contains executable code that the system BIOS loads into memory; the code scans the MBR to find the partition table and determine which partition is active (bootable). Boot signature: 0x55AA.
Each entry in the partition table:
- 1st byte: 0x80 bootable/active, 0x00 inactive
- bytes 2-4: Cylinder-Head-Sector (CHS) address of the first absolute sector in the partition
- 5th byte: partition type (0x07 = NTFS)
- bytes 6-8: CHS address of the last absolute sector in the partition
- bytes 9-12: Logical Block Address (LBA) of the first absolute sector in the partition, e.g. hex 0x0800 = 2048 (decimal)

Organization of an NTFS Partition
- NTFS Boot Sector: contains the BIOS parameter block that stores information about the layout of the volume and the file system structures
- Master File Table: contains the information necessary to retrieve files from the NTFS partition, such as the attributes of a file
- File System Data: stores data that is not contained within the Master File Table
- Master File Table Copy: includes copies of the records essential for the recovery of the file system if there is a problem with the original copy

NTFS Boot Sector
Fields labelled in the slide's hex dump:
- OEM ID: the original equipment manufacturer identification
- Sectors Per Cluster (e.g. 8)
- 0x30: Logical Cluster Number for the file $MFT
- 0x38: Logical Cluster Number for the file $MFTMirr
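Putting the MBR and boot sector slides together, as an added example (not the slides' code): parse a partition-table entry, parse the NTFS boot sector, and compute where $MFT sits in a whole-disk image. The entry and boot sector are constructed here, not taken from a real disk; the bytes-per-sector (0x0B) and sectors-per-cluster (0x0D) offsets and the partition entry's sector count are the standard layout, not labelled on the slides.

```python
"""Locate $MFT from an MBR partition entry and the NTFS boot sector (added example, constructed data)."""
import struct

def parse_partition_entry(entry):
    """Decode one 16-byte MBR partition-table entry (status, CHS, type, CHS, LBA start, sectors)."""
    if len(entry) != 16:
        raise ValueError("partition entry must be 16 bytes")
    status, chs_first, ptype, chs_last, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80,     # 0x80 active/bootable, 0x00 inactive
            "type": ptype,                  # 0x07 = NTFS
            "lba_start": lba_start,         # first absolute sector of the partition
            "sector_count": sectors}

def parse_ntfs_boot_sector(sector):
    """Read the BIOS parameter block fields that describe the volume layout."""
    if sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector (OEM ID mismatch)")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", sector, 0x30)  # 0x30 $MFT, 0x38 $MFTMirr
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn}

def mft_byte_offset(partition, boot):
    """Absolute byte offset of $MFT in a whole-disk image: partition start + LCN * cluster size."""
    cluster_bytes = boot["sectors_per_cluster"] * boot["bytes_per_sector"]
    return partition["lba_start"] * boot["bytes_per_sector"] + boot["mft_lcn"] * cluster_bytes

# Constructed sample values, not from a real disk: a bootable NTFS partition at LBA 0x800 (2048),
# 512-byte sectors, 8 sectors per cluster, $MFT at cluster 786432 and $MFTMirr at cluster 2.
ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
BOOT = bytearray(512)
BOOT[3:11] = b"NTFS    "
struct.pack_into("<H", BOOT, 0x0B, 512)
BOOT[0x0D] = 8
struct.pack_into("<QQ", BOOT, 0x30, 786432, 2)
BOOT[510:512] = b"\x55\xaa"

if __name__ == "__main__":
    part = parse_partition_entry(ENTRY)
    boot = parse_ntfs_boot_sector(bytes(BOOT))
    print(part, boot, hex(mft_byte_offset(part, boot)))
```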

Master File Table
- Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT)
- The starting location of the MFT is given in the boot sector; 12.5% of the space is allocated to it but only used when necessary
- Each entry is 1024 bytes (1 KB)
- Only the first 42 bytes are defined, containing 12 fields; the rest are allocated to the various attributes
- The first field is the signature, whose standard value is FILE

MFT Metadata Files
Entry  Filename   Description
0      $MFT       The entry for the MFT itself
1      $MFTMirr   Backup of the MFT
2      $LogFile   Journal containing records of metadata transactions
3      $Volume    Volume information
4      $AttrDef   Attribute information (identifier values, name)
5      .          Root directory of the file system
6      $Bitmap    Allocation status of each cluster in the file system
7      $Boot      Boot sector and boot code for the file system
8      $BadClus   Clusters that have bad sectors
9      $Secure    Security and access control for the files
10     $Upcase    Contains the uppercase version of every Unicode character
11     $Extend    Directory containing files for optional extensions

MFT Entry Attribute Concepts
- NTFS exists to read attributes, not files; files are simply one of the attributes
- Attributes consist of a header and content
- Content: resident and non-resident attributes
[Figure: an MFT entry laid out as attribute header, attribute content, free space]

MFT Entry Attribute Types
Type ID  Name                    Description
16       $STANDARD_INFORMATION   General information: MAC times, owner, security ID
32       $ATTRIBUTE_LIST         List of attributes and locations
48       $FILE_NAME              File name
80       $SECURITY_DESCRIPTOR    Access control and security properties
128      $DATA                   File contents
144      $INDEX_ROOT             Root node of an index tree
160      $INDEX_ALLOCATION       Nodes of an index tree rooted in $INDEX_ROOT
176      $BITMAP                 A bitmap for the MFT file/indexes
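Walking the attributes of an MFT entry, as an added example (not the slides' code, and not a complete NTFS parser): it checks the FILE signature, reads the in-use flag and the first-attribute offset from the entry header, and follows the attribute chain using the type IDs above until the end marker. The entry is constructed and simplified (the $FILE_NAME content is just the name; no update-sequence/fixup array); the header and attribute-header offsets are standard NTFS layout that the slides do not list.

```python
"""Walk the attributes of a resident MFT entry (added example; constructed entry, not a real volume)."""
import struct

ATTR_NAMES = {16: "$STANDARD_INFORMATION", 32: "$ATTRIBUTE_LIST", 48: "$FILE_NAME",
              80: "$SECURITY_DESCRIPTOR", 128: "$DATA", 144: "$INDEX_ROOT",
              160: "$INDEX_ALLOCATION", 176: "$BITMAP"}
END_MARKER = 0xFFFFFFFF
ENTRY_SIZE = 1024

def resident_attribute(type_id, content):
    """Build a resident attribute: 24-byte header (type, length, non-resident=0, ...) + content."""
    length = (24 + len(content) + 7) // 8 * 8                           # lengths are 8-byte aligned
    header = struct.pack("<IIBBHHH", type_id, length, 0, 0, 24, 0, 0)  # resident, unnamed
    header += struct.pack("<IHH", len(content), 24, 0)                  # content size, content offset
    return header + content + b"\x00" * (length - 24 - len(content))

def parse_mft_entry(entry):
    """Check the FILE signature, then collect (type_id, name, content) for each attribute."""
    if entry[0:4] != b"FILE":
        raise ValueError("bad MFT entry signature")
    first_attr, flags = struct.unpack_from("<HH", entry, 0x14)  # flags bit 0 = in use, bit 1 = dir
    off, attrs = first_attr, []
    while off + 4 <= len(entry):
        type_id, = struct.unpack_from("<I", entry, off)
        if type_id == END_MARKER:
            break
        length, nonres = struct.unpack_from("<IB", entry, off + 4)
        if length == 0:
            raise ValueError("zero-length attribute")            # would otherwise loop forever
        if nonres == 0:
            size, coff = struct.unpack_from("<IH", entry, off + 16)
            content = entry[off + coff: off + coff + size]
        else:
            content = None  # non-resident: content lives in clusters described by a run list
        attrs.append((type_id, ATTR_NAMES.get(type_id, "unknown"), content))
        off += length
    return {"in_use": bool(flags & 1), "attributes": attrs}

def build_sample_entry():
    """Constructed 1 KB entry: FILE signature, in-use flag, first attribute at 0x38, three attributes."""
    body = (resident_attribute(16, b"\x00" * 48)                        # $STANDARD_INFORMATION stub
            + resident_attribute(48, "file1.dat".encode("utf-16-le"))  # $FILE_NAME (name only)
            + resident_attribute(128, b"hello, resident data")          # small $DATA kept resident
            + struct.pack("<I", END_MARKER))
    header = bytearray(0x38)
    header[0:4] = b"FILE"
    struct.pack_into("<HH", header, 0x14, 0x38, 0x01)                   # first attr offset, in use
    struct.pack_into("<II", header, 0x18, 0x38 + len(body), ENTRY_SIZE) # used size, allocated size
    return bytes(header) + body + b"\x00" * (ENTRY_SIZE - 0x38 - len(body))
```

Real entries protect each sector with an update sequence array that must be applied before the attribute chain is read; that step is omitted here.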

B-Tree Sorting
A B-tree is a method of placing and locating files in a file system. It minimises the number of times a medium must be accessed to locate a desired record, hence speeding up the process.
[Figure: B-tree example with keys 20, 10, 30, 5, 11]

File Allocation
Creating a file c:\dir1\file1.dat: file size 4,000 bytes and each cluster is 2,048 bytes.
- Read the first sector of the file system, the boot sector, to determine the cluster size, the starting address of the MFT and the size of each MFT entry.
- Read the first entry of the MFT to determine the layout of the rest of the MFT (stored in its $DATA attribute).
- Allocate an MFT entry for the new file: process the $BITMAP attribute of the $MFT file. The first free entry (304) is allocated to the new file and the corresponding bit is set to 1.

File Allocation
- Initialise MFT entry 304 by seeking to its location in the MFT and clearing its contents. The $STANDARD_INFORMATION and $FILE_NAME attributes are created, with their times set to the current time. The in-use flag is set in the MFT entry header.
- Using the $DATA attribute of the $Bitmap file, which is MFT entry 6, allocate two consecutive clusters; the corresponding bits for the clusters are set to 1.
- The file content is written to the clusters and the $DATA attribute is updated with the cluster addresses. The MFT-entry-modified and file-modified times are updated.

File Allocation
- Add a file name entry. The root directory, in MFT entry 5, is processed to locate dir1: read its $INDEX_ROOT and $INDEX_ALLOCATION attributes and traverse the sorted tree. dir1 is found and its MFT entry is 200; the last accessed time of the root directory is updated.
- Seek to MFT entry 200 and process its $INDEX_ROOT attribute to find where file1.dat should go. A new index entry is created for it and the tree is re-sorted. The new index entry has MFT entry 304 in its file reference address, and its times and flags are set appropriately.
- The last written, modified and accessed times are updated for the directory.
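The file-creation steps above, simulated over a toy model of the volume as an added example (not the slides' code and not real NTFS structures): the MFT bitmap, the cluster bitmap, the per-entry attributes and a sorted directory index are plain Python containers, constructed so that entry 304 is the first free MFT entry and dir1 is entry 200. The point is which structures change, and in what order, when one file is created.

```python
"""Simulated NTFS file creation following the slides' steps (added example; toy model, not NTFS code)."""
from bisect import insort

CLUSTER_SIZE = 2048  # bytes, as in the slides' scenario

def first_free(bitmap):
    """First available entry: index of the lowest 0 bit."""
    return bitmap.index(0)

def first_free_run(bitmap, n):
    """Start of the first run of n consecutive free clusters, or None if no such run exists."""
    for start in range(len(bitmap) - n + 1):
        if all(bit == 0 for bit in bitmap[start:start + n]):
            return start
    return None

def create_file(vol, parent_entry, name, size, now):
    """Allocate an MFT entry, data clusters and a directory index entry; return the new entry number.

    vol holds 'mft_bitmap' ($MFT's $BITMAP), 'cluster_bitmap' ($Bitmap's $DATA), 'entries'
    (MFT entry number -> attributes) and 'index' (directory entry number -> sorted [(name, ref)]).
    """
    entry = first_free(vol["mft_bitmap"])             # first free MFT entry, bit set to 1
    vol["mft_bitmap"][entry] = 1
    n = -(-size // CLUSTER_SIZE)                       # clusters needed = ceil(size / cluster size)
    start = first_free_run(vol["cluster_bitmap"], n)   # consecutive clusters from $Bitmap
    if start is None:
        vol["mft_bitmap"][entry] = 0                   # undo the entry allocation if there is no room
        raise OSError("no run of %d free clusters" % n)
    clusters = list(range(start, start + n))
    for c in clusters:
        vol["cluster_bitmap"][c] = 1
    vol["entries"][entry] = {                          # initialise the entry and set the in-use flag
        "in_use": True,
        "$STANDARD_INFORMATION": {"created": now, "modified": now, "mft_modified": now, "accessed": now},
        "$FILE_NAME": name,
        "$DATA": {"size": size, "clusters": clusters}}
    insort(vol["index"][parent_entry], (name, entry))  # sorted index entry carrying the file reference
    vol["entries"][parent_entry]["$STANDARD_INFORMATION"].update(
        modified=now, mft_modified=now, accessed=now)  # directory times updated last
    return entry

def sample_volume():
    """Constructed volume: MFT entries 0..303 in use, root is entry 5, dir1 is entry 200."""
    return {"mft_bitmap": [1] * 304 + [0] * 16,
            "cluster_bitmap": [1, 1, 0, 1, 0, 0, 0, 1, 0, 0],
            "entries": {5: {"$STANDARD_INFORMATION": {}}, 200: {"$STANDARD_INFORMATION": {}}},
            "index": {5: [("dir1", 200)], 200: [("zzz.txt", 250)]}}
```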


Conclusions

Conclusions
- A forensic examiner must have an excellent working knowledge of the system and software that s/he is examining
- Modern OSs are complex, with many interactions being performed for simple operations
- Due to these complexities it is not possible to know what value the OS might provide in terms of evidence
- However, it is typically a good source of additional evidence beyond simple file analysis

Dr Fudong Li Fudong.li@plymouth.ac.uk http://cscan.org/?page=staffprofile&id=45