Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Chapter Topics:
– File Systems vs Operating Systems
– Understanding FAT File Systems
– Understanding NTFS File Systems
– Dealing with Alternate Data Streams

September 20, 2015 © Wiley Inc All Rights Reserved

File Systems vs Operating Systems
The operating system is responsible for carrying out the basic tasks of the computer.
O/S types:
– Microsoft DOS
– Microsoft Windows
– Unix
– Linux
– Mac OS X

File Systems vs Operating Systems
The file system is the system or method of storing and retrieving data on a computer.
File system types:
– FAT (12, 16, 32)
– NTFS
– HFS
– HFS+
– ZFS
– Ext2
– Ext3
– ISO 9660
– UDF
– UFS

Windows Operating System
– Uses the FAT and NTFS file systems
– FAT is the ideal cross-platform file system, as nearly all operating systems can reliably read it and write to it
– Each version of Windows has a directory structure that usually indicates the version

Default System & Profile Folder Names for Windows Versions

Operating System   User Profile Folders                                  Default System Folder
Windows 9x/Me      No Documents and Settings folder                      C:\Windows
Windows NT         No Documents and Settings folder; C:\WINNT\Profiles   C:\WINNT
Windows 2000       C:\Documents and Settings                             C:\WINNT
Windows XP         C:\Documents and Settings                             C:\Windows

Minimal Functions of any File System
– Track the name of the file (or directory).
– Track the starting point where the file starts.
– Track the length of the file along with other file metadata, such as timestamps.
– Track the clusters used by the file (cluster runs).
– Track which allocation units (clusters) are allocated and which ones are not.

FAT File System Major Components
– FAT (File Allocation Table)
  Tracks the clusters used by the file
  Tracks which allocation units (clusters) are allocated and which are not
– 32-byte FAT directory entry
  Tracks the name of the file (or directory)
  Tracks the starting point where the file starts
  Tracks the length of the file along with other file metadata, such as timestamps

FAT32 Directory Entry

Byte Offset (Decimal)   Description
0                       First character of filename, or status byte
1-7                     Remaining characters of filename
8-10                    Characters of file extension
11                      Attributes (detailed in Table 7.6)
12                      Reserved
13-17                   Created time and date of file, stored as MS-DOS 32-bit date/time stamp
18-19                   Last accessed date (no time!)
20-21                   Two high bytes of FAT32 starting cluster; FAT12/16 will have zeros here
22-25                   Last written time and date of file, stored as MS-DOS 32-bit date/time stamp
26-27                   Starting cluster for FAT12/16; two low bytes of starting cluster for FAT32
28-31                   Size in bytes of file (32-bit integer). Note: will be 0 for directories!
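As an added example (not from the book's slides), a small Python parser that walks the 32-byte layout above: it decodes the status byte, the 8.3 name, the attribute bits, the MS-DOS date/time stamps and the two halves of the starting cluster. The sample entry, the helper names and the field names are constructed here, not taken from a real volume.

```python
import struct
from datetime import datetime

# Layout of one 32-byte FAT directory entry (little-endian), in table order:
# name(0-7) ext(8-10) attr(11) reserved(12) ctime-tenths(13) ctime(14-15)
# cdate(16-17) adate(18-19) cluster-hi(20-21) wtime(22-23) wdate(24-25)
# cluster-lo(26-27) size(28-31)
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTRS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
         0x08: "VOLUME_ID", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def dos_datetime(date_word, time_word):
    """Decode a packed MS-DOS date/time stamp (seconds are stored in 2-second units)."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_dir_entry(raw):
    """Return the fields of a FAT directory entry as a dict, or None if the slot is unused."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    (name, ext, attr, _reserved, _tenths, ctime, cdate, adate,
     clus_hi, wtime, wdate, clus_lo, size) = ENTRY.unpack(raw)
    if name[0] == 0x00:               # status byte 0x00: slot never used
        return None
    deleted = name[0] == 0xE5         # status byte 0xE5: deleted, first char overwritten
    stem = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
    ext_s = ext.decode("ascii").rstrip()
    return {
        "name": stem + ("." + ext_s if ext_s else ""),
        "deleted": deleted,
        "attributes": [label for bit, label in ATTRS.items() if attr & bit],
        "created": dos_datetime(cdate, ctime),
        "accessed": dos_datetime(adate, 0).date(),   # date only, no time stored
        "written": dos_datetime(wdate, wtime),
        # FAT32 keeps the high 16 bits at bytes 20-21; FAT12/16 store zeros there
        "start_cluster": (clus_hi << 16) | clus_lo,
        "size": size,                 # 0 for directories
    }

def make_entry(name, ext, attr, ctime, cdate, adate, wtime, wdate, cluster, size):
    """Pack a constructed entry (sample data for this example, not from a real disk)."""
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr, 0, 0,
                      ctime, cdate, adate, cluster >> 16, wtime, wdate,
                      cluster & 0xFFFF, size)

# Constructed sample: NOTES.TXT, archive bit set, created 2015-09-20 14:30,
# written 15:05:30 the same day, accessed 2015-09-21, first cluster 0x12345.
SAMPLE = make_entry("NOTES", "TXT", 0x20, 0x73C0, 0x4734, 0x4735, 0x78AF, 0x4734, 0x12345, 1234)
DELETED = b"\xE5" + SAMPLE[1:]        # the same entry after deletion: only byte 0 changes
```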

NTFS File System Major Components
– Cluster bitmap ($Bitmap)
  Tracks the allocation status of all clusters in the partition
– Master File Table ($MFT)
  Tracks the clusters used by the file
  Tracks the name of the file (or directory)
  Tracks the starting point where the file starts
  Tracks the length of the file along with other file metadata, such as timestamps

NTFS System Files

MFT Record #   Filename    Description
0              $MFT        Master File Table; each MFT record is 1,024 bytes in length
1              $MFTMirr    Contains a backup copy of the first four entries of the MFT
2              $LogFile    Journal file that contains file metadata transactions used for system recovery and file integrity
3              $Volume     NTFS version, volume label and identifier
4              $AttrDef    Attribute information
5              $.          Root directory of the file system
6              $Bitmap     Tracks the allocation status of all clusters in the partition
7              $Boot       Contains the partition boot sector and boot code
8              $BadClus    Bad clusters on the partition are tracked with this file
9              $Secure     Contains file permissions and access control settings for file security
10             $UpCase     Converts lower-case Unicode characters by storing an upper-case version of all Unicode characters in this file
11             $Extend     A directory reserved for optional extensions

Alternate Data Streams (ADS)
– An MFT entry can have more than one $DATA attribute
– If more than one $DATA attribute exists, the additional ones are called ADS
– Invisible to the user, even to an administrator
– Can hold hidden data / malicious code
– Always examine for ADS using tools such as streams.exe, EnCase, etc.