
BACS 371 Computer Forensics


1 BACS 371 Computer Forensics
File Systems within Partitions II

2 File Systems (see http://www.ntfs.com)
A method for storing and organizing computer files and the data they contain, to make it easy to find and access them.
File system types:
- FAT (File Allocation Table): FAT12, FAT16, FAT32, exFAT
- NTFS (New Technology File System)
Functions:
- Manage “free space”
- Allocate clusters to files
- Track time (MAC: Modify, Access, Create)

3 FAT File System
Layout (all contained within a partition):
- Partition Boot Sector
- FAT 1
- FAT 2 (duplicate)
- Directory
- Other folders and all files

4 Directory to FAT interaction

5 File Allocation Table (FAT)

6 Partition Boot Record (PBR)
- BIOS Parameter Block (BPB)
- Executable code: machine-language code, processor specific; decodes the BPB and searches for the OS
- PBR “signature”: 0x55AA

7 Decoding a Partition Boot Record (BIOS Parameter Block – BPB)
Field | Offset | Length | Decode as | Example
Jump Instruction | 0x00 | 3 bytes | (machine code) |
OEM Name | 0x03 | 8 bytes | ASCII | “MSDOS5.0”
Bytes Per Sector | 0x0B | 2 bytes | Number (swap “endian”) | 0x0200 = 512
Sectors Per Cluster | 0x0D | 1 byte | Number | 0x08 = 8; 8 * 512 = 4096 bytes/cluster
Media Type | 0x15 | 1 byte | Table lookup | 0xF8 means HD
Sectors per Track | 0x18 | 2 bytes | Number (swap “endian”) | 0x003F = 63
Heads | 0x1A | 2 bytes | Number (swap “endian”) | 0x00FF = 255
Total Sectors | 0x20 | 4 bytes | Number (swap “endian”) | 0x000E37BA = 931,770 sectors; * 512 = 477,066,240 bytes
FAT Size (Sectors) | 0x24 | 4 bytes | Number (swap “endian”) | 0x D = 909 sectors; * 512 = 465,408 bytes; / 4 = 58,176 entries; * 4096 = 238,288,896 bytes addressed
File System Type | 0x52 | 8 bytes | ASCII | “FAT32   ”
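A worked decode of the BPB fields above, as an added example that is not part of the slide deck. The boot sector is constructed in code rather than read from a disk: its values follow the slide's example, while the reserved-sector count, the number of FATs and the jump bytes are assumed because the slide does not show them. The decoder does the little-endian unpacking the slide calls "swap endian", derives the cluster size, FAT size and the byte offset of the data region, and checks that the FAT has enough entries to cover every cluster on the volume (a quick sanity test on a BPB recovered from an image).

```python
import struct

MEDIA_TYPES = {0xF8: "fixed disk (HD)", 0xF0: "removable (1.44 MB floppy)"}


def build_sample_boot_sector() -> bytes:
    """Constructed FAT32 boot sector, not from a real disk. Field values follow the
    slide's example; reserved sectors, FAT count and the jump bytes are assumed."""
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xEB\x58\x90"                 # jump instruction (assumed)
    bs[0x03:0x0B] = b"MSDOS5.0"                     # OEM name
    struct.pack_into("<H", bs, 0x0B, 512)           # bytes per sector (stored as 00 02)
    bs[0x0D] = 8                                    # sectors per cluster
    struct.pack_into("<H", bs, 0x0E, 32)            # reserved sectors (assumed)
    bs[0x10] = 2                                    # number of FATs (assumed)
    bs[0x15] = 0xF8                                 # media type: fixed disk
    struct.pack_into("<H", bs, 0x18, 63)            # sectors per track
    struct.pack_into("<H", bs, 0x1A, 255)           # heads
    struct.pack_into("<I", bs, 0x20, 931770)        # total sectors (0x000E37BA)
    struct.pack_into("<I", bs, 0x24, 909)           # FAT size in sectors
    bs[0x52:0x5A] = b"FAT32   "                     # file system type string
    bs[0x1FE:0x200] = b"\x55\xAA"                   # boot signature
    return bytes(bs)


def decode_fat32_bpb(sector: bytes) -> dict:
    """Decode the BPB fields from the slide; multi-byte fields are little-endian."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    reserved_sectors = struct.unpack_from("<H", sector, 0x0E)[0]
    num_fats = sector[0x10]
    total_sectors = struct.unpack_from("<I", sector, 0x20)[0]
    fat_size_sectors = struct.unpack_from("<I", sector, 0x24)[0]
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("zero sector or cluster size: BPB is damaged")
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    fat_bytes = fat_size_sectors * bytes_per_sector
    fat_entries = fat_bytes // 4                    # one 32-bit FAT entry per cluster
    data_start = reserved_sectors + num_fats * fat_size_sectors   # first data sector
    cluster_count = (total_sectors - data_start) // sectors_per_cluster
    return {
        "oem_name": sector[0x03:0x0B].decode("ascii", errors="replace"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "media_type": MEDIA_TYPES.get(sector[0x15], f"unknown (0x{sector[0x15]:02X})"),
        "sectors_per_track": struct.unpack_from("<H", sector, 0x18)[0],
        "heads": struct.unpack_from("<H", sector, 0x1A)[0],
        "total_sectors": total_sectors,
        "total_bytes": total_sectors * bytes_per_sector,
        "fat_size_sectors": fat_size_sectors,
        "fat_bytes": fat_bytes,
        "fat_entries": fat_entries,
        "fat_addressable_bytes": fat_entries * cluster_bytes,
        "data_region_offset": data_start * bytes_per_sector,
        "cluster_count": cluster_count,
        # Data clusters are numbered from 2, so the FAT needs cluster_count + 2 entries.
        "fat_covers_data_region": fat_entries >= cluster_count + 2,
        "fs_type": sector[0x52:0x5A].decode("ascii", errors="replace"),
    }


if __name__ == "__main__":
    for key, value in decode_fat32_bpb(build_sample_boot_sector()).items():
        print(f"{key:24} {value}")
```

Run it against a real image by replacing `build_sample_boot_sector()` with the first 512 bytes of the partition; a missing 0x55AA signature or a zero sector size is the usual first sign that the sector you are looking at is not a boot sector at all.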

8 FAT32
- 32-bit cluster numbers; only 28 bits actually used
- Addresses 2^28 clusters (~268,435,438)
- Drive sizes ~1 TB (2^28 clusters * 4096 bytes per cluster ~ 1.1 TB)
- WinXP limited to 32 GB using FAT32
- Max file size in FAT32 is ~4 GB

9 Advantages of FAT32 over FAT16
- FAT32 offers smaller cluster sizes, so less wasted space
- FAT32 systems can relocate and change the size of the root directory
- FAT32 drives can contain a copy of the boot record(s), so they are less prone to failure
- Allows for long file names

10 Long File Names “Trick”
- Phony entries are added to the directory tables
- Entries are marked with the volume label attribute
- Each phony entry can contain up to 13 UTF-16 characters (26 bytes)

11 Long File Name Entries
Red entries are short file name entries; blue entries are for a long file name. Read the long filename entries from the bottom to the top. Note that the first byte in each long filename entry is its sequence number, 01, 02, 03, 04, 05 or 06 (OR’ed with 0x40 to indicate the last segment). Long filename entries have 0x0F in the 12th byte (the attribute byte); directory entries have 0x10 in this position (indicating a directory).

12 FAT Root Directory: Volume ID Directory Entry
- A file with a “short” filename uses a single directory entry.
- A file with a “long” filename uses multiple directory entries: here 4 entries hold the long file name and 1 entry holds the complete set of file information, including the “short” file name.
- Attribute bits: 0x08 = Volume Label, 0x20 = Archive, 0x0F = Long File Name

13 NTFS File System
Layout:
- Partition Boot Sector
- Master File Table
- System Files
- File Area

14 NTFS Capacities
Maximum Volume Size | 16 exabytes theoretically; 16 terabytes actually
Max File Size | Approx. 256 terabytes theoretically
Files per Volume | 4,294,967,295

15 NTFS Partition Boot Sector
Byte Offset | Field Length | Field Name
0x00 | 3 bytes | Jump Instruction
0x03 | 8 bytes | OEM ID
0x0B | 25 bytes | BIOS Parameter Block (BPB)
0x24 | 48 bytes | Extended BPB
0x54 | 426 bytes | Bootstrap Code
0x01FE | 2 bytes | End of Sector Marker (55 AA)

16 NTFS Partition Boot Sector

17 NTFS BPB and Extended BPB
Byte Offset | Field Length | Sample Value (1) | Field Name
0x0B | WORD | 0x0002 | Bytes Per Sector
0x0D | BYTE | 0x08 | Sectors Per Cluster
0x0E | WORD | 0x0000 | Reserved Sectors
0x10 | 3 BYTES | 0x000000 | always 0
0x13 | WORD | | not used by NTFS
0x15 | BYTE | 0xF8 | Media Descriptor
0x16 | WORD | | always 0
0x18 | WORD | 0x3F00 | Sectors Per Track
0x1A | WORD | 0xFF00 | Number Of Heads
0x1C | DWORD | 0x3F000000 | Hidden Sectors
0x20 | DWORD | | not used by NTFS
0x24 | DWORD | | not used by NTFS
0x28 | LONGLONG | 0x4AF57F | Total Sectors
0x30 | LONGLONG | | Logical Cluster Number for the file $MFT
0x38 | LONGLONG | 0x54FF | Logical Cluster Number for the file $MFTMirr
0x40 | DWORD | 0xF | Clusters Per File Record Segment
0x44 | DWORD | | Clusters Per Index Block
0x48 | LONGLONG | 0x14A51B74C91B741C | Volume Serial Number
0x50 | DWORD | | Checksum
(1) Don’t forget: little endian!
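A decoder for the NTFS boot sector fields in slides 15 to 17, as an added example that is not part of the slide deck. The sector is constructed in code: the geometry (512-byte sectors, 8 sectors per cluster, 63 sectors per track, 255 heads, 63 hidden sectors) and the volume serial number follow the slide's sample values, while the total sector count, the $MFT and $MFTMirr cluster numbers, the clusters-per-record byte (0xF6) and the index block size are assumed. Beyond the little-endian unpacking, it shows two things an examiner needs before reading the MFT: how the "clusters per file record" field encodes a record size smaller than a cluster as a negative power of two, and how the $MFT cluster number becomes a byte offset into the partition image or into a whole-disk image.

```python
import struct


def build_sample_ntfs_boot_sector() -> bytes:
    """Constructed NTFS boot sector (not from a real volume). Geometry and serial
    number follow the slide; total sectors, $MFT/$MFTMirr cluster numbers and the
    record/index size bytes are assumed."""
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xEB\x52\x90"                # jump instruction (assumed)
    bs[0x03:0x0B] = b"NTFS    "                    # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)          # bytes per sector (00 02 on disk)
    bs[0x0D] = 8                                   # sectors per cluster
    bs[0x15] = 0xF8                                # media descriptor
    struct.pack_into("<H", bs, 0x18, 63)           # sectors per track (3F 00 on disk)
    struct.pack_into("<H", bs, 0x1A, 255)          # number of heads (FF 00 on disk)
    struct.pack_into("<I", bs, 0x1C, 63)           # hidden sectors before the partition
    struct.pack_into("<Q", bs, 0x28, 4912511)      # total sectors (assumed)
    struct.pack_into("<Q", bs, 0x30, 786432)       # LCN of $MFT (assumed)
    struct.pack_into("<Q", bs, 0x38, 2)            # LCN of $MFTMirr (assumed)
    bs[0x40] = 0xF6                                # clusters per file record: -10 -> 2**10 bytes
    bs[0x44] = 0x01                                # clusters per index block
    struct.pack_into("<Q", bs, 0x48, 0x14A51B74C91B741C)   # volume serial number from the slide
    bs[0x1FE:0x200] = b"\x55\xAA"                  # end of sector marker
    return bytes(bs)


def _size_from_clusters(raw: int, cluster_bytes: int) -> int:
    """A positive value counts clusters; a negative signed byte n means 2**(-n) bytes,
    which is how NTFS stores a 1024-byte record on a volume with 4096-byte clusters."""
    signed = struct.unpack("<b", bytes([raw & 0xFF]))[0]
    return (1 << -signed) if signed < 0 else signed * cluster_bytes


def decode_ntfs_boot_sector(sector: bytes) -> dict:
    if sector[0x03:0x0B] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55 AA end-of-sector marker")
    bps = struct.unpack_from("<H", sector, 0x0B)[0]
    spc = sector[0x0D]
    cluster_bytes = bps * spc
    hidden = struct.unpack_from("<I", sector, 0x1C)[0]
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    return {
        "oem_id": sector[0x03:0x0B].decode("ascii"),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_bytes": cluster_bytes,
        "sectors_per_track": struct.unpack_from("<H", sector, 0x18)[0],
        "heads": struct.unpack_from("<H", sector, 0x1A)[0],
        "hidden_sectors": hidden,
        "total_sectors": total,
        "volume_bytes": total * bps,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mirr_lcn,
        # Byte offsets: within the partition image, and within a whole-disk image
        # (the partition starts after the hidden sectors).
        "mft_offset_in_partition": mft_lcn * cluster_bytes,
        "mft_offset_on_disk": hidden * bps + mft_lcn * cluster_bytes,
        "mftmirr_offset_in_partition": mirr_lcn * cluster_bytes,
        "mft_record_bytes": _size_from_clusters(sector[0x40], cluster_bytes),
        "index_block_bytes": _size_from_clusters(sector[0x44], cluster_bytes),
        "volume_serial": f"{struct.unpack_from('<Q', sector, 0x48)[0]:016X}",
    }


if __name__ == "__main__":
    for key, value in decode_ntfs_boot_sector(build_sample_ntfs_boot_sector()).items():
        print(f"{key:28} {value}")
```

If the primary boot sector is damaged, the same decoder applies to the backup copy that NTFS keeps at the last sector of the volume (slide 27's "first and last sectors").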

18 Master File Table
- Is itself a file
- An array of records constituting a database of all files in the system
- Each record is usually 1024 bytes
- The first 16 records contain volume-specific information: the NTFS metadata files

19 NTFS Metadata Files
System File | File Name | MFT Record | Purpose of the File
Master file table | $Mft | 0 | Contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit within a single record, other file records are allocated as well.
Master file table 2 | $MftMirr | 1 | A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure.
Log file | $LogFile | 2 | Contains a list of transaction steps used for NTFS recoverability. Log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000 to restore consistency to NTFS after a system failure.
Volume | $Volume | 3 | Contains information about the volume, such as the volume label and the volume version.
Attribute definitions | $AttrDef | 4 | A table of attribute names, numbers, and descriptions.
Root file name index | $. | 5 | The root folder.
Cluster bitmap | $Bitmap | 6 | A representation of the volume showing which clusters are in use.
Boot sector | $Boot | 7 | Includes the BPB used to mount the volume and additional bootstrap loader code used if the volume is bootable.
Bad cluster file | $BadClus | 8 | Contains bad clusters for the volume.
Security file | $Secure | 9 | Contains unique security descriptors for all files within a volume.
Upcase table | $Upcase | 10 | Converts lowercase characters to matching Unicode uppercase characters.
NTFS extension file | $Extend | 11 | Used for various optional extensions such as quotas, reparse point data, and object identifiers.
(reserved) | | 12–15 | Reserved for future use.

20 NTFS Master File Table (MFT)

21 NTFS File Attributes
Attribute Type | Description
Standard Information | Includes information such as timestamps and link count.
Attribute List | Lists the location of all attribute records that do not fit in the MFT record.
File Name | A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes.
Security Descriptor | Describes who owns the file and who can access it.
Data | Contains file data. NTFS allows multiple data attributes per file. Each file typically has one unnamed data attribute. A file can also have one or more named data attributes, each using a particular syntax.
Object ID | A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Logged Utility Stream | Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Reparse Point | Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Index Root | Used to implement folders and other indexes.
Index Allocation |
Bitmap |
Volume Information | Used only in the $Volume system file. Contains the volume version.
Volume Name | Used only in the $Volume system file. Contains the volume label.

22 $MFT Template

23 NTFS Files
- An NTFS file is actually a collection of attribute/value pairs, structured in an object-oriented fashion.
- The attributes of the file are stored in its MFT record(s).
- The standard information ($STANDARD_INFORMATION) holds: timestamps (modified, accessed, created, MFT change); file attributes (read only, hidden, archive, ...); hard link count (number of directories that point to the file).
- File Name ($FILE_NAME) is in Unicode.
- Data ($DATA) holds the actual data of the file.

24 MFT Small File Entry
The master file table allocates a certain amount of space for each file record. The attributes of a file are written to the allocated space in the MFT. Small files and directories (typically 1500 bytes or smaller), such as the file illustrated in the next figure, can be contained entirely within the master file table record.

25 NTFS Multiple Data Streams
- For compatibility with Mac OS forks
- Executable
- In NTFS, an unlimited number of streams
- A data stream is not displayed when you open a text file in a text editor
- Must examine the MFT record for the file to see if there is a ‘:’ following the file name
- A copy to FAT includes only the 1st stream
- Example: Innocuousfile.txt and Innocuousfile.txt:hiddenporn
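A parser for the MFT record structure described in slides 21, 23 and 25, as an added example that is not part of the slide deck. The 1024-byte FILE record is constructed in code (the timestamps, file name, MFT reference and stream contents are made up; the named stream is called Zone.Identifier, the marker browsers attach to downloads, rather than the slide's example). The parser first undoes the update sequence fixups that NTFS writes into the last two bytes of every sector of a record, so a torn record is detected rather than silently misread, then walks the attribute headers and decodes $STANDARD_INFORMATION timestamps, the $FILE_NAME name and every $DATA attribute. A $DATA attribute with a name is an alternate data stream, which is exactly the "examine the MFT for a ':'" check the slide asks for.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP",
              0xC0: "$REPARSE_POINT", 0x100: "$LOGGED_UTILITY_STREAM"}
END_MARKER = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_CREATED = datetime(2020, 1, 1, tzinfo=timezone.utc)   # constructed timestamp


def from_filetime(ft: int) -> datetime:
    """NTFS stores times as 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def resident_attr(atype: int, content: bytes, name: str = "") -> bytes:
    """One resident attribute: 24-byte header, optional UTF-16LE name, then the value."""
    name_b = name.encode("utf-16-le")
    content_off = (24 + len(name_b) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 24, 0, 0,
                      len(content), content_off, 0, 0)
    body = hdr + name_b
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (length - len(body))


def build_sample_record(created: datetime) -> bytes:
    """Constructed 1024-byte FILE record for Innocuousfile.txt: $STANDARD_INFORMATION,
    $FILE_NAME, the unnamed $DATA stream and one named stream (the ADS)."""
    ft = to_filetime(created)
    std_info = struct.pack("<QQQQI", ft, ft, ft, ft, 0x20) + b"\x00" * 28
    name = "Innocuousfile.txt"
    file_name = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), ft, ft, ft, ft, 0, 21, 0x20, 0,
                            len(name), 3) + name.encode("utf-16-le")
    attrs = (resident_attr(0x10, std_info)
             + resident_attr(0x30, file_name)
             + resident_attr(0x80, b"Nothing to see here.\n")
             + resident_attr(0x80, b"[ZoneTransfer]\r\nZoneId=3\r\n", name="Zone.Identifier")
             + struct.pack("<I", END_MARKER))
    rec = bytearray(1024)
    first_attr = 0x38              # 48-byte header + 6-byte update sequence array, 8-aligned
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 1, 1, first_attr, 0x01,
                     first_attr + len(attrs), 1024)
    rec[first_attr:first_attr + len(attrs)] = attrs
    # Fixups: the last two bytes of each 512-byte sector are moved into the update
    # sequence array and replaced by the update sequence number (here 0x0007).
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in range(2):
        end = (i + 1) * 512 - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


def apply_fixups(record: bytes, sector_size: int = 512) -> bytes:
    """Undo the update sequence substitution; a mismatch means a torn or corrupt record."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(record: bytes) -> dict:
    if record[0:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attributes": [], "ads": []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or length == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        entry = {"type": ATTR_NAMES.get(atype, hex(atype)), "name": name, "resident": nonres == 0}
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content, entry["size"] = rec[off + coff:off + coff + clen], clen
        else:   # non-resident: value lives in clusters; the real size is at header offset 0x30
            content, entry["size"] = b"", struct.unpack_from("<Q", rec, off + 0x30)[0]
        if atype == 0x10 and len(content) >= 32:
            c, m, mc, a = struct.unpack_from("<QQQQ", content, 0)
            entry["times"] = {"created": from_filetime(c), "modified": from_filetime(m),
                              "mft_changed": from_filetime(mc), "accessed": from_filetime(a)}
        elif atype == 0x30 and len(content) > 66:
            entry["file_name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        elif atype == 0x80 and name:
            info["ads"].append(name)     # a named $DATA attribute is an alternate data stream
        info["attributes"].append(entry)
        off += length
    return info
```

On a real volume the records come from the $MFT offset computed from the boot sector, 1024 bytes apart; running `parse_mft_record` over each one and reporting every non-empty `ads` list is the offline equivalent of looking for the ':' the slide describes.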

26 ADS Example

27 File System Features (NTFS5, NTFS, FAT32, FAT16)
- Unicode File Names: Unicode character set (NTFS5, NTFS); system character set (FAT32, FAT16)
- System Records Mirror: MFT mirror file (NTFS5, NTFS); second copy of FAT (FAT32, FAT16)
- Boot Sector Location: first and last sectors (NTFS5, NTFS); first sector (FAT32, FAT16)
- File Attributes: standard and custom (NTFS5, NTFS); standard set (FAT32, FAT16)
- Alternate Streams: Yes (NTFS5, NTFS); No (FAT32, FAT16)
- Compression
- Encryption
- Object Permissions
- Disk Quotas
- Sparse Files
- Reparse Points
- Volume Mount Points
- File Names: 256 char; 8.3 names

28 Overall Performance (NTFS5, NTFS, FAT32, FAT16)
- Built-In Security: Yes (NTFS5, NTFS); No (FAT32, FAT16)
- Recoverability
- Performance: NTFS5 and NTFS low on small volumes, high on large; FAT32 high on small volumes, low on large; FAT16 highest on small volumes, low on large
- Disk Space Economy: Max; Average; Minimal on large volumes
- Fault Tolerance: Minimal

