Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics NTFS File System.

Published byМаксимилијан Алексић Modified over 5 years ago

Similar presentations

Presentation on theme: "Computer Forensics NTFS File System."— Presentation transcript:

1 Computer Forensics NTFS File System

2 MBR and GPT Disks MBR disks for 32b 86x-compatibles
GPT disks for 64b Itanium processors Start with a MBR in order to maintain compatibility MBR has a single partition with a partition table entry of 0xEE

3 NTFS Architecture

4 NTFS Architecture

5 NTFS Boot Sector

6 NTFS Boot Sector 0x00 3B Jump Instruction 0x03 8B OEM ID 0x0B 25B BPB
0x24 48B Extended BPB 0x B Bootstrap Code. 0x1FE 2B End of Sector Marker

7 NTSF Boot Sector

8 NTSF Boot Sector Many fields are not important, but:
0x0B, Bytes per sector. 0x0D Sectors per Cluster 0x15 Media descriptor. F8: HD; F0: HD Floppy 0x28 Total sectors. 0x30 Logical cluster number for the MFT 0x38 Logical cluster number copy of the MFT 0x Clusters per MFT Record. 0x48 Volume serial

9 NTFS Boot Sector WinHex allows access to an interpreted NTFS Boot Sector. Use the Access Tab.

10 NTFS BPB 8 sectors per cluster Total number of sectors 0x94EAFF7
MFT starts at 0xC7E9 = LBA within partition, add 80,325 to find physical address

11 NTFS Master File Table First four entries are replicated, so that MFT can be repaired First 16 records are reserved for metadata files, their name begins with a dollar sign ($)

12 NTFS Master File Table Master file table $MFT.
Master file table mirror $MftMirr. Log file $LogFile. Volume $Volume Attribute definitions $AttrDef. The root folder “.” Cluster bitmap $Bitmap Boot sector $Boot, Bad cluster file $BadClus Security file $Secure Upcase table $Upcase NTFS extension file $Extend, that is used for future use.

13 NTFS Master File Table

14 MFT Records Entries are 1KB each Entries contain File Attributes
Location Data

15 MFT Records Small Files (<900B) are contained completely in the MFT entry.

16 MFT Records Folders contain index data.
Small folders reside within the MFT record Larger folders have an index structure to other data blocks. They use a B-tree structure.

17 NTFS Versions File system improves. Disk Layout changes.

Download ppt "Computer Forensics NTFS File System."

Similar presentations

BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.

BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
File Systems Examples.

File Systems Examples.
Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.

Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
File System Implementation Yejin Choi

File System Implementation Yejin Choi
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.

1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.
Metadata Files Excellent reference:

Metadata Files Excellent reference:
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Implementing Hard Drives Chapter 10

Implementing Hard Drives Chapter 10
Tasks Necessary for Setting Up a Hard Disk Initializing the disk with basic or dynamic storage type Creating partitions on basic disks or volumes on dynamic.

Tasks Necessary for Setting Up a Hard Disk Initializing the disk with basic or dynamic storage type Creating partitions on basic disks or volumes on dynamic.
New Technologies File System

New Technologies File System
Unix File System Internal Structures By C. Shing ITEC Dept Radford University.

Unix File System Internal Structures By C. Shing ITEC Dept Radford University.
Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Similar presentations

Ads by Google