Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Published byOliver Allan Walters Modified over 8 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems

2 September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 2 Chapter Topics: File Systems vs Operating Systems Understanding FAT File Systems Understanding NTFS File Systems Dealing with Alternate Data Streams

3 File Systems vs Operating Systems Operating system responsible for carrying out the basic tasks of the computer O/S types: –Microsoft DOS –Microsoft Windows –Unix –Linux –Mac OS X September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 3

4 File Systems vs Operating Systems File system is the system or method of storing & retrieving data on a computer File system types: –FAT (12, 16, 32) –NTFS –HFS –HFS+ –ZFS –Ext2 –Ext3 –ISO 9660 –UDF –UFS September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 4

5 Windows Operating System Uses FAT and NTFS file systems FAT is ideal cross-platform file system as nearly all operating systems can reliably read it and write to it Each version of Windows has a directory structure usually indicative of version September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 5

6 Default System & Profile Folder Names for Windows Versions September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 6 O PERATING S YSTEM U SER P ROFILE F OLDERS D EFAULT S YSTEM F OLDER Windows 9x/MeNo Documents and Settings Folder C:\Windows Windows NTNo Documents and Settings Folder C:\WINNT\Profiles C:\WINNT Windows 2000C:\Documents and SettingsC:\WINNT Windows XPC:\Documents and SettingsC:\Windows

7 Minimal Functions of any File System Track the name of the file (or directory). Track the starting point where the file starts. Track the length of the file along with other file metadata, such as timestamps. Track the clusters used by the file (cluster runs). Track which allocations units (clusters) are allocated and which ones are not. September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 7

8 FAT File System Major components –FAT (File Allocation Table) Tracks clusters used by the file Tracks which allocation units (clusters) are allocated and which are not –32 byte FAT directory entry Tracks the name of the file (or directory) Track the starting point where the file starts Track the length of the file along with other file metadata, such as timestamps September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 8

9 FAT 32 Directory Entry September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 9 B YTE O FFSET (D ECIMAL ) D ESCRIPTION 0First Character of Filename or Status Byte 1 - 7Characters 2 - 8 of Filename 8 -103 Characters of File Extension 11Attributes (Detailed in Table 7.6) 12 -13Reserved 14 -17Created time and date of file. Stored as MS-DOS 32-bit date / time stamp 18 -19Last Accessed date—no time! 20 - 21Two high bytes of FAT32 starting cluster.FAT12/16 will have zeros 22 - 25Last Written time and date of file. Stored as MS-DOS 32- bit date / time stamp 26 - 27Starting cluster for FAT12/16—two low bytes of starting cluster for FAT32 28 - 31Size in bytes of file (32-bit integer). Note: Will be 0 for directories!

10 NTFS File System Major Components –Cluster bitmap ($Bitmap) Tracks allocation status of all clusters in partition –Master File Table ($MFT) Tracks clusters used by the file Tracks the name of the file (or directory) Track the starting point where the file starts Track the length of the file along with other file metadata, such as timestamps September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 10

11 NTFS System Files September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 11 MFT R ECORD # F ILENAME D ESCRIPTION 0$MFTMaster File Table – Each MFT record is 1,024 bytes in length 1$MFTMirrContains a backup copy of the first four entries of the MFT 2$LogFileJournal file that contains file metadata transactions used for system recovery and file integrity 3$VolumeNTFS Version and Volume Label and Identifier 4$AttrDefAttribute Information 5$.Root directory of file system 6$BitmapTracks allocation status of all clusters in partition 7$BootContains partition boot sector and boot code 8$BadClusBad clusters on partition are tracked with this file 9$SecureContains file permissions and access control settings for file security 10$UpCaseConverts lower case characters in Unicode by storing an uppercase version of all Unicode characters in this file 11$ExtendA directory reserved for options extensions

12 Alternate Data Streams (ADS) MFT entry can have more than one $DATA attribute If more than one $DATA attribute exists, they are called ADS Invisible to user, even to administrator Can hold hidden data / malicious code Always examine for ADS using tools such as streams.exe, EnCase, etc September 20, 2015 © Wiley Inc. 2007. All Rights Reserved 12

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems."

Similar presentations

COMP091 – Operating Systems 1

COMP091 – Operating Systems 1
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
NTFS MFT Example COEN 152 / 252. MFT Table Entry.

NTFS MFT Example COEN 152 / 252. MFT Table Entry.
File Systems Examples.

File Systems Examples.
Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.

Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.
© Microsoft Corporation1 Windows Kernel Internals NTFS David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.

© Microsoft Corporation1 Windows Kernel Internals NTFS David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
Operating Systems File systems

Operating Systems File systems
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Operating Systems.

Operating Systems.
Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.

Chapter 4: Operating Systems and File Management 1 Operating Systems and File Management Chapter 4.
Tasks Necessary for Setting Up a Hard Disk Initializing the disk with basic or dynamic storage type Creating partitions on basic disks or volumes on dynamic.

Tasks Necessary for Setting Up a Hard Disk Initializing the disk with basic or dynamic storage type Creating partitions on basic disks or volumes on dynamic.
MCSE Guide to Microsoft Windows 7 Chapter 5 Managing File Systems.

MCSE Guide to Microsoft Windows 7 Chapter 5 Managing File Systems.

Similar presentations

Ads by Google