The NTFS File System
OVERVIEW:
This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.
In this lab, students will enumerate hosts on the network using various tools.
This lab includes the following tasks:
1 – Examining the NTFS File System 2 – Using a HEX Editor to explore an NTFS Partition 3 – Verifying and viewing the image details 4 – Analyzing an NTFS Partition With Autopsy
Key TermDescription The acronym NTFS stands for New Technology File System. The NTFS File System was originally introduced with the Windows NT. NTFS is a journaling file system which means it keeps a log of changes being written to the disk. If a computer is shutdown improperly, it will have a better NTFS chance of recovery if it has a journaling file system. Files and folder access can be restricted with the security feature of NTFS. Starting with Windows 2000, Microsoft included the Encrypted File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect against unauthorized access. A Feature of the NTFS File system that allows you to encrypt files and folders. The feature EFS became available on the NTFS File system starting with Windows 2000, and is still available today on Windows 10 and Server 2016. An Alternate Data Stream, or ADS, is a feature of the NTFS file system that allowed compatibility ADS with older versions of the Mac OS. The feature can be utilized by an individual who is attempting to hide data on their system with an NTFS volume. The timestomp command allows you to change file Modified, Access, and Created times. The timestomp command can only change MAC times on an NTFS volume. $MFT The Master File Table is basically like the Table of Contents for an NTFS volume.
Reading Assignment
Introduction This lab investigates the New Technology File System (NTFS) which is one of the most commonly used file systems by the Microsoft Windows operating system. The NTFS is robust and includes many useful features such the ability to set security permissions on files and folders. Figure 1 shows the lab topology. FIGURE 1 – LAB TOPOLOGY
This lab includes the following tasks:
Examining the NTFS Using a Hex editor to explore an NTFS partition Verifying and viewing the image details Analyzing an NTFS partition with Autopsy
File Systems Digital devices store information in Random Access Memory (RAM) or on storage systems like a hard disk or a solid-state drive (SSD). We will investigate the different file systems from Windows. Normally, operating systems provide this service “behind the scenes,” but it is critical you understand how these file systems work as a digital forensic specialist. File systems that are common to Microsoft operating systems include FAT (File Allocation Table) and NTFS (New Technology File System).
Windows File Systems
FAT
File Allocation Table is a table that holds information about where files are stored on a volume. When a file is deleted from the disk, the entry or entries for those files are removed from the table and the space is marked as available. However, the file, or parts of the file, can remain on the disk until overwritten by information from new files that are written to the disk. There are many limitations to using FAT32. One is the fact that file sizes are limited to 4 GB. The other issue is that you cannot create a FAT32 volume larger than 32 GB in some versions of Windows, such as Windows XP, Windows 7, and Windows 8. However, in some much older versions of Windows such as Windows 98 and Windows ME (Millennium Edition), users can create a 127.53 GB FAT32 volume. The likely reason for this is that the Windows 98 and Windows ME operating systems cannot read NTFS.
NTFS The acronym NTFS stands for New Technology File System. The NTFS was originally introduced with the Windows NT. NTFS is a journaling file system which means it keeps a log of changes being written to the disk. If a computer is shut down improperly, it will have a better chance of recovery if it has a journaling file system. Files and folder access can be restricted with the security feature of NTFS. Starting with Windows 2000, Microsoft included the Encrypted File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect against unauthorized access.
EFS is a feature of the NTFS that allows you to encrypt files and folders. The feature became available on the NTFS starting with Windows 2000 and is still available today on Windows 10 and Server 2019.
An Alternate Data Stream, or ADS, is a feature of the NTFS that allowed compatibility with older versions of the Mac OS. The feature can be used by an individual who is attempting to hide data on their system with an NTFS volume.
Figure 2 shows the differences in structure between NTFS and FAT32 file systems.
FIGURE 2 – NTFS VS. FAT32 (SOURCE: LINK)
Hex Editors A hexadecimal or hex editor can be a Graphical User Interface (GUI) or command line tool that can be used to analyze the hexadecimal output of files. File headers have hexadecimal signatures that are unique to a particular type of file. Figure 3 shows the hex editor in Windows. FIGURE 3 – HEX EDITOR
In this lab, you will review NTFS images in a hex editor.
Introduction to Hashing Hashing is the process of taking in a stream of plain text and transforms the data into a hashed text using a hashing algorithm. You can use the hash to make sure that a message was not modified during transmission. Figure 4 shows the hashing process.
In this lab, you are going to image a disk and use a hashing tool to get the hash value of that disk image. That hash can also make sure that the disk image was not tampered with. Hashed images are used in forensics investigations. Hashing is also used on files, passwords, and other pieces of data. FIGURE 4 – HASHING PROCESS (SOURCE: LINK)
A hashing algorithm is what takes the data and creates a hash. There are many hashing algorithms that exist such as MD5, SHA1, SHA-256, SHA-384, and SHA-512. Let’s look at MD5, which is one of most insecure algorithms that exist today. The message digest algorithm (MD5) is an algorithm that creates 128-bit outputs. Although they are extremely rare, collisions could occur with an MD5 hash which means that two or more different inputs can result in the same 128-bit hash. The next algorithm is the Secure Hash Algorithm, SHA1, which creates 160-bit outputs. SHA-256 has a length of 256 bits or 64 hex characters, which is 2^256 combinations. SHA-384 is 384 bits long, which is 2^384 combinations, and SHA-512 which is 512 bits and 2^512 combinations.
Let us take a closer look at hashing works. Figure 5 illustrates the hashing process.
FIGURE 5 – HASHING PROCESS
So, a hashing algorithm takes a message/data and breaks it up in blocks depending on the hashing function you are using. If the data is not a multiple of the hashing blocks (e.g., 256-bit block for SHA-256), then the last block will be padded. Each block is run through the algorithm depending on the number of blocks in the message/data. The first block runs through the algorithm, and then it runs through the algorithm with the second block, etc., until you get a hash.
Linux’s dd In Linux, you have a command called dd that copies a file or a whole disk. It can be used to create an ISO disk image, which is used by systems to mount as a CD/DVD. You can use the following commands to create a hash based on the hashing algorithm such as md5sum, sha1sum, sha256sum, sha384sum, or sha512sum. You can use properties of a file in Windows to review the hashes for the image.
Timestomp The timestomp command allows you to change file Modified, Access, and Created times. This utility can only be used to change MAC times on an NTFS volume. Figure 6 shows the timestomp command. FIGURE 6 – TIMESTOMP
Autopsy Forensic Browser Autopsy Forensic Browser, a Graphical User Interface (GUI), is open-source forensic investigation toolkit that will allow a user to collect, examine, analyze, and report digital evidence especially disk images. Figure 7 shows the Autopsy Forensic Browser. FIGURE 7 – AUTOPSY FORENSIC BROWSER
The Autopsy Forensic Browser runs on Windows, Linux, and OS X. Autopsy can be used to capture and analyze disk images, perform analysis, and create reports. One of the most important tasks an investigator performs is to produce a report of his or her findings. A built-in report generator in Autopsy reports on any tagged items.
CONCLUSION:
In this lab, you will use Autopsy Forensic Browser and a hex editor to investigate different Windows file systems (NTFS and FAT).
Examining NTFS Features The most common Windows file systems are FAT and NTFS. There are several versions of NTFS. The older version included on Windows NT did not support the Encrypted File System, or EFS. Starting with Windows 2000, NTFS versions support the EFS feature. Viewing File Systems Log on to the External Windows 7 Machine
1. Click the START button in the adjoining window.
INITIALIZING THE VIRTUAL ENVIRONMENT
2. Click on the Windows 7 machine in the topology.
Note: If the Windows 7 machine is still booting, just give it the time to fully start. WINDOWS 7 MACHINE
3. Log on to Windows 7 as student with the password of password and press
Note: The password of password will not be displayed when you type it for security purposes.
LOGGING ON TO THE WINDOWS 7 MACHINE
4. Click on the Perl (Start button) and click on the link to Computer. COMPUTER LINK
5. Right-click on the FAT 32 Drive (F:) and go to the Properties tab.
PROPERTIES OF THE FAT32 DRIVE
6. Notice that there is no Security or Quota tab on a FAT32 Volume. EXAMINING A FAT32 VOLUME
7. Close FAT32 (F:). CLOSING FAT32(F:) PROPERTIES
8. Right-click on Local Disk (C:) and go to the Properties tab. PROPERTIES OF THE DRIVE
9. Notice the flag of 999818. Click on the Challenge icon and type the flag number into the answer box. This is just to show you how to capture Challenge Flags you will see throughout this lab.
Challenge Sample # 9. View the File system type, which should be listed as NTFS. NTFS DRIVE
Note: On NTFS volumes, security permissions and quotas can be configured. Security permissions can be configured to restrict access to files or folders. Quotas are used to restrict the amount of storage for each user to prevent a disk from running out of space.
10. Click on the Security tab. This is where Access Control Lists can be configured. NTFS PERMISSION
11. Notice the flag2 user displayed in the list. Challenge # 11. Click on the Quota tab. This is where disk usage can be restricted for users. THE QUOTA TAB
12. Close all windows.
CLOSING WINDOWS
We will now examine some of the features of an NTFS disk, including the Encrypted File System (EFS), Alternate Data Streams (ADS), and timestomping of MAC (Modified Access Created) times. These features are not available on FAT file system volumes.
13. Double-click on the shortcut to the Command Prompt on the Desktop. COMMAND PROMPT SHORTCUT
14. Type the following command and press
C:\>dir
14. Type the following command and press
Challenge # 14. Type the following command and press
C:\>echo this is a regular file > regular.txt MAKING A FILE
15. Type the following command and press
C:\>more regular.txt
SHOWING THE CONTENTS OF A FILE
16. Type the following command and press
C:\>echo this file will be hidden > hidden.txt
MAKING A FILE
17. Type the following command and press
C:\>more hidden.txt
SHOWING THE CONTENTS OF A FILE
Next, we will hide the file called hidden.txt within the file regular.txt using an alternative data stream or ADS. Before doing so, we will examine the file size of regular.txt.
18. Type the following command and press
C:\>dir regular.txt VIEWING THE FILE
19. To create the ADS, type the following command and press
C:\>type hidden.txt > regular.txt:hidden.txt
CREATING AN ADS
20. Just to get rid of the evidence, we will delete our file with ‘hidden info by typing the following command and pressing
C:\>del hidden.txt
DELETING A FILE
21. Type the following command and press
C:\>dir regular.txt
VIEWING THE FILE
22. If you type the command and press
C:\>dir VIEWING FILES
23. Type the following command and press
C:\>dir /r
VIEWING ADS FILES
Note: The dir /r command is not available in operating systems prior to Windows Vista.
24. Type the following command and press
C:\>notepad regular.txt:hidden.txt VIEWING THE CONTENTS OF THE ADS
26. Close the text file when you are finished viewing it by clicking on the red X.
CLOSING THE FILE
31. Type the following command to delete the regular.txt file.
31. Type the following command and press
C:\>dir /r
32. Type the following command and press
C:\>notepad flag.txt:flag4.txt Challenge # 33. Close the text file when you are finished viewing it by clicking on the red X.
Note: The timestomp.exe utility below can be used on an NTFS volume to change MAC times.
27. Type the following command and press
C:\>timestomp
TIMESTOMP COMMAND
28. Type the following command and press
C:\>dir VIEWING FILES
29. Type the following command and press
C:\>timestomp hi.txt –f config.sys
TIMESTOMPING A FILE
30. Type the following command and press
C:\>dir
VIEWING THE TIMESTOMPED FILE 31. Type the following command and press
C:\>mkdir private
MAKING A DIRECTORY
32. Type the following command and press
C:\>dir
PRIVATE DIRECTORY
33. Type the following command and press
C:\>cd private
ENTERING THE DIRECTORY
34. Create a file called SSN.txt that says 123-45-6789 by typing the following command and pressing
C:\private>echo 123-45-6789 > SSN.txt
CREATING SSN.TXT 35. Type the following command and press
C:\private>dir
DIRECTORY LISTING
36. Type the following command and press
C:\private>type SSN.txt
VIEWING THE CONTENTS OF THE FILE
37. Type the following command and press
C:\private>exit
EXITING THE COMMAND LINE
38. Click on the Start button (Pearl) and select Computer from the Start Menu. START MENU
39. Under Hard Disk Drives (5), double-click on Local Disk (C:).
THE C: DRIVE
40. Right-click on the private folder in the list and select Properties. PROPERTIES OF THE FOLDER
41. On the General tab, click the Advanced button. ADVANCED TAB
42. Check the box that states Encrypt contents to secure data. Click OK.
ENCRYPT CONTENTS
43. Click OK. Select Apply changes to this folder, subfolder and files. Click OK. APPLYING CHANGES TO THE FOLDER
44. View the private folder on the C: Drive; the color of the file changed to green.
ENCRYPTED FOLDER
45. Click the close button. CLOSING WINDOW
46. Open a Command Prompt by double-clicking on the shortcut on the Desktop.
OPENING THE COMMAND PROMPT
47. Create a user on the Windows 7 system by typing the following command and press
C:\>net user jessejames cowboy /add
CREATING A USER
55. Verify that the user exits and get information about them by typing the following command and pressing
C:\>net user jessejames
48. Type the following command and press
C:\>net localgroup administrators jessejames /add
ADDING THE USER TO ADMINISTRATORS
49. Verify that the user has been added to the administrators group by typing the following command and pressing
C:\>net localgroup administrators
VIEWING THE ADMINISTRATORS GROUP
50. Verify that the user exits and get information about them by typing the following command and pressing
C:\>net user flag5 Challenge # 50. Click on the Start Button (Pearl), click to the right of Shut down, and select Log off.
LOG OFF
51. Click on the icon with the name jessejames at the Welcome Page.
SELECTING THE USER 52. Type cowboy for the password and press
Note: The password of cowboy will not be displayed when you type it for security purposes.
TYPING THE PASSWORD
53. Click on the Start button and select Computer from the Start Menu. START MENU
54. Under Hard Disk Drives (5), double-click on Local Disk (C:).
THE C: DRIVE
55. Double-click on the private older. Try to open SSN.txt. Access is denied. ACCESS IS DENIED
56. Click on the Start Button (Pearl), click to the right of Shut down, and select Log off.
LOG OFF
57. Click on the Student icon. ACCESSING STUDENT FORM
58. Log on to Windows 7 as student with the password of password and press
Note: The password of password will not be displayed when you type it for security purposes.
LOGGING ON TO THE WINDOWS 7 MACHINE
CONCLUSION:
There are many variations of file systems that are used on operating systems. File Systems that are common to Microsoft operating systems include File Allocation Table (FAT) and New Technology File System (NTFS). Some of the features included with the NTFS file system include Alternate Data Streams (ADS) and the Encrypted File System (EFS). A hacker can also perform timestomping on an NTFS volume.
DISCUSSION QUESTIONS:
1. What is an Alternate Data Stream? 2. How is timestomping performed? 3. What is the command to display an ADS from the command line? 4. How do you encrypt a file using the EFS feature of NTFS?
Using a HEX Editor to Explore an NTFS Partition In this section, we will explore the NTFS file system with the hexadecimal (hex) editor HxD. Make sure that you are at Sector 0, Offset 00000000. You are looking at the Master Boot Record or MBR for an NTFS file system. We will begin dissecting it. Exploring an NTFS Partition 1. Double-click on the HxD icon on the Desktop.
HXD SHORCUT
2. From the Menu bar, select Extras > Open disk image.
OPENING A DISK IMAGE
3. Double-click on the 10-ntfs-disk.dd - Shortcut.lnk.
NTFS.DD SHORTCUT
4. Leave the Sector size as 512 bytes. Click OK. OPENING THE IMAGE
5. Highlight bytes 00000000 to 00000162 by clicking and dragging from the beginning bytes down to byte 00000162. If you look at the bottom of the Hex Editor, it counts the hex values for you. This is a piece of the boot code for the drive that allows it to become bootable.
BOOTABLE CODE
6. Highlight bytes 00000163 to 000001B2. This area is also part of the boot code and contains any error messages. If you look at the ASCII on the right, you see the message, Missing operating system. MISSING OPERATING SYSTEM
Note: The entire boot code spans from 00000000 to 000001BD or 0-445 in decimal. ENTIRE BOOT CODE
7. Click on Offset located in the upper left to view the decimal values. It will change from h to d. CHANGING THE OFFSET
8. The first partition of the disk begins at location 1BE to 1CD (446–461 in decimal) and is 16 bytes long.
FIRST PARTITION
9. You can have up to four primary partitions on a standard DOS based system. There are three more partitions on this image. The second partition goes from 1CE to 1DD or from 462 to 477 decimal.
SECOND PARTITION
10. The third partition is from 1DE to 1ED or from 478 to 493 in decimal. THIRD PARTITION
11. The fourth and last partition is from 1EE to 1FD or from 494 to 509 decimal.
FOURTH PARTITION
12. The entire partition table is 64 bytes in length.
PARTITION TABLE
13. Look at the first partition again and highlight 1BE to 1CD or 446–461 in decimal.
FIRST PARTITION
14. The first byte of the partition tells whether it is a bootable partition or not. Our entry is 00, which indicates a non-bootable partition. A value of 80 would indicate a bootable partition. OPENING THE IMAGE
15. The next three bytes indicate where the starting Head, Sector and Cylinder (yes, they are out of order) are located and is commonly called the CHS address for the partition. In our case, CHS is (0,1,1).
Note: Data stored by Intel processors is written with LSB (Least Significant Byte) first and MSB (most significant byte) last, so the byte order must be reversed.
CHS INFORMATION
16. The fifth byte is the Partition Type (there are many). In this case, it is 07, which indicates an NTFS partition.
PARTITION TYPE
17. The next three bytes indicate the ending CHS address.
OPENING THE IMAGE
18. The next four bytes is for Logical Block Addressing (LBA). The Operating System determines the LBA. Possible choices are either CHS or LBA mode but not both for the partition.
LBA INFORMATION 19. The last 4 bytes indicate the size in sectors of the partition.
PARTITION SIZE
Note: This same analysis applies for each partition.
20. Finally, the MBR signature is at the end of the Master Root Record as highlighted below—55 AA.
MASTER BOOT RECORD
21. From the Menu bar, select Extras > Open disk image.
OPENING A DISK IMAGE
22. Double-click on the 10-ntfs-part1.dd. OPENING THE IMAGE
23. Click Open and leave the Sector size as 512 bytes. Click OK.
OPENING THE IMAGE
24. Look at the signature for the partition. It is NTFS as identified in the MBR.
NTFS
25. Right-click the program on the taskbar and select Close window. CLOSING PROGRAM
26. Click the Windows icon and select Shutdown.
SHUTTING DOWN WINDOWS
27. Close the VM window.
CLOSING VM WINDOW
CONCLUSION:
NTFS stands for New Technology File System. A hexadecimal (hex) editor like HxD will allow you to examine the details of FAT or FAT32 Partitions and disk images. DISCUSSION QUESTIONS:
1. What is the byte range for in decimal for the first partition? 2. What number indicated that a partition is bootable? 3. What does LBA stand for and what does it do? 4. The Master Boot Record ends with what signature?
Verifying and Viewing the Image Details An image is a bit by bit copy of a disk. In this case, the NTFS file system was used on a volume where the operating system was installed. Starting with Windows Vista, NTFS had to be used on the OS drive. NTFS is also commonly utilized on data drives.
Verifying Integrity 1. Click on the Machine running Windows 10 in the topology.
WINDOWS 10
2. Click on the file explorer in Windows 10.
FILE EXPLORER 3. Click on Local Disk (C:).
LOCAL DISK
4. Double-click on the images directory.
IMAGES DIRECTOR
Note: When an investigator takes an image, they should record the SHA1 and MD5 hashes. The hashes for the disk image are usually put into a text file that accompanies the image file.
5. Double-click on the ntfsdd.txt file. HASH FILE
6. View the MD5 and SHA1 hash values as well as Flag 6. Minimize the text file with the hashes.
ACQUISITION INFORMATION
Challenge # 7. Right-click on ntfs.dd file and go to Properties. PROPERTIES
8. Click the File Hashes tab. Wait for the File Hashes to complete.
VIEWING HASHES
9. Double-click the ntfsdd.txt file. 9. Move so both windows can be displayed at the same time. Notice that the MD5 sum matches the sum from the acquisition text file. Notice that the SHA1 sum matches the sum from the acquisition text file. Close all of the windows.
NOTEPAD
CONCLUSION:
When an image is collected, the incident responder should generate a corresponding text file with the image MD5 and SHA1 hash values as well as other information such as the cyclical redundancy check (CRC value). The md5sum and sha1sum utilities can be utilized from the terminal to hash a data set to verify the integrity of the data. DISCUSSION QUESTIONS:
1. What Linux command can be used to parse information out of a txt file? 2. How many bits is the MD5 hashing algorithm? 3. How many bits is the SHA1 hashing algorithm? 4. Which hashing algorithm is more accurate, MD5 or SHA1?
Analyzing an NTFS Partition with Autopsy Forensic Analysis requires loading an image file into a forensic tool. The most widely used forensic tools are commercial tools such as EnCase and Forensic Tool Kit (FTK). EnCase is made by Guidance software and FTK is made by Access Data. Both tools require hardware dongles which helps to prevent illegal copies of the software. There are some free tools, such as Autopsy, which also can be used to perform forensic analysis.
Loading the NTFS Image into Autopsy 1. To use the Autopsy forensic browser, double-click on the shortcut to the Desktop.
AUTOPSY
2. Click Create New Case. AUTOPSY
3. For the Case Name, type Lab10. For the Base Directory, type C:\images. Verify that the Case data will be saved to C:\images\Lab10 and click Next.
AUTOPSY
4. For the Case Number, type 1. For the Examiner name, type student. Click Finish. AUTOPSY
5. Click Browse.
AUTOPSY
6. Click This PC and then double-click Local Disk (C:). AUTOPSY
7. Double-click on the images folder.
AUTOPSY 8. Click ntfs.dd and then click Open.
AUTOPSY
9. Click Next. AUTOPSY
10. Click Next.
AUTOPSY
11. Click Finish. AUTOPSY
12. Double-click on ntfs.dd. AUTOPSY
13. Scroll down using the down arrow on the left side of autopsy. Notice the NTFS system files including the Master File Table $MFT and the $MFTMirr.
AUTOPSY
14. Close the VM window.
CLOSING VM WINDOW
Note: Press the STOP button to complete the lab. LAB COMPLETE
CONCLUSION:
Autopsy is a forensic analysis tool that is free to use. Commercial forensic products, such as EnCase and FTK, are more widely used but are not free and require hardware dongles. All of these products allow you to parse fornesic images and examine files.
DISCUSSION QUESTIONS:
1. How do you load an image into Autopsy? 2. Name two NTFS system files. 3. Name three files that should be on every NTFS image. 4. What is the function of the $MFT? References: 1. Comparing NTFS and FAT file systems windows.microsoft.com/en-us/windows-vista/comparing-ntfs-and-fat-file-systems
2. EFS https://technet.microsoft.com/en-us/library/cc700811.aspx
3. Alternate Data Streams http://www.irongeek.com/i.php?page=security/altds
4. FAT32 vs. NTFS http://www.pcmag.com/article2/0,2817,2421454,00.asp
5. Encrypted File System http://en.wikipedia.org/wiki/Encrypting_File_System
Organization: Moraine Valley Community College
Author: Jesse Varsalone
Copyright © National Information Security, Geospatial Technologies Consortium (NISGTC)
The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
© Infosec Learning, LLC. All rights reserved.