
NTFS Partitions

Digital Forensics Center, Department of Computer Science and Statistics, University of Rhode Island
http://www.forensics.cs.uri.edu

[Title slide word cloud of the NTFS terms covered in the deck: New Technology File System, Master File Table, FILE records, INDX records, attributes, resident, non-resident, data runs, Virtual Cluster Number, Logical Cluster Number, clusters, B-trees, multiple streams, compressed, sparse, encryption, "everything is a file", forensics; metafiles $MFT, $MFTMirr, $Boot, $Bitmap, $BadClus, $LogFile, $UsrJrnl, $Secure, $UpCase, $Extend, $ObjId, $Reparse, $AttrDef; attribute types $STANDARD_INFORMATION, $ATTRIBUTE_LIST, $FILE_NAME, $OBJECT_ID, $SECURITY_DESCRIPTOR, $VOLUME_NAME, $VOLUME_INFORMATION, $DATA, $INDEX_ROOT, $INDEX_ALLOCATION, $BITMAP, $REPARSE_POINT, $EA_INFORMATION, $EA, $LOGGED_UTILITY_STREAM, $EFS]

NTFS Overview

- New Technology File System
- NTFS stores information about itself and about files in files
  - Special files describing the NTFS file system have file names beginning with $
  - They are not visible in Windows Explorer and are referred to as metafiles
- Boot Sector ($Boot)
  - Always at logical volume sector 0; cluster 0 is at the beginning of the partition
  - Holds the BIOS Parameter Block (BPB), which gives the size of sectors and clusters, the size of file entries in the MFT, and the location of the Master File Table (MFT) and the MFT mirror
- Master File Table ($MFT)
  - Location and attributes for all files on the partition
- Master File Table Mirror ($MFTMirr)
  - Copy of the first four MFT records
- "." is the root directory
- The rest of the partition is available for data (files)

[Layout diagram: $BOOT at cluster 0, followed by $MFT, $MFTMirr and the data area of the NTFS partition]

Boot Sector ($Boot)

- Always at logical volume sector 0; sector 510-511 holds the 0x55AA signature
- BPB byte offsets shown on the slide (field names from the standard NTFS boot sector layout):
  0: jump instruction; 3: OEM ID "NTFS    "; 11: bytes per sector; 13: sectors per cluster; 14: reserved sectors; 16, 19, 22, 32, 36: unused; 21: media descriptor; 24: sectors per track; 26: number of heads; 28: hidden sectors; 40: total sectors; 48: starting cluster (LCN) of $MFT; 56: starting cluster of $MFTMirr; 64: clusters per MFT record; 65: unused; 68: clusters per index record; 69: unused; 72: volume serial number; 80: checksum; 510: signature
- Clusters per MFT record (offset 64) is a signed byte:
  - If positive: the number of clusters in each MFT record
  - If negative: each MFT record is 2^|value| bytes (0xF6 = -10 gives 2^10 = 1024 bytes)

Master File Table ($MFT)

- Location and attributes for all files on the partition
- Can grow in size as new entries are added
- A reserved zone (the MFT Zone) is set aside for growth
  - 50%, 25% or 12.5% of the disk
  - The zone is halved if the rest of the disk is filled
  - Once the zone is consumed the MFT can become fragmented

[Layout diagram: $BOOT, $MFT, MFT Zone, $MFT cont'd, $MFTMirr and Data regions of the NTFS partition]
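Added example (not part of the slides): a Python parser for the boot-sector fields listed above, which derives the cluster size, the byte offset of $MFT and $MFTMirr, and the MFT record size from the signed size code at offset 64. The 512-byte sector it parses is constructed in the script, not captured from a disk; the field names at each offset follow the standard NTFS BPB layout.

```python
"""Parse the NTFS boot sector (BPB) and work out where $MFT lives."""
import struct


def record_size(code: int, cluster_size: int) -> int:
    """Size codes at offsets 64 and 68 are signed bytes: positive means that many
    clusters per record, negative means the record is 2**|code| bytes."""
    if code > 0:
        return code * cluster_size
    if code < 0:
        return 1 << -code
    raise ValueError("zero record size code")


def parse_boot_sector(sector: bytes) -> dict:
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature at offset 510")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 40)
    (mft_code,) = struct.unpack_from("<b", sector, 64)
    (index_code,) = struct.unpack_from("<b", sector, 68)
    (serial,) = struct.unpack_from("<Q", sector, 72)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("zero sector or cluster size")
    if sectors_per_cluster > 0x80:
        # large clusters (> 64 KiB) store the value as a signed byte: 2**(256 - value) sectors
        sectors_per_cluster = 1 << (256 - sectors_per_cluster)
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_clusters = total_sectors // sectors_per_cluster
    if mft_lcn >= total_clusters or mftmirr_lcn >= total_clusters:
        raise ValueError("$MFT or $MFTMirr start cluster lies outside the volume")
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "total_clusters": total_clusters,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of $MFT from the volume start
        "mftmirr_lcn": mftmirr_lcn,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": record_size(mft_code, cluster_size),
        "index_record_size": record_size(index_code, cluster_size),
        "volume_serial": serial,
    }


def mft_record_offset(info: dict, record_number: int) -> int:
    """Byte offset of MFT record N, valid while $MFT is contiguous; past its
    first fragment the $MFT data runs must be followed instead."""
    return info["mft_offset"] + record_number * info["mft_record_size"]


def build_sample_boot_sector() -> bytes:
    """Constructed boot sector for a 32 GiB volume with 4 KiB clusters (not from a real disk)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                               # 0: jump instruction
    bs[3:11] = b"NTFS    "                                  # 3: OEM ID
    struct.pack_into("<HBH", bs, 11, 512, 8, 0)             # 11: bytes/sector, 13: sectors/cluster, 14: reserved
    bs[21] = 0xF8                                           # 21: media descriptor (fixed disk)
    struct.pack_into("<HHI", bs, 24, 63, 255, 2048)         # 24: sectors/track, 26: heads, 28: hidden sectors
    struct.pack_into("<QQQ", bs, 40, 67108863, 786432, 2)   # 40: total sectors, 48: $MFT LCN, 56: $MFTMirr LCN
    struct.pack_into("<b", bs, 64, -10)                     # 64: 0xF6 -> 2**10 = 1024-byte MFT records
    struct.pack_into("<b", bs, 68, 1)                       # 68: one cluster per index record
    struct.pack_into("<Q", bs, 72, 0x9A3C5E7F1B2D4F60)      # 72: volume serial number
    bs[510:512] = b"\x55\xAA"                               # 510: signature
    return bytes(bs)


if __name__ == "__main__":
    info = parse_boot_sector(build_sample_boot_sector())
    for key, value in info.items():
        print(f"{key:<20} {value}")
    print("MFT record 5 at byte", mft_record_offset(info, 5))
```

Reading a real volume with this means handing it the first 512 bytes of the partition (for example from `\\.\C:` or a raw image at the partition's start offset); the sanity checks on the OEM ID, signature and $MFT location are what separate an NTFS boot sector from a FAT one or from random data found by carving.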

Master File Table: FILE Record Layout

- Location and attributes for all files on the partition
- Each FILE record is usually 1024 bytes
  - MFT header: the first 42 bytes
  - Attributes: the remaining bytes (these can also contain "fix-up" data)
- Each attribute has
  - a header (16 bytes)
  - the location and size of its content (8 or 56 bytes): the details of the attribute
  - the content itself (size varies)
- "Resident": content is stored inside the $MFT FILE record
- "Non-Resident": content is stored at another location in the partition

[Record diagram: MFT File Record = Header | Attribute Header, Loc/Siz, Content | Attribute Header, Loc/Siz, Content | ... | Unused Space]

Data Runs (storing non-resident content)

- File content cannot always be stored in one continuous block of clusters
- The $DATA attribute header contains the starting and ending VCN
- Data runs are stored as attribute content using LCNs
- Virtual Cluster Number (VCN): cluster offset from the start of the file
- Logical Cluster Number (LCN): logical file system address of the cluster on the partition
- Example: MyFile occupies VCN 0-9 and is stored in three runs; each run start after the first is relative to the start of the previous run

  Run  Start  Length  Clusters
  1    48     3       LCN 48-50  (VCN 0-2)
  2    +42    4       LCN 90-93  (VCN 3-6)
  3    -28    3       LCN 62-64  (VCN 7-9)
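Added example (not part of the slides): a Python parser for a 1024-byte FILE record that applies the fix-up values, walks the attribute chain, and reports for each attribute whether its content is resident (returned from inside the record) or non-resident (its VCN range and raw run-list bytes returned). The record it parses is constructed in the script with the slide's MyFile runs, not read from a disk; the header and attribute offsets follow the standard on-disk FILE record layout, with the update sequence array placed at byte 42 as in the slide's 42-byte header.

```python
"""Parse an NTFS FILE record: header, fix-ups, and the resident/non-resident attribute chain."""
import struct

SECTOR_SIZE = 512
RECORD_SIZE = 1024               # usual FILE record size (boot-sector code 0xF6 -> 2**10)
ATTR_END = 0xFFFFFFFF            # marks the end of the attribute chain
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

# The slide's three runs (48/3, +42/4, -28/3) as stored on disk: per run a header
# byte (high nibble: offset size, low nibble: length size), the length, then the
# signed offset from the previous run's start; 0x00 terminates the list.
SAMPLE_RUNLIST = bytes.fromhex("11 03 30  11 04 2A  11 03 E4  00")


def apply_fixups(record: bytes) -> bytes:
    """Verify and undo the update-sequence ("fix-up") words at the end of each sector.

    On disk the last two bytes of every sector of the record hold the update
    sequence number (USN); the bytes they displaced are kept in the update
    sequence array (USA) in the header. A sector whose last word is not the USN
    was not fully written (torn write) or is corrupt, so the record is rejected.
    """
    if record[0:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or unused space)")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):                      # USA word 0 is the USN itself
        end = i * SECTOR_SIZE - 2
        if fixed[end:end + 2] != usn:
            raise ValueError(f"fix-up mismatch in sector {i - 1}: torn or corrupt record")
        saved = usa_off + 2 * i
        fixed[end:end + 2] = record[saved:saved + 2]
    return bytes(fixed)


def parse_file_record(record: bytes) -> dict:
    rec = apply_fixups(record)
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    if used > alloc or alloc > len(rec):
        raise ValueError("record size fields exceed the buffer")
    attrs, off = [], first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 24 or alen % 8 or off + alen > used:
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        non_resident, name_len, name_off, aflags, attr_id = struct.unpack_from("<BBHHH", rec, off + 8)
        attr = {"type": atype, "name": ATTR_NAMES.get(atype, hex(atype)),
                "id": attr_id, "flags": aflags, "resident": non_resident == 0}
        if non_resident == 0:
            # resident: 8 more header bytes give the content length and its offset in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            if coff + clen > alen:
                raise ValueError("resident content runs past its attribute")
            attr["content"] = rec[off + coff:off + coff + clen]
        else:
            # non-resident: VCN range, run-list offset, compression unit, sizes, then the run list
            if alen < 64:
                raise ValueError("non-resident attribute header too short")
            start_vcn, end_vcn, run_off, cu = struct.unpack_from("<QQHB", rec, off + 16)
            alloc_size, real_size = struct.unpack_from("<QQ", rec, off + 40)
            attr.update(vcn_range=(start_vcn, end_vcn), allocated_size=alloc_size,
                        real_size=real_size, compression_unit=cu,
                        runlist=rec[off + run_off:off + alen])
        attrs.append(attr)
        off += alen
    return {"sequence": seq, "links": links, "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "used": used, "allocated": alloc, "attributes": attrs}


def build_sample_record() -> bytes:
    """Constructed FILE record (not from a real disk): in-use file with a resident
    $STANDARD_INFORMATION and a non-resident $DATA covering VCN 0-9 via SAMPLE_RUNLIST."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x2A, 3)                  # USA at byte 42: USN + one word per sector
    struct.pack_into("<HHHH", rec, 0x10, 7, 1, 0x30, 0x0001)  # seq no, link count, first attr, flags=in use
    struct.pack_into("<H", rec, 0x2A, 0x0007)                 # USN
    off = 0x30
    # $STANDARD_INFORMATION, resident: 16-byte header + 8 bytes loc/size + 48 bytes of content
    t = 0x01D9D9F2A1B2C3D4                                    # constructed FILETIME value
    content = struct.pack("<QQQQI", t, t, t, t, 0x20).ljust(48, b"\0")
    struct.pack_into("<IIBBHHH", rec, off, 0x10, 72, 0, 0, 0, 0, 0)
    struct.pack_into("<IHBB", rec, off + 16, len(content), 24, 0, 0)
    rec[off + 24:off + 72] = content
    off += 72
    # $DATA, non-resident: VCN 0..9 (10 clusters of 4096 bytes), run list at +64
    struct.pack_into("<IIBBHHH", rec, off, 0x80, 80, 1, 0, 0, 0, 1)
    struct.pack_into("<QQHB5sQQQ", rec, off + 16, 0, 9, 64, 0, b"\0" * 5, 40960, 38000, 38000)
    rec[off + 64:off + 64 + len(SAMPLE_RUNLIST)] = SAMPLE_RUNLIST
    off += 80
    struct.pack_into("<I", rec, off, ATTR_END)
    off += 8
    struct.pack_into("<II", rec, 0x18, off, RECORD_SIZE)      # used size, allocated size
    rec[510:512], rec[1022:1024] = b"\xAA\xAA", b"\xBB\xBB"   # stale slack bytes at the sector ends
    # Protect the record as NTFS does: save each sector's last word in the USA, overwrite it with the USN
    for i, end in enumerate((510, 1022), start=1):
        rec[0x2A + 2 * i:0x2A + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = rec[0x2A:0x2C]
    return bytes(rec)


if __name__ == "__main__":
    info = parse_file_record(build_sample_record())
    print(f"seq={info['sequence']} in_use={info['in_use']} used={info['used']}")
    for a in info["attributes"]:
        where = "resident" if a["resident"] else f"non-resident VCN {a['vcn_range']}, runlist {a['runlist'].hex()}"
        print(f"  {a['name']:<22} {where}")
```

The fix-up check is the part forensic tools most often skip: a record whose sector ends do not all carry the USN is either mid-write or deliberately corrupted, and parsing it without the check silently returns the USN bytes in place of two real bytes of attribute data in each sector.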

Storing Content: Sparse File Content

- NTFS saves disk space by not saving clusters that are all zeros
- A sparse run has a start offset of zero and no LCNs assigned to it
- Example: MyFile, VCN 0-9, where VCN 4-6 contain all zeros

  Run  Start  Length  Clusters
  1    48     4       LCN 48-51  (VCN 0-3)
  2    0      3       sparse     (VCN 4-6, all zeros)
  3    +4     3       LCN 52-54  (VCN 7-9)

Storing Content: Compressed File Content

- Clusters are grouped into compression units; the default for NTFS is 16 clusters
- This example uses a compression unit of 4 clusters
- Sparse (all-zero) clusters are removed after compression
- Example: the same MyFile, VCN 0-9, compressed in units of 4 clusters

  Run  Start  Length  Clusters
  1    48     2       LCN 48-49  (unit 1: VCN 0-3 compressed into 2 clusters)
  2    0      2       sparse     (remainder of unit 1)
  3    +2     1       LCN 50     (unit 2: VCN 4-7 compressed into 1 cluster)
  4    0      3       sparse     (remainder of unit 2)
  5    +1     2       LCN 51-52  (unit 3: VCN 8-9)
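Added example (not part of the slides): a Python run-list decoder that implements the on-disk encoding behind the Data Runs, Sparse File Content and Compressed File Content slides above. It handles relative (including negative) run offsets, sparse runs with no LCN, multi-byte length and offset fields, and a truncated list, then expands the runs into a VCN-to-LCN table and labels each compression unit. The three run lists it decodes are constructed here to encode the slides' MyFile examples, not bytes read from a disk.

```python
"""Decode an NTFS run list and map VCNs to LCNs, including sparse and compressed runs."""
from typing import List, Optional, Tuple

Run = Tuple[Optional[int], int]   # (starting LCN, or None for a sparse run; length in clusters)


def decode_runlist(data: bytes) -> List[Run]:
    """Decode the run-list bytes stored as non-resident attribute content.

    Each run is a header byte (low nibble: size of the length field, high nibble:
    size of the offset field), the length, then the offset. The offset is signed
    and relative to the previous run's start LCN (the slide's +42 and -28). An
    offset size of 0 means a sparse run: no clusters are allocated, it reads as
    zeros, and it does not move the reference point for the next offset.
    """
    runs: List[Run] = []
    pos, lcn = 0, 0
    while pos < len(data):
        header = data[pos]
        if header == 0:                                  # terminator
            return runs
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if not 1 <= len_size <= 8 or off_size > 8:
            raise ValueError(f"bad run header 0x{header:02x} at byte {pos - 1}")
        if pos + len_size + off_size > len(data):
            raise ValueError("run list truncated")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if length == 0:
            raise ValueError("zero-length run")
        if off_size == 0:
            runs.append((None, length))
            continue
        lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run starts before cluster 0")
        runs.append((lcn, length))
    raise ValueError("run list has no terminator")


def vcn_to_lcn(runs: List[Run]) -> List[Optional[int]]:
    """Expand runs into a table indexed by VCN giving the LCN (None = sparse)."""
    table: List[Optional[int]] = []
    for start, length in runs:
        table.extend([None] * length if start is None else range(start, start + length))
    return table


def classify_units(table: List[Optional[int]], unit: int) -> List[str]:
    """Label each compression unit of a compressed $DATA attribute.

    A unit with every cluster allocated did not compress and is stored raw; one
    with some clusters allocated and the rest sparse holds compressed data; one
    with no clusters at all is entirely zeros. Only meaningful when the
    attribute's compressed flag is set; a plain sparse file would be mislabelled.
    """
    kinds = []
    for i in range(0, len(table), unit):
        chunk = table[i:i + unit]
        n = sum(c is not None for c in chunk)
        kinds.append("sparse" if n == 0 else "uncompressed" if n == len(chunk) else "compressed")
    return kinds


# Constructed run lists encoding the three slide examples (not bytes read from a disk)
SLIDE_RUNS = bytes.fromhex("11 03 30  11 04 2A  11 03 E4  00")                    # 48/3, +42/4, -28/3
SPARSE_RUNS = bytes.fromhex("11 04 30  01 03  11 03 04  00")                      # 48/4, sparse 3, +4/3
COMPRESSED_RUNS = bytes.fromhex("11 02 30  01 02  11 01 02  01 03  11 02 01  00")  # 48/2, sparse 2, +2/1, sparse 3, +1/2
COMPRESSION_UNIT = 4


if __name__ == "__main__":
    for name, blob in (("MyFile", SLIDE_RUNS), ("sparse", SPARSE_RUNS), ("compressed", COMPRESSED_RUNS)):
        table = vcn_to_lcn(decode_runlist(blob))
        print(f"{name:<11}", " ".join("--" if l is None else str(l) for l in table))
    print("units:", classify_units(vcn_to_lcn(decode_runlist(COMPRESSED_RUNS)), COMPRESSION_UNIT))
```

Two details matter when recovering file content from these tables: a sparse run must be read as zeros of the run's length rather than skipped, or every later VCN shifts; and a negative offset that takes the running LCN below zero, or a list with no terminator, indicates a corrupted or tampered record and should stop the parse rather than produce a plausible-looking but wrong cluster list.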

NTFS Overview (summary)

- File System Metafiles
  - $BOOT, $MFT, $MFTMirr
  - Additional metafiles describe other parts of the file system
- Master File Table Record Layout
  - FILE header information
  - Attributes
    - Resident: stored in the MFT record
    - Non-Resident: stored as a file
  - Additional record types: INDX, BAAD
- Non-Resident Data Content
  - Data Runs: each run start is an offset from the start LCN of the previous run
  - Sparse Data: has a starting offset of zero
  - Compressed Data: stored similarly to sparse data