8. DIGITAL INFORMATION FORENSICS - ANUM HASAN
Examining FAT Disks (for info)
• File Allocation Table (FAT)
– File structure database that Microsoft originally designed for floppy disks
– Used before Windows NT and 2000
• The FAT database is typically written to a disk’s outermost track and contains:
– Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
• FAT versions
– FAT12, VFAT, and the three currently in use: FAT16, FAT32, exFAT (mobile)
9. FAT Versions (for info)
• FAT12—for floppy disks, max size 16 MB
• FAT16—allows hard disk sizes up to 4 GB
• FAT32—allows hard disk sizes up to 32 GB; however, 3rd-party tools extend this up to 2 TB
• Cannot handle files larger than 4 GB
• exFAT—for mobile storage, flash memory
• VFAT (Virtual File Allocation Table)
– Allows long file names on Windows (MS-DOS)
11. Examining FAT Disks (continued)
• Cluster sizes vary according to the hard disk size and file system
– For FAT32 file systems, cluster sizes are determined by the OS. Clusters can range from 1 sector (512 bytes) to 128 sectors (64 KB)
12. ProDiscover Showing Cluster Chain
When the OS stores data in a FAT file system, it assigns a
starting cluster position to a file.
13. Examining FAT Disks (continued)
• When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
– Data for the file is written to the first sector of the first assigned cluster
• When this first assigned cluster is filled and runs out of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the current cluster
– The file becomes fragmented
• In rare cases the cluster chain can be broken; FAT entries can only point forward
– Rebuilding the broken chain can be difficult
– FAT looks forward for the next cluster assignment but doesn’t provide pointers to the previous cluster
14. Deleting FAT Files
• In Microsoft OSs, when a file is deleted
– The directory entry is marked as a deleted file
• With the hex E5 (0xE5) character replacing the first letter of the filename
• The FAT chain for that file is set to 0
• The data in the file remains on the disk drive
• The area of the disk where the deleted file resides becomes unallocated disk space
– Available to receive new data from newly created files or from other files that need more space
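As an added example (not part of the original slides), the following Python walks a FAT32 directory cluster and flags entries whose first byte has been replaced with 0xE5, showing that the starting cluster, size and date/time stamps of a deleted file survive in the directory entry. The directory contents are constructed inline; file names, clusters and stamps are made up for the example.

```python
"""Walk a FAT32 directory and flag deleted entries (first byte 0xE5)."""
import struct
from datetime import datetime

def fat_datetime(date16: int, time16: int) -> datetime:
    """FAT packed stamps: years since 1980 in 7 bits, 2-second resolution."""
    return datetime(1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F,
                    time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)

def parse_dir_entries(data: bytes) -> list:
    """Return one dict per 8.3 entry; deleted entries keep cluster and size."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                 # 0x00: no further entries in use
            break
        attr = e[0x0B]
        if attr == 0x0F:                 # VFAT long-filename piece, skipped here
            continue
        deleted = e[0] == 0xE5           # 0xE5 replaced the first filename byte
        base = ((b"?" if deleted else e[0:1]) + e[1:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        wtime, wdate = struct.unpack_from("<HH", e, 0x16)  # write time 0x16, date 0x18
        hi, lo = struct.unpack_from("<H", e, 0x14)[0], struct.unpack_from("<H", e, 0x1A)[0]
        entries.append({"name": base + ("." + ext if ext else ""),
                        "deleted": deleted, "attr": attr,
                        "start_cluster": (hi << 16) | lo,   # FAT32: high word at 0x14
                        "size": struct.unpack_from("<I", e, 0x1C)[0],
                        "modified": fat_datetime(wdate, wtime)})
    return entries

def make_entry(name8, ext3, attr, cluster, size, date16, time16, deleted=False):
    """Build one constructed 32-byte short-name directory entry."""
    e = bytearray(32)
    e[0:8] = name8.ljust(8).encode()
    e[8:11] = ext3.ljust(3).encode()
    e[0x0B] = attr
    struct.pack_into("<HH", e, 0x16, time16, date16)
    struct.pack_into("<H", e, 0x14, cluster >> 16)
    struct.pack_into("<H", e, 0x1A, cluster & 0xFFFF)
    struct.pack_into("<I", e, 0x1C, size)
    if deleted:
        e[0] = 0xE5                      # what deletion does to the directory entry
    return bytes(e)

# Constructed directory: one live file, one deleted file, then the end marker.
SAMPLE_DIR = (make_entry("REPORT", "TXT", 0x20, 0x0005, 1200, 0x5221, 0x6D20)
              + make_entry("SECRET", "DOC", 0x20, 0x0123, 4096, 0x5221, 0x6D20, deleted=True)
              + bytes(32))
```

On real FAT32 volumes Windows commonly zeroes the high word of the start cluster when it deletes an entry, so the cluster recovered from a deleted entry may be only its low 16 bits.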
17. Examining NTFS Disks
• New Technology File System (NTFS)
• Introduced with Windows NT, and still the main file system in Windows
• Each generation of Windows has minor changes in configuration and features
• NTFS offers many more features than FAT, and more utilities are used to manage it
• Improvements over FAT file systems
• NTFS provides more information about a file (i.e. security features, ownership, attributes etc.)
• NTFS gives more control over files and folders
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS uses Unicode, an international data format
• UTF-8, UTF-16, UTF-32 (Unicode Transformation Format)
• For Western-language alphabets, UTF-8 is identical to ASCII
• This comes in handy when searching for a keyword on the disk
18. Examining NTFS Disks (continued)
• NTFS was Microsoft’s move toward a journaling file system
• The system keeps track of transactions such as file deleting or saving
• The system records a transaction before it is carried out
• That way, in a power failure or other interruption, the system can complete the transaction or go back to the last good setting
19. Examining NTFS Disks (continued)
• On an NTFS disk
– Everything written on the disk is considered a file
– The first data set is the Partition Boot Sector, which starts at sector 0 and can occupy up to 16 sectors
– Next is the Master File Table (MFT)
• The MFT contains information about all files and folders on the disk
• Including the OS system files
• The MFT, similar to the FAT, is the first file on the disk
• Created with the disk partition at NTFS formatting time; consumes 12.5% of the disk
• The MFT can expand to take up to 50% of the disk
• In the MFT, the first 15 records are reserved for system files
• Records in the MFT are called file system metadata
21. NTFS System Files
• Everything on an NTFS disk is a file; the first file, the MFT, contains all the information about the files on the disk
• The following 16 records (metadata) are reserved
24. MFT and File Attributes
• In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes each
• Each record contains file or folder information
• This information is divided into record fields containing metadata about the file or folder and the file’s data or links to the file’s data; each field is referred to by an attribute ID
• Two modes for storing a file/folder: resident and nonresident
• For very small files, about 512 bytes or less, all file metadata and data are stored in the MFT record (resident mode)
• Files larger than 512 bytes are stored outside the MFT. The MFT record provides cluster addresses (data runs) where the file is stored on the drive’s partition (nonresident mode)
• Each MFT record starts with a header identifying it as resident or nonresident
• The first 4 bytes of an MFT record are the characters FILE
• Further header fields indicate where the attributes start and end
30. MFT Structures for File Data
• The first section of an MFT record is the header that defines the size
and starting position of the first attribute
• Following the header are attributes that are specific for the file type,
such as an application file or a data file.
• MFT records for directories have additional attributes that don’t appear
in a file MFT record.
31. MFT Structures for File Data
• MFT Header Fields
– Offset 0x00—The MFT record identifier FILE; the letter F is at offset 0
– Offset 0x14—Length of the header, indicates where the first attribute starts; typically 0x38 (56 bytes)
– Offset 0x1D to 0x1F—Size of the MFT record; the default is 0x400 (1024) bytes, or two sectors
– Offset 0x32 and 0x33—The update sequence array, stores two bytes from the first sector of the MFT record. It’s used only when MFT data exceeds 512 bytes. The update sequence array is used as a checksum for record integrity validation
32. Attribute 0x10: Standard Information
• Offset 0x38 from beginning of MFT record—start of attribute 0x10.
• Offset 0x04 and 0x05 from beginning of attribute 0x10—Size of 0x10
attribute.
• Offset 0x18 to 0x1F—File’s create date and time; all dates and times are
stored in Win32 Filetime format.
• Offset 0x20 to 0x27—Last modified date and time for file.
• Offset 0x28 to 0x2F—Last access date and time.
• Offset 0x30 to 0x37—Record update date and time.
33. Attribute 0x30: File_Name
• Offset 0x04 and 0x05 from beginning of attribute 0x30—Size of attribute 0x30
• Offset 0x5A from the 0x30 attribute’s starting position—Short filename, in Unicode
• Offset 0x20 to 0x27—File’s create date and time, in Win32 Filetime format
• Offset 0x28 to 0x2F—Last modified date and time for file
• Offset 0x30 to 0x37—Last access date and time
• Offset 0x38 to 0x3F—Record update date and time
• The DCode utility can be used to extract the dates
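As an added example (not the slides’ own material), this Python parses the MFT record header fields from slide 31 (FILE signature, first-attribute offset at 0x14, record size, FF FF FF FF terminator), walks the attribute list, and converts the Win32 FILETIME stamps of attribute 0x10 without a tool such as DCode. The record is constructed inline; the timestamps and attribute contents are made up for the example.

```python
"""Parse a constructed NTFS MFT record: header fields, attribute walk,
and the Win32 FILETIME stamps in $STANDARD_INFORMATION (0x10)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_mft_record(rec: bytes) -> dict:
    """Read header fields and return (type, offset, length) of each attribute."""
    if rec[0:4] != b"FILE":
        raise ValueError("missing FILE signature: not an MFT record")
    first_attr = struct.unpack_from("<H", rec, 0x14)[0]  # typically 0x38
    rec_size = struct.unpack_from("<I", rec, 0x1C)[0]    # allocated size, 0x400
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:       # FF FF FF FF ends the attribute list
            break
        if alen < 0x18 or off + alen > len(rec):
            raise ValueError(f"bad attribute length at 0x{off:X}")
        attrs.append((atype, off, alen))
        off += alen
    return {"first_attr": first_attr, "size": rec_size, "attrs": attrs}

def standard_info_times(rec: bytes, attr_off: int) -> dict:
    """Four FILETIMEs start 0x18 bytes into a resident 0x10 attribute;
    on disk the order is created, modified, MFT-record changed, accessed."""
    names = ("created", "modified", "mft_changed", "accessed")
    vals = struct.unpack_from("<4Q", rec, attr_off + 0x18)
    return {n: filetime_to_datetime(v) for n, v in zip(names, vals)}

def build_sample_record() -> bytes:
    """Constructed 1024-byte record: header + one 0x10 attribute + end marker."""
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)
    struct.pack_into("<I", hdr, 0x1C, 0x400)
    ft = 132_539_328_000_000_000          # 2021-01-01 00:00:00 UTC (made up)
    attr = bytearray(0x48)
    struct.pack_into("<II", attr, 0x00, 0x10, 0x48)  # type, total length
    struct.pack_into("<I", attr, 0x10, 0x30)         # content length
    struct.pack_into("<H", attr, 0x14, 0x18)         # content offset
    struct.pack_into("<4Q", attr, 0x18, ft, ft + 60 * 10**7, ft, ft)
    rec = hdr + attr + b"\xFF\xFF\xFF\xFF"
    return bytes(rec.ljust(0x400, b"\x00"))
```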
34. Attribute 0x30: File_Name
A: Attribute 0x30 short filename
B: Size of attribute 0x30 short filename
C: Short create date and time
D: Short last modified date and time
E: Short last access date and time
F: Short record update date and time
G: Starting position of short filename
H: Attribute 0x30 long filename
I: Size of attribute 0x30 long filename
J: Long create date and time
K: Long last modified date and time
L: Long last access date and time
M: Long record update date and time
N: Starting position of long filename
35. Attribute 0x40: Object_ID (ownership/access control)
• Offset 0x04 and 0x05 from beginning of attribute 0x40—The size of
attribute 0x40
• Offset 0x14—Starting offset position for GUID data
• Offset 0x18 to 0x27—Starting position for GUID Object_ID data
36. Attribute 0x80: Data for a Resident File
• Offset 0x04 and 0x05 from beginning of attribute 0x80—Size of the attribute
• Offset 0x08—Resident/nonresident flag; for resident data, it’s set to 0x00
• Offset 0x10—Number of bytes in the data run
• Offset 0x18—Start of the resident data run
• Offset 0x1FE and 0x1FF from beginning of MFT header—Sector checksum value, used to validate the first 512 bytes of the MFT record. The break between the first and second sectors is referred to as the sector boundary. The 2 bytes at positions 0x32 and 0x33 of the MFT header, in the update sequence array field, are where the actual values for these bytes are stored
• The end of the MFT record is indicated by the hexadecimal values FF FF FF FF at the end of the record
38. MFT and File Attributes (continued)
• When a disk is created as an NTFS file structure
– OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster numbers (LCNs)
– Become the addresses that allow the MFT to link to nonresident files on
the disk’s partition
39. Attribute 0x80: Data for Nonresident File
• Offset 0x04 and 0x05 from beginning of attribute 0x80—Size of attribute.
• Offset 0x08—Resident/nonresident flag; for nonresident data, it’s
set to 0x01.
• Offset 0x40—The start of the data run. The first run is the LCN; if the file is fragmented, additional data runs follow
• Following the last data run, the value 0x00 indicates the end of the Data attribute
40. Attribute 0x80: Data for Nonresident File (VCN maps to LCN)
A: Start of attribute 0x80
B: Size of attribute 0x60
C: Nonresident flag
D: First data run
E: Second data run
F: Additional data runs
G: End of data run
H: End of MFT record
I: Sector checksum
J: Sector boundary
42. Interpreting a Data Run
• A data run has 3 components
• The first indicates the number of bytes required for the 2nd and 3rd components
• The second component stores the number of clusters assigned to the data run
• The third component contains the starting cluster address value
46. Deleting NTFS Files
• Typically, File Explorer is used to delete files from a disk
• The OS renames the file and moves it to the Recycle Bin
• Another method is the del (delete) MS-DOS command
• It does not rename the file or move it to the Recycle Bin
• Windows changes the filename and moves the file to a subdirectory with a unique identity in the Recycle Bin
• Windows stores information about the original path and filename in the Info2 file, which is the control file for the Recycle Bin
• NTFS files deleted at a command prompt function much like FAT files
47. Deleting NTFS Files
When a user empties the Recycle Bin
1. The associated clusters are designated as free—that is, marked as available for new
data.
2. The $Bitmap file attribute in the MFT is updated to reflect the file’s deletion, showing
that this space is available.
3. The file’s record in the MFT is marked as being available.
4. VCN/LCN cluster locations linked to deleted nonresident files are then removed from
the original MFT record.
5. A run list is maintained in the MFT of all cluster locations on the disk for nonresident
files. When the list of links is deleted, any reference to the links is lost.
48. NTFS Data Streams
• Data streams
– Ways data can be appended to existing files
– Can obscure valuable evidentiary data, intentionally or by coincidence
• In NTFS, a data stream becomes an additional file attribute
– Allows the file to be associated with different applications
• You can only tell whether a file has a data stream attached by examining that file’s MFT entry
#19: When a file is created using NTFS, a record about the file is created in the Master File Table (MFT). The record is used to locate a file’s possibly scattered clusters. NTFS looks for a storage space that will hold all the clusters of the file, but it isn’t always able to find one space all together.
Along with its data content, each file contains its metadata, which is a description of its attributes.
#28: Each MFT record starts with a header identifying it as a resident or nonresident attribute. The first 4 bytes (characters) for all MFT records are FILE. The header information contains additional data specifying where the first attribute ID starts; this value is stored at offset 0x14 from the beginning of the record. Each attribute ID has a length value in hexadecimal defining where it ends and where the next attribute starts. The length value is located 4 bytes from the attribute ID.
#38: Offset means after the size of attributes…
0x80 = attribute ID for data
0x78 = 120 bytes for data
0x00 = resident file
0x5A = 90 bytes are allocated for data
#46: Figures 5-22 and 5-23 show the second and third data runs for the SanteFe001.jpg file. For the second and all other data runs, the third component is a signed integer; for example, in Figure 5-22, this value is converted from a hexadecimal number to a negative decimal number. In NTFS, if the next available open area of a highly fragmented disk is at a lower address, a negative number is assigned as the VCN value. The way NTFS navigates to this second open area is by adding the VCN to the previous LCN. For example, the first data run has the LCN address 35980, and the second data run has the value -4715. The OS adds the two numbers, but because the second data run has a negative number, they’re actually subtracted: 35980 + (-4715) = 31265.
https://onlinetoolz.net/unsigned-signed#base=16&value=ED95&bits=16
1. Check 008c8c (24-bit): its sign bit is zero, so it is positive; move forward
2. Check ED95 (16-bit): its sign bit is 1, so it is negative; move backward
3. Check 01363c (24-bit): its sign bit is 0, so move forward
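As an added example (not part of the original slides or notes), this Python decodes the three-component data runs described in slide 42 and applies the signed-offset rule from note #46: each run’s third component is a signed offset relative to the previous run’s LCN, so 0x008C8C, 0xED95 and 0x01363C resolve to 35980, 31265 and 110685. The run list is constructed from those three offsets; the cluster counts are made up for the example.

```python
"""Decode an NTFS $DATA (0x80) nonresident run list into (LCN, count) pairs.

Run layout: header byte (low nibble = size of the cluster-count field,
high nibble = size of the offset field), then the unsigned cluster count,
then a SIGNED offset relative to the previous run's LCN. 0x00 ends the list.
"""

def decode_data_runs(runs: bytes) -> list:
    result, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0x00:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        if pos + len_size + off_size > len(runs):
            raise ValueError("truncated run list")
        count = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                    # sparse run: no clusters on disk
            result.append((None, count))
            continue
        # signed=True is the sign-bit check from the notes: 0xED95 -> -4715
        delta = int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta                         # e.g. 35980 + (-4715) = 31265
        result.append((lcn, count))
    return result

def vcn_to_lcn(runs: bytes, vcn: int):
    """Map a virtual cluster number of the file to its logical cluster number."""
    base = 0
    for lcn, count in decode_data_runs(runs):
        if base <= vcn < base + count:
            return None if lcn is None else lcn + (vcn - base)
        base += count
    raise IndexError("VCN past the end of the file")

# Constructed run list using the three offsets from the notes above;
# the cluster counts (0x20, 0x10, 0x08) are made up for this example.
SAMPLE_RUNS = bytes([
    0x31, 0x20, 0x8C, 0x8C, 0x00,  # 3-byte offset 0x008C8C = +35980 (first LCN)
    0x21, 0x10, 0x95, 0xED,        # 2-byte offset 0xED95   = -4715  -> 31265
    0x31, 0x08, 0x3C, 0x36, 0x01,  # 3-byte offset 0x01363C = +79420 -> 110685
    0x00,                          # end of run list
])
```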