Orphaned Files What Does That Mean?

© Dr. D. Kall Loper, all rights reserved

Orphaned Files

Definitions: Orphaned Files

Files are orphaned when their parent directory is overwritten in the $MFT. Deleted directories and their associated files are intact and can be recovered with metadata intact. If the 'parent' directory is overwritten, all pointers to the parent directory found in the associated files are invalid, thus orphaning the files.

Definitions: Master File Table

The MFT is an index of data about the files, directories, and metafiles in the system. All the data in a file is simply a 'property' or extent of the file object.

MFT Record Structure

Record entries are the fundamental unit of the MFT. The basic record entry is 1024 bytes. Additional records can be added to describe a file system object that exceeds that size.

MFT Record Structure: NTFS Versions

NTFS made slight changes to the MFT between versions 3.0 and 3.1. In this case, the offset from the beginning of the record to the Standard Information Attribute (SIA) changed from 48 bytes to 56 bytes.

Version 1.1 (NT 3.5)
Version 1.2 (NT 3.51 & 4.0)
Version 3.0 (Windows 2000)
Version 3.1 (Windows XP et seq.)

MFT Record Structure: Standard Information Attribute (SIA)

Header is 10 00 00 00.
Version 3.0 (Win2K): offset = 48 bytes.
Version 3.1 (WinXP): offset = 56 bytes.

The size of the SIA is variable. To find the size of the SIA, read the 4 bytes after the header (little endian).

Example: 0x60 = 96 decimal. So count over 96 bytes from the start of the SIA header and there will be the File Name Attribute header.

MFT Record Structure: File Name Attribute (FNA)

Header = 30 00 00 00.

MFT Record Structure: Parent Pointer

Within the File Name Attribute is a pointer to the parent or child. Folders have children; files have parents. There is no absolute offset from the beginning of the record since the SIA has a variable size. However, the pointer can be found 24 bytes inside the FNA and is 8 bytes long.

Offset = 24 bytes into the FNA, including the header.

The first 6 bytes of this value (little endian) represent the MFT record number of the parent.

MFT Record Structure: Parent MFT Record Number

To find the offset of the parent record, multiply the parent record number (ParentID) by 1024 (the MFT record size).

The last 2 bytes of this value (little endian) are the "stored sequence value" of the parent.

MFT Record Structure: Stored Sequence Value

The number of times that the record has been used and reused (i.e. after deletion) is stored as a sequence value in the MFT record. When a record is created it has the hex value 01 00 (little endian, i.e. 1). Each time the file or folder is deleted, this value increments, and it never decrements.

Stored Sequence Value: record offset = 16 bytes. Data is a 2-byte value stored little endian.

Each MFT record contains a sequence value, as mentioned above, and an allocation value. The allocation value determines whether the record is available for rewrite or is already allocated.

Allocation Value: record offset = 22 bytes. Data is a 2-byte value stored little endian.

The allocation value tells whether the record is or is not allocated:

Binary     | Hex | Allocation  | Type
0000 0000  | 00  | Unallocated | File
0000 0001  | 01  | Allocated   | File
0000 0010  | 02  | Unallocated | Folder
0000 0011  | 03  | Allocated   | Folder

Orphaned Files: Deleted Files

When the parent is deleted, its sequence value increments by 1, so the parent record's sequence value is one greater than the sequence value stored in the child's parent pointer. The parent folder was deleted and thus the child is deleted too. The parent's allocation status will be 0x02 (0000 0010 binary).

Orphaned Files

Once the parent is deleted, its allocation value is changed to "unallocated." When the next record is needed in the MFT, that record may be "reallocated." Since the child records (folders and/or files) are still present, but their pointers now incorrectly identify the parent, they are called orphans.
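As an added worked example (not from the slides or Dr. Loper's material), the Python below walks an MFT record the way the record-structure slides describe (sequence value at offset 16, allocation value at offset 22, SIA at the version-dependent offset, SIA length in the 4 bytes after its header, FNA parent pointer 24 bytes into the FNA split into a 6-byte record number and a 2-byte sequence) and then applies the deleted-versus-orphaned test from the last two slides by comparing the stored sequence with the parent record's current sequence and allocation value. The MFT images are constructed inside the script: record numbers 5, 40 and 41, the file names, and the 96-byte SIA length are assumed sample values, and the records carry only the fields the slides use.

```python
import struct

MFT_RECORD_SIZE = 1024      # basic record entry size from the slides
SIA_TYPE = 0x10             # Standard Information Attribute header 10 00 00 00
FNA_TYPE = 0x30             # File Name Attribute header 30 00 00 00
FLAG_ALLOCATED = 0x01       # bit 0 of the allocation value at record offset 22
FLAG_FOLDER = 0x02          # bit 1 of the allocation value at record offset 22


def sia_offset(ntfs_version):
    """Offset of the SIA from the start of the record, by NTFS version (per the slides)."""
    return 48 if ntfs_version == "3.0" else 56


def build_record(seq, flags, parent_record, parent_seq, name="x", ntfs_version="3.1"):
    """Constructed minimal MFT record carrying only the fields the slides use.
    Sample data assembled for this example, not a dump of a real volume."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 16, seq)                # stored sequence value
    struct.pack_into("<H", rec, 22, flags)              # allocation value
    off = sia_offset(ntfs_version)
    struct.pack_into("<II", rec, off, SIA_TYPE, 0x60)   # SIA header + length 0x60 = 96
    off += 0x60
    encoded = name.encode("utf-16-le")
    fna_len = (24 + 66 + len(encoded) + 7) & ~7         # header + fixed content + name, 8-aligned
    struct.pack_into("<II", rec, off, FNA_TYPE, fna_len)
    # parent pointer: low 6 bytes = parent record number, high 2 bytes = parent sequence
    ref = (parent_seq << 48) | (parent_record & 0xFFFFFFFFFFFF)
    struct.pack_into("<Q", rec, off + 24, ref)
    rec[off + 24 + 64] = len(name)                      # name length in characters
    rec[off + 24 + 66: off + 24 + 66 + len(encoded)] = encoded
    return bytes(rec)


def parse_record(rec, ntfs_version="3.1"):
    """Follow the slides' walk through one 1024-byte record."""
    seq, = struct.unpack_from("<H", rec, 16)
    flags, = struct.unpack_from("<H", rec, 22)
    off = sia_offset(ntfs_version)
    atype, alen = struct.unpack_from("<II", rec, off)
    if atype != SIA_TYPE:
        raise ValueError("expected SIA header 10 00 00 00 at offset %d" % off)
    off += alen                                         # count over the SIA to the FNA header
    atype, _ = struct.unpack_from("<II", rec, off)
    if atype != FNA_TYPE:
        raise ValueError("expected FNA header 30 00 00 00 at offset %d" % off)
    ref, = struct.unpack_from("<Q", rec, off + 24)      # 8-byte pointer, 24 bytes into the FNA
    parent_record = ref & 0xFFFFFFFFFFFF                # first 6 bytes (little endian)
    parent_seq = ref >> 48                              # last 2 bytes (little endian)
    return {
        "seq": seq,
        "allocated": bool(flags & FLAG_ALLOCATED),
        "folder": bool(flags & FLAG_FOLDER),
        "parent_record": parent_record,
        "parent_seq": parent_seq,
        "parent_offset": parent_record * MFT_RECORD_SIZE,   # ParentID * 1024
    }


def classify_child(mft, child_number, ntfs_version="3.1"):
    """Compare the sequence stored in the child's pointer with the parent's current record."""
    start = child_number * MFT_RECORD_SIZE
    child = parse_record(mft[start:start + MFT_RECORD_SIZE], ntfs_version)
    p = child["parent_offset"]
    parent = parse_record(mft[p:p + MFT_RECORD_SIZE], ntfs_version)
    if parent["seq"] == child["parent_seq"] and parent["allocated"]:
        return "intact"                                 # pointer still matches a live folder
    if (not parent["allocated"] and parent["folder"]
            and parent["seq"] == child["parent_seq"] + 1):
        return "deleted with parent"                    # folder deleted: seq +1, allocation 02
    return "orphaned"                                   # record reused; pointer no longer valid


ROOT, PARENT, CHILD = 5, 40, 41                         # assumed sample record numbers


def build_mft(scenario):
    """Constructed MFT image for each of the three states the slides describe."""
    records = {ROOT: build_record(5, FLAG_ALLOCATED | FLAG_FOLDER, ROOT, 5, ".")}
    if scenario == "intact":
        records[PARENT] = build_record(1, FLAG_ALLOCATED | FLAG_FOLDER, ROOT, 5, "docs")
        records[CHILD] = build_record(1, FLAG_ALLOCATED, PARENT, 1, "notes.txt")
    elif scenario == "deleted":
        records[PARENT] = build_record(2, FLAG_FOLDER, ROOT, 5, "docs")       # seq 1 -> 2, flags 02
        records[CHILD] = build_record(2, 0, PARENT, 1, "notes.txt")           # still points at 40/seq 1
    else:  # "orphaned": record 40 was reallocated to an unrelated file
        records[PARENT] = build_record(2, FLAG_ALLOCATED, ROOT, 5, "new.bin")
        records[CHILD] = build_record(2, 0, PARENT, 1, "notes.txt")
    mft = bytearray(MFT_RECORD_SIZE * (CHILD + 1))
    for number, rec in records.items():
        mft[number * MFT_RECORD_SIZE:(number + 1) * MFT_RECORD_SIZE] = rec
    return bytes(mft)


def demo():
    return {s: classify_child(build_mft(s), CHILD) for s in ("intact", "deleted", "orphaned")}


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:9s} -> {verdict}")
```

Two caveats for running this walk against a real $MFT rather than the constructed records here: NTFS also records the offset of the first attribute in the record header itself (a 2-byte value at offset 20), which is a more robust way to locate the SIA than the version table the slides give; and real records carry an update sequence (fixup) array whose values must be written back over the last two bytes of each sector before any offsets in the record are trusted.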