Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems
Chapter Topics:
– File Systems vs Operating Systems
– Understanding FAT File Systems
– Understanding NTFS File Systems
– Understanding exFAT File Systems
– Dealing with Alternate Data Streams
File Systems vs Operating Systems
The operating system is responsible for carrying out the basic tasks of the computer.
O/S types:
– Microsoft Windows
– Unix
– Linux
– Mac OS X
File Systems vs Operating Systems
A file system is the system or method of storing & retrieving data on a computer.
File system types:
– FAT (12, 16, 32)
– NTFS
– exFAT
– HFS
– HFS+
– Ext2
– Ext3
– ISO 9660
– UDF
– UFS
Windows Operating System
Uses the FAT, exFAT and NTFS file systems.
FAT is the ideal cross-platform file system, as nearly all operating systems can reliably read it and write to it.
Minimal Functions of any File System
– Track the name of the file (or directory).
– Track the starting point where the file starts.
– Track the length of the file along with other file metadata, such as timestamps.
– Track the clusters used by the file (cluster runs).
– Track which allocation units (clusters) are allocated and which ones are not.
FAT File System
Major components:
– FAT (File Allocation Table)
  Tracks the clusters used by the file
  Tracks which allocation units (clusters) are allocated and which are not
– 32-byte FAT directory entry
  Tracks the name of the file (or directory)
  Tracks the starting point where the file starts
  Tracks the length of the file along with other file metadata, such as timestamps
FAT32 Directory Entry

Byte offset (decimal)   Description
0                       First character of filename or status byte
1-7                     Remaining characters of filename
8-10                    Characters of file extension
11                      Attributes (detailed in Table 7.6)
12-13                   Reserved
14-17                   Created time and date of file, stored as an MS-DOS 32-bit date/time stamp
18-19                   Last accessed date (no time!)
20-21                   Two high bytes of the FAT32 starting cluster; FAT12/16 will have zeros here
22-25                   Last written time and date of file, stored as an MS-DOS 32-bit date/time stamp
26-27                   Starting cluster for FAT12/16; two low bytes of the starting cluster for FAT32
28-31                   Size in bytes of file (32-bit integer). Note: will be 0 for directories!
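A parser for the 32-byte directory entry laid out above, added here as an example (it is not code from the book); the sample entry, its timestamps and the filename REPORT.TXT are constructed, and the status byte values 0xE5 (deleted) and 0x00 (never used) are assumed from the FAT specification rather than taken from the slide:

```python
import struct
from datetime import date, datetime

# Constructed sample (not from the book): entry for "REPORT.TXT", archive
# attribute set, FAT32 starting cluster 0x00012345, file size 4,096 bytes.
SAMPLE_ENTRY = (
    b"REPORT  TXT"                        # 0-10: 8.3 name, space padded
    + bytes([0x20, 0x00, 0x00])           # 11: attributes (archive); 12-13: reserved
    + struct.pack("<HH", 0x4A10, 0x5877)  # 14-17: created time, date
    + struct.pack("<H", 0x5878)           # 18-19: last accessed date (no time)
    + struct.pack("<H", 0x0001)           # 20-21: high word of starting cluster
    + struct.pack("<HH", 0x7C20, 0x5879)  # 22-25: last written time, date
    + struct.pack("<H", 0x2345)           # 26-27: low word of starting cluster
    + struct.pack("<I", 4096)             # 28-31: file size (32-bit integer)
)

def dos_date(raw):
    """MS-DOS 16-bit date: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    if raw == 0:                          # all-zero field means never set
        return None
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def dos_datetime(raw_time, raw_date):
    """MS-DOS 32-bit stamp: 16-bit time (hours, minutes, 2-second units) + date."""
    d = dos_date(raw_date)
    return d and datetime(d.year, d.month, d.day, raw_time >> 11,
                          (raw_time >> 5) & 0x3F, (raw_time & 0x1F) * 2)

def parse_dir_entry(entry):
    """Parse one 32-byte FAT directory entry into the fields an examiner needs."""
    if len(entry) != 32:
        raise ValueError("FAT directory entry must be exactly 32 bytes")
    status = entry[0]                     # 0xE5 = deleted, 0x00 = never used (assumed)
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    if status == 0xE5:                    # deletion overwrites the first character
        name = "?" + name[1:]
    attrs = entry[11]
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack("<HHHHHHHI", entry[14:32])
    return {
        "name": f"{name}.{ext}" if ext else name,
        "deleted": status == 0xE5,
        "is_directory": bool(attrs & 0x10),
        "created": dos_datetime(ctime, cdate),
        "accessed": dos_date(adate),
        "written": dos_datetime(wtime, wdate),
        "start_cluster": (hi << 16) | lo,  # FAT12/16 leave the high word zero
        "size": size,                      # 0 for directories
    }
```

Feeding a deleted copy of the entry (first byte replaced by 0xE5) shows why recovered FAT filenames carry an unknown first character.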
NTFS File System
Major components:
– Cluster bitmap ($Bitmap)
  Tracks the allocation status of all clusters in the partition
– Master File Table ($MFT)
  Tracks the clusters used by the file
  Tracks the name of the file (or directory)
  Tracks the starting point where the file starts
  Tracks the length of the file along with other file metadata, such as timestamps
NTFS System Files

MFT record #   Filename    Description
0              $MFT        Master File Table; each MFT record is 1,024 bytes in length
1              $MFTMirr    Contains a backup copy of the first four entries of the MFT
2              $LogFile    Journal file that contains file metadata transactions used for system recovery and file integrity
3              $Volume     NTFS version, volume label and identifier
4              $AttrDef    Attribute information
5              $.          Root directory of the file system
6              $Bitmap     Tracks the allocation status of all clusters in the partition
7              $Boot       Contains the partition boot sector and boot code
8              $BadClus    Bad clusters on the partition are tracked with this file
9              $Secure     Contains file permissions and access control settings for file security
10             $UpCase     Converts lowercase Unicode characters by storing an uppercase version of all Unicode characters in this file
11             $Extend     A directory reserved for optional extensions
Alternate Data Streams (ADS)
– An MFT entry can have more than one $DATA attribute.
– If more than one $DATA attribute exists, the additional ones are called ADS.
– Invisible to the user, even to an administrator.
– Can hold hidden data / malicious code.
– Always examine for ADS using tools such as streams.exe, EnCase, etc.
exFAT File System
– Most recently supported file system
– Theoretical volume size of 64 ZB
– Uses a file allocation table
– Incorporates a cluster bitmap
– Times recorded for modified, accessed and created timestamps, with UTC support