Presentation is loading. Please wait.

Presentation is loading. Please wait.

Orphaned Files What Does That Mean?

Published byShana Brooks Modified over 6 years ago

Similar presentations

Presentation on theme: "Orphaned Files What Does That Mean?"— Presentation transcript:

1 Orphaned Files What Does That Mean?
© Dr. D. Kall Loper, all rights reserved Orphaned Files What Does That Mean?

2 Orphaned Files

3 Orphaned Files Definitions Orphaned Files
Files are orphaned when their parent directory is overwritten in the $MFT. Deleted directories and associated files are intact and can be recovered with metadata intact. If the ‘parent’ directory is overwritten, all pointers to the parent directory found in the associated files are invalid—thus orphaning the files. Definitions

4 Orphaned Files Definitions Master File Table
The MFT is an index of data about the files, directories, and metafiles in the system. All the data in a file is simply a ‘property’ or extent of the file object. Definitions

5 MFT Record Structure MFT Record Structure
Record entries are the fundamental unit of the MFT. The basic record entry is 1024 bytes. Additional records can be added to describe a file system object that exceeds that size.

6 MFT Record Structure NTFS Versions
NTFS made slight changes to the MFT between versions 3.0 and In this case, the offset from beginning of record to the Standard Information Attribute (SIA) changed from 48 bytes to 56 bytes. Version 1.1 (NT 3.5) Version 1.2 (NT 3.51 & 4.0) Version 3.0 (Windows 2000) Version 3.1 (Windows XP et seq.)

7 MFT Record Structure Illustration Standard Information Attribute (SIA)
Header is Version 3.0 (Win2K) offset=48 bytes Version 3.1 (WinXP) offset=56 bytes Illustration

8 MFT Record Structure Illustration Standard Information Attribute (SIA)
The size of the SIA is variable. To find the size of SIA, read the 4 bytes after the header (little endian). Illustration

9 MFT Record Structure Illustration Standard Information Attribute (SIA)
0x60h = 96 decimal. So count over 96 bytes and there will be the File Name Attribute header. Illustration

10 MFT Record Structure Illustration File Name Attribute (FNA)
Header = Illustration

11 MFT Record Structure Within the File Name Attribute is a pointer to the parent or child. Folders have children Files have parents There is no absolute offset from the beginning of the record since the SIA has a variable size. However, the pointer can be found 24 bytes inside of the FNA and is 8 bytes long.

12 MFT Record Structure Illustration File Name Attribute (FNA)
Header = Offset = 24 bytes into the FNA including the header. Illustration

13 MFT Record Structure Illustration File Name Attribute (FNA)
The first 6 bytes of this value (little endian) represent the MFT Record number of the parent. Illustration

14 MFT Record Structure Parent MFT Record Number
To find the offset of the parent, multiply the ParentID number by 1024 (MFT record size).

15 MFT Record Structure Illustration File Name Attribute (FNA)
The last 2 bytes of this value (little endian) is the “stored sequence value” of the parent. Illustration

16 MFT Record Structure Stored Sequence Value
The number of times that the record has been used and reused (i.e. after deletion) is stored as a sequence value in the MFT record. When a record is created it has the hex value 0x Each time the file or folder is deleted, this value increments, and it never decrements.

17 MFT Record Structure Illustration Stored Sequence
Record offset = 16 bytes Data is 2 byte value stored little endian Illustration

18 MFT Record Structure Each MFT record contains a sequence value as mentioned above and an allocation value. The allocation value determines whether the record is available for rewrite or is already allocated.

19 MFT Record Structure Illustration Allocation Value
Record offset = 22 bytes Data is 2 byte value stored little endian Illustration

20 MFT Record Structure The allocation value tells whether the record is or is not allocated. Binary Hex Allocation Type Allocated 00 File Unallocated 01 02 Folder 03

21 Orphaned Files Deleted Files
When the parent is deleted, the Sequence Value increments by 1. The sequence value of the parent is one greater than the child. The parent folder was deleted and thus, the child is deleted too. The parent’s allocation status will be 0x02h ( binary).

22 Orphaned Files Orphaned Files
Once the parent is deleted, the allocation value is changed to “unallocated.” When the next record is needed in the MFT, that record may be “reallocated.” Since the child records (folders and/or files) are still present, but their pointers now incorrectly identify the parent, they are called orphans.

Download ppt "Orphaned Files What Does That Mean?"

Similar presentations

Forensic Analysis of Internet Explorer Activity Files Based on article by Keith J. Jones Foundstone

Forensic Analysis of Internet Explorer Activity Files Based on article by Keith J. Jones Foundstone
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
NTFS MFT Example COEN 152 / 252. MFT Table Entry.

NTFS MFT Example COEN 152 / 252. MFT Table Entry.
File Systems Examples.

File Systems Examples.
Chapter 10: File-System Interface

Chapter 10: File-System Interface
The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.
Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.

Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
File management in UNIX and windows 2000

File management in UNIX and windows 2000
Ceng Operating Systems

Ceng Operating Systems
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
ARRAYS AND POINTERS Although pointer types are not integer types, some integer arithmetic operators can be applied to pointers. The affect of this arithmetic.

ARRAYS AND POINTERS Although pointer types are not integer types, some integer arithmetic operators can be applied to pointers. The affect of this arithmetic.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Basic File Recovery Techniques BACS 371 Computer Forensics.

Basic File Recovery Techniques BACS 371 Computer Forensics.
New Technologies File System

New Technologies File System
Chapter 8 File Management

Chapter 8 File Management
BACS 371 Computer Forensics

BACS 371 Computer Forensics
File Systems (1). Readings r Silbershatz et al: 10.1,10.2, 11.1-11.5.

File Systems (1). Readings r Silbershatz et al: 10.1,10.2,
Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.
Operating Systems Advanced OS - E. OS Advanced Evaluating an Operating System.

Operating Systems Advanced OS - E. OS Advanced Evaluating an Operating System.

Similar presentations

Ads by Google