1. 1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010

2. 2 Introduction “File systems are the road map to the disk” –Determines how data is stored on disk –Differs according to OS One reason advice to Digital Forensics experts Learn all you can about many OS's, file systems Today look at Windows OS in terms of file systems

3. 3 Topics Windows File Systems –FAT, NTFS –Drive slack explained With example –Deleting files

4. 4 Disk Drive Technology Brief review Disk Drive technology –Read on your own –Wikipedia has some good refs Hard drives http://en.wikipedia.org/wiki/Hard_drive Floppy disks http://en.wikipedia.org/wiki/Floppy_disk CD ROM http://en.wikipedia.org/wiki/CD_ROM

5. 5 Hard Disk Drive Modern hard disk, modern OS has: –Bunch of sectors, formed into a circle –Circle of predefined sectors defined as a single track –A group of concentric circles (tracks) define a single surface of a disk platter –Early hard disks had single one-sided platter, while today's hard disks are comprised of several platters with tracks on both sides –Many heads to read/write platters

6. 6 Hard Disk Drive

7. 7 File Systems Operating system keeps track of data (documents, pictures, etc.) by placing it into a file. To store and retrieve files: Disk has to be ________________. What's the process of putting this structure on a disk?

8. 8 Purpose of Formatting When you format a disk OS creates concentric recording bands, called tracks, around the circumference of the disk Formatting program (think... Windows XP)‏ Subdivides each track into equal parts, called sectors Simple Example: 3.5 floppy disk 80 concentric tracks on a 3 ½ inch high density diskette and each track is divided into 18 sectors Each sector = 512 bytes So 80 tracks X 18 sectors X 2 sides X 512 bytes = 1,474,560 bytes = 1.4 MB

9. 9 A hard disk has extremely smooth metal or glass plates called “platters” Each platter is divided into tracks and sectors by the format operation Number of tracks on a hard disk depends on the disk size and the manufacturer. Hard Disk Details

10. 10 Question Discussed, –Tracks, Sectors, Platters, Heads –What's a Cluster?

11. 11 A cluster, also known as an allocation unit, consists of one or more sectors of storage space, represents minimum amount of space that an operating system allocates when saving file to disk Number of sectors per cluster is dependent on Type of disk (floppy disk, hard disk)‏ Version of operating systems Size of disk Every sector contains 512 bytes. (NTFS does allow you to change this number)‏ The number of clusters per disk is determined by the file system (FAT 16, FAT 32 or NTFS)‏ Clusters

12. 12 Comparing File Systems 64 KB (128 sectors)‏32 KB (64 sectors)‏Not Supported>32 GB (up to 2 TB)‏ 32 KB ( 64 sectors)‏16 KB (32 sectors)‏Not Supported16 to 32 GB 16 KB (32 sectors)‏8 KB (16 sectors)‏Not Supported8 to 16 GB 8 KB (16 sectors)‏4 KB (8 sectors)‏Not Supported4 to 8 GB 4 KB (8 sectors)‏ 64 KB (128 sectors)‏2 to 4 GB 2 KB (4 sectors)‏4 KB (8 sectors)‏32 KB (64 sectors)‏1024 MB to 2 GB 1KB (2 sectors)‏4 KB (8 sectors)‏16 KB (32 sectors)‏512 to 1023 MB 512 bytes (1 sector)‏Not Supported8 KB (16 sectors)‏260 to 511 MB NTFS Cluster Size FAT 32 Cluster Size FAT 16 Cluster Size DRIVE SIZE

13. 13 Sector~Cluster~File layout

14. 14 Example - File size = 2KB Hard drive = 2GB  FAT 16 – the file will use 1 cluster which is 64 sectors, so 64 X 512 bytes per sector = 32KB – 2KB = 30KB slack space  FAT 32 – the file will use 1 clusters which is 8 sectors, so 8 X 512 bytes per sector = 4KB – 2KB = 2KB slack space  NTFS – the file will use 1 cluster which is 4 sectors, so 4 X 512 bytes per sector = 2KB – 2KB = 0 slack space

15. 15 Partitions Disks are broken into one or more partitions. Each partition can have its own file system (UFS, FAT, NTFS, …)‏ Addresses in Partitions are logical –Function of Operating System Mapped to actual physical addresses of disk

16. 16 FAT File Systems FAT –Stands for file allocation table –File system designed to keep track of allocation status of clusters on a hard drive –Developed in 1977 by Microsoft Corporation –Originally the file system on floppy disks Prior to Win NT, 2000, Win XP

17. 17 FAT File Systems Layout of the FAT16 File System Boot Sector More reserved FAT #1 FAT #2 Root directory Data sectors (opt) (FAT12/16 only) (rest of disk)‏ MBR always there, contains information about how the storage device is logically partitioned. File Allocation Tables keep track of allocation status of clusters, or logical groupings of sectors, on the disk drive Provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system FAT2 is a typically a duplicate of FAT1

18. 18 Root Directory and Data Area Root Directory, or Root Folder, contains an entry for each file and directory in file system Includes file name, starting cluster number, and file size –Information is changed whenever file is created or subsequently modified Root directory has fixed size of 512 entries on hard disk, size on floppy disk depends Remaining space on logical drive is Data Area, where files are actually stored

19. 19 Clusters Cluster size has impact on performance and disk utilization –Larger cluster sizes result in more wasted space because files are less likely to fill up an even number of clusters –Cluster size specified in Boot Record Range from single sector (512 bytes) to 64 sectors (32 KB)‏ Sectors in cluster, continuous, each cluster is continuous block of space on disk – Optimal condition

20. 20 Clusters and File Storage If contiguous clusters not available Second two clusters may be written elsewhere on the same disk or within same cylinder or on a different cylinder –Wherever file system finds two sectors available. –File stored in this non-contiguous manner is considered to be fragmented

21. 21 FAT File Organization The file allocation table contains the following types of information about each cluster on the volume (see example below for FAT16): * Unused (0x0000)‏ * Cluster in use by a file * Bad cluster (0xFFF7)‏ * Last cluster in a file (0xFFF8-0xFFFF)‏ There is no organization to the FAT folder structure, and files are given the first available location on the volume

22. 22 Example of File Allocation Table –File1.txt a file that is large enough to use three clusters. File2.txt, is a fragmented file that also requires three clusters. File3.txt, fits completely in one cluster –In each case, the folder structure points to the first cluster of the file.

23. 23 FAT Versions FAT16 –Supports disk partitions of maximum capacity up to 2 GB of data –It is called FAT16 because all entries are 16 bit –FAT16 can hold max of 65,536 addressable units –Used for small and moderate sized hard disk volumes –Actual capacity is 65,525 due to some reserved values

24. 24 FAT File Systems FAT 32 –Used in Win 95, 98, ME, 2000, XP –Access up to 2 Terabytes of storage –Since FAT32 uses smaller clusters (of 4 KB each), uses hard drive space more efficiently –This is a 10 to 15 % improvement over FAT16 –In FAT32, root folder is an ordinary cluster chain, and can be located anywhere on the drive

25. 25 FAT File Systems Originally developed for Floppy drives Is the FAT file system still in use today?

26. 26 FAT File System Uses Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become choice medium for storing and transferring data in consumer electronic devices –Majority of flash memory storage is formatted using FAT file system –IAT also frequently used in electronic devices with miniature hard drives USB thumb drives Digital cameras Digital camcorders Portable audio and video players Multifunction printers Electronic photo frames PDAs

27. 27 File System Slack RAM Slack and File Slack –DOS, Windows and Windows NT-based computers store files in fixed length blocks of data called clusters –Rarely do file sizes exactly match size of one or multiple clusters perfectly –Storage space that exists from end of file to the end of the last cluster assigned to file is called File slack

28. 28 File System Slack File Slack File slack is contained in unused sectors at the end of a cluster Since a cluster is simply a group of contiguous sectors, a file that doesn’t fill an entire cluster will leave file slack space in unused sectors

29. 29 File System Slack File slack potentially contains randomly selected bytes of data from computer memory Happens because Windows normally writes in 512 byte sectors If not enough data in file to fill last sector in a file –DOS/Windows makes up difference by padding remaining space with data from memory buffers of operating system –This randomly selected data from memory is called RAM Slack because it comes from the memory of the computer

30. 30 RAM Slack Definition –RAM slack is latent data used by the operating system to ‘pad’ the end of a file to completely fill its last sector –Hard drives write one complete sector at a time –They need the padding

31. 31 RAM Slack RAM Slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted Thus, if the computer has not been shut down for several days –Data stored in file slack can come from work sessions that occurred in the past

32. 32 Slack Space Example On this hard drive, There are 4096 bytes per cluster –How many Sectors? There are 512 bytes per sector. Thus, there are 8 sectors per cluster. (4,096 ÷ 512 = 8)‏

33. 33 Slack Space Example In this file, The file is 2304 bytes Each of the first four sectors contain 512 bytes, but the file cannot fill a fifth (512 x 4 = 2048) and (2304-2048 = 256)‏

34. 34 Slack Space Example In this file, The remaining 256 bytes are filled with data from the system memory: RAM –In this illustration, the file is green; the RAM slack is blue

35. 35 Slack Space Example In this file, The remaining space in the cluster is called file slack In this illustration, file slack is red

36. 36 FAT File Systems Deleting FAT Files What happens when a file is deleted? –Windows Explorer or with Delete... –Deletion by OS results in a HEX E5 in first letter position of file name in FAT DB –Instructs OS that file is no longer available and a new file can be written to same cluster location

37. 37 FAT File Systems Deleting FAT Files Modification to directory entry: Marked as deleted FAT cluster chain for file set to zero Data remains on disk drive Area on disk becomes unallocated disk space – free space Most Forensic tools recover any data still there

38. 38 Data Recovery Recovering directory entries from FAT file systems –Looking for entries that begin with sigma 0xe5 –The remainder of directory entry information remains intact

39. 39 Data Recovery Recovery tools look at FAT to find entry for file Location of starting cluster will still be in directory –Not deleted or modified –Tool goes straight to cluster, tries to recover file using file size to determine number of clusters to recover What do you think happens if a lot of time between file deletion and file recovery?

40. 40 NTFS File System New Technology File System (NTFS)‏ –Created when Microsoft created Win NT –NTFS primary file system in Windows XP Improvement over FAT FS Store more information about files –Owner, date, time, plus other file attributes –First data on disk is Partition boot Sector (PBR)‏ –Starts at Sector [0] –Format an NTFS volume, format program allocates the first 16 sectors for boot sector and bootstrap code

41. 41 NTFS File System Whats in a Boot Sector Record? –Disk information Sectors per cluster Bytes per sector Number of heads Total Sectors, Volume Serial Number, Checksum –Master File Table Information (MFT)‏ Logical Cluster Number for the file $MFT and Mirror Clusters Per File Record Segment Clusters Per Index Block

42. 42 NTFS File System After Partition Boot Record –Master File Table (MFT) is first file on disk –MFT created at same time disk partition is created, It can, however be moved Consumes about 12.5% of disk when created –MFT expands to 50% of disk as data is added –One significant benefit of NTFS over FAT is that... less file slack space

43. 43 NTFS Sizes

44. 44 NTFS File System NTFS System Files –In MFT, first 15 records are reserved for system files –First record of this table describes the master file table itself, followed by a MFT mirror record –If first MFT record is corrupted, NTFS reads second record to find the MFT mirror file –Locations of data segments for both MFT and MFT mirror file are recorded in the boot sector

45. 45 NTFS MTF Structure

46. 46 NTFS MTF Structure Third record of MFT is log file, used for file recovery –Seventeenth and following records of the master file table are for each file and directory on the volume

47. 47 NTFS File System NTFS Files –Master file table allocates a certain amount of space for each file record, min = 1024, max = 4096 –Attributes of a file written to record in MFT –Small files and directories (typically 1500 bytes or smaller) can entirely be contained within the master file table record –Each file (or folder) as a set of file attributes File's name, its security information, data, are all file attributes – Each attribute is identified by an attribute type code and, optionally, an attribute name

48. 48 NTFS File System File Attributes –Each file (or folder) is a set of file attributes –Elements: file's name, its security information, data, are all file attributes – Each attribute is identified by an attribute type code and, optionally, an attribute name –Bellow is structure of record for small file All data for file fits within MFT record

49. 49 File Attributes Standard Information –Includes information such as timestamp and link count Attribute List –Lists the location of all attribute records that do not fit in the MFT record File Name Security Descriptor –Describes who owns the file and who can access it

50. 50 File Attributes Data –Contains file data –NTFS allows multiple data attributes per file Other attributes –Related to directories, bitmaps and some logging activities, some historic attributes for HPFS file systems

51. 51 NTFS File Systems Deleting Files –File is deleted with Windows Explorer –OS, renames deleted file and moves it to recycle bin –Can also use delete command in a DOS window This deletes the file the same as in a FAT file system –Windows Explorer – can restore deleted file from recycle bin

52. 52 NTFS File Systems Restore a file –1. When moved to recycle bin Changes file name, moves it to subdirectory with unique identity –2. Stores information about original path and file name in the info2 file control file for Recycle Bin Path is C:\Recycler

53. 53 References –Nelson, Bill et al. “Guide to Computer Forensics Investigations” Chapter 7 –Wikipedia – NTFS http://en.wikipedia.org/wiki/NTFS –NTFS.com http://www.ntfs.com/ntfs_basics.htm –Data Recovery e-Book http://www.easeus.com/data-recovery- ebook/index.htm

54. 54 Finish –Next time More on Windows –Reading: Still Chapter 7 –New Assignment – Number Two!!!!