FOR420 - NTFS File System

This seminar presents the complete details of the NTFS file system on-disk structure. You will learn how files are stored in NTFS, how directory indexes work, and how to recover deleted files and partitions.

Level: Intermediate
Audience:

Cyber forensics investigators

Topics:
  • NTFS paradigm
    • Clusters
    • Files
    • Attributes and streams
    • Security
    • Names and collation
    • Indexing
    • Hard and soft links
    • Link tracking and object IDs
    • Quotas
    • Fault tolerance
    • Encryption
    • Compression
    • Sparse files
    • Timestamps
  • Transaction log
    • Checkpoint records
    • Undo
    • Redo
  • Important non-NTFS areas
    • Master boot record
    • Partition table
    • BIOS parameter block
  • NTFS boot block
  • B+ Trees
    • Free blocks
    • Indexes
  • File system metadata files
    • $MFT: Master File Table
    • $MFTMirr: MFT mirror
    • $LogFile: Transaction log
    • $Volume: Volume information
    • $AttrDef: File attributes and names
    • .: Root directory
    • $Bitmap: Volume bitmap
    • $Boot: Volume boot record
    • $Bad: Bad clusters
    • $Secure: Security descriptors
    • $UpCase: Lowercase character conversion table
    • $Extend: Directory of additional metadata files
    • $Extend\$Reparse: Reparse points
    • $Extend\$UsnJrnl: Update Sequence Number journal
    • $Extend\$Quota: Disk space quota
    • $Extend\$ObjId: Object IDs
    • $Extend\$RmMetadata: Resource manager directory
  • File Record Segment
    • Attributes
    • Data runs
    • Update sequence number
  • Attributes
    • Standard information
    • Attribute list
    • File name
    • Object ID
    • Security descriptor
    • Volume name
    • Volume information
    • Data
    • Index root
    • Index allocation
    • Bitmap
    • Reparse point
    • Extended attribute information
    • Extended attributes
    • Property set
    • Logged utility stream
  • "Undeleting" files
    • Finding the FRS
    • Finding the clusters
  • Recovering a deleted partition
    • Locating the start of the partition
    • Editing the partition table
  • Recovering a formatted disk
    • Finding the original MFT
    • Updating the MFT

Prerequisites:

FOR201: Windows Internals Overview, or FOR205: Windows Internals for Forensics, or equivalent Windows experience; and FOR220: Windows Storage Systems Overview

Operating systems supported:

All Windows versions

Durations and formats: 2 days with labs