Ntfs File System -Ntfs

The document provides an overview of file system forensics focusing on the Master Boot Record (MBR) and New Technology File System (NTFS). It details the structure and function of the MBR, Volume Boot Record (VBR), and Master File Table (MFT), including how files are stored, managed, and marked as deleted in NTFS. Key attributes and metadata associated with files, as well as the implications of file deletion, are also discussed.

Uploaded by

ksharma2be22

FILE SYSTEM FORENSICS

ntfs8gb.dd
Master Boot Record
The Master Boot Record is created when the disk is partitioned. It contains:

• a small amount of executable code called the master boot code,
• the partition table for the disk, and
• a 2-byte structure called a signature word or end of sector marker, which is always set to 55 AA.

The Master Boot Record (MBR) is located at sector 0 of cylinder 0, head 0, the first physical sector of a hard disk, and is not part of any partition.

The master boot code performs the following activities:

• Scans the partition table for the active partition
• Finds the starting sector of the active partition
• Loads a copy of the Volume Boot Record from the active partition into memory
• Transfers control to the executable code in the volume boot record.
New Technology File System (NTFS)
NTFS is made up of several components, including: a partition boot sector; the master file table (MFT), which stores a record of all files and directories in the file system; and a series of metadata files that help structure metadata more efficiently. NTFS supports multiple data streams, allowing more than one data sequence to be associated with a single file. NTFS uses file locks to manage access to the data streams.
MBR -- ntfs.dd

Partition start LBA 0x0800 * 0x200 bytes per sector = byte offset 0x100000


The Volume Boot Record:

• A Volume Boot Record (VBR) (also known as a Master Boot Sector, a partition boot record or a partition boot sector) is a type of boot sector introduced by the IBM Personal Computer.

• The VBR occupies the first sector of the partition, i.e. it is located at logical sector zero of the active partition, and the operating system loader (NTLDR up to and including Windows XP; winload.exe and the Windows Boot Manager from Vista onwards) occupies the subsequent sectors.

• A VBR is found on a partitioned data storage device, such as a hard disk or a floppy disk, and contains machine code for bootstrapping programs stored in other parts of the device.

• On non-partitioned storage devices, it is the first sector of the device.

• On partitioned devices, it is the first sector of an individual partition on the device, with the first sector of the entire device being a Master Boot Record (MBR) containing the partition table.
VOLUME BOOT RECORD / MASTER BOOT SECTOR
Volume Boot Record – ntfs8gb.dd
Bios Parameter Block break up
Finding location for MFT – ntfs8gb.dd
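As an added example (not part of the original slides and not taken from any NTFS tool), the Python below walks the chain the MBR and VBR slides describe: check the MBR's 55 AA end-of-sector marker, scan the partition table for the active entry, compute the partition byte offset exactly as the 0x0800 * 0x200 = 0x100000 calculation does, then read the BIOS Parameter Block of the NTFS VBR to find where the MFT begins. The MBR and VBR sectors are constructed inside the script (they are not extracted from ntfs.dd or ntfs8gb.dd); the BPB field offsets used (bytes per sector at 11, sectors per cluster at 13, $MFT cluster at 48, $MFTMirr cluster at 56, clusters per MFT record at 64) are the standard NTFS boot sector layout, and the geometry values themselves are invented.

```python
import struct

SECTOR = 512                 # sector size assumed for the constructed sample
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_mbr():
    """Constructed MBR: one active NTFS (type 0x07) partition starting at LBA 0x800."""
    mbr = bytearray(SECTOR)
    # Partition entry 0 sits at offset 446 (0x1BE): status, CHS start, type,
    # CHS end, LBA of first sector, sector count. CHS fields are left zeroed.
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                     0x800, 0x00FFF800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_sample_vbr():
    """Constructed NTFS VBR with an invented geometry (8 sectors per cluster)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                   # jump to boot code
    vbr[3:11] = b"NTFS    "                      # OEM ID
    struct.pack_into("<H", vbr, 11, 512)         # bytes per sector
    vbr[13] = 8                                  # sectors per cluster
    struct.pack_into("<Q", vbr, 40, 0x00FFF7FF)  # total sectors in the volume
    struct.pack_into("<Q", vbr, 48, 0x40000)     # logical cluster number of $MFT
    struct.pack_into("<Q", vbr, 56, 2)           # logical cluster number of $MFTMirr
    vbr[64] = 0xF6                               # clusters per MFT record: -10 -> 2**10 bytes
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


def parse_mbr(mbr):
    """Return the four primary partition entries; refuse a sector without 55 AA."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("end-of-sector marker is not 55 AA: not a valid MBR")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def active_partition(mbr):
    """What the master boot code does first: scan the table for the active entry."""
    for part in parse_mbr(mbr):
        if part["active"]:
            return part
    raise ValueError("no active partition in the MBR")


def partition_byte_offset(part, bytes_per_sector=SECTOR):
    """Starting LBA times sector size, e.g. 0x800 * 0x200 = 0x100000."""
    return part["lba_start"] * bytes_per_sector


def parse_vbr(vbr):
    """Pull the BPB fields needed to find the MFT out of an NTFS boot sector."""
    if vbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("end-of-sector marker is not 55 AA: not a valid VBR")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID %r is not NTFS" % bytes(vbr[3:11]))
    bytes_per_sector = struct.unpack_from("<H", vbr, 11)[0]
    sectors_per_cluster = vbr[13]
    mft_cluster, mftmirr_cluster = struct.unpack_from("<QQ", vbr, 48)
    raw = struct.unpack_from("<b", vbr, 64)[0]   # signed: negative means 2**(-raw) bytes
    cluster_size = bytes_per_sector * sectors_per_cluster
    record_size = (1 << -raw) if raw < 0 else raw * cluster_size
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "cluster_size": cluster_size, "mft_cluster": mft_cluster,
            "mftmirr_cluster": mftmirr_cluster, "mft_record_size": record_size}


def locate_mft(mbr, vbr):
    """Absolute byte offset of the first MFT record within the disk image."""
    part = active_partition(mbr)
    geo = parse_vbr(vbr)
    base = partition_byte_offset(part, geo["bytes_per_sector"])
    return base + geo["mft_cluster"] * geo["cluster_size"]


if __name__ == "__main__":
    mbr, vbr = build_sample_mbr(), build_sample_vbr()
    print("partition at 0x%X, MFT at 0x%X, MFT record size %d bytes" % (
        partition_byte_offset(active_partition(mbr)), locate_mft(mbr, vbr),
        parse_vbr(vbr)["mft_record_size"]))
```

Against a real image you would read sector 0 for the MBR, seek to the computed partition offset for the VBR, and then seek to the returned MFT offset; the clusters-per-record byte is signed on purpose, because NTFS stores 1024-byte records as -10 (2 to the power 10) rather than as a fraction of a cluster.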
The Master File Table (MFT)
• The Master File Table (MFT) is the primary source of metadata in NTFS.
• It contains or indirectly references everything about a file:
– its timestamps, size in bytes, attributes (such as permissions), parent directory, and contents.
– A sizeable area of the NTFS volume is reserved for the MFT to avoid it becoming fragmented as it grows in size.
– This area, by default, is about 12.5% of the volume size and is known as the “MFT Reserved Area”.
– As data is added, the MFT can expand to take up 50% of the disk.
• On a standard hard drive with 512-byte sectors, the MFT is structured as a series of 1,024-byte records, also known as “entries”, one for each file and directory on a volume, but only the first 42 bytes (the MFT header) have a defined purpose.

• The remaining 982 bytes store attributes, which are small data structures that each have a very specific purpose.

• However, on advanced format (AF) drives with 4KB sectors, each MFT record will be 4,096 bytes instead.
0x400

If the MFT entries for an NTFS volume start with FILE0, this means that the NTFS volume has probably been formatted with Windows XP or newer.

If the MFT entries start with FILE*, it means that the volume was probably formatted with Windows 2K or older.
System File Records in MFT
MFT USER RECORD SUBSECTIONS
MFT Header
The MFT record starts with a header with a size of 42 bytes.

The first 4 bytes (characters) of every MFT record are FILE.

The header contains additional data specifying where the first attribute starts, which is typically at offset 0x20 from the beginning of the record.

Each attribute has a length value in hexadecimal defining where it ends and where the next attribute starts.

The length value is located 4 bytes from the start of the attribute.

Byte range   Description

0-3     Signature (“FILE”). Size: 4 bytes.

4-5     Offset to fixup array: 0x30 00. Size: 2 bytes.
        The fixup array is used to validate sectors within the MFT record.
        This output is in little-endian ordering, so we need to reverse the order of the bytes. It becomes 00 30, which is 48 in decimal: the fixup array is located 48 bytes (0x0030) into the MFT entry.

6-7     Number of entries in fixup array: 0x03 00. Size: 2 bytes.
        Reversing the little-endian bytes gives 00 03, which is 3 in decimal: the array has three values in it.

8-15    $LogFile sequence number (LSN): 0x 4A 43 22 D4 0C 00 00 00. Size: 8 bytes.
        Holds the sequence number of the logfile entry that tracks every change to the file. The log records when metadata updates are made to the file system so that a corrupt file system can be fixed more quickly.
        Reversing the little-endian bytes gives 00 00 00 0C D4 22 43 4A, which is 55098622794 in decimal.

16-17   Sequence value: 0x 01 00. Size: 2 bytes.
        The sequence value is incremented when the entry is either allocated or unallocated, as determined by the OS.

18-19   Link count: 0x 01 00. Size: 2 bytes.
        The link count shows how many directories have entries for this MFT entry. If hard links were created for the file, this number is incremented by one for each link.
        Microsoft defines hard links as: “NTFS-based links to a file on an NTFS volume. By creating hard links, you can have a single file in multiple folders without duplicating the file. You can also create multiple hard links for a file in a folder if you use different file names for the hard links. Because all of the hard links reference the same file, applications can open any of the hard links and modify the file.”
        In little-endian ordering this becomes 00 01, which is 1 in decimal, so only one directory has an entry for this MFT entry.

20-21   Offset to first attribute: 0x38 00. Size: 2 bytes.
        This is the first attribute for the file. All other attributes follow the first one, and we find them by advancing using the size field in the attribute header. The end-of-file marker 0xffffffff exists after the last attribute. If a file needs more than one MFT entry, the additional ones will have the file reference of the base entry in their MFT entry.
        Reversing the little-endian bytes gives 00 38, which is 56 in decimal: the first attribute starts at byte offset 56.

22-23   Flags (in-use and directory): 0x0000: deleted file; 0x0001: allocated file; 0x0002: deleted directory; 0x0003: allocated directory. Size: 2 bytes.
        In this case the value is 0x01 00, so this is a FILE record in use.

24-27   Used size of MFT entry: 0xB0 01 00 00. Size: 4 bytes.
        Indicates the “real” length of the file record. If this MFT record is the base entry for the file then this field is zero; if the record is an extension then this field holds the base record reference address.

28-31   Allocated size of MFT entry: 00 04 00 00. Size: 4 bytes.
        Indicates the allocated storage size of the file record. This is referred to as the “physical” size, and it has already been preset to 1024 bytes by the BPB.
        In this case translation from the little-endian format gives 0x00 00 04 00, which does indeed equate to 1024 bytes in decimal.

32-39   File reference to base record. Size: 8 bytes.
        Used when the record to be stored exceeds the allocated space of one or more MFT records.

40-41   Next attribute ID. Size: 2 bytes.

42-43   Alignment to 4-byte boundary.

44-47   MFT file record number (only in NTFS 3.1 and later).
42 - Attribute and Fixup value
• File or folder information is typically stored in one of two ways in an MFT record: resident and nonresident.

• For very small files, about 512 bytes or less, all file metadata and data are stored in the MFT record. These types of records are called resident files because all their information is stored in the MFT record.

• Files larger than 512 bytes are stored outside the MFT. The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition.

• These cluster addresses are referred to as data runs. This type of MFT record is called nonresident because the file’s data is stored outside the MFT.

• Each MFT record starts with a header identifying it as a resident or nonresident attribute.
Example Non-Resident Files
When the information for a file is too large to fit in its MFT file record, some of the file attributes are non-resident.

Non-resident attributes are allocated one or more clusters of disk space and stored as an alternate data stream in the volume.

NTFS creates the $Attribute_List attribute to describe the location of both resident and non-resident attribute records.

Non-resident is denoted by 01 in the data attribute.
– ntfs8gb.dd
Deleted files
• When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the file are now marked as free within $Bitmap.

• This is shown at offset 22 for 2 bytes, i.e. bytes 22 and 23 of the MFT entry for that file.

• For an active file, offsets 22 and 23 read “01 00”.

• For a deleted file, offsets 22 and 23 read “00 00”.
• Active File
• Deleted File
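As an added example (not part of the original slides and not code from any NTFS tool), the Python below serves both the MFT header table and the deleted-files slide: it decodes the first 48 bytes of an MFT record field by field, classifies the bytes 22-23 flags the same way as the active/deleted comparison above, and applies the fixup array so that the two 512-byte sectors of a record can be checked for a torn write before any attribute is trusted. The record is constructed inside the script rather than read from ntfs8gb.dd: the header values match the table (fixup offset 0x30, three fixup entries, LSN 4A 43 22 D4 0C 00 00 00, link count 1, first attribute at 0x38, used size 0xB0 01 00 00, allocated size 00 04 00 00), while the update sequence number, the saved sector-end bytes, the next attribute ID and the record number are invented for the demonstration.

```python
import struct

SECTOR = 512
MFT_RECORD_SIZE = 1024     # 512-byte-sector drives; 4096 on 4K-sector (AF) drives
FLAGS = {0x0000: "deleted file", 0x0001: "allocated file",
         0x0002: "deleted directory", 0x0003: "allocated directory"}


def build_sample_record(flags=0x0001):
    """Constructed 1024-byte MFT record; USN, sector-end bytes, next attr ID and
    record number are invented, the other header values follow the table."""
    hdr = b"FILE"                                   # 0-3   signature
    hdr += struct.pack("<HH", 0x30, 3)              # 4-7   fixup array at 48, 3 entries
    hdr += bytes.fromhex("4A4322D40C000000")        # 8-15  $LogFile sequence number
    hdr += struct.pack("<HHHH", 1, 1, 0x38, flags)  # 16-23 sequence, links, first attr, flags
    hdr += struct.pack("<II", 0x1B0, 0x400)         # 24-31 used size, allocated size
    hdr += struct.pack("<QH", 0, 4)                 # 32-41 base record ref, next attr ID
    hdr += b"\0\0" + struct.pack("<I", 31)          # 42-47 alignment, record number
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:48] = hdr
    usn = 0x0007                                    # invented update sequence number
    # Fixup array: the USN, then the genuine last two bytes of sector 0 and sector 1.
    rec[48:54] = struct.pack("<HHH", usn, 0x1234, 0x5678)
    # On disk NTFS overwrites the last two bytes of every sector with the USN, so a
    # half-written record is detectable: those bytes would no longer match the USN.
    rec[510:512] = struct.pack("<H", usn)
    rec[1022:1024] = struct.pack("<H", usn)
    return bytes(rec)


def parse_mft_header(rec):
    """Decode bytes 0-47 of an MFT record (all fields little-endian)."""
    if rec[0:4] != b"FILE":
        raise ValueError("signature %r is not FILE: not an MFT record" % bytes(rec[0:4]))
    (fixup_off, fixup_cnt, lsn, seq, links, first_attr, flags,
     used, alloc, base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", rec, 4)
    record_no = struct.unpack_from("<I", rec, 44)[0]   # NTFS 3.1 and later
    return {
        "fixup_offset": fixup_off, "fixup_count": fixup_cnt, "lsn": lsn,
        "sequence": seq, "link_count": links, "first_attr_offset": first_attr,
        "flags": flags, "state": FLAGS.get(flags, "unknown (0x%04X)" % flags),
        "in_use": bool(flags & 0x0001), "is_directory": bool(flags & 0x0002),
        "used_size": used, "allocated_size": alloc,
        "base_record": base_ref & 0xFFFFFFFFFFFF,       # low 48 bits: record number
        "base_sequence": base_ref >> 48,               # high 16 bits: sequence value
        "next_attr_id": next_id, "record_number": record_no,
    }


def apply_fixups(rec, sector_size=SECTOR):
    """Return the record with the real sector-end bytes restored; raise on a torn record."""
    hdr = parse_mft_header(rec)
    off, cnt = hdr["fixup_offset"], hdr["fixup_count"]
    usn = rec[off:off + 2]
    fixed = bytearray(rec)
    for i in range(1, cnt):                         # entry 0 is the USN itself
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError("sector %d does not end with the USN: torn write" % (i - 1))
        fixed[end - 2:end] = rec[off + 2 * i:off + 2 * i + 2]
    return bytes(fixed)


def is_torn(rec):
    """True when the record fails validation (bad signature or fixup mismatch)."""
    try:
        apply_fixups(rec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, rec in (("active", build_sample_record()), ("deleted", build_sample_record(0))):
        h = parse_mft_header(rec)
        print(name, "->", h["state"], "| LSN", h["lsn"], "| first attribute at", h["first_attr_offset"])
```

When carving records from a raw image, run apply_fixups before walking the attributes: the attribute headers are read from the repaired buffer, and a record whose sector-end bytes do not carry the USN should be treated as partially written rather than parsed as if it were intact. A flags value of 0x0000 with an otherwise sane header is the deleted-file case the slide shows; the record's attributes and data runs may still be present until the entry is reused.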
