
FORFUN

Week 3 File System

Dr Fudong Li
Session Content
● Recap on previous week
● Introduction to file systems
Recap
● A number of hash functions can be used within both
Windows and Linux OSs
● Fuzzy hashing with ssdeep (may need to unplug
the USB)
● MD5 is the weakest of these hashing algorithms in terms
of hash collisions
● The power of PhotoDNA
● NSRL RDS hash sets
Task
● This is an individual task
● Draw 3-4 things/items by linking dots on the
given paper
● You do not have to use all of the dots
● Provide a description for each item on a
separate paper [maximum 30 characters]
Data Unit
● A sector is the smallest addressable storage unit
on the hard disk and is typically 512 bytes
○ The optimal method of storing a file is in a contiguous
series of sectors
○ A 600-byte file requires n sectors
● A cluster is the smallest allocation unit at the OS level and
can consist of one or more consecutive sectors.
○ The number of sectors in one cluster is always a
power of 2, hence 1, 2, 4, 8, ...
○ Clusters are used to protect the stored data from being
overwritten.
Bitmap
● A bitmap is a data structure that has one bit for
each cluster on the hard disk
○ 1: the cluster is allocated
○ 0: the cluster is unallocated
Slack Space (1)
● Slack space occurs when the size of a file is not a
multiple of the cluster size.
● RAM slack is the area from the end of the file to the end
of that sector.
○ Under DOS and early versions of Windows the data
used for this comes directly from RAM
○ More typically this is filled with zeros
● File slack is the area from the end of RAM Slack to the
end of the cluster – it is typically not changed, leaving
the prior contents still present
Slack Space (2)
● Slack space occurs when the size of a file is not a
multiple of the cluster size.
[Diagram: one cluster laid out as File | RAM Slack | File Slack]
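The sector, cluster, bitmap and slack-space rules from the Data Unit, Bitmap and Slack Space slides, worked through in code. This is an added example, not part of the slides: the 512-byte sector size is the one the slides name, the 8-sectors-per-cluster value and the bitmap contents are constructed for illustration, and the least-significant-bit-first bit order is the one NTFS's $Bitmap uses.

```python
# Added example (not from the slides): sector/cluster arithmetic for a file,
# the RAM-slack / file-slack split, and a cluster-bitmap lookup.
import math

SECTOR_SIZE = 512          # bytes; the typical sector size named on the slide
SECTORS_PER_CLUSTER = 8    # assumed for this example; must be a power of two


def layout(file_size, sector_size=SECTOR_SIZE, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Storage footprint of a file plus the two kinds of slack the slides describe."""
    if sectors_per_cluster <= 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster must be a power of two")
    cluster_size = sector_size * sectors_per_cluster
    sectors = math.ceil(file_size / sector_size)      # sectors actually holding data
    clusters = math.ceil(file_size / cluster_size)    # clusters the OS allocates
    # RAM slack: from the end of the data to the end of the last sector written.
    ram_slack = (-file_size) % sector_size
    # File slack: from the end of that sector to the end of the last cluster;
    # these sectors are never rewritten, so old content survives here.
    file_slack = clusters * cluster_size - sectors * sector_size
    return {
        "sectors": sectors,
        "clusters": clusters,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "total_slack": clusters * cluster_size - file_size,
    }


def cluster_is_allocated(bitmap, cluster):
    """Read one bit of a cluster bitmap: bit (cluster % 8) of byte (cluster // 8), LSB first."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)


def unallocated_clusters(bitmap, total_clusters):
    """Cluster numbers whose bit is 0, i.e. space an examiner would carve for old data."""
    return [c for c in range(total_clusters) if not cluster_is_allocated(bitmap, c)]


# Constructed bitmap for a 16-cluster volume: clusters 0-3 and 15 are allocated.
SAMPLE_BITMAP = bytes([0b00001111, 0b10000000])

if __name__ == "__main__":
    print(layout(600))                           # the 600-byte file from the slide
    print(unallocated_clusters(SAMPLE_BITMAP, 16))
```

For the slide's 600-byte file with 512-byte sectors and 4 KiB clusters, `layout(600)` gives 2 sectors, 1 cluster, 424 bytes of RAM slack and 3072 bytes of file slack; the file-slack figure is what makes a cluster-by-cluster image worth examining even when the file system reports only 600 bytes in use.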
FAT
● File Allocation Table (FAT) was the file system of
MS-DOS, circa 1980
● Versions of FAT (FAT 12, FAT 16, FAT 32) were the
primary file system of MS Windows through
Millennium Edition
○ Replaced by New Technology File System (NTFS) on
Windows NT, which became mainstream with Windows
2000
● Still widely used on small storage devices, and
recognized by essentially all modern OSs.
FAT Basic Concepts
● Each file and directory is allocated a directory
entry that contains the file name, file size, starting
address of the file content and other metadata
● If a file or directory needs more than one cluster,
the chain of clusters is recorded in the FAT structure
● File and directory content is stored in clusters
NTFS – Overview
● NTFS is a proprietary file system developed by
Microsoft in 1993; default file system of
Windows NT family
● Notable features of NTFS
○ Security: by using an Access Control List (ACL), an administrator
controls who can access specific files.
○ Encryption: Encryption File System (EFS) provides strong and
user-transparent encryption of any files or folder on an NTFS
volume
○ B-tree: faster file look-up times
○ Support for large file sizes: up to 16 exbibytes
B-tree
NTFS Partition Organization
● NTFS Boot Sector
○ Contains the BIOS parameter block that stores information about
the layout of the volume and the file system structures.
● Master File Table
○ Contains the information necessary to retrieve files from the NTFS
partition, such as the attributes of a file
● File System Data
○ Stores data that is not contained within the Master File Table
● Master File Table Copy
○ Includes copies of the records essential for the recovery of the file
system if there is a problem with the original copy
Master File Table
● Each file on an NTFS volume is represented by a
record in a special file called the master file table
(MFT)
● The starting location of the MFT is given in the boot
sector
● 12.5% of the volume is reserved for the MFT but is only used when
necessary
● Each entry is 1024 bytes (1 KB)
○ Only the first 42 bytes are fixed (the entry header), containing 12 fields
○ The rest is allocated to numerous/various attributes
● The first field is the signature, which is normally the ASCII string FILE
MFT Metadata Files
Entry  Filename   Description
0      $MFT       The entry for the MFT itself
1      $MFTMirr   Backup of the MFT
2      $LogFile   Journal containing records of metadata transactions
3      $Volume    Volume information
4      $AttrDef   Attribute information (identifier values, name)
5      $.         Root directory of the file system
6      $Bitmap    Allocation status of each cluster in the file system
7      $Boot      Boot sector and boot code for the file system
8      $BadClus   Clusters that have bad sectors
9      $Secure    Security and access control for the files
10     $Upcase    Contains the uppercase version of every Unicode character
11     $Extend    Directory containing files for optional extensions

Single File Record in MFT
● NTFS reads attributes from the record, not files; a file's
content is simply one of the attributes ($DATA)
MFT Entry Attribute Types
Type ID  Name                    Description
16       $STANDARD_INFORMATION   General: MAC times; owner, security ID
32       $ATTRIBUTE_LIST         List of attributes and locations
48       $FILE_NAME              File name
80       $SECURITY_DESCRIPTOR    Access control and security properties
128      $DATA                   File contents
144      $INDEX_ROOT             Root node of an index tree
160      $INDEX_ALLOCATION       Nodes of an index tree rooted in $INDEX_ROOT
176      $BITMAP                 A bitmap for the MFT file/indexes
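The MFT entry layout from the Master File Table slides (FILE signature, 42-byte fixed header of 12 fields, attributes filling the rest of the 1 KB entry) and the attribute type IDs from the table above, worked through as a small builder and parser. This is an added example, not code from the slides: the field offsets inside the header and the 24-byte resident attribute header are the standard NTFS layout; the update sequence number, file name and $DATA content are constructed, and the $FILE_NAME content is simplified to the bare name rather than the full attribute body.

```python
# Added example (not from the slides): assemble a constructed 1 KiB MFT entry and
# parse it back, header first, then the attribute chain, applying the update
# sequence fixups a real parser must apply before trusting either sector.
import struct

ENTRY_SIZE, SECTOR, END_MARKER = 1024, 512, 0xFFFFFFFF
ATTRIBUTE_NAMES = {                      # the type IDs from the slide's table
    16: "$STANDARD_INFORMATION", 32: "$ATTRIBUTE_LIST", 48: "$FILE_NAME",
    80: "$SECURITY_DESCRIPTOR", 128: "$DATA", 144: "$INDEX_ROOT",
    160: "$INDEX_ALLOCATION", 176: "$BITMAP",
}


def resident_attribute(type_id, content):
    """Resident attribute: 24-byte header, then the content padded to 8 bytes."""
    body = content + bytes((-len(content)) % 8)
    # type, length, non-resident flag, name length, name offset, flags, id,
    # content size, content offset, indexed flag, padding
    header = struct.pack("<IIBBHHHIHBB", type_id, 24 + len(body),
                         0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return header + body


def build_mft_entry(attributes, in_use=True, directory=False):
    """42-byte fixed header (the 12 fields), record number, USA, then attributes."""
    attrs = b"".join(attributes) + struct.pack("<II", END_MARKER, 0)
    first_attr = 0x38                     # first 8-aligned offset after the USA
    flags = (1 if in_use else 0) | (2 if directory else 0)
    # signature, USA offset, USA count, $LogFile seq no, sequence no, link count,
    # first attribute offset, flags, used size, allocated size, base record, next id
    header = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                         flags, first_attr + len(attrs), ENTRY_SIZE, 0, len(attributes) + 1)
    entry = bytearray(ENTRY_SIZE)
    entry[:42] = header
    entry[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x2a\x00"                     # constructed update sequence number
    entry[0x30:0x32] = usn
    for i in (1, 2):                      # two 512-byte sectors per entry
        end = i * SECTOR
        entry[0x30 + 2 * i:0x32 + 2 * i] = entry[end - 2:end]   # save the real bytes
        entry[end - 2:end] = usn                                 # stamp the USN on disk
    return bytes(entry)


def apply_fixups(raw):
    """Undo the update sequence array; a mismatch means a torn (partial) write."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    entry = bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR
        if entry[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: entry is corrupt or torn")
        entry[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(entry)


def parse_mft_entry(raw):
    """Return the header flags and the attribute chain of one MFT entry."""
    if raw[:4] != b"FILE":
        raise ValueError("bad signature: not a valid MFT entry")
    entry = apply_fixups(raw)
    first_attr, flags, used = struct.unpack_from("<HHI", entry, 0x14)
    record = {"in_use": bool(flags & 1), "directory": bool(flags & 2),
              "used_size": used, "attributes": []}
    off = first_attr
    while off + 8 <= len(entry):
        type_id, length = struct.unpack_from("<II", entry, off)
        if type_id == END_MARKER:
            break
        if length < 16 or off + length > len(entry):
            raise ValueError(f"attribute at 0x{off:x} has implausible length {length}")
        non_resident = entry[off + 8]
        attr = {"type": ATTRIBUTE_NAMES.get(type_id, f"unknown ({type_id})"),
                "resident": not non_resident}
        if not non_resident:              # content lives inside the MFT entry itself
            size, content_off = struct.unpack_from("<IH", entry, off + 16)
            attr["content"] = entry[off + content_off:off + content_off + size]
        record["attributes"].append(attr)
        off += length
    return record


# Constructed entry: timestamps zeroed, a bare UTF-16 name, and a small resident $DATA.
SAMPLE_ENTRY = build_mft_entry([
    resident_attribute(16, bytes(48)),                         # $STANDARD_INFORMATION
    resident_attribute(48, "notes.txt".encode("utf-16-le")),   # $FILE_NAME (name only)
    resident_attribute(128, b"hello, examiner"),               # $DATA, resident
])

if __name__ == "__main__":
    print(parse_mft_entry(SAMPLE_ENTRY))
```

The fixup step is the detail examiners trip over when reading raw MFT entries: the last two bytes of each 512-byte sector on disk hold the update sequence number, not file data, so a parser that skips `apply_fixups` returns two corrupted bytes per sector, and a mismatch there is the signal that the entry was only partially written.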
Master Boot Record
● Master Boot Record (MBR) is used to store
essential information about the structure of the
hard disk.
● MBR is always located at cylinder 0, head 0,
sector 0 (i.e. the first sector of the disk)
● This is where the BIOS finds the information on
how to proceed with booting and loading the OS
MBR Structure
● Boot Code (446 bytes): when this code is executed, it
hands over control to the boot program located in the
active partition so that the OS can be loaded
● Partition Table (64 bytes): contains the information about
the physical partitions of the disk; one of the partitions
is marked as active
● MBR Signature (2 bytes): 55 AA
Partition Table
● The partition table starts at offset 0x1BE in the
MBR
● Each entry consists of 16 bytes and all multi-byte fields
are little-endian
● Boot flag: active 0x80, inactive 0x00
● Partition types include FAT 12 (0x01), FAT 16 (0x04),
Extended (0x05) and NTFS (0x07)
MBR example
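A decoder for the MBR structure described on the preceding slides, as an added example that is not part of the original deck: it checks the 55 AA signature, walks the four 16-byte entries at 0x1BE, reads the little-endian fields, and reports the boot flag and partition type using the codes from the slide. The LBA start and sector-count fields are the standard MBR entry layout; the sample MBR itself is constructed here, with its boot code zeroed.

```python
# Added example (not from the slides): parse the partition table of a 512-byte
# MBR. Offsets and type codes follow the slides; CHS fields are read but ignored.
import struct

PARTITION_TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x05: "Extended", 0x07: "NTFS"}
ENTRY_FORMAT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr):
    """Return the non-empty partition entries of an MBR as dictionaries."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA signature: not an MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue                      # empty slot
        entries.append({
            "index": i,
            "active": boot == 0x80,       # the slide's boot flag
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * 512,
        })
    return entries


def build_mbr(partitions):
    """Construct a sample MBR from (active, type, lba_start, sectors) tuples; boot code zeroed."""
    table = b"".join(
        struct.pack(ENTRY_FORMAT, 0x80 if active else 0x00, b"\0\0\0", ptype,
                    b"\0\0\0", start, count)
        for active, ptype, start, count in partitions)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"


# Constructed disk: an active 100 MiB NTFS partition followed by a 32 MiB FAT16 one.
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x04, 206848, 65536)])

if __name__ == "__main__":
    for part in parse_mbr(SAMPLE_MBR):
        print(part)
```

On a real image the same function is applied to the first 512 bytes of the disk; a table whose active partition points outside the disk, or whose signature is missing, is the first sign that the sector has been damaged or deliberately altered.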
Conclusion
● A forensic examiner must have an excellent
working knowledge of the file system that they
examine.
● In this way, a complete picture of the
investigation can be obtained.
