WEBVTT

00:00:09.480 --> 00:00:16.460
When we transition into looking at a file system like NTFS, we have to

00:00:16.460 --> 00:00:22.000
understand that the concepts are very, very similar to a simple file system

00:00:22.000 --> 00:00:28.440
like FAT. What we need to know is that what NTFS does is it adds performance.

00:00:28.440 --> 00:00:32.440
And of all the file systems, you're probably going to come across NTFS

00:00:32.440 --> 00:00:36.400
most often in your work as a digital forensics practitioner.

00:00:36.400 --> 00:00:40.980
And that's mostly because for probably about the last decade to decade

00:00:40.980 --> 00:00:46.680
and a half, NTFS has become the standard file system for Windows.

00:00:46.680 --> 00:00:51.860
And so it works in a massive number of workplaces and in homes.

00:00:51.860 --> 00:00:57.660
While NTFS is definitely more complex, it is supported by pretty much

00:00:57.660 --> 00:01:00.520
every single forensic tool out there.

00:01:00.520 --> 00:01:03.220
So what makes NTFS so great?

00:01:03.220 --> 00:01:07.500
Here is just a brief list of what NTFS does.

00:01:07.500 --> 00:01:11.660
And I'm going to highlight the fact that it's a journaling file system.

00:01:11.660 --> 00:01:14.200
It's highly scalable.

00:01:14.200 --> 00:01:17.800
It supports file compression and volume shadow copies.

00:01:17.800 --> 00:01:23.400
And then it has one of the most important things in it, which is the permissions,

00:01:23.400 --> 00:01:27.880
access control lists or ACLs, and then encryption.

00:01:27.880 --> 00:01:33.000
Okay, so again, it's not that NTFS is any better than the file allocation

00:01:33.000 --> 00:01:35.320
table file system.

00:01:35.320 --> 00:01:38.640
It's just that it's built for a different purpose.

00:01:38.640 --> 00:01:43.120
So let's talk about some file size limitations, knowing that every file

00:01:43.120 --> 00:01:46.860
system out there has some type of file limitation.

00:01:46.860 --> 00:01:51.240
In NTFS, the following limits are applied.

00:01:51.240 --> 00:01:55.480
A file can really be no bigger than 16 terabytes.

00:01:55.480 --> 00:02:01.380
A volume has about a 256 terabyte limitation.

00:02:01.380 --> 00:02:07.660
And then we have support within the file system for about 4.2 billion

00:02:07.660 --> 00:02:12.580
files. So it is a rather robust file system.

00:02:12.580 --> 00:02:18.600
One thing to understand is that NTFS doesn't separate the partitions out

00:02:18.600 --> 00:02:21.600
by category, like FAT does.

00:02:21.600 --> 00:02:26.440
Instead, everything within NTFS is in a file.

00:02:26.440 --> 00:02:29.880
So rather than storing the information in a particular set of cluster

00:02:29.880 --> 00:02:36.140
offsets, everything the file system needs to know is actually in a file

00:02:36.140 --> 00:02:40.660
in the root of every partition.

00:02:40.660 --> 00:02:45.940
And the way we see that represented is all of those system files are what

00:02:45.940 --> 00:02:48.620
you see with the dollar sign in there.

00:02:48.620 --> 00:02:52.300
And that dollar sign at the beginning of a file, it means that a file

00:02:52.300 --> 00:02:58.040
isn't visible to Windows, so it's not normally accessible to be changed.

00:02:58.040 --> 00:03:04.700
It kind of is, but the users don't really know that it's there.

00:03:04.700 --> 00:03:11.200
The primary file that we're interested in in an NTFS file system is the

00:03:11.200 --> 00:03:14.280
master file table or MFT.

00:03:14.280 --> 00:03:20.180
And it is the primary file system responsible for keeping a record of

00:03:20.180 --> 00:03:22.380
all of the files in the volume.

00:03:22.380 --> 00:03:26.920
And in that way, an MFT can be compared to the file allocation tables

00:03:26.920 --> 00:03:30.080
that are used within the FAT file system.

00:03:30.080 --> 00:03:35.980
The MFT is definitely stored in the dollar sign MFT file at the root of

00:03:35.980 --> 00:03:40.800
a volume. And let's dig a little bit deeper into that MFT because the

00:03:40.800 --> 00:03:46.120
MFT is that go-to resource for where all the files lived.

00:03:46.120 --> 00:03:51.320
And one thing that's really interesting about the MFT is it doesn't get

00:03:51.320 --> 00:03:55.320
fragmented. That's what keeps our high performance going on.

00:03:55.320 --> 00:04:01.260
So when you format a drive, any drive, every drive, NTFS is going to reserve

00:04:01.260 --> 00:04:08.580
12.5% at a minimum of the total volume storage for that master file table

00:04:08.580 --> 00:04:14.480
to grow into. That permission can be increased if needed, and the space

00:04:14.480 --> 00:04:16.460
is called the MFT zone.

00:04:16.460 --> 00:04:22.500
And one more thing to know is that every single file that you create on

00:04:22.500 --> 00:04:29.380
that file system is going to take up at least one megabyte inside of

00:04:29.380 --> 00:04:36.700
the MFT, whether that file is one megabyte in size or less or greater.

00:04:36.700 --> 00:04:41.580
What you're going to see are the remaining primary system files with those

00:04:41.580 --> 00:04:43.600
dollar signs in the beginning.

00:04:43.600 --> 00:04:46.580
And what we're going to have is we're going to have a mirror copy of the

00:04:46.580 --> 00:04:48.860
MFT in case we fail.

00:04:48.860 --> 00:04:51.820
Then we're going to have the logs, and that's going to hold information

00:04:51.820 --> 00:04:54.180
for the file system metadata changes.

00:04:54.180 --> 00:04:57.800
That's what gets replayed if there's a corrupt disk drive.

00:04:57.800 --> 00:05:01.380
The volume is going to contain more information about that volume, including

00:05:01.380 --> 00:05:04.840
its label. And then we can move down to all the different attributes,

00:05:04.840 --> 00:05:08.560
the cluster bitmap.

00:05:08.560 --> 00:05:11.820
And that's very similar to the file allocation table.

00:05:11.820 --> 00:05:13.260
We're going to have our boot sector.

00:05:13.260 --> 00:05:17.740
We're going to have a tracking file that keeps track of all our bad clusters.

00:05:17.740 --> 00:05:21.660
So NTFS knows to never use a cluster that's been marked bad.

00:05:21.660 --> 00:05:25.520
And then, incredibly important, we have that security file.

00:05:25.520 --> 00:05:29.660
And then we have an extension directory that's kind of used for just optional

00:05:29.660 --> 00:05:33.280
features out there.

00:05:33.280 --> 00:05:35.900
Okay. One component.

00:05:35.900 --> 00:05:40.220
NTFS does not preemptively segment a volume out like FAT does either.

00:05:40.220 --> 00:05:45.280
And the MFT and MFT mirror files can actually live anywhere on that volume.

00:05:45.280 --> 00:05:48.680
That does have its advantages because it's not going to be in that first

00:05:48.680 --> 00:05:54.700
sector. And there's a high chance that if you have a corrupted MFT and

00:05:54.700 --> 00:06:00.000
there's a physical problem with that disk, then you have a good chance

00:06:00.000 --> 00:06:03.260
of recovering the MFT mirror file.

00:06:03.260 --> 00:06:10.560
However, one cool component about it is that we always find that VBR in

00:06:10.560 --> 00:06:15.000
the very beginning and that VBR is stored in that dollar sign boot record.

00:06:15.000 --> 00:06:19.720
And remember why I said it makes it cool is because that VBR is what contains

00:06:19.720 --> 00:06:24.260
the boot code. And then it also includes physical pointers to that MFT

00:06:24.260 --> 00:06:29.620
file and other very important disk information.

00:06:29.620 --> 00:06:32.640
Here's that quick look at the VBR.

00:06:32.640 --> 00:06:38.460
As you can see, it's still very similar to the FAT file system's VBR.

00:06:38.460 --> 00:06:43.280
However, it's got a little more going on and that's because it's a little

00:06:43.280 --> 00:06:46.640
more robust. So we're going to see those jump instructions.

00:06:46.640 --> 00:06:49.520
We're going to see the reserved number of sectors.

00:06:49.520 --> 00:06:53.820
We are going to see those pointers, total numbers of sectors, and that

00:06:53.820 --> 00:06:55.600
volume serial number in there.

00:06:55.600 --> 00:07:00.180
That volume serial number is pretty unique for you to grab as a unique

00:07:00.180 --> 00:07:07.160
descriptor for your reporting of a forensic investigation.

00:07:07.160 --> 00:07:16.220
Okay. One thing to know is that offsets 48 to 55 of the MFT and 56 to

00:07:16.220 --> 00:07:20.440
53 of the MFT is one of the most important offsets.

00:07:20.440 --> 00:07:25.040
And that's going to be one of the ones that tells us where all of the

00:07:25.040 --> 00:07:29.760
MFT files are. So we really have to have that one.

00:07:29.760 --> 00:07:35.520
So every file within NTFS is going to give us one MFT entry.

00:07:35.520 --> 00:07:38.240
And here's kind of what the structure looks like.

00:07:38.240 --> 00:07:42.320
Of particular note in here, there will be a FILE.

00:07:42.320 --> 00:07:49.860
There will be FILE unless the file is usable, in which case it'll be bad.

00:07:49.860 --> 00:07:51.800
And notice how it's four characters the same way.

00:07:51.800 --> 00:07:59.360
So if you can actually visually determine the beginning of every MFT entry,

00:07:59.360 --> 00:08:04.240
sometimes just by scanning that right-hand column in our hexadecimal editor

00:08:04.240 --> 00:08:05.720
that shows the ASCII listings.

00:08:05.720 --> 00:08:09.760
And if you scroll down, you'll see FILE, FILE, FILE, FILE.

00:08:09.760 --> 00:08:16.040
That's the beginning of every single MFT entry.

00:08:16.040 --> 00:08:20.380
MFTs have attributes to them.

00:08:20.380 --> 00:08:25.320
We have our resident attributes, which are contained within the MFT record

00:08:25.320 --> 00:08:29.060
itself. And they have an attribute header that's immediately followed

00:08:29.060 --> 00:08:31.520
by the attribute content.

00:08:31.520 --> 00:08:35.080
Examples of that are going to be like the standard information and the

00:08:35.080 --> 00:08:37.420
file name attributes.

00:08:37.420 --> 00:08:40.420
Then we're going to have non-resident attributes.

00:08:40.420 --> 00:08:44.020
And those are the attributes that just have the attribute in the

00:08:44.020 --> 00:08:45.940
header of the MFT entry.

00:08:45.940 --> 00:08:50.020
And then the attribute is actually going to be stored somewhere else,

00:08:50.020 --> 00:08:54.980
typically in the data portion of the file system.

00:08:54.980 --> 00:09:00.200
Let's look at a few different types of MFT entry attributes.

00:09:00.200 --> 00:09:03.400
Okay, what we're looking at in the standard information is going to be

00:09:03.400 --> 00:09:04.520
the access mode.

00:09:04.520 --> 00:09:09.340
Read only, read-write, archive bits, timestamps, link counts, that kind of

00:09:09.340 --> 00:09:14.560
stuff. And we're going to be looking at file names, the data.

00:09:14.560 --> 00:09:19.020
Remember that only one megabyte of data is stored in the NTFS.

00:09:19.020 --> 00:09:25.880
Any other data is stored in the data file that you see down here.