Filesystem Structure and Metadata - NTFS

Using the mmls command analyse /images/diskimg1.dd. Extract the sector offset information for the three partitions shown.

Using the dd and xxd commands open the first sector of the NTFS partition and complete the following table. Refer to the NTFS Cheat Sheet located in Moodle to find and decode information from VBR.

NTFS was designed for reliability, security, and support for large storage devices. Scalability is provided by the use of generic data structures that wrap around data structures with specific content. This is a scalable design because the internal data structure can change over time as new demands are placed on the file system, and the general wrapper can remain constant. One example of a generic wrapper is that every byte of data in an NTFS file system is allocated to a file.

The Master File Table (MFT) is the heart of NTFS because it contains the information about all files and directories. Every file and directory has at least one entry in the table, and the entries by themselves are very simple. They are 1 KB in size, but only the first 56 bytes have a defined purpose. The remaining bytes store attributes, which are small data structures that have a very specific purpose.

To verify our information regarding the $MFT in the VBR we can go to the sector/cluster in question and determine if the MFT record stored there is the MFT. Using the dd command open first sectors of the $MFT.

What physical sector is the start of the $MFT file?

Verify that you are indeed at the correct sector. Reproduced below are the values that should be present. The one of note is the Unicode text $MFT that is located at about the halfway point in the sector.

Figure 1: $MFT record

The record we will attempt to decode is located at offset 0x14c00 (in bytes) within $MFT file.

What is the physical sector of the record at offset 0x14c00 within $MFT?

Use dd command to open the physical sector.

The core structure of each record is based on the following information and attributes that are stored for each file:

• Header: The header in the MFT is a set of low-level management data used by NTFS to manage the directory. It includes sequence numbers used internally by NTFS and pointers to the file's other attribute and free space within the record.
• Standard Information Attribute: This attribute contains "standard" information stored for all files and directories. This includes fundamental properties such as date/timestamps for when the file was created, modified and accessed.
• File Name Attribute: This attribute stores the name associated with the file. Note that a file can have multiple file name attributes, to allow the storage of the "regular" name of the file, along with an MS-DOS short filename alias and also POSIX-like hard links from multiple directories.
• Data Attribute: This attribute stores the actual contents of the file.

Decode the following information from the header of the record:

Identify the offsets of each of the main attributes (the first has been filled in to assist).

Decode the following information from the $STANDARD_INFORMATION attribute:

Note: use DCode tool for time and date: http://www.digital-detective.net/digital-forensicsoftware/free-tools/

Note: Use date and time format: (MM/dd/yyyy HH:mm:ss) 10/18/2024 00:00:00

Decode the following information from the $File_Name attribute:

Finally decode the data run from the $DATA attribute.

Note: Refer to "Run List Example" document on Moodle

So far we have explored NTFS file system with hex editor. Now we can verify our findings with the appropriate tool.

To verify the content of the VBR, use the fsstat command to display the file system information. It should be the same as information in question 2.

In this NTFS partition, what is the cluster size in bytes?
Size:

The NTFS file system views each file (or directory) as a set of file attributes. Elements such as the file's name, its security information, and even its data, are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name.

What is the attribute type code of the $FILE_NAME attribute?

What is the first disk block (not partition block) of the MFT and the MFT Mirror.
MFT:
MFT Mirror:

Use fls to see the files in the NTFS partition, and obtain the inode number for $Boot. Then use that in the istat command to discover the allocated size in bytes of the $Boot file.
Size:

What is the first and last cluster number allocated to this file? This information is often found on the last line of the istat output as a list of numbers.
First:
Last:

What is so special about $BOOT file?
Nothing special, just a file system metadata file. It is required to boot the operating system Contains the boot sector of the file system Stores information regarding boot sequence of the PC

In the NTFS partition there are a number of directories. In the docs directory there is a file called fatcat.jpg. What is its inode number in the format 00-000-0?
Inode id:

What is the size in bytes of the space allocated to store the file fatcat.jpg?
Size:

How many clusters are allocated to this file?
Total:

What is the first and last cluster number allocated to this file?
First:
Last: