Windows NTFS File System

To improve performance and reliability and to support large disk volumes,
Microsoft developed the NTFS file system for Windows NT in the early '90s. NTFS is still widely used today.
NTFS is a robust journaling file system.
Changes to the file system metadata are first recorded in a log file ($LogFile), then written to disk,
so a write interrupted by a crash can be replayed or rolled back at the next mount.
It enhances security by storing an access control list (the permissions) with each file and directory.
The cluster size of an NTFS volume is chosen at format time and ranges from 512 bytes up to 64 KB.
For a smaller volume holding mostly small files,
you can create smaller clusters to reduce the disk space wasted (slack) at the end of each file.
If you use a large disk, you may create bigger clusters to improve read and
write performance and reduce file fragmentation.
NTFS uses 64 bits for each cluster address (the logical cluster number, LCN).
In principle, therefore, NTFS can address up to 2^64 clusters; the Windows implementation caps a volume at 2^32 - 1 clusters.
The key component of NTFS is the master file table, or MFT.

NTFS VOLUME BOOT SECTOR

Like the boot record of a FAT file system, the NTFS volume boot sector
begins in the first sector of the partition; the boot area ($Boot) can use up to 16 sectors.
It contains the bytes-per-sector and sectors-per-cluster values (and so the cluster size),
the address of the MFT as a logical cluster number (not a sector number),
and the address of the MFT mirror ($MFTMirr), which contains copies
of the first four entries of the MFT as a backup.
If the partition is bootable, the boot sector also contains the bootstrap code that
loads the boot loader (NTLDR on Windows NT through XP, bootmgr on later versions).
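As an added example (not part of the original article, and not Microsoft's code), the following Python builds a constructed NTFS boot sector with the fields just described and parses it back into the values a forensic tool needs first: the cluster size, the byte offsets of $MFT and $MFTMirr, and the MFT record size. The sample values (512-byte sectors, 8 sectors per cluster, MFT at LCN 786432) are assumptions chosen for the example, and the bootstrap code area is left zero-filled.

```python
"""Constructed NTFS boot sector: build it, then parse the fields a tool needs.
Example code with assumed sample values; nothing is read from a real disk."""
import struct


def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8, total_sectors=2_097_151,
                      mft_lcn=786_432, mftmirr_lcn=2, record_code=0xF6, index_code=0x01,
                      serial=0x1234567890ABCDEF):
    """Lay out the BIOS parameter block and the NTFS extension; bootstrap code area stays zero."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                              # jump over the BPB to the boot code
    bs[3:11] = b"NTFS    "                                 # OEM ID
    struct.pack_into("<HBH", bs, 0x0B, bytes_per_sector, sectors_per_cluster, 0)  # reserved sectors = 0
    bs[0x15] = 0xF8                                        # media descriptor: fixed disk
    struct.pack_into("<HHI", bs, 0x18, 63, 255, 2048)      # sectors per track, heads, hidden sectors
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, mft_lcn, mftmirr_lcn)
    bs[0x40] = record_code                                 # clusters per MFT record (0xF6 = -10 -> 2^10 bytes)
    bs[0x44] = index_code                                  # clusters per index buffer
    struct.pack_into("<Q", bs, 0x48, serial)               # volume serial number
    bs[0x1FE:0x200] = b"\x55\xAA"                          # boot sector signature
    return bytes(bs)


def _size_code(code, cluster_size):
    """NTFS stores record and index-buffer sizes as a cluster count, or as -log2(bytes) when negative."""
    signed = code - 256 if code > 127 else code
    return (1 << -signed) if signed < 0 else signed * cluster_size


def parse_boot_sector(bs):
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    cluster = bps * spc
    return {
        "bytes_per_sector": bps,
        "cluster_size": cluster,
        "volume_bytes": total * bps,           # volume size as recorded in the boot sector
        "mft_offset": mft_lcn * cluster,       # byte offset of $MFT from the start of the partition
        "mftmirr_offset": mirr_lcn * cluster,  # byte offset of $MFTMirr (copies of the first 4 records)
        "mft_record_size": _size_code(bs[0x40], cluster),
        "index_buffer_size": _size_code(bs[0x44], cluster),
        "serial": struct.unpack_from("<Q", bs, 0x48)[0],
    }


if __name__ == "__main__":
    print(parse_boot_sector(build_boot_sector()))
```

The MFT record size is the one value worth double-checking on a real image: a negative code means the size is 2^|code| bytes regardless of the cluster size, which is how 1024-byte records coexist with 4 KB or 64 KB clusters.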

MASTER FILE TABLE

The master file table is itself a system file, $MFT; the names of NTFS system files start
with a $. The master file table is created when the NTFS volume is formatted.
The MFT has a record for every file and directory on the volume, including an entry for itself.
Each file uses one or more MFT records (1024 bytes each on most volumes) to store its metadata.
A record starts with a file record header and is followed by attributes, typically $STANDARD_INFORMATION, $FILE_NAME and $DATA.
The file record header includes the MFT record number, a sequence number, the hard link count,
flags telling whether the record is in use and whether it describes a directory, and the used and allocated size of the record.
$STANDARD_INFORMATION contains the file's timestamps (created, modified, MFT entry modified, and accessed)
and the characteristics telling whether the file is hidden, a system file, read-only, and so on.
$FILE_NAME contains the file name, which can be up to 255 characters (stored as UTF-16), together with a reference
to the parent directory's MFT record and its own copy of the timestamps.
The $DATA attribute normally lists the runs of clusters allocated to the file (it is then called non-resident),
and the file content is stored outside the MFT record in those clusters.
However, a small file may have its content held entirely
in the $DATA attribute inside its MFT record (a resident attribute).
What is a small file here?
If the MFT record is 1024 bytes in size, files of roughly 740 bytes or less are small enough;
the exact limit depends on the length of the file name and on the other attributes present in the record.
The next section illustrates this scenario.

A SMALL FILE THAT RESIDES IN $MFT ENTRY
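The following Python is an added example, not code from the article or from Microsoft. It constructs a 1024-byte MFT record whose $DATA attribute is resident, then parses it the way a forensic tool would: applying the update-sequence fixups, walking the attributes, and reading $STANDARD_INFORMATION, $FILE_NAME and the content straight out of the record. The record number, file name, timestamp and content are assumed values; resident_capacity() computes how much content fits beside the other attributes, which is where the "roughly 740 bytes" figure comes from (it shrinks as the file name gets longer).

```python
"""Build one constructed 1024-byte NTFS FILE record whose $DATA attribute is
resident, then parse it back: undo the update-sequence fixups, walk the
attributes, and pull out $STANDARD_INFORMATION, $FILE_NAME and the content.
Everything here is constructed for the example; nothing is read from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE, FIRST_ATTR = 1024, 512, 0x38
STD_INFO, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
FILETIME = 132_000_000_000_000_000   # assumed timestamp: 100 ns ticks since 1601-01-01 (April 2019)


def filetime_to_datetime(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def _resident_attr(atype, content):
    """Resident attribute: 24-byte header, then content, padded to an 8-byte boundary."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + bytes(length - 0x18 - len(content))


def _std_info():
    # created, modified, MFT-entry modified, accessed, flags (0x20 = ARCHIVE); 72 bytes in total
    return struct.pack("<QQQQI", FILETIME, FILETIME, FILETIME, FILETIME, 0x20) + bytes(36)


def _file_name(name, size, parent=5):   # MFT record 5 is the root directory
    # parent reference, four timestamps, allocated and real size, flags, reparse, name length, namespace
    return struct.pack("<QQQQQQQIIBB", parent, FILETIME, FILETIME, FILETIME, FILETIME,
                       size, size, 0x20, 0, len(name), 1) + name.encode("utf-16le")


def resident_capacity(name):
    """Largest $DATA payload that still fits in the record beside the other attributes."""
    room = (RECORD_SIZE - FIRST_ATTR - len(_resident_attr(STD_INFO, _std_info()))
            - len(_resident_attr(FILE_NAME, _file_name(name, 0))) - 4)   # 4-byte end marker
    return (room & ~7) - 0x18


def build_record(record_no, name, data, in_use=True):
    if len(data) > resident_capacity(name):
        raise ValueError("content too large to stay resident; NTFS would allocate clusters")
    attrs = (_resident_attr(STD_INFO, _std_info()) + _resident_attr(FILE_NAME, _file_name(name, len(data)))
             + _resident_attr(DATA, data) + struct.pack("<I", END_MARKER))
    # header: magic, USA offset/count, $LogFile LSN, sequence, hard links, first attribute offset,
    # flags (bit 0 = in use, bit 1 = directory), used/allocated size, base record, next attr id, pad, record no.
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, FIRST_ATTR, 1 if in_use else 0,
                      FIRST_ATTR + len(attrs), RECORD_SIZE, 0, 4, 0, record_no)
    rec = bytearray(hdr) + bytearray(8) + attrs
    rec += bytes(RECORD_SIZE - len(rec))
    usn = b"\x01\x00"                    # update sequence number, stamped over each sector's last word
    rec[0x30:0x32] = usn
    for i in range(RECORD_SIZE // SECTOR_SIZE):
        tail = (i + 1) * SECTOR_SIZE - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]   # keep the real bytes in the USA
        rec[tail:tail + 2] = usn
    return bytes(rec)


def parse_record(raw):
    rec = bytearray(raw)
    magic, usa_ofs, usa_count = struct.unpack_from("<4sHH", rec, 0)
    if magic != b"FILE":
        raise ValueError("not a FILE record")
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(1, usa_count):         # undo the fixups; a mismatch means a torn (partial) write
        tail = i * SECTOR_SIZE - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[tail:tail + 2] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    seq, links, attr_ofs, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq, "links": links,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attributes": []}
    off = attr_ofs
    while off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        non_resident = rec[off + 8]
        info["attributes"].append((atype, "non-resident" if non_resident else "resident"))
        if not non_resident:
            clen, cofs = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + cofs:off + cofs + clen])
            if atype == STD_INFO:
                c, m, e, a = struct.unpack_from("<QQQQ", content, 0)
                info["times"] = {"created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
                                 "mft_modified": filetime_to_datetime(e), "accessed": filetime_to_datetime(a)}
            elif atype == FILE_NAME:
                info["parent"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF  # low 48 bits
                info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16le")
            elif atype == DATA:
                info["resident_data"] = content   # the whole file, without touching any cluster
        off += alen
    return info


if __name__ == "__main__":
    print(parse_record(build_record(40, "a.txt", b"small files live inside the MFT record")))
```

Two forensic consequences follow from this layout: the content of a resident file never reaches a data cluster, so carving the free space of a volume will not find it, and the fixup check in parse_record() is what tells a tool that a record was only half written rather than simply corrupt.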

If a file's metadata is larger than one MFT record, NTFS uses two
or more MFT records to hold the file's attributes.
The base record then carries an $ATTRIBUTE_LIST attribute that points to all of the other records in the MFT.
There is a flag in each record's header to indicate the MFT record's allocation status.
This flag is set to zero when the record is marked for deletion; the record is then known as unallocated.
Each directory record uses the attribute $INDEX_ROOT to list its children.
More specifically, each child residing in the directory is represented
by an index entry holding a copy of the child's $FILE_NAME attribute (its name, parent reference, timestamps and sizes).
$INDEX_ROOT contains the list of its children's index entries.
The entries are kept sorted by file name, and the index as a whole is organized as a B-tree.
When a directory contains more index entries than fit in one MFT record,
the additional index entries are stored in index buffers (INDX records) outside the MFT.
The $INDEX_ALLOCATION attribute stores the location of these index buffers.
The first 16 MFT records are reserved for the system files.
The first record is $MFT itself, followed by $MFTMirr, $LogFile, $Volume, $AttrDef, the root directory, $Bitmap and $Boot.
The $Bitmap file keeps track of cluster usage.
It uses one bit to record the status of each cluster on the volume.
If a cluster is in use, the corresponding bit is one.
Otherwise, the bit is zero.
When you create a file on an NTFS volume, one or more free clusters are chosen using the bitmap and their bits are set.
An MFT record is created to store the file's name,
standard information, and its clusters' addresses.
Its index entry is inserted in sorted position in its parent directory's $INDEX_ROOT attribute (or an index buffer).
When you delete a file on an NTFS volume, the bits for its clusters
in the bitmap file are cleared to zero.
The MFT record for that file is marked for deletion,
that is, the allocation status flag is set to zero.
The index entry for the file is removed from its parent directory's index.
Consequently, in $INDEX_ROOT, the index entries below it are moved up,
overwriting the deleted entry.
Therefore, in NTFS, it is common for a deleted file to be unreachable from its parent folder:
the folder no longer lists it, although the unallocated MFT record still holds the parent reference
in its $FILE_NAME attribute until the record is reused.
As long as the clusters holding the file data have not been reallocated to another file,
the content is still recoverable, at least in part.
If the MFT record is still available, we can get all the clusters' locations
and recover the file together with its file name.
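As an added example (not from the article, and not a real tool's code), the Python below decodes the data runs of a non-resident $DATA attribute into cluster extents, simulates the $Bitmap side of creating and deleting a file, and then makes the check a recovery tool makes on an unallocated record: are the file's clusters still free, partly reused, or fully overwritten? The run list, the bitmap size and the allocation pattern are constructed for the example; the run-list encoding itself (header nibbles, little-endian length, signed relative offset) is the real NTFS format.

```python
"""Data runs of a non-resident $DATA attribute, the $Bitmap, and the checks a
recovery tool makes on a deleted file's MFT record.  Every input here is
constructed for the example; nothing is read from a real volume."""


def decode_runs(runs):
    """Return [(lcn, cluster_count), ...]; lcn is None for a sparse run.
    Each run: header byte (low nibble = size of the length field, high nibble =
    size of the offset field), little-endian length, signed little-endian offset
    relative to the previous run's LCN.  A 0x00 header ends the list."""
    extents, lcn, pos = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_size, ofs_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if ofs_size == 0:                       # sparse run: no clusters on disk
            extents.append((None, count))
            continue
        lcn += int.from_bytes(runs[pos:pos + ofs_size], "little", signed=True)
        pos += ofs_size
        extents.append((lcn, count))
    return extents


# Constructed run list for a 28-cluster file in three fragments (the third one placed
# *before* the second, so its relative offset is negative) plus a 4-cluster sparse hole.
RUNS = bytes([
    0x21, 0x10, 0x00, 0x01,   # length 1 byte = 16 clusters, offset 2 bytes = +256  -> LCN 256
    0x11, 0x08, 0x20,         # 8 clusters, offset +32                             -> LCN 288
    0x11, 0x04, 0xF0,         # 4 clusters, offset -16 (signed byte)               -> LCN 272
    0x01, 0x04,               # 4 clusters with no offset field: sparse
    0x00,                     # end of the run list
])


def make_bitmap(total_clusters, allocated=()):
    """$Bitmap: one bit per cluster, least significant bit first within each byte."""
    bm = bytearray((total_clusters + 7) // 8)
    for lcn in allocated:
        bm[lcn >> 3] |= 1 << (lcn & 7)
    return bm


def cluster_allocated(bitmap, lcn):
    return bool((bitmap[lcn >> 3] >> (lcn & 7)) & 1)


def allocate_clusters(bitmap, n):
    """File creation: first-fit search for n contiguous free clusters; set their bits, return the LCN."""
    run_start = None
    for lcn in range(len(bitmap) * 8):
        if cluster_allocated(bitmap, lcn):
            run_start = None
        elif run_start is None:
            run_start = lcn
        if run_start is not None and lcn - run_start + 1 == n:
            for c in range(run_start, lcn + 1):
                bitmap[c >> 3] |= 1 << (c & 7)
            return run_start
    raise OSError("no contiguous free run of %d clusters" % n)


def release_clusters(bitmap, extents):
    """File deletion: clear the bits only; the MFT record and the data on disk are left in place."""
    for lcn, count in extents:
        if lcn is not None:
            for c in range(lcn, lcn + count):
                bitmap[c >> 3] &= ~(1 << (c & 7)) & 0xFF


def recovery_status(runs, bitmap, in_use):
    """What a recovery tool concludes from the run list of a (possibly unallocated) MFT record."""
    extents = decode_runs(runs)
    clusters = [lcn + i for lcn, n in extents if lcn is not None for i in range(n)]
    reused = [c for c in clusters if cluster_allocated(bitmap, c)]
    if in_use:
        verdict = "live file"
    elif not reused:
        verdict = "intact"            # every cluster still free: full recovery possible
    elif len(reused) == len(clusters):
        verdict = "overwritten"       # every cluster handed to a newer file
    else:
        verdict = "partial"           # only a segment of the file survives
    return {"extents": extents, "clusters": len(clusters), "reused": len(reused), "verdict": verdict}


if __name__ == "__main__":
    bm = make_bitmap(512, range(256))              # assume the first 256 clusters belong to other files
    for lcn, n in decode_runs(RUNS):
        if lcn is not None:
            make_bitmap(0)  # no-op; the file's own bits are set below
            for c in range(lcn, lcn + n):
                bm[c >> 3] |= 1 << (c & 7)
    print(recovery_status(RUNS, bm, in_use=True)["verdict"])
    release_clusters(bm, decode_runs(RUNS))        # delete the file
    print(recovery_status(RUNS, bm, in_use=False)["verdict"])
    allocate_clusters(bm, 20)                      # a new file lands on the freed space
    print(recovery_status(RUNS, bm, in_use=False))
```

The "partial" verdict is the common case in practice: NTFS's first-fit style allocation tends to hand the lowest free clusters to the next file written, so the front of a deleted file is usually the first part to disappear.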
Since we live in the age of information, there is demand for a file system
that can support large storage, such as multi-terabyte drives,
and also provide continual reliability.
Microsoft introduced a new file system called the Resilient File System, ReFS,
first used in Windows Server 2012 and Windows 8.
As of now, the Resilient File System is still not ready
to completely take over as the default file system,
and forensic investigation procedures for the Resilient File System are still being developed.

Reference: Yin Pan,
Professor, Computing Security
Rochester Institute of Technology

Author: McPeters Joseph

Joseph McPeters is a Security Researcher. He specializes in network and web application penetration testing. Contact: admin@incidentsecurity.com
