Week 3 File System

Dr Fudong Li
Session Content
●Recap on previous week
●Introduction to file systems
Recap
● A number of hash functions can be used both
within Windows and Linux OSs
● Fuzzy hashing with ssdeep (may need to unplug
the USB)
● MD5 is the weakest hashing algorithm in terms
of hash collision
● The power of PhotoDNA
● NSRL RDS hash sets
Task
● This is an individual task
● Draw 3-4 things/items by linking dots on the
given paper
● You do not have to use all of the dots
● Provide a description for each item on a
separate paper [maximum 30 characters]
Data Unit
● A sector is the smallest addressable storage unit
on the hard disk and is typically 512 bytes
○ The optimal method of storing a file is in a contiguous
series of sectors
○ A 600-byte file requires n sectors
● A cluster is the smallest unit at the OS level and
can consist of one or more consecutive sectors.
○ The number of sectors in one cluster is always a
power of 2, hence 1, 2, 4, 8, ...
○ Clusters are also used to protect the stored data from
being overwritten.
Bitmap
● A bitmap is a data structure that has one bit for
each cluster on the hard disk
○ 1: the cluster is allocated
○ 0: the cluster is unallocated
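The bitmap lookup described above, as an added example that is not part of the slides. It assumes the least-significant bit of byte 0 describes cluster 0 (the layout NTFS uses for its $Bitmap file) and works on a constructed two-byte bitmap; the free-extent helper is the view an examiner usually wants, since deleted content survives in runs of unallocated clusters.

```python
# Added example (not from the slides): decode a cluster-allocation bitmap.
# Convention assumed here: bit 0 of byte 0 describes cluster 0, bit 1
# cluster 1, and so on (least-significant bit first), as in NTFS $Bitmap.

def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """True if the bitmap marks `cluster` as allocated (bit = 1)."""
    byte_index, bit_index = divmod(cluster, 8)
    if byte_index >= len(bitmap):
        raise IndexError(f"cluster {cluster} is beyond the end of the bitmap")
    return (bitmap[byte_index] >> bit_index) & 1 == 1

def unallocated_clusters(bitmap: bytes, total_clusters: int) -> list[int]:
    """Every cluster the bitmap reports as unallocated (bit = 0)."""
    return [c for c in range(total_clusters) if not cluster_allocated(bitmap, c)]

def free_extents(bitmap: bytes, total_clusters: int) -> list[tuple[int, int]]:
    """Collapse the unallocated clusters into (first_cluster, length) runs.
    Runs of free clusters are where a deleted file's content most often
    survives, so they are reported as ranges rather than single clusters."""
    extents = []
    start = None
    for c in range(total_clusters + 1):
        free = c < total_clusters and not cluster_allocated(bitmap, c)
        if free and start is None:
            start = c
        elif not free and start is not None:
            extents.append((start, c - start))
            start = None
    return extents

# Constructed sample: 16 clusters described by two bytes.
# byte 0 = 0b00011011 -> clusters 0,1,3,4 allocated; 2,5,6,7 free
# byte 1 = 0b11110000 -> clusters 12..15 allocated; 8..11 free
SAMPLE_BITMAP = bytes([0b00011011, 0b11110000])
SAMPLE_CLUSTERS = 16

if __name__ == "__main__":
    print("free clusters:", unallocated_clusters(SAMPLE_BITMAP, SAMPLE_CLUSTERS))
    print("free extents :", free_extents(SAMPLE_BITMAP, SAMPLE_CLUSTERS))
```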
Slack Space (1)
● Slack space occurs when the size of a file is not a
multiple of a cluster size.
● RAM slack is the area from the end of the file to the end
of that sector.
○ Under DOS and early versions of Windows the data
used for this comes directly from RAM
○ More typically this is filled with zeros
● File slack is the area from the end of RAM Slack to the
end of the cluster – it is typically not changed, leaving
the prior contents still present
Slack Space (2)
● Slack space occurs when the size of a file is not a
multiple of a cluster size.
[Figure: a cluster laid out as File | RAM Slack | File Slack]
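The sector, cluster and slack arithmetic from the Data Unit and Slack Space slides, as an added example that is not part of the slides. It assumes 512-byte sectors and a 4-sector (2048-byte) cluster, simulates writing a 600-byte file into a cluster that previously held other data, zero-fills the RAM slack (the behaviour the slides call typical) and leaves the file slack untouched, which is why the prior contents can still be carved from it.

```python
# Added example (not from the slides): model where a file of a given size
# ends inside its last cluster, and what each kind of slack holds afterwards.
SECTOR_SIZE = 512            # bytes per sector, as stated in the slides
SECTORS_PER_CLUSTER = 4      # assumed geometry: a 4-sector (2048-byte) cluster
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def sectors_needed(file_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Number of whole sectors a file occupies (a 600-byte file needs 2)."""
    return ceil_div(file_size, sector_size)

def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Number of whole clusters the OS must allocate for the file."""
    return ceil_div(file_size, cluster_size)

def slack_layout(file_size: int, sector_size: int = SECTOR_SIZE,
                 cluster_size: int = CLUSTER_SIZE) -> tuple[int, int]:
    """Return (ram_slack, file_slack) in bytes for the file's last cluster:
    RAM slack runs from the end of the data to the end of its last sector,
    file slack from there to the end of the cluster."""
    if file_size == 0:
        return 0, 0
    sector_end = sectors_needed(file_size, sector_size) * sector_size
    cluster_end = clusters_needed(file_size, cluster_size) * cluster_size
    return sector_end - file_size, cluster_end - sector_end

def write_into_cluster(prior: bytes, data: bytes,
                       sector_size: int = SECTOR_SIZE) -> bytes:
    """Simulate writing `data` into a cluster that previously held `prior`.
    The RAM slack is zero-filled (the behaviour the slides call typical);
    the file slack is left untouched, so the old bytes survive there."""
    if len(data) > len(prior):
        raise ValueError("file does not fit in one cluster")
    sector_end = sectors_needed(len(data), sector_size) * sector_size
    return data + b"\x00" * (sector_end - len(data)) + prior[sector_end:]

def file_slack(cluster: bytes, file_size: int,
               sector_size: int = SECTOR_SIZE) -> bytes:
    """The bytes an examiner can still carve from the cluster after the write."""
    return cluster[sectors_needed(file_size, sector_size) * sector_size:]

# Constructed sample: the cluster used to hold a now-deleted file
PRIOR_CONTENT = b"OLD-SECRET-DATA " * (CLUSTER_SIZE // 16)
NEW_FILE = b"A" * 600

if __name__ == "__main__":
    print("600-byte file: sectors", sectors_needed(600), "clusters", clusters_needed(600))
    print("RAM slack, file slack:", slack_layout(600))
    cluster = write_into_cluster(PRIOR_CONTENT, NEW_FILE)
    print("recoverable from file slack:", file_slack(cluster, 600)[:32])
```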
FAT
● File Allocation Table (FAT) was the file system of
MS-DOS, circa 1980
● Versions of FAT (FAT 12, FAT 16, FAT 32) were the
primary file system of MS Windows through
Millennium Edition
○ Replaced by New Technology File System (NTFS) on
Windows NT, which became mainstream with Windows
2000
● Still widely used on small storage devices, and
recognized by essentially all modern OSs.
FAT Basic Concepts
● Each file and directory is allocated a directory
entry that contains the file name, file size, starting
address of the file content and other metadata
● If a file or directory needs more than one cluster,
the remaining clusters are found by following the
chain in the FAT structure
● File and directory content is stored in clusters
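Following a file's cluster chain through the FAT, as an added example that is not part of the slides. It assumes FAT16 (16-bit little-endian entries, data clusters numbered from 2, 0xFFF8 to 0xFFFF marking the end of a chain, 0xFFF7 a bad cluster) and one 512-byte sector per cluster; the FAT and the 32-byte directory entry for REPORT.TXT are constructed. The consistency check compares the chain length with the file size, and the chain walker refuses loops and free or bad entries rather than reading forever.

```python
import struct

# Added example (not from the slides): follow a FAT16 cluster chain for a file
# whose directory entry gives the first cluster, and check the chain length
# against the file size. Sample FAT and directory entry are constructed.

FAT16_EOC_MIN = 0xFFF8   # entries 0xFFF8..0xFFFF mark the last cluster of a chain
FAT16_BAD = 0xFFF7       # cluster contains a bad sector
CLUSTER_SIZE = 512       # assumed: one 512-byte sector per cluster

def fat16_entry(fat: bytes, cluster: int) -> int:
    """Each FAT16 entry is a 16-bit little-endian value indexed by cluster number."""
    return struct.unpack_from("<H", fat, cluster * 2)[0]

def follow_chain(fat: bytes, first_cluster: int) -> list[int]:
    """Return the clusters of a file in order, starting from first_cluster.
    Data clusters are numbered from 2; entries 0 and 1 are reserved."""
    chain, seen = [], set()
    cluster = first_cluster
    while True:
        if cluster < 2 or cluster * 2 + 1 >= len(fat):
            raise ValueError(f"cluster {cluster} is outside the FAT")
        if cluster in seen:
            raise ValueError(f"FAT chain loops back to cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat16_entry(fat, cluster)
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == 0 or nxt == FAT16_BAD:
            raise ValueError(f"cluster {cluster} points at invalid entry {nxt:#06x}")
        cluster = nxt

def parse_dir_entry(entry: bytes) -> dict:
    """Decode the 32-byte FAT directory entry fields the slides list: the 8.3
    name, attribute byte, first cluster (low 16 bits) and file size."""
    if len(entry) != 32:
        raise ValueError("directory entries are 32 bytes")
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "attributes": entry[11],
        "first_cluster": struct.unpack_from("<H", entry, 26)[0],
        "size": struct.unpack_from("<I", entry, 28)[0],
    }

def chain_matches_size(fat: bytes, entry: bytes, cluster_size: int = CLUSTER_SIZE) -> bool:
    """True when the chain holds exactly the clusters the file size needs.
    A mismatch points at corruption or a deliberately edited FAT."""
    info = parse_dir_entry(entry)
    needed = -(-info["size"] // cluster_size)          # ceiling division
    try:
        return len(follow_chain(fat, info["first_cluster"])) == needed
    except ValueError:
        return False

def build_fat16(entries: list[int]) -> bytes:
    return b"".join(struct.pack("<H", e) for e in entries)

# Constructed FAT: cluster 2 -> 3 -> 4 -> end, cluster 5 free, cluster 6 -> 7 -> end
SAMPLE_FAT = build_fat16([0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0x0000, 7, 0xFFFF])
# Constructed directory entry for REPORT.TXT: 1500 bytes starting at cluster 2
SAMPLE_ENTRY = (b"REPORT  TXT" + bytes([0x20]) + bytes(14)
                + struct.pack("<H", 2) + struct.pack("<I", 1500))

if __name__ == "__main__":
    print(parse_dir_entry(SAMPLE_ENTRY))
    print("clusters:", follow_chain(SAMPLE_FAT, 2))
    print("chain consistent with size:", chain_matches_size(SAMPLE_FAT, SAMPLE_ENTRY))
```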
NTFS – Overview
● NTFS is a proprietary file system developed by
Microsoft in 1993; default file system of
Windows NT family
● Notable features of NTFS
○ Security: by using an Access Control List (ACL), an administrator
controls who can access specific files.
○ Encryption: Encrypting File System (EFS) provides strong and
user-transparent encryption of any file or folder on an NTFS
volume
○ B-tree: faster file lookup times
○ Support for large file sizes: up to 16 exbibytes
B-tree [figure: B-tree diagram]
NTFS Partition Organization
● NTFS Boot Sector
○ Contains the BIOS parameter block that stores information about
the layout of the volume and the file system structures.
● Master File Table
○ Contains the information necessary to retrieve files from the NTFS
partition, such as the attributes of a file
● File System Data
○ Stores data that is not contained within the Master File Table
● Master File Table Copy
○ Includes copies of the records essential for the recovery of the file
system if there is a problem with the original copy
Master File Table
● Each file on an NTFS volume is represented by a
record in a special file called the master file table
(MFT)
● The starting location of the MFT is given in the boot
sector
● 12.5% of the volume is reserved for the MFT but only used
when necessary
● Each entry is 1024 bytes (1KB)
○ Only the first 42 bytes are defined, containing 12 fields
○ The rest is allocated to the entry's various attributes
● The first field is the signature, which is normally FILE
MFT Metadata Files
Entry  Filename   Description
0      $MFT       The entry for the MFT itself
1      $MFTMirr   Backup of the MFT
2      $LogFile   Journal containing records of metadata transactions
3      $Volume    Volume information
4      $AttrDef   Attribute information (identifier values, name)
5      $.         Root directory of the file system
6      $Bitmap    Allocation status of each cluster in the file system
7      $Boot      Boot sector and boot code for the file system
8      $BadClus   Clusters that have bad sectors
9      $Secure    Security and access control for the files
10     $Upcase    Contains the uppercase version of every Unicode character
11     $Extend    Directory containing files for optional extensions

Single File Record in MFT
● NTFS reads attributes from the record – not files – files
are simply one of the attributes
MFT Entry Attribute Types
Type ID  Name                    Description
16       $STANDARD_INFORMATION   General – MAC times; owner, security ID
32       $ATTRIBUTE_LIST         List of attributes and locations
48       $FILE_NAME              File name
80       $SECURITY_DESCRIPTOR    Access control and security properties
128      $DATA                   File contents
144      $INDEX_ROOT             Root node of an index tree
160      $INDEX_ALLOCATION       Nodes of an index tree rooted in $INDEX_ROOT
176      $BITMAP                 A bitmap for the MFT file/indexes
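A parser for the MFT entry layout described on the Master File Table and attribute-type slides, as an added example that is not part of the slides. It decodes the 42-byte header (12 fields, FILE signature), walks the attribute records until the 0xFFFFFFFF end marker, maps type IDs with the table above, and returns the contents of a resident $DATA attribute to show that the file's data is just one attribute among others. The 1024-byte record is constructed here; the attribute offset of 48 and the field layout are assumptions about a simplified record, and a real entry would additionally need its update-sequence (fixup) values applied before its bytes are trusted.

```python
import struct
from typing import Optional

# Added example (not from the slides): parse the 42-byte header of an MFT
# entry (12 fields, signature "FILE") and walk its resident attributes.
# The 1024-byte record is constructed below; fixup handling is omitted.

MFT_HEADER = struct.Struct("<4sHHQHHHHIIQH")   # 42 bytes, 12 fields
HEADER_FIELDS = ("signature", "fixup_offset", "fixup_count", "logfile_sequence",
                 "sequence", "hard_links", "attr_offset", "flags",
                 "used_size", "allocated_size", "base_record", "next_attr_id")
ATTR_END = 0xFFFFFFFF
ATTR_NAMES = {16: "$STANDARD_INFORMATION", 32: "$ATTRIBUTE_LIST", 48: "$FILE_NAME",
              80: "$SECURITY_DESCRIPTOR", 128: "$DATA", 144: "$INDEX_ROOT",
              160: "$INDEX_ALLOCATION", 176: "$BITMAP"}   # from the slide table

def parse_mft_header(record: bytes) -> dict:
    hdr = dict(zip(HEADER_FIELDS, MFT_HEADER.unpack_from(record, 0)))
    if hdr["signature"] != b"FILE":
        raise ValueError(f"bad MFT signature {hdr['signature']!r}")
    if hdr["used_size"] > hdr["allocated_size"] or hdr["allocated_size"] > len(record):
        raise ValueError("MFT header sizes do not fit the record")
    return hdr

def iter_attributes(record: bytes):
    """Yield (type_id, name, resident, content) for each attribute. Content is
    returned only for resident attributes; non-resident ones keep their data
    in clusters outside the MFT (described by data runs, not parsed here)."""
    hdr = parse_mft_header(record)
    off = hdr["attr_offset"]
    while off + 4 <= hdr["used_size"]:
        type_id = struct.unpack_from("<I", record, off)[0]
        if type_id == ATTR_END:
            return
        if off + 8 > hdr["used_size"]:
            raise ValueError(f"truncated attribute header at offset {off}")
        length = struct.unpack_from("<I", record, off + 4)[0]
        if length < 16 or off + length > hdr["used_size"]:
            raise ValueError(f"attribute at {off} has invalid length {length}")
        non_resident = record[off + 8]
        content = None
        if non_resident == 0:
            size, coff = struct.unpack_from("<IH", record, off + 16)
            content = record[off + coff: off + coff + size]
        yield type_id, ATTR_NAMES.get(type_id, f"unknown({type_id})"), non_resident == 0, content
        off += length

def resident_data(record: bytes) -> Optional[bytes]:
    """The file contents, if $DATA is small enough to live inside the entry."""
    for type_id, _, resident, content in iter_attributes(record):
        if type_id == 128 and resident:
            return content
    return None

def _resident_attr(type_id: int, content: bytes, attr_id: int) -> bytes:
    length = (24 + len(content) + 7) & ~7               # attribute records are 8-byte aligned
    head = struct.pack("<IIBBHHH", type_id, length, 0, 0, 0, 0, attr_id)   # common header
    head += struct.pack("<IHBB", len(content), 24, 0, 0)                    # resident header
    return (head + content).ljust(length, b"\x00")

def build_sample_record() -> bytes:
    """Constructed MFT entry: an in-use file with $STANDARD_INFORMATION and a
    resident $DATA attribute, attributes starting at offset 48."""
    attrs = (_resident_attr(16, bytes(48), 0)
             + _resident_attr(128, b"hello from the MFT", 1)
             + struct.pack("<I", ATTR_END))
    used = 48 + len(attrs)
    header = MFT_HEADER.pack(b"FILE", 42, 0, 0, 1, 1, 48, 0x0001, used, 1024, 0, 2)
    return (header.ljust(48, b"\x00") + attrs).ljust(1024, b"\x00")

if __name__ == "__main__":
    rec = build_sample_record()
    print(parse_mft_header(rec))
    for type_id, name, resident, content in iter_attributes(rec):
        print(type_id, name, "resident" if resident else "non-resident", content)
```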
Master Boot Record
● Master Boot Record (MBR) is used to store
essential information about the structure of the
hard disk.
● The MBR is always located at cylinder 0, head 0,
sector 0 (i.e. the first sector of the disk)
● It is where the BIOS finds the information on
how to proceed with booting and loading the OS
MBR Structure
● Boot Code (446 bytes): when this code is executed, it
hands over control to the next-stage boot program, which
is located in the active partition, so that the OS can be
loaded
● Partition Table (64 bytes): contains the information about
the physical partitions of the disk; one of the partitions
is marked as active
● MBR Signature (2 bytes): 55 AA
Partition Table
● The first partition table starts at address 0x1be in the
MBR
● Each entry consists of 16 bytes and all multi-byte fields
are little-endian
● Boot flag: (Active:0x80, inactive:0x00)
● Partition types, including FAT 12 (0x01), FAT 16 (0x04),
Extended (0x05), and NTFS (0x07)
MBR example [figure]
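A decoder for the MBR layout in the slides above, as an added example that is not part of the slides. It checks the 55 AA signature at the end of the sector, reads the four 16-byte entries at 0x1be with little-endian multi-byte fields, interprets the boot flag (0x80 active, 0x00 inactive) and the partition types the slides list, and flags overlapping sector ranges, which no normal partitioning tool produces. The sample sector is constructed, not taken from a real disk; the CHS fields are carried but not decoded.

```python
import struct

# Added example (not from the slides): decode the partition table of a 512-byte
# MBR sector: the 0x55 0xAA signature, the four 16-byte entries at 0x1be,
# each with its boot flag, type and little-endian LBA start/length.
# The sample sector is constructed, not taken from a real disk.

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE
ENTRY = struct.Struct("<B3sB3sII")   # boot flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x05: "Extended", 0x07: "NTFS"}  # from the slide

def parse_mbr(sector: bytes) -> dict:
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError(f"missing MBR signature, found {sector[510:512].hex()}")
    partitions = []
    for index in range(4):
        flag, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + index * 16)
        if ptype == 0:
            continue                       # unused entry
        if flag not in (0x80, 0x00):
            raise ValueError(f"entry {index}: invalid boot flag {flag:#04x}")
        partitions.append({"index": index, "active": flag == 0x80, "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, f"unknown({ptype:#04x})"),
                           "start_lba": lba, "sectors": count, "end_lba": lba + count - 1})
    return {"boot_code": sector[:446], "partitions": partitions}

def overlapping(partitions: list) -> list:
    """Pairs of partition indexes whose sector ranges overlap: a layout no
    normal partitioning tool produces and worth flagging during an exam."""
    pairs = []
    for i, a in enumerate(partitions):
        for b in partitions[i + 1:]:
            if a["start_lba"] <= b["end_lba"] and b["start_lba"] <= a["end_lba"]:
                pairs.append((a["index"], b["index"]))
    return pairs

def build_sample_mbr() -> bytes:
    """Constructed MBR: an active NTFS partition followed by a FAT16 one."""
    entries = (ENTRY.pack(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
               + ENTRY.pack(0x00, b"\x00\x00\x00", 0x04, b"\x00\x00\x00", 1_002_048, 500_000)
               + bytes(32))                # two unused entries
    return bytes(446) + entries + SIGNATURE

if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    for p in mbr["partitions"]:
        print(p)
    print("overlaps:", overlapping(mbr["partitions"]))
```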
Conclusion
● A forensic examiner must have an excellent
working knowledge of the file system that they
examine.
● Only in this way can a complete picture of the
investigation be obtained.
