File Systems 2
browser cache
"files" or "pages" saved on HD so that web content doesnt need to be downloaded if its unchanged
LBA
(Logical Block Address) Disk access by sector number. -Sectors are numbered consecutively, starting at 0.
MBR
(Master Boot Record) The first sector (LBA 0) of a hard disk, zip disk or flash drive contains the MBR. -446 bytes: boot code -64 bytes: partition table, four 16-byte entries (unused entries are zero-filled; up to three may be empty) -2 bytes: 0x55 0xAA (footer / signature; if it is absent the sector is not a valid MBR)
Attributes
(NTFS) used to record information (file system metadata) about files and directories within an MFT record. -Each has an attribute type identifier (four-byte unsigned integer). -They follow the standard header of the file entry. -They are stored in ascending order of attribute type identifier. -They vary in length, but each length is a multiple of 8 bytes (8-byte aligned). -The same attribute type may occur more than once in a file entry. -The end of the attributes is marked by 0xFFFFFFFF in the file entry. -Not all of the space allocated to an attribute need be used (space may be allocated but not used).
FAT file deletion
-The first byte of the directory entry (or entries, when there are LFN entries) is set to 0xE5. -The FAT entries for the file's clusters are set to 0 (000 / 0000 / 00000000 for FAT12 / FAT16 / FAT32). -The rest of the directory entry (remaining name characters, first cluster number, size) and the cluster contents are left in place, which is what recovery relies on.
registry files
-SAM -SECURITY -SOFTWARE -SYSTEM (all in %SystemRoot%\System32\config) -NTUSER.DAT (one per user, in the user's profile directory)
Unsigned Integer
0, 1, 2, 3, 4, ... = 0x00, 0x01, 0x02, ... 0x0A, 0x0B, ... -If the bits represent an unsigned integer, all of the bits are used to form the binary number (or, equivalently, the hexadecimal number); no bit is reserved for a sign, so the value is never negative.
FAT12
12 bits (1 1/2 bytes) per FAT entry, i.e. per cluster (two entries share a byte, so odd-numbered entries start in the middle of a byte)
FAT16
16 bits (2 bytes) per FAT entry, i.e. per cluster
FAT32
32 bits (4 bytes) per FAT entry, i.e. per cluster -only the low 28 bits (3 1/2 bytes) are significant; the high 4 bits are reserved and must be masked off when reading an entry
ADS
Alternate Data Stream -NTFS permits a file to have more than one $DATA (0x80) attribute; if a $DATA attribute is named, it is an alternate data stream -it stores its own data under the carrier file (the file it is attached to) -$Bad in $BadClus is an ADS -an ADS is largely hidden from the system (it does not appear in ordinary directory listings or in the file's reported size) -Forensic implication: an ADS is a way to hide data (files)
DVn.ext
D - deleted; V - drive (volume) letter; n - sequence number (0, 1, ...); ext - original extension. (Name given to a recycled file in the RECYCLED / RECYCLER directory that is tracked by INFO2.)
EFI
Extensible Firmware Interface (now standardized as UEFI, Unified Extensible Firmware Interface) -originally developed by Intel ("Tiano" reference implementation), since standardized as the firmware-to-operating-system interface. Includes boot services and partition (GPT) specifications.
FSINFO
FAT32 only -a sector containing "hints" about the file system -the sector number (within the partition) of FSINFO is stored in the VBR at bytes 0x30-0x31 (typically 1, immediately after the VBR) -number of free clusters at bytes 0x1E8-0x1EB -next free cluster at bytes 0x1EC-0x1EF -both values are hints only (0xFFFFFFFF means "unknown") and may be stale after an unclean unmount; the FAT itself is authoritative
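An added example (not code from the original page) of reading the FSINFO sector at the offsets given above and cross-checking its hints against the FAT, which is what a practitioner should do before trusting the free-cluster count. The VBR, FSINFO sector and FAT below are constructed sample data, not taken from a real volume; the constructed FAT has eight data clusters (2 to 9).

```python
import struct

FSINFO_LEAD_SIG = 0x41615252    # "RRaA" at offset 0x000
FSINFO_STRUCT_SIG = 0x61417272  # "rrAa" at offset 0x1E4
FSINFO_TRAIL_SIG = 0xAA550000   # 00 00 55 AA at offset 0x1FC
FSINFO_UNKNOWN = 0xFFFFFFFF     # field value meaning "not computed"


def fsinfo_sector(vbr):
    """Sector number of FSINFO, relative to the partition start: 16-bit LE at VBR offset 0x30."""
    if vbr[510:512] != b"\x55\xAA":
        raise ValueError("VBR signature missing")
    return struct.unpack_from("<H", vbr, 0x30)[0]


def parse_fsinfo(sector):
    """Validate the three signatures and return the two hints (None where the field says unknown)."""
    lead = struct.unpack_from("<I", sector, 0x000)[0]
    struct_sig, free_count, next_free = struct.unpack_from("<III", sector, 0x1E4)
    trail = struct.unpack_from("<I", sector, 0x1FC)[0]
    if (lead, struct_sig, trail) != (FSINFO_LEAD_SIG, FSINFO_STRUCT_SIG, FSINFO_TRAIL_SIG):
        raise ValueError("FSINFO signatures do not match: not an FSINFO sector")
    return {
        "free_clusters": None if free_count == FSINFO_UNKNOWN else free_count,
        "next_free": None if next_free == FSINFO_UNKNOWN else next_free,
    }


def count_free_fat32(fat, data_clusters):
    """Authoritative count: data clusters are numbered 2..N+1; an entry is free when its low 28 bits are 0."""
    return sum(1 for c in range(2, data_clusters + 2)
               if struct.unpack_from("<I", fat, 4 * c)[0] & 0x0FFFFFFF == 0)


def check_hints(fsinfo, fat, data_clusters):
    """Compare the hints with the FAT; a mismatch means the hints are stale and must not be reported as fact."""
    actual = count_free_fat32(fat, data_clusters)
    hinted = fsinfo["free_clusters"]
    nxt = fsinfo["next_free"]
    return {
        "actual_free": actual,
        "free_hint_stale": hinted is not None and hinted != actual,
        "next_free_in_range": nxt is not None and 2 <= nxt < data_clusters + 2,
    }


def sample_vbr(fsinfo_sector_number=1):
    """Constructed FAT32 VBR with only the fields this example reads."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x58\x90"                       # jump instruction
    vbr[3:11] = b"MSWIN4.1"                          # OEM name
    struct.pack_into("<H", vbr, 0x30, fsinfo_sector_number)
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


def sample_fsinfo(free_count, next_free):
    """Constructed FSINFO sector with valid signatures and the given hint values."""
    s = bytearray(512)
    struct.pack_into("<I", s, 0x000, FSINFO_LEAD_SIG)
    struct.pack_into("<III", s, 0x1E4, FSINFO_STRUCT_SIG, free_count, next_free)
    struct.pack_into("<I", s, 0x1FC, FSINFO_TRAIL_SIG)
    return bytes(s)


# Constructed FAT32 with 8 data clusters (2..9): 3, 4, 7 and 9 are free, but the hint claims 3.
SAMPLE_FAT = struct.pack("<10I", 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0, 0, 6, 0x0FFFFFFF, 0, 0x0FFFFFFF, 0)
SAMPLE_VBR = sample_vbr(1)
SAMPLE_FSINFO = sample_fsinfo(free_count=3, next_free=7)

if __name__ == "__main__":
    hints = parse_fsinfo(SAMPLE_FSINFO)
    print("FSINFO in sector", fsinfo_sector(SAMPLE_VBR), hints, check_hints(hints, SAMPLE_FAT, 8))
```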
FAT
File Allocation Table -A table with one entry for each cluster on the volume. A cluster's entry can be (values for FAT12 / FAT16 / FAT32): --000 / 0000 / 00000000: cluster not in use (free) --xxx / xxxx / xxxxxxxx: cluster in use to store a file or directory, and xxx... is the number of the next cluster used by that file or directory --FF8-FFF / FFF8-FFFF / 0FFFFFF8-0FFFFFFF: cluster in use and it is the last cluster of the file (EOF, end of file) --FF7 / FFF7 / 0FFFFFF7: bad cluster, not used for files
FAT file system
File system which uses a FAT to keep track of clusters' allocation.
GPT
GUID (Globally Unique Identifier) Partition Table. -Replaces the partition table of the MBR when EFI is used --a "protective" MBR is still present at sector 0 --a partition type of 0xEE in an MBR partition table entry indicates GPT --the GPT header follows the MBR (at LBA 1, starting with the ASCII signature "EFI PART"), with the partition entry array after it
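An added example (not code from the original page) that parses the MBR layout described under MBR above and recognises the 0xEE protective entry that signals a GPT. Besides the 446 / 64 / 2 byte split it does the checks a practitioner wants: the 0x55 0xAA signature must be present, each used entry yields the byte offset a carver would seek to, and overlapping partition ranges are reported because they indicate a crafted or damaged table. The two MBRs are constructed sample sectors, not images of real disks.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
PART_TABLE_OFFSET = 446          # 446 bytes of boot code come first
GPT_PROTECTIVE_TYPE = 0xEE


def parse_mbr(sector):
    """Split a 512-byte sector into boot code, partition entries and the 0x55AA footer."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55 0xAA signature: not an MBR")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE) sector count(4, LE)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue                      # unused (zero-filled) slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR,   # where to seek to read the partition's VBR
        })
    return {
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions),
    }


def overlapping_partitions(partitions):
    """Return (slot, slot) pairs whose sector ranges overlap; a sane table has none."""
    overlaps = []
    spans = [(p["slot"], p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions]
    for i, (a, a0, a1) in enumerate(spans):
        for b, b0, b1 in spans[i + 1:]:
            if a0 < b1 and b0 < a1:
                overlaps.append((a, b))
    return overlaps


def is_gpt_header(lba1):
    """The GPT header that follows a protective MBR starts with the ASCII signature 'EFI PART'."""
    return lba1[:8] == b"EFI PART"


def make_entry(status, ptype, lba_start, count):
    """Constructed 16-byte partition entry (CHS fields left zero; the LBA values are what matters)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, count)


def sample_mbr(entries):
    """Constructed MBR: dummy boot code, the given entries, zero-filled remaining slots, signature."""
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\xEB\xFE" + b"\x90" * 444 + table + MBR_SIGNATURE


# Classic layout: bootable FAT32 (type 0x0C) at LBA 2048 followed by NTFS (type 0x07).
CLASSIC = sample_mbr([make_entry(0x80, 0x0C, 2048, 204800),
                      make_entry(0x00, 0x07, 206848, 1024000)])
# Protective MBR as written in front of a GPT: a single 0xEE entry covering the whole disk.
PROTECTIVE = sample_mbr([make_entry(0x00, 0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, mbr in (("classic", CLASSIC), ("protective", PROTECTIVE)):
        info = parse_mbr(mbr)
        print(name, "GPT" if info["gpt_protective"] else "MBR", info["partitions"])
```

When `gpt_protective` is true the real partition layout is in the GPT, so the next read is LBA 1 and `is_gpt_header` should be checked before trusting anything in the MBR's single 0xEE entry.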
GUID
Globally Unique IDentifier
Cluster
Group of one or more consecutive sectors treated as a unit by the Microsoft file systems (FAT, exFAT, NTFS) -Also called an allocation unit
HKEY_CLASSES_ROOT
HKCR - application information --file type associations by extension --"open with" lists --commands (shell verbs) --an alias for HKLM\Software\Classes (merged with HKCU\Software\Classes)
HKEY_CURRENT_USER
HKCU - an alias (pointer) for HKU\<SID>, where SID is the SID of the currently logged-on user
HKEY_LOCAL_MACHINE
HKLM - hardware, software and security settings -- frequently important in investigations
HKEY_USERS
HKU -configuration information for users (by SID)
LFN
Long File Name -A file name using more than 8 characters for the name or 3 characters for the extension, or characters that are not legal in an MS-DOS 8.3 name. Also some names with mixed upper- and lower-case letters.
$MFT
Master File Table -a file containing an entry for every file and directory in the NTFS volume -the information for a file is held in an MFT record (file entry) -most of a file entry consists of attributes, which follow the standard header -entries 0-11 are used for the system (metadata) files and 12-23 are reserved -the first four bytes of each attribute are the attribute type identifier -MFT records are protected against torn writes by an update sequence (fixup) array: the last two bytes of each sector of the record are replaced by the update sequence number and the original bytes are stored in the record header; a reader must verify and restore them before parsing
NTFS
New Technology File System -number of clusters: up to 2^64-1 (theoretical), 2^32-1 (as implemented in XP) -cluster size: maximum 128 sectors per cluster, i.e. 64 KB with 512-byte sectors -maximum file size: ~2^64-1 bytes (theoretical), ~2^44-1 bytes (as implemented) -maximum number of files: 2^32-1 -file names up to 255 Unicode characters
FATs
The number of the first cluster used to store a file or directory is in the directory entry for the file. -The FAT entry for a cluster used to store a file contains either the number of the next cluster or an end-of-file marker, so a file's clusters are found by following the chain from the first cluster until the EOF marker.
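An added example (not code from the original page) that follows a FAT cluster chain as described above for all three widths, using the entry values listed under FAT, and then performs the deletion described under "FAT file deletion" to show what survives it. The chain walker refuses chains that loop, land on a free or bad cluster, or enter the reserved entries 0 and 1, because a damaged FAT will otherwise send a tool into an endless walk. The FAT tables and the directory entry are constructed sample data, not taken from a real volume.

```python
import struct

# Reserved entry values per FAT width; FAT32 only uses the low 28 bits of each entry.
FAT_MASK = {12: 0xFFF, 16: 0xFFFF, 32: 0x0FFFFFFF}


def fat_entry(fat, cluster, bits):
    """Read the entry for `cluster` (little-endian; FAT12 entries are 1.5 bytes, so odd ones start mid-byte)."""
    if bits == 12:
        off = cluster + cluster // 2
        word = fat[off] | (fat[off + 1] << 8)
        return word >> 4 if cluster & 1 else word & 0xFFF
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    if bits == 32:
        return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF
    raise ValueError("FAT width must be 12, 16 or 32")


def set_fat_entry(fat, cluster, value, bits):
    """Write an entry, preserving the neighbour's nibble (FAT12) or the reserved high bits (FAT32)."""
    if bits == 12:
        off = cluster + cluster // 2
        if cluster & 1:
            fat[off] = (fat[off] & 0x0F) | ((value & 0xF) << 4)
            fat[off + 1] = (value >> 4) & 0xFF
        else:
            fat[off] = value & 0xFF
            fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0xF)
    elif bits == 16:
        struct.pack_into("<H", fat, cluster * 2, value & 0xFFFF)
    else:
        old = struct.unpack_from("<I", fat, cluster * 4)[0]
        struct.pack_into("<I", fat, cluster * 4, (old & 0xF0000000) | (value & 0x0FFFFFFF))


def classify(entry, bits):
    """free / reserved / bad / eof / next, using the per-width reserved ranges (xFF7 bad, >= xFF8 EOF)."""
    bad = FAT_MASK[bits] - 8
    if entry == 0:
        return "free"
    if entry == 1:
        return "reserved"
    if entry == bad:
        return "bad"
    if entry > bad:
        return "eof"
    return "next"


def cluster_chain(fat, first, bits):
    """Follow the chain from the directory entry's first cluster to EOF; refuse loops and dangling links."""
    chain, seen, c = [], set(), first
    while True:
        if c < 2 or c in seen:
            raise ValueError("chain loops or enters a reserved cluster at %d" % c)
        seen.add(c)
        chain.append(c)
        kind = classify(fat_entry(fat, c, bits), bits)
        if kind == "eof":
            return chain
        if kind != "next":
            raise ValueError("cluster %d links to a %s entry" % (c, kind))
        c = fat_entry(fat, c, bits)


def first_cluster(dirent, bits):
    """Directory entry: low word at 0x1A, high word at 0x14 (FAT32 only), file size at 0x1C."""
    lo = struct.unpack_from("<H", dirent, 0x1A)[0]
    hi = struct.unpack_from("<H", dirent, 0x14)[0] if bits == 32 else 0
    return (hi << 16) | lo


def delete_file(dirent, fat, bits):
    """What deletion does: first byte -> 0xE5, chain entries -> 0. Name tail, first cluster, size and data remain."""
    chain = cluster_chain(fat, first_cluster(dirent, bits), bits)
    dirent, fat = bytearray(dirent), bytearray(fat)
    dirent[0] = 0xE5
    for c in chain:
        set_fat_entry(fat, c, 0, bits)
    return bytes(dirent), bytes(fat)


def recover_deleted(dirent, bits, cluster_bytes):
    """Recovery heuristic: the FAT no longer holds the chain, so assume the file was contiguous from its first cluster."""
    if dirent[0] != 0xE5:
        raise ValueError("entry is not flagged deleted")
    size = struct.unpack_from("<I", dirent, 0x1C)[0]
    n = max(1, -(-size // cluster_bytes))       # ceiling division
    start = first_cluster(dirent, bits)
    return list(range(start, start + n))


def build_fat(entries, bits):
    """Constructed FAT from a list of entry values (sized generously for any width)."""
    fat = bytearray(len(entries) * 4 + 4)
    for n, v in enumerate(entries):
        set_fat_entry(fat, n, v, bits)
    return bytes(fat)


def build_dirent(name83, first, size):
    """Constructed 32-byte short-name directory entry for a FAT32 volume."""
    d = bytearray(32)
    d[0:11] = name83
    struct.pack_into("<H", d, 0x14, first >> 16)
    struct.pack_into("<H", d, 0x1A, first & 0xFFFF)
    struct.pack_into("<I", d, 0x1C, size)
    return bytes(d)


# Constructed FAT32: README.TXT occupies 5 -> 6 -> 9 (fragmented); cluster 4 is bad; 8 points at itself.
FAT32_SAMPLE = build_fat([0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0, 0x0FFFFFF7,
                          6, 9, 0, 8, 0x0FFFFFFF, 0], 32)
README = build_dirent(b"README  TXT", 5, 3 * 4096 - 100)
```

The recovery heuristic returns 5, 6, 7 for the constructed file although its real chain was 5, 6, 9: after deletion the FAT cannot say where the third cluster was, so carved output of a fragmented file is only as good as the contiguity guess.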
Numerical Prefixes
Numerical prefixes are used to express large quantities, especially storage capacity. -Kilo (K): thousands -Mega (M): millions -Giga (G): billions -Tera (T): trillions -Peta (P): quadrillions -Exa (E): quintillions. (Note that storage software often uses the binary multiples instead, e.g. 1 KB = 1024 bytes, 1 MB = 1024 KB; check which convention a tool reports.)
SID
Security IDentifier -MS Windows unique, unchangeable identifier for a "security principal" (user, group or computer account)
VFAT
Virtual File Allocation Table -Windows adaptation of FAT to support long file names (LFNs) alongside the 8.3 directory entries
Data run
a contiguous group of clusters holding part of a non-resident attribute's contents -encoded as the number of clusters in the run followed by the starting cluster; the start is stored as a signed offset relative to the previous run's start (the first run's offset is relative to cluster 0), so a fragmented attribute is a list of (length, start) pairs and a run placed before its predecessor has a negative offset
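An added example (not code from the original page) that decodes an NTFS run list as described above: the header byte gives the sizes of the length and offset fields, the length is an unsigned little-endian count, and the offset is a signed little-endian value added to the previous run's start. It also maps a virtual cluster number (VCN, the position within the attribute) to a logical cluster on the volume, which is what a tool needs to read a non-resident $DATA attribute. The run list bytes are constructed sample data, chosen to include a backwards (negative offset) run and a sparse run.

```python
def decode_data_runs(raw):
    """Decode an NTFS run list into (start_lcn, length) pairs; start_lcn is None for sparse runs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw):
        header = raw[pos]
        pos += 1
        if header == 0:                       # a 0x00 header byte terminates the run list
            return runs
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("malformed run header 0x%02x at %d" % (header, pos - 1))
        length = int.from_bytes(raw[pos:pos + len_size], "little")   # unsigned cluster count
        pos += len_size
        if length == 0:
            raise ValueError("zero-length run")
        if off_size == 0:
            runs.append((None, length))       # sparse run: no clusters allocated
            continue
        # The offset is a signed little-endian integer relative to the previous run's start,
        # so a run that lies before its predecessor has a negative (two's complement) offset.
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        if lcn < 0:
            raise ValueError("run list points before cluster 0")
        runs.append((lcn, length))
    raise ValueError("run list not terminated")


def vcn_to_lcn(runs, vcn):
    """Map a virtual cluster (index within the attribute) to its logical cluster on the volume."""
    base = 0
    for start, length in runs:
        if vcn < base + length:
            return None if start is None else start + (vcn - base)
        base += length
    raise ValueError("VCN %d beyond the end of the attribute (%d clusters)" % (vcn, base))


def byte_offset(runs, vcn, cluster_bytes):
    """Volume byte offset of a VCN, or None if it falls in a sparse run (reads as zeros)."""
    lcn = vcn_to_lcn(runs, vcn)
    return None if lcn is None else lcn * cluster_bytes


# Constructed run list: 16 clusters at LCN 4096; 8 clusters before it at 4088 (offset 0xF8 = -8);
# 4 sparse clusters (header 0x01: no offset field); 2 clusters at 4120 (offset +0x20 from 4088).
SAMPLE_RUNS = bytes([0x21, 0x10, 0x00, 0x10,
                     0x11, 0x08, 0xF8,
                     0x01, 0x04,
                     0x11, 0x02, 0x20,
                     0x00])

if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNS)
    print(runs)
    print([vcn_to_lcn(runs, v) for v in range(sum(n for _, n in runs))])
```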
Links
additional references to files, alternate access to files
0x80 $data
alternate data stream (ADS) -a second (or third, ...) 0x80 $data attribute which is named; it is attached to an existing file or directory, essentially a file attached to a file
0x10 $standard_information
always resident -the non-resident flag at offset 0x08 of the attribute header is always 00 -four dates/times (64-bit FILETIME values, UTC): file creation (born), file alteration (modification, write), file entry (MFT record) alteration (change), file read (accessed)
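An added example (not code from the original page) that ties together the points made under Attributes, $MFT and $standard_information: it verifies and undoes the update sequence of an MFT record, walks the attributes from the header's first-attribute offset to the 0xFFFFFFFF end marker, checks that each length is a multiple of 8, and decodes the four FILETIME values of the resident $STANDARD_INFORMATION attribute into UTC datetimes. The 1024-byte record is constructed sample data built by `build_sample_record`, not a record taken from a real volume; the FILETIME constant for 2000-01-01 is a fact, not an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_END = 0xFFFFFFFF
STANDARD_INFORMATION = 0x10


def filetime_to_datetime(ft):
    """FILETIME: unsigned 64-bit count of 100 ns intervals since 1601-01-01; stored as UTC on disk."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(record, sector_size=512):
    """Verify the update sequence (last 2 bytes of every sector == USN) and restore the original bytes."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d (torn write or corruption)" % (i - 1))
        rec[end - 2:end] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def iter_attributes(record):
    """Walk attributes from the header's first-attribute offset until the 0xFFFFFFFF end marker."""
    first_attr, = struct.unpack_from("<H", record, 0x14)
    used, = struct.unpack_from("<I", record, 0x18)
    off = first_attr
    while off + 4 <= used:
        atype, = struct.unpack_from("<I", record, off)
        if atype == ATTR_END:
            return
        length, = struct.unpack_from("<I", record, off + 4)
        if length < 0x18 or length % 8:          # attribute lengths are 8-byte aligned
            raise ValueError("bad attribute length 0x%x at 0x%x" % (length, off))
        nonresident, name_len = record[off + 8], record[off + 9]
        yield atype, nonresident, name_len, record[off:off + length]
        off += length
    raise ValueError("attribute list not terminated within the used size")


def standard_information_times(attr):
    """Decode the four FILETIMEs at the start of a resident $STANDARD_INFORMATION body."""
    content_size, content_off = struct.unpack_from("<IH", attr, 0x10)
    body = attr[content_off:content_off + content_size]
    created, modified, mft_modified, accessed = struct.unpack_from("<QQQQ", body, 0)
    return {"created": filetime_to_datetime(created),
            "modified": filetime_to_datetime(modified),
            "mft_modified": filetime_to_datetime(mft_modified),
            "accessed": filetime_to_datetime(accessed)}


def build_sample_record():
    """Constructed 1024-byte record: header, one $STANDARD_INFORMATION, end marker, fixups applied."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)      # USA at 0x30: USN + one entry per 512-byte sector
    struct.pack_into("<H", rec, 0x14, 0x38)          # first attribute follows the USA, 8-byte aligned
    struct.pack_into("<H", rec, 0x16, 0x01)          # flags: record in use
    struct.pack_into("<II", rec, 0x18, 0x84, 1024)   # used size, allocated size
    a = 0x38
    # header: type, length, non-resident flag, name len, name off, flags, id, content size, content off
    struct.pack_into("<IIBBHHHIH", rec, a, STANDARD_INFORMATION, 0x48, 0, 0, 0x18, 0, 0, 48, 0x18)
    t0 = 125911584000000000                          # 2000-01-01 00:00:00 UTC as a FILETIME
    hour = 36_000_000_000                            # one hour in 100 ns units
    struct.pack_into("<QQQQ", rec, a + 0x18, t0, t0 + hour, t0 + 2 * hour, t0 + 3 * hour)
    struct.pack_into("<I", rec, a + 0x48, ATTR_END)
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                 # pretend each sector ended in AB CD before fixup
        end = i * 512
        rec[end - 2:end] = b"\xAB\xCD"
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)
```

A tool that skips `apply_fixups` will read the update sequence number in place of the last two bytes of every sector, which corrupts any attribute that happens to span a sector boundary; a mismatch there is itself evidence of a torn write.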
mount
attach a storage device to a system so the data on the device is accessible -attach a volume within a file system so that the volume is incorporated into the file system (usually as a directory)
Resident Attribute
attribute stored entirely within the MFT entry (many attributes are resident) -consists of a header and the contents (data) immediately after it
Non-resident Attribute
attribute whose contents are partially (possibly mostly) outside the $MFT -the $data attribute is frequently non-resident -consists of a header and the location (clusters, given by data runs) of the attribute's contents -non-resident flag at offset 0x08 is 01
$MFTMirr
backup copy of the first four file entries of $MFT (used to recover the system files if the start of $MFT is damaged)
Little Endian
bytes are stored with the least significant byte first, so a multi-byte value appears in reverse order from its hexadecimal spelling (0x1234 is stored as 34 12). -Intel (x86) architecture uses little endian, and so do the on-disk structures of FAT and NTFS
shell bags
collection of registry keys recording each folder's display settings for a user (and therefore evidence that the user browsed that folder)
tree
collection of nodes connected by directed edges with no cycles
Sysinternals Suite
collection of tools (software) for obtaining information (some live) about a computer
$Upcase
contains an entry for every Unicode character mapping it to upper case; used for case-insensitive comparison and ordering (collating) of file names
$Volume
contains information about the volume itself (volume name, NTFS version, dirty flag) -its $data is empty (file size 0) -may be contained completely within $MFT (all attributes resident)
symbolic link
creates a 0xC0 $reparse_point attribute on the link file, holding the target path
short cut
creates a new file (.lnk) with the link information in its 0x80 $data attribute
registry data
a registry value has three parts: -name -type (e.g. REG_SZ, REG_DWORD, REG_BINARY) -data
b-tree
data structure which can be searched efficiently -an NTFS directory's files (and subdirectories) are kept in a B-tree index
registry
database of settings and information for a system. Maintained in several files (hives) and in memory -intended to replace initialization (.ini) and configuration files
decremented
decreased by 1
$Extend
directory for containing additional files for NTFS (extending NTFS)
recycle bin
one logical Recycle Bin that extends across all volumes; each volume keeps its own recycle directory (RECYCLED / RECYCLER / $Recycle.Bin)
exFAT
extended FAT (extended File Allocation Table) -larger files and more files than FAT32 -max volume size (theoretical) 2^57 -primary VBR occupies sectors 0-11, backup VBR sectors 12-23 -intended for larger flash drives and SSDs -older versions of digital forensics tools may not recognize exFAT -allocation status of clusters is recorded in an allocation bitmap file rather than in the FAT (the FAT is only consulted for fragmented files)
INFO2
file (a small database) in RECYCLED (FAT) or RECYCLER\<User_SID> (NTFS) containing information about deleted files (original path, drive, deletion time, size) on Windows 2000/XP
Sparse File
file with a large number of consecutive null bytes (an entire cluster or more of null bytes); NTFS can leave such clusters unallocated (sparse runs) instead of storing them
$BOOT
the first sector(s) of the volume, cluster number 0 in NTFS -contains data about the file system -contains the important file system parameters (OEM ID "NTFS    ", bytes per sector, sectors per cluster, starting cluster of $MFT and $MFTMirr, size of an MFT file record (usually 2 sectors / 1024 bytes), etc.) -footer (signature) 55 AA
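An added example (not code from the original page) that parses the $Boot parameters listed above and derives the byte offset of the $MFT, which is the first thing a tool needs when reading an NTFS volume. The file-record and index-record size fields are signed bytes: a positive value counts clusters, a negative value n means 2^(-n) bytes, which is how the usual 1024-byte record is encoded as 0xF6 (-10). This is the signed-integer rule given under "Signed Integer" and "Two's complement" applied to a real field. The boot sector is constructed sample data, not taken from a real volume.

```python
import struct

NTFS_OEM = b"NTFS    "


def size_from_code(code, cluster_bytes):
    """Signed byte: >0 is a count of clusters; <0 is -log2 of the size in bytes (0xF6 = -10 -> 1024)."""
    if code < 0:
        return 1 << (-code)
    return code * cluster_bytes


def parse_ntfs_boot(sector):
    """Parse the $Boot sector and derive the numbers needed to reach the $MFT."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55 0xAA boot signature")
    if sector[3:11] != NTFS_OEM:
        raise ValueError("OEM ID is not 'NTFS    '")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    # the two size codes are SIGNED bytes ('b'), each padded to 4 bytes
    record_code, index_code = struct.unpack_from("<b3xb3x", sector, 0x40)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector %d" % bytes_per_sector)
    if (sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1)
            or sectors_per_cluster > 128):
        raise ValueError("sectors per cluster must be a power of two up to 128")
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster_bytes,      # seek here to read record 0 ($MFT itself)
        "mftmirr_lcn": mftmirr_lcn,
        "mft_record_bytes": size_from_code(record_code, cluster_bytes),
        "index_record_bytes": size_from_code(index_code, cluster_bytes),
        "volume_serial": serial,
    }


def sample_boot_sector():
    """Constructed $Boot: 512-byte sectors, 8 sectors/cluster, $MFT at LCN 786432, record code 0xF6 (-10)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                         # jump instruction
    s[3:11] = NTFS_OEM
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    s[0x15] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<QQQ", s, 0x28, 0x1FFFFF, 786432, 2)
    struct.pack_into("<b3xb3x", s, 0x40, -10, 1)     # 2**10 = 1024-byte records; 1 cluster per index record
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    for k, v in parse_ntfs_boot(sample_boot_sector()).items():
        print(k, v)
```

Reading the size code as an unsigned byte (0xF6 = 246 clusters) is a classic parser bug; the 'b' format code in `struct` is what makes the two's complement interpretation explicit.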
0x30 $file_name
for "standard" file, resident attribute -may occur more than once (SFN, hard links) -MFT entry number of parent or containing directory -use 0x10 $standard_information for dates/times flags -use file size in 0x80 $data -file name in unicode (two bytes per character)
0xA0 $index_allocation
for the non-root nodes of the B-tree (index nodes), stored in clusters located by the attribute's data runs
0x90 $index_root
for the root of the B-tree -named $I30 for a directory's file name index -32 bytes of index parameters (attribute type indexed, collation rule, bytes and clusters per index node, offsets and sizes of the entries) -followed by the file (index) entries: at least one, the last being an empty end-of-list entry
$LogFile
transaction journal of metadata changes -forensic value: may contain file name and data fragments from recent operations, including for files since deleted
$Secure
holds the security descriptors (ACLs) shared by files on the volume, referenced from each file entry by a security ID
Signed Integer
if the bits represent an arbitrary (positive or negative) integer (0, +-1, +-2, ...), the leading (most significant) bit gives the sign of the number: 0 for positive, 1 for negative. -In two's complement, the representation actually used, a negative value x in n bits is stored as 2^n + x, so the remaining bits are not simply the absolute value: -1 in one byte is 0xFF and -8 is 0xF8. -If a byte (8 bits) is written in hexadecimal, the leading bit is 1 (the signed integer is negative) exactly when the high digit is 8, 9, A, B, C, D, E or F.
incremented
increased by 1
nonroot node
index node -stored in the clusters designated (by data runs) in 0xA0 $index_allocation -starts with "INDX" (ASCII): four bytes at offset 0x00 -four bytes at offset 0x18 give the offset, relative to 0x18, of the first entry -after the index header come the file (index) entries -like MFT records, INDX records carry an update sequence array that must be verified and applied before the entries are parsed
$Ixxxx.ext
metadata about a recycled file (original path, size, deletion time) in $Recycle.Bin on Vista and later; xxxx pairs it with the $R file holding the contents
Hard Link
link to file contents -a direct reference to the same file contents (the same MFT entry) -creates an additional 0x30 $file_name attribute in that entry; the contents are freed only when the last name is deleted
jump list
lists of recent items, organized by program. May include pinned items
plug-in
module which can be added to larger program to give additional functionality
MRU
most recently used order
MFT Entry
holds mostly (perhaps all of) a file's metadata, and for small files the data too
KEYS
nodes below the hives in the registry -each carries a last-write time -contain VALUES (and subkeys)
root node
node which has no parent
leaf
node without children
dates and times
also recorded elsewhere in the MFT (e.g. in $file_name) -the $standard_information times are the ones the system uses and displays -stored as UTC (64-bit FILETIME, 100 ns units since 1601-01-01) and converted to the local time zone (including daylight saving or other local bias) when shown to the user, so a tool must know the machine's time zone to reproduce what the user saw
$Rxxxx.ext
the recycled file's contents, renamed; xxxx matches the $I file that holds its original name and path
RegRipper
registry hive file analyzer (plug-in based, runs against offline hive files)
thumbnail
small graphic for a graphics file or icon for nongraphics file
cookie
small text file (or, in newer browsers, a database record) with information from a web site visit
Soft Link
symbolic link -a link made to the file's path (metadata), not to its contents -indirect reference to the file contents, resolved through the reparse point each time it is opened
HIVES
top-level nodes of the registry as presented by the API -names begin with HKEY -each is backed by one or more hive files
$BadClus
tracks bad clusters
$BITMAP
tracks use of clusters, one bit per cluster -1 (set): cluster is in use -0 (clear): cluster is not in use
subtree
tree starting at a given node
0xC0 $reparse_point
used to mount volumes and also for symbolic links
0x20 $attribute_list
used when a file's attributes will not fit in one file entry (MFT file record) -list entry: attribute type, length of the entry, MFT entry number holding the attribute, attribute ID, attribute name (if named)
Two's complement
the representation of signed integers in which the leading bit indicates positive (if 0) or negative (if 1), and a negative value x in n bits is stored as 2^n + x (so 0xF8 read as a signed byte is -8)