Uncovering the Secrets of NTFS File Records: A Digital Forensics Guide

Windows file system forensics is a vital aspect of digital forensics investigations, as it allows examiners to recover and analyze evidence from the file system of a Windows operating system. One key element of Windows file system forensics is understanding the anatomy of NTFS (New Technology File System) file records.

In this article, we will delve into the structure and function of NTFS file records, provide real-life use cases for their analysis, and explore some of the tools and techniques used by digital forensics professionals to examine these artifacts.


What are NTFS File Records?

NTFS is the default file system used by Windows operating systems. It is a high-performance and self-healing file system that organizes and stores data on a hard drive in a hierarchical structure, with directories serving as containers for files and other directories.

NTFS file records, also known as file system records or MFT (Master File Table) entries, sit at the lowest level of this hierarchy. Each file and directory on an NTFS volume is represented by a unique file record that contains metadata about the file or directory, as well as pointers to the actual data contained within the file.


Anatomy of an NTFS File Record

An NTFS file record consists of several key fields, including:

  • File record header: This contains metadata about the file record itself, such as the record number, flags indicating the status of the file, and the sequence number of the file record.

  • File name attribute: This contains the name and extension of the file, as well as timestamps for when the file was created, modified, and accessed.

  • Standard information attribute: This includes metadata about the file, such as its attributes (e.g. read-only, hidden, etc.), timestamps for when the file's attributes were last modified, and the security descriptor of the file.

  • Data attribute: This contains pointers to the actual data contained within the file. In the case of small files (less than about 500 bytes), the data itself may be stored within the file record.

  • Attribute list attribute: If a file has more than one attribute (e.g. multiple data attributes), these will be listed in the attribute list attribute.


Importance of File System Artifacts in Digital Forensics Investigations

File system artifacts, such as file records and directory entries, are an important source of evidence in many types of digital forensics investigations. They can provide information about the files and directories on a hard drive, including their names, timestamps, attributes, and data pointers. By examining these artifacts, forensic analysts can recover and analyze evidence that can be used to understand the actions of the user, the history of the system, and the contents of the hard drive.


Forensic Imaging and the Importance of Creating a Forensic Image

Before examining the file system of a hard drive, it is important to create a forensic image of the drive. A forensic image is a bit-by-bit copy of the hard drive, including all data, deleted files, and unallocated space. Creating a forensic image allows you to preserve the evidence on the original hard drive while performing your analysis, ensuring that the data is not modified or corrupted during the process.

There are several tools available for creating forensic images, including FTK Imager and dd. It is important to follow best practices when creating a forensic image, including verifying the integrity of the image and documenting the imaging process.


Real-Life Use Cases for NTFS File Record Analysis

There are many situations in which a digital forensics examiner may need to analyze NTFS file records as part of an investigation. Some examples include:

  • Recovering deleted files: When a file is deleted on an NTFS volume, the file's name is removed from the directory and the file's file record is marked as deleted. However, the actual data contained within the file may still be present on the hard drive and can be recovered by analyzing the file record and following the pointers to the data.

  • Examining file timestamps: The timestamps contained within NTFS file records can be used to establish the chronology of events on a computer. For example, an examiner may be able to determine the order in which files were modified or accessed by analyzing the timestamps within the file records.

  • Identifying suspicious activity: NTFS file records may contain evidence of malicious activity, such as new files or directories created by a malware infection. Examining file records can help an investigator identify and track these types of events.


Tools and Techniques for Examining NTFS File Records

There are several tools and techniques that digital forensics professionals can use to examine NTFS file records as part of an investigation. Some examples include:


Manual analysis: File records can be manually examined by using a hex editor to view the raw data on the hard drive. This can be a time-consuming process, but it allows the examiner to get a detailed understanding of the structure and content of the file records. Hex editors display the raw binary data of a file as a series of hexadecimal values, making it possible to see the underlying structure of the data. Some popular hex editors for digital forensics include Hex Workshop, HxD, and WinHex.

To use a hex editor to examine NTFS file records, follow these steps:

  1. Open the hex editor and load the forensic image of the hard drive.

  2. Navigate to the location of the NTFS file records on the hard drive. On an NTFS volume, the file records are stored in a system file called the Master File Table (MFT). The MFT is typically located at the beginning of the volume, and its location can be found in the boot sector of the volume.

  3. Use the hex editor to view the raw data at the location of the MFT. The file records in the MFT are arranged in a fixed-size format, with each record taking up 1024 bytes of space. The first four bytes of each record contain the offset of the next record, allowing you to navigate from one record to the next.

  4. Examine the contents of each file record to extract metadata and data pointers. The structure of NTFS file records is complex, but you can use references such as the "Windows Internals" book by Mark Russinovich to help understand the layout of the data.
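As an added example (not code from the article, and not from any of the tools it names), the following Python parses one raw 1024-byte file record the way the manual steps above describe, and exposes the fields listed under "Anatomy of an NTFS File Record": the header (record number, sequence number, the in-use flag that is cleared when a file is deleted), the four timestamps in $STANDARD_INFORMATION and $FILE_NAME, and resident $DATA content for small files. Offsets follow the documented NTFS on-disk layout: a record begins with the "FILE" signature and carries an update sequence array whose fixups must be verified and reversed before any field is trusted. The record it parses is constructed inside the script as test data, so it runs without an image; on evidence, read RECORD_SIZE bytes at a time from an extracted $MFT (the true record size comes from the boot sector).

```python
"""Parse one on-disk NTFS file record (an MFT entry) with the standard library.

Added example for this article; not code from the article or any tool it names.
Offsets follow the documented NTFS layout: FILE record header, update sequence
array, attribute headers, resident $STANDARD_INFORMATION / $FILE_NAME / $DATA.
"""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024   # default; the real value is in the boot sector
SECTOR_SIZE = 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST",
              0x30: "$FILE_NAME", 0x80: "$DATA", 0x90: "$INDEX_ROOT"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()


def undo_fixups(raw):
    """Verify and reverse the update sequence fixups at the end of each sector.
    NTFS overwrites the last two bytes of every sector with the update sequence
    number (USN) and keeps the originals in the array; a mismatch is a torn write."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Return header fields and parsed resident attributes of one record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record: signature %r" % raw[:4])
    rec = undo_fixups(raw)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "sequence": seq, "hard_links": links,
            "in_use": bool(flags & 0x01),        # cleared when the file is deleted
            "is_directory": bool(flags & 0x02), "attributes": []}
    off = first_attr
    while off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:     # end-of-attributes marker
            break
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)),
                "non_resident": bool(rec[off + 8])}
        if not attr["non_resident"]:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:    # created, modified, MFT modified, accessed; DOS flags
                cr, mo, mf, ac = struct.unpack_from("<QQQQ", body, 0)
                attr.update(created=filetime_to_iso(cr), modified=filetime_to_iso(mo),
                            mft_modified=filetime_to_iso(mf), accessed=filetime_to_iso(ac),
                            dos_flags=struct.unpack_from("<I", body, 32)[0])
            elif atype == 0x30:  # parent reference (low 48 bits = record), name
                parent_ref = struct.unpack_from("<Q", body, 0)[0]
                nlen, namespace = body[64], body[65]
                attr.update(parent_record=parent_ref & 0xFFFFFFFFFFFF, namespace=namespace,
                            name=body[66:66 + 2 * nlen].decode("utf-16-le"))
            elif atype == 0x80:  # small files keep their data inside the record
                attr["content"] = body
        info["attributes"].append(attr)
        off += alen
    return info


def _resident_attr(atype, body):
    """Build a resident attribute: 24-byte header + body, padded to 8 bytes."""
    total = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 24, 0, 0)
    return hdr + body + b"\0" * (total - 24 - len(body))


def build_sample_record():
    """Constructed test data: record 64, an in-use file notes.txt in the root directory."""
    t = 132_000_000_000_000_000                  # FILETIME for 2019-04-17 18:40:00 UTC
    std = struct.pack("<QQQQIIII", t, t + 10_000_000, t + 10_000_000, t + 20_000_000,
                      0x20, 0, 0, 0)             # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    name = "notes.txt".encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, t, t, t, t, 8, 5, 0x20, 0, 9, 3) + name
    attrs = (_resident_attr(0x10, std) + _resident_attr(0x30, fn)
             + _resident_attr(0x80, b"hello") + b"\xff\xff\xff\xff\0\0\0\0")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x01,
                      0x38 + len(attrs), RECORD_SIZE, 0, 4, 0, 64)
    rec = bytearray(hdr + b"\0" * 8 + attrs)    # 8 bytes: 6-byte update sequence array + pad
    rec += b"\0" * (RECORD_SIZE - len(rec))
    usn = b"\x07\x00"                            # apply fixups exactly as the driver does
    rec[0x30:0x32] = usn
    for i in (1, 2):
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    for attr in parse_record(build_sample_record())["attributes"]:
        print(attr)
```

The fields it prints for a record should agree with what istat reports for the same record number; when the fixup check fails, treat the record as torn or corrupt rather than following its data pointers. Non-resident attributes (large $DATA streams) are only flagged here, since their data runs live outside the record and need a separate run-list decoder.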


FTK Imager: This tool, developed by AccessData, allows users to create forensic images of hard drives and examine the file system structure, including NTFS file records. It includes a GUI that allows users to view and analyze file records in a more user-friendly manner. FTK Imager can extract and display metadata from file records, including timestamps, attributes, and data pointers. It also includes a feature for recovering deleted files by analyzing their file records and reconstructing the data from the pointers.

To use FTK Imager to examine NTFS file records, follow these steps:

  1. Download and install FTK Imager from the AccessData website (https://accessdata.com/).

  2. Launch FTK Imager and select "Create Disk Image" from the main menu.

  3. Follow the prompts to create a forensic image of the hard drive you want to examine.

  4. Once the forensic image is created, select "View Disk Image" from the main menu.

  5. In the Disk Image Viewer window, navigate to the file system of the image (e.g. NTFS) and double-click on a file or directory to view its metadata and contents.

  6. To view the file records for a file or directory, right-click on the item and select "Properties".

  7. This will open the Properties window, showing the metadata and data pointers contained within the file record.


Autopsy: This open-source digital forensics platform includes a module for examining NTFS file records, allowing users to view and analyze file metadata, recover deleted files, and view timestamps and other metadata. Autopsy has a GUI interface that makes it easy to navigate the file system and view the contents of file records. It also includes features for searching and filtering file records, making it easier to locate specific artifacts of interest.

To use Autopsy to examine NTFS file records, follow these steps:

  1. Download and install Autopsy from the Sleuth Kit website (https://www.sleuthkit.org/autopsy/).

  2. Launch Autopsy and create a new case.

  3. Add the forensic image of the hard drive you want to examine to the case.

  4. In the main window, navigate to the file system of the image (e.g. NTFS) and double-click on a file or directory to view its metadata and contents.

  5. To view the file records for a file or directory, right-click on the item and select "File Properties". This will open the File Properties window, showing the metadata and data pointers contained within the file record.


The Sleuth Kit (TSK): This open-source toolkit includes a suite of command-line tools for examining file systems, including NTFS. One useful tool in the TSK suite is fls, which allows users to list file records in an NTFS partition and extract metadata from the file records. For example, the command

    fls -f ntfs -r -m / image.dd

will list the file records in the NTFS partition of the forensic image image.dd, showing the file names and metadata for each file.

The -m / flag specifies that you want to list the file records in the root directory of the partition (i.e. the top-level directory), while the -r flag indicates that you want to list both allocated and deleted file records. The -f ntfs flag specifies that the file system is NTFS.

TSK also includes tools for extracting and analyzing specific file records, such as istat for displaying detailed metadata and icat for extracting the data contained within a file record. To use these tools, you will need to specify the file record number and the forensic image file.

Here is an example of using the istat tool to display detailed metadata for file record 3:

    istat -f ntfs image.dd 3

And here is an example of using the icat tool to extract the data from file record 3 and save it to a file called output.txt:

    icat -f ntfs image.dd 3 > output.txt

By using these tools and techniques, you can effectively examine NTFS file records as part of a digital forensics investigation. Understanding the structure and function of these artifacts can help you recover and analyze evidence from Windows systems more effectively.


Hands-On Example: Examining NTFS File Records with TSK

To further illustrate the process of examining NTFS file records, let's walk through a hands-on example using TSK. In this example, we will use the fls and istat tools to list and analyze file records in an NTFS partition.

  • First, we need to obtain a forensic image of the hard drive that we want to examine. You can use one of the tools mentioned above (e.g. FTK Imager, dd) to create a forensic image of the hard drive.

  • Next, we need to install TSK on our forensic workstation. TSK is available for download from the Sleuth Kit website (https://www.sleuthkit.org/).

  • Once TSK is installed, open a command prompt and navigate to the directory where TSK is installed.

  • To list the file records in the NTFS partition of the forensic image, use the fls tool with the following command:

    fls -f ntfs -r -m / image.dd

This will list all of the file records in the root directory of the NTFS partition, including both allocated and deleted file records. The output will show the file name, metadata, and data pointers for each file record.

  • To view the detailed metadata for a specific file record, use the istat tool with the following command:

    istat -f ntfs <image> <record number>

For example, to view the metadata for file record 3, use the command

    istat -f ntfs image.dd 3

This will display a detailed breakdown of the metadata contained within the file record, including timestamps, attributes, and data pointers.

  • To extract the data from a file record, use the icat tool with the following command:

    icat -f ntfs <image> <record number> > <output file>

For example, to extract the data from file record 3 and save it to a file called output.txt, use the command

    icat -f ntfs image.dd 3 > output.txt

This will extract the data from the file record and save it to the specified file.
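The listing fls produces is the starting point for both the TSK section and the hands-on walkthrough above, so the following Python (an added example, not code from the article or from The Sleuth Kit) turns it into something an examiner can act on. It assumes the pipe-delimited body format that fls writes when run with -m (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, with the NTFS inode given as record-attrtype-attrid and deleted names carrying a " (deleted)" or " (deleted-realloc)" suffix), separates allocated from deleted entries, flattens the four timestamps into one sorted timeline for the chronology use case, and builds the istat and icat command lines for a chosen record. The listing, the image name image.dd and the record numbers in it are constructed sample data.

```python
"""Triage a TSK body-format listing (output of fls -m / ...) for an NTFS image.

Added example, not code from the article or from The Sleuth Kit. Assumes the
TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
"""
import re
from datetime import datetime, timezone

# Constructed sample listing; paths, record numbers and times are made up.
SAMPLE_FLS_OUTPUT = """\
0|/Users/alice|60-144-1|d/drwxrwxrwx|0|0|56|1555526400|1555526400|1555526400|1555000000
0|/Users/alice/notes.txt|64-128-1|r/rrwxrwxrwx|0|0|5|1555526402|1555526401|1555526401|1555526400
0|/Users/alice/report.docx (deleted)|71-128-3|r/rrwxrwxrwx|0|0|10240|1555600000|1555599000|1555599000|1555500000
0|/Temp/a.tmp (deleted-realloc)|72-128-1|r/rrwxrwxrwx|0|0|0|1555700000|1555700000|1555700000|1555700000
"""
DELETED_RE = re.compile(r" \((deleted(?:-realloc)?)\)$")
# For NTFS, TSK reports $STANDARD_INFORMATION times; its "ctime" is the MFT-modified time.
TIME_FIELDS = ("accessed", "modified", "mft_modified", "created")


def parse_body_line(line):
    """One body-format line -> dict with record number, status and epoch timestamps."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError("not a body-format line: %r" % line)
    name, inode, mode, size = fields[1], fields[2], fields[3], int(fields[6])
    m = DELETED_RE.search(name)
    record, attr_type, attr_id = (int(x) for x in inode.split("-"))
    return {"name": name[:m.start()] if m else name,
            "status": m.group(1) if m else "allocated",
            "record": record, "attr_type": attr_type, "attr_id": attr_id,
            "is_dir": mode.startswith("d/"), "size": size,
            "times": dict(zip(TIME_FIELDS, map(int, fields[7:11])))}


def parse_body(text):
    return [parse_body_line(l) for l in text.splitlines() if l.strip()]


def deleted_records(entries):
    """(record, status) for unallocated names. 'deleted-realloc' means the MFT
    slot has been reused, so its data pointers may now belong to another file."""
    return [(e["record"], e["status"]) for e in entries if e["status"] != "allocated"]


def timeline(entries):
    """Flatten all four timestamps into one sorted (iso_time, event, path) list."""
    rows = [(datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), ev, e["name"])
            for e in entries for ev, ts in e["times"].items()]
    return sorted(rows)


def tsk_commands(entry, image="image.dd"):
    """istat/icat invocations for one entry; icat accepts the full record-type-id spec
    so the right $DATA attribute is extracted when a record has several."""
    inode = "%d-%d-%d" % (entry["record"], entry["attr_type"], entry["attr_id"])
    return ("istat -f ntfs %s %d" % (image, entry["record"]),
            "icat -f ntfs %s %s" % (image, inode))


if __name__ == "__main__":
    entries = parse_body(SAMPLE_FLS_OUTPUT)
    for record, status in deleted_records(entries):
        print("deleted:", record, status)
    for row in timeline(entries):
        print(*row)
    print(*tsk_commands(entries[2]), sep="\n")
```

Run fls with -m / against the image, save the output to a file, and feed that file to parse_body; the timeline is a quick first pass, and the body format's fixed-width ISO timestamps sort lexically, so no extra date parsing is needed. Entries marked deleted-realloc deserve caution before icat is run on them: the record number now describes a different file.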


Conclusion

In this article, we have provided a comprehensive guide to examining NTFS file records in digital forensics investigations. We have discussed the importance of file system artifacts in forensic investigations, the process of creating a forensic image, and various tools and techniques for examining file records. We also provided a hands-on example of using TSK to list and analyze file records in an NTFS partition. By following these steps and using these tools, you can effectively recover and analyze evidence from NTFS file systems.
