When a volume is formatted with the NTFS file system, several system (metadata) files are created, including the Master File Table (MFT), which stores information about all files and folders on the volume. The volume begins with the partition boot sector (the $Boot metadata file) at sector 0, up to 16 sectors in size, and the first file created is the MFT ($MFT). The following figure shows the layout of an NTFS volume.
Like the boot sector in FAT, the boot sector in NTFS describes the data structure of the file system. It provides the cluster size, MFT entry size, and the starting cluster address of the MFT since it is not placed in a predefined sector.
The NTFS Partition Boot Sector
On an NTFS volume, the Partition Boot Sector resides at logical sector 0 and occupies the first 16 sectors as the $Boot metadata file. Sector 0 contains the boot record and BIOS Parameter Block (BPB), while sectors 1–15 store the remainder of the boot record. NTFS also places a backup copy of this boot sector at the last sector of the partition for reliability.
The BPB provides key file system parameters, including the MFT record size and the starting location of the $MFT. These values are essential for correctly identifying and interpreting MFT records during forensic analysis. The figure below shows the hexadecimal dump of the boot sector.
Figure 1: Hexadecimal dump of the NTFS boot sector
Note that all multi-byte values are stored in little-endian byte order, so the bytes must be reversed before they are interpreted. The table below outlines the layout of the BIOS Parameter Block, which begins at byte offset 0x0B of the boot sector.
| Byte Offset | Length | Description |
|---|---|---|
| 0x0B | WORD | Number of bytes per sector, usually 512 |
| 0x0D | BYTE | Number of sectors per cluster |
| 0x0E | WORD | Number of reserved sectors, usually 0 |
| 0x10 | 3 BYTES | Always 0 |
| 0x13 | WORD | Not used by NTFS |
| 0x15 | BYTE | Media descriptor: the type of media on which the file system resides. Generally 0xF8 for standard hard drives. |
| 0x16 | WORD | Always 0 |
| 0x18 | WORD | Sectors per track (used by the BIOS, not critical for NTFS). Relates to the old CHS disk addressing scheme. |
| 0x1A | WORD | Number of heads (used by the BIOS, not critical for NTFS). Relates to the old CHS disk addressing scheme. |
| 0x1C | DWORD | Hidden sectors: number of sectors before the start of the partition. Meaning uncertain. |
| 0x20 | DWORD | Not used by NTFS |
| 0x24 | DWORD | Not used by NTFS |
| 0x28 | LONGLONG | Total sectors |
| 0x30 | LONGLONG | Logical Cluster Number (LCN) of the file $MFT |
| 0x38 | LONGLONG | Logical Cluster Number (LCN) of the file $MFTMirr |
| 0x40 * | BYTE | Size of an MFT record, usually 1024 bytes. A two's complement number: a positive value gives the MFT record size in clusters; for a negative value x, the MFT record size is 2^|x| bytes. |
| 0x41 | 3 BYTES | Not used |
| 0x44 * | BYTE | Size of an index buffer (INDX record), in clusters |
| 0x45 | 3 BYTES | Not used |
| 0x48 | LONGLONG | Volume Serial Number |
| 0x50 | DWORD | Not used |
The two values marked with an asterisk (*) in the table above (offsets 0x40 and 0x44) are signed 8-bit numbers that are interpreted in one of two ways. If the value is positive (0x00–0x7F), it gives the number of clusters per MFT record or INDX record. If the value is negative (0x80–0xFF), it gives the number of bytes per MFT record or INDX record.
In the negative case the actual size is calculated by raising 2 to the power of the absolute value of the number. Thus, if byte offset 0x40 contains the value F6h, as it does in the sample BPB in Figure 1, the 8-bit signed value of F6 is –10 and its absolute value is 10. The number of bytes in each MFT record (because the value is negative) is therefore 2^10 = 1024 bytes. This conforms with current experience: all systems seen to date have a 1024-byte MFT record size.
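The following parser, added here as an example and not taken from the page's own tooling, reads the BPB fields listed above with `struct` in little-endian order and decodes the signed size bytes at 0x40 and 0x44 exactly as the paragraph describes (positive = clusters, negative = 2^|x| bytes). It builds its own constructed 512-byte boot sector whose values mirror the worked example (512 bytes per sector, 8 sectors per cluster, $MFT at LCN 10342, 0xF6 at offset 0x40); the $MFTMirr LCN, total sector count and serial number in it are invented placeholders, and the partition start at sector 97 is taken from the mmls discussion further down. The `read_boot_sector` helper slices the boot sector out of a whole-disk image at a given partition start sector, which is what a forensic examiner does instead of, or in addition to, carving the partition out with dd-style tools.

```python
import struct

SECTOR_SIZE = 512


def build_sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector for demonstration (not a real volume dump)."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x52\x90"                      # jump instruction
    bs[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)          # bytes per sector
    struct.pack_into("<B", bs, 0x0D, 8)            # sectors per cluster
    struct.pack_into("<H", bs, 0x0E, 0)            # reserved sectors
    struct.pack_into("<B", bs, 0x15, 0xF8)         # media descriptor (fixed disk)
    struct.pack_into("<H", bs, 0x18, 63)           # sectors per track (legacy CHS)
    struct.pack_into("<H", bs, 0x1A, 255)          # heads (legacy CHS)
    struct.pack_into("<I", bs, 0x1C, 97)           # hidden sectors = partition start
    struct.pack_into("<Q", bs, 0x28, 248222)       # total sectors (placeholder value)
    struct.pack_into("<Q", bs, 0x30, 10342)        # $MFT LCN, as in the page's example
    struct.pack_into("<Q", bs, 0x38, 2)            # $MFTMirr LCN (placeholder value)
    struct.pack_into("<b", bs, 0x40, -10)          # 0xF6: MFT record = 2^10 bytes
    struct.pack_into("<b", bs, 0x44, 1)            # index record = 1 cluster
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # serial (placeholder)
    struct.pack_into("<H", bs, 0x1FE, 0xAA55)      # boot sector signature
    return bytes(bs)


def build_sample_disk_image() -> bytes:
    """Constructed disk image: 97 sectors of padding, then the NTFS partition."""
    return bytes(97 * SECTOR_SIZE) + build_sample_boot_sector() + bytes(4 * SECTOR_SIZE)


def read_boot_sector(image: bytes, partition_start_sector: int,
                     sector_size: int = SECTOR_SIZE) -> bytes:
    """Slice the partition boot sector out of a whole-disk image."""
    start = partition_start_sector * sector_size
    sector = image[start:start + sector_size]
    if len(sector) != sector_size:
        raise ValueError("image is shorter than the requested sector")
    return sector


def sized_field(raw: int, cluster_size: int) -> int:
    """Decode the signed byte at 0x40/0x44: >= 0 means clusters, < 0 means 2^|x| bytes."""
    if raw >= 0:
        return raw * cluster_size
    return 1 << (-raw)


def parse_bpb(sector: bytes) -> dict:
    """Parse the NTFS BIOS Parameter Block fields relevant to locating the MFT."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '; not an NTFS boot sector")
    if struct.unpack_from("<H", sector, 0x1FE)[0] != 0xAA55:
        raise ValueError("missing 0xAA55 boot sector signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    media, = struct.unpack_from("<B", sector, 0x15)
    hidden, = struct.unpack_from("<I", sector, 0x1C)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    rec_raw, = struct.unpack_from("<b", sector, 0x40)   # signed, see text above
    idx_raw, = struct.unpack_from("<b", sector, 0x44)   # signed, see text above
    serial, = struct.unpack_from("<Q", sector, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media_descriptor": media,
        "hidden_sectors": hidden,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_record_size": sized_field(rec_raw, cluster_size),
        "index_record_size": sized_field(idx_raw, cluster_size),
        "volume_serial": serial,
    }


if __name__ == "__main__":
    bpb = parse_bpb(read_boot_sector(build_sample_disk_image(), 97))
    for k, v in bpb.items():
        print(f"{k:20s} {v}")
```

The OEM ID and 0xAA55 checks are cheap sanity tests worth keeping in any carving script: when a partition offset from mmls is wrong by even one sector, the parsed LCNs are garbage, and these checks fail loudly rather than sending the examiner to a bogus MFT location.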
Similar to other file systems, such as FAT, NTFS uses clusters to allocate disk space for files, and each cluster comprises a certain number of sectors, typically a power of two sectors. The cluster number starts with 0 at the beginning of the file system. The number of clusters in NTFS is also given another name called LCN (Logical Cluster Number). Further, the clusters belonging to a file are referenced in the MFT using virtual cluster numbers (VCNs). VCNs start from 0, sequentially increasing by 1 until the last cluster allocated to the file. An LCN is its relative offset from the beginning of an NTFS file system, whereas a VCN is its relative offset from the beginning of a file. Both LCN and VCN start from 0. The figure below shows an example of a file with 3 clusters (clusters 1355, 1588, and 2033) and the VCN-to-LCN mapping for the clusters in the MFT.
You can use the TSK mmls command to discover the layout of your forensic image. With the mmls command, we can determine where the partition of interest starts.
In this example, we can clearly see that there is only one partition in the image. The locations of the starting sector and ending sector for the partition are Sector 97 and Sector 248319, respectively. Thus, the size of the partition is 248223 sectors.
Use the dcfldd command to extract the partition image from the disk image, as shown below, where ntfs.dd is the name of the file used to store the extracted partition image.
Extract the boot sector from the resultant NTFS partition as follows.
Locating the Master File Table (MFT) In An NTFS Volume
The MFT is critical to the NTFS file system, so it is very important to know its location. The starting location of the MFT is given within the BPB: the logical cluster number of the start of the MFT is stored at byte offsets 0x30 to 0x37 as a 64-bit little-endian number. In this case the MFT is seen to start at logical cluster number (LCN) 10342. At byte offset 0x0D the sectors-per-cluster count is shown as 8. The starting sector of the MFT is determined by the formula shown below.
MFT sector = MFT_LCN × sectors_per_cluster
           = 10342 × 8
           = 82,736
Thus, the MFT starts at sector 82,736.
As might be expected, the MFT file itself is the subject of the first record in the MFT. Its size is defined within the attribute header of the $Data attribute in that record.
Determining the Address of the Cluster Which Contains a Given MFT Entry
In order to conduct a thorough forensic analysis of an NTFS volume, we need to examine each of the MFT entries, and to do so we must be able to locate them. At byte offsets 0x30–0x37 of the partition boot sector we find the address of the starting cluster of the MFT. Suppose we also know the cluster size, and that MFT entries are the standard 1 KB (1024 bytes). Then we can determine the address C of the cluster that contains any given MFT entry using the following formula:
C = MFT_LCN + floor(MFT entry # / (Cluster Size / 1024))
where MFT_LCN is the starting cluster address of the MFT, floor(x) is the floor function, MFT entry # is the given MFT entry number, and Cluster Size is the cluster size in bytes.
In our test image, we want to determine the address of a cluster, denoted by X, which contains a MFT entry Y, which points to a file named “canada.txt”. We also know that the cluster size (i.e. bytes-per-sector * sector-per-cluster) is 4 KB, which means each cluster has 4 MFT entries. For example, the starting cluster (or the first cluster) of MFT contains four NTFS system files, including $MFT (MFT entry 0), $MFTMirr (MFT entry 1), $LogFile (MFT entry 2) and $Volume (MFT entry 3). We also denote the starting cluster address of MFT by S. The relationship between cluster address X and MFT entry number Y, given the starting cluster S of the MFT can be expressed as:
X = S + floor(Y / 4)
For example, the file “canada.txt” uses MFT entry 35, so Y = 35, and the first cluster of the MFT is 10,342, so S = 10,342. Then MFT entry 35 is located within cluster 10,350, specifically in the last 1 KB of cluster 10,350.
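As an added example (not code from the page), the functions below carry the three calculations from this section through in code: the MFT starting sector (MFT_LCN × sectors per cluster), the cluster-containing-entry formula X = S + floor(Y / 4) generalized to any cluster size, and the VCN-to-LCN mapping described earlier. They go slightly beyond the text in two ways: `cluster_of_mft_entry` also returns the byte offset of the entry inside its cluster (which is how "the last 1 KB of cluster 10,350" is derived), and `entry_location_via_runs` resolves an entry through the $MFT's own VCN-to-LCN run list, which is what an examiner must do when the MFT is fragmented, since the simple formula silently assumes the MFT is contiguous. The run list values (1355, 1588, 2033 and the 100-cluster run at 10342) are constructed from the page's examples.

```python
def mft_start_sector(mft_lcn: int, sectors_per_cluster: int) -> int:
    """Sector where the MFT begins: LCN times sectors per cluster."""
    return mft_lcn * sectors_per_cluster


def cluster_of_mft_entry(mft_lcn: int, entry_number: int,
                         cluster_size: int, record_size: int = 1024) -> tuple:
    """Return (cluster LCN, byte offset within that cluster) for an MFT entry.

    Assumes the MFT is contiguous from mft_lcn, as the page's formula does.
    Handles both clusters larger than a record (several entries per cluster)
    and clusters smaller than a record (one entry spans several clusters).
    """
    if entry_number < 0:
        raise ValueError("MFT entry number must be non-negative")
    entries_per_cluster = cluster_size // record_size
    if entries_per_cluster == 0:
        # e.g. 512-byte clusters with 1024-byte records: each record spans
        # record_size / cluster_size clusters and always starts at offset 0.
        clusters_per_entry = record_size // cluster_size
        return mft_lcn + entry_number * clusters_per_entry, 0
    cluster = mft_lcn + entry_number // entries_per_cluster
    offset = (entry_number % entries_per_cluster) * record_size
    return cluster, offset


def vcn_to_lcn(runs: list, vcn: int) -> int:
    """Map a file-relative VCN to a volume-relative LCN.

    `runs` is the file's data run list in VCN order as (start_lcn, length_in_clusters).
    """
    base_vcn = 0
    for start_lcn, length in runs:
        if vcn < base_vcn + length:
            return start_lcn + (vcn - base_vcn)
        base_vcn += length
    raise ValueError(f"VCN {vcn} lies beyond the end of the run list")


def entry_location_via_runs(mft_runs: list, entry_number: int,
                            cluster_size: int, record_size: int = 1024) -> tuple:
    """Locate an MFT entry through $MFT's run list (works for a fragmented MFT)."""
    byte_offset = entry_number * record_size       # offset from the start of $MFT
    vcn, in_cluster = divmod(byte_offset, cluster_size)
    return vcn_to_lcn(mft_runs, vcn), in_cluster


if __name__ == "__main__":
    # Values from the page: $MFT at LCN 10342, 8 sectors per cluster, 4 KB clusters.
    print("MFT start sector:", mft_start_sector(10342, 8))              # 82736
    print("canada.txt (entry 35):", cluster_of_mft_entry(10342, 35, 4096))  # (10350, 3072)
    # Constructed three-cluster file from the VCN/LCN discussion.
    file_runs = [(1355, 1), (1588, 1), (2033, 1)]
    print("VCN 2 ->", vcn_to_lcn(file_runs, 2))                          # 2033
    # Constructed contiguous $MFT run; gives the same answer as the formula.
    print("via run list:", entry_location_via_runs([(10342, 100)], 35, 4096))
```

Offset 3072 in a 4096-byte cluster is the fourth and last 1 KB slot, matching the text; entries 0 to 3 ($MFT, $MFTMirr, $LogFile, $Volume) land in cluster 10342 at offsets 0, 1024, 2048 and 3072. When $MFT has more than one run, `cluster_of_mft_entry` is only valid for entries inside the first run, so prefer the run-list version once the $MFT record's $DATA attribute has been parsed.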