NTFS Boot Record (NTFS forensics part 2)
April 19, 2011
New Technology File System (NTFS) is Microsoft's preferred file system for new machines running the Windows operating system. NTFS is superior to the older FAT file system for several reasons: it supports larger volumes, it is "self healing," and it provides security, compression and encryption, none of which FAT offers. These benefits also make it the preferred option for the majority of computers. This chapter explains the first sector of the partition on a standard NTFS install. You are expected to know how to read hexadecimal and how the hard drive stores data on your system.
The tools required are a hex editor such as HxD, which can be found at http://mx-nedus.de/en, and administrator access so that the hard drive can be read at the disk level. This document will not go into depth on how to use a hex editor. I am keeping this as generic as possible so you can use your own tools; an understanding of your tools is required.
Figure 2-1 shows sector zero of an active NTFS partition. This sector stores information for NTFS and holds executable code for loading Windows. The MBR sector is important for obtaining the sector size (typically 512 bytes), the sectors per cluster and the starting location of the master file table. It can also be used to find the master file table mirror if the original master file table has been destroyed. From this capture you can determine that this is NTFS by examining the 8 bytes at an offset of 3 bytes: in the text (Unicode) pane of the hex editor you will see NTFS followed by four spaces, or in hex 4E 54 46 53 20 20 20 20. If you are performing forensic analysis on a hard drive with an unknown file system, this is an excellent way to determine which file system is in use. Table 2-1 lists the structure of the MBR sector. To locate a field, add up the sizes of the fields that come before it and go to that offset in the hex editor.
Finding the $MFT Start
The master file table stores all the metadata about a file: file location, creation time, accessed time and more. If the file is small enough, its contents are stored in the $MFT itself. When a file is deleted, all that changes in the $MFT is a single byte, which informs the file system that the file entry is no longer in use. This explains how certain programs and companies can recover a file after it has been deleted from the operating system. Changing a byte is quicker than actually erasing the file from the hard drive. The operating system will eventually reuse the space the deleted file occupied, making the file unrecoverable in most cases. There are some theoretical methods, such as examining the platter for the residual difference between a zero and a one after a bit has been overwritten, and recovering the value of the erased file that way.
To find the starting location of the $MFT we need the MFT start value and then multiply it by the sectors per cluster. To find the sectors per cluster, start from the beginning of the sector, go to an offset of 13 bytes and read the next byte. In our example that byte is 0x08, which translates to 8 sectors per cluster. The next piece of information needed is the MFT start location. In our example go to an offset of 48 (0x30) and read the next 8 bytes. We obtain the value 00 00 0C 00 00 00 00 00. Because the value is stored little-endian (least significant byte first), this reads as 0xC0000, which converts to 786432 in decimal. That is the starting cluster number; to get the starting sector we multiply it by the sectors per cluster, which is 8. The starting sector in our example is 6291456. To obtain the mirror, follow the same steps but read the MFT Mirror Start instead of the MFT Start.
Table 2-1. Structure of the MBR sector (field and size in bytes)

| Field | Size (bytes) |
|---|---|
| Bytes Per Sector | 2 |
| Sectors Per Cluster | 1 |
| Sectors Per Track | 2 |
| Number of heads | 2 |
| MFT Mirror Start | 8 |
| Clusters Per File Record | 4 |
| Clusters Per Index Block | 4 |
| Volume Serial Number | 8 |
To work out how many bytes are in each file record you need three pieces of information: clusters per file record, sectors per cluster and bytes per sector. Using Table 2-1 and Figure 2-1 as the example we obtain the values 246, 8 and 512 respectively. If the clusters-per-file-record value is smaller than 0x80 (128 in decimal), multiply the three values together (in the form 246 * 8 * 512) to get the record size in bytes. Since 246 is larger than 128, however, we instead subtract 256 from clusters per file record, giving -10 in our example; the magnitude, 10, is a power of two, so shifting 1 left by 10 gives 1024 bytes per file record, or 2 sectors. Bytes per file record is also described as how long each file entry is.
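Pulling the steps above together, here is an added example (not part of the original post) that parses the same fields in Python. It builds a constructed 512-byte boot sector carrying this post's values (8 sectors per cluster, MFT start cluster 0xC0000, clusters per file record 0xF6) and derives the $MFT start sector and the file record size; the offsets for the mirror and volume serial fields (0x38 and 0x48) and the trailing 55 AA signature are the standard NTFS layout, which this page does not list.

```python
import struct

NTFS_OEM_ID = b"NTFS    "  # 8 bytes at offset 3: "NTFS" plus four spaces

def record_size_bytes(raw, sectors_per_cluster, bytes_per_sector):
    """Decode the clusters-per-file-record byte at offset 0x40.
    Below 0x80 it is a cluster count; at or above 0x80 it is a negative signed
    byte whose magnitude is log2 of the size (0xF6: 246 - 256 = -10 -> 1 << 10)."""
    if raw < 0x80:
        return raw * sectors_per_cluster * bytes_per_sector
    return 1 << (256 - raw)

def parse_boot_sector(sector):
    """Parse the NTFS boot sector fields; multi-byte values are little-endian."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    oem = sector[3:11]
    if oem != NTFS_OEM_ID:  # same check the post does by eye: 4E 54 46 53 20 20 20 20
        raise ValueError("not an NTFS boot sector, OEM ID = %r" % oem)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    mft_cluster, mftmirr_cluster = struct.unpack_from("<QQ", sector, 0x30)
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    mft_sector = mft_cluster * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "mft_start_cluster": mft_cluster,
        "mft_start_sector": mft_sector,
        "mft_start_byte_offset": mft_sector * bytes_per_sector,
        "mftmirr_start_sector": mftmirr_cluster * sectors_per_cluster,
        "bytes_per_file_record": record_size_bytes(sector[0x40], sectors_per_cluster, bytes_per_sector),
        "volume_serial": "%016X" % serial,
    }

def build_sample_sector():
    """Constructed 512-byte boot sector carrying this post's values; not a real capture."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                              # jump instruction
    sec[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", sec, 0x0B, 512, 8)              # bytes per sector, sectors per cluster
    struct.pack_into("<QQ", sec, 0x30, 0xC0000, 0x2)        # $MFT cluster; mirror cluster is made up
    sec[0x40] = 0xF6                                        # clusters per file record (246)
    struct.pack_into("<Q", sec, 0x48, 0x1122334455667788)   # made-up volume serial
    sec[0x1FE:0x200] = b"\x55\xAA"                          # boot sector signature
    return bytes(sec)
```

Run `parse_boot_sector(open("/dev/sdX", "rb").read(512))` (or a disk image opened the same way) to apply it to a real partition; the byte offset is what you seek to in the image to land on the first $MFT record.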