Forensics Analysis Approach To NTFS File System

James Ryder | Published: October 20, 2015 | File Forensics

NTFS, or New Technology File System, is the file system used by the Windows NT line of operating systems. Introduced by Microsoft, it has been the default file system of the Windows NT family since Windows NT 3.1. A file system is responsible for storing and retrieving the files kept on a hard drive. NTFS is the successor of FAT and HPFS and has several advantages over both. The features that make it more reliable than other file systems include improved performance and reliability, better metadata support, additional extensions, and more efficient use of disk space.

How Does NTFS Function?

For forensic analysis of the NTFS file system we need to understand how it actually works. When a hard drive is formatted, its total space is divided into partitions. The operating system keeps track of all the files stored in each partition. Each file is actually stored in one or more clusters (predefined units of disk space) on the hard drive. In NTFS the size of these clusters ranges from 512 bytes to 64 KB; the larger the hard disk, the larger its cluster size.

When the operating system creates a file on NTFS, a record for that file is stored in a file known as the Master File Table (MFT). That record can be used to locate the scattered clusters holding the file's contents. In addition, when a volume is formatted with NTFS, several system files are created, among them $LogFile and $Bitmap. The structure of a volume after NTFS formatting is shown below:

[Figure: structure of an NTFS volume after formatting; image not preserved in this copy]

Structure Of Master File Table (MFT) – NTFS File System Forensics

NTFS reserves the first 16 records of the table for special information. The first record describes the MFT itself, followed by the MFT mirror record. The mirror record is useful when the MFT record is corrupted: NTFS then reads the mirror copy instead. The locations of both the MFT and the MFT mirror are recorded in the boot sector.
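The boot sector is the first thing an examiner reads from an NTFS volume, because the cluster size described above and the locations of $MFT and $MFTMirr all come from it. The following Python is an added example written for this article (it is not code from the original post or from Microsoft): it parses the documented NTFS boot-sector fields, derives the cluster size and the byte offsets of the MFT and its mirror, and rejects a sector whose signature, OEM ID or MFT location is implausible. The sample boot sector is constructed inline, with made-up values for a 20 GiB volume.

```python
import struct

def parse_ntfs_boot_sector(sector):
    """Parse an NTFS boot sector and return the geometry needed to locate
    the MFT and its mirror. Field offsets follow the NTFS BPB layout."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    bytes_per_sector, spc = struct.unpack_from("<HB", sector, 0x0B)
    if bytes_per_sector & (bytes_per_sector - 1):
        raise ValueError(f"bytes per sector {bytes_per_sector} is not a power of two")
    # Values >= 0x80 encode very large clusters as 2^(256 - value) sectors (an
    # extension in newer Windows versions, beyond the 512 B to 64 KB range in
    # the text); ordinary volumes store the sector count directly.
    sectors_per_cluster = (1 << (256 - spc)) if spc >= 0x80 else spc
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_lcn, mftmirr_lcn = struct.unpack_from("<qq", sector, 0x30)
    # Clusters per MFT record: a negative value means 2^(-value) bytes
    rec = struct.unpack_from("<b", sector, 0x40)[0]
    mft_record_size = (1 << -rec) if rec < 0 else rec * cluster_size
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    total_clusters = total_sectors // sectors_per_cluster
    # Sanity check: both MFT copies must lie inside the volume
    for name, lcn in (("$MFT", mft_lcn), ("$MFTMirr", mftmirr_lcn)):
        if not 0 <= lcn < total_clusters:
            raise ValueError(f"{name} at LCN {lcn} lies outside the volume")
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "total_clusters": total_clusters,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of $MFT
        "mftmirr_offset": mftmirr_lcn * cluster_size,  # byte offset of $MFTMirr
        "mft_record_size": mft_record_size,
        "volume_serial": f"{serial:016X}",
    }

def build_sample_boot_sector():
    """Constructed boot sector for a 20 GiB volume with 4 KiB clusters.
    All values are made up for this example, not taken from a real disk."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                     # jump instruction
    s[3:11] = b"NTFS    "                        # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)     # 512-byte sectors, 8 per cluster
    s[0x15] = 0xF8                               # media descriptor: fixed disk
    struct.pack_into("<Q", s, 0x28, 41943039)    # total sectors (20 GiB minus backup boot sector)
    struct.pack_into("<qq", s, 0x30, 786432, 2)  # $MFT at LCN 786432, $MFTMirr at LCN 2
    struct.pack_into("<b", s, 0x40, -10)         # MFT record size 2^10 = 1024 bytes
    struct.pack_into("<b", s, 0x44, 1)           # one cluster per index buffer
    struct.pack_into("<Q", s, 0x48, 0x1C2E3F4A5B6C7D8E)  # volume serial (constructed)
    s[510:512] = b"\x55\xAA"                     # boot signature
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:>20}: {value}")
```

With a real image, pass the first 512 bytes of the partition instead of the constructed sector; the returned `mft_offset` and `mftmirr_offset` are the positions at which the first MFT records and their mirror can be read and compared, which is the usual way to confirm that the primary table has not been damaged.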

[Figure: layout of the Master File Table; image not preserved in this copy]

The MFT allocates a specific amount of space for every file record. The allocated space stores the attributes of the file. Moreover, directories and small files (512 bytes or smaller) are stored entirely within the Master File Table.

Forensic Analysis of File Attributes Of NTFS

The NTFS file system views each file or folder as a set of attributes. The name of the file, its security information, its data and so on are all attributes. Each attribute is identified by an attribute type and a name. Attributes that fit inside the MFT file record are termed resident attributes; details such as the file name and time stamps are always stored in the MFT file record.

When information about a file does not fit in the MFT record, it is stored as a nonresident attribute. These attributes are stored in one or more clusters at a different location on the hard drive.

The different attributes defined by NTFS are:

  • Standard information
  • Attribute List
  • File Name
  • Security Descriptor
  • Data
  • Object ID
  • Logged Utility Stream
  • Reparse Point
  • Index Root
  • Index Allocation
  • Bitmap
  • Volume Information
  • Volume Name
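To see how the resident and nonresident attributes above actually appear in an MFT file record, here is an added example in Python (written for this article, not code from the original post or from Microsoft). It applies the update-sequence fixups that NTFS writes into the last two bytes of every sector of a record, walks the attribute list, names each attribute with the type codes NTFS defines, extracts the file name from $FILE_NAME, and decodes the run list of a nonresident $DATA attribute into the cluster ranges the text calls "scattered clusters". The 1024-byte record is constructed inline for a hypothetical file `evidence.txt`; none of the values come from a real volume.

```python
import struct

# Attribute type codes defined by NTFS; the names match the list in the text
ATTR_TYPES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0x100: "$LOGGED_UTILITY_STREAM",
}

def apply_fixups(record, sector_size=512):
    """Undo the update-sequence (fixup) protection of a FILE record. On disk the
    last two bytes of every sector hold the update sequence number and the
    original bytes sit in the update sequence array; a mismatch means the
    record was only partially written and must not be trusted."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at offset {end - 2}: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_data_runs(buf):
    """Decode a nonresident attribute's run list into (lcn, cluster_count) pairs.
    The header byte gives field sizes (low nibble: length, high nibble: offset);
    offsets are signed and relative to the previous run's LCN."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                         # sparse run: no clusters on disk
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs

def parse_mft_record(record):
    """Walk one MFT FILE record and report each attribute as resident (content
    inside the record) or nonresident (content in clusters found via the runs)."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    record_number = struct.unpack_from("<I", rec, 0x2C)[0]
    attrs, pos = [], attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:      # end-of-attributes marker
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        entry = {"type_name": ATTR_TYPES.get(atype, hex(atype)), "name": name,
                 "resident": nonres == 0}
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff:pos + coff + clen]
            entry["size"] = clen
            if atype == 0x30:                     # $FILE_NAME carries the name itself
                fn_len = content[0x40]
                entry["file_name"] = content[0x42:0x42 + 2 * fn_len].decode("utf-16-le")
        else:
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            entry["allocated"], entry["size"] = struct.unpack_from("<QQ", rec, pos + 0x28)
            entry["runs"] = decode_data_runs(rec[pos + runs_off:pos + alen])
        attrs.append(entry)
        pos += alen
    return {"record_number": record_number, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "attributes": attrs}

def build_sample_record():
    """Constructed 1024-byte FILE record for 'evidence.txt' in the root directory
    with a nonresident $DATA attribute. Every value is made up for this example."""
    rec = bytearray(1024)
    t = 0x01D10B6A2F9E4C00                        # constructed FILETIME value
    rec[0:4] = b"FILE"
    # usa offset/count, LSN, sequence, links, first attr offset, flags (in use),
    # used size, allocated size, base record, next attr id, pad, record number
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x148, 1024, 0, 4, 0, 40)
    pos = 0x38
    # $STANDARD_INFORMATION: resident, 48 bytes (4 timestamps + DOS flags ...)
    struct.pack_into("<IIBBHHHIHBB", rec, pos, 0x10, 0x48, 0, 0, 0x18, 0, 0, 0x30, 0x18, 0, 0)
    struct.pack_into("<QQQQI", rec, pos + 0x18, t, t, t, t, 0x20)
    pos += 0x48
    # $FILE_NAME: resident, 0x42-byte fixed part followed by the UTF-16 name
    name = "evidence.txt".encode("utf-16-le")
    struct.pack_into("<IIBBHHHIHBB", rec, pos, 0x30, 0x78, 0, 0, 0x18, 0, 1,
                     0x42 + len(name), 0x18, 1, 0)
    struct.pack_into("<QQQQQQQIIBB", rec, pos + 0x18, 0x0005000000000005, t, t, t, t,
                     24576, 20000, 0x20, 0, len(name) // 2, 3)
    rec[pos + 0x18 + 0x42:pos + 0x18 + 0x42 + len(name)] = name
    pos += 0x78
    # $DATA: nonresident, VCN 0-5, 24576 allocated / 20000 real bytes, runs at +0x40
    struct.pack_into("<IIBBHHHQQHHIQQQ", rec, pos, 0x80, 0x48, 1, 0, 0x40, 0, 2,
                     0, 5, 0x40, 0, 0, 24576, 20000, 20000)
    rec[pos + 0x40:pos + 0x48] = bytes([0x21, 4, 0xE8, 0x03, 0x11, 2, 0x9C, 0])  # 4 @ LCN 1000, 2 @ LCN 900
    pos += 0x48
    struct.pack_into("<I", rec, pos, 0xFFFFFFFF)  # end marker
    # Apply the on-disk fixup: save each sector's last word, overwrite it with the USN
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i, end in enumerate((512, 1024), start=1):
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)
```

Calling `parse_mft_record(build_sample_record())` lists $STANDARD_INFORMATION and $FILE_NAME as resident and $DATA as nonresident with runs `[(1000, 4), (900, 2)]`, i.e. four clusters starting at LCN 1000 followed by two at LCN 900. Multiply each LCN by the cluster size from the boot sector to get byte offsets on the volume. The fixup check matters in practice: a record whose sector-end words do not match its update sequence number was torn during a write, and attributes parsed from it should be treated as unreliable.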

System Files Of NTFS

There are several system files that are stored on an NTFS volume but hidden from normal view. The system uses them to store its own data and to implement the file system. The Format utility places the system files on the NTFS volume.

Each system file is stored under its own file name and in its own MFT record on the NTFS volume. Like the attributes, these files serve different purposes. Some of them are:

[Figure: table of NTFS system files; image not preserved in this copy]

NTFS has a very simple but very powerful design. Everything on an NTFS volume is a file, and everything stored in a file is an attribute, from the data attribute and file name attribute to the security attribute. Every sector on an NTFS volume belongs to some file.