NTFS
The NTFS file system
Microsoft developed a newer file system called the New Technology File System (NTFS) to add these features. This file system was introduced in 1993 with the Windows NT 3.1. However, it became mainstream since Windows XP. The NTFS file system resolves many issues present in the FAT file system and introduces a lot of new features. We will discuss some of the features below.
Journaling
The NTFS file system keeps a log of changes to the metadata in the volume. This feature helps the system recover from a crash or data movement due to defragmentation. This log is stored in $LOGFILE in the volume's root directory. Hence the NTFS file system is called a journaling file system.
Access Controls
The FAT file system did not have access controls based on the user. The NTFS file system has access controls that define the owner of a file/directory and permissions for each user.
Volume Shadow Copy
The NTFS file system keeps track of changes made to a file using a feature called Volume Shadow Copies. Using this feature, a user can restore previous file versions for recovery or system restore. In recent ransomware attacks, ransomware actors have been noted to delete the shadow copies on a victim's file systems to prevent them from recovering their data.
Alternate Data Streams
A file is a stream of data organized in a file system. Alternate data streams (ADS) is a feature in NTFS that allows files to have multiple streams of data stored in a single file. Internet Explorer and other browsers use Alternate Data Streams to identify files downloaded from the internet (using the ADS Zone Identifier). Malware has also been observed to hide their code in ADS.
Master File Table
Like the File Allocation Table, there is a Master File Table in NTFS. However, the Master File Table, or MFT, is much more extensive than the File Allocation Table. It is a structured database that tracks the objects stored in a volume. Therefore, we can say that the NTFS file system data is organized in the Master File Table. From a forensics point of view, the following are some of the critical files in the MFT:
$MFT
The $MFT is the first record in the volume. The Volume Boot Record (VBR) points to the cluster where it is located. $MFT stores information about the clusters where all other objects present on the volume are located. This file contains a directory of all the files present on the volume.
$LOGFILE
The $LOGFILE stores the transactional logging of the file system. It helps maintain the integrity of the file system in the event of a crash.
$UsnJrnl
It stands for the Update Sequence Number (USN) Journal. It is present in the $Extend record. It contains information about all the files that were changed in the file system and the reason for the change. It is also called the change journal.
MFT Explorer
MFT Explorer is one of Eric Zimmerman's tools used to explore MFT files. It is available in both command line and GUI versions.
Administrator: Command Prompt
user@machine$ MFTECmd.exe
MFTECmd version 0.5.0.1
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
f File to process ($MFT | $J | $LogFile | $Boot | $SDS). Required
m $MFT file to use when -f points to a $J file (Use this to resolve parent path in $J CSV output).
json Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified
jsonf File name to save JSON formatted results to. When present, overrides default name
csv Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
csvf File name to save CSV formatted results to. When present, overrides default name
body Directory to save bodyfile formatted results to. --bdl is also required when using this option
bodyf File name to save body formatted results to. When present, overrides default name
bdl Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided
blf When true, use LF vs CRLF for newlines. Default is FALSE
dd Directory to save exported FILE record. --do is also required when using this option
do Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --vl 1 to see offsets
de Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5.
fls When true, displays contents of directory specified by --de. Ignored when --de points to a file.
ds Dump full details for Security Id as decimal or hex. Example: 624 or 0x270
dt The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
sn Include DOS file name types. Default is FALSE
fl Generate condensed file listing. Requires --csv. Default is FALSE
at When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10. Default is FALSE
vss Process all Volume Shadow Copies that exist on drive specified by -f . Default is FALSE
dedupe Deduplicate -f & VSCs based on SHA-1. First file found wins. Default is FALSE
debug Show debug information during processing
trace Show trace information during processing
Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashesMFTECmd parses data from the different files created by the NTFS file system like $MFT, $Boot, etc. The above screenshot shows the available options for parsing MFT files. For parsing the $MFT file, we can use the following command:
MFTECmd.exe -f <path-to-$MFT-file> --csv <path-to-save-results-in-csv>
You can then use the EZviewer tool inside the EZtools folder to view the output of MFTECmd, or to view CSV files in the next tasks as well. You will see that it lists information about all the files present on the volume. You can similarly parse the $Boot file, which will provide information about the boot sector of the volume. MFTECmd doesn't support $LOGFILE as of now.
Last updated