/*
Skogkatt began this translation on 2015-02-01, for study purposes only; reprinting is not permitted.
This chapter's pit is the first one to be dug.
I had wanted to translate the three NTFS chapters of this book for a long time, but never as a planned job. Some time ago I discussed the tool Everything with Vczh, Mili and Darkfall, and we thought about writing an open-source Everything, which is how this pit came to be. Everything parses the NTFS MFT directly from the bottom of the volume, then walks every file entry and extracts each file's information from it; this is much faster than the Win32 FindFirstFile and FindNextFile calls. The principle is simple, but very few people actually implement the code.
Also, because of work I began studying and analysing the NTFS file system in 2013, and read the three NTFS chapters of the book "File System Forensic Analysis". The information in these three chapters is already slightly outdated, and some technical details are left untranslated; the translation is only meant to broaden the knowledge of friends whose English is poor. If you want to study the details of the NTFS implementation, I recommend looking at the leaked Windows source code and the open-source ntfs3g library, and using a disk editing tool to look at the actual on-disk layout.
In addition, NTFS3G currently exposes a lot of code pitfalls; under high-load stress testing it suffers serious data loss or corruption and even file-system hangs, so it is not recommended as a rigorous NTFS implementation.
*/
This is the second chapter on NTFS, and we now start discussing analysis techniques and considerations, using the five-category model introduced in Chapter 8, "File System Analysis". NTFS is very different from other file systems, so before we dive into this material we covered the core concepts of NTFS in the previous chapter. If you are unfamiliar with NTFS and skipped Chapter 11, I recommend that you go back to Chapter 11 before you begin reading this chapter. Chapter 13, "NTFS Data Structures", covers the NTFS data structures. Most of this book is organised so that the file system analysis chapter and the data structures chapter can be read in parallel. However, this is difficult for NTFS, because everything is a file and it is hard to examine the file system category before reviewing the attributes of the metadata category. In other words, reading this chapter before you begin reading Chapter 13 will leave you less confused.
File system category
Content category
Metadata category
File name category
Application category
The big picture
Other topics
Summary
NTFS has a lot of data structures and pointers, which makes manual analysis extremely difficult. In this chapter we analyse the commonly known data structures. It must be re-emphasised that these are not an official specification, but they have proven to be reliable. There are still certain values and flag options whose meaning has not yet been discovered.
Resources
Please look at the original.
File System Forensic Analysis (Chapter 12: NTFS Analysis)