Video Transcription
Hi and welcome to Everyday Digital Forensics. I'm your host, and today we'll be going over the NTFS file system. Similar to what we did for the FAT file system, we'll be defining what the file system is, reviewing some of the basic concepts of this file system, and going over the basic structures and functionality of the NTFS file system.

So outside of being a file system, what is NTFS? What does it stand for? NTFS stands for New Technology File System. It was first introduced by Microsoft in 1983 with the release of Windows NT 3.1. The primary use of NTFS is within the Windows server line, and NTFS is supported in both Linux and BSD. But for Macs, it's only read-only support. So if you attempt to write to an image on a Mac machine, you're going to fail, but you'll be able to actually go through the directories and the file system of an NTFS volume. Some improvements in NTFS are support for metadata, advanced data structures, and an elaborate security system based on access control lists (ACLs), and we'll go into this a little bit further. NTFS also supports file system journaling.

You'll find NTFS mostly in Windows 10, 8, 7, all the way down to Windows NT. So some features of NTFS: journaling. This stores changes to a log. It's like a journal you keep every day, where you write down things that you may do or things that are important to you. The file system itself records changes, and they're recorded before implementing those changes. With this, it supports reversion to a previous working condition in the event of a failure. You can see this within Windows where you have your restore points. Thanks to the NTFS journaling feature, Windows allows you to revert back to a previous version. It also supports hard links. There are improvements in performance, reliability and disk space; as I mentioned before, security through access control lists (ACLs); and it supports encryption from file level to full disk encryption.
Now let's go over some of the concepts and analysis of NTFS. NTFS considers everything as a file. Every file that's stored has its attributes: data attributes, file name attributes and security attributes. Each of those files has four very important timestamps: create, modify, access and entry modified. If you remember from the FAT file system, you only had about three timestamps.

During the process of formatting a hard disk, so you've got a brand new computer, back in the day you used your floppy disks or your CDs with the operating system to be installed. For NTFS, you can see the image at the bottom: first it will split the partition into your boot sector, which is the information that your machine must know to be able to boot this kind of operating system, then the master file table, your system files, and the file area. This is very similar to the FAT file system, where the beginning of the partition was your boot information, next was your FAT, then following that was your FAT duplicate, then your root directory, and then other files and information. With NTFS, the operating system keeps track of all the files that are stored. In each partition they're stored in either single or multiple clusters, and we'll go into this a little bit further. Cluster size can vary from 512 bytes to 64 kilobytes. If you have a larger disk size, you have a larger cluster size. During file creation, a record of that file is stored in the master file table, and we'll go on and see what the MFT is.
As I mentioned earlier, every object within NTFS is a file, and every file has its own attributes. So in a sense, a file is a set of attributes. Those attributes are identified by an attribute type and a name.

Master File Table: any attributes stored there are considered resident attributes. These include the name of the file and the four timestamps: create, modify, access and entry modified. So those four timestamps, including the name of the file and other attributes, are considered resident attributes, and they're stored within the MFT.

Information of a file that's not stored in the MFT is considered non-resident attributes. These are attributes that can be stored in more than one cluster, or just in a different location. There are different attributes within NTFS; on your right, you can see some of the different attributes that are defined. This may not include all of them, but you can see that we have standard information, which we'll get into a little bit later, an attribute list, file name, security descriptor, the data itself, some object ID, and so on.
So the Master File Table. This file system reserves the first 16 records of the table for storing important data. This includes an MFT record and an MFT mirror. This is similar to a duplicate. The first record describes the MFT, which is followed by the MFT mirror. The mirror record tends to be useful in case the MFT record is corrupted, similar to the FAT file system where you had FAT1 and FAT2, which is just a duplicate of FAT1. If the MFT record becomes corrupt, the NTFS file system understands to read the MFT mirror record. The locations of both the master file table and the master file table copy, also referred to as the mirror, are recorded in the boot sector. In the previous slide, we had the partition boot record, then the master file table. The locations of the master file table, including the mirror, are located in that first sector. The MFT allocates a specific storage space for every file. It stores the attributes of files and directories, and small files of size up to 500 bytes. So if you see here on the right, we have a large file, but it extends out to two very different locations. This record simply points to where the file is. But unless you know that, hey, it's actually three records, you'd miss that this record is not just one address; it's going to be three addresses. And at the end of the first address, normally at that last cluster, there is an address to the next part, its first cluster. It will have a record pointing to the next location.

File system structures. So we've gone over the master file table; now for system files. These are stored in NTFS, but they're hidden from the NTFS view. So for the user, they're not in your typical location. They have to actually be looked for in a hidden spot. Most of the time, you'd have to pull down the image and perform some analysis to read this information. It's used more by the system for storing data and for implementing the file system. So these aren't records that a common user will see. Each of these files is named differently and sits on a different master file table record.
If you see below, we have a system file, the master file table, also considered $MFT, and it can be found in record zero. The master file table mirror, referred to as $MFTMirr, can be found in record one. We also have the log file; this is the journaling portion, and this is where the log is stored, which is $LogFile, and it can be found in MFT record two. We have $Volume and we have attribute definitions, $AttrDef, in three and four.

So in summary, today we've gone over features and terminology of NTFS and briefly discussed things that have some similarity to the FAT file system. We went over that everything in NTFS is considered a file, including directories. We talked about file attributes, talked about the master file table, also referred to as the MFT, and NTFS system files. I really hope you enjoyed today's video and I'll catch you on the next one.
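The boot sector fields that locate the $MFT and its mirror, and the reserved records 0 to 4 listed above, as an added Python example that is not part of the video or the course: it decodes a constructed (not real) boot sector, computes the cluster size and the byte offset of each system-file record, and cross-checks the pointers the way an examiner would before trusting them.

```python
import struct

# The first reserved MFT records the transcript lists: record number -> system file name.
SYSTEM_FILES = {0: "$MFT", 1: "$MFTMirr", 2: "$LogFile", 3: "$Volume", 4: "$AttrDef"}


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the boot-sector fields that locate the $MFT and its mirror."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    rec_field = struct.unpack_from("<b", sector, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative field encodes the record size as 2**|value| bytes; a positive one counts clusters.
    record_size = 2 ** (-rec_field) if rec_field < 0 else rec_field * cluster_size
    mft_offset = mft_lcn * cluster_size
    return {
        "cluster_size": cluster_size,
        "record_size": record_size,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_offset": mft_offset,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        # Byte offset of each reserved system-file record inside the $MFT.
        "system_records": {name: mft_offset + num * record_size
                           for num, name in SYSTEM_FILES.items()},
    }


def check_boot_sector(info: dict) -> list:
    """Consistency problems an examiner would flag before trusting the pointers."""
    problems = []
    if not 512 <= info["cluster_size"] <= 65536:
        problems.append("cluster size outside the 512 B to 64 KiB range")
    for key in ("mft_offset", "mftmirr_offset"):
        if info[key] >= info["volume_size"]:
            problems.append(f"{key} points past the end of the volume")
    if info["mft_offset"] == info["mftmirr_offset"]:
        problems.append("$MFT and $MFTMirr share a location; the mirror gives no redundancy")
    return problems


def build_sample_boot_sector() -> bytes:
    """Constructed sample (not from a real disk): 512 B sectors, 8 sectors per cluster."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"          # jump instruction
    sector[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<HB", sector, 0x0B, 512, 8)
    struct.pack_into("<QQQ", sector, 0x28, 4194303, 0x2AAAA, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", sector, 0x40, -10)   # file record size 2**10 = 1024 bytes
    sector[510:512] = b"\x55\xaa"          # boot sector signature
    return bytes(sector)
```

Feed the first 512 bytes of a raw image to `parse_ntfs_boot_sector` to get the offsets at which `$MFT`, `$MFTMirr` and `$LogFile` can be read directly; a non-empty result from `check_boot_sector` means the boot sector itself cannot be trusted and the mirror or a backup boot sector should be consulted.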