NTFS

00:00

hi and welcome to everyday dentro forensics. I'm your host of Sunday said, and today will be going over. The NT FS file system, similar to the fat fellow system, will be defining what the fastball system is or review some of the basic concepts of this file system and go over the basics, structures and functionality of the N CFS file system. So

00:19

outside of being a foul system, what is inside of us? What does it stand for?

00:27

So anti F s stands for a new technology, Faust. It was first introduced by Marcus off in 1983 with the release off Windows NT 3.1. The primary use of anti FS is with in the Windows server lines and see fastest supported in both in the next 10 BST. But for Max, it's only read only support. So if you

00:46

attempt to every human image on a Mac machine,

00:49

you're gonna be failing. But you'll be able to actually go through the directories and the foul system of an anti FS file back waas. Some improvements for Aunt if S is support for metadata events, data structures. There's also an elaborate security system based on access control list A C. Else, and we'll go into this civil but further

01:08

and too fast. Supports file system drying.

01:11

You'll find aunt if us mostly in Windows time. 87 all the way down to Windows NT. So some features of anti FS is the journal me

01:23

this stores to some changes to a logs. It's like a journal how you have every day, where you write down things that you may do or things that are important to you.

01:32

Palaces himself records changes, and it's recorded before implementing those changes. With this, it supports reversion to a previous working condition. In event of a failure, you can see this within Windows where you have your restore points.

01:46

Thanks to the anti infested Jeremy feature,

01:49

Windows allows you to revert back to a previous version. It also supports hard links. There's improvements on performance, reliability and thats space, as you mentioned before, Security Access Control List a C house, and it supports encryption from five level to full dust encryption.

02:07

Not to go over some of the concepts and analysis of it

02:09

for an anti FS and file. NDFs considers everything as a file. Every file that started it has its attributes from data attributes. Founding ABS tributes in security at each of those files have four very important time stamps you have create, modify access and entry modified. If you remember from the fat file system, you only had about three

02:29

time stamps

02:30

during the process of forming a heart. It's so you got a brand new computer. You input back on days. Use the puppet of floppy disk or your CDs with the operating system set to be installed. It's for anti fast. You can see the image at the bottom first will split the partition into your boot sector. This is the information that your machine must know

02:50

to be able to boot this kind of operating system

02:53

master foul table. Your system files a new file area. This is very similar to and is very similar to fat file system where the beginning partition was your boot information. Next with your fat, our system,

03:06

then following that was your fat duplicate. You had your root directory and then other files and information with anti fast. The operating system keeps track of all the files are sorted. Each partition they're stored in either single or multiple clusters and will go into this a little bit further. Cluster size can vary from

03:23

512 bytes to 64 kilobytes.

03:27

If you have a larger Desai's, you have a larger crosser sized

03:30

during viral creation. A record of that bile is stored in the master file tape on. We'll go and see what I'm I'm of tea

03:37

says I mentioned earlier. Every object within NDFs is a pile

03:40

every file has attributes, and those attributes are just a set of foul Audrey. As I mentioned earlier, every object is a file in and CFS. Every file has its own attributes. So in a sense of how is a set of attributes. Those attributes are identified by Anat Tribute type and name

03:58

Master Filed table. Any attributes are stored. There are considered residential attributes.

04:02

These include the name of the file on the four time stands up. We have create modify access, an entry modified so those four times dams, including the name of the file and other attributes, are considered residential attributes and they're stored with an M F T.

04:17

Information of pedophile that's not stored in empathy are considered non residential attributes. These air attributes that can be stored in more than one cluster.

04:26

We're just in a different location. There's different attributes with an anti fs on your right. You can see some of the different attributes that are defines.

04:33

This may not include all of them, but you can see that we have standard information, which will get into a little bit later.

04:40

An attribute list File Name Security Descriptor The data itself some object I d

04:47

and so on. So the Master files April. This file system reserves the 1st 16 records off a table for storing important data. This includes an M F T record and an M F T mirror. This is similar to a triplicate. The first record describes MFC, which is followed by the MF to Brooke.

05:05

The Marron record tends to be useful in case

05:08

the M A T record is corrupted. So summer the perfect house system where you had fat one of fat to which is just duplicate a fat one. If in the case that I'm ft record becomes corrupt, the NDFs file system understands to read MF T mirror records. So the mayor record tends to be useful in the cases that MF record is corrupted. The locations of both

05:28

Master Foul Table and the

05:30

Master Foul Table copy also referred to as the mirror that's recorded in the Boots Act. In the previous side, we had the partition but record than the master file table. The locations of the master file table, including the Mary, is located in that first sector. MF T allocates a specific storage space for every file

05:47

It stores the attributes of files and directories and small files of size

05:53

500 top bites. So if you see here on the right, you see that we have a large file, but it extends out to two very different locations. This record

06:03

simply points

06:05

to where the file is.

06:08

But unless you know that, hey, it's actually three records. It's not. This record is not just one address. It's gonna be three addresses.

06:15

And at the end of the first address, normally at that last

06:19

sector,

06:20

there is an address to the next part. First cluster. It will have a record pointing to the next location the file system structures. So we've gotten over the master follow table now for system files. These air started aunt if s but they're hidden from the UNT infest view.

06:36

So the user, they're not in your typical location. They have to actually be looked for and a hint spot. In most of times, you'd have to pull down the image and perform some analysis to read this information used more for the system for storing data

06:50

and for implementing the file system. So these aren't records that a common user will see. Each of these files are named differently and on a different master file table record.

07:01

If you see below, we have a system file master file table also considered dollar sign MFC,

07:08

and it could be found in record zero.

07:11

The master file Table two referred Teoh dollars Time MSC and I are are can be fine in record one.

07:17

We also have log files. This is the only portion and this is where a log Files store, which is dollar sign Monk files can be found in ft. Record to We have volume and we have attribute definitions in three and four something is day. We've gone over features interview doble on NDFs

07:35

kind of briefly discuss things that have some similarity in the fact file system.