Unit 6: Windows File Systems and Registry 6.1 Windows File Systems and Registry Windows NTFS Fil...

>> In order to improve performance, reliability, and support large disk volumes,
Microsoft developed the NTFS file system for Windows NT in the early '90s.

NTFS is still widely used today.

NTFS is a robust journaling file system.

Changes in the file system are first recorded to a log file, then written to the disk.

It enhances security by storing permissions for each file in a directory.

The size of a cluster in the NTFS file system ranges from 512 bytes up to 64 kB.

To support a smaller disk volume with mostly small files,
you can create smaller clusters to reduce wasted disk space.

If you use a large disk, you may create bigger clusters to improve read and
write performance and reduce file fragmentation.

NTFS uses 64 bits for each cluster's address.

Therefore, NTFS can support up to 2 to the 64th power clusters.

The key component of NTFS is the master file table, or MFT.

Like the boot record of a FAT file system, the NTFS volume boot sector
begins in the first sector of the partition and can use up to 16 sectors.

It contains the cluster size, the address of the MFT in logical sector numbers,
and the address of the MFT mirror, which contains copies
of the first four entries of the MFT as a backup.

If the partition is bootable, the boot sector also contains the program that is called
to load the NT loader.

The master file table is a system file, and its file name starts
with a $. The master file table is created when the NTFS volume is formatted.

The MFT records each file in each directory on the volume, including an entry for itself.

Each file uses one or more MFT records to store metadata information.

Main attributes: the $file record header, $standard information, $filename, and $data.

The $file record header includes the MFT number, link count, file type, file size, etc., for this
file.


Standard information contains the file's MAC times
and the characteristics telling whether the file is a hidden file or a system file.

$filename contains the file name, which can be up to 255 characters.

The data attribute normally lists all the cluster addresses allocated to the file.
The file content will be stored outside of the MFT record in clusters.

However, a small file may have its content held entirely
in the $data attribute, inside its MFT record.

What do I mean by a small file here?

If the MFT record is 1024 bytes in size, files that are less
than 740 bytes are considered small files.

I will demonstrate this scenario later.

If a file's metadata information is larger than one MFT record, NTFS uses two
or more MFT records to contain the file's attributes.

It uses the $attribute list attribute to point to all of the other records in the MFT.

There is a flag in each record to indicate the MFT record's allocation status.

This flag is set to zero when the record is marked for deletion, also known as unallocated.

Each directory record uses the $index root attribute to list all its children.

More specifically, each child residing in this directory is represented
by an index entry holding its file name and its standard information.

$index root contains a list of its children's index entries.

$root is sorted by file name, either in ascending name order or in a B-tree
structure.

When a folder contains index entries that cannot fit in one MFT record,
the additional index entries are stored in index buffers.

The $index allocation attribute stores the location information of these index buffers.


The first 16 files in the MFT are the system files.

The first file is $MFT itself.

The $bitmap file keeps track of the clusters' usage.

It uses one bit to record the status of each cluster on a volume.

If a cluster is used, the corresponding bit is one.

Otherwise, the bit is zero.

When you create a file in an NTFS volume, one or more free clusters are chosen from the bitmap
file.

An MFT record will be created to store the file's file name,
standard information, and its clusters' addresses.

Its index entry is inserted in the correct sequence in its parent's $index root attribute.

When you delete a file on an NTFS volume, its cluster references
in the bitmap file are changed to zero.

The MFT record for that file is marked for deletion.

That is, the flag for allocation status is set to zero.

The index entry for the file is removed from its parent's MFT.

Consequently, in $root, the index entries below it will be moved up,
overwriting the deleted entry.

Therefore, in NTFS, it is common for a deleted file to lose its parent folder's information.

As long as the clusters holding the file data have not been reallocated to another file,
a segment of the file is still recoverable.

If the MFT record is still available, we can possibly get all the clusters' locations
to recover the file with its file name.

Since we live in the age of information, there is a demand for a file system
that can support large storage, such as multi-terabyte drives,
and also provide continual reliability.

Windows introduced a new file system called Resilient File System, ReFS.

It was first used in Windows Server 2012 and Windows 8.

As of now, the Resilient File System is still not ready
to completely take over as the default file system.

And forensic investigation procedures for the Resilient File System are still being developed.

 

EnCase for NTFS Demo

 

>> In this video I want to show you how to use EnCase to analyze the NTFS file system.

And in class we also mentioned $MFT: each file has an entry
in $MFT, and a small file will even have its content reside inside
the MFT entry.

So I want to demonstrate this in this video.

Now currently I have my EnCase open and previewing my Windows 7 image.

And I put green highlights on the C drive, and then you see this is the content
of the C drive only, because otherwise there's a lot of other content I don't want to see.

So I only want to see the content from the C drive. If you look at the file names,
many file names start with the dollar sign.

Those are system files in the NTFS file system.

In class we talked about $Bitmap.

We talked about $MFT and $MFTMirror;
those are the system files, you can see them there.

Now, let's look into the time stamps.

If you look at those time stamps for the system files, interestingly they are all the same.

Okay. Those time stamps for the system files,
they were generated when the NTFS file system was formatted.

And those never change again.

So as a forensics investigator, if you see those time stamps,
you know this file system was formatted at that time.

If you see it's a very recent time, that should give you a signal that the person has reformatted the
file system.

Okay? So that's great information to know.

Now, especially I want to show you $MFT and $MFTMirror.

So, $MFTMirror is mirroring a number of files in $MFT.

So here I highlight $MFTMirror.

You see this is the highlight on that.

If you look at the text view here, a bunch of things are not readable,
but you see this is a starting header of FILE0.

If you highlight until you hit the next FILE0 header, this is one entry,
one entry for $MFT.

Because each file has an entry in $MFT and this is one entry.

The size, you can see here, size is 1024.

Size 1024.

And from the lecture you should know, inside these 1024 bytes, for this specified file,
the file name, which uses 255 bytes, and the standard information,
which is the cluster information, and all that are within these 1024.


Now, we cannot read much, but we can see the file names in that.

So this is the first file actually, in $MFT, and that's saved in the mirror.

So $MFT.

Okay. That's the first file.

And the next half, the next file, it's saved in that; if you look at the next FILE0
and look through, that's $MFTMirror.

Okay? And then the third one is $Logfile.

And then the fourth one is-- the fourth one is $Volume.

Now, by examining that, you know $MFTMirror only copies the top--
the first four file entries from $MFT.

And you should be familiar with this look of the content.

If you look at the FILE0, those are the entries for $MFT entries.

Next I want to look at a small file, hopefully to see this small file resides inside
of these 1024 bytes. To see that, I have one small file on my desktop.

It is called FT-- FTK Password.

If I open that up, this is a text file.

Very simple.

It just says username is admin and the password is netsys.

And then username student, student.

So that file size is certainly very small.

And we want to see if this file's content, the data, resides within the $MFT entry.

So, first let's find that file.

Okay. Shift a little bit and then I want to see this file is on the desktop,
so it's under D drive, user, student.

So let me highlight student and the desktop.

I only want to see the desktop.

Okay. So I only want to see the desktop entry here.

And then I need to find the MF-- the-- file called FTK Password.

Now there are lots of files listed here, so let me try a trick here.

See if I can type FTK.

No, yeah, it won't try to look for it.

So this is the FTK Password file.

If I highlight this file, now you can see its content.

Username, admin, password, netsys, and username student, student.


And certainly it tells you this is the FTK Password, that text.

But I still cannot prove this is inside of the MFT.

But when you click either one, you would see this file looks different,
like this is very clean, only has one line, nothing else.

But nevertheless, let's try to find whether this is inside of the MFT.

So I click the first character, highlighting that, and I go to the disk view.

Now, this content certainly resides on this disk.

In this sector, because I clicked it and went back
to disk view, this is the highlighted one.

Now I need to find whether this content is inside of that.

Okay? If you are familiar with $MFT, probably you already noticed this all
starts from FILE0.

This is inside of the MFT, $MFT content, but then we need to find the data in that.
Now you see here.

This is the data.

Okay. And inside of-- inside of an entry, a $MFT entry, 1024.

Okay. That whole thing, I think, is 1024.

Yeah. So, this is one entry for that small file.

Okay? The file name is called FTK Password.

File. And then the content is inside of $MFT.

So in this case, inside of the $MFT entry, in this case, Windows needn't--
the file system needn't save cluster information because it's just a tiny bit of content.

And they can have up to 700 content, 700 bytes of content
directly, effectively, just inside of this MFT entry.

That's good enough.

You needn't locate-- allocate the clusters to be outside of this record.

Okay? So, that proves a small file's data content resides in the $MFT entry.

Okay. So, hopefully you enjoyed this video and I will end it here.
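The MFT entry the demo walks through, and the attribute list the lecture gives for a file record, as an added Python example; it is not code from the lecture, the course or EnCase. It builds a 1024-byte FILE record in memory with $standard information (the four MAC timestamps), $filename and a resident $data attribute holding a small file's content, then parses it back the way a forensic tool has to: undoing the update sequence fixups that occupy the last two bytes of each 512-byte sector, reading the allocation flag that is cleared when a record is marked for deletion, and pulling the file name and the content straight out of the record. The file name, content, timestamps, record number, parent reference and update sequence number are all constructed; a second record built with the in-use flag cleared shows that the name and resident content of an unallocated record are still readable, which is what makes small deleted files recoverable from $MFT alone.

```python
"""Build and parse a 1024-byte NTFS MFT FILE record with a resident $DATA attribute.

Added example, not code from the lecture or from EnCase. The record is
constructed in memory (sample name, content, timestamps, record number and
update sequence number), not read from a real volume.
"""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002      # record flags at offset 0x16
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)   # constructed


def filetime(dt):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (integer math, no float loss)."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def resident_attr(atype, body):
    """Resident attribute: 24-byte header (type, length, non-resident=0, name, flags, id,
    content length, content offset), then the body, padded to a multiple of 8."""
    length = (24 + len(body) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(body), 24, 0, 0)
    return header + body + b"\0" * (length - 24 - len(body))


def build_record(name, content, when, in_use=True):
    """Assemble a FILE record as it sits on disk, with update sequence fixups applied."""
    ft = filetime(when)
    std_info = struct.pack("<QQQQIIII", ft, ft, ft, ft, 0x20, 0, 0, 0)   # C, A, M, R, DOS flags
    parent = (5 << 48) | 5                                             # root directory, record 5
    file_name = struct.pack("<QQQQQQQIIBB", parent, ft, ft, ft, ft, len(content), len(content),
                            0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (resident_attr(0x10, std_info) + resident_attr(0x30, file_name)
             + resident_attr(0x80, content) + b"\xff\xff\xff\xff\0\0\0\0")   # end marker
    header = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                         FLAG_IN_USE if in_use else 0, 0x38 + len(attrs), RECORD_SIZE, 0, 4)
    usn = b"\x07\x00"                                  # constructed update sequence number
    rec = bytearray(header + b"\0\0" + struct.pack("<I", 64) + usn + b"\0" * 6 + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    for i in range(RECORD_SIZE // SECTOR):             # stash each sector's last two bytes
        end = SECTOR * (i + 1)                         # in the USA and write the USN there
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def parse_record(raw):
    """Undo the fixups, read the header flags and walk the resident attributes."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = SECTOR * i
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or corruption")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & FLAG_IN_USE),       # cleared once marked for deletion
            "is_directory": bool(flags & FLAG_DIRECTORY), "attributes": []}
    pos = first_attr
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:
        atype, length, non_resident = struct.unpack_from("<IIB", rec, pos)
        entry = {"type": ATTR_NAMES.get(atype, hex(atype)), "resident": non_resident == 0}
        if non_resident == 0:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = bytes(rec[pos + coff:pos + coff + clen])
            if atype == 0x10:
                c, a, m, r = struct.unpack_from("<QQQQ", body, 0)
                entry["times"] = {"created": to_datetime(c), "modified": to_datetime(a),
                                  "mft_modified": to_datetime(m), "accessed": to_datetime(r)}
            elif atype == 0x30:
                entry["parent_record"] = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
                entry["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == 0x80:
                entry["content"] = body                # small file: the data is right here
        info["attributes"].append(entry)
        pos += length
    return info


def record_summary(raw):
    """(file name, resident content, allocated?) as an investigator reads them."""
    info = parse_record(raw)
    name = next(a["name"] for a in info["attributes"] if a["type"] == "$FILE_NAME")
    data = next(a["content"] for a in info["attributes"] if a["type"] == "$DATA")
    return name, data, info["in_use"]
```

Calling `record_summary(build_record("sample-note.txt", b"constructed resident content\n", SAMPLE_TIME, in_use=False))` returns the name and content with the allocation flag reported as False; feeding the parser a record whose sector does not end with the update sequence number raises instead of silently returning bytes from a torn write, which is the check EnCase's fixup handling performs before it shows you the entry.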

 

Reposted from: https://www.cnblogs.com/sec875/articles/10015693.html
