The Windows File System @ Articles -> Software Oct 07 2004, 00:45 (UTC+0)



Similar documents
New Technologies File System (NTFS) Priscilla Oppenheimer. Copyright 2008 Priscilla Oppenheimer

File System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1

FAT32 vs. NTFS Jason Capriotti CS384, Section 1 Winter Dr. Barnicki January 28, 2000

Windows NT File System. Outline. Hardware Basics. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik

Outline. Windows NT File System. Hardware Basics. Win2K File System Formats. NTFS Cluster Sizes NTFS

A Forensic Comparison of NTFS and FAT32 File Systems

Operating Systems CS-384. File Systems. NTFS and FAT32. Submitted To: Dr. Chris Taylor. Submitted By: Aditya Sitani

Windows OS File Systems

NSS Volume Data Recovery

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

IT Essentials v4.1 LI Upgrade and configure storage devices and hard drives. IT Essentials v4.1 LI Windows OS directory structures

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

REPORT DOCUMENTATION PAGE

Installing a Second Operating System

Chapter 5: Fundamental Operating Systems

Hyperoo 2 User Guide. Hyperoo 2 User Guide

NTFS Undelete User Manual

Chapter 12 File Management

Stellar Phoenix. SQL Database Repair 6.0. Installation Guide

Review NTFS Basics. Behzad Mahjour Shafiei, Farshid Iranmanesh, Fariborz Iranmanesh. Bardsir Branch, Islamic Azad University, Bardsir, Iran

Windows Operating Systems. Basic Security

Operating Systems Forensics

Installing GFI LANguard Network Security Scanner

CHAPTER 17: File Management

AxCMS.net on Network Load Balancing (NLB) Environment

Workflow Templates Library

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Ans.: You can find your activation key for a Recover My Files by logging on to your account.

File Systems Management and Examples

K-Backup: Automatic Network Backup solution

Copyright

3. USB FLASH DRIVE PREPARATION. Almost all current PC firmware permits booting from a USB drive, allowing the launch

Password Changer for DOS User Guide

Windows Server Password Recovery Techniques Courtesy of Daniel Petri

Windows Host Utilities Installation and Setup Guide

Installing Active Directory

Using Windows Administrative Tools on VNX

Installing GFI MailEssentials

StarWind iscsi SAN Software: Implementation of Enhanced Data Protection Using StarWind Continuous Data Protection

Configuring ThinkServer RAID 100 on the TS140 and TS440

Chapter 13 File and Database Systems

Chapter 13 File and Database Systems

AMD RAID Installation Guide

Maintaining a Microsoft Windows Server 2003 Environment

1! Registry. Windows System Artifacts. Understanding the Windows Registry. Organization of the Windows Registry. Windows Registry Viewer

DISK DEFRAG Professional

Windows clustering glossary

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Case Study: Quick data recovery using HOT SWAP trick in Data Compass

Application Note 116: Gauntlet System High Availability Using Replication

Legal Notes. Regarding Trademarks KYOCERA Document Solutions Inc.

General DBA Best Practices

PowerSchool Student Information System

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

AMD RAID Installation Guide

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

MANAGING DISK STORAGE

RECOVERING FROM SHAMOON

Introduction to BitLocker FVE

Spector 360 Deployment Guide. Version 7.3 January 3, 2012

User Guide. Version 3.0

Activity 1: Scanning with Windows Defender

Chapter Contents. Operating System Activities. Operating System Basics. Operating System Activities. Operating System Activities 25/03/2014

QUICK RECOVERY FOR RAID

Date: March Reference No. RTS-CB 018

Exam: QUESTION 1 QUESTION 2 QUESTION 3 QUESTION 4

FalconStor Recovery Agents User Guide

SATARAID5 Serial ATA RAID5 Management Software

ScoMIS Encryption Service

Direct Storage Access Using NetApp SnapDrive. Installation & Administration Guide

2.8.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 16

ScoMIS Encryption Service

Managing Users and Identity Stores

VoipSwitch Security Audit

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Windows 2000 Security Configuration Guide

A+ Practical Applications Solution Key

Microsoft s SBS 2003 Best Practice Guide

Introduction p. 1 Approach to the Book p. 2 At Least Three Ways to Do It p. 2 Where to Find the Tools p. 3 Running Tools with Alternate Credentials

StarWind Virtual SAN Installation and Configuration of Hyper-Converged 2 Nodes with Hyper-V Cluster

3 Setting up Databases on a Microsoft SQL 7.0 Server

Home and Shared Folders on Windows Accessing Home and Shared Folders on Active Directory File Servers Using Windows

Lenovo Online Data Backup User Guide Version

UNDELETE Users Guide

BULLGUARD BAckUp GUIDE

User Guide Win7Zilla

SafeGuard Enterprise Tools guide

HP StorageWorks Automated Storage Manager User Guide

NTFS Documentation. Richard Russon Yuval Fledel

Acronis Disk Director 11 Home. User's Guide

Active Data Recovery Software. User Guide. Version Number 2.1

K-Backup: Network automatic backup data to free iscsi SAN

Avira System Speedup. HowTo

File Server Migration

Omtool Server Monitor administrator guide

Transcription:

select a site 6 forums 6 juice: USS Cole Automatic network monitoring with GFI Network Server Monitor. Dld Free Trial! Main Exploits Links Forums Register features You're not registered and logged, please click here to register. login: password: The Windows File System @ Articles -> Software Oct 07 2004, 00:45 (UTC+0) nabiy writes: In this paper I will take a look at the current windows file system and explain the following in detail: the boot sector, the MFT, Files and their attributes, folders and the B+ Data Structure, and Possible Attacks on NTFS. login post news (SMS/Articles/Exploits) search files, exploits & links sections: search Article Themes 6 logged users active for last 5 minutes Regular user AniZ Standard user a_fazeli bobborisbob cerealkiller cypher_coded ghostface gr00ve mike33 neurastenix repulsest Saleeby registered users:86764 There are currently 11 registered users and 103 guests browsing the website. quotable quotes The Boot Sector The windows File system begins with the boot sector. This is made whenever you format an NTFS volume and is located in the first sector of your windows partition. The boot sector holds information about the drive, which is recorded in the BIOS parameter block (often referenced as BPB). The BPB details information about the hard disk such as its size, and the physical parameters of volume. The boot sector also contains code that points to the Master File Table and it's backup ($MFT and $MFTMirror). The MFT Backup ($MFTMirror) acts as a fault tolerance mechanism; it holds a mirror copy of the first four records or the first cluster of the Master File Table. If any records in the MFT are corrupt, NTFS will refer to the boot sector for the location of the mirror and use the mirror copy to not only get the correct information but to also repair the MFT. The Boot Sector is also the mechanism that is responsible for passing operations from the Master Boot Record to the NT loader program. The Boot process basically goes something like this: BIOS >> MBR >> Boot Sector >> the NT Loader (NTLDR) >> hardware detection >> Core OS loads (Ntoskrnl.exe) >> Services Start >> Logon. The Master File Table The MFT is the core component of the NTFS file system. Through the MFT the NTFS file system becomes a highly organized array of records containing information describing the content of your file system. Every instance of data on your hard disk is described within these records, from the boot sector to your plain text file. The first sixteen records of the MFT are dedicated to metadata files. The metadata files define the structure of the MFT and essentially make it a self-describing database. The use of metadata files in the MFT should not be surprising; every database uses some form of metadata to define it's data structure. The metadata files that are stored within the first sixteen records of the MFT are as follows: The MFT Rec. File Name Description 0 $Mft The Master File Table

Theres is alway more than one way to look at things online chat server: chat.box.sk chan: #neworder linking & backends Information about how to link to NewOrder. New Order news backend, a more advanced version or an RSS feed. featured download 1 $MftMirror The Master File Table Mirror 2 $LogFile A log file containing a list of transaction steps for NFTS recoverability. 3 $Volume Information about he volume. 4 $AttrDef Defines attributes (discussed later) 5. The root folder 6 $Bitmap Cluster bitmap representing the volume. 7 $Boot Boot sector (discussed above) 8 $BadClus Contains bad clusters for a volume 9 $Secure Contains security descriptors for all files within the volume. 10 $Upcase Converts lowercase characters to Unicode uppercase characters. 11 $Extend Used for various option extensions (Unique file Ids, Quota Information, Reparse point information, etc.) 12-15 Reserved for future use. GFI LANguard Network Security Scanner: Scans your entire network, IP by IP, for possible security holes. Free for non commercial use. download here The location of these files is not fixed (save for the boot sector which must be located in the first sector of the partition. NTFS is a flexible file system, in windows XP, Microsoft moved the location of the $LogFile and $Bitmap metadata files to improve overall performance. In fact, nearly all of the system files described above can be moved if needed to avoid bad clusters. Microsoft stores every file or folder on your system as a record within the MFT starting at either record seventeen or record twenty-four. The reason I give two starting points here is because there are two different views on the subject. The Linux-NTFS project says that the MFT table doesn't use records seventeen through twenty-three, while ntfs.com says that file records begin at record seventeen. I have not seen Microsoft give a specific starting point for normal file records. Files and their Attributes In the MFT, normal records are made up of numerous fields called file attributes. A file attribute describes some aspect of the file that is contained within the MFT record. Going into more detail, a descriptive list of attributes are as follows: File Attributes Standard Information: Old school file attributes: read only, timestamp, link count etc. Attribute List: Almost like another metadata file. It gives locations of all attribute records that don't fit in the actual MFT. File name: The name of the file. The long name can be up to 255 Unicode characters while the short name follows the 8.3 old-school format. Additional names

(required to meet the POSIX standard), or hard links are stored here also as file name attributes. Data: This attribute contains the actual data (if it is a small file) or is the base file that points to the extent on the disk that contains the data. It is possible to have multiple data attributes per file. Object ID: A volume unique identifier. Used by the distributed link tracking service. Logged Tool Stream: Similar to a data stream, but operations are logged to the NTFS log files. This is used by EFS. Reparse Point: Used for Symbolic Links (yes NTFS does have this capability), Junction Points, Volume Mount Points, Remote Storage Server. Index Root: Used to implement folders and other indexes (to be explained below). Index Allocation: Used to implement the B-tree structure for large folders or other large indexes (to be explained below). Bitmap: Used to implement the B-tree structure for large folders and other large indexes. Volume Information: Used only in the $Volume system file. Contains the volume version. As mentioned, with small files (usually no more than 1kb), the data resides in the MFT record as a resident attribute. In most cases the file is too large to fit in the MFT record. In these instances, the data attribute contains the VCN-to-LCN mapping information which points to the extent on the disk where the data resides as a non-resident attribute (an extent or data run is where the data is actually held on your hard disk). Using this map, the MFT points to the physical location of the extent by referring to the Logical Cluster Number(the LCN is simply a numbered ordering of all clusters on the volume) and the length of the extent. Each extent must consist of contiguous set of clusters on the disk. NTFS organizes the extents of each file logically (even though they may not be physically contiguous) by the assignment of a Virtual Cluster Number (VCN). For example, I have file A that is too large to fit in the MFT. NTFS writes the data attribute of file A onto the hard disk starting at LCN 127. The length of the file takes up 5 clusters - but cluster number 130 is bad or occupied. The File on disk would look like: data data data another file data data. A VCN to LCN description for this file would be clusters 0, 1, 2, 4, 5 to 127, 128, 129, 131, 132. The MFT would point to LCN 127 as the start of the run, identify it as VCN 0 and count the length of the run (3 clusters). It would then point to LCN 131 continuing the run, identify it as VCN 4 and count the length of the run (2 clusters).

Folders and the B+ Tree Data Structure Directories under NTFS are indexes that contain the filename attribute, file reference, timestamp and file size for the files organized by that index. Indexing and sorting the files speed directory access, there is no need for NTFS to organize the data every time you list the contents of the directory. The duplicate attributes in the index also save time - as the NTFS doesn't need to look up that information in the MFT every time the directory is accessed. Also, because the index contains the file reference (a 64bit number identifying each file) there is no need to search through the MFT for the file. When a directory grows too large to fit into the limited space of the MFT it expands from it's entry onto the file system. NTFS creates child indexes on the disk - referenced by the parent index in the MFT. To expand the directory structure onto the disk NTFS implements a B+ Tree data structure, expanding 'out' rather than 'deep', allowing for fast retrieval times. Possible Attacks on NTFS Any unauthorized modification of file attributes is an attack on the integrity of the Windows File system. This could include the modification of the security descriptors or the timestamp for a certain file. Another exploit within the windows file system would be the abuse of alternate data streams for a quick way to hide data. The virus Win2k.Stream is an example of this kind of abuse, so is my hide program. Security Descriptors could also be completely bypassed by using another ntfs driver to read the file system. The oft referred to ntpasswd utility uses this method to circumvent permissions when accessing the SAM file on an NTFS drive. Is there a need to attack the NTFS or the MFT itself? Programs rarely touch the file system directly. Any requests that you issue will be passed into kernel and then to the NT I/O manager. The I/O manager then calls the NTFS File System Driver which in turn accesses the file system. Because of this approach an attack on the file system becomes unnecessary. The cleaner method of attack, and one that you'll see in rootkits is to intercept the I/O request before it reaches the file system by either hooking into dispatch functions of the driver or setting up a file system driver filter. nabiy --- tools & links of interest: http://nabiy.freeshell.org/software.html http://home.eunet.no/~pnordahl/ntpasswd/ http://29a.host.sk/29a-5/29a-5.601 http://linux-ntfs.sourceforge.net/status.html#ntfstools http://gnuwin32.sourceforge.net/packages/ntfsprogs.htm http://www.sysinternals.com/ntw2k/source.shtml read comments (3) / write comment views: 6167 printer-friendly version

powered by The content and design of this site is 2004 by particular authors, the New Order team and Box Network ltd. For more informations about New Order contact Marek The privacy policy statement for box network

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information