File Systems: MBR and Volume Boot Record (Basic)

On a standard hard drive (with a sector size of 512 bytes), the first sector, Sector 0, is known as the MBR (Master Boot Record).

The MBR contains 4 entries describing the location and type of the logical partitions (e.g. NTFS, FAT) on that physical hard drive, one of which is marked “active”, plus a small piece of code (446 bytes) called the primary bootloader. The bootloader is 446 bytes long and the information describing the partitions is 64 bytes long (510 bytes in total). The final two bytes of the first sector, sometimes known as the “magic number”, are the hex value 55AA.

The MBR tells the computer the location and nature of the first active partition, which is commonly at Sector 63.
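The layout described above can be checked programmatically. The following parser is an added example, not code from the original post: it validates the 55AA signature, splits off the 446-byte bootloader and walks the four 16-byte partition entries. The field offsets inside each entry (status byte, type byte, little-endian LBA start and sector count) are the standard MBR partition-entry format, which the post does not spell out, and the sample sector is constructed here with one active NTFS partition starting at sector 63.

```python
import struct

SECTOR_SIZE = 512
BOOTLOADER_SIZE = 446          # primary bootloader: bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow it (64 bytes)
MBR_SIGNATURE = b"\x55\xaa"    # the "magic number" in bytes 510..511

# Layout of one 16-byte partition entry (standard MBR format, not from the post):
#   0x00 status (0x80 = active/bootable), 0x01-0x03 CHS start, 0x04 partition type,
#   0x05-0x07 CHS end, 0x08 LBA of first sector (LE u32), 0x0C sector count (LE u32)
PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def parse_mbr(sector):
    """Return (bootloader_bytes, list_of_partitions); raise ValueError if not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(sector))
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55AA signature: got %s" % sector[510:512].hex())
    bootloader = sector[:BOOTLOADER_SIZE]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:  # an all-zero type byte marks an unused slot
            continue
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "first_sector": lba_start,               # the volume boot record lives here
            "last_sector": lba_start + sectors - 1,  # the VBR mirror sits in this sector
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return bootloader, partitions


def build_sample_mbr():
    """Constructed sample: NOP-filled boot code and one active NTFS partition at sector 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_097_152 - 63)  # ends at sector 2097151
    return b"\x90" * BOOTLOADER_SIZE + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    boot, parts = parse_mbr(build_sample_mbr())
    print("bootloader bytes:", len(boot))
    for p in parts:
        print(p)
```

On a real image the same function can be fed the first 512 bytes of the disk; a missing 55AA signature is the first sign that Sector 0 has been damaged or wiped.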

The first sector in a partition – which the MBR points to – is known as the volume boot sector, boot block, volume boot record or, by some companies, the “BPB”, and contains information about the partition, including:

  • Block size
  • Size of the partition (size in blocks)
  • The volume serial number
  • The type of partition (e.g. NTFS, FAT, etc.)
  • Where the MFT is (if it is NTFS)
  • Where the MFT Mirror is (if it is NTFS)
  • Location of the NTLDR or NTLoader (discussed later) – normally straight after the boot sector, at sector 64.

The last sector of the partition is a mirror of the volume boot sector, and can be used for data recovery purposes.

As Sectors 1 to 62 are not used, they are often blank; however, manufacturers like HP and Dell sometimes write information about the machine there, e.g. serial numbers, model, etc. These could, in theory, be relevant forensic artifacts.

A good resource on the MFT, and on NTFS in general, is the book File System Forensic Analysis.


File System: MFT Entries (Basic)

The MFT, as previously stated, is the primary file in the NTFS file system. This file points to the locations of the other files on the computer.

Within the MFT are “entries”; each entry contains information about the file it points to, including:

file name, file size, dates about the file – Created, Modified, Written and Accessed – and the location of the file's data. Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with “FILE0” or “FILE*”, with the information following that.

The first 16 MFT entries within the MFT are reserved, as they point to key NTFS artefacts; these include $BitMap and $Log. The first entry of the MFT is $MFT, which describes the MFT itself. This may seem odd, but it needs to be done. Everything within NTFS is a “file”, so the MFT, which contains all the information about files, e.g. Word documents and emails, is also a file. Therefore the MFT has an entry within itself that describes its size, location, etc. The second entry within the MFT is the $Mirror. The MFT Mirror is a backup of the first 16 MFT entries, stored just in case there is a problem with the primary MFT entries.

A more detailed article on the MFT entries will follow.

A good resource on the MFT, and on NTFS in general, is the book File System Forensic Analysis.

RAIDs: Introduction

RAID – Redundant Array of Independent Drives or Redundant Array of Inexpensive Drives.

A RAID is a method of storing data that uses more than one disk to appear as a single disk. There are several different types of RAID which utilize multiple disks in different ways. By arranging the disks in different ways, different RAID levels offer different benefits, including:

  • Increasing the size of storage
  • Increasing speed of the storage media
  • Increasing the resilience/reliability of the storage

How are RAIDs connected to a computer?

There are a variety of ways of building a RAID and attaching it to a computer, but they fall into two main categories – software RAIDs and hardware RAIDs.

Hardware RAID: A hardware RAID is a dedicated unit that the hard drives are placed into. This unit then attaches to a computer (normally a server) via one of several connections (normally SCSI or Fiber). The RAID unit then “presents” the array to the computer as a single drive. For example, the RAID unit may have 8 HDDs in it, e.g. 500 GB each, but the computer would only see 1*4 TB (terabyte) drive, as the RAID has combined the 8*500 GB drives to form a single 4000 GB/4 TB drive. The computer does not know, or care, that there are actually 8 drives; it sees the one logical unit presented by the RAID.

Software RAID

A software RAID is where the host computer does all the work of converting multiple drives into a RAID. For example, a user can place multiple drives into a Windows XP Pro computer and then request that Windows combine them together, using the Dynamic Disk function. The net result is that the user is presented with a “volume” that can consist of multiple drives.

To the end user the software and hardware RAID may appear the same, i.e. multiple drives are taken and presented as a single drive. The difference is cost and reliability. A dedicated RAID unit, without any drives, can easily cost over £2,000 just for an 8-drive bay with a SCSI connector. This is a dedicated unit that will handle all the requests in relation to the RAID; it can manage the volumes, record activities on the RAID, and alert the administrator to errors. A software RAID, such as the Windows one mentioned above, will run on any hardware as long as Windows XP is installed, but it is simply not at the same level of performance. For home use, a software RAID is perfectly fine. For business, a dedicated RAID is normally required for speed and reliability.

Types of RAID

The drives in a RAID can be arranged in several different ways; however, the three main levels in use are as follows:

RAID 0 – This is also known as a “stripe” and takes a minimum of two disks to work. It spreads the data across the drives, e.g. 2*250 GB hard drives would appear as 1*500 GB hard drive. If multiple reads and writes are occurring at the same time – e.g. two people accessing different files – then a stripe will be faster to access than a single hard drive. This is because the data can be accessed from multiple locations at the same time, i.e. there are two heads reading at the same time rather than one. However, there is no “redundancy” in a RAID 0. Therefore if one drive fails all of the data could be lost.

RAID 1 – This is also known as a “mirror” and takes a minimum of two disks to work. This is the simplest RAID to understand: for every disk in the RAID another disk is an exact mirror, e.g. if there are 2*500 GB hard drives, the RAID unit presents just 1*250 GB hard drive. The other is not “seen” by the user, but it constantly replicates the primary disk. This means that if one hard drive fails, the other one will take over; it is quite possible that an end user would not be aware that a hard drive had failed and could continue working as normal. While a mirror is highly resilient, it is inefficient in its use of media, as there is 100% redundancy.

RAID 5 – This requires a minimum of 3 disks. It has the benefits of both RAID 0 and RAID 1, with fewer of the disadvantages. In a RAID 5 the data is spread across the disks, with the equivalent of one drive acting as a “spare”. This means there is increased size, increased speed and increased redundancy.

For example, a RAID unit with 8*500 GB disks in a RAID 5 array would present a single 3500 GB (3.5 TB) volume to the host computer (7*500). One of the 500 GB drives does not count towards the volume size as it provides the redundancy. However, and this is where RAID 5 is very clever, the spare data is not stored on a single hard drive (it could not do that); rather it is spread evenly across all of the drives, taking up a total of one drive's worth of space in the unit. This means that if any one drive in the RAID 5 fails, the system can continue without any noticeable effect to the user (though, depending on the RAID, access times may decrease). RAID 5 achieves this by using something called “parity”; this is a more detailed topic and will be covered later this month.
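The post defers parity to a later article; the simulation below is an added example (not the blog's own code) that goes one step further and shows the mechanism: data is split into blocks and striped across the disks, each stripe carries one parity block equal to the XOR of its data blocks, the parity block's position rotates so that it consumes exactly one disk's worth of space overall, and any single failed disk can be rebuilt by XOR-ing the surviving blocks of each stripe. Disk count, block size and the sample payload are constructed for the demonstration.

```python
def xor_bytes(*blocks):
    """XOR any number of equal-length blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe_no, n_disks):
    """Parity moves one disk to the left each stripe, so it is spread evenly over all disks."""
    return (n_disks - 1 - stripe_no) % n_disks


def raid5_write(data, n_disks, block_size):
    """Stripe data over n_disks; returns one list of blocks per disk (parity blocks included)."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = block_size * (n_disks - 1)          # data bytes carried by one stripe
    disks = [[] for _ in range(n_disks)]
    for stripe_no, start in enumerate(range(0, len(data), per_stripe)):
        chunk = data[start:start + per_stripe].ljust(per_stripe, b"\x00")
        blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        parity = xor_bytes(*blocks)                   # parity = XOR of the stripe's data blocks
        pd = parity_disk_for(stripe_no, n_disks)
        for d in range(n_disks):
            disks[d].append(parity if d == pd else blocks.pop(0))
    return disks


def raid5_read(disks, length):
    """Reassemble the original data by skipping the parity block in each stripe."""
    n_disks, out = len(disks), bytearray()
    for stripe_no in range(len(disks[0])):
        pd = parity_disk_for(stripe_no, n_disks)
        out += b"".join(disks[d][stripe_no] for d in range(n_disks) if d != pd)
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Recreate a failed disk (its slot may be None): each block is the XOR of the others in its stripe."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    return [xor_bytes(*(disk[s] for disk in survivors)) for s in range(len(survivors[0]))]


def usable_capacity(n_disks, disk_size):
    """Usable RAID 5 size: one disk's worth of space is consumed by the distributed parity."""
    return (n_disks - 1) * disk_size
```

Losing a second disk before the rebuild completes leaves a stripe with two unknown blocks, which a single XOR parity cannot recover; that is why a degraded array is an operational risk, not just a performance hit.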

File System: MFT (technical)

MFT – The Master File Table is the first, and key, file in an NTFS file system. For a very basic understanding of the MFT please read this post.

All files are referenced through the MFT, including itself.

Within the MFT, the MFT itself is given position “0” and the name $MFT. It sits just above $MFT_Mirror, at position “1”. The MFT Mirror is a copy of the first 16 entries of the MFT, and is there to help the file system deal with errors/corruption.

Each MFT entry is (as standard) 1024 bytes long, or 2 sectors, and contains information about the file it references.

This includes:

  • The file name
  • Directory the file belongs to
  • Dates: Created, Modified, Accessed, Entry modified – the last time the MFT entry for that file was modified
  • File Size
  • File permissions
  • Physical location of the file. This gives the location or locations of the file within the NTFS file system on the hard drive. Remember that a file within an NTFS system does not need to be contiguous; it can be split into different sections around the hard drive. All of those different sections are referenced within the MFT entry, in a section called “Index” or “Data”.

If a file is very small, just a few bytes, e.g. a cookie, there is no need for the MFT entry to have an index directing the computer to the location of the cookie (as the directions could be longer than the file); instead the small file can fit in the MFT entry itself – where the index or directions would normally be. This type of data is called “resident” data; other entries, where the data is stored elsewhere in the NTFS volume, are called “non-resident”.

Resident data can be very interesting, because it can allow for “slack” within an MFT entry. Here is how.

Example

A small text file is created on a Windows XP computer with an NTFS file system. This means that an MFT entry is written, with resident data. Due to the size of the file, in this case, this takes up the whole of the 1024 bytes.

A few weeks later the text file is deleted, and a new file created. In this case the MFT entry is overwritten, therefore deleting all information about the original file (e.g. date, location, size, etc.). Other artifacts – link files, registry entries, etc. – may tell you about the file, but the MFT entry itself has been overwritten. However, the new file is a non-resident, contiguous file. This means that the entry is relatively short and does not take up much space; as such the entire MFT entry is now only 600 bytes long. This means there are 424 bytes remaining of the “old” entry – this is slack, or more specifically MFT slack. As the remaining area is at the end of the MFT entry, this will be the data of the original text file. This data could remain there for a very long time, as nothing will write into that location until the new file is deleted, or becomes very large.

In the example given, an investigator could only find that information with a keyword search, and if he did find it he would not be able to say what the name of the document was, or when it was created or deleted (unless there was other supporting information). However, if you're lucky, it may be the perfect evidence.
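The slack scenario above can be carved mechanically rather than by keyword search alone. The following is an added example, not the blog's code: it reads the "used size" and "allocated size" fields of the FILE record header (at offsets 0x18 and 0x1C, standard NTFS header fields the post does not mention) and returns everything between them as MFT slack. The records are constructed here; the 0x30-byte header and the stub contents of the "new" entry are simplifications, and the reuse model follows the post's description of only the live part of the slot being rewritten.

```python
import struct

MFT_ENTRY_SIZE = 1024        # the standard entry size: two 512-byte sectors
FILE_SIGNATURE = b"FILE"     # ASCII signature at the start of every entry
HEADER_SIZE = 0x30           # header size used by this constructed sample
USED_SIZE_OFFSET = 0x18      # header field: bytes of the slot actually used by this entry
ALLOC_SIZE_OFFSET = 0x1C     # header field: bytes allocated to the entry (normally 1024)


def mft_slack(entry):
    """Return the bytes after the live entry ends but before its 1024-byte slot ends."""
    if len(entry) != MFT_ENTRY_SIZE or entry[:4] != FILE_SIGNATURE:
        raise ValueError("not a 1024-byte FILE record")
    used, allocated = struct.unpack_from("<II", entry, USED_SIZE_OFFSET)
    if not HEADER_SIZE <= used <= allocated <= MFT_ENTRY_SIZE:
        raise ValueError("implausible sizes in header: used=%d allocated=%d" % (used, allocated))
    return entry[used:allocated]


def build_entry(used_size, payload):
    """Constructed FILE record: 0x30-byte header, payload, zero fill out to 1024 bytes."""
    header = bytearray(HEADER_SIZE)
    header[:4] = FILE_SIGNATURE
    struct.pack_into("<II", header, USED_SIZE_OFFSET, used_size, MFT_ENTRY_SIZE)
    body_len = used_size - HEADER_SIZE
    body = payload[:body_len].ljust(body_len, b"\x00")
    return bytes(header) + body + b"\x00" * (MFT_ENTRY_SIZE - used_size)


def reuse_entry(old_entry, new_entry):
    """Model the reuse the post describes: only the new entry's used bytes are written over
    the slot, so whatever the old entry held beyond that point survives as MFT slack."""
    new_used = struct.unpack_from("<I", new_entry, USED_SIZE_OFFSET)[0]
    return new_entry[:new_used] + old_entry[new_used:]


if __name__ == "__main__":
    old = build_entry(MFT_ENTRY_SIZE, b"CONSTRUCTED resident text file. " * 40)  # fills the slot
    new = build_entry(600, b"\x80" + b"\x00" * 7)                             # short non-resident entry
    print(mft_slack(reuse_entry(old, new))[:64])
```

Running mft_slack over every 1024-byte record of an extracted $MFT and keyword-searching only the returned slack narrows a search to exactly the region where such remnants can live.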

Note:

The dates for the MFT do not change, i.e. the creation, access and modification dates for $MFT are always the same – the date it was created/formatted.

A good resource on the MFT, and on NTFS in general, is the book File System Forensic Analysis.

File System: MFT (basics)

MFT – The Master File Table is the first, and key, file in an NTFS file system. All files are referenced through the MFT and it behaves like an index or library card system for all files – similar to the old File Allocation Table in FAT.

By referencing the MFT the computer can find the other files. Below is a basic example of how this works.

When the computer wants to find a file it goes to the MFT and looks down the list to find the file (the entries are not in alphabetical order). When it comes to the entry for the file it then reads across and gets more information from within the MFT entry for that file.

The MFT entry will tell it information such as the full name of the file, the dates the file was created, modified and accessed, the directory it is in, how big the file is, and where it is on the hard drive. (Remember that the name of the file is not stored in the file itself on the hard drive; the name is kept in the MFT.)

A more technical article on the MFT is available here.

Hard Drives: Cluster

On a standard Windows PC a cluster on a hard drive is comprised of 8 sectors. It is the smallest unit that a file system can address.

The word standard is emphasized here, as there are numerous variations, e.g. a RAID attached to a Windows server could have very different cluster settings. But for a standard Windows 2000/XP machine with a single hard drive and an NTFS file system, the standard is 8 sectors, which is 4 KB.

This means that for a file that is “non-resident data” the smallest physical size it will take up on a hard drive will be 4 KB.

For example, if a file is just 2048 bytes long, e.g. a text file with 2048 characters, then the file will still be given 4 KB (4096 bytes) of space, as this is 1 cluster and is the smallest unit the file system can handle.

Equally, if a file is 5000 bytes long (i.e. just over one cluster) it will be allocated 2 clusters – 8 KB.

The remaining space – between the end of the logical file and the end of the physical space allocated, e.g. between the 2048th byte and the end of the first cluster, or between the 5000th byte and the end of the second cluster – is known as “slack”.

Hard Drive: Sector

A sector is the smallest unit of data on a hard drive that can be accessed by a computer.

A single sector, on a standard hard drive, is 512 bytes (IBM AS400 drives are a whole different issue).

While a single sector can be accessed by a computer and specific forensic tools, file systems write to “clusters”, which are a group of sectors.

The standard cluster, in a Windows NTFS, is 8 sectors – or 4 KB.