SlideShare a Scribd company logo

NTFS Forensics

N
nullowaspmumbai

-- NTFS internals -- Extended Attributes -- Malware artifacts in UsnJrnl -- Demo

Technology
1 of 18
Download to read offline
NTFS Forensics
Speaker’s profile MALLA REDDY DONAPATI Security Enthusiast, Consultant & Forensicator Chapter Moderator – null Mumbai https://null.co.in/ M.Sc Information Security & Computer Forensics (University of East London ) dmred1
Agenda • Introduction • NTFS internals • Alternate Data streams • Extended Attributes • Malware artifacts in UsnJrnl • Demo
NTFS – New Technology File System • Introduced in 1993 for Win NT 3.1 • Default file system for NT based OS (Win NT, 2K, 2K3, XP, …) • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points.
Why NTFS forensics ? • To understand its format and inner-working • To device effective file recovery strategies for deleted / lost data • To find forensically useful artifacts like Existence of hidden timestamps, Logs and Deleted / Leftover Metadata • Leverage NTFS artifacts in memory for efficient malware analysis
NTFS Basics • Everything is a file, even the core file system internals • The internal files are always hidden from user view Hidden files and folders in NTFS
Hidden Internal Files Filename Description $MFT Master File Table $MFTMirr Backup of first 4 records of MFT $LogFile Transaction log file $Volume Volume related information, usually empty $AttrDef $AttrDef Table listing MFT attribute names and numbers . Root folder on NTFS $Bitmap Map showing which clusters on volume are in use $Boot Boot code used during bootstrap $BadClus Map of bad clusters $Secure Security descriptors and ACLs are listed here $Upcase Keeps all lowercase to uppercase character mappings $Extend Optional extensions listed here (This is a folder)
Physical Layout of NTFS Volume
Master File Table - $MFT • Consists of 1024 byte records • Has an entry for every file and folder including itself • Records can be identified by header “FILE” • A record consists of header and attributes • All metadata is stored in attributes • Common attributes: • $STANDARD_INFORAMTION • $FILE_NAME • $DATA
Reading an MFT Entry
Understanding File Storage
Timestamps on NTFS • 64 bit Timestamp • Number of 100 Nanosecond intervals since 1st January 1601 • 1 second = 0x989 • 4 Timestamps • Created • Modified • Accessed • MFT Entry Modified - ? • caution: • The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access. (Source: msdn.microsoft.com )
Alternate Data Stream • Every file has single $Data stream, but NTFS allows multiple data streams • A place to store (hide) data, which is not displayed by Windows Explorer or command line ‘dir’ view. • Intended to store extra file metadata • Used by IE, Outlook Express, AV programs • Exploited by malware to hide malicious tools
Extended Attributes • Extended Attributes are a feature of NTFS similar in nature to Alternate Data Streams where extra information about the file can be stored on the file system • EA • EA_INFORMATION • ZeroAccess rootkit uses this feature to hide a whole PE file as well as shellcode in services.exe that loads the PE file
$UsnJrnl • Is a change journal file • Records when changes were made to the files and directories • Located at $Extend$UsnJrnl and the actual entries are located at $UsnJrnl:$J alterante data stream • Information contained in each entry : • Time of change • Reason for change • File/Directory’s name • File/Directory MFT record number • File record number of the file’s parent directory • Security ID • Update Sequence Number of the record • Information about the source of change
NTFS ..??
references • http://www.slideshare.net/null0x00/ntfs-forensics • http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html • https://www.fbi.h-da.de/fileadmin/personal/h.baier/Lectures-winter- 11/WS-11-Forensics/vorlesung_forensik_ws11-12_kap06_ntfs-handout.pdf

Recommended

Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensicsGaurav Ragtah
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 

Recommended

Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensicsGaurav Ragtah
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensicsChaitanya Dhareshwar
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsNicholas Davis
 
Database forensics
Database forensicsDatabase forensics
Database forensicsDenys A. Flores, PhD
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools Jyothishmathi Institute of Technology and Science Karimnagar
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigationOnline
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensicsn|u - The Open Security Community
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigationedwardbel
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file systemkeshav546
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsJyothishmathi Institute of Technology and Science Karimnagar
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating Systemnishant24894
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
file system in operating system
file system in operating systemfile system in operating system
file system in operating systemtittuajay
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The DayCTIN
 

More Related Content

What's hot

Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigationOnline
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigationedwardbel
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file systemkeshav546
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating Systemnishant24894
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
file system in operating system
file system in operating systemfile system in operating system
file system in operating systemtittuajay
 

What's hot (20)

Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Database forensics
Database forensicsDatabase forensics
Database forensics
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigation
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Fat 32 file system
Fat 32 file systemFat 32 file system
Fat 32 file system
 
Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
 
NTFS file system
NTFS file systemNTFS file system
NTFS file system
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Forensic Investigation of Android Operating System
Forensic Investigation of Android Operating SystemForensic Investigation of Android Operating System
Forensic Investigation of Android Operating System
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
file system in operating system
file system in operating systemfile system in operating system
file system in operating system
 

Viewers also liked

WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The DayCTIN
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7RIAH ENCARNACION
 
July132000
July132000July132000
July132000CTIN
 
Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)Shuvo Sarker
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...OWASP Turkiye
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformBasis Technology
 
Windows nt istallation
Windows nt istallationWindows nt istallation
Windows nt istallationHarleen Johal
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...Mark Matienzo
 
Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations ToolsMandy Jenkins
 
Nra
NraNra
NraCTIN
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics00heights
 
G Infomgnt
G InfomgntG Infomgnt
G InfomgntCTIN
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector ConcernsCTIN
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drivesCTIN
 

Viewers also liked (20)

WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The Day
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7
 
July132000
July132000July132000
July132000
 
Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)
 
Capturing forensics image
Capturing forensics imageCapturing forensics image
Capturing forensics image
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
 
Digital forensic upload
Digital forensic uploadDigital forensic upload
Digital forensic upload
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
Windows nt istallation
Windows nt istallationWindows nt istallation
Windows nt istallation
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...
 
Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations Tools
 
Nra
NraNra
Nra
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
 
G Infomgnt
G InfomgntG Infomgnt
G Infomgnt
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Citrix
CitrixCitrix
Citrix
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drives
 

Similar to NTFS Forensics

AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
ITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemSneh Prabha
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profitssusera432ea1
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1Pavan Illa
 
Chap1_Part2.pptx
Chap1_Part2.pptxChap1_Part2.pptx
Chap1_Part2.pptxNMohd3
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisDon Caeiro
 
Lecture 9 file system
Lecture 9 file systemLecture 9 file system
Lecture 9 file systemTanveer Malik
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 

Similar to NTFS Forensics (20)

AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Windows file system
Windows file systemWindows file system
Windows file system
 
ITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemITFT_File system interface in Operating System
ITFT_File system interface in Operating System
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Lecture 6
Lecture 6Lecture 6
Lecture 6
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1
 
Lecture 1
Lecture 1Lecture 1
Lecture 1
 
Chap1_Part2.pptx
Chap1_Part2.pptxChap1_Part2.pptx
Chap1_Part2.pptx
 
Unix File System
Unix File SystemUnix File System
Unix File System
 
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
CNIT 152 12 Investigating Windows Systems (Part 1 of 3)
 
Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and Analysis
 
Lecture 9 file system
Lecture 9 file systemLecture 9 file system
Lecture 9 file system
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 
Ext filesystem4
Ext filesystem4Ext filesystem4
Ext filesystem4
 
NTFS Forensics.pptx
NTFS Forensics.pptxNTFS Forensics.pptx
NTFS Forensics.pptx
 

More from nullowaspmumbai

ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management nullowaspmumbai
 
Internet censorship circumvention techniques
Internet censorship circumvention techniquesInternet censorship circumvention techniques
Internet censorship circumvention techniquesnullowaspmumbai
 
Adversarial machine learning updated
Adversarial machine learning updatedAdversarial machine learning updated
Adversarial machine learning updatednullowaspmumbai
 
Adversarial machine learning
Adversarial machine learning Adversarial machine learning
Adversarial machine learning nullowaspmumbai
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsnullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 

More from nullowaspmumbai (20)

Xxe
XxeXxe
Xxe
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics
 
Switch security
Switch securitySwitch security
Switch security
 
Radio hacking - Part 1
Radio hacking - Part 1 Radio hacking - Part 1
Radio hacking - Part 1
 
How I got my First CVE
How I got my First CVE How I got my First CVE
How I got my First CVE
 
Power forensics
Power forensicsPower forensics
Power forensics
 
Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management
 
Middleware hacking
Middleware hackingMiddleware hacking
Middleware hacking
 
Internet censorship circumvention techniques
Internet censorship circumvention techniquesInternet censorship circumvention techniques
Internet censorship circumvention techniques
 
How i got my first cve
How i got my first cveHow i got my first cve
How i got my first cve
 
Adversarial machine learning updated
Adversarial machine learning updatedAdversarial machine learning updated
Adversarial machine learning updated
 
Commix
Commix Commix
Commix
 
Adversarial machine learning
Adversarial machine learning Adversarial machine learning
Adversarial machine learning
 
Dll Hijacking
Dll Hijacking Dll Hijacking
Dll Hijacking
 
Abusing Target
Abusing Target Abusing Target
Abusing Target
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool
 
Middleware hacking
Middleware hackingMiddleware hacking
Middleware hacking
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 

Recently uploaded

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

NTFS Forensics

  • 2. Speaker’s profile MALLA REDDY DONAPATI Security Enthusiast, Consultant & Forensicator Chapter Moderator – null Mumbai https://null.co.in/ M.Sc Information Security & Computer Forensics (University of East London ) dmred1
  • 3. Agenda • Introduction • NTFS internals • Alternate Data streams • Extended Attributes • Malware artifacts in UsnJrnl • Demo
  • 4. NTFS – New Technology File System • Introduced in 1993 for Win NT 3.1 • Default file system for NT based OS (Win NT, 2K, 2K3, XP, …) • Feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points.
  • 5. Why NTFS forensics ? • To understand its format and inner-working • To device effective file recovery strategies for deleted / lost data • To find forensically useful artifacts like Existence of hidden timestamps, Logs and Deleted / Leftover Metadata • Leverage NTFS artifacts in memory for efficient malware analysis
  • 6. NTFS Basics • Everything is a file, even the core file system internals • The internal files are always hidden from user view Hidden files and folders in NTFS
  • 7. Hidden Internal Files Filename Description $MFT Master File Table $MFTMirr Backup of first 4 records of MFT $LogFile Transaction log file $Volume Volume related information, usually empty $AttrDef $AttrDef Table listing MFT attribute names and numbers . Root folder on NTFS $Bitmap Map showing which clusters on volume are in use $Boot Boot code used during bootstrap $BadClus Map of bad clusters $Secure Security descriptors and ACLs are listed here $Upcase Keeps all lowercase to uppercase character mappings $Extend Optional extensions listed here (This is a folder)
  • 8. Physical Layout of NTFS Volume
  • 9. Master File Table - $MFT • Consists of 1024 byte records • Has an entry for every file and folder including itself • Records can be identified by header “FILE” • A record consists of header and attributes • All metadata is stored in attributes • Common attributes: • $STANDARD_INFORAMTION • $FILE_NAME • $DATA
  • 10. Reading an MFT Entry
  • 12. Timestamps on NTFS • 64 bit Timestamp • Number of 100 Nanosecond intervals since 1st January 1601 • 1 second = 0x989 • 4 Timestamps • Created • Modified • Accessed • MFT Entry Modified - ? • caution: • The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access. (Source: msdn.microsoft.com )
  • 13. Alternate Data Stream • Every file has single $Data stream, but NTFS allows multiple data streams • A place to store (hide) data, which is not displayed by Windows Explorer or command line ‘dir’ view. • Intended to store extra file metadata • Used by IE, Outlook Express, AV programs • Exploited by malware to hide malicious tools
  • 14. Extended Attributes • Extended Attributes are a feature of NTFS similar in nature to Alternate Data Streams where extra information about the file can be stored on the file system • EA • EA_INFORMATION • ZeroAccess rootkit uses this feature to hide a whole PE file as well as shellcode in services.exe that loads the PE file
  • 15. $UsnJrnl • Is a change journal file • Records when changes were made to the files and directories • Located at $Extend$UsnJrnl and the actual entries are located at $UsnJrnl:$J alterante data stream • Information contained in each entry : • Time of change • Reason for change • File/Directory’s name • File/Directory MFT record number • File record number of the file’s parent directory • Security ID • Update Sequence Number of the record • Information about the source of change
  • 17.
  • 18. references • http://www.slideshare.net/null0x00/ntfs-forensics • http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html • https://www.fbi.h-da.de/fileadmin/personal/h.baier/Lectures-winter- 11/WS-11-Forensics/vorlesung_forensik_ws11-12_kap06_ntfs-handout.pdf