The Windows NTFS File System Flashcards

1
Q

NTFS File System Features - Data Streams:

A

Files can consist of multiple NTFS object attributes, which in turn are represented as streams. The default stream represents normal file contents. Each stream can have different allocation and file sizes and can be locked separately.

2
Q

NTFS File System Features - Indexing:

A

File attributes are indexable and do not require linear searches for attributes

3
Q

NTFS File System Features - Remapping:

A

When used on a fault-tolerant file system, read failures will result in sectors being marked bad and a new instance being created from another fault-tolerant copy. If no good copy can be allocated, NTFS will mark the sector as bad, but cannot retrieve the data

4
Q

NTFS File System Features - Hard Links:

A

Supported for files, but not for directories

5
Q

NTFS File System Features - Symbolic Links:

A

Supported for files and directories, dynamic strings interpreted at run time - implemented as reparse points that can also span volumes and arbitrary non-local file systems. Older versions of NTFS supported only junctions.

6
Q

NTFS File System Features - Compression and Sparse Files:

A

NTFS implements entropy encoding compression natively. Sparse files are also supported, i.e. for large files, space is not allocated immediately for file areas that are explicitly marked as empty.

7
Q

NTFS File System Features - Change Logs:

A

NTFS can notify applications of changes to selected areas and also explicitly supports change journals

8
Q

NTFS File System Features - Volume Quotas:

A

Both hard and soft quotas can be tracked on a per-user basis

9
Q

NTFS File System Features - Encryption:

A

The EFS provides file-level encryption but cannot encrypt files needed during the boot process

10
Q

NTFS File System Features - POSIX Semantics:

A

Case-sensitive file names and traversal permissions provided in compliance with POSIX 1003.1

11
Q

The Change Journal can track file system events:

A
  • Implemented as a sparse meta-data file
  • This tracks information on added, deleted and modified files
  • Once a pre-configured maximum size is reached, NTFS will mark disk space for the oldest portions as empty
  • The log file is global and shared among applications
  • Access is via specific Win32 API calls
12
Q

Unlike FAT, NTFS is proprietary:

A
  • This has made it difficult to develop reliable compatible implementations
  • Ability to conduct forensic analysis is also affected
13
Q

The top-level structure for NTFS file systems begins with volumes…

A

Which may be on a single disk or distributed across multiple disks

14
Q

NTFS represents all data in files, including its own meta-data. These are retained in…

A

Meta-files, which are not made visible by the NTFS file system driver. This allows the file system to be extended easily with new features

15
Q

The core of the NTFS data structure is the…

A

Master File Table (MFT) containing an array of file records, each 1KByte in size irrespective of cluster size

16
Q

NTFS Structure - Each volume contains a set of…

A

Metadata files as well as entries for all user files

17
Q

For most files, a single MFT record is sufficient, but files with many attributes may require additional space. A base file record then stores…

A

Locations of all other MFT entries

18
Q

On mounting a volume, the NTFS FSD reads the metadata structures and constructs the…

A

In-memory data structures

19
Q

The volume boot sector provides the…

A

Physical address of the MFT

20
Q

The MFT is always the first entry, while the second record…

A

Points to an MFT mirror located elsewhere on disk

21
Q

The MFT mirror does not contain…

A

All records but only metadata records to help in case of a corrupt MFT

22
Q

The transaction log directory contains the TxF base log file and log container files. The number of logs depends on the size of the transaction log. At least two files always exist…

A

Kernel Transaction Manager (KTM) log stream and the TxF log stream

23
Q

All files in an NTFS volume are uniquely identified by a 64-bit value:

A
  • This consists of a file and a sequence number
  • The file number is the position of the record in the MFT minus one
  • The sequence number is incremented on each re-use of an MFT entry
24
Q

Files are considered as structured entities containing attribute/value pairs:

A
  • Actual payload data is considered the Unnamed Data Attribute
  • Each attribute is stored as a separate stream of bytes within the file
25
Q

Where possible, NTFS attempts to pack all file attributes in the MFT record:

A
  • Entries within the MFT entry are called resident attributes
  • Each attribute begins with an Attribute Header followed by an Attribute Value
  • Attribute headers are always resident, values may not be
  • For entries that do not fit into an MFT record, runs or extents are allocated
  • Each file may have multiple runs associated with it
  • Files with large numbers of attributes may require multiple MFT entries
  • Sparse files can simply be encoded by populated runs
26
Q

Creating and Writing a NTFS File Steps:

A

1) Read volume boot sector to determine MFT location
2) Read first MFT entry, determining MFT layout
3) Allocate MFT entry for file
4) Initialise MFT entry with $Standard_Information, set flag as In Use
5) Given file size, find free clusters in MFT $Bitmap, set corresponding $Bitmap fields to 1 for allocated clusters
6) Write file content to cluster, updating $Data attribute with starting address of cluster run and run lengths
7) Read root directory, traverse index and find matching directory
8) Read $INDEX_ROOT for directory
9) Once correct index entry is found, create new index entry and re-sort index tree

Each step is entered in $LogFile as these are taken

27
Q

Although user data is not protected from failures, volume consistency is maintained using a journalling mechanism:

A
  • All volume-altering operations are logged and form transactions
  • As a side effect, cache flushing intervals can be extended over non-transactional systems as volume consistency can be ensured
28
Q

Actual log operations are not performed directly by NTFS but by the Log File Service (LFS):

A
  • The LFS receives requests from the NTFS driver
  • Read, write and flush operations by the LFS run through the Cache Manager
  • Actual Volume Operations are performed by the FSD
29
Q

The steps involved in ensuring transactional integrity of volume data are:

A

1) The NTFS FSD calls the LFS to record a volume-altering transaction
2) NTFS modifies the volume
3) The cache manager at some point requests the LFS to flush the log file
4) After flushing the log file, volume changes are written out

30
Q

The log used by the LFS is circular, cycling through sequence numbers while retaining…

A

A restart area in a fixed location to ensure that after a system failure, outstanding records can be identified. LFS retains two copies of the restart area

31
Q

The fault detection mechanisms flag inconsistencies between…

A

Meta-data sets and result in a requirement to run chkdsk

32
Q

Other recovery mechanisms available in NTFS make use of lower-level features:

A
  • NTFS responds to “bad sector” notifications by re-mapping clusters containing bad sectors
  • This typically means splicing a brief run of new clusters into the MFT for an affected file
33
Q

Instead of file-system checks, NTFS also provides self-healing from Kernel 6.0 onwards:

A
  • On detecting corruption flags, a worker thread will try to repair file system damage based on logs
  • The spotfix mechanism described earlier deals with problems that cannot be handled online; some repairs will still require off-line volumes
34
Q

NTFS utilises a number of more complex data structures and optimisations, making analysis somewhat more difficult besides not having a fully documented on-disk structure

A
  • Indices (B-Trees) are used to provide sorted data structures
  • Data structures are often more dynamic and likely to be re-used and re-allocated
  • Relevant information may be retained in the MFT, log files, directory structures, the cluster bitmap and actual attributes
  • Retaining short data attributes in the MFT entry makes it easier to recover short files on NTFS volumes
35
Q

On deletion of a file in an NTFS volume, the following steps are executed:

A

1) MFT is located
2) First MFT entry is read to determine and reconstruct MFT layout
3) Root directory is read, index traversed and directory entry found
4) Directory hierarchy is traversed as needed
5) For the target directory, the $Index_Root structure is read to identify the target file
6) Target file name is removed from index and data structure is re-balanced
7) MFT entry is un-allocated, In-Use flag is zeroed
8) Corresponding MFT $Bitmap entries are zeroed