Part 3 of 5

File System Analysis

🕑 180-210 minutes 📖 Advanced Level 📋 Module 4

Introduction

File system analysis is at the heart of disk forensics. Understanding how file systems organize, store, and manage data enables forensic examiners to recover deleted files, uncover hidden data, and reconstruct user activity. This part focuses primarily on NTFS, the dominant file system in Windows environments.

📚 Learning Objectives

By the end of this part, you will understand NTFS architecture and key structures, analyze the Master File Table (MFT) for forensic evidence, recover deleted files using MFT analysis, and examine slack space and alternate data streams for hidden evidence.

File System Overview

A file system provides the structure for organizing and accessing data on storage media. Different operating systems use different file systems, each with unique forensic implications.

Common File Systems

  File System   OS               Max File Size   Forensic Notes
  NTFS          Windows          16 EB           Most common, rich metadata, journaling
  FAT32         Universal        4 GB            Simple structure, easy recovery, no journaling
  exFAT         Universal        128 PB          Flash drives, SD cards, limited metadata
  ext4          Linux            16 TB           Journaling, extents, deleted inode recovery
  APFS          macOS            8 EB            Encrypted, snapshots, clones
  HFS+          macOS (legacy)   8 EB            Catalog file, resource forks

🔍 Why Focus on NTFS?

NTFS is used on the vast majority of Windows systems, which dominate enterprise and personal computing. Its rich metadata structure - including timestamps, ownership, permissions, and journaling - provides extensive forensic artifacts. Understanding NTFS is essential for any digital forensics professional.

NTFS Architecture

NTFS (New Technology File System) was introduced with Windows NT and has become the standard for Windows operating systems. It offers advanced features including journaling, encryption, compression, and access control.

Key NTFS Structures

Boot Sector

Located at the first sector of the partition, the boot sector contains:

  • BIOS Parameter Block (BPB) with volume geometry
  • Cluster size (typically 4KB)
  • Location of the MFT
  • Location of MFT mirror
  • Volume serial number

Master File Table (MFT)

The MFT is the core structure of NTFS. It contains a record for every file and directory on the volume, including metadata and pointers to file data.

$LogFile (Journal)

NTFS maintains a transaction journal that records changes to the file system. This can be invaluable for understanding recent activity.

$Bitmap

Tracks which clusters are allocated (in use) and which are free. Analyzing the bitmap helps identify unallocated space.

Master File Table (MFT) Analysis

The MFT is the most important forensic artifact in NTFS. Every file and directory has at least one MFT entry (record) containing all metadata and, for small files, the file data itself.

MFT Record Structure (1024 bytes typical)

  MFT Entry Header     FILE signature, flags, sequence number
  $STANDARD_INFO       Type 0x10
  $FILE_NAME           Type 0x30
  $DATA                Type 0x80
  $ATTRIBUTE_LIST      Type 0x20
  $SECURITY_DESC       Type 0x50
  $INDEX_ROOT          Type 0x90

Key MFT Attributes

$STANDARD_INFORMATION (0x10)

Contains essential timestamps and file flags:

  • Creation time (C)
  • Modification time (M)
  • MFT entry modification time (E)
  • Access time (A)
  • File attributes (hidden, system, archive, etc.)

$FILE_NAME (0x30)

Contains the file name and parent directory reference. Also has its own set of timestamps (often called "fn" timestamps). Multiple $FILE_NAME attributes may exist (short name, long name).

$DATA (0x80)

Contains the actual file content. For small files (typically under 700 bytes), data is stored directly in the MFT entry (resident). Larger files have data runs pointing to clusters on disk (non-resident).

Resident vs Non-Resident Data

Small files stored entirely within the MFT entry (resident) can be recovered even if their clusters have been overwritten. The MFT acts as a secondary location for small file data. This is a crucial recovery opportunity that forensic examiners should always check.

NTFS Timestamps

NTFS maintains multiple timestamps which can reveal file manipulation attempts.

  • Created (C): when the file was first created on this volume
  • Modified (M): when the file content was last changed
  • Accessed (A): when the file was last opened or read
  • Entry Modified (E): when the MFT entry was last changed

🔍 Timestamp Analysis

Compare $STANDARD_INFORMATION timestamps with $FILE_NAME timestamps. They should generally align. Significant differences can indicate timestamp manipulation (timestomping) - an anti-forensics technique. The $FILE_NAME timestamps are harder to modify, making them more reliable for detecting manipulation.
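As an added example (not part of the original module), the following Python parses one raw MFT FILE record: it undoes the update-sequence fixups, walks the attribute headers, extracts the four $STANDARD_INFORMATION and $FILE_NAME timestamps, and flags any $SI time that predates the $FN creation time, which is the usual backdating signature. The record it parses is constructed inside the block by a small builder so the code runs offline; the header and attribute offsets are the standard NTFS ones, and the function names and the sample file name and dates are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; one tick is 100 ns

def parse_mft_record(rec):
    """Undo fixups, walk one FILE record's attributes, return $SI/$FN times in C, M, E, A order."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_count):     # the last word of each sector holds the USN; restore the original
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "names": [], "si": None, "fn": None}
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:      # end-of-attributes marker
            break
        if atype in (0x10, 0x30):                 # $SI and $FN are always resident: content follows the header
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            body = bytes(rec[off + coff:off + coff + csize])
            ticks = struct.unpack_from("<4Q", body, 0 if atype == 0x10 else 8)   # $FN has the parent ref first
            info["si" if atype == 0x10 else "fn"] = [EPOCH + timedelta(microseconds=t // 10) for t in ticks]
            if atype == 0x30:                     # UTF-16LE name: length byte at 64, text from 66
                info["names"].append(body[66:66 + 2 * body[64]].decode("utf-16-le"))
        off += alen
    return info

def timestomp_indicators(info):
    # $FN created is set when the entry is made and ordinary timestamp APIs leave it alone: $SI times before it mean backdating
    return [l for l, si in zip(("created", "modified", "entry_modified", "accessed"), info["si"]) if si < info["fn"][0]]

def resident_attr(atype, body):                   # 24-byte resident attribute header + 8-byte-aligned content
    length = (24 + len(body) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body.ljust(length - 24, b"\0")

def build_record(si_times, fn_times, name):
    """Constructed 1024-byte record with real fixups: synthetic test data, not taken from a disk."""
    ticks = [(datetime.fromisoformat(s + "+00:00") - EPOCH) // timedelta(microseconds=1) * 10 for s in si_times + fn_times]
    si = struct.pack("<4Q", *ticks[:4]) + bytes(16)
    fn = struct.pack("<Q4QQQIIBB", 5, *ticks[4:], 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = resident_attr(0x10, si) + resident_attr(0x30, fn) + b"\xff\xff\xff\xff\0\0\0\0"
    rec = bytearray(1024)                         # header: USA at 48 with 3 words, first attribute at 56, USN 7
    struct.pack_into("<4sHHQHHHHIIQHHIH", rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), 1024, 0, 3, 0, 0, 7)
    rec[56:56 + len(attrs)] = attrs
    for i in (1, 2):                              # save each sector's last word into the USA, then stamp the USN
        rec[48 + 2 * i:48 + 2 * i + 2], rec[512 * i - 2:512 * i] = rec[512 * i - 2:512 * i], b"\x07\x00"
    return bytes(rec)

OLD, NEW = "2019-01-01 00:00:00", "2024-03-10 09:15:00"   # $SI backdated to 2019; $FN keeps the real 2024 creation
SAMPLE = build_record([OLD, OLD, "2024-03-10 09:20:00", OLD], [NEW] * 4, "report.docx")
```

On the sample, `timestomp_indicators(parse_mft_record(SAMPLE))` returns the created, modified and accessed fields; the $SI entry-modified time stays later than the $FN creation because the tool that rewrote the timestamps updated it.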

System MFT Entries

The first 16-24 MFT entries are reserved for system files:

  Entry   File        Purpose
  0       $MFT        The MFT itself
  1       $MFTMirr    Backup of first 4 MFT entries
  2       $LogFile    Transaction journal
  3       $Volume     Volume information
  4       $AttrDef    Attribute definitions
  5       . (root)    Root directory
  6       $Bitmap     Cluster allocation bitmap
  7       $Boot       Boot sector
  8       $BadClus    Bad cluster list
  9       $Secure     Security descriptors
  10      $UpCase     Uppercase table
  11      $Extend     Extended attributes

File Recovery Techniques

When files are deleted in NTFS, the MFT entry is marked as unused but not immediately overwritten. This creates opportunities for recovery.

How NTFS Deletion Works

  1. File's MFT entry is marked as available (flag changed)
  2. File's clusters are marked as free in $Bitmap
  3. File name removed from parent directory index
  4. Actual data remains on disk until overwritten

MFT-Based Recovery

Recovery from MFT entries is often successful because:

  • MFT entries retain file name and timestamps
  • Data run information (cluster locations) remains intact
  • Small files may have resident data preserved
  • MFT is usually at start of volume, less likely to be overwritten

Recovery Challenges

  • MFT entry reuse: New files may overwrite deleted entry
  • Cluster reuse: New data may overwrite file content
  • Fragmented files: Data runs may be partially overwritten
  • Encrypted files: EFS encryption prevents content recovery without keys

💡 Recovery Success Factors

Recovery is most likely when: the file was recently deleted, the volume has significant free space, the system hasn't been heavily used since deletion, and the file was not encrypted. On SSDs with TRIM, deleted file recovery is often impossible.
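The cluster locations that make MFT-based recovery possible are stored as the data runs of a non-resident $DATA attribute. As an added example (not from the original module), this Python decodes a run list, reassembles the file content from a volume image, and checks each cluster against $Bitmap so that clusters already handed to a newer file are reported rather than silently trusted. The 64-cluster image, its 512-byte cluster size, the run bytes and the file content are all constructed sample data.

```python
def decode_data_runs(runs):
    """Decode a $DATA run list into (first_cluster, cluster_count) pairs.
    Each run starts with a header byte: low nibble = size of the length field, high nibble = size of
    the offset field. Offsets are signed and relative to the previous run; offset size 0 means sparse."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:  # a zero header byte terminates the list
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((None, length))             # sparse run: no clusters on disk
        else:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            out.append((lcn, length))
    return out

def cluster_in_use(bitmap, lcn):
    """$Bitmap holds one bit per cluster, least significant bit first; 1 = allocated."""
    return bool((bitmap[lcn >> 3] >> (lcn & 7)) & 1)

def recover_file(image, runs, real_size, bitmap, cluster_size):
    """Reassemble a deleted file from its data runs; also report clusters $Bitmap says were reallocated,
    because their content may already belong to a newer file."""
    data, reused = bytearray(), []
    for lcn, count in decode_data_runs(runs):
        if lcn is None:
            data += bytes(count * cluster_size)
            continue
        for c in range(lcn, lcn + count):
            if cluster_in_use(bitmap, c):
                reused.append(c)
            data += image[c * cluster_size:(c + 1) * cluster_size]
    return bytes(data[:real_size]), reused

# Constructed sample volume (synthetic, not a real image): 64 clusters of 512 bytes.
CLUSTER = 512
CONTENT = ("Constructed quarterly report line\n" * 40).encode()[:1000]
RUNS = bytes.fromhex("21012000" "1101F0" "00")   # 1 cluster at LCN 0x20, then 1 cluster at 0x20 - 0x10 = 16, end
IMAGE = bytearray(64 * CLUSTER)
IMAGE[32 * CLUSTER:33 * CLUSTER] = CONTENT[:512]
IMAGE[16 * CLUSTER:17 * CLUSTER] = b"new file overwrote this cluster".ljust(CLUSTER, b"\0")  # reused since deletion
BITMAP = bytearray(8)
BITMAP[2] = 0x01                                  # bit for cluster 16 set again; cluster 32 still free
```

`recover_file(IMAGE, RUNS, 1000, BITMAP, CLUSTER)` returns the first 512 bytes intact and lists cluster 16 as reused, so an examiner knows the second half of the recovered file is not trustworthy.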

Slack Space Analysis

Slack space is the unused space within allocated clusters. It can contain remnants of previously deleted files or other data fragments.

  File Data     Actual file content
  RAM Slack     Sector padding
  File Slack    Cluster remainder

Types of Slack Space

RAM Slack (Sector Slack)

When a file doesn't fill its last sector completely, the remaining bytes are padded. In older systems, this padding came from RAM and could contain sensitive data. Modern systems typically zero-fill this area.

File Slack (Drive Slack)

The remaining sectors in the last cluster allocated to a file. This space contains whatever data was previously in those sectors - potentially fragments of deleted files.

Forensic Value of Slack Space

  • May contain portions of previously deleted files
  • Could reveal file fragments even after formatting
  • Might expose data the user thought was deleted
  • Can be used intentionally to hide small amounts of data

🔍 Slack Space Analysis

Use forensic tools like EnCase, FTK, or Autopsy to extract and analyze slack space. Keyword searches across slack can reveal evidence even when the original files are gone. Consider the cluster size - larger clusters mean more potential slack space per file.

Alternate Data Streams (ADS)

NTFS supports multiple data streams within a single file. The default stream contains the file content, but additional streams can exist invisibly.

How ADS Works

Every file has a default $DATA attribute (unnamed stream). Additional named streams can be attached using the colon syntax:

  • file.txt - accesses default stream
  • file.txt:hidden - accesses alternate stream named "hidden"

Legitimate Uses of ADS

  • Zone.Identifier - marks files downloaded from internet
  • Thumbnail cache data
  • Summary information for Office documents
  • Resource forks when copying from Mac volumes

Forensic Concerns

  • Can be used to hide malware or stolen data
  • Not visible in normal directory listings
  • File size shown doesn't include ADS size
  • Most users unaware of their existence

Always Check for ADS

Forensic tools should enumerate all data streams. In Windows, 'dir /r' lists the streams of each file, and PowerShell's Get-Item -Stream * does the same. Forensic suites like Autopsy and FTK automatically detect and display alternate data streams.

NTFS Journal ($LogFile)

The NTFS journal records all file system transactions. It's primarily used for crash recovery but provides valuable forensic information.

Journal Contents

  • File creates, deletes, and renames
  • Attribute changes
  • Directory modifications
  • Transaction timestamps

Forensic Applications

  • Reconstruct recent file activity
  • Recover file names of deleted files
  • Establish timeline of events
  • Detect anti-forensics attempts

💡 Journal Limitations

The journal is a circular log of limited size (typically 64 MB). Older entries are overwritten by new ones. On busy systems, relevant entries may be lost within hours or days. Analyze the journal early in the investigation.

📚 Key Takeaways

  • NTFS is the dominant Windows file system with rich forensic artifacts
  • The MFT contains metadata for every file including deleted files
  • Compare $STANDARD_INFORMATION and $FILE_NAME timestamps to detect manipulation
  • Deleted files can often be recovered from MFT entries and unallocated clusters
  • Slack space may contain remnants of deleted data
  • Alternate Data Streams can hide data invisibly within files
  • The $LogFile journal provides recent file system activity
  • Small resident files in the MFT have enhanced recovery potential