NTFS Concepts

Introduction

NTFS was designed for reliability, security, and support for large storage devices. Scalability is provided by the use of generic data structures that wrap around data structures with specific content. This is a scalable design because the internal data structure can change over time as new demands are placed on the file system, and the general wrapper can remain constant. One example of a generic wrapper is that every byte of data in an NTFS file system is allocated to a file. We will be discussing the concept of an NTFS file in this chapter.

NTFS is a complex file system and, unfortunately, there is no published specification from Microsoft that describes the on-disk layout. High-level descriptions of the file system components have been published, but low-level details are sparse. Fortunately, other groups have published what they think the on-disk data structures are [Linux NTFS 2004]; those structures are included in this book, and we use them to dissect a disk by hand. It should be stressed, though, that it is unknown whether the data structures presented here are exactly what exists on disk.

NTFS is standard in many Windows systems and becoming common in most of the free Unix distributions. The combination of no official specification and one dominant application that creates the file system makes it difficult to differentiate between the application-specific properties and the general properties of the file system. For example, there are other methods that could be used to initialize a file system that Microsoft does not use, and it is not clear if they should be considered "valid NTFS" file systems. Microsoft has made changes to the file system with each new release of Windows, and I have noted the differences here.




File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier
