NTFS Forensics and the Master File Table

  • Published: 8 Sep 2024

Comments • 112

  • @RingsOfSolace
    @RingsOfSolace 3 years ago +15

    Dude you just explained my textbook better than my textbook so far. I literally read for hours and this clarified everything that I was fuzzy on.

  • @krenilraj4180
    @krenilraj4180 1 month ago +1

    Thanks for making this video, it helped me understand it clearly

  • @4n6wizard
    @4n6wizard 2 years ago +2

    Thank you!! Great content, straight to the point, well explained, slow talk for better understanding, this is a 5-star video.

  • @michaelwhitlow372
    @michaelwhitlow372 7 years ago +7

    Jonathan, thanks so much for this video. I am studying Computer Forensics going for a couple of different certs, and your video has been the best on this topic by very far. I have watched it 4-5 times now and learned a lot each time. Awesome stuff Sir!

    • @MrJdude39
      @MrJdude39 7 years ago +6

      Thank you Michael. I have been teaching digital forensics and ethical hacking at Eastern Florida State College for a year and a half. I am starting a PhD in the spring in Information Assurance.

    • @bonkmaykr
      @bonkmaykr 7 years ago

      Michael Whitlow yeah this was pretty in-depth!!
      Btw nice, I didn't know you were studying that but I only came here cuz I'm a bored nerd

  • @pawsdev
    @pawsdev 2 years ago

    Great!!! I was looking for such info all day, everybody just talking and talking theory and slides, and here is useful practice, thanks a lot!!!!

  • @michaelgarvin3738
    @michaelgarvin3738 5 years ago +1

    Agree, this is the best video available on this subject. Thanks!!!

  • @TheCorei71
    @TheCorei71 5 years ago

    What you are referring to as MBR is actually VBR which starts at sector 63 usually. Rest all information is simply awesome. Thanks for making this video.

    • @MrJdude39
      @MrJdude39 5 years ago

      Thank you for the comment. This was the first video that I created for teaching when I initially bought editing equipment. I made a mistake in this video and I did not get the chance to correct the error in the video.

  • @johnenalstos4821
    @johnenalstos4821 4 years ago

    Great explanation, thanks for the great video. Very useful.

  • @ImRhys
    @ImRhys 6 years ago

    Thank you for this video Jonathan! Awesome work.

  • @pagarb
    @pagarb 2 years ago

    Very good explanation, a lot better than a course I took.

  • @o3tg2w35t
    @o3tg2w35t 9 years ago

    Fantastic stuff. Thank you very much.

  • @bonkmaykr
    @bonkmaykr 7 years ago +10

    Lol the funny thing is I'm watching this out of pure boredom and just to get out of my homework XD
    I am a true nerd

    • @MrJdude39
      @MrJdude39 7 years ago

      swiftlydoge27, the reason that you saw the "Dr. Evil" comment in the ASCII text was because one of the items you saw was most likely the MFT record for a Dr. Evil picture that is stored on this sample forensic image. I have another video where I manually recover that image by copying the hex code to a hex editor. SSDs, unlike traditional hard disks, usually save all of a file's clusters contiguously without fragmentation. Videos that have been deleted in SSD media are another matter. Usually if you recover a deleted video such as an mp4 it will not play back due to file damage incurred during the recovery process. I consulted with a forensic detective friend of mine who said the same thing.

  • @uziz8353
    @uziz8353 7 years ago +1

    Awesome video

  • @user-jx2kg2er5o
    @user-jx2kg2er5o 7 years ago +1

    Definitely one of the best videos I've seen. You should come teach my professor how to teach hahaha. Thank you so much for posting it, and thank you even more for using Kali as I can easily follow along.

  • @likestomeasurestuff3554
    @likestomeasurestuff3554 6 years ago

    Very educational, thank you for providing this video

  • @kso35
    @kso35 4 years ago

    Hello Jonathan, I am a new follower. I hope you continue making more videos. I am a DFIR major, and appreciate your content. Thank you!

    • @MrJdude39
      @MrJdude39 4 years ago +1

      Thank you for your kind words. If you don't mind my asking, where are you getting your degree? Is this a masters or a B.S.? I just completed my PhD in Information Assurance last month and I am hitting the job market now in this rather poor COVID environment. My ideal job would be to get sponsors and I would spend all of my professional time producing videos. As a newly-minted doctor my research has been more focused in machine learning and social network analysis.

    • @kso35
      @kso35 4 years ago

      @@MrJdude39 To be specific, I am about done with my A.S. in Cybersecurity, then I will start on my B.S. in Cybersecurity with EC-Council. Did you achieve a B.S. in the same field or a different field of study? I have been doing quite a bit of job searching and see more jobs for individuals with either a computer science B.S. and/or with 5+ years experience. Congratulations on completing your PhD! I would be interested to know what that was like with regard to Information Assurance.

    • @MrJdude39
      @MrJdude39 4 years ago

      @@kso35 I used to teach a class in Digital Forensics at Eastern Florida State College. It was part of a two-year degree program in cybersecurity. In my experience, most organizations are not going to hire someone to cyber analyst or practitioner positions unless you have at a minimum a Bachelor of Science degree, some certs (CISSP is the industry favorite), and some experience. This eventuality could be circumvented if you already know someone in a management position who will hire you. I can tell you that based on my recent experience looking at cybersecurity jobs on LinkedIn, many of them want programming skills, knowledge of cloud-based platforms like AWS, and possibly experience with systems administrator skills like active directory. During my PhD dissertation research, I used languages like R and Python to leverage machine learning algorithms. I am trying to market those skills more than I am pure cybersecurity knowledge. Cisco certs in things like firewalls are also sought after.

    • @MrJdude39
      @MrJdude39 4 years ago +1

      @@kso35 In regards to your question about Information Assurance at the PhD level, you bring to the degree what you already accumulated in your prior education. You don't really learn much new stuff in classroom teaching as a PhD student. You take some classes in gathering and analyzing data. Also you learn about how to set up different types of research based on the type of study you wish to conduct. You also do an enormous amount of reading published journal articles. My background was Digital Forensics and information systems. I really didn't have much of a background in programming or in human behavior type studies which are the basis for many IA domains of research. I have an extensive background in languages which led me to text mining, which led me to sentiment analysis, which led me to machine learning. Those three areas all to some degree fall under the umbrella of social network analysis. If you are interested in my PhD research, I just uploaded a 25 minute video that covered part of my research on my youtube channel.

    • @kso35
      @kso35 4 years ago

      @@MrJdude39 Your background is extensive, I trust your expertise and content. I cannot thank you enough for responding to my feedback. It is motivating while I sit here sifting through videos to help me with my DFIR class. Where else might we find you? LinkedIn? IG? FB? If you prefer to stay more private, I completely understand! I am looking forward to learning as much as possible from you. I think once these channels get off the ground, they really do well. I really like the Professor Messer and ExplainingComputers YT channels. :)

  • @alfonsbara9878
    @alfonsbara9878 7 years ago

    Thank you Jonathan Adkins

  • @DorivalAfonsoCardoso
    @DorivalAfonsoCardoso 1 year ago

    20:02 The offset is from the NTFS sector, ok? Not from MBR sector 0... The value needs to be multiplied by 4092... and added to the NTFS sector

  • @jameslewn1487
    @jameslewn1487 7 years ago +3

    Absolutely insane knowledge, great job, man!

    • @MrJdude39
      @MrJdude39 7 years ago +1

      James, are you taking digital forensics currently?

    • @jameslewn1487
      @jameslewn1487 7 years ago +1

      Yeah, I'm a CS student. 😅

    • @MrJdude39
      @MrJdude39 7 years ago

      My programming background is not strong. I am starting a PhD in Information Assurance in January. Python programming is going to be a part of my research. Python is very popular in digital forensics.

    • @jameslewn1487
      @jameslewn1487 7 years ago

      That's strange though, Python seems to be high level, I would never have thought about its forensics capabilities. Good luck in your studies, those are fantastic topics indeed

    • @MrJdude39
      @MrJdude39 7 years ago

      James, Python is popular due to all of the existing libraries which are ready made for forensics applications. There are libraries for network sockets, hashing, metadata extraction, and E-mail analysis, among others. If you have ever used the Kali Linux penetration testing platform, many of the tools in it are written in Python. Ruby is another popular forensic language. The Metasploit Framework is written in it. You can write exploits in Ruby.

  • @mayasfaraj2034
    @mayasfaraj2034 7 years ago

    Thank you, it is very useful info

  • @justrandom4924
    @justrandom4924 3 years ago

    Thank you sir!!

  • @hyperblackhole2105
    @hyperblackhole2105 6 years ago

    Best video out there

  • @andresmarrero2702
    @andresmarrero2702 11 months ago

    Jonathan, I took some graduate classes with you. It's a small RUclips world after all...

    • @MrJdude39
      @MrJdude39 11 months ago

      Well, hello again. I completed my PhD in Information Assurance at Nova Southeastern. I am now teaching pentesting and digital forensics at Norwich University in Vermont.

  • @djstar6320
    @djstar6320 5 years ago +3

    I'm an old man, taking a forensics class, trying to figure out my homework with an MFT parser. His PowerPoints are telling me nothing. I'm trying to figure out what to do. UGH

  • @deadpan7038
    @deadpan7038 7 years ago

    Great video, thanks! Just one correction: at 7:32 the decimal offset 48 contains the cluster number of the $MFT record... in hex it is 0x30

    • @MrJdude39
      @MrJdude39 7 years ago +1

      Thank you for the feedback. I might have misspoken during that segment while I was doing the demonstration. Thanks for pointing that out.

  • @rhainepores6796
    @rhainepores6796 4 years ago +1

    Can you help me understand what is causing the problem I have:
    Recovering orphaned file
    Correcting index $130

    • @MrJdude39
      @MrJdude39 4 years ago

      The easiest way that I know of how to recover an orphaned file would be to do a generic search by file type, i.e. .doc, .txt, .jpg, .mp3, etc. That will still take some time, but at least a search algorithm will know what it is looking for. If you try looking for an orphaned file simply using fragments of addressing information, it will truly be looking for a needle in a haystack. If you know what file type it is, the search algorithm will perform a file recovery by hexadecimal header tag (magic number).

  • @alro7779
    @alro7779 3 years ago

    Is there a way to fix a damaged image due to an interrupted partition process? I have an entire folder with damaged images hoping there's a way to fix them and be able to see them again.

  • @Mike-kq5yc
    @Mike-kq5yc 1 year ago

    Hello. Is there any book that contains an introduction to filesystems and their types?

  • @TotalTech2.
    @TotalTech2. 9 years ago

    Good stuff. I am currently learning about computer forensics myself. Anywhere else where I could further my education on $MFT, orphaned data and run lists? I would really appreciate it if you could point me in the right direction.

    • @MrJdude39
      @MrJdude39 9 years ago +1

      Arenzoj, Right now there are two textbooks that I know of which go into detail on the structure of NTFS. The first one is "File System Forensics" by Brian Carrier. The second one is "Forensic Computing" by Tony Sammes and Brian Jenkinson. Other than that you must consult any number of online references for NTFS. The problem with this study is that you have to study a number of different versions of NTFS. If you are using Windows 8.1 chances are that you are using NTFS v3.1. If you are using an earlier version of Windows then some of the hex coding will vary. I am currently putting together a forensic reference chart using Visio because I grow tired of having to refer to multiple sources for reference. I would suggest acquiring the two texts that I mentioned previously and also joining a technical blog where you can ask questions. I have done this recently when I was doing research on the Volume Boot Record and found it to be very useful.


  • @gaf5098
    @gaf5098 6 years ago

    Hi and thanks a lot for this very informative video on the MFT. There's one thing I wonder about: In your explanation you show that the MFT is located between the boot sector and the file system data area. In the last example you show from WinHex, the file data you searched lies BEFORE the MFT. Can you clarify this a little more, please?

    • @MrJdude39
      @MrJdude39 6 years ago +1

      The file data could be anywhere on the disk (almost anywhere). The master file table provides the memory address information for the clusters where they are stored. If you are searching through a traditional hard disk drive, the clusters might be fragmented, meaning that they could be scattered about the disk in multiple locations. If you are dealing with flash memory, usually all of the clusters are contiguous. There are also two copies of the MFT. I hope that this answers your question.

  • @venupalla5758
    @venupalla5758 3 years ago

    If I create a new mp3 file on 12/08/2021 from an old mp3 file (created on 15/07/2021) using the VLC tool, will the new file have the same Create timestamp details as the original, or the present date, in the MFT table?

  • @icoscx
    @icoscx 8 years ago

    Thank you for the video! Please do one for FAT32 or Ext4

    • @MrJdude39
      @MrJdude39 8 years ago

      +icoscx Thank you for the compliment. I am currently finishing my EnCase Certified Examiner cert. Next, I will be working on a Scott Moulton physical forensic data recovery course and certification. I will see what I can do, but my schedule is rather hectic right now. I teach Digital Forensics at a State College, so part of the course covers file system forensics, which is what this video is. If you are interested, I have other forensics videos hosted at another server.

    • @icoscx
      @icoscx 8 years ago

      +Jonathan Adkins I would appreciate it if you'd share the videos.

    • @MrJdude39
      @MrJdude39 8 years ago

      +icoscx Here is a link to one of the videos that I did for my digital forensics class. If you click on my name it will take you to the rest of the videos.
      vimeo.com/155712600

  • @TotalTech2.
    @TotalTech2. 9 years ago

    Is the money better in network forensics or regular forensics? I am wondering whether I should stop at "regular" forensics or really specialize in network forensics to stay ahead of the curve

    • @MrJdude39
      @MrJdude39 9 years ago

      Arenzoj I teach at a state college and I am earning certifications so that in a year or so I can start my own consulting business. What you choose to specialize in will depend in part on what your interest is. There are three fundamental niches in Digital Forensics. These are 1) Data/Evidence Recovery, 2) Network/Internet Forensics and 3) Malware Analysis. Within these three fundamental areas there are a plethora of sub-specialties that you can choose. Which ones earn more money will depend on the area where you live. Everyone that I know of in this field eventually falls within one of these three areas when they find work. It is good to know a little something about all of these things, but it is impossible to be an expert in all of them.
      I did graduate research in the area of data recovery, but I really enjoyed network forensics, so I pursued that for a couple of years. Now that I am teaching, I am primarily back with evidence recovery. I will be using EnCase and Cellebrite as part of a curriculum that will include a detailed look at hexadecimal codes. To do well in the area of Malware Analysis, you need to have a good background in computer science, i.e. programming, assembly, etc. I have done some basic work with the virus/malware field, but I don't have the tools or know-how to work with fuzzers and disassemblers.
      I don't know what your academic history is, but I would suggest getting an undergraduate degree in an I.T. related field and then enrolling in a forensics Masters program. Most of the detailed studies that you desire take place at the graduate level. From there, select industry certifications, i.e. CompTIA, EC-Council, Cisco. The job market where you are will tell you what kind of jobs are available. Aside from law enforcement and a few very small security firms, nobody is hiring for my line of work. The closest I could find were Cisco network analyst jobs at Grumman and Harris. I plan to teach, both online and face to face, and start my own consulting business.

    • @TotalTech2.
      @TotalTech2. 9 years ago

      Jonathan Adkins Since we seem to be talking on the regular, I will tell you a little about myself as well. My background is in law enforcement. I got a degree in criminal justice from a state college and decided to be a cop, but it wasn't for me. From there I went into private investigation and my company said it could really use a digital forensic guy, so I decided to go and get a few certifications. Once I complete my current certification I plan to go back to law enforcement for 2-3 years to get experience and then back to the private sector to eventually start my own private investigative company with a focus on digital forensics. Our talk has been very informative. Up until now I really thought I would have to master all 3 areas; it's good to know that being an expert in one area is sufficient.

    • @MrJdude39
      @MrJdude39 9 years ago

      Arenzoj Thank you for the brief biography. If you don't mind my asking, where are you serving in law enforcement? After hearing what you just stated, I would suggest that you focus on the evidence/data recovery side of the house. Private investigators and detectives aren't going to be called upon to investigate most network related crime, nor are they going to be involved in malware analysis. All three niches DO however cross over on occasions. An example of this would be network related voyeurism.
      Based on your basic profile, here is what I would suggest as a course of study. If you do not have the time to do a full academic immersion in this area or a masters degree, you should take some vendor specific training. In order to do forensic work as a detective you will need to invest in a number of tools if you wish to work in this field. At a bare minimum I would suggest investing in a tool like Cellebrite. With this tool you can extract data from mobile devices, everything from older handsets to smartphones and tablets. Cellebrite's Physical Analyzer software will allow you to examine all of the contents of the devices. As a detective you will most likely be dealing with devices of this nature. If you get the full package, it will cost your firm around 14K, which is why I call it an "investment." This is the same tool that most law enforcement and data recovery shops use. As far as the training, Cellebrite has web-based training for up to advanced users.
      If you are only looking for generic training, I would suggest EC-Council's "Computer Hacking Forensic Investigator" certification. That cert is focused more on the law enforcement angle of forensics. You can get a full training and testing package for a little over $1000 or so from EC-Council. If you plan on pursuing forensics as a job, then you will have to invest in some of the tools to do the job, otherwise there is no point in doing it.

    • @TotalTech2.
      @TotalTech2. 9 years ago

      Jonathan Adkins I am not in sworn law enforcement anymore; however, when I was, I was in North Carolina, but now I'm in Washington DC. Yes, tools can be pretty expensive. To be honest with you, EnCase 7 looks a bit more attractive. I hear really mixed things: on one hand previous versions of EnCase had some crashing problems, however that $3k price does look really good for a starting price and they say that EnCase is the industry standard today. I am sure that Cellebrite is a better, more all-inclusive tool and in the long run I will probably eventually get both. But do you think EnCase would be sufficient for someone just setting up shop? I have looked into EC-Council CHFI. It seems pretty good and not too difficult from what I can initially tell. I am currently working on a cert but that will most likely be the next one that I get

    • @MrJdude39
      @MrJdude39 9 years ago

      Arenzoj You will need both EnCase AND Cellebrite to have a full working forensics shop. EnCase is primarily for desktop and laptop computers. It has a mobile forensics module that you can purchase separately, but it is clunky at best. Law enforcement does not use it. You would also have to purchase all of the adapters for the phones that you would be extracting data from. As a detective who specializes in digital forensics, you would need to have the capability to do the whole spectrum of device types. I had suggested Cellebrite, because more than likely you will run into a larger number of phones and smaller devices because that is what people carry with them every day. Even if you have EnCase, you will also have to acquire write blockers, along with cables that can facilitate the data transfer. You will also need to have at least one workstation that is forensically sound and is fast enough to do this kind of work. That 3K will only get you the EnCase license and nothing else. That will not get you very far. At a minimum, a police forensic shop will have one FRED workstation. One license of EnCase. They also have another third party verification tool such as FTK for validation of findings. They usually have at least one Tableau hard drive duplicator. They have a write blocker (although the latest FRED workstations have the write blocker built into them). Then they have a full Cellebrite kit. The kit comes with the extraction device and all of the necessary cables for the known mobile devices. If you can only go with one option or the other to start with, in my humble opinion, you should go with the Cellebrite UFED and the Physical Analyzer software. You will find it much more difficult to deal with mobile devices using an EnCase solution.

  • @lancervi1762
    @lancervi1762 6 years ago

    I can't figure out how to count how many entries are in the $MFT. I don't want to have to manually count how many "FILE0"s there are. Is this reported anywhere in the file system? How many records are in the $MFT?

    • @MrJdude39
      @MrJdude39 6 years ago +1

      Hello Lancer, I do not know of an easy way to extract the total number of MFT records in a volume. There are tools which allow you to interface with data structures like the master file table, the master boot record, the volume boot record and others. Here is one such tool: www.disk-editor.org/
      There are also some DOS-based command line tools which can extract information about the MFT. You might also leverage a language such as Python or C++ to accomplish the task that you ask. Records get created, updated, and eventually overwritten when the associated file is deleted and the space is marked as available to the operating system.
      I have spent the last two years working on a PhD in Natural Language Processing and machine learning so I have not been actively working in evidence recovery. I hope this helps you with your question.

    • @lancervi1762
      @lancervi1762 6 years ago

      @@MrJdude39 thank you for the response and a great video. It helped me greatly.

  • @antonioC7389
    @antonioC7389 1 year ago

    Hi. How can I fix a corrupted MFT? Windows 10 starts, but when it's on the desktop I can hardly do anything: open a folder, run a program, etc. Thank you

  • @alexooi3488
    @alexooi3488 9 years ago

    Hi Jonathan, thanks for creating this video to explain what the MFT is. I had a portable HD with a corrupted MFT. Tried chkdsk on cmd but it couldn't work. Also tried to clone the faulty HD to another HD and perform data recovery using software. I desperately want to recover the data because I need the photos inside for my wedding. Please help. Thank you.

    • @MrJdude39
      @MrJdude39 9 years ago +1

      +Alex Ooi Hello Alex. Even though you can't access the data on the hard drive, does your computer at least assign it a drive letter? If it does, you can create a forensic image of the hard drive using FTK Imager. You could then use a free forensic tool like Autopsy to recover your photos.
      Every computer is supposed to have two copies of the Master File Table. Did both MFT copies get corrupt on your drive?
      There is another tool with a free 30 day trial called "ISO Buster" which can do data carving of image files and drives that are having file system woes. ISO Buster uses data carving, so it doesn't need the Master File Table. Here is the link: www.isobuster.com/download.php

  • @sisbrawny
    @sisbrawny 5 years ago

    3:26 - I'm not an expert, but it's my understanding that the dozens of secure erase programs overwrite data with random data or 1's/0's... How can anyone know that a "file existed" if you overwrite every trace of it, which presumably obliterates the MFT?

    • @MrJdude39
      @MrJdude39 5 years ago +1

      This tutorial is not going on the assumption that you overwrote the entire disk before trying to examine it. If you did overwrite every sector with ones and zeroes, the MFT would in fact also be removed. I don't believe I made that claim in the video. You can prove that a file existed if you delete a file and the space that it once occupied got overwritten with new material. The MFT would have a record of its existence. If you are talking about flash based memory, that changes everything, because file clusters are not stored in the same manner, and once deleted, the amount of time before those clusters get overwritten could be much quicker than with a hard disk drive.

  • @VikasKainVks
    @VikasKainVks 4 years ago

    Hello, at 13:10, what if the value of File Allocated Flag is [03 00] instead of [01 00] or [00 00]. Hope you understand the query. Thanks.

    • @MrJdude39
      @MrJdude39 4 years ago +2

      Hello. Thank you for the question. The codes may change with different/later versions of the Windows file system, but here are the four general codes as I am familiar with them. A "00" code is a deleted file. A "01" is a file in use. A "02" is a deleted folder. A "03" is a folder in use.

    • @VikasKainVks
      @VikasKainVks 4 years ago

      @@MrJdude39 Thank you for your response... really helpful.

    • @ryanharrison3771
      @ryanharrison3771 4 years ago

      @@MrJdude39 Offset 23 will always be 0x00. 0x02 and 0x03 are directory and consistent with offset 22.

  • @JcBthug
    @JcBthug 5 years ago

    Great video!! Excellent explanation, I just wanna know... how do you convert the FA 04 to decimal?

    • @MrJdude39
      @MrJdude39 5 years ago +1

      Thank you, gazuza28. You can use your Windows calculator to convert hexadecimal to decimal. Simply change the calculator type to "Programmer" and enter the hex value, i.e. FA 04. The calculator will show you the equivalent values in decimal, octal, and binary. FA 04 is 64,004 in decimal.

    • @JcBthug
      @JcBthug 5 years ago

      Jonathan Adkins Thanks!!! And another little question... how do you know FA 04 is equal to 1274 clusters?

    • @MrJdude39
      @MrJdude39 5 years ago +1

      @@JcBthug The size of a cluster is usually 4096 bytes per cluster, which in hex is 1000. The cluster size can be changed manually but it is almost always left at the default size. You can find the cluster size in the master file table and in the volume boot record. You can also get the total number of clusters on the volume in the MFT. Long story short... if you go to the MFT to where the volume size by number of clusters is located, the value will be there in hex. If that value is 04FA, that value in decimal is 1274, which means that there are 1274 clusters on the volume. Converting between hex and decimal is a way of life if you are doing digital forensics.

    • @dheerajgadwala8874
      @dheerajgadwala8874 5 years ago

      @@JcBthug since it is supposed to be read in little endian, 04 FA = (16^3)*0 + (16^2)*4 + (16^1)*15 + (16^0)*10

    • @MrJdude39
      @MrJdude39 4 years ago

      @@dheerajgadwala8874 You are correct. I merely converted directly from hex to decimal. If you are reading the hex value directly from memory, you would read it from right to left before converting it back to decimal as little endian requires.

  • @rayz0101
    @rayz0101 5 years ago

    Great video on this topic. I was just searching up different types of hard drives and came across this gem about data management, which led me to here. I'm a complete beginner at this stuff so forgive me if this sounds dumb, but would editing the regedit not alter how a file is displayed in the MFT, or is it an unrelated process? Also for the MFT, is there no way to alter specific keys relating to crucial files or mask them as others? If there is, then how can one verify the authenticity of a file or its metadata, or if there isn't, then how secure is information once you've attempted to rectify its "deletion" by wiping the MFT? The only safe way to really kill a drive seems to be a high electric shock which renders it inert, from the sounds of this.

  • @dolbearrr
    @dolbearrr 10 months ago

    Hello mate, hope you're good. Been a while since this was uploaded but worth a shot: I am currently working on a thesis/dissertation to develop a tool to automate file recovery within NTFS. From my knowledge, utilising C and the Windows API I can achieve this, but I am unsure how I would do this on a live drive from memory? Is this possible? Sorry for your time.

    • @MrJdude39
      @MrJdude39 8 months ago +1

      Hello. I apologize for the rather late reply. I took a class with SANS last semester that covered automating cybersecurity tasks using Python. Unfortunately, I took the course live online in the middle of the semester and I ended up having one eye on my email inbox and the other on the instructor. I am not familiar with how to leverage C in order to accomplish what you are looking to develop. I do know that there are a number of libraries in Python that will do what you want. I just took a look at some of my notes from the SANS course, and you can take a look at the Python memprocfs library which will carve files from memory for you.

    • @dolbearrr
      @dolbearrr 7 months ago

      @@MrJdude39 Hi, thank you for your reply. All good. I have actually started the project in C with available libraries and it's going well so far. Had to come back to the video to figure out the MFT's location using the Logical Cluster Number; however, all the resources, including this, suggest multiplying the LCN with the Cluster Size. However, I am quite confused, as the $MFT file is located in the first cluster after the MBR/Partition Boot Sector and not in the offset = (0x40000000 (similar to the result you had in this video)). Just trying to figure out this problem at the moment. Thank you for the previous reply!

    • @MrJdude39
      @MrJdude39  7 months ago

      @dolbearrr I have found that there can be some differences in the location where artifacts such as the $MFT start depending on the brand of media that you are using. For example, I teach a section in my digital forensics class currently on file system forensics. After I have calculated the byte-level offset where a file begins, I have to determine where the starting point is to make the jump to that byte-level offset. In one case, the starting point was the beginning of the master boot record. In another case, the starting point was the very beginning of the media, i.e. offset 0000000. The moral of the story is... sometimes locations for items, forensically speaking, can depend on the brand of the media you are analyzing. One suggestion... you could use Active@ Disk Editor to identify the starting location of the $MFT and its copy. This way you have a point of reference.
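The LCN-to-offset calculation discussed in this thread, as an added example that is not part of the video or any commenter's code: it parses a constructed NTFS volume boot record, multiplies the $MFT starting LCN by the cluster size (bytes per sector times sectors per cluster), and then adds the volume's own start offset inside the disk image, which is why the answer differs depending on whether you count from the start of the disk or from the boot sector. All field values, the $MFT at LCN 4, and the partition start at sector 2048 are constructed sample data.

```python
import struct

NTFS_OEM = b"NTFS    "

def build_vbr(bps=512, spc=8, mft_lcn=4, mirr_lcn=2, clusters_per_record=0xF6):
    """Construct a minimal NTFS volume boot record (sample data, not a real disk)."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"                  # jump instruction
    vbr[3:11] = NTFS_OEM                        # OEM ID
    struct.pack_into("<H", vbr, 0x0B, bps)      # bytes per sector
    vbr[0x0D] = spc                             # sectors per cluster
    struct.pack_into("<Q", vbr, 0x30, mft_lcn)  # $MFT starting LCN
    struct.pack_into("<Q", vbr, 0x38, mirr_lcn) # $MFTMirr starting LCN
    vbr[0x40] = clusters_per_record             # signed byte; 0xF6 = -10 -> 2**10-byte records
    vbr[0x1FE:0x200] = b"\x55\xAA"              # boot sector signature
    return bytes(vbr)

def parse_vbr(vbr):
    """Decode the geometry fields; every offset returned is relative to the VBR."""
    if len(vbr) < 512 or vbr[3:11] != NTFS_OEM or vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS volume boot record")
    bps = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", vbr, 0x30)
    cpr = struct.unpack_from("<b", vbr, 0x40)[0]
    cluster = bps * spc
    record = 2 ** (-cpr) if cpr < 0 else cpr * cluster
    return {"cluster_size": cluster, "record_size": record,
            "mft_offset": mft_lcn * cluster, "mftmirr_offset": mirr_lcn * cluster}

def locate_mft(image, volume_start):
    """LCN * cluster size gives the distance from the VBR; add the volume's own
    offset in the image to get the absolute position. Returns (offset, 4-byte magic)."""
    info = parse_vbr(image[volume_start:volume_start + 512])
    abs_off = volume_start + info["mft_offset"]
    return abs_off, bytes(image[abs_off:abs_off + 4])

def build_image(volume_start=2048 * 512):
    """Constructed disk image: MBR at offset 0, NTFS volume starting at sector 2048."""
    vbr = build_vbr()
    info = parse_vbr(vbr)
    img = bytearray(volume_start + max(info["mft_offset"], info["mftmirr_offset"]) + info["cluster_size"])
    img[0x1FE:0x200] = b"\x55\xAA"  # MBR carries the signature but no NTFS OEM ID
    img[volume_start:volume_start + 512] = vbr
    for off in (info["mft_offset"], info["mftmirr_offset"]):
        img[volume_start + off:volume_start + off + 4] = b"FILE"  # MFT record header magic
    return img
```

Calling `locate_mft(build_image(), 2048 * 512)` lands on the "FILE" record header, while `locate_mft(build_image(), 0)` raises because sector 0 holds the MBR rather than the NTFS boot sector.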

  • @randeepbimbh
    @randeepbimbh 8 years ago

    Thank you for the video, sir. Can I ask you some questions? I plan to pursue the field of security and most probably forensics, since I like this field the most, and since I have this as my subject in my degree right now. It would be helpful if you shared some of your expertise with me. I plan to do certifications in CCNA (R&S and Security) and move forward with CCNP and IE (Security). I am currently doing my B.E. in CS. Also, can I ask you some questions, if I may?

    • @MrJdude39
      @MrJdude39  8 years ago

      +Randeep Bimbh Certainly. If you wish, you may e-mail me. My address is jdude35@hotmail.com . I currently just started a home training course in physical data recovery. I am learning how to recover data from damaged hard disk drives and solid state drives. When I finish that course, I plan on doing two videos for my forensics class. I teach primarily forensic data recovery and pentesting techniques.

    • @randeepbimbh
      @randeepbimbh 8 years ago

      Thank you, sir, for the email address, and I really want to ask some questions over there. But for now, can you just answer this simple question: which book would you refer me to for studying network forensics? I need to prepare for my subject "Digital Forensics", and network forensics is the only part where I am having trouble, since most of the books don't cover this topic completely. If you could help me with that, it would be helpful, sir.

    • @MrJdude39
      @MrJdude39  8 years ago

      +Randeep Bimbh I couldn't name a single book on network forensics that covers all of the essential topics. Most of my network forensics background comes from two graduate-level classes that I took during my Master's degree. One of those classes was in "Incident Response." The other course was a general survey of everything ranging from penetration testing, data packet analysis, and malware analysis. I also got my C|EH (Certified Ethical Hacker) cert. I can't name a single book because I have seen books on Incident Response, various areas of penetration testing, and books on packet analysis. If you can afford it, I would take the coursework for the C|EH. You could also find a lot of YouTube videos from Wireshark which go over packet analysis. This branch of digital forensics is so very broad that I could not suggest one book that would sufficiently cover it all. Here is one book that I found that goes over some of the fundamentals of Incident Response. It is a place to start: www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684/ref=pd_sim_14_3?ie=UTF8&dpID=51Q%2BGRGLE2L&dpSrc=sims&preST=_AC_UL160_SR127%2C160_&refRID=1H10X6EFV13SZC14SQSM
      Like I said, this field is so large that it's probably best just to pick an area and get yourself familiar with it. Study Incident Response, Packet Analysis, Kali Linux, Metasploit, Python, Malware, Pentesting.
      If you would like to ask me some more specific questions, please feel free to e-mail me.

    • @randeepbimbh
      @randeepbimbh 8 years ago

      +Jonathan Adkins Thank you for your reply, sir. And yes, I am currently learning Kali Linux, and will be doing my CCNA and NP courses (in security) within the next 6 months. Yeah, will those courses help me? Like, if I have the Cisco cert, will that help me in the forensics field?
      Yes, I have some questions which I want to ask you; I would like to mail you. But as my university exams are going on, right now I am unable to.
      Thank you for all the info you have provided me, and will provide me. :)

  • @nonapplicable9590
    @nonapplicable9590 a year ago

    Here in 2023 for a digital forensics class....

  • @TotalTech2.
    @TotalTech2. 9 years ago

    You seem to know a lot about this. Do you mind if I ask you a few questions about computer forensics?

    • @MrJdude39
      @MrJdude39  9 years ago

      Arenzoj, if you have any more questions, please feel free to ask.

    • @TotalTech2.
      @TotalTech2. 9 years ago

      Jonathan Adkins Thank you for the quick reply. I do have a few questions: 1) Which technical blogs would you recommend joining for computer forensics? 2) Is there a big difference which occurs between FAT12/16 and FAT32 during format? 3) Where would you find artifacts on a computer to determine if a removable drive was used on it?

    • @MrJdude39
      @MrJdude39  9 years ago

      Arenzoj 1) forum.hddguru.com/ This is a forum that I joined recently that has been very helpful for me. 2) FAT12 was used for floppy disks. FAT16 was originally used for older hard drives that were much smaller in size. FAT16 is still used, however, in many USB thumb drives. FAT32 came along when Windows 95 was released. One of the principal differences between FAT12, 16, and 32 is the number of bits in each directory entry. FAT12 = 12, FAT16 = 16, FAT32 = 28. The particulars of the disk geometry are defined in the boot sector of the volume, i.e. at the very beginning (absolute offset 0). I need to refresh some of my knowledge concerning the more microscopic details of FAT, as I have been spending a considerable amount of time detailing NTFS. Every time a new version of Windows is released, there are a number of changes to the hexadecimal coding that occur. I am currently in the process of creating an NTFS reference chart right now for Windows 7 and 8, since they use the same structure. Vista and XP have some differences in their Master Boot Record, Volume Boot Record, and Master File Table hex codes. The same can be said for the different kinds of FATs. I don't know if that answered your question concerning FAT, but my recovery skills in that area need to be reviewed. 3) To find out information about removable drives, you would need to examine the registry. Exactly which registry keys you need to search will depend on the version of Windows that you are using. The registry maintains a list of devices that have been mounted on the device. These would include USB sticks, digital cameras, and portable hard drives. Here is a page that can get you started... www.forensicmag.com/articles/2012/08/windows-7-registry-forensics-part-6
      Hope this assists you in your search.
      Jonathan Adkins

  • @CharlesForrest
    @CharlesForrest 7 years ago

    How many total records are found within the MFT?

    • @MrJdude39
      @MrJdude39  7 years ago

      The first 30 or so records are administrative, so they are system generated. After that, it depends on how many files and folders a user has on his/her computer. It is also possible for records to eventually become overwritten by the file system.

    • @CharlesForrest
      @CharlesForrest 7 years ago

      Thanks

  • @alanharper5087
    @alanharper5087 4 years ago

    Referring to the data structure in the video as the Master Boot Record is incorrect. The data structure shown in the video is really the Volume Boot Record, or VBR. The VBR is the first sector of an NTFS-formatted volume. The MBR is the first sector of the disk. The author's description of the fields in the VBR is correct, but he should refer to the data structure by its correct name.

    • @MrJdude39
      @MrJdude39  4 years ago

      Thank you for your comment. I have answered this issue a number of times in the comments section. This was the first video that I did when I started teaching and I made a mistake during the recording of the video. I am currently working on a PhD, so I do not have the time to go back and remake or edit this video. When you make a mistake during a live lecture, you can correct yourself on the fly. When you put it in video format, it is preserved, unfortunately.

  • @Hsfgd08
    @Hsfgd08 3 years ago

    NTFS MFT defrag is often not really useful.