The NTFS File System

GIAC Certified Forensic Examiner Objective:

Fundamental Digital Forensics

  • The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.

Overview

This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.

This lab investigates the New Technology File System (NTFS), one of the file systems most commonly used by the Microsoft Windows operating system. NTFS is robust and includes many useful features, such as the ability to set security permissions on files and folders.

OUTCOMES:

In this lab, you will learn to:

  1. Examine the NTFS file system
  2. Use a hex editor to explore an NTFS partition
  3. Verify and view the image details
  4. Analyze an NTFS partition with Autopsy

Key terms and descriptions

NTFS
The acronym NTFS stands for New Technology File System. NTFS was originally introduced with Windows NT. NTFS is a journaling file system, which means it keeps a log of changes being written to the disk; if a computer is shut down improperly, a journaling file system gives it a better chance of recovery. File and folder access can be restricted with the security (permissions) feature of NTFS. Starting with Windows 2000, Microsoft included the Encrypting File System, or EFS, as an NTFS feature. EFS allows users to encrypt files to protect against unauthorized access.
EFS
A feature of the NTFS file system that allows you to encrypt files and folders. The feature became available on NTFS starting with Windows 2000 and is still available today on Windows 10 and Server 2016.
ADS
An Alternate Data Stream, or ADS, is a feature of the NTFS file system that was originally added for compatibility with older versions of the Mac OS. Because a file's alternate streams are not shown in a standard directory listing, the feature can be used by an individual attempting to hide data on an NTFS volume.
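Because alternate streams are hidden from a normal directory listing, an examiner needs to enumerate them explicitly. The following PowerShell function is an added example (not part of the lab) that lists every non-default stream under a directory; it assumes PowerShell 3.0 or later on Windows, where Get-Item supports the -Stream parameter on NTFS volumes, and the path C:\Users is only a placeholder.

```powershell
# Added example (not part of the lab): enumerate alternate data streams under a path.
# Assumes PowerShell 3.0+ on Windows; -Stream works only on NTFS volumes.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is written by browsers on downloaded files; skip it unless asked.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every named stream; ':$DATA' is the file's normal content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Stream    = $_.Stream
                        Bytes     = $_.Length
                        # Host file's modified time, useful when correlating with timestamp changes
                        LastWrite = $file.LastWriteTime
                    }
                }
        }
}

# Usage: list every non-default stream under a placeholder path, largest first.
Find-AlternateDataStreams -Path 'C:\Users' |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

A stream larger than a few hundred bytes that is not Zone.Identifier is worth opening with `Get-Content -LiteralPath <file> -Stream <name>` during the examination.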
timestomp
The timestomp command allows you to change a file's Modified, Accessed, and Created (MAC) times. The command can only change MAC times on an NTFS volume.
$MFT
The Master File Table is essentially the table of contents of an NTFS volume: it holds a record for every file and folder on the volume.