The New Technology File System (NTFS) is a file system developed by Microsoft and has been the primary file system used by Microsoft Windows for quite some time. NTFS keeps its metadata in a number of system files. One tool the Sleuth Kit provides for examining that metadata is the istat command, which reports a great deal of information about a single entry. But before we get to istat, let's use the mmls command and take a look at our partitions.
$ mmls nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0020948759 0020948697 NTFS (0x07)
03: ----- 0020948760 0020971519 0000022760 Unallocated
Remember that when working with the Sleuth Kit's file-based commands we need to point them at the correct partition (by its offset) and inode number. So let's look at the istat command.
$ istat -o63 nps-2008-jean.E01 4577
MFT Entry Header Values:
Entry: 4577 Sequence: 1
$LogFile Sequence Number: 20517559
Allocated File
Links: 1
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 279 (S-1-5-32-544)
Created: 2008-05-13 18:21:17 (EDT)
File Modified: 2008-05-13 18:21:17 (EDT)
MFT Modified: 2008-05-13 18:21:17 (EDT)
Accessed: 2008-05-13 18:21:17 (EDT)
$FILE_NAME Attribute Values:
Flags: Archive
Name: mdmati.PNF
Parent MFT Entry: 45 Sequence: 1
Allocated Size: 0 Actual Size: 0
Created: 2008-05-13 18:21:17 (EDT)
File Modified: 2008-05-13 18:21:17 (EDT)
MFT Modified: 2008-05-13 18:21:17 (EDT)
Accessed: 2008-05-13 18:21:17 (EDT)
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $FILE_NAME (48-2) Name: N/A Resident size: 86
Type: $DATA (128-3) Name: N/A Non-Resident size: 77752 init_size: 77752
1227963 1227964 1227965 1227966 1227967 1227968 1227969 1227970
1227971 1227972 1227973 1227974 1227975 1227976 1227977 1227978
1227979 1227980 1227981
We can see that istat is run with an image offset of 63 (in sectors, the start of our NTFS partition as reported by mmls) and inode number 4577. So where does this command get this information from? It is pulled from the system file $MFT, the Master File Table. The MFT is a file which stores its data in raw form. We are going to look at this raw data in my next post, but let's prepare our system first.
Hexadecimal, or hex, is a common way to review stored data and is how we will be reviewing the Master File Table. I have written a blog post on what hex is here. Let's prepare a file that we can easily open with a hex editor or viewer later on.
$ icat -o63 nps-2008-jean.E01 0 > mft.raw
We have just created a file called mft.raw, a copy of the $MFT (MFT entry 0) from our E01 image, which we can review with a hex editor. We have used hd in the past but let's use something a little more powerful.
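The istat output above is nothing more than a decoded 1024-byte FILE record from the $MFT we just copied out. The following parser is an added example (my own code, not part of the original post or of the Sleuth Kit): it applies the update sequence fixups, walks the attribute list, and decodes $STANDARD_INFORMATION, $FILE_NAME and a non-resident $DATA run list. Since the post does not include the raw bytes of entry 4577, the sample record is constructed in build_sample_record() to match the values istat printed (names, sizes, timestamps and cluster run are taken from that output; the update sequence number 7 and the zero padding are assumptions).

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512                       # typical fixed MFT record size
SI, FN, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF       # attribute type codes, end-of-list marker
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)      # NTFS times: 100 ns ticks since 1601 UTC

def ft2dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def dt2ft(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    # NTFS replaces the last 2 bytes of each sector with the update sequence number (USN) and keeps
    # the real bytes in the update sequence array; a mismatch means a torn write or corruption.
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % i)
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_runs(buf):
    # Run list: header byte = (offset byte count << 4) | length byte count; offsets are signed deltas.
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:
            lcn += int.from_bytes(buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, count))  # None marks a sparse run with no clusters
        pos += 1 + len_sz + off_sz
    return runs

def times(cr, mo, mm, ac):
    return {"created": ft2dt(cr), "modified": ft2dt(mo), "mft_modified": ft2dt(mm), "accessed": ft2dt(ac)}

def parse_standard_information(c):
    f = struct.unpack_from("<QQQQI", c, 0)
    info = dict(times(*f[:4]), flags=f[4])
    if len(c) >= 56:                                   # 72-byte form also carries owner/security ids
        info["owner_id"], info["security_id"] = struct.unpack_from("<II", c, 48)
    return info

def parse_file_name(c):
    parent, cr, mo, mm, ac, alloc, real, flags, _rp, nlen, _ns = struct.unpack_from("<QQQQQQQIIBB", c, 0)
    return dict(times(cr, mo, mm, ac), name=c[66:66 + 2 * nlen].decode("utf-16-le"),
                parent_entry=parent & 0xFFFFFFFFFFFF, parent_sequence=parent >> 48,
                allocated_size=alloc, actual_size=real, flags=flags)

def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    lsn, seq, links, first, flags = struct.unpack_from("<QHHHH", rec, 8)
    entry = dict(entry=struct.unpack_from("<I", rec, 44)[0], lsn=lsn, sequence=seq, links=links,
                 allocated=bool(flags & 1), directory=bool(flags & 2), attributes=[])
    off = first
    while off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == END or alen == 0:
            break
        attr = {"type": atype, "id": struct.unpack_from("<H", rec, off + 14)[0], "non_resident": bool(nonres)}
        if nonres:                                     # sizes and run list live in the 64-byte header
            run_off = struct.unpack_from("<H", rec, off + 32)[0]
            attr["allocated_size"], attr["actual_size"], attr["init_size"] = struct.unpack_from("<QQQ", rec, off + 40)
            attr["runs"] = parse_runs(rec[off + run_off:off + alen])
        else:                                          # resident content follows the 24-byte header
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            attr["size"] = clen
            attr.update(parse_standard_information(content) if atype == SI else
                        parse_file_name(content) if atype == FN else {})
        entry["attributes"].append(attr)
        off += alen
    return entry

def clusters(runs):
    return [lcn + i for lcn, count in runs if lcn is not None for i in range(count)]

def iter_records(path):                                # e.g. iter_records("mft.raw")
    with open(path, "rb") as f:
        while chunk := f.read(RECORD_SIZE):
            if chunk[:4] == b"FILE":
                yield parse_record(chunk)

# ---- constructed sample: a record shaped like istat's output for entry 4577 (not bytes from the image)
def resident(atype, aid, content):
    n = (24 + len(content) + 7) & ~7                   # attributes are 8-byte aligned
    return struct.pack("<IIBBHHHIHBB", atype, n, 0, 0, 24, 0, aid, len(content), 24, 0, 0) + content.ljust(n - 24, b"\0")

def build_sample_record():
    t = dt2ft(datetime(2008, 5, 13, 22, 21, 17, tzinfo=timezone.utc))   # 18:21:17 EDT
    si = struct.pack("<QQQQIIIIIIQQ", t, t, t, t, 0x20, 0, 0, 0, 0, 279, 0, 0)            # 72 bytes
    fn = struct.pack("<QQQQQQQIIBB", (1 << 48) | 45, t, t, t, t, 0, 0, 0x20, 0, 10, 3) + "mdmati.PNF".encode("utf-16-le")
    runs = bytes([0x31, 0x13]) + (1227963).to_bytes(3, "little") + b"\0"  # 19 clusters from LCN 1227963
    data = struct.pack("<IIBBHHHQQHHIQQQ", DATA, 72, 1, 0, 64, 0, 3, 0, 18, 64, 0, 0, 19 * 4096, 77752, 77752) + runs.ljust(8, b"\0")
    attrs = resident(SI, 0, si) + resident(FN, 2, fn) + data + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 20517559, 1, 1, 56, 1, 56 + len(attrs), RECORD_SIZE, 0, 4, 0, 4577)
    rec = bytearray((hdr + struct.pack("<HHH", 7, 0, 0)).ljust(56, b"\0") + attrs).ljust(RECORD_SIZE, b"\0")
    for i in (1, 2):                                   # stash sector tails in the array, write the USN (7) over them
        rec[48 + 2 * i:50 + 2 * i], rec[i * SECTOR - 2:i * SECTOR] = rec[i * SECTOR - 2:i * SECTOR], b"\x07\x00"
    return bytes(rec)
```

Run parse_record(build_sample_record()) to see the same entry, sequence, link count, $LogFile sequence number, security ID, timestamps (in UTC rather than EDT) and cluster list that istat printed, or feed the real extract with iter_records("mft.raw"). Two details matter for a forensic parser: the fixup check, which refuses a record whose sector tails do not carry the update sequence number instead of silently decoding a torn or tampered entry, and the $FILE_NAME timestamps, which are a separate copy from $STANDARD_INFORMATION and are worth comparing when timestamps look suspicious.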
$ sudo apt-get install ghex
Alright, we have prepared our system to review the copy of the $MFT that we created. I am not going to get into manually parsing this right now, but if you are interested in viewing the contents of this file now you can use the following command:
$ ghex mft.raw
We will review this further in the next post. Until next time, ENJOY!