Notifications
Clear all

NTFS Filesystem

3 Posts
3 Users
0 Likes
963 Views
(@mhibert)
Posts: 12
Active Member
Topic starter
 

Guys, could you please direct me what books and documentation i can read to deeply dive in understanding of NTFS filesystem?

Thank you!

 
Posted : 06/11/2017 12:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

NTFS is a "bad beast", largely undocumented (and partially mis-documented).

Besides the (obvious)
http//www.ntfs.com/ntfs_basics.htm

And the reknown books by Brian Carrier and the Windows Internals by David A. Solomon Mark E. Russinovich and Alex Ionescu, to have some understanding of the way it works, to delve deeper the best thing is IMHO to "dirty one's hands" by using (and perusing) Joakim Schicht's tools
https://github.com/jschicht?tab=repositories
and the Linux (third party) tools implementation.

Once you will have become familiar with the structures and their functioning (and parsing) , you will be able to find on the Internet (including here on Forensic Focus) specific pages/resources for specific aspects, particularly (but not only) related to Forensics.

You will soon learn how there are two very different aspects of NTFS analyzing/parsing, one related to the filesystem itself, and the other one related on how (sometimes "queerly") different versions of Windows (and related programs) actually use (or abuse) the NTFS, the latter being (still IMHO) the most complex part.

jaclaz

 
Posted : 06/11/2017 3:26 pm
JimC
 JimC
(@jimc)
Posts: 86
Estimable Member
 

NTFS can be an intimidating file system to learn because much of it is officially undocumented and there are consequently many dark corners that are not well understood. However, the basics are pretty simple and once you have grasped them most aspects of the file system follow a similar pattern.

The heart of NTFS is the Master File Table. This contains a record for every file in the file system. Each record is composed of several "attributes" which describe the file. Some attributes are ubiquitous whilst others are rarely used. If you learn the structure of the MFT and the common attributes (especially $FILE_NAME and $STANDARD_INFORMATION) you will be a long way there.

I would suggest starting the little "official" documentation that is available from Microsoft

https://msdn.microsoft.com/en-us/library/bb470206(v=vs.85).aspx

Then reading the excellent book by Sammes and Jenkinson

Forensic Computing A Practitioner's Guide

and then complementary analysis by Brian Carrier

File System Forensic Analysis

Finally, you may find the cheat sheet by Michael Wilkinson useful

NTFS Cheat Sheet

If you have any more difficulties post back here. I'm sure lots of people will help answer more specific questions.

Jim

www.binarymarkup.com

 
Posted : 07/11/2017 9:39 am
Share: