Windows File system

Overview
Understand file system Explore Microsoft disk structures Examine NTFS disks Understand Microsoft boot tasks Understand MS.DOS start up tasks

Understanding File systems

File system provides an OS with road map to the data on the disk Type of file system an OS uses determines how data is stored on the disk File system is directly related to OS

Understanding Boot sequence

CMOS complementary metal oxide semiconductor BIOS Basic Input/ output system The computer stores system configuration and date and time information in the CMOS when the power is off The Bios contain the programs that perform the input/output at the hardware level To avoid altering the evidence data on a windows/Dos PC, accessing the BIOS and CMOS settings is essential

Understanding Boot sequence

A booting to a hard disk overwrites and changes evidentiary data. Ensure that a computer looks for system information in drive A: by accessing the CMOS setup Monitor the subjects computer during the initial bootstrap to identify the correct keys to use to access the CMOS setup The bootstrap is contained in the ROM and tells the computer how to proceed As the computer starts, the screen usually displays the key/keys to press to open the CMOS setup screen. Eg: Popular BIOS uses DEL key as the system starts to access the CMOS- others Ctrl+Alt+Ins; Ctrl+A; Ctrl+S; Ctrl+F1; F2; F10

Understanding Boot sequence

On the CMOS setup screen the boot sequence for subject computer can be checked If necessary this can be changed there by the OS accesses drive A: before any other boot device on subjects computer Booting to hard disk overwrites data and changes evidentiary data

Examining FAT Disks

The FAT is original file structure database that Microsoft designed for Floppy disk FAT is used on file systems prior to windows NT and 2000 FAT database contains Filenames, directory names, date and timestamps, the starting cluster number, and attributes (archive, hidden, system and read only) of files on the disk PCs uses FAT to organize files on a disk so that the OS can find the files it needs FAT typically written to the outermost track on the disk.

Examining FAT Disks

There are 3 versions of FAT
FAT 12 FAT 16 FAT 32 and VFAT

FAT 12, FAT 16 , FAT 32

FAT 12- is used in Floppy disk- limited amount of storage FAT 16 - MS OS 3.0 WIN 95, - supports storage capacity up to 2.02 GB FAT 32 disks larger than 2 GB , (win 95, 98, ME, 2000 and XP) Fat 32 can handle upto 2 terabytes of data. One can have multiple partitions in FAT 16, FAT 32 or NTFS Clusters vary according to the size of hard disk and the file system

Drive Size 256 511 MB 512 1 GB 1-2 GB 2-8 GB 8-16 GB 16-32 GB More than 32 GB

No of Sectors 16 32 64 8 16 32 64

FAT 16 8 KB 16 KB 32KB N/A N/A N/A N/A

FAT 32 4 KB 4KB 4KB 4KB 8KB 16KB 32KB

Microsoft operating system allocate disk space for files by clusters This results in drive slack which is any space not used for active files Drive slack includes RAM slack and file slack Eg: Text doc contains 5000bytes of data in 1.6 GB HDD FAT 16 OS will reserve 1 cluster ( for a 5000bytes file) OS allocates 32000bytes or 64 sectors 1 sector = 512 bytes therefore for 64 sectors 64 x 512 = 32768 bytes The file uses upto 10 sectors or 5120 bytes Remaining 27,648 bytes is file slack space

EOF

RAM slack

End of 10th sector

File slack

64 sectors x 512 bytes = 32,768 bytes

 Purpose of so much space is to minimize fragmentation OS adds the extra data to the end of the file It lets file expand to this assigned cluster until it consumes the remaining reserved 27,000 bytes of space When you run out of space, the OS allocates another cluster for your file

Deleted Files
FAT Function is to record the physical location of the files on surface of the hard disk platter Eg: a file named Bank.doc is stored in C45, S67, H89 the file is saved to this location and when it is needed again the location is read from the FAT and data is retrieved from the relevant data of the hard disk surface

Deleted Files
When a file is deleted the first letter of the file name is overwritten and permanently lost but the pattern of magnetic particles in which the data is recorded is not immediately overwritten. The are is however marked as being available for another file to use and once this happens the data is permanently lost

Deleted Files
When a file is deleted The first letter is overwritten Location of the information remains Area occupied on the platter is marked as available Pattern of particles remains on platter
File name Bank letter.doc Graphic.jpg preadsheet. doc Location C64S89H5 C98S67H9 C38S45H2

NTFS
NTFS - New Technology File System designed for Windows Vista, XP, 2003, 2000. NTFS supports file-level security, compression and auditing. It also supports large volumes and powerful storage solution such as RAID. The most important new feature of NTFS is the ability to encrypt files and folders to protect your sensitive data.

NTFS
NTFS offers significant improvements over older FAT NTFS provides much more information about a file- including security features, file ownership, and other attributes of a file NTFS offers more control over files and folders In NTFS everything written to the disk is considered a file

NTFS
On NTFS disk, the first data set is the Partition Boot Sector [PBS] The PBS starts @ sector 0 of the disk and can expand up to 16 sectors Immediately after the PBS is the Master File Table [MFT] MFT is the first file on the disk and is similar to FAT in Microsoft's older version of OS

NTFS
MFT file is created @ the same time a disk partition is formatted as a NTFS Volume The MFT typically consumes about 12.5% of the disk when it is created. As the data is added the MFT can extend up to 50% of the disk Significant features of NTFS over FAT is that it consumes much less file slack space

Cluster sizes in an NTFS

Drive Size 0 512 MB 512 1 GB 1-2 GB 2 4 GB 4 -8 GB 8 -16 GB 16-32 GB Above 32 Clusters 1 2 4 8 16 32 64 128 Size 512 bytes 1024 bytes 2048 bytes 4096 bytes 8192 bytes 8192 bytes 32,768 bytes 65,539 bytes

NTFS
The cluster sizes are smaller for the smaller disk drives . This saves more space on all disks using NTFS NTFS uses Unicode, an international data format. Unlike, the ASCII 8bit configuration . Unicode uses 16 bit configuration

NTFS System Files

System Files - NTFS

Everything on a NTFS disk is a file The first file MFT, contains information about all the files on the disk This includes the system files used by the OS Win XP, 2000 and NT Within the MFT, the 1st 15 records are reserved for the system files Records within the MFT are referred to as meta-data

Meta data records in MFT

MFT file File Name record no 0 1 2 3 4 5 6 7 8 9 10 11 $MFT $MFTMirr $LOGFILE $VOLUME $ATTRDEF $ROOT $BITMAP $BOOT $BADCLUS $SECURE $UPCASE $EXTENDC Description

Master file table Copy of the first 16 records of the MFT List of file system transaction Information about the volume, including NTFS versions , volume name and volume creation time Table of attribute definitions Root folder Bitmap representation of used and unused clusters Boot record with boot strap loader code if the volume is bootable List of bad clusters in the volume Stores security descriptors Conversion table for converting lowercase to uppercase Enables file system extensions such as vol quotas

$MFT
File Name : $MFT System File : MFT Record Position: 0 Description : Base file record for each folder on the NTFS volume . Other record positions within the MFT will be allocated if more space is needed

$MFTMirr
File Name : $MFT 2 System File : MFT Record Position: 1 Description : The first four records of the MFT are saved in this position If a single sector fails in the first MFT, the records can be restored allowing for recovery of the MFT

$LogFile
File Name : $LogFile System File : Log File Record Position: 2 Description : Previous transaction are stored here to allow for recovery after a system failure has occurred in the NTFS volume

$Volume
File Name : $Volume System File : Volume Record Position: 3 Description : Information specific to the volume such as label and version as stored here

$Volume
File Name : $Volume System File : Volume Record Position: 3 Description : Information specific to the volume such as label and version as stored here

$AttrDef
File Name : $AttrDef System File : Attribute Definitions Record Position: 4 Description : A Table listing the attribute names, numbers and definitions

$
File Name : $ System File : root filename index Record Position: 5 Description : This is root folder on the NTFS volume

$Bitmap
File Name : $ Bitmap System File : Boot sector Record Position: 6 Description : A map of the NTFS volume showing which clusters are in use and which are available

$Boot
File Name : $ Boot System File : Boot sector Record Position: 7 Description : Used to mount the NTFS volume during the bootstrap process Additional code is listed here if this is the boot drive for the system

$BadClus
File Name : $ BadClus System File : Bad Cluster file Record Position: 8 Description : For clusters that have unrecoverable errors an entry of the cluster location is made to this file

$Secure
File Name : $ Secure System File : Security File Record Position: 9 Description : The unique security descriptor the volume are listed in this file. This is where the Access Control List(ACL) is maintained for all files and folders (directories) on the NTFS Volume

$Upcase
File Name : $ Upcase System File : Upcase Table Record Position 10 Description : This converts all lowercase characters to uppercase Unicode character for the NTFS Volume

$Extend
File Name : $ Extend System File : NTFS extension file Record Position 11 Description : Various optional extensions are listed here such as quotas, object identifiers, and reparse point data

 Record positions 12 15 are reserved for future use

NTFS Attributes
When NTFS was introduced by Microsoft, the way the OS stores the data significantly changed. All the files and folders (directories) have file attributes. Individual elements of a file such as Name, security information and even the data in the file are considered as attributes. Each of this attributes has a unique attribute type code Some type codes have names and codes

NTFS Attributes
NTFS attributes fall in two categories
Resident attributes Non Resident attributes

Attributes contained within the MFT are referred to as resident attributes. In windows 2000 and XP all the files and folder data are contained within the MFT. If more room is needed for growth, the MFT assigns an inode to the file attribute An inode links attribute records to other attribute records within the MFT

Attributes in MFT for windows and XP

Standard information
Time stamp data and link(inode)count information are listed here

Attribute list
Attributes that do not fit within the MFT are listed here. This lists the location of the non resident attributes

Filename
The long and short name for the file is contained here. Up to 255 Unicode bytes are available for long file names.

Security Descriptor
Ownership and who has access rights to the file or folder listed here

Attributes in MFT for windows and XP

Data
File data is stored here. Multiple data attributes are allowed for each file. When more space is needed for additional data an inode is assigned linking to a new MFT attribute record

Object ID
The volume unique file identifier is listed here. Not all the files will need this unique identifier

Logged tool stream

This field is used by the encrypted file system service that was implemented in windows 2000 and XP.

Reparse Point
This is used for volume mount points and for installable file system (IFS) filter drivers For the IFS it marks specific files that are used by the drivers

Attributes in MFT for windows and XP

Index root
Implemented for use of folders and indexes

Index allocation
Implemented for use of folders and indexes

Bitmap
Implemented for use of folders and indexes

Volume information
Used by the $Volume system file The volume version number is listed here

Volume Name
Used by the $ Volume system file