We’ll get started at 19:05
file systems && autopsy
comp6445 week03
File systems
- FAT32
- NTFS
- Ext
- Autopsy
FAT32
- File Allocation Table (FAT)
- Directory Entries (DE)
FAT: linked list of statuses of all clusters
| status | indicates |
|---|---|
0x?0000000 | free cluster |
0x?0000002 | cluster in use (value is next cluster for file) |
0x?FFFFFFF | cluster in use EOF marker |
Deleted files
- what happens to file contents when a file is deleted
- what else happens (specifically in FAT?)
Deleted files
- what else happens (specifically in FAT?)
- first character in filename changed to
0xe5 - all clusters in FAT replaced with
0x00
- first character in filename changed to
why are these important
NTFS
$MFT (DEs of NTFS)
$BITMAP (FATs of NTFS)
Everything is a fileā¢
Everything in a file is an attribute
Extents
- Similar to Cluster Runs
- A contiguous area of storage reserved for a file
Alternative data streams
- Also a file attribute
- Honestly pretty stupid, not honored by other FSs
- Originally used to provide compatibility with Macs
- Now mostly used to hide malware lol
read more here
Deleted files
- what happens for NTFS
Deleted files
- what happens for NTFS
$MFTmarks$FILEentry as available$DATAattribute read,$BITMAPupdated to show cluster runs no longer used- nothing is wiped/deleted from
$MFTor clusters
until the FILE entry is overwritten, the data is still there
Ext
TODO
Autopsy
TODO
Random extra stuff
I found another wierd file on my computer, you can download it here
Walkthrough
Any questions about last week’s investigation
Investigation
Any questions so far?