In Course 9, we're going to discuss the NTFS file system. Here is an overview of what we'll be covering in this course. We're going to talk about the data structures that make up the NTFS file system, like the Volume Boot Record and the Master File Table. We're also going to take a look at the attributes that make up file entries in the Master File Table. We're going to cover the NTFS date and time format. We're going to talk about file creation, what happens when we create a file in the NTFS file system, and what happens when we delete it. We're also going to talk about the recovery limitations of NTFS.

Course 9, Module 1. We're going to talk about the history of the NTFS file system. NTFS grew out of the HPFS work that Microsoft had done jointly with IBM for OS/2, and it was designed to meet what are called the POSIX requirements. POSIX requires a certain amount of functionality from the file system, like the ability for a file to have more than one name (a hard link) and case-sensitive file naming. Neither FAT nor HPFS supports these features, which is another reason why a new file system was required for Windows NT. NTFS supports both hard links and case-sensitive naming; if you want to run in a POSIX-compliant environment, you need at least one NTFS disk partition on your computer. The first release was NTFS Version 1.0 with Windows NT 3.1, followed by Version 1.2 with Windows NT 3.51. These two versions offered administrative controls as well as the POSIX features, and added compressed files and access control lists, so each user could have their own account with their own permissions on files, which is also what makes a per-user Recycle Bin possible. That is something we did not have with FAT. The modern version of NTFS that you're going to see is Version 3.1, which is used by all installations of Windows XP and above.
What we have in Version 3.1 that we didn't have before is a transaction log with rollback: the file system journals its metadata changes, so after a crash it can recover our data and roll the file system back to a consistent state. It can also handle larger volumes. With Windows 8 we got faster file-system checking and recovery, and the same file system was used across Windows devices, including phones and tablets, so the built-in applications could be cross-platform. With Windows 10 we got extended logging and rollback features, and all of that logging is helpful to us as forensic examiners. Every modern version of Windows, Vista and above, requires an NTFS-formatted volume to be installed on.

When talking about NTFS, we need to remember that everything in NTFS is stored as a file. You'll hear that a lot throughout this course. When we talk about offsets, we mean offsets relative to the start of the data structure we're examining. If we're looking at the Volume Boot Record and we talk about offset 0x03, that is byte 3 from the start of the Volume Boot Record, not from the start of the physical disk. Unlike FAT, where we had a system area and a data area, in NTFS the entire logical volume is considered the data area. NTFS has the Master File Table, which is an index of every file on the entire volume, including the Master File Table itself. The Master File Table also includes the NTFS system files. Their names begin with a dollar sign, and they are called metadata files: files that hold information about other files, the file system's external metadata. They are created when the NTFS volume is formatted. Records 0 through 26 of the Master File Table are reserved for these metadata system files, because even though the entire volume is considered the data area, the file system still needs its own structures in order to operate.
So you're going to need to have system files. Records 12 through 23 are reserved for future use, and Records 24 through 26 hold the three metadata files that live under the $Extend directory: $Quota, $ObjId, and $Reparse. The first user-created file will usually land somewhere around Record 35.

Looking at the metadata files in the table on the slide, the very first entry in the Master File Table, Entry 0, is the record for the Master File Table itself, $MFT. Entry 1 is $MFTMirr, the MFT mirror, which is a backup of the first few entries of the Master File Table kept for recovery purposes. Entry 2 is $LogFile, and Entry 3 is $Volume. Entry 5 is represented by a dot: this is the root directory, the root file name index, a listing of the files in the root of the volume. Entry 7 is $Boot, our boot sector. Entry 11 is $Extend, the directory that holds the extended metadata files.

I've talked about the ones that are highlighted, and you can see there are several others. $LogFile simply keeps track of logging for rollback purposes. $Bitmap (we talked about bitmaps when we covered the exFAT file system) tracks cluster allocation, one bit per cluster. $BadClus keeps track of the bad clusters on the volume. $Secure stores the security descriptors, the permissions on files. $UpCase is a table that maps every character to its uppercase form; NTFS uses it to compare file names without regard to case, so we can search the volume without worrying about case, while the name is still stored with the case the user typed. $Quota tracks quotas, the limits on how much data certain users are allowed to use. $ObjId records the object identifier that can be assigned to each file. $Reparse keeps track of reparse points. The ones we highlighted are the ones we're going to talk about throughout this course.
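As an added worked example (not part of the course material), here is how the two ideas above come together for an examiner: offsets are relative to the start of the structure you are reading, so the OEM ID "NTFS" is checked at offset 0x03 of the Volume Boot Record, and the few VBR fields that give cluster size and the starting cluster of $MFT are enough to compute where any Master File Table record sits on the volume. The reserved record numbers are then mapped to their $-prefixed metadata files. The boot sector is constructed in the script, and its geometry (512-byte sectors, 8 sectors per cluster, $MFT at cluster 786432, 1024-byte records) is an assumption typical of a Windows-formatted volume, not data read from a real disk. The VBR field offsets used here belong to the next module; only the ones needed to locate the MFT are read.

```python
"""Locate Master File Table records from a constructed NTFS Volume Boot Record
and name the metadata files that own the reserved record numbers.

Added example for the course notes; the boot sector below is CONSTRUCTED and
its geometry values are assumptions, not data read from a real disk.
"""
import struct

# Reserved MFT record numbers and the metadata files that occupy them.
# Records 12-23 are reserved and hold no named file.
NTFS_SYSTEM_FILES = {
    0: "$MFT", 1: "$MFTMirr", 2: "$LogFile", 3: "$Volume", 4: "$AttrDef",
    5: ".", 6: "$Bitmap", 7: "$Boot", 8: "$BadClus", 9: "$Secure",
    10: "$UpCase", 11: "$Extend",
    24: "$Extend\\$Quota", 25: "$Extend\\$ObjId", 26: "$Extend\\$Reparse",
}


def build_sample_vbr(bytes_per_sector=512, sectors_per_cluster=8,
                     mft_cluster=786432, mft_mirror_cluster=2,
                     total_sectors=0x1DFFFFF, clusters_per_record=0xF6):
    """Construct a 512-byte NTFS boot sector (assumed geometry, for the example).

    Only the fields this example reads are populated; everything else is zero.
    All offsets are relative to the start of the VBR, as in the course.
    """
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"                            # jump instruction
    vbr[3:11] = b"NTFS    "                               # OEM ID at offset 0x03
    struct.pack_into("<H", vbr, 0x0B, bytes_per_sector)   # bytes per sector
    vbr[0x0D] = sectors_per_cluster                       # sectors per cluster
    struct.pack_into("<Q", vbr, 0x28, total_sectors)      # total sectors
    struct.pack_into("<Q", vbr, 0x30, mft_cluster)        # $MFT starting cluster
    struct.pack_into("<Q", vbr, 0x38, mft_mirror_cluster) # $MFTMirr starting cluster
    vbr[0x40] = clusters_per_record                       # clusters per MFT record
    vbr[510:512] = b"\x55\xAA"                            # boot sector signature
    return bytes(vbr)


def _decode_size_byte(raw):
    """NTFS size bytes are signed: n >= 0 is a plain count, n < 0 means 2**(-n)."""
    return 2 ** (-raw) if raw < 0 else raw


def parse_vbr(vbr):
    """Return the geometry an examiner needs to walk the MFT, or raise ValueError."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature at offset 510; not a boot sector")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID at offset 0x03 is not 'NTFS'; not an NTFS VBR")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    sectors_per_cluster = _decode_size_byte(struct.unpack_from("<b", vbr, 0x0D)[0])
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_cluster = struct.unpack_from("<Q", vbr, 0x30)[0]
    mft_mirror_cluster = struct.unpack_from("<Q", vbr, 0x38)[0]
    # 0xF6 is -10 as a signed byte, so each MFT record is 2**10 = 1024 bytes;
    # a positive value would instead be a count of whole clusters per record.
    raw_record = struct.unpack_from("<b", vbr, 0x40)[0]
    record_size = _decode_size_byte(raw_record) * (1 if raw_record < 0 else cluster_size)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "mft_offset": mft_cluster * cluster_size,
        "mft_mirror_offset": mft_mirror_cluster * cluster_size,
        "record_size": record_size,
    }


def mft_record_offset(geometry, record_number):
    """Byte offset, from the start of the volume, of MFT record N.

    Assumes $MFT is contiguous from its starting cluster. On a real volume the
    $MFT data runs must be followed once the table has become fragmented.
    """
    return geometry["mft_offset"] + record_number * geometry["record_size"]


def describe_record(record_number):
    """Name the metadata file that owns a reserved record number, if any."""
    if record_number in NTFS_SYSTEM_FILES:
        return NTFS_SYSTEM_FILES[record_number]
    if 12 <= record_number <= 23:
        return "(reserved)"
    return "(user file or directory)"


if __name__ == "__main__":
    geom = parse_vbr(build_sample_vbr())
    print(f"cluster size {geom['cluster_size']} bytes, MFT record size {geom['record_size']} bytes")
    for n in (0, 1, 3, 5, 7, 11, 16, 24, 26, 35):
        print(f"record {n:3d} at volume offset 0x{mft_record_offset(geom, n):X}  {describe_record(n)}")
```

Two checks in `parse_vbr` are the ones you would want before trusting anything else: the 0x55AA signature at offset 510 says the sector is a boot sector at all, and the OEM ID at offset 0x03 says it is an NTFS one, so a FAT boot sector or a wiped sector is rejected instead of yielding a nonsense MFT offset. Record 0 of the result is the $MFT entry describing the table itself, which is the "everything is a file, including the MFT" point from the lecture.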
I just wanted to make you aware that these system metadata files occupy Records 0 through 26, the first entries in the Master File Table on every NTFS volume. In our next module, we're going to talk about the NTFS Volume Boot Record, discuss the information contained in the boot record, and see how we would read it.