Course nine, the NTFS file system, and we're on module two. In module two, we're going to talk about the NTFS volume boot record. Now, the NTFS volume boot record we'll see represented as $Boot. We talked about that when we saw our system metadata files: $Boot was our boot sector, and this is going to be our volume boot record. It is sector 0 of the volume, not the physical disk, but the volume we're looking at. In the information contained in here, we're going to see our OEM ID or operating system, which is going to be NTFS. We're going to see our bytes per sector and our sectors per cluster. We're going to get the total sectors in the volume, and the volume serial number. Now all this information is related to the volume structure and the size of the volume.

Also contained in the volume boot record, we're going to get information regarding the master file table. We're going to get the starting cluster of the master file table, the starting cluster of the MFT mirror (that backup copy of the first few entries of the master file table), and we're also going to see our master file table record size in clusters.

This is what our volume boot record is going to look like when we view it through a hex editor. You can see here, right at offset 03, starts the OEM ID, and if we look to the right in the ASCII pane we can see NTFS. If we go down to 0B, we can see our bytes per sector. They're highlighted in red there, it's 00 02, and remember that's going to be read little endian, so 02 00. Right next to that, highlighted in green, we see our sectors per cluster; that value is one byte long, so we don't need to worry about endianness. And if we go to offset 28 (and remember we're counting from the start of the volume boot record, the start of the data structure), so we go down two lines and over eight, we can see here highlighted in yellow our total sectors in the volume: it starts with EF, 6F, 0F and then 00 00 00 00 00.
Again, that would be read little endian, and that will give us the total sectors in the volume. Then we see, down at offset 30, and we're talking about three lines down from the start of the volume boot record (you count one, two, three), you can see it highlighted in pink: it is AA, A4. And remember that will be read little endian, so that would be read A4, AA, and that will be the starting cluster of the master file table. Now at offset 38, highlighted in blue, it starts with 02 and then it just has 00 00 all the way out for the remainder of the bytes. This is the starting cluster of the master file table mirror, and that will almost always be cluster two. And again it's read little endian; it will almost always be cluster two for your MFT mirror.

Now if we go down to offset 40 (so you would count four lines down: one, two, three, four), we can see our master file table record size. That is highlighted again in pink, and it starts with F6, 00 00 00; again that will be read little endian and converted to decimal. We can see at offset 48 is going to be our volume serial number, and that is again highlighted in yellow, four lines down and eight bytes over: we see 9F, 34, 03, 76, 70, 03, 76, B2. We would read that little endian, and that is our volume serial number. That serial number will be unique to this volume, so it will identify this volume specifically.

We're going to do a walkthrough of the volume boot record with Active Disk Editor and take a look at it. The items you're going to need for the walkthrough are Active Disk Editor and our NTFS VHD. The first thing we need to do is attach our NTFS VHD. So we're going to go to Disk Management. If you don't know where it is, just go down to your Windows search and type in "disk", and "Create and format hard disks and partitions" should come up; that will bring up Disk Management. Once Disk Management is open, we're going to go to Action, Attach VHD.
We're going to navigate out to where you saved the VHD (mine is on my desktop), and we're going to go ahead and attach the NTFS VHD: click Open and it will attach. Once we're there, we're going to take a look at this. Remember the drive, the disk number and your volume letters. We want to go to the volume that is NTFS, 200 megabytes, the second volume on the disk. Mine is B; yours may be a different drive letter. But this is the volume we're going to be looking at in Active Disk Editor. So remember the disk number, the volume letter and the volume label.

Okay, so now we're going to open up Active Disk Editor, and we're going to say Open Disk. We're going to look at volumes, because we're looking at our NTFS volume, and mine was B, the second volume in, with a size of 200 megabytes. We're going to go ahead and click Open, and it will open right to the volume boot record. If it did not, you can just go to Navigation, Boot Sector, and that'll take you to the volume boot record. This is in sector zero of the volume, the logical volume, not the physical disk. We're going to take a look at the structures we talked about in our PowerPoint. We see we have the file system right here highlighted in green, and it is NTFS, and we can see that in ASCII over to the right: it is NTFS. Now we're going to take a look at how many bytes per sector. Again, this is read little endian, so at offset 0B, 02, 00, and that is 512 bytes per sector. Then highlighted in green at offset 0D we have sectors per cluster, so we have eight sectors per cluster, and our sector size is 512 bytes.

Now we want to take a look at offset 28, and we're going to talk about the total sectors in the volume. So we would go down two lines (one, two) and over eight, and this is going to give us the total number of sectors in our volume. Again, it is read little endian, so it would be read from right to left, and it tells us the total number of sectors. In this case it's 409,599.
So that's how many sectors are in this volume. That's all the data we want to account for when we're doing our exam. Now we need to know the starting cluster of the MFT, and that is down at offset 30. So we would count three lines down: one, two, three. This is the starting cluster of the master file table; it starts at cluster number 17,066. We go over to offset 38, and this is the starting cluster of the MFT mirror, and as we expect it is cluster two. Again, this would be read little endian, and that would be cluster two.

Now we want to take a look at the MFT, the master file table record size, and that will be down at offset 40. Again we're counting from the start of the volume boot record, the start of the data structure, down four lines: one, two, three, four. This is going to tell us the clusters per file record, and that is F6, and we can see it is 246. Now we want to take a look at the volume serial number, and that would be at offset 48. We're already at 40, so if we just go over to offset 48 we can see the volume serial number in hexadecimal. If we were going to translate that to decimal, we would need to read it little endian and translate it to decimal. But the volume serial number is unique to that volume, so this will be helpful to us in forensics. Anything that identifies something uniquely is helpful in forensics.

So that's the information that was contained in the NTFS volume boot record, this is where it is, and this is how we would read it. In our next section we are going to talk about the master file table.
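A parser for the fields walked through above, as an added example that is not part of the course material or of Active Disk Editor: it builds a constructed 512-byte boot sector holding the walkthrough's values, reads each field little endian from the offsets given in the lecture, and turns the MFT starting cluster into the byte offset you would jump to in a hex editor. The sample bytes are constructed rather than taken from the course VHD; for the record-size byte the code applies the NTFS convention that a value of 0x80 or above is a negative power-of-two exponent, so F6 (read as 246 unsigned in the lecture) means 2^10 = 1,024 bytes per MFT record.

```python
import struct

NTFS_OEM_ID = b"NTFS    "  # 8 bytes at offset 0x03

def build_sample_vbr() -> bytes:
    """Constructed 512-byte NTFS boot sector using the walkthrough values (not a real dump)."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"                  # x86 jump, present on real volumes
    vbr[3:11] = NTFS_OEM_ID                     # offset 0x03: OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)      # offset 0x0B: bytes per sector (2 bytes, LE)
    vbr[0x0D] = 8                               # offset 0x0D: sectors per cluster (1 byte)
    struct.pack_into("<Q", vbr, 0x28, 409599)   # offset 0x28: total sectors (8 bytes, LE)
    struct.pack_into("<Q", vbr, 0x30, 17066)    # offset 0x30: MFT starting cluster
    struct.pack_into("<Q", vbr, 0x38, 2)        # offset 0x38: MFT mirror starting cluster
    vbr[0x40] = 0xF6                            # offset 0x40: clusters per file record (signed)
    vbr[0x48:0x50] = bytes.fromhex("9F340376700376B2")  # offset 0x48: serial bytes as on the slide
    vbr[0x1FE:0x200] = b"\x55\xAA"              # end-of-sector signature
    return bytes(vbr)

def file_record_bytes(raw: int, sectors_per_cluster: int, bytes_per_sector: int) -> int:
    """NTFS rule: 0x00-0x7F is a cluster count; 0x80-0xFF is a negative exponent, size = 2**(-raw)."""
    if raw >= 0x80:
        return 1 << (0x100 - raw)               # 0xF6 -> -10 -> 1024 bytes
    return raw * sectors_per_cluster * bytes_per_sector

def parse_vbr(vbr: bytes) -> dict:
    """Decode the boot-record fields discussed in the lecture from raw sector bytes."""
    if len(vbr) < 512 or vbr[3:11] != NTFS_OEM_ID:
        raise ValueError("not an NTFS volume boot record")
    bps = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    total_sectors = struct.unpack_from("<Q", vbr, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", vbr, 0x30)[0]
    mirror_cluster = struct.unpack_from("<Q", vbr, 0x38)[0]
    raw_record = vbr[0x40]
    serial = struct.unpack_from("<Q", vbr, 0x48)[0]
    cluster_bytes = spc * bps
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bps,
        "mft_cluster": mft_cluster,
        "mft_byte_offset": mft_cluster * cluster_bytes,   # where to jump in the hex editor
        "mft_mirror_cluster": mirror_cluster,
        "file_record_bytes": file_record_bytes(raw_record, spc, bps),
        "volume_serial": serial,                           # display as f"{serial:016X}"
    }
```

To compare against what Active Disk Editor shows, pass the first 512 bytes read from the mounted NTFS volume (not the physical disk) to `parse_vbr`.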