Disk Forensics In Cyber Security | NTFS Forensics | TryHackMe NTFS Analysis
The article is an in-depth forensics guide on how to analyze the NTFS (New Technology File System) in Windows using forensic tools. It explores disk structure, file recovery, and forensic analysis techniques to detect changes in the file system, such as deleted, modified, or renamed files.
NTFS File System Components
MFT (Master File Table): Stores metadata of all files/directories.
MFT Mirror: A backup of MFT for data integrity.
Log File: Tracks changes in the file system.
Bitmap File: Monitors cluster allocations.
Boot Sector: Helps locate the OS.
Bad Cluster File: Detects bad sectors that may be hiding data.
USN Journal: Logs file changes (creation, deletion, modifications).
Understanding File System Structures & Metadata
If you’re getting into digital forensics, understanding NTFS (New Technology File System) is crucial. It’s the default file system for Windows and contains a wealth of forensic artifacts that investigators use to track file system activity, recover deleted files, and analyze data manipulation.
NTFS Structure: The Building Blocks
Think of NTFS as a giant library, where every file and folder is a book and the system keeps detailed records of their contents, locations, and changes.
💡 Fun Fact: The MFT is like a table of contents for your hard drive — it holds information about every file, even if it’s deleted!
Understanding the Master File Table (MFT)
- The MFT is a crucial component in NTFS, storing metadata for every file and directory.
- Forensic analysts use the MFT to track deleted files, recover lost data, and analyze timestamps (created, modified, last accessed).
- The MFT is part of the Partition Boot Sector (PBS), essential for locating the operating system at boot time.
MFT Mirror & Log File
The Log File (Journal) keeps a history of file system changes, helping to reconstruct events in forensic investigations.
The MFT Mirror is a backup of the original MFT and is used for integrity verification.
If the main MFT is corrupted, forensic analysts use the mirror to restore data.
USN Journal (Update Sequence Number Journal) & File System Change Tracking
The USN Journal records changes made to files and directories, making it useful for forensic analysts.
Investigators use command-line tools to parse these records and generate forensic timelines.
The two key data streams of the USN Journal ($UsnJrnl) are:
$Max — Designates the maximum journal size.
$J — Contains the actual forensic data, detailing changes to files, directories, and attributes.
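To make the $J description concrete, here is an added example (not code from the original article or the TryHackMe room) that parses $UsnJrnl:$J records in Python. The record layout and reason flags are the documented USN_RECORD_V2 format; the journal bytes themselves are constructed by `sample_journal()` (a file called notes.txt that is created, written, renamed to notes_final.txt and deleted), so the file names, MFT entry numbers and times are made up. A real $J extract begins with a long sparse run of zero bytes, which the parser skips rather than treating as records.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_RECORD_V2 reason bits (documented Windows values); one record may carry several.
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
HEADER = "<IHHQQQQIIIIHH"           # 0x3C-byte fixed header; the UTF-16 name follows
HEADER_LEN = struct.calcsize(HEADER)


def decode_reasons(mask):
    return [n for bit, n in sorted(REASONS.items()) if mask & bit] or [f"0x{mask:08x}"]


def parse_usn_j(data):
    """Walk a $UsnJrnl:$J extract. The stream is sparse, so the zero bytes that
    precede the live records are skipped 8 bytes at a time."""
    records, off = [], 0
    while off + HEADER_LEN <= len(data):
        (length, major, _minor, frn, parent_frn, usn, ts, reason,
         _source, _secid, attrs, name_len, name_off) = struct.unpack_from(HEADER, data, off)
        if length == 0:
            off += 8
            continue
        if major != 2 or length < HEADER_LEN or off + length > len(data):
            raise ValueError(f"bad USN record at offset {off}")
        records.append({
            "usn": usn,
            "time": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
            "mft_entry": frn & 0xFFFFFFFFFFFF,          # low 48 bits = MFT record number
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "name": data[off + name_off:off + name_off + name_len].decode("utf-16-le"),
            "is_dir": bool(attrs & 0x10),               # FILE_ATTRIBUTE_DIRECTORY
            "reasons": decode_reasons(reason),
        })
        off += length
    return records


def deleted_names(records):
    return list(dict.fromkeys(r["name"] for r in records if "FILE_DELETE" in r["reasons"]))


def renames(records):
    """Pair RENAME_OLD_NAME / RENAME_NEW_NAME records that share an MFT entry."""
    pending, out = {}, []
    for r in records:
        if "RENAME_OLD_NAME" in r["reasons"]:
            pending[r["mft_entry"]] = r["name"]
        elif "RENAME_NEW_NAME" in r["reasons"] and r["mft_entry"] in pending:
            out.append((pending.pop(r["mft_entry"]), r["name"]))
    return out


def _record(usn, when, entry, name, reason, attrs=0x20):
    """Serialise one constructed USN_RECORD_V2; MFT entry 5 plays the parent directory."""
    name_b = name.encode("utf-16-le")
    length = (HEADER_LEN + len(name_b) + 7) & ~7
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10   # exact FILETIME
    frn = (0x0001 << 48) | entry                                         # sequence 1, entry N
    hdr = struct.pack(HEADER, length, 2, 0, frn, (0x0001 << 48) | 5, usn, ft, reason,
                      0, 0, attrs, len(name_b), HEADER_LEN)
    return (hdr + name_b).ljust(length, b"\0")


def sample_journal():
    """Constructed $J: a document is created, written, renamed and deleted (MFT entry 77)."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    events = [
        (0x100, "notes.txt"), (0x100 | 0x2, "notes.txt"), (0x100 | 0x2 | 0x80000000, "notes.txt"),
        (0x1000, "notes.txt"), (0x2000, "notes_final.txt"), (0x2000 | 0x80000000, "notes_final.txt"),
        (0x200, "notes_final.txt"), (0x200 | 0x80000000, "notes_final.txt"),
    ]
    blob, usn = b"\0" * 4096, 4096          # sparse zero prefix; USN == offset in the stream
    for i, (reason, name) in enumerate(events):
        rec = _record(usn, t0 + timedelta(seconds=i), 77, name, reason)
        blob, usn = blob + rec, usn + len(rec)
    return blob


if __name__ == "__main__":
    recs = parse_usn_j(sample_journal())
    for r in recs:
        print(r["time"], r["mft_entry"], r["name"], "|".join(r["reasons"]))
    print("renamed:", renames(recs), "deleted:", deleted_names(recs))
```

Two details matter when this is run against a real export: a CLOSE record closes out the reasons accumulated since the previous CLOSE for that file, so the timeline should be read in runs rather than record by record, and the MFT entry number recovered from the file reference is what lets a rename or delete be tied back to the corresponding $MFT record.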
NTFS Forensics
Forensic analysts use specialized tools like FTK Imager, Autopsy, and Sleuth Kit to extract and analyze NTFS artifacts.
What Can Be Investigated?
✔️ Deleted Files Recovery: Even after deletion, files may still exist in slack space or MFT records.
✔️ File Modification History: The USN Journal logs changes made to files.
✔️ Tracking Unauthorized Access: By analyzing file timestamps (creation, modification, last access).
✔️ Hidden Data Detection: Attackers may use ADS (Alternate Data Streams) to store secret data inside files.
NTFS Timestamps: The Digital Fingerprints
Every file in NTFS has four main timestamps:
MACB Timestamps: (Modification, Access, Change, Birth)
- M (Modified) — Last time the file’s content changed.
- A (Accessed) — Last time the file was opened.
- C (Changed) — Last time the metadata (e.g., permissions) was modified.
- B (Birth) — Original file creation time.
💡 Cool Trick: Even if an attacker modifies or deletes a file, the timestamps in NTFS can reveal when and how it happened!
Analyzing NTFS with FTK Imager
🔹 Step 1: Mount the Disk Image (Using tools like FTK Imager)
🔹 Step 2: Extract Key NTFS Files (MFT, LogFile, USN Journal)
🔹 Step 3: Analyze File Changes (Using Timeline Explorer)
🔹 Step 4: Recover Deleted Files (Using Slack Space & Unallocated Space)
🔹 Step 5: Report Findings (Documenting changes, deletions, and hidden files)
What is an Alternate Data Stream (ADS)?
🔹 Normally, when you save a file in NTFS, it has a default data stream (the main content).
🔹 But NTFS allows additional “hidden” streams to be attached to the same file without affecting its size.
🔹 This is called an Alternate Data Stream (ADS).
Think of it like: A book with invisible pages — the main text is normal, but hidden pages contain secret notes!
Using Forensic Tools for Investigation
MFT Parser & Timeline Explorer to view detailed file history.
Filtering techniques to identify renamed, deleted, or modified files.
Tracking deleted files & using slack space for data recovery.
Examining the index allocation table ($I30) to analyze directory structures.
Data Recovery Techniques
Using FTK Imager to recover deleted files.
Exporting unallocated space for deeper forensic analysis.
Scalpel for data carving and recovering lost files.
Recovering Deleted Files & Examining Slack Space
- Deleted files are often recoverable if they are still referenced in the file system.
- Forensic tools analyze the Slack Space, which may contain remnants of deleted or moved files.
- NTFS maintains metadata even after file deletion, allowing recovery if the MFT is intact.
Analysts use tools to extract and analyze NTFS components like:
- Index Allocation Table ($I30) — Tracks file locations and movements.
- Master File Table Export — Helps recover lost metadata for deleted files.
Investigators identify files marked as deleted, moved, or renamed and attempt restoration.
Examining Unallocated Space for Hidden Data
- Unallocated Space may contain deleted files that forensic tools can carve out.
- Tools like Scalpel are used for deep analysis of unallocated storage areas.
- Investigators export the unallocated space as a separate image file for further examination.
💡 Interesting Facts & Insights:
- The MFT is crucial for forensic investigations — if it’s corrupted, file recovery becomes nearly impossible.
- Even deleted files leave traces in the slack space, USN journal, and index allocation table.
- ADS (Alternate Data Streams) can be used to hide malicious data inside files.
- Traces of network sniffers like Wireshark can be detected through NTFS analysis.
- Attackers use anti-forensic tools like Disk Wiper to erase their traces.
TryHackMe NTFS Analysis | Room Answers
Room answers can be found here.