Thursday, June 4, 2009

Notes for Forensic Beginners, Part 1

Hello All,

I still remember my days 7 years back, when I was very keen on learning and working on Computer Forensics; however, there were no good resources available for understanding the concepts and the practical side of it.

I am starting this short series for all those who are still struggling to start their career in Digital / Computer Forensics.

However, I won't be covering the basic steps or phases involved in Computer Forensics and Incident Response, as there are numerous books available on those, and a Google search will help you a lot.

So, let's start with the NTFS filesystem:

The current version is NTFS v3.1, used by XP/2000/2003/Vista.

NTFS: New Technology File System

NTFS was formerly a registered trademark of Northern Telecom (Northern Telecom File System); you can still find that mark on older CDs for Windows NT 3.5 and 4.0.

Going a bit deeper,

NTFS consists of the records and entries of the MFT.

$MFT = Master File Table

The length of an $MFT record within NTFS is 1024 bytes.

Standard Sector size within NTFS is 512 bytes

Standard cluster size within NTFS is 4096 bytes (8 * 512-byte sectors)

The MFT is the primary file within the NTFS file system; it points to the locations of all the other files on the NTFS-formatted volume.

Within the MFT there are "entries", and each entry contains information about the file it points to. These entries provide a variety of information about that file, including the following:

File name, file size, and the dates associated with the file:

Created = C

Entry Modified = M

Written = E

Accessed = A

Location of the file's data. (Together the four dates are referred to as MACE.)

Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 or FILE*, signifying whether the given partition was formatted using Windows XP or Windows 2000 respectively.

The first 16 MFT entries within the MFT are reserved.
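As an added example (not from the original post), the Python script below builds a constructed XP-style 1024-byte MFT entry, applies and then verifies the per-sector fixup words, and decodes the four $STANDARD_INFORMATION timestamps the post groups as MACE. It also shows where the FILE0 / FILE* signatures come from: byte 4 of the entry is the low byte of the update sequence array offset, 0x30 ('0') on XP-formatted volumes and 0x2A ('*') on 2000-formatted ones. The record number 20, the timestamps and the $MFT start cluster 786432 are all made-up values, and the sample bytes are generated in the script rather than taken from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512            # standard NTFS sector size
CLUSTER = 4096          # standard cluster size: 8 sectors
RECORD = 1024           # one MFT entry: two sectors
RESERVED_ENTRIES = 16   # entries 0-15 are reserved for NTFS metadata files
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO = 0x10         # $STANDARD_INFORMATION attribute type
END_MARKER = 0xFFFFFFFF


def filetime_to_dt(ft):
    """NTFS FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def record_offset(record_no, mft_start_cluster):
    """Byte offset and sector number of an MFT entry, given where $MFT starts."""
    byte_off = mft_start_cluster * CLUSTER + record_no * RECORD
    return byte_off, byte_off // SECTOR


def build_record(record_no, created, written, entry_modified, accessed, usn=0x0001):
    """Constructed sample (not real on-disk data): an XP-layout entry holding one
    resident $STANDARD_INFORMATION attribute, with fixups applied as NTFS would."""
    buf = bytearray(RECORD)
    usa_off, usa_count = 0x30, 3            # USA at 0x30, so bytes 0..4 read "FILE0"
    first_attr = 0x38                       # 0x30 + 3 USA words, rounded up to 8
    std = struct.pack("<QQQQ", dt_to_filetime(created), dt_to_filetime(written),
                      dt_to_filetime(entry_modified), dt_to_filetime(accessed)) + bytes(16)
    attr = struct.pack("<IIBBHHHIHBB", STD_INFO, 24 + len(std), 0, 0, 0x18, 0, 0,
                       len(std), 0x18, 0, 0) + std
    end = first_attr + len(attr)
    used = (end + 4 + 7) & ~7               # end marker, then 8-byte alignment
    struct.pack_into("<4sHHQHHHHIIQHHI", buf, 0, b"FILE", usa_off, usa_count, 0,
                     1, 1, first_attr, 0x0001, used, RECORD, 0, 1, 0, record_no)
    buf[first_attr:end] = attr
    struct.pack_into("<I", buf, end, END_MARKER)
    # Fixups: save the last word of each sector into the USA, overwrite it with the USN
    struct.pack_into("<H", buf, usa_off, usn)
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[tail:tail + 2]
        struct.pack_into("<H", buf, tail, usn)
    return bytes(buf)


def parse_record(raw):
    """Validate and decode one MFT entry; raises ValueError on anything inconsistent."""
    if len(raw) != RECORD:
        raise ValueError("expected a %d-byte entry" % RECORD)
    if raw[:4] != b"FILE":
        raise ValueError("bad signature %r (BAAD or unallocated?)" % raw[:4])
    buf = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):           # undo the fixups, checking every sector
        tail = i * SECTOR - 2
        if bytes(buf[tail:tail + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d: torn write" % (i - 1))
        buf[tail:tail + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", buf, 16)
    record_no = struct.unpack_from("<I", buf, 44)[0]
    info = {"signature": raw[:5].decode("latin-1"),   # "FILE0" (XP) or "FILE*" (2000)
            "record_no": record_no, "reserved": record_no < RESERVED_ENTRIES,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "links": links,
            "used": used, "allocated": alloc, "times": None}
    off = first_attr
    while off + 8 <= RECORD:                # walk the attribute list to the end marker
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == END_MARKER:
            break
        if alen < 24 or alen % 8 or off + alen > RECORD:
            raise ValueError("bad attribute length at offset %d" % off)
        if atype == STD_INFO and buf[off + 8] == 0:      # resident form only
            vlen, voff = struct.unpack_from("<IH", buf, off + 16)
            c, w, e, a = struct.unpack_from("<QQQQ", buf, off + voff)
            info["times"] = {k: filetime_to_dt(v) for k, v in (("created", c),
                             ("written", w), ("entry_modified", e), ("accessed", a))}
        off += alen
    return info


def is_consistent(raw):
    """True when the entry parses and every sector's fixup word matches the USN."""
    try:
        parse_record(raw)
        return True
    except ValueError:
        return False


def sample_entry(record_no=20):
    """Constructed input: entry `record_no` with made-up 2009-06-04 timestamps."""
    utc = timezone.utc
    return build_record(record_no, datetime(2009, 6, 4, 9, 0, tzinfo=utc),
                        datetime(2009, 6, 4, 9, 5, tzinfo=utc),
                        datetime(2009, 6, 4, 9, 6, tzinfo=utc),
                        datetime(2009, 6, 4, 9, 7, tzinfo=utc))


SAMPLE = sample_entry()
TORN = bytearray(SAMPLE)
TORN[510] ^= 0xFF          # simulate a torn write: sector 0's fixup word no longer matches
TORN = bytes(TORN)

if __name__ == "__main__":
    info = parse_record(SAMPLE)
    print(info["signature"], "entry", info["record_no"], "reserved:", info["reserved"])
    for k, v in info["times"].items():
        print("  %-15s %s" % (k, v.isoformat()))
    print("entry 20 is at byte %d (sector %d) if $MFT starts at cluster 786432"
          % record_offset(20, 786432))
    print("torn copy consistent:", is_consistent(TORN))
```

The fixup check is the part worth keeping in mind when you read entries from an image: if the last word of either sector does not match the update sequence number, the entry was caught mid-write, so its timestamps and attribute data should not be trusted without cross-checking against $LogFile or the $MFTMirr copy.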

In the next part of this series we will go deeper into the NTFS structure with reference to the MFT and other records.

I need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

3 comments:

anand said...

Thanks for this beginners' series. Waiting for the other parts too.

Also, a blog on how to pursue a computer security career, what topics to master and what certifications might help would be great and helpful for beginners in India.

Also, what is the present industry scenario in India...

Thank you...

Unknown said...

Please review on my site..

Our company is based on Professional Web Designers

http://www.webintechs.com

Danny Danials said...

I have been using this app Asphalt Nitro Mod Apk (Car Unlocked / Money) : and downloaded and playing it regularly.