New Technology File System (NTFS)

From Forensics Wiki

The '''New Technology File System''' ('''NTFS''') is a [[file system]] developed by [[Microsoft]] and introduced in 1993 with [[Windows]] NT 3.1. As a replacement for the [[FAT]] file system, it became the standard for [[Windows 2000]], [[Windows XP]] and [[Windows Server 2003]].
The features of NTFS include:
 
  
* [[Hard-links]]
* Improved performance, reliability and disk space utilization
* Security [[access control lists]]
* File system journaling

== Time Stamps ==
 
  
NTFS keeps track of many time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access' and 'Entry Modified'; the latter is the time the MFT entry itself was last modified. These four values are commonly abbreviated as the 'MACE' values and are read from the $STANDARD_INFORMATION attribute of the file's MFT record. Note that other attributes in the same MFT record also contain timestamps of forensic value: the $FILE_NAME attribute carries its own set of four, which the documented SetFileTime API cannot change, so a disagreement between the two sets is worth examining.

Additional information on how NTFS timestamps work when files are moved or copied is available here: [http://support.microsoft.com/kb/299648 Microsoft KB 299648]

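The following Python parser is added here as an illustration; it is not code from the original wiki page nor from Microsoft or any forensic product. It reads both timestamp sets out of a raw 1024-byte MFT entry: it undoes the update-sequence fixups, walks the resident attributes, decodes the FILETIME values in $STANDARD_INFORMATION and $FILE_NAME, and flags the classic timestomping pattern ($SI creation earlier than $FN creation). The record it parses is constructed inside the block; the file name, times, USN, parent reference and record number are made up for the demo.

```python
"""Parse the MACE timestamps out of a raw NTFS MFT entry (FILE record), undo the update
sequence fixups, and compare $STANDARD_INFORMATION against $FILE_NAME.
Added example: the record is constructed below, not taken from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """NTFS stores 64-bit FILETIME values: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """The driver overwrites the last 2 bytes of every 512-byte sector with the update
    sequence number (USN) and keeps the originals in the update sequence array (USA).
    Restore them; a mismatch means a torn write and the record must not be trusted."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        fixed[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)

def iter_resident_attributes(record):
    """Yield (type, content) for every resident attribute in the record."""
    off = struct.unpack_from("<H", record, 0x14)[0]          # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:                                # non-resident flag clear
            csize, coff = struct.unpack_from("<IH", record, off + 0x10)
            yield atype, record[off + coff:off + coff + csize]
        off += alen

def _mace(blob, base):
    """$SI and $FN both hold four FILETIMEs: created, modified, MFT-modified, accessed."""
    c, m, e, a = struct.unpack_from("<4Q", blob, base)
    return {"created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
            "entry_modified": filetime_to_datetime(e), "accessed": filetime_to_datetime(a)}

def parse_mft_timestamps(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(raw)
    out = {}
    for atype, content in iter_resident_attributes(record):
        if atype == ATTR_STANDARD_INFORMATION:
            out["$STANDARD_INFORMATION"] = _mace(content, 0)
        elif atype == ATTR_FILE_NAME:                           # parent reference precedes the times
            name_len = content[0x40]
            name = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
            out["$FILE_NAME"] = dict(_mace(content, 8), name=name)
    return out

def looks_timestomped(ts):
    """$FILE_NAME times are maintained by the kernel and cannot be set via SetFileTime, so a
    $SI creation time earlier than the $FN creation time is a classic timestomping indicator."""
    return ts["$STANDARD_INFORMATION"]["created"] < ts["$FILE_NAME"]["created"]

# --- constructed sample record (all values below are made up for the demo) ---
def _attribute(atype, content):
    total = (0x18 + len(content) + 7) & ~7                     # resident header is 0x18 bytes
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (total - 0x18 - len(content))

def build_sample_record(si_times, fn_times, name, usn=0x0007):
    """1024-byte FILE record with $SI, $FN and fixups applied the way the driver writes them.
    Each times argument is (created, modified, entry_modified, accessed)."""
    si = struct.pack("<4Q4I", *[datetime_to_filetime(t) for t in si_times], 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5, *[datetime_to_filetime(t) for t in fn_times],
                     0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (_attribute(ATTR_STANDARD_INFORMATION, si) + _attribute(ATTR_FILE_NAME, fn)
             + struct.pack("<II", ATTR_END, 0))
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                             0x38 + len(attrs), RECORD_SIZE, 0, 2, 0, 42)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = struct.pack("<H", usn)
    for i in range(2):                                          # USA keeps each sector's tail
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)

def demo():
    real = [datetime(2012, 7, 4, 23, 47, tzinfo=timezone.utc)] * 4
    honest = build_sample_record(real, real, "evidence.txt")
    # $SI backdated to 2009 while $FN still shows the 2012 creation
    stomped = build_sample_record([datetime(2009, 1, 1, tzinfo=timezone.utc)] * 4, real, "evidence.txt")
    results = {}
    for label, rec in (("honest", honest), ("stomped", stomped)):
        ts = parse_mft_timestamps(rec)
        results[label] = (ts, looks_timestomped(ts))
    return results

if __name__ == "__main__":
    for label, (ts, flag) in demo().items():
        print(label, ts["$FILE_NAME"]["name"], ts["$STANDARD_INFORMATION"]["created"],
              "TIMESTOMPED" if flag else "consistent")
```

To run it against a real record, read 1024 bytes at the right offset of $MFT (or of a raw volume) and hand them to parse_mft_timestamps; the fixup check will reject records that were torn by a crash, and a BAAD signature is rejected by the FILE check. The comparison in looks_timestomped is one indicator only; sub-second values of all zero in $SI are another common sign, and a legitimate move between volumes also resets $FN times.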
=== Changes in Windows Vista ===

In Windows Vista, NTFS no longer updates the Last Access time of a file by default. Updating can be re-enabled by setting the registry value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0' (or by running 'fsutil behavior set DisableLastAccess 0'); examiners should therefore not read a stale Access time on a Vista or later system as proof that a file was never opened.

== Alternate Data Streams ==

The '''NTFS''' file system includes a feature referred to as Alternate Data Streams (ADSs). This feature has also been referred to as "multiple data streams", "alternative data streams", etc. ADSs were included in '''NTFS''' in order to support the resource forks employed by the Hierarchical File System ([[HFS]]) used by Macintosh systems.

As of [[Windows XP]] SP2, files downloaded via Internet Explorer, Outlook, and Windows Messenger were automatically given a "Zone.Identifier" ADS (the "mark of the web"), a small text stream recording the URL security zone the file came from (ZoneId=3 for the Internet zone). The [[Windows]] Explorer shell would then display a warning when the user attempted to execute these files (by double-clicking them).
 
  
Sysadmins should be aware that prior to Vista, there are no tools native to the [[Windows]] platform that would allow you to view the existence of arbitrary ADSs. While ADSs can be created and their contents executed or viewed, it wasn't until the "/r" switch was introduced with the "dir" command on Vista that arbitrary ADSs would be visible. Prior to this, tools such as [http://www.heysoft.de/Frames/f_sw_la_en.htm LADS] could be used to view the existence of these streams.

Microsoft FSRM (File System Resource Manager) also uses ADS as part of 'file classification'.

Examiners should be aware that most forensic analysis applications, including [[EnCase]] and ProDiscover, will display ADSs found in acquired images in red.

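As an added example (not code from the original page, from EnCase or from Microsoft), the Python below enumerates a file's streams through the documented Win32 FindFirstStreamW/FindNextStreamW/FindClose API, which yields the same information 'dir /r' shows, and decodes the Zone.Identifier stream described above. The stream enumeration only works on Windows; the Zone.Identifier sample text is constructed for the demo, the URLs in it are placeholders, and the zone-name table is the standard URL security zone numbering (0 local machine through 4 restricted).

```python
"""List the alternate data streams of a file on Windows and decode a Zone.Identifier stream.
Added example: the Win32 calls are the documented FindFirstStreamW/FindNextStreamW/FindClose;
the sample Zone.Identifier text is constructed, not captured from a system."""
import ctypes
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout is only meaningful on Windows, where c_wchar is the 2-byte WCHAR.
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

def list_streams(path):
    """Return [(stream_name, size)] for every $DATA stream of `path`. The unnamed (normal)
    stream is reported as '::$DATA'; any other entry is an ADS. Windows only."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is a Win32 API; run this on Windows against NTFS")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                                   # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams

def parse_zone_identifier(text):
    """Decode the INI-style Zone.Identifier ADS ('mark of the web'):
    [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...  Returns None if no ZoneId."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "ZoneTransfer":
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    if "ZoneId" not in values:
        return None
    zone = int(values["ZoneId"])
    return {"zone_id": zone, "zone_name": ZONE_NAMES.get(zone, "unknown"),
            "referrer": values.get("ReferrerUrl"), "host": values.get("HostUrl")}

def read_zone_identifier(path):
    """On NTFS the stream is opened as '<file>:Zone.Identifier'. A FileNotFoundError means the
    file was never marked as downloaded, or the mark was removed (e.g. Unblock-File)."""
    with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
        return parse_zone_identifier(f.read())

# Constructed sample of what Windows writes for a browser download (placeholder URLs).
SAMPLE_ZONE_IDENTIFIER = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                          "ReferrerUrl=http://example.invalid/downloads/\r\n"
                          "HostUrl=http://example.invalid/files/tool.exe\r\n")

if __name__ == "__main__":
    target = sys.argv[1]
    for name, size in list_streams(target):
        print("%-40s %d bytes" % (name, size))
    print(read_zone_identifier(target))
```

Run it as `python ads.py C:\path\to\download.exe`; every stream other than `::$DATA` is an alternate stream, exactly the set `dir /r` lists. Note that the Zone.Identifier content is plain text the user (or malware) can edit or delete with the same open() call, so its absence proves nothing about where a file came from.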
== Advanced Format (4KB Sector) Hard Drives ==

NTFS on Windows versions before Windows 8 and Windows Server 2012 does not support drives that expose 4 KB sectors natively (4Kn); such drives are only usable there through 512-byte emulation (512e), where a partition that is not aligned to the 4 KB physical sector costs a read-modify-write on every write. For information on this, see [[Advanced Format]].

== Transactional NTFS (TxF) ==

According to MSDN, Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction, so that a set of changes is either committed as a whole or rolled back.

Several TxF related file-system-metadata files can be found in the file-system-metadata directory \$Extend\$RmMetadata\ (among them $Txf, $TxfLog and $Repair). TxF also uses the MFT attribute $LOGGING_UTILITY_STREAM with the name $TXF_DATA on files that have been touched by a transaction, which makes that attribute a useful marker of transacted file activity during analysis.

TxF uses the [[Common Log File System (CLFS)]] for its transaction log.

== External links ==
* [http://en.wikipedia.org/wiki/NTFS Wikipedia: NTFS]
* [http://msdn.microsoft.com/en-us/library/bb968806%28v=VS.85%29.aspx MSDN on Transactional NTFS]
* [http://en.wikipedia.org/wiki/Transactional_NTFS Wikipedia on Transactional NTFS]
* [http://www.tzworks.net/prototype_page.php?proto_id=12 Windows NTFS Metadata Extractor Utility] Free tool that can be run on Windows, Linux or Mac OS X
* [http://sourceforge.net/projects/linux-ntfs/files/NTFS%20Documentation/ Linux-ntfs Documentation] Detailed documentation of the NTFS format by the Linux-NTFS driver creators.
* [http://support.microsoft.com/kb/140365 Default cluster size for NTFS, FAT, and exFAT]

  
[[Category:File Systems]]

Encase image file format

Revision as of 23:47, 4 July 2012

The EnCase image file format (file extension .E01; also referred to as EWF, after the Expert Witness Compression Format it derives from) is used by EnCase to store various types of digital evidence, e.g.

  • disk image (physical bitstream of an acquired disk)
  • volume image
  • memory
  • logical files


The format is (reportedly) based on ASR Data's Expert Witness Compression Format. Currently there are two versions of the format: version 1 is a closed format; it was succeeded by version 2 in EnCase 7, for which a format specification is available but requires registration.


The media data can be stored in multiple evidence files, called segment files (.E01, .E02, ...). Each segment file consists of multiple sections; every section starts with a section descriptor that gives the section type, the offset of the next section and a checksum over the descriptor. Up to EnCase 5 a segment file was limited to 2 GiB because file offsets were handled internally as 31-bit values; EnCase 6 lifted this limit by adding a base offset value.


EnCase can store the data compressed (zlib deflate, applied per chunk) using either a 'fast' or a 'best' level of compression. EnCase 7 no longer distinguishes between fast and best compression and just offers uncompressed or compressed.


Besides the digital evidence, the evidence (segment) files contain a header with case information: the date and time of acquisition, the examiner's name, notes on the acquisition, and an optional password. The header text is stored zlib-compressed.

  • In EnCase 3 the case information is stored in the "header" section, which appears twice within the file with identical content.
  • As of EnCase 4 an additional "header2" section (UTF-16 encoded) was added. The "header" section now appears only once, but the new "header2" section twice.


The format adds error detection by storing the data with Adler-32 checksums, both for the metadata (each section descriptor carries one) and for the data blocks (chunks), which by default are 64 x 512-byte sectors (32 KiB). As of EnCase 5 the number of sectors per chunk can vary. EnCase 3F introduced an "error2" section that records the location and number of bad-sector chunks: the areas that could not be read are filled with zeros in the image, and EnCase shows the examiner which areas could not be read at acquisition time. The granularity of unreadable chunks appears to be 32 KiB; as of EnCase 5 it can vary as well.
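The Python below is an added illustration of the section and checksum layout just described; it is not code from the original page, from EnCase or from libewf. It walks the section-descriptor chain of a version 1 (E01) segment file, verifies the Adler-32 of each descriptor, checks the trailing Adler-32 of uncompressed chunks and the zlib trailer of compressed ones, and shows that a flipped byte of media data is caught by the chunk checksum while the descriptors stay valid. The segment file it reads is constructed in the block: it contains only header, sectors and done sections (a real file also carries volume and table sections, and the table is what locates chunks; here the chunk stride is assumed from the default 32 KiB size), the case text and chunk contents are made up, and the header appears once rather than twice.

```python
"""Walk the section chain of an EnCase v1 (EWF-E01) segment file and verify its Adler-32
checksums. Added example: the segment file is constructed below, it is not a real acquisition
and has only header/sectors/done sections (a real file also has volume and table sections)."""
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # 8-byte signature of a v1 segment file
FILE_HEADER_LEN = 13          # signature(8) + fields start(1) + segment number(2) + fields end(2)
SECTION_DESC_LEN = 76         # type(16) + next offset(8) + size(8) + padding(40) + adler32(4)
CHUNK_SIZE = 64 * 512         # default chunk: 64 sectors of 512 bytes (32 KiB)

def adler32(data):
    return zlib.adler32(data) & 0xFFFFFFFF

def walk_sections(segment):
    """Yield (type, descriptor_offset, data, descriptor_checksum_ok) for every section.
    The descriptor's Adler-32 covers only its own first 72 bytes, never the section data."""
    if segment[:8] != EVF_SIGNATURE:
        raise ValueError("not an EWF v1 segment file")
    offset = FILE_HEADER_LEN
    while offset + SECTION_DESC_LEN <= len(segment):
        desc = segment[offset:offset + SECTION_DESC_LEN]
        stype, next_off, size = struct.unpack_from("<16sQQ", desc)   # 8-byte offset fields
        stype = stype.rstrip(b"\0").decode("ascii", "replace")
        ok = struct.unpack_from("<I", desc, 72)[0] == adler32(desc[:72])
        data = segment[offset + SECTION_DESC_LEN:next_off] if next_off > offset else b""
        yield stype, offset, data, ok
        if stype in ("done", "next") or next_off <= offset:   # final descriptor points at itself
            break
        offset = next_off

def verify_uncompressed_chunk(chunk):
    """An uncompressed chunk is followed by its little-endian Adler-32."""
    return adler32(chunk[:-4]) == struct.unpack("<I", chunk[-4:])[0]

def verify_compressed_chunk(chunk):
    """A compressed chunk is a zlib stream whose trailer is the Adler-32 of the plaintext,
    so a clean inflate is the integrity check."""
    try:
        zlib.decompress(chunk)
        return True
    except zlib.error:
        return False

# --- constructed sample segment file (case text and media contents are made up) ---
def _descriptor(stype, size, next_off):
    body = struct.pack("<16sQQ40s", stype.encode("ascii"), next_off, size, b"\0" * 40)
    return body + struct.pack("<I", adler32(body))

def build_sample_segment(chunks, case_text, segment_no=1):
    out = bytearray(EVF_SIGNATURE + struct.pack("<BHH", 1, segment_no, 0))
    def add_section(stype, data, last=False):
        off = len(out)
        nxt = off if last else off + SECTION_DESC_LEN + len(data)
        out.extend(_descriptor(stype, SECTION_DESC_LEN + len(data), nxt) + data)
    add_section("header", zlib.compress(case_text.encode("ascii")))   # header text is zlib-compressed
    add_section("sectors", b"".join(c + struct.pack("<I", adler32(c)) for c in chunks))
    add_section("done", b"", last=True)
    return bytes(out)

def demo():
    chunks = [bytes([i + 1]) * CHUNK_SIZE for i in range(2)]          # two constructed chunks
    seg = build_sample_segment(chunks, "constructed case text\texaminer=jdoe\t2012-07-04")
    stride = CHUNK_SIZE + 4                                           # chunk + trailing checksum
    def chunk_checks(sectors):
        return [verify_uncompressed_chunk(sectors[i:i + stride]) for i in range(0, len(sectors), stride)]
    found = {t: (o, d, ok) for t, o, d, ok in walk_sections(seg)}
    # flip one byte of media data: descriptor checksums stay valid, the chunk checksum fails
    tampered = bytearray(seg)
    tampered[found["sectors"][0] + SECTION_DESC_LEN + 100] ^= 0x01
    tampered_sectors = {t: d for t, _, d, _ in walk_sections(bytes(tampered))}["sectors"]
    packed = zlib.compress(chunks[0])
    broken = bytearray(packed)
    broken[len(packed) // 2] ^= 0xFF
    return {
        "sections": [(t, ok) for t, _, _, ok in walk_sections(seg)],
        "case_text": zlib.decompress(found["header"][1]).decode("ascii"),
        "chunks": chunk_checks(found["sectors"][1]),
        "tampered_chunks": chunk_checks(tampered_sectors),
        "compressed": (verify_compressed_chunk(packed), verify_compressed_chunk(bytes(broken))),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the tampering step makes is the one examiners need: the Adler-32 values localise which 32 KiB chunk is damaged, but they are not an integrity guarantee for the image, since anyone who can change a chunk can recompute its checksum; only the MD5/SHA1 over the media data, verified against a value recorded outside the file, serves that purpose.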


EnCase 3 and later can store a one-way hash of the data: for a bitstream image it computes e.g. an MD5 hash over the original media data and adds a "hash" section to the last segment file. As of EnCase 6 the option to store a SHA1 hash was added. The Adler-32 chunk checksums only catch accidental corruption; it is this hash that ties the image to the original media, so examiners should recompute it from the acquired data and keep the value documented outside the evidence file as well.


EnCase 5 and later have the option to store single files into the EnCase Logical Evidence File (LEF), also referred to as EWF-L01 after its .L01 extension. This format changed slightly in EnCase 6 and 7.


In EnCase 7 the EWF format was succeeded by the EnCase Evidence File Format Version 2 (EWF2-EX01 and EWF2-LX01, extensions .Ex01 and .Lx01). EWF2-EX01 is at its lower levels a different format than EWF-E01 and provides support for:

  • bzip2 compression
  • direct encryption (AES-256) of the data

The same features are added to the new logical evidence file format (EWF2-LX01), with the exception of encryption. EWF2-EX01 and EWF2-LX01 are not backwards compatible with previous EnCase products.

See Also

  • EnCase

External Links

  • Expert Witness Compression Format (EWF): http://code.google.com/p/libewf/downloads/detail?name=Expert%20Witness%20Compression%20Format%20%28EWF%29.pdf
  • Sample image in EnCase, iLook, and dd format, from the Computer Forensic Reference Data Sets project: http://www.cfreds.nist.gov/v2/Basic_Mac_Image.html
  • EnCase Evidence File Format Version 2 (requires registration): http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246
  • Expert Witness Compression Format (EWF) version 2: http://code.google.com/p/libewf/downloads/detail?name=Expert%20Witness%20Compression%20Format%202%20%28EWF2%29.pdf