Difference between pages "Network forensics" and "New Technology File System (NTFS)"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Deep-Analysis Systems)
 
(Added stub on time stamps)
 
Line 1: Line 1:
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
+
The '''New Technology File System''' ('''NTFS''') is a [[file system]] developed and introduced by [[Microsoft]] in 1993 with [[Windows]] 3.1. As a replacement for the [[FAT]] file system, it quickly became the standard for [[Windows 2000]], [[Windows XP]] and [[Windows Server 2003]].
  
There are both open source and proprietary network forensics systems available.
+
The features of NTFS include:
  
== Open Source Network Forensics ==
+
* [[Hard-links]]
 +
* Improved performance, reliability and disk space utilization
 +
* Security [[access control lists]]
 +
* File system journaling
  
* [[Wireshark]]
+
== Time Stamps ==
* [[Kismet]]
+
* [[Snort]]
+
* [[OSSEC]]
+
* [[NetworkMiner]] is [http://sourceforge.net/projects/networkminer/ an open source Network Forensics Tool available at SourceForge]
+
* [[Xplico]] is an Internet/IP Traffic Decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
+
* [[DataEcho]]
+
* [[ntop]]
+
  
== Commercial Network Forensics ==
+
NTFS keeps track of lots of time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value.
  
===Deep-Analysis Systems===
+
=== Changes in Windows Vista  ===
* WildPackets OmniPeek [[OmniPeek]]
+
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
+
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
+
* ManTech International Corporation [http://www.netwitness.com/ NetWitness]
+
* Network Instruments [http://www.networkinstruments.com/]
+
* NIKSUN's [[NetDetector]]
+
* PacketMotion [http://www.packetmotion.com/]
+
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
+
* Mera Systems [http://netbeholder.com/ NetBeholder]
+
* [http://www.infowatch.com InfoWatch Traffic Monitor]
+
* MFI Soft [http://sormovich.ru/ SORMovich] (in Russian)
+
  
===Flow-Based Systems===
+
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by the user if desired.
* Arbor Networks
+
* GraniteEdge Networks
+
* Lancope http://www.lancope.com/
+
* Mazu Networks http://www.mazunetworks.com/
+
  
===Hybrid Systems===
+
== Alternate Data Streams ==
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
+
The '''NTFS''' file system includes a feature referred to as Alternate Data Streams (ADSs).  This feature has also been referred to as "multiple data streams", "alternative data streams", etcADSs were included in '''NTFS''' in order to support the resource forks employed by the Hierarchal File System (HFS) employed by Macintosh systems.
* Q1 Labs http://www.q1labs.com/
+
  
== Tips and Tricks ==
+
As of [[Windows XP]] SP2, files downloaded via Internet Explorer, Outlook, and Windows Messenger were automatically given specific "zoneid" ADSs.  The Windows Explorer shell would then display a warning when the user attempted to execute these files (by double-clicking them).
  
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
+
Sysadmins should be aware that prior to Vista, there are no tools native to the [[Windows]] platform that would allow you to view the existence of arbitrary ADSs.  While ADSs can be created and their contents executed or viewed, it wasn't until the "/r" switch was introduced with the "dir" command on Vista that arbitrary ADSs would be visible.  Prior to this, tools such as [http://www.heysoft.de/Frames/f_sw_la_en.htm LADS] could be used to view the existence of these files.
  
== See also ==
+
Examiners should be aware that most forensic analysis applications, including EnCase and ProDiscover, will display ADSs found in acquired images in red.
* [[Wireless forensics]]
+
* [[SSL forensics]]
+
  
* [[IP geolocation]]
+
== External links ==
* [[Tools:Network Forensics]]
+
* [http://en.wikipedia.org/wiki/NTFS Wikipedia: NTFS]
* [[Tools:Logfile Analysis]]
+
[[Category:Disk file systems]]
 
+
[[Category:Network Forensics]]
+

Revision as of 09:03, 25 October 2007

The New Technology File System (NTFS) is a file system developed and introduced by Microsoft in 1993 with Windows 3.1. As a replacement for the FAT file system, it quickly became the standard for Windows 2000, Windows XP and Windows Server 2003.

The features of NTFS include:

Time Stamps

NTFS keeps track of lots of time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value.

Changes in Windows Vista

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by the user if desired.

Alternate Data Streams

The NTFS file system includes a feature referred to as Alternate Data Streams (ADSs). This feature has also been referred to as "multiple data streams", "alternative data streams", etc. ADSs were included in NTFS in order to support the resource forks employed by the Hierarchal File System (HFS) employed by Macintosh systems.

As of Windows XP SP2, files downloaded via Internet Explorer, Outlook, and Windows Messenger were automatically given specific "zoneid" ADSs. The Windows Explorer shell would then display a warning when the user attempted to execute these files (by double-clicking them).

Sysadmins should be aware that prior to Vista, there are no tools native to the Windows platform that would allow you to view the existence of arbitrary ADSs. While ADSs can be created and their contents executed or viewed, it wasn't until the "/r" switch was introduced with the "dir" command on Vista that arbitrary ADSs would be visible. Prior to this, tools such as LADS could be used to view the existence of these files.

Examiners should be aware that most forensic analysis applications, including EnCase and ProDiscover, will display ADSs found in acquired images in red.

External links