Difference between pages "Upcoming events" and "New Technology File System (NTFS)"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Scheduled Training Courses)
 
 
Line 1: Line 1:
Here is a BY DATE listing of '''upcoming conferences and training events''' that pertain to [[digital forensics]]. Some of these duplicate the generic [[conferences]], but have specific dates/locations for the upcoming conference/training event.
+
The '''New Technology File System''' ('''NTFS''') is a [[file system]] developed and introduced by [[Microsoft]] in 1995 with [[Windows]] NT. As a replacement for the [[FAT]] file system, it quickly became the standard for [[Windows 2000]], [[Windows XP]] and [[Windows Server 2003]].
  
<b> The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv</b>
+
The features of NTFS include:
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
<b> Any requests for additions, deletions or corrections to this list should be sent by email to David Baker <i>(bakerd AT mitre.org)</i>. </b>
+
  
== Calls For Papers ==
+
* [[Hard-links]]
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* Improved performance, reliability and disk space utilization
|- style="background:#bfbfbf; font-weight: bold"
+
* Security [[access control lists]]
! Title
+
* File system journaling
! Due Date
+
! Website
+
|-
+
|DFRWS 2007 File Carving Challenge
+
|Jul 09, 2007
+
|http://www.dfrws.org/2007/challenge/submission.html
+
|-
+
|American Academy of Forensic Sciences 2008 Annual Meeting
+
|Aug 01, 2007
+
|http://www.aafs.org/abstracts/your_online_presentation_submiss.htm
+
|-
+
|Digital Forensic Forum Prague 2007
+
|Aug 31, 2007
+
|http://www.dff-prague.com/News/article/sid=17.html
+
|}
+
  
== Conferences ==
+
== Time Stamps ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location
+
! Website
+
|-
+
|Computer Security Institute NetSec '07
+
|Jun 11-13, Scottsdale, AZ
+
|http://www.gocsi.com/netsec/
+
|-
+
|2007 USENIX Annual Technical Conference
+
|Jun 17-22, Santa Clara, CA
+
|http://www.usenix.org/events/
+
|-
+
|Third Government Forum of Incident Response and Security Teams Conference
+
|Jun 25-29, Orlando, FL
+
|http://www.us-cert.gov/GFIRST/index.html
+
|-
+
|First International Workshop on Cyber-Fraud
+
|Jul 01-06, San Jose, CA
+
|http://www.iaria.org/conferences2007/CYBERFRAUD.html
+
|-
+
|Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2007
+
|Jul 12-13, Lucerne, Switzerland
+
|http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/dimva/
+
|-
+
|BlackHat Briefings
+
|Jul 28-Aug 02, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|DefCon
+
|Aug 03-05, Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|16th USENIX Security Symposium
+
|Aug 06-10, Boston, MA
+
|http://www.usenix.org/events/
+
|-
+
|GMU 2007 Symposium
+
|Aug 06-10, George Mason University, Fairfax, VA
+
|http://www.rcfg.org
+
|-
+
|[[Digital Forensic Research Workshop|Digital Forensic Research Workshop 2007]]
+
|Aug 13-15, Pittsburgh, PA
+
|http://www.dfrws.org/2007/index.html
+
|-
+
|HTCIA 2007 International Training Conference & Exposition
+
|Aug 27-29, San Diego, CA
+
|http://www.htcia-sd.org/htcia2007.html
+
|-
+
|Recent Advances in Intrusion Detection (RAID) 2007
+
|Sep 05-07, Gold Coast, Queensland, Australia
+
|http://www.isi.qut.edu.au/events/conferences/raid07
+
|-
+
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
+
|Sep 10-14, Modena, Italy
+
|http://www.iciap2007.org
+
|-
+
|3rd International Conference on IT-Incident Management & IT-Forensics
+
|Sep 11-12, Stuttgart, Germany
+
|http://www.imf-conference.org/
+
|-
+
|Black and White Ball
+
|Sep 25-28, London, UK
+
|http://www.theblackandwhiteball.co.uk/
+
|-
+
|Wisconsin Association of Computer Crimes Investigators/Forensic Association of Computer Technologists
+
|Sep 26-28, Milwaukee, WI
+
|http://www.byteoutofcrime.org
+
|-
+
|BlackHat Japan - Briefings
+
|Oct 23-26, Tokyo, Japan
+
|http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
+
|-
+
|Global Conference on Economic and High-Tech Crime (NW3C Membership Required)
+
|Oct 24-26, Crystal City, VA
+
|https://conference.nw3c.org/index.cfm
+
|-
+
|Techno-Forensics Conference
+
|Oct 29 - 31, Rockville, MD
+
|http://www.techsec.com/html/TechnoForensics2007.html
+
|-
+
|DeepSec IDSC
+
|Nov 22-24, Vienna, Austria
+
|http://deepsec.net/
+
|-
+
|Digital Forensic Forum Prague 2007
+
|Nov 26-27, Prague, Czech Republic
+
|http://www.dff-prague.com/
+
|-
+
|DoD Cyber Crime Conference 2008
+
|Jan 13-18 2008, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|AAFS Annual Meeting
+
|Feb 18-23 2008, Washington, DC
+
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|}
+
  
== On-going / Continuous Training ==
+
NTFS keeps track of lots of time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location or Venue
+
! Website
+
|-
+
|Basic Computer Examiner Course
+
|Computer Forensic Training Online
+
|http://www.cftco.com
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|}
+
  
== Scheduled Training Courses ==
+
Additional information on how NTFS timestamps work when files are moved or copied is available here: [http://support.microsoft.com/kb/299648 Microsoft KB 299648]
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
=== Changes in Windows Vista  ===
! Title
+
 
! Date/Location
+
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by the user if desired via setting the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'.
! Website
+
 
! Limitation
+
== Alternate Data Streams ==
|-
+
The '''NTFS''' file system includes a feature referred to as Alternate Data Streams (ADSs). This feature has also been referred to as "multiple data streams", "alternative data streams", etc. ADSs were included in '''NTFS''' in order to support the resource forks employed by the Hierarchal File System ([[HFS]]) employed by Macintosh systems.
|SMART for Linux
+
 
|Jun 04-07, Austin, TX
+
As of [[Windows XP]] SP2, files downloaded via Internet Explorer, Outlook, and Windows Messenger were automatically given specific "zoneid" ADSs. The [[Windows]] Explorer shell would then display a warning when the user attempted to execute these files (by double-clicking them).
|http://asrdata.com/training/training2.html
+
 
|-
+
Sysadmins should be aware that prior to Vista, there are no tools native to the [[Windows]] platform that would allow you to view the existence of arbitrary ADSs. While ADSs can be created and their contents executed or viewed, it wasn't until the "/r" switch was introduced with the "dir" command on Vista that arbitrary ADSs would be visible. Prior to this, tools such as [http://www.heysoft.de/Frames/f_sw_la_en.htm LADS] could be used to view the existence of these files.
|AccessData BootCamp
+
 
|Jun 05-07, Albuquerque, NM
+
Microsoft FSRM (File System Resource Manager) also uses ADS as part of 'file classification'.
|http://www.accessdata.com/training
+
 
|-
+
Examiners should be aware that most forensic analysis applications, including [[EnCase]] and ProDiscover, will display ADSs found in acquired images in red.
|Advanced Data Forensics Topics
+
 
|Jun 11-13, Austin, TX
+
== Advanced Format (4KB Sector) Hard Drives ==
|http://asrdata.com/training/training2.html
+
NTFS does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
|-
+
 
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
+
== Transactional NTFS (TxF) ==
|Jun 11-22, FLETC, Glynco, GA
+
 
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
According to MSDN Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction.  
|Limited to Law Enforcement
+
 
|-
+
Several TxF related file-system-metadata files can be found in the file-system-metadata directory: \$Extend\$RmMetadata\. TxF also uses the MFT attribute $LOGGING_UTILITY_STREAM with the name $TXF_DATA.
|AccessData Internet Forensics
+
 
|Jun 12-14 , Boise, ID
+
TxF uses the [[Common Log File System (CLFS)]]
|http://www.accessdata.com/training
+
 
|-
+
== External links ==
|Forensics Tools and Techniques
+
* [http://en.wikipedia.org/wiki/NTFS Wikipedia: NTFS]
|13-15 Jun, Mississippi State University
+
* [http://msdn.microsoft.com/en-us/library/bb968806%28v=VS.85%29.aspx MSDN on Transactional NTFS]
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
* [http://en.wikipedia.org/wiki/Transactional_NTFS Wikipedia on Transactional NTFS]
|Limited to Law Enforcement
+
* [http://www.tzworks.net/prototype_page.php?proto_id=12  Windows NTFS Metadata Extractor Utility] Free tool that can be run on Windows, Linux or Mac OS-X
|-
+
* [http://sourceforge.net/projects/linux-ntfs/files/NTFS%20Documentation/ Linux-ntfs Documentation] Detailed documentation of the NTFS format by the Linux-NTFS driver creators.
|Paraben Corporation - Handheld Forensic Course
+
 
|Jun 18-21, Potomac Falls, VA
+
[[Category:File Systems]]
|http://www.paraben-training.com/
+
|-
+
|AccessData Windows Forensics
+
|Jun 19-21, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|SMART for Linux
+
|Jul 09-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Cyber Counterterrorism Investigations Training Program (CCITP)
+
|Jul 09-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART Windows Data Forensics
+
|Jul 16-18, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Seized Computer Evidence Recovery Specialist (SCERS)
+
|Jul 16-27, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData BootCamp
+
|Jul 17-19, Boise, ID
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Jul 24-26, Albuquerque, NM
+
|http://www.accessdata.com/training
+
|-
+
|Network Forensics and Investigations Workshop
+
|Jul 25-27, Washington, DC
+
|http://www.strozllc.com/trainingcenter/
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Jul 31-Aug 02, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SARC Steganography Examiner Training
+
|Aug 04 - 05, Fairfax, VA (RCFG/GMU Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|SMART for Linux
+
|Aug 06-09, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|06-08 Aug, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|X-Ways Forensics
+
|Aug 06-08, Seattle, WA
+
|http://www.x-ways.net/training/seattle.html
+
|-
+
|Forensics Tools and Techniques
+
|08-10 Aug, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|File Systems Revealed
+
|Aug 9-10, Seattle, WA
+
|http://www.x-ways.net/training/seattle.html
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|09-10 Aug, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Computer Network Investigations Training Program (CNITP)
+
|Aug 14-24, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Aug 13-15, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Network Forensics and Investigations Workshop
+
|Aug 13-15, Los Angeles, CA
+
|http://www.strozllc.com/trainingcenter/
+
|-
+
|Macintosh Forensic Survival Course
+
|Aug 13-17, Fredricksburg, VA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|AccessData Internet Forensics
+
|Aug 14-16 , Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|Helix Live Forensics and Incident Response Course
+
|Aug 28-30, Tennessee Bureau of Investigations - Nashville, TN
+
|https://www.e-fense.com/register.php
+
|-
+
|SMART for Linux
+
|Sep 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|AccessData BootCamp
+
|04-06 Sep, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|First Responder to Digital Evidence Program (FRDE)
+
|Sep 11-13, FLETC, Glynco, GA
+
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
+
|Limited to Law Enforcement
+
|-
+
|AccessData Applied Decryption
+
|Sep 11-13, Dallas, TX
+
|http://www.accessdata.com/training
+
|-
+
|Enterprise Data Forensics
+
|Sep 17-19, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|24-26 Sep, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Macintosh Forensic Survival Course
+
|Sep 24-28, Santa Ana, CA
+
|http://www.phoenixdatagroup.com/cart/index.php
+
|-
+
|AccessData Applied Decryption
+
|Sep 25-27, Chicago, IL
+
|http://www.accessdata.com/training
+
|-
+
|AccessData BootCamp
+
|Sep 25-27, Solna, SE
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|26-28 Sep, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Search and Seizure of Computers and Electronic Evidence
+
|29-30 Oct, Oxford, MS
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Oct 01-04, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|SMART Windows Data Forensics
+
|Oct 08-10, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|X-Ways Forensics
+
|Oct 22-24, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|File Systems Revealed
+
|Oct 25-26, Hong Kong
+
|http://www.x-ways.net/training/hong_kong.html
+
|-
+
|SARC Steganography Examiner Training
+
|Oct 26 - 27, Gaithersburg, MD (Techno Forensics Conference 2007)
+
|http://www.sarc-wv.com/training.aspx
+
|-
+
|SMART for Linux
+
|Nov 05-08, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|05-07 Nov, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData BootCamp
+
|Nov 06-08, Austin, TX
+
|http://www.accessdata.com/training
+
|-
+
|AccessData Windows Forensics
+
|Nov 06-08, Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|07-09 Nov, Jackson, Mississippi
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART Linux Data Forensics
+
|Nov 12-14, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|AccessData BootCamp
+
|13-15 Nov, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|SMART for Linux
+
|Dec 03-06, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|Introduction to Cyber Crime
+
|03-05 Dec, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|AccessData Internet Forensics
+
|Dec 04-06 , Solna, Sweden
+
|http://www.accessdata.com/training
+
|-
+
|Forensics Tools and Techniques
+
|05-07 Dec, Mississippi State University
+
|http://www.security.cse.msstate.edu/ftc/schedule.php
+
|Limited to Law Enforcement
+
|-
+
|Enterprise Data Forensics
+
|Dec 10-12, Austin, TX
+
|http://asrdata.com/training/training2.html
+
|-
+
|}
+

Revision as of 03:27, 31 July 2012

The New Technology File System (NTFS) is a file system developed and introduced by Microsoft in 1995 with Windows NT. As a replacement for the FAT file system, it quickly became the standard for Windows 2000, Windows XP and Windows Server 2003.

The features of NTFS include:

Contents

Time Stamps

NTFS keeps track of lots of time stamps. Each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value.

Additional information on how NTFS timestamps work when files are moved or copied is available here: Microsoft KB 299648

Changes in Windows Vista

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by the user if desired via setting the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'.

Alternate Data Streams

The NTFS file system includes a feature referred to as Alternate Data Streams (ADSs). This feature has also been referred to as "multiple data streams", "alternative data streams", etc. ADSs were included in NTFS in order to support the resource forks employed by the Hierarchal File System (HFS) employed by Macintosh systems.

As of Windows XP SP2, files downloaded via Internet Explorer, Outlook, and Windows Messenger were automatically given specific "zoneid" ADSs. The Windows Explorer shell would then display a warning when the user attempted to execute these files (by double-clicking them).

Sysadmins should be aware that prior to Vista, there are no tools native to the Windows platform that would allow you to view the existence of arbitrary ADSs. While ADSs can be created and their contents executed or viewed, it wasn't until the "/r" switch was introduced with the "dir" command on Vista that arbitrary ADSs would be visible. Prior to this, tools such as LADS could be used to view the existence of these files.

Microsoft FSRM (File System Resource Manager) also uses ADS as part of 'file classification'.

Examiners should be aware that most forensic analysis applications, including EnCase and ProDiscover, will display ADSs found in acquired images in red.

Advanced Format (4KB Sector) Hard Drives

NTFS does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

Transactional NTFS (TxF)

According to MSDN Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction.

Several TxF related file-system-metadata files can be found in the file-system-metadata directory: \$Extend\$RmMetadata\. TxF also uses the MFT attribute $LOGGING_UTILITY_STREAM with the name $TXF_DATA.

TxF uses the Common Log File System (CLFS)

External links