Automatically generated based on tag:

Fields per entry: Title (Type), Summary, Location.
NTFS - $I30 ($INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap) (Page)
Summary: The NTFS index attributes $INDEX_ROOT and $INDEX_ALLOCATION are MFT attributes that represent directories and store index records ($INDEX_ROOT holds the small resident index, $INDEX_ALLOCATION the non-resident index nodes).

Each file in a directory is associated with an index record. The record describes the file it references through a copy of its $FILE_NAME (0x30) attribute: file name, sizes, parent directory reference and a set of MACB timestamps (copied from the $STANDARD_INFORMATION attribute of the file's MFT record when the index entry is written).
Location: $INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap attributes of the directory's MFT record.
NTFS - $LogFile (Page)
Summary: The $LogFile is part of the NTFS journaling feature, enabled by default, which keeps a low-level record of metadata changes made to the volume with very limited history (usually only the last few hours, as the file is a fixed-size circular log).
Location: <ROOT>\$LogFile
NTFS - $MFT, $MFTMirr, and $Bitmap (Page)
Summary: The Master File Table (MFT) is the main element of any NTFS partition and contains a file record for every existing (and very recently deleted) file written on the partition.

The $MFTMirr file is MFT entry 1 and holds a copy of the first four MFT entries as a recovery mechanism should the beginning of the $MFT become unreadable.

The $Bitmap file tracks the allocation status (allocated or unused) of the clusters of the volume.
Location: <ROOT>\$MFT, <ROOT>\$MFTMirr, <ROOT>\$Bitmap
NTFS - $Secure (Page)
Summary: The $Secure file contains the security descriptors (owner, DACL, SACL) for all the files and folders on an NTFS volume; individual file records reference a descriptor by security ID rather than storing their own copy.
Location: <SYSTEMDRIVE>:\$Secure
NTFS - MACB timestamps and timestomping (Page)
Summary: On NTFS filesystems, each file possesses (at least) two attributes that hold (among other information) Modification, Access, Change (MFT entry modification) and Birth (MACB) timestamps: $STANDARD_INFORMATION and $FILE_NAME.

The $STANDARD_INFORMATION and $FILE_NAME timestamps are not updated in the same way: which of them change depends on the operation performed (creation, content modification, rename, move, copy).

Timestomping is the act of modifying the timestamps of a file, generally to evade detection or to blend in with surrounding files.

Timestomping may be detected using a number of techniques:
- Identifying $STANDARD_INFORMATION timestamps that predate their $FILE_NAME counterparts (user-mode APIs such as SetFileTime only rewrite $STANDARD_INFORMATION, while $FILE_NAME is only set from $STANDARD_INFORMATION when the name is created).
- Using UsnJrnl records (a BASIC_INFO_CHANGE record on the file after its creation shows that its metadata was rewritten).
- Identifying $STANDARD_INFORMATION timestamps with a zeroed sub-second (100-nanosecond) fraction, as left behind by tools that set timestamps at second granularity.
- Using MFT entry numbers (entries are allocated roughly in creation order, so a file whose timestamps are far older than those of neighbouring entries stands out).

However, each technique is prone to false positives and false negatives (files copied from FAT media or extracted from archives legitimately carry whole-second timestamps, for instance).

A given file may be associated with up to 20 timestamps: 4 in $STANDARD_INFORMATION + 2 * 4 in $FILE_NAME + 2 * 4 in the parent directory's $I30 index entries (the $FILE_NAME attribute is duplicated for files that have both a short DOS name and a long name).
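The two $STANDARD_INFORMATION versus $FILE_NAME checks listed above, as an added example that is not part of the original page or of any forensic tool it describes. It parses the fixed header of the two attribute bodies as laid out on disk (four little-endian FILETIMEs at offset 0 of $STANDARD_INFORMATION, and at offset 8 of $FILE_NAME after the parent reference) and runs both heuristics. The attribute bodies are constructed inline for the example; the names `report.docx` and `evil.exe`, the timestamps and the MFT entry numbers are invented sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS timestamps are FILETIMEs: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")


def to_filetime(iso_utc, extra_ticks=0):
    """FILETIME for a whole-second UTC time, plus optional 100-ns ticks."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10 + extra_ticks


def parse_standard_information(body):
    """$STANDARD_INFORMATION (0x10) body: four FILETIMEs, then flags/versioning."""
    return dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body):
    """$FILE_NAME (0x30) body: parent ref, four FILETIMEs, sizes, flags, name."""
    (parent_ref, *times, _alloc, _real, _flags, _reparse,
     name_len, namespace) = struct.unpack_from("<Q4Q2Q2I2B", body, 0)
    rec = dict(zip(TIME_FIELDS, times))
    rec["parent_entry"] = parent_ref & 0xFFFFFFFFFFFF  # low 48 bits = MFT entry
    rec["namespace"] = namespace                        # 0 POSIX, 1 Win32, 2 DOS, 3 both
    rec["name"] = body[66:66 + 2 * name_len].decode("utf-16-le")
    return rec


def timestomp_indicators(si, fn):
    """Heuristic checks; each hit is a hint to investigate, not proof."""
    flags = []
    for field in TIME_FIELDS:
        # $FN times are only copied from $SI when the name is (re)created, so an
        # $SI value older than its $FN counterpart was written after the fact.
        if si[field] < fn[field]:
            flags.append(f"{field}:si_before_fn")
        # SetFileTime() callers working at second granularity leave the 100-ns
        # fraction zeroed; the kernel's own updates almost never do.
        if si[field] % TICKS_PER_SECOND == 0:
            flags.append(f"{field}:zero_subsecond")
    return flags


# --- constructed sample attribute bodies (invented, not from a real volume) ---
def _si_body(times):
    # 48-byte form: 4 FILETIMEs, flags (ARCHIVE), max version, version, class id
    return struct.pack("<4Q4I", *times, 0x20, 0, 0, 0)


def _fn_body(times, name, parent_entry=5, parent_seq=5):
    raw = name.encode("utf-16-le")
    return struct.pack("<Q4Q2Q2I2B", (parent_seq << 48) | parent_entry, *times,
                       4096, 1337, 0x20, 0, len(name), 1) + raw


_t0 = to_filetime("2023-03-10T12:00:00", 1234567)  # creation, real sub-second part
_t1 = to_filetime("2023-03-10T12:05:00", 9876543)
_legit = (_t0, _t1, _t1, _t1)
SAMPLES = {
    "untouched": (_si_body(_legit), _fn_body(_legit, "report.docx")),
    # $SI rewound to 2019 with whole-second values; $FN still holds the 2023 times
    "stomped": (_si_body((to_filetime("2019-01-01T00:00:00"),) * 4),
                _fn_body(_legit, "evil.exe")),
}


def analyze(si_body, fn_body):
    """Return the list of indicator codes for one file's $SI and $FN bodies."""
    return timestomp_indicators(parse_standard_information(si_body),
                                parse_file_name(fn_body))


if __name__ == "__main__":
    for label, (si, fn) in SAMPLES.items():
        print(label, parse_file_name(fn)["name"], analyze(si, fn))
```

The parser only reads the leading fixed fields, so it works on both the 48-byte and 72-byte forms of $STANDARD_INFORMATION. The `zero_subsecond` check is the noisier of the two: a file copied from a FAT volume or unpacked from a ZIP archive will trip it with no timestomping involved, which is why the page lists the techniques as complementary rather than conclusive.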
NTFS - UsnJrnl (Page)
Summary: The USN Journal is a feature of NTFS, enabled by default on Windows Vista and later, which maintains a record of changes made to the files and directories of the volume.

The $J stream stores the actual change log records, usually covering the last few days; the $Max stream holds the journal's metadata (maximum size, allocation delta and journal ID).

Each change log record notably contains the timestamp of the change, the file name, the MFT references of the file and of its parent directory, and the reason flags describing the operation (creation, deletion, rename, data overwrite, basic information change, close, etc.).
Location: $Max and $J named data streams under <ROOT>\$Extend\$UsnJrnl
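A parser for the records described above, as an added example that is not part of the original page or of any tool it references. It walks a buffer of USN_RECORD_V2 structures (the layout published in winioctl.h: 60-byte header followed by the UTF-16LE name, each record padded to 8 bytes), decodes the reason bit flags, splits the 64-bit file reference into MFT entry number and sequence number, and skips the zero-filled regions a sparse $J stream contains. The three records (`evil.exe`, `notes.txt`, MFT entries 1234/1300/77, USN offsets 4096 onwards) are constructed sample data, not an extract from a real journal.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_REASON_* flag values from winioctl.h
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2: RecordLength, Major, Minor, FileRef, ParentRef, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")  # 60 bytes


def decode_reason(reason):
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]


def parse_usn_v2(buf, offset):
    (length, major, minor, file_ref, parent_ref, usn, ts, reason, _src, _sid,
     _attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, offset)
    if major != 2:
        raise ValueError(f"unsupported USN_RECORD version {major}.{minor}")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    return {
        "usn": usn,
        "entry": file_ref & 0xFFFFFFFFFFFF,        # low 48 bits: MFT entry number
        "sequence": file_ref >> 48,                # high 16 bits: sequence number
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
        "reasons": decode_reason(reason),
        "name": name,
        "length": length,
    }


def iter_usn_records(buf):
    """Yield records in order; $J is sparse, so zero runs are stepped over."""
    offset = 0
    while offset + USN_V2_HEADER.size <= len(buf):
        length = struct.unpack_from("<I", buf, offset)[0]
        if length == 0:              # zero-filled gap, advance to next 8-byte slot
            offset += 8
            continue
        if length < USN_V2_HEADER.size:
            raise ValueError(f"corrupt record length {length} at offset {offset}")
        yield parse_usn_v2(buf, offset)
        offset += length


def timestamp_change_events(buf):
    """Records where timestamps/attributes were rewritten (BASIC_INFO_CHANGE)."""
    return [r for r in iter_usn_records(buf) if "BASIC_INFO_CHANGE" in r["reasons"]]


# --- constructed sample $J content (invented, not from a real volume) ---
def _ft(iso_utc):
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_usn_v2(usn, file_ref, parent_ref, timestamp, reason, name):
    raw = name.encode("utf-16-le")
    length = (USN_V2_HEADER.size + len(raw) + 7) & ~7    # 8-byte aligned
    header = USN_V2_HEADER.pack(length, 2, 0, file_ref, parent_ref, usn, timestamp,
                                reason, 0, 0, 0x20, len(raw), USN_V2_HEADER.size)
    return header + raw + b"\x00" * (length - USN_V2_HEADER.size - len(raw))


EVIL = (5 << 48) | 1234    # MFT entry 1234, sequence 5
NOTES = (2 << 48) | 1300
DOCS = (3 << 48) | 77      # parent directory entry
SAMPLE_J = b"".join([
    build_usn_v2(4096, EVIL, DOCS, _ft("2023-03-10T12:00:00"), 0x100 | 0x80000000, "evil.exe"),
    build_usn_v2(4176, EVIL, DOCS, _ft("2023-03-10T12:05:00"), 0x8000 | 0x80000000, "evil.exe"),
    b"\x00" * 16,          # sparse gap as seen in real $J streams
    build_usn_v2(4272, NOTES, DOCS, _ft("2023-03-10T12:06:00"), 0x2 | 0x80000000, "notes.txt"),
])

if __name__ == "__main__":
    for rec in iter_usn_records(SAMPLE_J):
        print(rec["timestamp"], rec["entry"], rec["name"], rec["reasons"])
```

On a real volume the $J stream is read from an image or via the raw device, and the BASIC_INFO_CHANGE hits are cross-checked against the file's $STANDARD_INFORMATION: a record showing the metadata of `evil.exe` rewritten five minutes after creation is exactly the evidence the timestomping page's "using UsnJrnl records" technique relies on. Version 3 and 4 records (128-bit file references, used with ReFS and on newer Windows for some journals) have a different header and are rejected here rather than silently misparsed.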

