NTFS - $I30 ($INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap)

Overview

The NTFS index attributes are MFT attributes, of two distinct types, that index all the files / directories in a given directory (in a B-Tree data structure). Each directory is represented by one or more index attributes. The files and folders information displayed by the Windows Explorer are based on the index attribute(s) of the directory being accessed.

The entries (files or subdirectories) in a directory’s index attribute(s) are stored as index records structures, with one dedicated record for every entry. The index record structure contains a $FILE_NAME (0x30) attribute, in which are stored the information about the file or folder.

There is two types of index attributes:

• $INDEX_ROOT: for directories with a small number of entries. The $INDEX_ROOT attribute is always resident to the MFT and contains a small list of index records. A directory has at most one $INDEX_ROOT attribute.

• $INDEX_ALLOCATION: additional structure for larger directories, with no limitation on the number of entries. The $INDEX_ALLOCATION attribute is non-resident and contains one or more index records. The INDEX_ALLOCATION structure starts with the INDX signature. The $INDEX_ALLOCATION attribute should not exist without an associated $INDEX_ROOT attribute.

The $Bitmap attribute keep track of the index allocations.

The $INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap attributes are collectively reffered to as $I30.

Information of interest

Each index record contains information on the file it references in a $FILE_NAME (0x30) attribute:

• Filename and parent directory.

• File size.

• A set of MACB timestamps.

The $FILE_NAME attribute of a index record in a directory index attribute should be kept in sync with the MFT file record’s $STANDARD_INFORMATION attribute of the corresponding entry. However, disparities may sometime occur, with the index record referencing older information.

Due to their B-Tree data structure format and their frequent rebalancing, $INDEX_ALLOCATION attributes often contain a significant amount of slack space. Index records for deleted files no longer present in the MFT may be “carvable” from this slack space.

Tool(s)

• INDXRipper

References

• Digital Forensics Myanmar - NTFS Index Attributes

• 13Cubed - Windows NTFS Index Attributes ($I30 Files)

• 13Cubed - A File’s Life - File Deletion and Recovery

• DFIR.RU - MSUHANOV - $STANDARD_INFORMATION vs. $FILE_NAME

• SANS - Chad Tilbury - NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

• OSForensics - How to scan NTFS $I30 (directory) entries for evidence of deleted files