Metafiles, MFT, Journaling, ADS

1. Key Concepts & Definitions

  1. Metafiles (NTFS metadata files)

    • In NTFS, several "special" metafiles store file system metadata, for example $MFT (the Master File Table itself), $LogFile, $UsnJrnl and $Bitmap.

    • These metafiles are themselves stored as MFT entries and are critical for understanding the structure, history, and changes on an NTFS volume.

  2. MFT (Master File Table)

    • The MFT is the core metadata structure in NTFS: each file or directory corresponds to an MFT record.

    • Each MFT record contains a set of attributes, such as: $STANDARD_INFORMATION (timestamps), $FILE_NAME, $DATA (the file’s content), and possibly others.

    • Attributes can be resident (stored inside the MFT record) or non-resident (stored elsewhere on disk, referenced by data runs).

  3. NTFS Journaling

    • $LogFile: NTFS maintains a journal for metadata changes. Before critical metadata changes are committed, they’re first written to $LogFile. This helps preserve consistency in case of crashes.

    • USN Journal ($UsnJrnl): Tracks changes to file system objects (create, delete, modify). It is often used in forensic analysis to reconstruct file activity.

  4. Alternate Data Streams (ADS)

    • ADS is an NTFS feature that allows a file to have multiple data streams. The default (unnamed) $DATA stream holds the file’s regular content, but additional named streams (addressed as file.txt:streamname) can exist alongside it.

    • These streams are not visible in regular Explorer listings, and their size is not reflected in the standard file size shown to the user.

    • ADS can be used for legitimate metadata storage, but malicious actors may hide data (scripts, malware) in ADS.
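
As an added, self-contained example (not from the original notes and not any tool’s own code), a minimal Python parser for one 1024-byte FILE record: it applies the update sequence fixups, decodes $STANDARD_INFORMATION, $FILE_NAME and every $DATA attribute, and reports named $DATA attributes as alternate data streams. The record it parses is constructed inline (file name, timestamps and stream contents are made up); the same function can be pointed at a 1024-byte slice of an extracted $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone
SI, FN, DATA = 0x10, 0x30, 0x80                     # attribute type codes
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; ticks are 100 ns
def filetime_to_dt(ft): return EPOCH + timedelta(microseconds=ft // 10)
def apply_fixups(rec, sector=512):
    # NTFS overwrites the last 2 bytes of every sector with the update sequence number (USN)
    # and keeps the originals in the update sequence array; skipping this step reads garbage.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if out[i * sector - 2:i * sector] != usn: raise ValueError("fixup mismatch: torn record")
        out[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)
def parse_mft_record(rec):  # -> flags, $SI timestamps, file name and every $DATA stream
    if rec[:4] != b"FILE": raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)     # first attribute offset, record flags
    entry = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "streams": []}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:   # attribute list terminator
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, off)
        name = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        if nonres:  # content lives in clusters described by data runs; real size is at +0x30
            content, size = b"", struct.unpack_from("<Q", rec, off + 0x30)[0]
        else:       # resident: the content sits inside the record itself
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content, size = rec[off + coff:off + coff + clen], clen
        if atype == SI:      # created, modified, MFT changed, accessed (FILETIME each)
            keys = ("created", "modified", "mft_changed", "accessed")
            entry["si"] = dict(zip(keys, map(filetime_to_dt, struct.unpack_from("<4Q", content))))
        elif atype == FN:    # name length at +0x40, UTF-16LE name at +0x42
            entry["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        elif atype == DATA:  # any *named* $DATA attribute is an alternate data stream
            entry["streams"].append({"name": name, "resident": not nonres, "size": size, "content": content})
        off += alen
    return entry
def resident_attr(atype, content, name=""):  # constructed test data: one resident attribute
    nb = name.encode("utf-16-le"); hdr = 0x18 + len(nb); total = (hdr + len(content) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(content), hdr, 0, 0) + nb + content + b"\0" * (total - hdr - len(content))
def sample_record():  # constructed FILE record: notes.txt with an unnamed stream and an ADS 'hidden'
    t = int((datetime(2024, 3, 1, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    attrs = (resident_attr(SI, struct.pack("<4Q4I", t, t, t, t, 0x20, 0, 0, 0))
             + resident_attr(FN, struct.pack("<5Q2Q2I2B", 5, t, t, t, t, 0, 0, 0, 0, 9, 1) + "notes.txt".encode("utf-16-le"))
             + resident_attr(DATA, b"hello world")
             + resident_attr(DATA, b"MZ" + b"\0" * 62, "hidden") + b"\xff\xff\xff\xff")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 4, 0, 7)
    rec = bytearray((hdr + b"\x01\x00" + b"\0" * 4).ljust(0x38, b"\0") + attrs).ljust(1024, b"\0")
    rec[510:512] = rec[1022:1024] = b"\x01\x00"   # USN written into each sector's tail, as on disk
    return bytes(rec)
```

Running parse_mft_record(sample_record()) yields two $DATA streams, the unnamed one and "hidden", which is exactly the signal the ADS checks later in these notes look for.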


2. Forensic Value & Use Cases

  • Hidden Data & Steganography: ADS provides a covert storage channel. Investigators must check for ADS to uncover hidden payloads or evidence.

  • File Timeline & Recovery:

    • The MFT provides creation, modification, and metadata timestamps, which are essential for timeline reconstruction.

    • The USN Journal ($UsnJrnl) helps detect operations (file creation / deletion / modification) even if the file is deleted.

  • Crash / Anti-Forensics Investigation: The $LogFile journal can be used to detect incomplete operations or metadata rollback (e.g., due to a system crash).

  • Metadata Anomalies: By analyzing MFT attributes, you can detect anomalies like mismatched timestamps, strange attribute usage, or suspicious attribute counts (e.g., many $DATA attributes in one record).


3. Forensic Analysis Techniques & Tools

  1. MFT Analysis

    • Use tools like MFTECmd (Eric Zimmerman) to parse the MFT and extract attribute-level data like $STANDARD_INFORMATION, $FILE_NAME, $DATA, etc.

    • Manually review MFT records: identify resident vs non-resident attributes, timestamps, and metadata flags.

    • Look for deleted ("zombie") MFT records, whose in-use flag is cleared but whose attributes are often still intact, to recover information about deleted files.

  2. Journal Parsing / Replay

    • Parse $LogFile to reconstruct metadata modification transactions. Because $LogFile is a transactional journal, it can help you understand what metadata changes (e.g., file renames, attribute changes) happened.

    • Use $UsnJrnl to build a record of file system changes (create, delete, modify). This is particularly useful for timeline reconstruction during investigations.

  3. Alternate Data Streams (ADS) Analysis

    • Enumerate ADS on files using the built-in Windows APIs (FindFirstStreamW / FindNextStreamW) or forensic tools like ADS Examiner.

    • Read the content of named streams and analyze it: sometimes ADS contain executables, scripts, or other hidden data.

    • If a file is deleted, its ADS streams may persist in the MFT record. ADS Examiner (or similar) can help locate ADS even for deleted files.

  4. Journaling Forensics

    • Use ESE-based tools or specialized parsers to interpret $UsnJrnl entries.

    • Reconstruct a timeline of file creations, modifications, and deletions.

    • Cross-correlate journal entries with MFT and log file data to validate the sequence of events and detect anomalies (e.g., metadata changes that were not “committed” cleanly).
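
Added example, not part of the original notes: a Python parser for the USN_RECORD_V2 entries stored in $UsnJrnl:$J, covering the sparse zero region at the start of the file, the split of the 64-bit file reference into MFT entry and sequence number, and the decoding of reason flags; the NAMED_DATA_* reasons are what reveal that an ADS was written even after the file itself is gone. The journal bytes, file names and timestamps are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REASONS = {  # USN_REASON_* bits from winioctl.h; NAMED_DATA_* bits mean a named stream (ADS) was written
    0x01: "DATA_OVERWRITE", 0x02: "DATA_EXTEND", 0x04: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
    0x8000: "BASIC_INFO_CHANGE", 0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE"}
def decode_reason(bits):  # bit mask -> names, lowest bit first; unknown bits are kept as hex
    names = [n for b, n in sorted(REASONS.items()) if bits & b]
    rest = bits & ~sum(REASONS)
    return names + (["0x%08x" % rest] if rest else [])

def parse_usn_records(buf):
    """Parse USN_RECORD_V2 entries from a $UsnJrnl:$J buffer, skipping its sparse zero regions."""
    off, out = 0, []
    while off + 0x3C <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:           # zero-filled (sparse) part of $J; records are 8-byte aligned
            off += 8
            continue
        major = struct.unpack_from("<H", buf, off + 4)[0]
        if major != 2 or rec_len < 0x3C or off + rec_len > len(buf):
            raise ValueError("unsupported or truncated USN record at offset %d" % off)
        fref, pref, usn, ts, reason = struct.unpack_from("<QQQQI", buf, off + 8)
        nlen, noff = struct.unpack_from("<HH", buf, off + 0x38)
        out.append({"usn": usn, "time": EPOCH + timedelta(microseconds=ts // 10),
                    "mft_entry": fref & 0xFFFFFFFFFFFF, "seq": fref >> 48,    # 48-bit entry + 16-bit sequence
                    "parent_entry": pref & 0xFFFFFFFFFFFF, "reasons": decode_reason(reason),
                    "name": buf[off + noff:off + noff + nlen].decode("utf-16-le")})
        off += rec_len
    return out
def ads_activity(events):  # journal entries proving a named stream was written, even if the file is gone
    return [e for e in events if any(r.startswith("NAMED_DATA_") for r in e["reasons"])]

def usn_record(usn, fref, pref, reason, name, ts):  # constructed test data: one USN_RECORD_V2
    nb = name.encode("utf-16-le"); rec_len = (0x3C + len(nb) + 7) & ~7
    hdr = struct.pack("<IHHQQQQIIIIHH", rec_len, 2, 0, fref, pref, usn, ts, reason, 0, 0, 0x20, len(nb), 0x3C)
    return (hdr + nb).ljust(rec_len, b"\0")
def sample_journal():  # constructed $J slice: sparse zeros, then create, write, ADS write, delete
    t0 = int((datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    fref = (4 << 48) | 7                       # sequence number 4, MFT entry 7
    return (b"\0" * 64
            + usn_record(1000, fref, 5, 0x100, "notes.txt", t0)
            + usn_record(1100, fref, 5, 0x100 | 0x02 | 0x80000000, "notes.txt", t0 + 10**7)
            + usn_record(1200, fref, 5, 0x20 | 0x200000 | 0x80000000, "notes.txt", t0 + 60 * 10**7)
            + usn_record(1300, fref, 5, 0x200 | 0x80000000, "notes.txt", t0 + 3600 * 10**7))
```

Matching the entry/sequence pair from each event against the MFT is what ties a journal record to the right incarnation of an MFT slot, since slots are reused after deletion.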


4. Workflow for Forensic Investigation

Here’s a suggested workflow when investigating an NTFS volume with a focus on metafiles, the MFT, journaling, and ADS:

  1. Image Acquisition

    • Capture a forensic image of the volume (bit-by-bit) to preserve all metadata, MFT, journal files, and ADS data.

    • Compute hashes of the image to verify its integrity.

  2. Initial Parsing

    • Parse the MFT using a tool like MFTECmd to extract the list of all files, their attributes, timestamps, and any additional data streams.

    • Export output to a CSV or timeline viewer.

  3. Journal Analysis

    • Extract and parse $UsnJrnl to list all file system events (create / delete / rename / modify).

    • Parse $LogFile (if feasible) to understand internal NTFS metadata operations (redo/undo records).

  4. ADS Enumeration & Extraction

    • Use ADS enumeration tools (or custom scripts) to find all ADS on the volume.

    • Extract the content of each ADS; analyze it (strings, file headers, binary content) to see if it contains malicious or suspicious data.

  5. Timeline & Correlation

    • Build a timeline combining MFT (file metadata), USN Journal (changes), and ADS activity.

    • Correlate with other artifacts: event logs, registry, prefetch, etc., to contextualize hidden data and file system activity.

  6. Anomaly Detection

    • Look for:

      • MFT record with many $DATA streams.

      • ADS with executable content.

      • Journal entries (USN) showing creation or deletion of metadata without corresponding MFT record changes.

      • Metadata timestamp inconsistencies (e.g., MFT Changed vs Modified).

  7. Reporting

    • Document all found ADS, their parent files, and content.

    • Provide a timeline of metadata changes and suspicious activity.

    • Highlight any evidence of data hiding (e.g., via ADS), anti-forensic behavior (e.g., abnormal journal entries), or suspicious file system usage.
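
Added example (not from the original notes): the anomaly checks of step 6 written as Python over already-parsed data, shaped like what an MFT parser and a USN parser hand back. The records, names and timestamps are constructed, and the timestamp ordering checks are heuristics that need confirmation from other artifacts such as $LogFile or event logs.

```python
from datetime import datetime, timezone
def utc(*a): return datetime(*a, tzinfo=timezone.utc)   # helper for the constructed timestamps

def find_anomalies(mft_entries, usn_events):
    """The workflow's anomaly checks over already-parsed MFT entries and USN events.
    Returns (severity, mft_entry, message) tuples; the timestamp checks are heuristics."""
    findings = []
    live = {(e["entry"], e["seq"]): e for e in mft_entries if e["in_use"]}   # (entry, sequence) -> record
    for e in mft_entries:
        named = [s for s in e["streams"] if s["name"]]       # every named $DATA attribute is an ADS
        if named:
            findings.append(("info", e["entry"], "%s carries %d ADS: %s" % (
                e["name"], len(named), ", ".join(s["name"] for s in named))))
        for s in named:
            if s["content"][:2] == b"MZ":                    # PE image hidden in a named stream
                findings.append(("high", e["entry"], "ADS %s:%s begins with a PE (MZ) header" % (e["name"], s["name"])))
        si = e["si"]
        if si["modified"] > si["mft_changed"]:   # a content write also updates MFT Changed, so this order is suspect
            findings.append(("medium", e["entry"], "%s: Modified is later than MFT Changed (possible timestomping)" % e["name"]))
        if si["created"] > si["modified"]:
            findings.append(("medium", e["entry"], "%s: Created is later than Modified" % e["name"]))
    for ev in usn_events:
        if not {"FILE_CREATE", "FILE_DELETE"} & set(ev["reasons"]):
            continue
        rec = live.get((ev["mft_entry"], ev["seq"]))
        if rec is None:   # the journal recorded a create/delete that the live MFT no longer reflects
            findings.append(("info", ev["mft_entry"], "USN %d: %s of '%s', no live MFT record %d/%d (deleted or reused)" % (
                ev["usn"], "/".join(ev["reasons"]), ev["name"], ev["mft_entry"], ev["seq"])))
        elif rec["name"] != ev["name"]:
            findings.append(("medium", ev["mft_entry"], "USN %d names '%s' but MFT entry now holds '%s'" % (ev["usn"], ev["name"], rec["name"])))
    return findings

def sample_data():  # constructed inputs in the shape an MFT parser and a USN parser would return
    t = utc(2024, 3, 1, 9, 0)
    mft = [
        {"entry": 7, "seq": 4, "in_use": True, "name": "notes.txt",
         "si": {"created": t, "modified": t, "mft_changed": t, "accessed": t},
         "streams": [{"name": "", "content": b"hello"}, {"name": "hidden", "content": b"MZ\x90\x00"}]},
        {"entry": 9, "seq": 2, "in_use": True, "name": "report.docx",   # Modified later than MFT Changed
         "si": {"created": t, "modified": utc(2024, 3, 2), "mft_changed": t, "accessed": t},
         "streams": [{"name": "", "content": b""}]},
    ]
    usn = [
        {"usn": 1000, "mft_entry": 7, "seq": 4, "name": "notes.txt", "reasons": ["FILE_CREATE", "CLOSE"]},
        {"usn": 1300, "mft_entry": 12, "seq": 1, "name": "tool.exe", "reasons": ["FILE_DELETE", "CLOSE"]},
    ]
    return mft, usn
```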
