Brief Overview of Windows File System
NTFS (New Technology File System) Overview
NTFS is currently the primary file system used by Windows XP. It was first introduced with Windows NT.
The Microsoft Windows XP Professional Resource Kit Documentation [Microsoft 04] is a comprehensive NTFS resource. The following excerpts are from the site.
NTFS replaces FAT and uses a master file table (MFT), which is the first file on the disk. The records within the MFT are called metadata and contain information on all files located on the disk, including system files. A key advancement is that files and directories are both stored on the disk with attributes that include security information. At format time the MFT assigns logical cluster numbers (LCNs) to the disk's entire partition. These LCNs allow the OS to read and write data on the disk. Each LCN is similarly linked to a virtual cluster number (VCN), which allows files to extend across the free disk space area of the hard drive.
NTFS File System Features
File and Folder Permissions
On NTFS volumes you can set permissions on files and folders that specify which groups and users have access, and what level of access is permitted. NTFS file and folder permissions apply to users on the local computer and to users accessing the file or folder over the network. File and folder permissions are maintained in discretionary access control lists.

Encryption
The encrypting file system (EFS) uses symmetric key encryption in conjunction with public key technology to protect files and folders. Encryption ensures that only the authorized users and designated recovery agents of that file or folder can access it. Users of EFS are issued a digital certificate with a public key and a private key pair. EFS uses the key set for the user who is logged on to the local computer where the private key is stored.

Users work with encrypted files and folders just as they do with any other files and folders. Encryption is transparent to any authorized users; the system decrypts the file or folder when the user opens it. When the file is saved, encryption is reapplied. However, intruders who try to access the encrypted files or folders receive an "Access denied" message if they try to open, copy, move, or rename the encrypted file or folder.
Larger Volume Size
The maximum NTFS volume size as implemented in Windows XP Professional is 2^32 clusters minus 1 cluster, which is approximately 256 terabytes, with a maximum individual file size of about 16 terabytes. Under FAT32, the maximum volume size was 32 GB with a 4 GB file. This has a considerable impact on the storage requirements for making forensic duplications and putting together fragmented files.
Multiple Data Streams
A data stream is a sequence of bytes. An application populates the stream by writing data at specific offsets within the stream. The application can then read the data by reading the same offsets in the read path. Every file has a main, unnamed stream associated with it, regardless of the file system used. However, NTFS supports additional named data streams, in which each data stream is an alternate sequence of bytes, as illustrated in the figure. Applications can create additional named streams and access the streams by referring to their names. This feature permits related data to be managed as a single unit. For example, a graphics program can store a thumbnail image of a bitmap in a named data stream within the NTFS file containing the image.

A forensic examiner is particularly interested in these multiple data streams since they can hide data either intentionally or by coincidence. The data stream is an additional data attribute of a file.
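
The following Python example is added here and is not from the original page or the Microsoft documentation: it walks the attributes of one MFT record and reports every named $DATA attribute, which is where an examiner finds alternate data streams. The header offsets follow the commonly documented NTFS on-disk layout; the sample record and its stream names are constructed, and the code assumes update-sequence fixups have already been applied and does not follow $ATTRIBUTE_LIST extension records.

```python
import struct

DATA_ATTR = 0x80          # attribute type code for $DATA
END_MARKER = 0xFFFFFFFF   # terminates the attribute list in a record

def named_streams(record: bytes):
    """Return [(stream_name, resident_size_or_None)] for named $DATA attributes."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 20)[0]    # offset of first attribute
    found = []
    while off + 4 <= len(record):
        atype = struct.unpack_from("<I", record, off)[0]
        if atype == END_MARKER:
            break
        if off + 16 > len(record):
            raise ValueError("truncated attribute header")
        alen = struct.unpack_from("<I", record, off + 4)[0]
        if alen < 16 or off + alen > len(record):
            raise ValueError("corrupt attribute length")
        nonres, nlen, noff = struct.unpack_from("<BBH", record, off + 8)
        if atype == DATA_ATTR and nlen:              # nlen == 0 is the main, unnamed stream
            name = record[off + noff: off + noff + 2 * nlen].decode("utf-16-le")
            # Resident attributes carry their content size at +16; non-resident
            # ones store run lists instead, so no size is reported for them here.
            size = None if nonres else struct.unpack_from("<I", record, off + 16)[0]
            found.append((name, size))
        off += alen
    return found

def _attr(atype, name, content):
    """Build one resident attribute (constructed sample data, not from a real disk)."""
    n = name.encode("utf-16-le")
    body_off = 24 + len(n)
    body_off += -body_off % 8                        # content starts 8-byte aligned
    raw = struct.pack("<IIBBHHHIHH", atype, 0, 0, len(name), 24, 0, 0,
                      len(content), body_off, 0) + n
    raw = raw.ljust(body_off, b"\0") + content
    raw = raw.ljust(len(raw) + -len(raw) % 8, b"\0")
    return raw[:4] + struct.pack("<I", len(raw)) + raw[8:]   # patch in total length

def sample_record():
    """Constructed 1024-byte record: main stream plus two named streams."""
    header = b"FILE".ljust(20, b"\0") + struct.pack("<H", 56) + b"\0" * 34
    attrs = (_attr(DATA_ATTR, "", b"visible report text")
             + _attr(DATA_ATTR, "thumbnail", b"\x89PNG")
             + _attr(DATA_ATTR, "hidden.txt", b"secret"))
    return (header + attrs + struct.pack("<II", END_MARKER, 0)).ljust(1024, b"\0")
```

A named stream is not suspicious by itself (the thumbnail case above is legitimate), so the output is a list to review against what the owning application is expected to create.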
Cluster Size
As described previously, the cluster size has also significantly increased with NTFS.