Before learning the different file system structures, you need to understand the different parts in a partitioned hard drive.
Master Boot Record (MBR)
The master boot record (MBR) is the first sector (512 bytes) of a hard drive partitioned with the legacy MBR scheme.
It contains the boot code and information about the drive itself, including the partition table: four 16-byte entries that record, for each primary partition, its type, the sector where it starts, and its size in sectors. While performing forensic analysis, you can compare the partitions described in the MBR with the printed size of the drive and check that they match. Space that no partition accounts for (beyond the small alignment gap before the first partition) may hold a hidden partition or deliberately concealed data, or it may simply be the result of corruption; either way it deserves a closer look rather than an assumption.
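The check described above, written out as an added example (not code from the original text): the parser reads the four partition entries from a 512-byte MBR and then lists every run of sectors that no partition covers. The MBR and the 1 GiB disk size are constructed for the example and are not from a real drive; the partition type names are the usual well-known IDs.

```python
"""Parse a legacy MBR partition table and report disk space that no
partition accounts for. Added example; the MBR is constructed in
build_sample_mbr(), not read from a real drive."""
import struct

SECTOR = 512
# Partition type IDs are well known; only the ones used below are listed.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of the four-slot partition table.

    Each 16-byte entry sits at offset 446 + 16*i:
      byte 0      boot flag (0x80 = active)
      bytes 1-3   CHS start (ignored; the LBA fields are authoritative today)
      byte 4      partition type
      bytes 5-7   CHS end (ignored)
      bytes 8-11  LBA of the first sector (little endian)
      bytes 12-15 size in sectors (little endian)
    """
    if len(mbr) < SECTOR:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 or size == 0:
            continue  # empty slot
        parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start": lba, "sectors": size})
    return parts


def unaccounted_sectors(parts: list, disk_sectors: int) -> list:
    """Return (start, length) runs of sectors covered by no partition.

    The run right after sector 0 is normally the alignment gap before the
    first partition; a large run at the end of the disk, or one between two
    partitions, is what the analyst should look at more closely.
    """
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


DISK_SECTORS = 2097152  # constructed 1 GiB disk: 1 GiB / 512


def build_sample_mbr() -> bytes:
    """Constructed sample: an active NTFS partition at sector 2048 followed
    by a Linux partition, leaving a 100 MiB hole at the end of the disk."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 1024000),     # ~500 MiB NTFS, active
               (0x00, 0x83, 1026048, 866304)]   # ~423 MiB Linux
    for i, (boot, ptype, lba, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, boot, ptype, lba, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"#{p['index']} {p['type_name']:<14} start={p['start']:>8} "
              f"sectors={p['sectors']:>8} active={p['active']}")
    for start, length in unaccounted_sectors(parts, DISK_SECTORS):
        print(f"no partition covers {length} sectors "
              f"({length * SECTOR // 2**20} MiB) starting at sector {start}")
```

On a real acquisition you would read the first 512 bytes of the image into parse_mbr and take disk_sectors from the image size divided by 512; the 2047-sector gap after the MBR is the normal alignment gap, while the 100 MiB run at the end of this constructed disk is the kind of discrepancy the text tells you to investigate.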
The Master File Table (MFT)
The first sector (512 bytes) of each partition is the partition's boot sector. It records the type of the file system, the location of the boot code, the sector size, and the cluster size in sectors.
On an NTFS partition, space is reserved for the master file table (MFT), the structure that holds the metadata about every file in the file system. (A FAT partition has no MFT; its equivalents are the file allocation table and the directory entries.) Each MFT entry is 1 KB in size. When a user deletes a file, the file's entry is only marked as no longer in use: the metadata stays in the entry until a new file is allocated the same entry and overwrites it, which is why deleted files can often be recovered.
Data Area and Free Space
The rest of the partition space after the file system’s area has been reserved will be available for data. Each unit of the data area is called a cluster or block. If files are deleted from the hard drive, the clusters that contain data related to this file will be marked as unallocated. Subsequently, the data will exist until new data that is related to a new file overwrites it.
The following are a few facts about clusters:
Allocated cluster: Holds data that is related to a file that exists and has an entry in the file system’s MFT area.
Unallocated cluster: A cluster that is not linked to any existing file. It may be empty, or it may still contain data from a deleted file that has not yet been overwritten by a new file's data.
When you run a backup tool, it copies only the files that have entries in the file system (the MFT on NTFS) and whose clusters in the data area are allocated; unallocated clusters, and the deleted files they may still hold, are not captured. Backup software also typically compresses the data. A forensic image, by contrast, copies every sector of the source, allocated or not, so a raw image is exactly the size of the source drive.
FAT
The File Allocation Table (FAT) was the default file system of the Microsoft DOS operating system back in the 1980s. Then other versions were introduced, including FAT12, FAT16, FAT32, and exFAT. Each version overcame some of the limitations of the file system until the introduction of the New Technology File System (NTFS).
FAT partitions include the following main areas:
Boot sector, which is the first sector of the partition and is loaded into memory. The boot sector includes the following information:
  Jump code, which points to the bootstrap and operating system initialization code
  Sector size
  Cluster size (in sectors)
  Total number of sectors in the partition
  Number of root directory entries (FAT12 and FAT16 only)
The File Allocation Table (FAT), which is the actual file system: one entry per cluster, chaining together the clusters that belong to each file
A second copy of the FAT, used if the first copy has been corrupted
Root directory entries, each holding a file's name, size, timestamps, and the address of the first cluster that contains the file's data
The data area
One of FAT’s limitations is that no modern properties can be added to the file, such as compression, permissions, and encryption.
The number after each FAT version, such as FAT12, FAT16, or FAT32, represents the number of bits used to address clusters in the FAT table:
FAT12: A maximum of 2^12 = 4,096 clusters.
FAT16: A maximum of 2^16 = 65,536 clusters.
FAT32: Nominally 2^32 = 4,294,967,296 clusters, but 4 bits of each entry are reserved, so only 28 bits are used, for a maximum of 2^28 = 268,435,456 clusters.
exFAT: Uses the whole 32 bits for addressing.
A few entry values in each variant are reserved (for example, the end-of-chain and bad-cluster markers), so the usable cluster count is slightly below these powers of two, and the FAT variant of a volume is actually determined by its cluster count rather than by the label written in the boot sector.
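As an added example (not code from the original text), the following parser decodes the boot sector fields listed above, computes the first data sector and the cluster count from them, and classifies the volume as FAT12, FAT16 or FAT32 by cluster count, which is how the Microsoft FAT specification defines the variant. It also maps a cluster number from a directory entry to its sector. The three boot sectors are constructed by build_boot_sector() for the example (a 1.44 MB floppy, a 64 MiB card, a 1 GiB drive) and are not from real volumes; exFAT has a different boot sector layout and is not handled here.

```python
"""Decode a FAT boot sector (BIOS Parameter Block), compute the cluster
count, and derive the FAT variant from it as the FAT specification does.
Added example; boot sectors are constructed, not taken from real volumes."""
import struct

# Thresholds from the FAT specification. They sit slightly below 2**12 and
# 2**16 because a few cluster values are reserved.
FAT12_MAX_CLUSTERS = 4085
FAT16_MAX_CLUSTERS = 65525


def parse_fat_boot_sector(bs: bytes) -> dict:
    """Read the BPB fields that fix the volume layout and classify the FAT."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector")
    # Offsets 11..23: bytes/sector, sectors/cluster, reserved sectors,
    # number of FATs, root entries, total sectors (16-bit), media, FAT size (16-bit)
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats, root_entries,
     total16, _media, fat_size16) = struct.unpack_from("<HBHBHHBH", bs, 11)
    # Offset 32: total sectors (32-bit); offset 36: FAT size (32-bit, FAT32 only)
    total32, fat_size32 = struct.unpack_from("<II", bs, 32)
    if bytes_per_sector == 0 or sectors_per_cluster == 0 or num_fats == 0:
        raise ValueError("BPB has zero geometry fields")
    total = total16 or total32
    fat_size = fat_size16 or fat_size32
    # The root directory is a fixed area on FAT12/16; root_entries is 0 on FAT32.
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    first_data_sector = reserved + num_fats * fat_size + root_dir_sectors
    data_sectors = total - first_data_sector
    if data_sectors <= 0:
        raise ValueError("system area is larger than the volume")
    cluster_count = data_sectors // sectors_per_cluster
    if cluster_count < FAT12_MAX_CLUSTERS:
        fat_type = "FAT12"
    elif cluster_count < FAT16_MAX_CLUSTERS:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    return {"type": fat_type, "bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster, "reserved": reserved,
            "num_fats": num_fats, "fat_sectors": fat_size,
            "root_dir_sectors": root_dir_sectors,
            "first_data_sector": first_data_sector,
            "cluster_count": cluster_count}


def cluster_to_sector(info: dict, cluster: int) -> int:
    """Map the first-cluster number from a directory entry to its sector.
    Data clusters are numbered from 2; values 0 and 1 are reserved."""
    if cluster < 2 or cluster >= info["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data area")
    return (cluster - 2) * info["sectors_per_cluster"] + info["first_data_sector"]


def build_boot_sector(bytes_per_sector, sectors_per_cluster, reserved, num_fats,
                      root_entries, total_sectors, fat_sectors, fat32=False):
    """Constructed helper: writes only the BPB fields the parser reads."""
    bs = bytearray(512)
    total16 = total_sectors if total_sectors < 0x10000 else 0
    struct.pack_into("<3s8sHBHBHHBH", bs, 0, b"\xEB\x3C\x90", b"MSWIN4.1",
                     bytes_per_sector, sectors_per_cluster, reserved, num_fats,
                     root_entries, total16, 0xF8, 0 if fat32 else fat_sectors)
    struct.pack_into("<II", bs, 32, 0 if total16 else total_sectors,
                     fat_sectors if fat32 else 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


# Constructed volumes: a 1.44 MB floppy, a 64 MiB card, a 1 GiB drive.
FLOPPY = build_boot_sector(512, 1, 1, 2, 224, 2880, 9)
CARD_64M = build_boot_sector(512, 4, 4, 2, 512, 131072, 128)
DRIVE_1G = build_boot_sector(512, 8, 32, 2, 0, 2097152, 2048, fat32=True)

if __name__ == "__main__":
    for label, bs in (("floppy", FLOPPY), ("64 MiB card", CARD_64M), ("1 GiB drive", DRIVE_1G)):
        info = parse_fat_boot_sector(bs)
        print(f"{label:<12} {info['type']} clusters={info['cluster_count']} "
              f"first data sector={info['first_data_sector']} "
              f"cluster 2 -> sector {cluster_to_sector(info, 2)}")
```

The floppy case reproduces the familiar layout of a 1.44 MB diskette (reserved boot sector, two 9-sector FATs, a 14-sector root directory, data starting at sector 33), and the classification by count is why a forensic tool should not trust the type string or the partition-type byte: a mislabelled volume still parses correctly from these numbers.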
NTFS
NTFS is the default file system in Microsoft Windows since Windows NT and is a more secure, scalable, and advanced file system compared to FAT. NTFS has several components. The boot sector is the first sector in the partition, and it contains information about the file system itself, such as the start code, sector size, cluster size in sectors, and the number of reserved sectors. The file system area contains many files, including the master file table (MFT). The MFT includes metadata of the files and directories in the partition. The data area holds the actual contents of the files, and it is divided into clusters with a size assigned during formatting and recorded in the boot sector.
MFT
NTFS keeps a file called $MFT that holds one entry for every file and directory in the partition, including an entry for $MFT itself. Each entry is 1,024 bytes in size and begins with a header (42 bytes in early NTFS versions, 48 bytes since NTFS 3.x) whose first four bytes are the ASCII signature FILE (0x46494C45). If the signature reads BAAD instead, the driver detected an error while writing the entry. The rest of the entry, roughly 980 bytes, stores the file's metadata as a sequence of attributes; different attribute types can appear in a single MFT entry, each holding a different kind of information (timestamps, file name, data, and so on). If the file's content is small enough to fit in the space left over, it is stored in the entry itself (a resident attribute) and the file uses no clusters in the data area at all.
Timestamps, MACE, and Alternate Data Streams
NTFS keeps track of many timestamps. Each file has timestamps for Modify, Access, Create, and Entry Modified (commonly referred to as the MACE values); the last one records when the MFT entry itself was last changed.
NTFS includes a feature referred to as Alternate Data Streams (ADS), also called "multiple data streams" or "alternative data streams." ADS was introduced to support the resource forks used by the Hierarchical File System (HFS) on Apple Macintosh systems: a file can carry more than one $DATA attribute, and every named stream beyond the default unnamed one is an alternate data stream. Because ordinary directory listings show only the unnamed stream, ADS is a classic place to hide data, which is why forensic tools flag it.
Microsoft File System Resource Manager (FSRM) also uses ADS as part of "file classification."
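The MFT description, the MACE timestamps and the ADS discussion above come together in one added example (not code from the original text): a parser for a single $MFT entry that checks the FILE/BAAD signature, applies the update sequence (fixup) array that NTFS uses to detect torn writes, reads the in-use and directory flags, converts the four $STANDARD_INFORMATION timestamps, pulls the file name from $FILE_NAME, and lists every resident $DATA stream, reporting the named ones as alternate data streams. The entry is constructed by build_sample_entry() rather than read from a volume, assumes the 48-byte NTFS 3.x header layout, and keeps all attributes resident; non-resident attributes (whose content lives in cluster runs in the data area) are recognised but not followed.

```python
"""Parse one NTFS $MFT entry: signature, fixups, header flags, resident
attributes, MACE timestamps and $DATA streams (named ones are ADS).
Added example; the entry is constructed, not read from a volume."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE, SECTOR = 1024, 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(raw: bytearray) -> None:
    """Put back the last word of each sector from the update sequence array.
    A mismatch means the entry was only partly written (torn)."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if raw[pos:pos + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn entry")
        raw[pos:pos + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]

def parse_mft_entry(entry: bytes) -> dict:
    raw = bytearray(entry)
    sig = bytes(raw[0:4])
    if sig == b"BAAD":
        raise ValueError("entry marked BAAD: multi-sector write failed")
    if sig != b"FILE":
        raise ValueError(f"bad signature {sig!r}")
    apply_fixups(raw)
    # Header fields at 16..31: sequence, hard links, first attribute offset,
    # flags (0x01 in use, 0x02 directory), used bytes, allocated bytes.
    seq, links, first_attr, flags, used, _alloc = struct.unpack_from("<HHHHII", raw, 16)
    rec = {"sequence": seq, "links": links, "in_use": bool(flags & 0x01),
           "is_directory": bool(flags & 0x02), "used_bytes": used,
           "name": None, "timestamps": {}, "streams": []}
    off = first_attr
    while off + 8 <= ENTRY_SIZE:
        atype, alen = struct.unpack_from("<II", raw, off)
        if atype == 0xFFFFFFFF or alen == 0:   # end-of-attributes marker
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", raw, off + 8)
        name = raw[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if nonres:          # content is in cluster runs in the data area; skipped here
            off += alen
            continue
        clen, coff = struct.unpack_from("<IH", raw, off + 16)
        content = bytes(raw[off + coff:off + coff + clen])
        if atype == 0x10:   # $STANDARD_INFORMATION: created, modified, MFT modified, accessed
            c, m, e, a = struct.unpack_from("<QQQQ", content, 0)
            rec["timestamps"] = {"created": filetime_to_dt(c), "modified": filetime_to_dt(m),
                                 "entry_modified": filetime_to_dt(e), "accessed": filetime_to_dt(a)}
        elif atype == 0x30: # $FILE_NAME: name length at byte 64, UTF-16LE name from byte 66
            rec["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        elif atype == 0x80: # $DATA: the unnamed stream is the file; named ones are ADS
            rec["streams"].append({"name": name, "ads": name != "", "data": content})
        off += alen
    return rec

def resident_attr(atype: int, content: bytes, name: str = "", attr_id: int = 0) -> bytes:
    """Constructed helper: one resident attribute (24-byte header, name, content)."""
    name_bytes = name.encode("utf-16-le")
    coff = (24 + len(name_bytes) + 7) & ~7
    total = (coff + len(content) + 7) & ~7
    buf = bytearray(total)
    struct.pack_into("<IIBBHHHIHBx", buf, 0, atype, total, 0, len(name), 24, 0,
                     attr_id, len(content), coff, 0)
    buf[24:24 + len(name_bytes)] = name_bytes
    buf[coff:coff + len(content)] = content
    return bytes(buf)

SAMPLE_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def build_sample_entry() -> bytes:
    """Constructed in-use file 'notes.txt' with an unnamed resident $DATA
    stream and a named one, 'Zone.Identifier' (an ADS)."""
    ft = dt_to_filetime(SAMPLE_TIME)
    std_info = struct.pack("<QQQQ", ft, ft, ft, ft) + bytes(16)
    fname = "notes.txt"
    file_name = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), ft, ft, ft, ft, 0, 0,
                            0x20, 0, len(fname), 1) + fname.encode("utf-16-le")
    attrs = (resident_attr(0x10, std_info, attr_id=0)
             + resident_attr(0x30, file_name, attr_id=1)
             + resident_attr(0x80, b"meeting at 10am\n", attr_id=2)
             + resident_attr(0x80, b"[ZoneTransfer]\r\nZoneId=3\r\n",
                             name="Zone.Identifier", attr_id=3)
             + struct.pack("<I", 0xFFFFFFFF))
    raw = bytearray(ENTRY_SIZE)
    first_attr = 56                   # 48-byte header + 6-byte USA, 8-aligned
    raw[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQHHI", raw, 4, 48, 3, 0, 1, 1, first_attr, 0x01,
                     first_attr + len(attrs), ENTRY_SIZE, 0, 4, 0, 42)
    raw[first_attr:first_attr + len(attrs)] = attrs
    # Fixup as the driver writes it: the USN replaces the last word of each
    # 512-byte sector and the original words are saved in the USA.
    usn = b"\x42\x00"
    raw[48:50] = usn
    for i in (1, 2):
        pos = i * SECTOR - 2
        raw[48 + 2 * i:50 + 2 * i] = raw[pos:pos + 2]
        raw[pos:pos + 2] = usn
    return bytes(raw)

if __name__ == "__main__":
    rec = parse_mft_entry(build_sample_entry())
    print(rec["name"], "in use" if rec["in_use"] else "deleted", rec["timestamps"]["created"])
    for s in rec["streams"]:
        print("  ADS " if s["ads"] else "  DATA", repr(s["name"]), len(s["data"]), "bytes")
```

Two points worth noting for forensic use: a deleted file differs from this sample only in the in-use flag (bit 0x01 cleared), so the same walk recovers its name, timestamps and resident content until the entry is reused, exactly as the MFT section describes; and the fixup check is not optional, because applying the update sequence incorrectly silently corrupts the last two bytes of every sector of the entry.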
Note
Cybersecurity forensics experts use tools such as EnCase and ProDiscover to collect evidence from systems. These tools display the ADS found in acquired images in red.
EFI
The EFI system partition (ESP) is a partition on a hard disk drive or solid-state drive whose main purpose is to interact with the Unified Extensible Firmware Interface (UEFI). UEFI firmware loads files stored on the EFI system partition to start the operating system and various utilities. An EFI system partition needs to be formatted with a file system whose specification is based on the FAT file system and is maintained as part of the UEFI specification; that specification is independent from the original FAT specification. The ESP holds the boot loaders or kernel images for all installed operating systems that reside on other partitions. It also holds device driver files for hardware devices present in the system and used by the firmware at boot time, as well as system utility programs that run before an operating system is loaded. The EFI system partition also contains data files, including error logs.
The Unified Extensible Firmware Interface Forum at http://www.uefi.org has a lot of great information about Secure Boot, UEFI operations, specifications, tools, and much more.