Things you probably didn’t know about shadow copies

1. Shadow copies can contain invalid data

During the development of the parser for shadow copies, I observed many systems containing invalid data in shadow copies. For unknown reasons, some allocated files may contain null blocks instead of valid data blocks as well as blocks of data which should not be there.

Continue reading “Things you probably didn’t know about shadow copies”

NTFS: large clusters

A small addition to this post.

Starting from Windows 10 “Redstone 3” (Fall Creators Update), it’s possible to create an NTFS volume using one of the following cluster sizes: 128K, 256K, 512K, 1M, 2M. Previously, the largest supported cluster size was 64K.

format.png

Currently, I’m not aware of any third-party tools that support such large clusters: there is no support in the NTFS-3G driver, no support in the Linux kernel (#1, #2), no support in The Sleuth Kit, no support in RawCopy, no support in several proprietary forensic tools.

This update also changed the way how the “sectors per cluster” field (located in an NTFS boot sector) is treated. Previously, this was an unsigned byte and its value was treated literally. Now, this is a signed byte and its value is used as shown in the following pseudocode:

// Argument:
// - SectorsPerCluster: a signed byte (from the offset 13 in an NTFS boot sector).
// Return value:
// - A true number of sectors per cluster.
NtfsGetTrueSectorsPerCluster(SectorsPerCluster)
{
	if ((unsigned)SectorsPerCluster > 0x80)
		return 1 << -SectorsPerCluster
	else
		return (unsigned)SectorsPerCluster
}

This isn’t the same as the algorithm used when dealing with the “file record segment size” and “index record size” fields in an NTFS boot sector, note the edge case when the byte is equal to 0x80 (this corresponds to a negative value, but it’s still used as unsigned for backward compatibility, because 0x80 is used for 64K clusters).


A sample file system image can be found here.

NTFS: unallocated data marked as allocated

No operation on a file is allowed to include unallocated (deleted) data into the user-readable area of that file. Otherwise, an unprivileged program could read data from a deleted file even if such access was forbidden when this file was allocated.

But this is not an issue when dealing with files readable by privileged programs only (because such programs can read allocated and unallocated data from a file system directly). However, allocated files containing pieces of unallocated data are very rare (unlike the slack space, such data is a part of file’s data).

Continue reading “NTFS: unallocated data marked as allocated”

How the $LogFile works?

In the official NTFS implementation, all metadata changes to a file system are logged to ensure the consistent recovery of critical file system structures after a system crash. This is called write-ahead logging.

The logged metadata is stored in a file called “$LogFile”, which is found in a root directory of an NTFS file system.

Currently, there is no much documentation for this file available. Most sources are either too high-level (describing the logging and recovery processes in general) or just contain the layout of key structures without further description.

Continue reading “How the $LogFile works?”