Information Communication Technology – WikiNote

Table of Contents

Forensics: What is the $MFT?

<2020-08-27 Thu>   DigitalForensics

What is the $MFT? The $MFT, Master File Table, is the most important file in a NTFS file system. It keeps track of all files on the volume, their logical location in folders, their physical location on the hard, and metadata about the files, including:

  • Created Date, Entry Modified Date, Accessed Date and Last Written Date, in the Standard Information Attribute.
  • The Physical and Logical Size of the file
  • Permissions (security access) for the file

All of this information is stored in an entry within the MFT, called (somewhat unsurprisingly) “MFT Entries“.

The MFT Entries are 1024 bytes, as standard. Every file and folder, has to have an MFT entry, to be recognized by the computer, including the MFT itself.

The first 16 entries of the MFT are reserved for NTFS system files, these include: $MFT, $MFT Mirror, and $BitMap.

The MFT can expand but it never contracts, under normal use. This is very important for computer forensics investigators, as it effects the recovery of data and identification of deleted files.

When a file is deleted the MFT entry is marked as ready to be re-used. This entry will continue to exist until it is overwritten by a new file. When a new file is to created on the hard drive it overwrites the next available MFT entry, if they are no spare entries ready to be overwritten then the MFT will start to expand.

If there are 100 entries in the MFT and one file, File X, is deleted and then 1,000 more files are immediately created then the MFT entry for File X would be overwritten. Though the contents of the file may exist on the hard drive, the MFT entry which includes the name, metadata, etc, would be overwritten.

There are 10,000 entries in the MFT. 1,000 are deleted and 2 new files are immediately added to the drive. Therefore 998 entries should be recoverable. Though if the data for the files is recoverable or not will depend on if they have been over written.

These numbers may sound unlikely, but with website data being cached and then cleaned out, temorpary files created from software installs, and then deleted, these sudden changes in file counts are not unlikely at all.

Note: The data for the file is seperate from the MFT Entry. This leads to several possibilities during deletion and subsequent use of a hard drive.

  1. The file is deleted but the MFT entry and the file data are 100% recoverable. The deleted file can be 100% recovered.
  2. The file is deleted and the MFT entry is recoverable but a portion of the file data is overwritten. This means that the file can only be partialy recovered.
  3. The file is deleted and the MFT entry is recoverable but the file data is 100% over written. The file is not recoverable, but informaiton about the file, name, dates, sizes, etc is.
  4. The file is deleted and the MFT entry and file data is 100% recoverable. The file is 100% lost. However forensic investigation could reveal a lot of information about the file, but not through the MFT, rather other forensic artefacts.
  5. The file is deleted and the MFT 100% overwritten but the file data has not been 100% overwritten. The remaining file can be carved out from the unallocated space on the hard drive. The ability to carve the data would depend on fragmentation, amount of recoverable data (it could be 100%) and nature of the file

There are other permutations, where the MFT entry is not 100% over written, leaving MFT file slack. More information on the MFT is available here. A good resource on the MFT, and NTFS in general is the book – File System Forensic Analysis

Note: this article is cited from "Where is your data"

Several first computer viruses

<2020-07-24 Fri>   NetworkSecurity


  • The first computer virus, called “Creeper system”, was an experimental self-replicating virus released in 1971. It was filling up the hard drive until a computer could not operate any further. This virus was created by BBN technologies in the US.
  • The first computer virus for MS-DOS was “Brain” and was released in 1986. It would overwrite the boot sector on the floppy disk and prevent the computer from booting. It was written by two brothers from Pakistan and was originally designed as a copy protection.
  • The Morris” was the first Computer virus which spread extensively in the wild in 1988. It was written by Robert Morris, a graduate student from Cornell University who wanted to use it to determine the size of the internet. His approach used security holes in sendmail and other Unix applications as well as weak passwords, but due to a programming mistake it spread too fast and started to interfere with the normal operation of the computers. It infected around 15,000 computers in 15 hours, which back then was most of the internet.

Since then, many new viruses have been introduced and the trend is growing exponentially every year. See more details in the article of A short history of computer viruses

A principle for network security

<2020-07-17 Fri>   NetworkSecurity

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

– —The Art of War, Sun Tzu

RSA conference 2020

<2020-07-16 Thu>   NetworkSecurity

  • The 5 Most Dangerous New Attack Techniques and How to Counter Them

The "C.I.A." security concepts

<2020-07-16 Thu>   NetworkSecurity

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for network security within an organization.

Case Study

  • Scenario I

    In an ATM system, users provide a bank card for account access and a personal identification number.

  • Scenario II

    In a survey system, you feedback what your feelings in the course to the teaching committee.

Running Linux in Windows Operating Systems

<2020-07-16 Thu>   NetworkSecurity

Build a test environment: Can Windows and Linux be integrated? Yes, WSL 2 is released for Windows 10 and Kali Linux is available on the Microsft Store. Microsoft Windows 10 will get a full built-in Linux Kernel for WSL 2

Some Software for Electronic Crime and Digital Forensics

<2020-07-16 Thu>   ICT DigitalForensics

OSForensics® provides one of the fastest and most powerful ways to locate files on a Windows computer. OSForensics Extract forensic data from computers, quicker and easier than ever. Uncover everything hidden inside a PC.

Using advanced hashing algorithms OSForensics can create a digital identifier that can be used to identify a file. This identifier can be used both to verify a file has not been changed or to quickly find out if a file is part of a set of known files.

By looking at the contents of a file OSForensics can identify what kind of file it is and then figure out if the file has an incorrect extension. This can help locate “Dark Data” that the user has tried to conceal

By making a record of the details of the files on a hard drive a comparison can be then done at a later date to find out what has been changed. Extract text strings from binary data allowing you to find text hidden in otherwise unreadable chunks of information. Do this for both files found on the hard drive or directly from active memory of processes running on the system.

FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as AccessData® Forensic Toolkit® (FTK) is warranted. FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence.

ProDiscover® suite of products addresses a wide range of scenarios handled by law enforcement organisations and corporate internal investigations. ProDiscover provides a rich set of features and toolkits for Computer Forensics and Incident Response. The product suite is also equipped with diagnostic and evidence collection tools for corporate policy compliance investigations and electronic discovery.

See the introduction of ProDiscover below:

AccessData® Registry Viewer™ lets you view the contents of Windows® operating system registries. Unlike the Windows Registry Editor, which can only display the current computer’s registry, Registry Viewer lets you view registry files from any computer. Registry Viewer gives you access to a registry’s protected storage. The protected storage can contain passwords, usernames, and other information that is not accessible in Windows Registry Editor. Registry Viewer provides several tools for obtaining and reporting important registry information. The Full Registry view shows all the contents of a registry file, while the Common Areas view displays sections of the registry that are most likely to contain significant data. From either view, you can select keys and subkeys to add to a report.

Autopsy® is the premier end-to-end open source digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.

WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

Date: 2020-03-17 Tue 00:00

Author: YF Lin

Created: 2020-08-27 Thu 13:25