File deletion in a NTFS Filesystem
image credit:https://windowsreport.com/unable-delete-folder-windows/


Hello! In this article we will look, at a high level, at the processes that occur when a file is deleted in an NTFS file system. We will cover what happens when:

  1. A file is put in the recycle bin
  2. A file is deleted from the system


Let's start!

Before diving into the processes involved in deleting a file, let's talk briefly about one of the most important files and features of an NTFS file system: the Master File Table, or $MFT, located in the root directory of the volume (C:\ for example). The Master File Table acts as a database that indexes and tracks every file and directory on the volume. Each file on an NTFS volume has a unique record in the MFT called an MFT entry. That entry contains metadata about the file (file name, timestamps, size) and pointers to the clusters containing the file's data. MFT entries are updated when objects are modified or deleted.

Example of an MFT entry (credit to Brian Carrier)

That said, let's answer our first question: what happens when a file is placed in the Recycle Bin?

When a file is placed in the Recycle Bin, its $FILE_NAME attribute, which stores the name of the file or directory along with additional metadata such as timestamps, is modified:

  • The new parent directory of the file becomes $Recycle.Bin
  • The file is renamed to $R followed by six random characters

A new file is also created. It has the same name as the $R file but begins with $I. If a file is restored from the Recycle Bin, its $I file remains in the Recycle Bin while the $R file is moved and renamed back to its original location. The $I file contains metadata about the deleted file: the file name, the file size, the time at which it was deleted and the original location, so that if the user decides to restore the file, the OS still knows which folder the file came from. Each time you put a file in the Recycle Bin, a new $I file is created, so it is possible to have several $I files for the same file. From a forensic point of view this is interesting: if an object has been put in the Recycle Bin, restored and then deleted, we can still find artifacts of it in the Recycle Bin even after it has been emptied.

The actual file contents are stored in the $R file.
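The $I record described above is small enough to parse by hand. The following is an added example, not code from the article: it decodes a constructed $I record (both the fixed-width layout used by Windows Vista through 8 and the length-prefixed layout used by Windows 10 and later), converts the deletion FILETIME to a timestamp, and pairs $I and $R names from a directory listing so that an $I without a partner, the trace a restored file leaves behind, stands out. The path, size, time and file names are constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not taken from a real volume): the article's dns.pcap.
SAMPLE_DELETED_AT = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\steven\Desktop\dns.pcap"


def filetime_to_datetime(ticks: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I<suffix> record from $Recycle.Bin\\<SID>\\.

    Both versions start with: u64 version, u64 original size, u64 deletion FILETIME.
    Version 1 (Vista to 8) follows with a fixed 520-byte UTF-16LE path;
    version 2 (Windows 10 and later) follows with a u32 character count and the path.
    """
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, size, deleted_ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (char_count,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * char_count].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted_ticks), "original_path": path}


def build_dollar_i(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Construct a $I record for testing (a fixture, not data read from a real volume)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    utf16 = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + utf16.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + utf16


def pair_recycle_bin_entries(names):
    """Pair $I metadata records with their $R data files by their shared suffix.

    Returns (paired_suffixes, orphan_i_suffixes). An $I with no matching $R is
    what a restored file leaves behind: the $R is renamed back to its original
    location while the $I stays in the bin.
    """
    i_suffixes = {n[2:] for n in names if n.startswith("$I")}
    r_suffixes = {n[2:] for n in names if n.startswith("$R")}
    return sorted(i_suffixes & r_suffixes), sorted(i_suffixes - r_suffixes)


if __name__ == "__main__":
    record = build_dollar_i(SAMPLE_PATH, 1234, SAMPLE_DELETED_AT)
    print(parse_dollar_i(record))
    # Constructed listing of a $Recycle.Bin\<SID>\ folder: one pair and one orphan $I.
    print(pair_recycle_bin_entries(["$IL8A0B5.pcap", "$RL8A0B5.pcap", "$IABCDEF.txt", "desktop.ini"]))
```

On a live system the same parser can be pointed at the $I files under C:\$Recycle.Bin\<SID>\; the orphan check is the quick way to spot items that were restored rather than emptied.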

Nonetheless, the Recycle Bin can be abused by attackers to avoid detection and to establish persistence. Even though the Recycle Bin is a non-executable zone in Windows Explorer, files in it can still be executed from the command line, used as a startup entry, registered as a service, and so on.
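From the defender's side, the useful question is whether anything that launches code (a process image, an autorun entry, a service path) points into $Recycle.Bin at all. The following is an added example, not code from the article: it scans a handful of constructed event records for such references and, because the shell itself only ever creates $I/$R names (plus desktop.ini) in that folder, it also notes when the referenced file name does not follow that pattern, meaning someone wrote the file into the folder directly. The SIDs, file names and registry values are constructed samples.

```python
import re

# A path under a volume's Recycle Bin: <drive>:\$Recycle.Bin\<SID>\<item>.
# Case-insensitive because the folder is seen spelled both $Recycle.Bin and $RECYCLE.BIN.
_BIN_PATH = re.compile(
    r"[A-Za-z]:[\\/]\$recycle\.bin[\\/](?P<sid>S-1-[\d-]+)[\\/](?P<name>[^\\/\s\"']+)",
    re.IGNORECASE)
# Names the shell itself creates there: $I or $R plus six characters (the naming
# described in the article), optionally keeping the original extension.
_SHELL_NAME = re.compile(r"^\$[IR][0-9A-Z]{6}(\.[^.]+)?$", re.IGNORECASE)

# Constructed sample events (not real telemetry): a process image, a Run key value,
# an ordinary process, and a service ImagePath.
SAMPLE_EVENTS = [
    {"source": "process_create", "field": "Image",
     "value": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$RL8A0B5.exe"},
    {"source": "registry_set", "field": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\$RECYCLE.BIN\S-1-5-21-1111-2222-3333-1001\updater.exe"},
    {"source": "process_create", "field": "Image",
     "value": r"C:\Windows\System32\svchost.exe"},
    {"source": "service_install", "field": "ImagePath",
     "value": r'"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$RABCDEF.exe" -k netsvcs'},
]


def find_recycle_bin_references(events):
    """Flag execution or persistence fields that point into $Recycle.Bin.

    Explorer shows the bin read-only, but the command line, autoruns and services
    take a path as-is, so any such reference deserves a look. A name that does not
    follow the shell's $I/$R pattern was not placed there by the Recycle Bin.
    """
    findings = []
    for ev in events:
        for m in _BIN_PATH.finditer(ev["value"]):
            name = m.group("name")
            shell_named = bool(_SHELL_NAME.match(name)) or name.lower() == "desktop.ini"
            findings.append({
                "source": ev["source"], "field": ev["field"], "sid": m.group("sid"),
                "name": name, "shell_named": shell_named,
                "note": ("recycled item referenced for execution" if shell_named
                         else "file placed under $Recycle.Bin by hand"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_recycle_bin_references(SAMPLE_EVENTS):
        print(finding)
```

The two regular expressions are deliberately narrow: they match the per-user folder layout, so a file named $Recycle.Bin somewhere else on the disk is not reported.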

Let me show you with an example. I put a pcap file named "dns" in the Recycle Bin.

Our Pcap in the GUI Recycle Bin

As shown above, I can only view the properties when I double-click the file in the GUI Recycle Bin.

Let's access the Recycle Bin using the command line.

Contents of Recycle Bin through Command Line

From the image above, we can see that my pcap file has been renamed to $RL8A0B5 and that a $IL8A0B5 file has been created. That $I file contains information about the original location of my dns.pcap file, as shown below.

Getting the pcap original location through $IL8A0B5 file

Let's try to execute the $RL8A0B5 file.

Executing the pcap from Recycle Bin through Command Line
Execution of the pcap in Wireshark
Capture File Properties showing the origin of the pcap file

We can see from the screenshots above that we were able to execute the pcap even though it was in the Recycle Bin.

Make sure to inspect your Recycle Bin from time to time. Attackers can use it against you.


Let's now talk about what happens when you delete a file (we are no longer talking about the Recycle Bin). When a file is deleted from the system, its MFT entry is marked as free and may be reused. However, the information about the file remains in the MFT, allowing it to be recovered if necessary. So, as long as the MFT entry is not reused by another object, we can still get information about the deleted file by parsing the MFT. In practical terms, at a high level:

  • The $BITMAP attribute (0xB0) of the $MFT is updated, marking the MFT entry as free to be reused by another object
  • The journaling files $UsnJrnl and $LogFile are updated with information about the deletion of the file
  • The $I30 index of the parent directory is updated, so the file may no longer be indexed by its parent directory
  • $Bitmap, the cluster bitmap, is updated, marking the clusters allocated to the file as free to be used again; the file's data in those clusters can therefore be overwritten
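The MFT description earlier in the article and the deletion steps just listed come together in one parser. The following is an added example, not code from the article: it constructs a 1024-byte MFT FILE record for a small resident file, applies the update-sequence fixups a real parser must undo, walks the attribute list, and shows that after deletion (in-use flag cleared, $BITMAP bit cleared) the $FILE_NAME attribute, the parent-directory reference and even resident $DATA are still readable until the record is reused. Record number 40, the payload bytes and the bitmap are constructed values; the on-disk layouts are the standard NTFS ones.

```python
import struct

STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002
SECTOR, RECORD_SIZE = 512, 1024


def apply_fixups(record: bytes) -> bytearray:
    """Undo update-sequence fixups. NTFS stamps the last two bytes of every sector
    with the USN and keeps the real bytes in the fixup array; a mismatch means a
    torn write and the record must not be trusted."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 0x04)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at end of sector {i - 1}")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf


def parse_file_name(content: bytes) -> dict:
    """$FILE_NAME (0x30): parent reference, four timestamps, sizes, then the name."""
    parent_ref = struct.unpack_from("<Q", content, 0x00)[0]
    real_size = struct.unpack_from("<Q", content, 0x30)[0]
    name_len, namespace = content[0x40], content[0x41]
    return {"parent_entry": parent_ref & 0xFFFFFFFFFFFF, "parent_seq": parent_ref >> 48,
            "real_size": real_size, "namespace": namespace,
            "name": content[0x42:0x42 + 2 * name_len].decode("utf-16-le")}


def parse_mft_record(record: bytes) -> dict:
    """Walk one FILE record and collect what a deleted entry still tells us."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    buf = apply_fixups(record)
    seq, links, first_attr, flags, used = struct.unpack_from("<HHHHI", buf, 0x10)
    entry = {"record_number": struct.unpack_from("<I", buf, 0x2C)[0], "sequence": seq,
             "hard_links": links, "in_use": bool(flags & FLAG_IN_USE),
             "is_directory": bool(flags & FLAG_DIRECTORY), "used_size": used,
             "file_names": [], "resident_data": None}
    off = first_attr
    while off + 8 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == END_MARKER or alen == 0:
            break
        if buf[off + 8] == 0:                       # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            content = bytes(buf[off + coff:off + coff + clen])
            if atype == FILE_NAME:
                entry["file_names"].append(parse_file_name(content))
            elif atype == DATA:
                entry["resident_data"] = content
        off += alen
    return entry


def mft_bitmap_allocated(bitmap: bytes, record_number: int) -> bool:
    """$MFT's own $BITMAP attribute (0xB0): one bit per record, least-significant bit first."""
    return bool(bitmap[record_number // 8] >> (record_number % 8) & 1)


def _resident_attr(atype: int, content: bytes) -> bytes:
    body = content + b"\x00" * (-len(content) % 8)    # attribute lengths are 8-byte aligned
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0, 0) + body


def build_record(rec_no: int, name: str, parent_ref: int, data: bytes, in_use: bool) -> bytes:
    """Construct a 1024-byte FILE record (a test fixture, not bytes from a real $MFT)."""
    fn = (struct.pack("<Q", parent_ref) + b"\x00" * 0x20 + struct.pack("<QQII", len(data), len(data), 0, 0)
          + bytes([len(name), 3]) + name.encode("utf-16-le"))
    attrs = (_resident_attr(STANDARD_INFORMATION, b"\x00" * 0x30) + _resident_attr(FILE_NAME, fn)
             + _resident_attr(DATA, data) + struct.pack("<II", END_MARKER, 0))
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    buf = bytearray(RECORD_SIZE)
    buf[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                             FLAG_IN_USE if in_use else 0, first_attr + len(attrs), RECORD_SIZE, 0, 0, 0, rec_no)
    buf[first_attr:first_attr + len(attrs)] = attrs
    struct.pack_into("<H", buf, usa_off, 1)            # USN = 1
    for i in range(1, usa_count):                      # stamp sector ends, saving the originals
        end = i * SECTOR
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[end - 2:end]
        buf[end - 2:end] = b"\x01\x00"
    return bytes(buf)


if __name__ == "__main__":
    ROOT_REF = (5 << 48) | 5                   # MFT entry 5 is the root directory; sequence made up
    PAYLOAD = b"constructed-pcap-bytes"        # made-up resident $DATA content
    deleted = build_record(40, "dns.pcap", ROOT_REF, PAYLOAD, in_use=False)
    entry = parse_mft_record(deleted)
    bitmap = bytes(8)                          # bit 40 cleared: the entry is free for reuse
    print("in use:", entry["in_use"], "bitmap allocated:", mft_bitmap_allocated(bitmap, 40))
    print("still recoverable:", entry["file_names"][0]["name"], entry["resident_data"])
```

The torn-write check matters in practice: a record whose sector-end bytes disagree with the USN was mid-update when the image was taken, and its attributes should be reported as unreliable rather than silently parsed.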

Those are, at a high level, the background activities that occur in NTFS when an object is deleted.

I hope you enjoyed the read! This is my first ever article and hopefully not the last.

LinkedIn: www.dhirubhai.net/in/steven-dejean



Muhammed Tayyib Umar Kuta

Systems Administrator | Oracle DBA & Data Analyst | Junior Penetration Tester | IT Security & Forensic Analyst

2 months

Very educative indeed, Sir! Please, Steven Dejean, I would appreciate it if you could provide me some guidance on this: I have an NTFS boot sector file in a hexdump and I was able to identify the exact location of the NTFS boot sector from the GPT (i.e. using the GPT starting LBA address to deduce the start of the NTFS partition volume). I have equally identified the location of the MFT in the NTFS boot sector (i.e. bytes 48–55). Now, how would I identify, navigate to and reach the exact location of the MFT entry for the root folder from the beginning of the MFT indicated above? And how would I reach the exact location of the MFT entry for a specific file FROM the root folder MFT entry? Does it go through any intermediate clusters? And finally, from the MFT entry of that file, how would I reach its contents using the same process? Thank you very much. I would really appreciate your guidance and input.

M'paka Kossi NAPO

Blue Teamer | Cybersecurity Analyst | Network & Security Engineer | aspiring DFIR professional

1 year

Your article is very informative, Steven Dejean. I have a question: the file that has been deleted can be recovered as long as its MFT entry is still free, if I'm not wrong. If the MFT entry of this file has been reused by another file, can we still recover it?

Sparsh Mehta

Analyst @CrowdStrike | Red Team Enthusiast | CISSP (Associate), AWS & eJPT

1 year

Great job with your first article on your blog. I definitely hope that this won't be your last.

Gbati Manafe ALLASSANI

Cybersecurity Analyst | Hackerlab 2022 Finalist

1 year

Congratulations uncle, well explained

Badéra Isidore ALI

Penetration Tester | CRTP | eCPPTv2 | eJPT

1 year

Very good and insightful
