_Written During August 2022_
_Published on May 09, 2024_
---
##### Abstract
The user of a machine may occasionally delete a file unintentionally. Recovering that data quickly and easily can be essential when the file is needed for an immediate task. FDRecovery is a data recovery solution for users who have unintentionally deleted files on the NTFS file system; it works by reusing the file system's own metadata structures. When a file is deleted on NTFS, its MFT entry is merely marked as free, while the cluster pointers (the run list) stored in that entry are left intact. FDRecovery follows those pointers to recover the file's data.
##### Introduction
When a file is deleted by some process on a storage device formatted with NTFS, the file's data are not altered in any way: they remain on the device in the same location as before, and the pointers to those data blocks are preserved as well. Although this makes file recovery relatively simple, the location of those pointers must be known in order to use them. FDRecovery is an efficient, time-sensitive, file-level, automated data recovery tool built on this preserved metadata. Many other tools [1, 2, 3] instead search through all of the data on the storage device and recognize structures associated with specific file formats in order to recover the files they recognize. This process is known as data carving [5], and the goal of such tools is typically to recover every file on a storage device. Although these tools are very comprehensive, they have limitations which make other recovery methods worth exploring. First, they can only recover a limited set of file formats, since they must be able to recognize the structure of each format. Second, compared to metadata-based solutions they are slow and inefficient, because they must read the entire storage device before anything can be recovered. Third, a carved file is not tied to its original metadata such as its name, so the tool cannot present meaningful options and the user cannot easily tell which recovered file holds the desired data. Our tool, FDRecovery, uses a metadata-based recovery approach instead.
This gives a more efficient, though less comprehensive, recovery tool which makes the desired files easier to identify, and is therefore better suited to the average user who has accidentally deleted specific files and needs them back in a time-sensitive manner.
##### Background
###### NTFS Structure Overview
An NTFS volume is organized into two regions: the boot sector and the file area. The boot sector is the first sector of the partition; it defines the sector size in bytes and the number of sectors per cluster, records the cluster number (LCN) at which the $MFT (master file table) begins, and gives the size of one MFT entry (1024 bytes on virtually all volumes). Everything after the boot sector is file data, and all file system metadata are themselves stored in special files. One of these is the $MFT, which holds one MFT entry for every file and directory on the volume. Each entry is a list of attributes describing that file. The attributes relevant to recovery are $FILE_NAME, which holds the file's name, and $DATA, which holds the file's contents: for small files the content is stored directly inside the entry (resident), while for larger files the attribute instead holds a run list of (starting cluster, length) pairs that point to where on the storage device the data are stored (non-resident). [4]
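As an added illustration (not code from FDRecovery or from the NTFS documentation cited above), the following Python reads the boot-sector fields named in this section and turns them into the byte offset of the $MFT and the size of one MFT entry. The `make_boot_sector` helper builds a constructed boot sector for testing; the field offsets and the signed-byte encodings are the standard on-disk NTFS ones, which the page does not spell out.

```python
import struct


def parse_boot_sector(bs: bytes) -> dict:
    """Locate the $MFT from an NTFS boot sector (the first sector of the partition)."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    spc = bs[0x0D]
    # Clusters larger than 64 KiB (Windows 10 1709+) store 2**(256 - value) here instead of a plain count.
    sectors_per_cluster = 1 << (256 - spc) if spc > 0x80 else spc
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]
    # Signed byte: a negative value n means each MFT record is 2**(-n) bytes (usually -10 -> 1024);
    # a positive value is a count of clusters per record.
    cpr = struct.unpack_from("<b", bs, 0x40)[0]
    record_size = 1 << -cpr if cpr < 0 else cpr * cluster_size
    return {"cluster_size": cluster_size, "mft_offset": mft_lcn * cluster_size, "record_size": record_size}


def make_boot_sector(bytes_per_sector: int, spc_byte: int, mft_lcn: int, cpr_byte: int) -> bytes:
    """Constructed boot sector for testing; only the fields parse_boot_sector reads are filled in."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = spc_byte
    struct.pack_into("<Q", bs, 0x30, mft_lcn)
    struct.pack_into("<b", bs, 0x40, cpr_byte)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def read_mft_entry0(image_path: str) -> bytes:
    """Read MFT entry 0 (the $MFT file's own record) from a raw partition image."""
    with open(image_path, "rb") as f:
        geom = parse_boot_sector(f.read(512))
        f.seek(geom["mft_offset"])
        return f.read(geom["record_size"])


if __name__ == "__main__":
    # A typical 4 KiB-cluster volume: $MFT at cluster 786432 = byte offset 3 GiB, 1 KiB records.
    print(parse_boot_sector(make_boot_sector(512, 8, 786432, -10)))
```

`read_mft_entry0` is the only step that touches a real device; point it at a raw image (or a block device opened read-only) and everything after it can be done on the returned bytes.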
###### NTFS File Deletion
When a file is deleted on NTFS, its data are left on disk. The most intuitive way to retrieve them after deletion is therefore to go back to the metadata that described the file and read the data they point to, and on NTFS this approach works. Deletion makes only small changes to the metadata: the in-use flag in the header of the file's MFT entry is cleared, so the entry is marked as free; the file's name is removed from the parent directory's index; and the file's clusters are marked free in the $Bitmap file so that they may be reused. The attributes inside the MFT entry, including $FILE_NAME and the $DATA run list, are not touched until the entry is reused. These limited changes make file recovery a fairly straightforward process, provided the freed entries can be found.
##### FDRecovery Design
###### Deleted MFT Entry Identification
The central problem in recovering a file on NTFS is finding the MFT entry which contains the deleted file's cluster pointers. FDRecovery presents all deleted files to the user as recovery options, so it must obtain a list of all deleted files. The feature it relies on is that deletion merely marks the MFT entry as free. First, it is necessary to locate the $MFT file. Its position can be computed from the boot sector (bytes per sector, sectors per cluster, and the $MFT starting cluster). Once the $MFT is located, its first entry (entry 0) is the entry for the $MFT itself. The $MFT is frequently fragmented, so the run list in that entry's $DATA attribute is followed to find the remaining portions of the table. Each entry in the table is then examined: an entry that carries the "FILE" signature but whose in-use flag is cleared belongs to a deleted file and is added to the list (entries that have never been used are typically zeroed and carry no signature). Since the entry still contains the file name in its $FILE_NAME attribute, that name can be presented to the user as well.
###### Recovery Process
Once the list of MFT entries for deleted files has been obtained, the user selects the files to recover by name. For each selected entry, FDRecovery follows the run list in the entry's $DATA attribute, reads the referenced clusters and truncates the result to the recorded file size; if the data are resident, they are copied straight out of the entry.
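The deletion behaviour from the Background section, the identification step above, and this recovery step, carried through on one MFT entry, as an added example in Python (this is not FDRecovery's own code). The MFT entry and the 64-cluster volume image are constructed inside the block: a 1300-byte file deliberately split across two runs (clusters 20-21, then cluster 10) so that the signed, relative run-list offsets are exercised. Field offsets, the fixup (update sequence) mechanism and the run-list encoding are the standard NTFS on-disk formats; the entry builder fills only the fields the parser reads.

```python
import struct

CL = 512                      # bytes per cluster on the constructed volume (1 sector per cluster)
IN_USE = 0x01                 # bit 0 of the MFT entry flags word (offset 0x16); cleared on deletion
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(entry: bytes, sector: int = 512) -> bytes:
    """Undo the update-sequence protection: the driver stores the update sequence number (USN)
    in the last two bytes of every sector and keeps the real bytes in the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", entry, 4)
    usn, buf = entry[usa_off:usa_off + 2], bytearray(entry)
    for i in range(1, usa_count):
        end = i * sector
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or not an MFT record")
        buf[end - 2:end] = entry[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def attributes(entry: bytes):
    """Yield (type, attribute record) until the 0xFFFFFFFF end marker."""
    off = struct.unpack_from("<H", entry, 0x14)[0]
    while off + 8 <= len(entry):
        atype, alen = struct.unpack_from("<II", entry, off)
        if atype == ATTR_END or alen == 0:
            break
        yield atype, entry[off:off + alen]
        off += alen

def resident_value(attr: bytes) -> bytes:
    vlen, voff = struct.unpack_from("<IH", attr, 0x10)
    return attr[voff:voff + vlen]

def decode_runs(runlist: bytes) -> list:
    """Run list -> [(lcn, clusters)]; lcn is None for a sparse run. Offsets are signed deltas."""
    runs, lcn, pos = [], 0, 0
    while pos < len(runlist) and runlist[pos]:
        len_sz, off_sz = runlist[pos] & 0x0F, runlist[pos] >> 4
        length = int.from_bytes(runlist[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:
            lcn += int.from_bytes(runlist[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, length))
        pos += 1 + len_sz + off_sz
    return runs

def recover(entry: bytes, volume: bytes) -> dict:
    """Parse one MFT entry; report whether it is deleted, its name, and the bytes of its main stream."""
    entry = apply_fixups(entry)
    flags = struct.unpack_from("<H", entry, 0x16)[0]
    info = {"deleted": not flags & IN_USE, "name": None, "data": b""}
    for atype, attr in attributes(entry):
        if atype == ATTR_FILE_NAME:
            val = resident_value(attr)
            info["name"] = val[0x42:0x42 + 2 * val[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and attr[9] == 0:          # unnamed stream = the file's main data
            if attr[8] == 0:                               # resident: the data sit inside the entry
                info["data"] = resident_value(attr)
                continue
            run_off = struct.unpack_from("<H", attr, 0x20)[0]
            real_size = struct.unpack_from("<Q", attr, 0x30)[0]
            out = bytearray()
            for lcn, n in decode_runs(attr[run_off:]):
                out += bytes(n * CL) if lcn is None else volume[lcn * CL:(lcn + n) * CL]
            info["data"] = bytes(out[:real_size])           # drop slack beyond the real size
    return info

# --- constructed test data (not from a real disk): one 1024-byte entry and a 64-cluster volume ---
def _attr(atype: int, header: bytes, body: bytes) -> bytes:
    rec = struct.pack("<II", atype, 0) + header + body
    rec += bytes(-len(rec) % 8)                            # attribute records are 8-byte aligned
    return rec[:4] + struct.pack("<I", len(rec)) + rec[8:]

def build_entry(name: str, runlist: bytes, real_size: int, in_use: bool) -> bytes:
    fn_val = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")   # timestamps left zero
    clusters = sum(n for _, n in decode_runs(runlist))
    attrs = (_attr(ATTR_FILE_NAME, struct.pack("<BBHHHIHBB", 0, 0, 0, 0, 0, len(fn_val), 0x18, 0, 0), fn_val)
             + _attr(ATTR_DATA, struct.pack("<BBHHHQQHHIQQQ", 1, 0, 0, 0, 1, 0, clusters - 1, 0x40, 0, 0,
                                            clusters * CL, real_size, real_size), runlist)
             + b"\xff\xff\xff\xff")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, IN_USE if in_use else 0,
                      0x38 + len(attrs), 1024, 0, 2, 0, 42)
    rec = bytearray((hdr + bytes(8) + attrs).ljust(1024, b"\0"))
    usn = b"\x11\x22"                                      # protect both sectors as the driver would
    rec[0x30:0x32] = usn
    for i, end in ((1, 512), (2, 1024)):
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end - 2:end] = rec[end - 2:end], usn
    return bytes(rec)

PAYLOAD = b"".join(b"line %04d\n" % i for i in range(130))          # 1300 bytes, deliberately fragmented
RUNLIST = b"\x11\x02\x14" + b"\x11\x01\xf6" + b"\x00"                # 2 clusters at LCN 20, then 1 at LCN 10
VOLUME = bytearray(64 * CL)
VOLUME[20 * CL:22 * CL], VOLUME[10 * CL:10 * CL + 276] = PAYLOAD[:1024], PAYLOAD[1024:]
DELETED_ENTRY = build_entry("notes.txt", RUNLIST, len(PAYLOAD), in_use=False)

if __name__ == "__main__":
    info = recover(DELETED_ENTRY, VOLUME)
    print(info["name"], "deleted" if info["deleted"] else "in use", len(info["data"]), "bytes recovered")
```

On a real volume the same `recover` is first applied to entry 0 with the cluster size taken from the boot sector, its `data` is the whole $MFT, and the table is then walked in `record_size` steps, keeping every record that starts with `FILE` and comes back with `deleted` set. The fixup check is not optional: without it the last two bytes of each sector are the USN, and a run list or file name that happens to straddle a sector boundary decodes to garbage.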
##### Limitations
This recovery method has a few limitations that stem from file system behaviour. First, the recovered file may be corrupt, or its metadata may be gone entirely. Deletion returns the file's clusters and its MFT entry to the free pool, so a file created later may overwrite the deleted file's data, and if the MFT entry itself is reused, the name and run list are lost with it. We have also observed on one storage device that the data for deleted files were zeroed out, which made the data unrecoverable in that case. We were not able to reproduce this artificially and are unsure what caused it.
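One check a practitioner would want before trusting a recovered file, added here as an example and not part of FDRecovery as described: consult the $Bitmap file (MFT entry 6, read through its $DATA attribute like any other file), in which NTFS keeps one bit per cluster marking whether it is allocated. Any cluster of a deleted file's run list whose bit is set again has been handed to another file and may already hold that file's data. The bitmap and run list below are constructed sample data.

```python
def reallocated_clusters(runs, bitmap: bytes) -> list:
    """Clusters from a deleted file's run list that $Bitmap now marks as allocated.
    $Bitmap holds one bit per cluster, LSB first: cluster c -> byte c // 8, bit c % 8 (1 = in use)."""
    busy = []
    for lcn, count in runs:
        if lcn is None:                         # sparse run: never backed by disk clusters
            continue
        for c in range(lcn, lcn + count):
            if (bitmap[c >> 3] >> (c & 7)) & 1:
                busy.append(c)
    return busy


def recoverability(runs, bitmap: bytes) -> str:
    """Coarse verdict for the user: 'intact', 'partially overwritten' or 'overwritten'."""
    total = sum(count for lcn, count in runs if lcn is not None)
    busy = len(reallocated_clusters(runs, bitmap))
    if busy == 0:
        return "intact"
    return "overwritten" if busy == total else "partially overwritten"


# Constructed sample (not from a real disk): a 64-cluster volume whose $Bitmap marks clusters 0-15
# and 21 as allocated, and a deleted file whose run list was (LCN 20, 2 clusters), (LCN 10, 1 cluster).
SAMPLE_BITMAP = bytes([0xFF, 0xFF, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00])
SAMPLE_RUNS = [(20, 2), (10, 1)]

if __name__ == "__main__":
    print(reallocated_clusters(SAMPLE_RUNS, SAMPLE_BITMAP), recoverability(SAMPLE_RUNS, SAMPLE_BITMAP))
```

A set bit is a warning, not proof: the new owner may not have written its clusters yet. A clear bit is likewise no guarantee, as the zeroing observed above shows, so the verdict is best shown to the user alongside the file rather than used to hide it.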
##### References
[1] CGSecurity. "TestDisk." CGSecurity, 27 Oct. 2019, https://www.cgsecurity.org/wiki/TestDisk.
[2] CGSecurity. "PhotoRec." CGSecurity, 23 July 2019, https://www.cgsecurity.org/wiki/PhotoRec.
[3] Foremost. http://foremost.sourceforge.net/.
[4] "NTFS Documentation." Linux-NTFS project, https://flatcap.github.io/linux-ntfs/ntfs/index.html.
[5] Pal, Anandabrata, and Nasir Memon. "The Evolution of File Carving." IEEE Signal Processing Magazine, vol. 26, 2009, pp. 59-71, doi:10.1109/MSP.2008.931081.