Knowledgebase: E3
Fylesystem Properties (NTFS)
Posted by Jack H. Ward, Last modified by Jack H. Ward on 05 February 2018 03:59 AM

Filesystem/Folder Properties

When you click the node, its properties are displayed in the Properties pane. Depending on the type, the nodes have the following properties:

 

Property name

Comments

File system node (NTFS)

Bytes per File Record

Number of bytes for each record in the MFT (master file table)

Cluster per File Record

Number of clusters for each record in the MFT.

MFT Data Length

Length of the MFT in bytes

MFT Start Cluster

The cluster from which the MFT starts

MFT2 Start Cluster

The cluster from which the MFT mirror starts

MFT Zone End

The first and the last clusters of the MFT zone.

When an NTFS volume is first set up, the operating system reserves about 12.5% of the disk space immediately following the MFT; this is called the "MFT Zone".Regular files and directories will not use this space until and unless the rest of the disk volume space is consumed, but if that occurs, the "MFT Zone" will be used.

MFT Zone Start

Bytes per Cluster

Number of bytes per cluster in the logical disk

Bytes per Sector

Number of bytes per sector in the logical disk

Sectors Number

The number of sectors in the logical disk. Please note, that even if a folder is added as evidence this value corresponds to the entire logical disk.

Total Cluster Number

The number of clusters in the logical disk. Please note, that even if a folder is added as evidence, this value corresponds to the entire logical disk.

Version

The version of the NTFS file system.

There are several versions of NTFS: v1.2 is used with Windows NT 3.51 and Windows NT 4.0, v3.0 is used with Windows 2000, v3.1 with Windows XP and Windows Server 2003. Sometimes the latest versions are marked as v4.0, v5.0 and v5.1 according to versions of Windows NT.

Volume Serial Number

The serial number of the disk volume.

Subfolder node (NTFS)

File System Attributes

Archive

This property is True for the folders that were not archived.

When the backup software backs up ("archives") the file, it clears the archive bit (makes it zero). Any software that modifies the file subsequently, is supposed to set the archive bit. Then, the next time that the backup software is run, it knows by looking at the archive bits which files have been modified, and therefore which need to be backed up.

Compressed

This property is True if the folder is compressed.

NTFS can compress files using a variant of the LZ77 algorithm (also used in the popular ZIP file format).

Directory

This property is True for the folders.

This is the property that differentiates between entries that describe files and those that describe subdirectories within the current directory.

Encrypted

This property is True if the folder is Encrypted.

Files and folders in the NTFS filesystem can be encrypted with  the help of EFS (encrypting file system). It is a file system driver that provides filesystem-level encryption in Microsoft Windows (2000 and later) operating systems. The technology enables files to be transparently encrypted on NTFS file systems to protect confidential data from attackers with physical access to the computer.

Hidden

This property is True if the folder is Hidden.

Hidden files are hidden from an ordinary directory listing.

No Content Sorted

This property is True if the Windows Indexing Service is not allowed to index the folder, otherwise the property is False.

Windows indexing service is an operating system level service that maintains an index of most of the files on a computer and updates them without user intervention.

Offline

If this attribute is False, the folder will not be physically available while working offline. When working in network environment with files stored remotely, they are only physically available while a connection to this remote data storage persists. After turning off the remote computer or disconnecting the portable device from the network, files stored remotely become physically unavailable.

However, with synchronization tools it is possible to create local copies of those network files. In this case, files cached locally are marked offline which means that they are not original files while it is still possible to work with them.

Read Only

This property is True if the folder is Read Only.

The Read Only folders cannot easily be edited or deleted.

Reparse Point

This property is True if the folder is a reparse point.

When the object manager parses a file system name lookup and encounters a reparse attribute, it knows to reparse the name lookup, passing the user controlled reparse data to every file system filter driver that is loaded into Windows 2000. Each filter driver examines the reparse data to see if it is associated with that reparse point and, if that filter driver determines a match, then it intercepts the file system call and executes its special functionality. Reparse points are used to implement Volume Mount Points, Directory Junctions, Hierarchical Storage Management, Native Structured Storage and Single Instance Storage.

Sparse File

This property is True for sparse files. It's always False for folders.

System

This property is True for the system folders.

The System file property is used to tag important folders that are used by the system and should not be altered or removed from the disk.

General properties (displayed in the group with the Folder name)

Allocated size (bytes)

This value is 0 for folders.

Complete File Size (bytes)

This value is 0 for folders.

Creation Time

Folder creation time

DOS

DOS folder name (8 characters)

File Size (bytes)

This value is 0 for folders.

Deleted

This property is Yes for deleted folders that were restored.

Last Access Time

Time of last access to the folder

Last Change Time

Time of last change of the MFT record concerning the folder

Last Modification Time

Time of the last folder modification

MFT Number

Number of the MFT record for the folder

Namespace

The namespace to which the folder name belongs

Windows

Windows folder name



File properties are displayed in the Properties pane when the file is selected from the Data View pane. File properties are displayed both for existing and deleted files.

Each file in evidence with an NTFS filesystem has the following properties:

Property

Comments

Filesystem Attributes

Archive

This property is True for the files that were not archived.

When the backup software backs up ("archives") the file, it clears the archive bit (makes it zero). Any software that modifies the file subsequently, is supposed to set the archive bit. Then, the next time that the backup software is run, it knows by looking at the archive bits which files have been modified, and therefore which need to be backed up

Compressed

This property is True if the file is compressed.

NTFS can compress files using a variant of the LZ77 algorithm (also used in the popular ZIP file format).

Directory

This property is False for the files.

This is the property that differentiates between entries that describe files and those that describe subdirectories within the current directory.

Encrypted

This property is True if the file is Encrypted.

Files and folders in the NTFS filesystem can be encrypted with  the help of EFS (encrypting file system). It is a file system driver that provides filesystem-level encryption in Microsoft Windows (2000 and later) operating systems. The technology enables files to be transparently encrypted on NTFS file systems to protect confidential data from attackers with physical access to the computer.

Hidden

This property is True if the file is Hidden.

Hidden files are hidden from an ordinary directory listing.

No Content Sorted

This property is True if the Windows Indexing Service is not allowed to index the file, otherwise the property is No.

Windows indexing service is an operating system level service that maintains an index of most of the files on a computer and updates them without user intervention.

Offline

If this attribute is false, the file will not be physically available while working offline. When working in network environment with files stored remotely, they are only physically available while connection to this remote data storage persists. After turning off the remote computer or disconnecting portable device from the network, files stored remotely become physically unavailable.

However, with synchronization tools it is possible to create local copies of those network files. In this case files cached locally are marked offline which means that they are not original files while it is still possible to work with them.

Read Only

This property is True if the file is Read Only.

The Read Only files cannot be edited or deleted in a common way.

Reparse Point

This property is True if the file is a reparse point.

When the object manager parses a file system name lookup and encounters a reparse attribute, it knows to reparse the name lookup, passing the user controlled reparse data to every file system filter driver that is loaded into Windows 2000. Each filter driver examines the reparse data to see if it is associated with that reparse point, and if that filter driver determines a match then it intercepts the file system call and executes its special functionality. Reparse points are used to implement Volume Mount Points, Directory Junctions, Hierarchical Storage Management, Native Structured Storage and Single Instance Storage.

Sparse File

This property is True for the sparse files.

Sparse files are files which contain sparse data sets, data mostly filled with zeroes. For efficient storage of sparse files the applications are allowed to specify regions of empty (zero) data. An application that reads a sparse file reads it in the normal manner with the file system calculating what data should be returned based upon the file offset.

System

This property is True for the system files.

The System file property is used to tag important files that are used by the system and should not be altered or removed from the disk.

Namespace

DOS

DOS filename (8 characters)

Namespace

The namespace to which the filename belongs.

Windows

Windows filename

NTFS

Deleted

This property is Yes for the deleted files that were restored.

MFT Number

Number of the MFT record.

Size (bytes)

Allocated size (bytes)

The allocated length of a file is the amount of disk space the file is taking up. It is a multiple of the cluster size.

Complete File Size (bytes)

Real file size.

File Size (bytes)

Size of the selected file. As a rule File Size is equal to the Complete File Size. But if the file contains ADS the File Size can be in times smaller than the Complete File Size.

Time

Creation Time

Time of file creation.

Last Access Time

Time of the last access to the file.

Last Change Time

Time of the last MFT record change.

Last Modification Time

Time of the last file modification.

After double clicking a file, it becomes parsed and appears in the Case Content tree.

The attributes of parsed NTFS files become parsed and can be viewed in the Data View pane in the grid.

The most common attributes  (these attributes are present in almost all files):

  • $DATA: Data stored in the file. The contents of the file can be viewed in the Hex, Text and File viewers. Please note: you will see the same data when you simply click the unparsed file in the Data View There is also the special attributes of the file contents such as: Compressed, Encrypted, Sparse file, Lowest VCN, Highest VCN, Valid Data length, Total allocated.  These attributes are displayed in the corresponding columns in the Data View pane.
  • $FILE_NAME: The name of the file including the extension. The file can have two filenames: DOS filename (8 characters) and Windows filename.
  • $FILE_SLACK: The file slack.  It can be viewed in the Hex and Text viewers.
  • $STANDARD_INFORMATION: File properties such as: Read only, Hidden, System, Volume ID, Archive, Device. This data in the parsed form is displayed in the corresponding columns of the Data View.
  • $OBJECT_ID: A unique ID assigned to the file. Object ID was introduced in Windows 2000. Every MFT Record is assigned a unique GUID.

An NTFS file can have more file attributes. All attributes of the parsed file are displayed in the Data View pane in the grid. Depending on the type of the parsed part, there will be file information in the corresponding columns.

 





Attachments 
 
 Filesystem properties (NTFS).png (15.10 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)