Consistency Check

Consistency checks are used in an investigation to identify corrupt images or to detect tampering. This section covers some of the checks that can be performed on an NTFS file system image. The first check is the boot sector. An NTFS boot sector has little data in it, but Microsoft enforces that some of the unused values should be zero. I have found that there are frequently many unused clusters after the boot code in the $Boot file.

As with other file systems, the clusters that have been marked as bad in the $BadClus file should be examined because many hard disks fix the bad clusters before the file system recognizes them.

The $MFT file, the file for the MFT itself, only grows in size with Windows. An advanced attacker could try to make the table very long and hide data at the end of it, but they risk having the data overwritten when new files are created. The first 16 MFT entries are reserved, and several are not currently used. Metadata structures that are reserved and unused have historically been used with other file systems to hide data, and the same could occur with an NTFS file system.

Each cluster that is allocated must be part of a cluster run to a file. Every allocated NTFS cluster is part of a file or directory, and a consistency check should verify that. Each allocated MFT entry must have its in use flag and its bit in the $BITMAP attribute set. Each allocated MFT entry also must have a directory index entry for each of its file names. Even file system metadata files have a name in the root directory.

For each directory index entry and MFT entry, there are so many flags and options for each entry that it is not worth giving a list of every flag to check. One of the difficulties with NTFS is that it is very flexible and can support many options. Without an official specification, which value combinations are valid and which are invalid is unknown.