
Monday, March 12, 2007

Encryption

NTFS supports encryption, which keeps a file or folder safe from intruders who are not authorized to access it. When a file or folder is encrypted, an unauthorized user receives an error message on trying to open, copy, move or rename it (deleting is governed by NTFS permissions, not by encryption: a user who has delete permission can still delete an encrypted file). For the authorized user and for any application, encryption is transparent: the file is decrypted automatically when it is opened and re-encrypted when it is saved, with no interaction required. The whole encryption/decryption process happens automatically as long as the file or folder carries the encrypted attribute.

What is encryption actually? Encryption converts data into ciphertext so that its content is hidden from anyone who does not hold the right key. The technology that encrypts files on NTFS is called the Encrypting File System (EFS); it is available in Windows 2000 and later, and only on NTFS volumes. The first time you encrypt a file or folder, Windows issues you an EFS certificate with a randomly generated key pair (a public key and a private key; the certificate is self-signed if there is no certificate authority). This key pair does not encrypt the file data itself. For every encrypted file, EFS generates a random symmetric file encryption key (FEK), encrypts the file contents with it (DESX on Windows 2000 and XP RTM, AES-256 from XP SP1 onwards), and then encrypts the FEK with your public key; the result is stored with the file in a data decryption field (DDF). If data recovery agents are configured, the FEK is also encrypted with each agent's public key and stored in a data recovery field (DRF). Opening the file means unwrapping the FEK with your private key and decrypting the contents, and Windows does this without asking you anything.

Why was EFS created? NTFS permissions restrict access to a file or folder, but they are enforced by the running Windows kernel. If an attacker gains physical access, removes the hard disk and mounts it on another Windows system, any administrator there can take ownership of the files and ignore the previous permissions. This is where EFS comes in: the file contents stay unreadable because the attacker does not hold a private key that can unwrap the FEK. To the user who encrypted the file it looks like a normal file, with no decryption procedure to go through. Other users, including administrators, cannot read it, and taking ownership does not help: ownership changes the permissions, not the keys. The exceptions are the users you explicitly add to the file (see below) and any data recovery agent (on Windows 2000 the Administrator account is a recovery agent by default; on a stand-alone Windows XP machine there is none unless you configure one). Bear in mind what the protection rests on: your private key is protected by a key derived from your logon password, so a weak password can be cracked offline and then used to decrypt everything, and EFS encrypts file contents only, not file names.

I'll show you how to use EFS on Windows XP Professional (Home Edition does not include EFS). Before using EFS you need your own account, protected by a password. When you encrypt a file, it is accessible only to your account; other users have no access to it. Bear in mind that you must lock your workstation when you are away, because while you are logged on the files are decrypted transparently for anyone sitting at your keyboard. It is strongly recommended that you designate a specific folder for all your encrypted data, because every file created in or moved into an encrypted folder automatically gets the encrypted attribute. Let's say you created such a folder. To encrypt a folder and its current contents, follow these steps:

1. Right-click the folder and click Properties.

2. In the properties dialog box, click Advanced.

3. In the Advanced Attributes dialog box, check the Encrypt contents to secure data check box and then click OK. Note that NTFS cannot compress and encrypt the same object at the same time, so you can check only one of the two boxes.

4. Click OK once again to close the Advanced Attributes dialog box.

5. In Confirm Attribute Changes, choose whether to apply the change to this folder only or to the folder, its subfolders and files. (This prompt appears only when encrypting a folder that contains files, not when encrypting a single file.)


After you encrypt the folder, its name is shown in green. To decrypt an encrypted folder or file, follow the same steps but clear the Encrypt contents to secure data check box in the Advanced Attributes dialog box. EFS also lets an encrypted file be shared by several users: you can give individual users permission to open it. This works for files only, not for folders, and you must encrypt the file before you can add users to it. Bear in mind that EFS supports adding individual users, not groups, because what is added to the file is a user's certificate. To give additional users access to an encrypted file, follow these steps (Windows XP and later):

1. Right-click the encrypted file and click Properties.

2. In the properties dialog box, click Advanced.

3. In Advanced Attributes dialog box, Click Details to add additional users.

4. In Encryption Details dialog box, click Add. The Encryption Details dialog box shows users that can access the file and data recovery agent for the file.

5. In the Select User dialog box, select the certificate of the user who should have access to the file. If you do not see the user, click Find User to search Active Directory. If the user's certificate is not found, the user must send you a copy of their certificate (the public part only, never the private key); import it into your certificate store and then add it to the file.

6. After you select the user, click OK until you closed all the dialog box.
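The procedure above works because of how EFS stores keys, and the following added example (my own Go code, not part of the original post and not Windows code) models that mechanism: a random FEK encrypts the data, the FEK is wrapped with each authorized user's public key in a DDF entry and with each recovery agent's public key in a DRF entry, and adding a user only adds one more DDF entry without touching the data. It uses RSA-OAEP and AES-GCM from Go's standard library as stand-ins for the RSA and DESX/AES primitives EFS uses; the user names and the file contents are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyEntry is one DDF (user) or DRF (recovery agent) entry: the file's FEK wrapped with that principal's public key.
type keyEntry struct {
	Principal  string
	WrappedFEK []byte
}

// encryptedFile models what EFS stores: ciphertext plus $EFS metadata with one wrapped FEK per allowed principal.
type encryptedFile struct {
	Nonce, Ciphertext []byte
	DDF, DRF          []keyEntry
}

// newKey stands in for the certificate enrolment that happens the first time a user encrypts something
// (real EFS private keys live in the user's certificate store, protected through DPAPI by the logon password).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

// aead builds the symmetric cipher for a 32-byte FEK (AES-256; errors are impossible for that length).
func aead(fek []byte) cipher.AEAD { b, _ := aes.NewCipher(fek); g, _ := cipher.NewGCM(b); return g }

// EncryptFile draws a fresh random FEK, encrypts the data with it, and wraps the FEK for
// the creating user (DDF) and for every recovery agent (DRF).
func EncryptFile(plain []byte, owner string, ownerPub *rsa.PublicKey, agents map[string]*rsa.PublicKey) (*encryptedFile, error) {
	fek, ef := make([]byte, 32), &encryptedFile{Nonce: make([]byte, 12)}
	if _, err := rand.Read(fek); err != nil { return nil, err }
	if _, err := rand.Read(ef.Nonce); err != nil { return nil, err }
	ef.Ciphertext = aead(fek).Seal(nil, ef.Nonce, plain, nil)
	w, err := wrapFEK(ownerPub, fek)
	if err != nil { return nil, err }
	ef.DDF = append(ef.DDF, keyEntry{owner, w})
	for name, pub := range agents {
		if w, err = wrapFEK(pub, fek); err != nil { return nil, err }
		ef.DRF = append(ef.DRF, keyEntry{name, w})
	}
	return ef, nil
}

// recoverFEK tries every DDF and DRF entry with the caller's private key. Only a key that one of
// the entries was wrapped for gets the FEK back; file ownership or being Administrator changes nothing here.
func recoverFEK(ef *encryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, e := range append(append([]keyEntry{}, ef.DDF...), ef.DRF...) {
		if fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedFEK, nil); err == nil { return fek, nil }
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}

// DecryptFile is what happens transparently when an authorized user opens the file.
func DecryptFile(ef *encryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := recoverFEK(ef, priv)
	if err != nil { return nil, err }
	return aead(fek).Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// AddUser is the Details > Add step: someone who can already unwrap the FEK adds a DDF entry
// for another user's certificate. The file data is not re-encrypted.
func AddUser(ef *encryptedFile, granter *rsa.PrivateKey, name string, pub *rsa.PublicKey) error {
	fek, err := recoverFEK(ef, granter)
	if err != nil { return fmt.Errorf("cannot add %s: %w", name, err) }
	w, err := wrapFEK(pub, fek)
	if err != nil { return err }
	ef.DDF = append(ef.DDF, keyEntry{name, w})
	return nil
}

// scenario: alice encrypts a file with a recovery agent configured; bob cannot read it until alice
// adds him; the agent can read it all along. Returns bob's error before being added and what bob and the agent read afterwards.
func scenario() (bobBefore error, bobAfter, agentView string) {
	alice, bob, agent := newKey(), newKey(), newKey()
	ef, err := EncryptFile([]byte("Q1 payroll"), "alice", &alice.PublicKey, map[string]*rsa.PublicKey{"agent": &agent.PublicKey})
	if err != nil { panic(err) }
	_, bobBefore = DecryptFile(ef, bob)
	if err := AddUser(ef, alice, "bob", &bob.PublicKey); err != nil { panic(err) }
	p, err := DecryptFile(ef, bob)
	if err != nil { panic(err) }
	q, err := DecryptFile(ef, agent)
	if err != nil { panic(err) }
	return bobBefore, string(p), string(q)
}

func main() {
	before, after, agent := scenario()
	fmt.Printf("bob before being added: %v\nbob after: %q\nrecovery agent: %q\n", before, after, agent)
}
```

Two things the model makes visible: losing the private key (alice's certificate) leaves only the DRF as a way back to the FEK, which is why the certificate backup below matters and why a stand-alone XP machine with no recovery agent has no safety net at all; and bob can be added only by someone who can already unwrap the FEK, which is why the Add button is available to the users listed in the Encryption Details dialog and not to an administrator who merely owns the file.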


EFS identifies the users who may access an encrypted file by their certificates. As mentioned earlier, when you encrypt your first file a certificate with a random key pair is generated for you. You must back up this certificate together with its private key: if it is lost or damaged (a reinstalled Windows, a deleted user profile, an administrator resetting your password), there is no way to recover the encrypted data unless a recovery agent holds a DRF for it. Store the backup in a secure location and import it when you need it. On Windows XP SP2 and later, cipher /x does the export from a command prompt; through the graphical interface, follow these steps:

1. Start Microsoft Internet Explorer (or run certmgr.msc, which opens the same certificate store directly and lets you skip to step 4).

2. On the Tools menu, click Internet Options

3. On the Content tab, click Certificates

4. Click Personal tab

5. Select the intended certificate. When you encrypted your first folder, a certificate was generated for you; make sure the one you select shows Encrypting File System under Certificate Intended Purposes.

6. Click Export to start the Certificate Export Wizard, and click Next

7. Click Yes, export the private key and click Next

8. Click Enable Strong protection, and click Next

9. Type a password to protect the private key in the exported file, and click Next.

10. Specify the path where you want to save it. You can save to a floppy disk, CD or other removable storage. Click Next and then Finish.

To import the certificate, follow the same steps as for the backup but click Import in the Certificates dialog box. Then:

1. The Certificate Import Wizard appears; specify the path of the file you exported earlier. Click Next.

2. Type the password you chose when exporting. Check Mark this key as exportable so that you can back the certificate up again later. Click Next.

3. Select Place all certificates in the following store, choose the Personal store, and then click Next.

4. Click Finish to complete the import wizard.

EFS behaves differently when you move, copy or save encrypted files, and the differences matter. When you copy an encrypted file to a medium that does not support EFS, such as a FAT-formatted floppy disk or USB stick, the encryption is removed: the encrypted state is an NTFS attribute, and a file system that has no such attribute receives the plaintext (Windows XP warns you before it does this). When you encrypt an empty folder, every file later placed in it is encrypted, but it is encrypted for the user who creates or moves the file there, not for the folder's owner. For instance, if user A encrypts an empty folder and user B then creates a file in it, only user B can read that file: user A owns the encrypted folder but has no entry in the file's DDF, because B's key was the one used when the file was written.

When you encrypt a folder that already contains data, you are asked whether to encrypt the existing files as well. If you choose to encrypt them, they become readable only by you, the user who encrypted the folder. Files placed in the folder afterwards follow the rule above: they are encrypted for whoever creates or moves them there. If instead you choose not to encrypt the existing files, they remain unencrypted and readable by anyone who can access the folder, which is easy to overlook because the folder itself is shown as encrypted. Any file newly created in the folder is encrypted, so an existing plaintext file becomes encrypted as soon as an application replaces it with a new file (many editors save by writing a new file and then renaming it over the old one).

In general, a copied file takes on the EFS state of its destination folder. A file moved within the same NTFS volume keeps its own state, whether or not the destination folder is encrypted; a move to another volume is a copy followed by a delete, so it behaves like a copy. EFS works on files and folders, not on whole volumes, and it cannot encrypt files that carry the system attribute or the system root directory (%SystemRoot%).



Friday, March 09, 2007

NTFS Compression

Compression reduces the size of an object and therefore the amount of space allocated for it on the volume. NTFS supports compression of a file, a folder or the whole NTFS volume. NTFS compression works only on volumes whose cluster size is 4 KB or smaller; it is not available on volumes formatted with larger clusters.

NTFS does not need a separate program such as WinZip or WinRAR to read or write a compressed file. Users can open compressed files without decompressing them first: NTFS decompresses the data as it is read into memory, and compresses it again when the file is saved or closed. In other words, compression and decompression are done by NTFS itself, without user interference. The cost is performance, because NTFS must compress or decompress on every read and write. Bear in mind that a file or folder stays compressed only on an NTFS volume; copied to a FAT volume it loses its compression. NTFS compression also cannot be applied to a file or folder that is encrypted.

If you want to compress a file or folder on an NTFS volume, these are the steps:

·Right-click the file or folder and then click Properties.

·On the General tab, click Advanced.

·Check the Compress contents to save disk space check box, and then click OK.

·In the Properties dialog box, click OK again.

·In Confirm Attribute Changes, choose whether to apply the change to the folder only or to the folder, its subfolders and files. (This appears only when compressing a folder, not a file.)

To compress a whole drive, the steps are similar:

·Right-click the drive in My Computer and then click Properties.

·On the General tab, check the Compress drive to save disk space check box, and then click OK.

·In the Properties dialog box, click OK again.

·In Confirm Attribute Changes, choose whether to apply the change to the root of the drive (C:\ for example) only or to the root, its subfolders and files.

You can compress only the folder itself, without compressing its contents (subfolders and files), by selecting Apply changes to this folder only in the Confirm Attribute Changes window.

Windows Explorer can show compressed and encrypted NTFS files in color. The steps are:

·Go to Folder Options under the Tools menu in Windows Explorer.

·On the View tab, check the Show encrypted or compressed NTFS files in color check box.


After you compress a file or folder, its name changes from black to blue (encrypted objects are shown in green). That way you can see at a glance which files or folders are compressed.

When a file or folder is moved within the same NTFS volume, it keeps its compression state regardless of the compression state of the destination folder. For instance, a compressed file moved to an uncompressed folder stays compressed.

When a file or folder is copied within the same NTFS volume, its original compression state is lost and it inherits the compression state of the destination folder. For instance, an uncompressed file copied to a compressed folder becomes compressed.

When you copy a file into a folder that already contains a file of the same name on the same NTFS volume, the copy inherits the compression state of the file it replaces. For instance, if you copy a compressed file named A into a folder that already holds an uncompressed file named A, the file in the folder is replaced and the result is uncompressed.

When you copy or move files and folders between NTFS volumes (for example from drive C: to drive D:), they inherit the compression state of the destination folder. If you copy a compressed file or folder from an NTFS volume to a FAT volume, the compression state is lost and the file becomes uncompressed, because FAT, unlike NTFS, does not support compression. Conversely, a file or folder copied from a FAT volume to an NTFS volume inherits the compression state of the destination folder. Bear in mind that NTFS compression is different from Compressed (zipped) Folders. Zipped folders are not an NTFS feature; they are provided by Windows itself (Windows XP Professional, for example) and work on any file system.
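The move/copy rules in this post and the encrypted-folder rules in the EFS post both leave states that are easy to miss in Explorer, so here is an added example (my own Go code, not from the original post) that audits a directory listing for them using the FILE_ATTRIBUTE_ENCRYPTED (0x4000) and FILE_ATTRIBUTE_COMPRESSED (0x800) bits Windows reports for each object: a plaintext file or a merely compressed file sitting inside an encrypted folder, and an object carrying both bits at once. The listing it checks is constructed in the code and the paths are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// File attribute bits as reported by Windows (FILE_ATTRIBUTE_* in winnt.h).
const (
	attrDirectory  uint32 = 0x0010
	attrCompressed uint32 = 0x0800
	attrEncrypted  uint32 = 0x4000
)

// entry is one file or folder with its attribute bits.
type entry struct {
	Path  string
	Attrs uint32
}

type finding struct{ Path, Issue string }

func parent(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 { return p[:i] }
	return ""
}

// audit reports states the copy/move rules can leave behind:
//   - a plaintext file inside an encrypted folder (a pre-existing file the user chose not to
//     encrypt, or a file moved in from elsewhere on the volume, which keeps its own state)
//   - a compressed, unencrypted file inside an encrypted folder (moved in, so it kept its
//     compressed state instead of inheriting encryption)
//   - an object with both bits set, which NTFS never produces and which means the attribute
//     data is inconsistent and worth a closer look
func audit(tree []entry) []finding {
	encDirs := map[string]bool{}
	for _, e := range tree {
		if e.Attrs&attrDirectory != 0 && e.Attrs&attrEncrypted != 0 { encDirs[e.Path] = true }
	}
	var out []finding
	for _, e := range tree {
		enc, comp := e.Attrs&attrEncrypted != 0, e.Attrs&attrCompressed != 0
		switch {
		case enc && comp:
			out = append(out, finding{e.Path, "both encrypted and compressed bits set"})
		case e.Attrs&attrDirectory != 0: // folders themselves are fine either way
		case encDirs[parent(e.Path)] && !enc && comp:
			out = append(out, finding{e.Path, "compressed, not encrypted, inside an encrypted folder"})
		case encDirs[parent(e.Path)] && !enc:
			out = append(out, finding{e.Path, "plaintext file inside an encrypted folder"})
		}
	}
	return out
}

// sampleTree is constructed: an encrypted folder holding one properly encrypted file, one
// plaintext file left over from before the folder was encrypted, and one compressed file
// that was moved in from elsewhere on the same volume; plus an ordinary folder for contrast.
var sampleTree = []entry{
	{`C:\Users\alice\Secret`, attrDirectory | attrEncrypted},
	{`C:\Users\alice\Secret\payroll.xls`, attrEncrypted},
	{`C:\Users\alice\Secret\old-notes.txt`, 0},
	{`C:\Users\alice\Secret\archive.log`, attrCompressed},
	{`C:\Users\alice\Public`, attrDirectory},
	{`C:\Users\alice\Public\readme.txt`, 0},
}

func main() {
	for _, f := range audit(sampleTree) { fmt.Printf("%-40s %s\n", f.Path, f.Issue) }
}
```

On a real system, feed it the per-object state reported by cipher (run with no arguments it prints E or U for every file in the current folder), by compact (C or U for compression), or the raw bits from PowerShell with [int](Get-Item $path).Attributes. The folder-owner case from the EFS post (user A's encrypted folder, user B's file) cannot be seen from the attribute bits alone; for that, cipher /c lists which users' certificates can open each encrypted file.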


Tuesday, March 06, 2007

NTFS Features

Compared with FAT, NTFS provides features that improve the security, space efficiency, reliability and data integrity of a disk volume. These features make NTFS suitable for a network environment: as a network grows and more users are connected, more security and better use of disk space are needed. The NTFS features discussed here are:
  • NTFS compression
    • File-based compression that lets a file or folder be compressed (reducing the space needed to store it) while still being read and written by any Windows application. The compression is handled by the operating system itself.
  • NTFS encryption
    • NTFS (through the Encrypting File System) automatically encrypts and decrypts file data to provide an additional level of security for files and folders.
  • NTFS object permissions
    • NTFS lets you set permissions on a file or folder to control the level of access a particular user or group has to it. Permissions can be set by an administrator, by the file or folder's owner, and by any user or group that has Full Control permission on it.
  • Disk quotas
    • Give an administrator the ability to track and control disk space usage per volume and per user. Quotas are set on a volume (drive C: or D:, for example), not on a file or folder.
  • NTFS journaling
    • The change journal keeps a persistent log of every change made to files, folders and other objects on the volume, including additions, deletions and modifications. When the journal exceeds its maximum size, the oldest records are discarded.
  • Sparse files
    • Let the volume use space efficiently for large files that consist mostly of zeros: only the meaningful (non-zero) data is allocated on disk, while the runs of zeros are recorded as ranges with no clusters allocated.
All of these features will be discussed in the next posts, one feature at a time.


Monday, March 05, 2007

NTFS Architecture

When you press the power button, the system BIOS starts and searches for the first boot device, which you can choose in the BIOS setup; normally it is a hard disk. As mentioned in a previous post, a partitioned hard disk contains a Master Boot Record (MBR) in its first sector. The MBR holds the master boot code and the partition table. The BIOS loads the MBR into memory and executes the master boot code, which scans the partition table for the active (bootable) partition. It then loads that partition's boot sector, the first logical sector of the partition, into memory. The boot sector contains executable code and the data the code needs (the BPB) to understand the volume's structure and find the operating system loader.


The boot sector code locates NTLDR, a file named ntldr in the root of the system partition, and loads it. NTLDR switches the CPU from real mode to 32-bit protected mode with paging enabled and starts its own minimal file system code (it understands FAT and NTFS by itself, so it does not need ntfs.sys at this point). It reads boot.ini to find out which operating system to start and where, runs ntdetect.com to collect basic hardware information, and then loads the kernel ntoskrnl.exe, the hardware abstraction layer hal.dll, the SYSTEM registry hive and the boot-start device drivers that the hive lists (ntfs.sys among them), in the order the hive specifies. Finally it transfers control to the kernel, which initializes itself and the drivers and starts the rest of the system. From the kernel onwards the code runs in kernel mode, the processor mode that allows code direct access to hardware and to all of memory.


Sunday, March 04, 2007

NTFS Components (Cont2)

D) File System Data / Area

NTFS treats every file and folder on the volume as a set of attributes: the name, the security information, the timestamps and the data itself are all attributes of the file. Each attribute is identified by an attribute type code and, optionally, an attribute name.

As mentioned earlier, every file or folder on an NTFS volume has a record in the MFT. What does that record contain? The file's attributes, laid out one after another inside the record (normally 1 KB). Not every attribute fits. An attribute whose content is stored inside the MFT record is called a resident attribute; the file name and the timestamps are always resident, and so is the data of a very small file. An attribute whose content does not fit is nonresident: the MFT record keeps only the attribute header, which records the logical size of the content and a list of runs (ranges of clusters) telling NTFS where on the volume the content is stored. If even the headers no longer fit in one record, NTFS allocates further records for the file and adds an Attribute List attribute that says in which record each attribute lives. Figure 6 lists the attribute types.

Attribute type           Description
Standard Information     Timestamps and the classic file attributes (read-only, hidden, system, archive)
Attribute List           Locations of the attribute records that do not fit in the base MFT record
File Name                Name of the file; a file has one File Name attribute per hard link and per name space (Win32, DOS 8.3, POSIX)
Data                     Contents of the file. Every file has one unnamed data stream and may carry additional named streams (alternate data streams), which Explorer does not show
Object ID                Volume-unique identifier of the file, used by the distributed link tracking service
Logged Utility Stream    Data stream whose updates are written to the NTFS log; EFS keeps its key material (the $EFS stream) in one of these
Reparse Point            Used for volume mount points and junctions, and by file system filters to mark special files
Index Root               Used to implement folders and other indexes
Index Allocation         Used to implement the B-tree structure for large folders and other large indexes
Bitmap                   Records which entries of an index allocation are in use (and, for $Mft, which file records are in use)
Volume Information       Contains the NTFS version of the volume and its dirty flag

Figure 6 File Attributes Types
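To make the resident/nonresident distinction concrete, here is an added example (my own Go code, not from the original post and not from any Microsoft tool) that parses one MFT FILE record: it verifies and undoes the update sequence fixups, walks the attribute chain with bounds checks, decodes the run list of a nonresident attribute and reads the value of a resident one. The 1 KB record it parses is constructed inside the code; the offsets are the NTFS 3.x on-disk record layout, and the file contents and stream name are made up.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

var le = binary.LittleEndian
// attribute is one parsed entry of an MFT FILE record; a named $DATA (type 0x80) is an alternate data
// stream. Value is set for resident attributes; RealSize and Runs ((starting LCN, clusters), LCN -1 = sparse) for nonresident ones.
type attribute struct {
	Type        uint32
	Name        string
	NonResident bool
	Value       []byte
	RealSize    uint64
	Runs        [][2]int64
}

// applyFixups undoes the torn-write protection: the last 2 bytes of each 512-byte sector must equal the
// update sequence number (USN) and are restored from the update sequence array. A mismatch = torn write or tampering.
func applyFixups(rec []byte) error {
	usa, count := int(le.Uint16(rec[4:])), int(le.Uint16(rec[6:])); if count < 2 || usa+2*count > len(rec) || (count-1)*512 > len(rec) { return errors.New("update sequence array out of bounds") }
	for i := 1; i < count; i++ {
		end := i*512 - 2; if rec[end] != rec[usa] || rec[end+1] != rec[usa+1] { return fmt.Errorf("fixup mismatch in sector %d", i-1) }
		copy(rec[end:end+2], rec[usa+2*i:usa+2*i+2])
	}
	return nil
}

// decodeRuns walks a run list: the header byte's low nibble is the size of the length field, its high
// nibble the size of the signed LCN offset (relative to the previous run); a zero byte ends the list.
func decodeRuns(b []byte) (runs [][2]int64, err error) {
	var lcn int64
	for len(b) > 0 && b[0] != 0 {
		lenSz, offSz := int(b[0]&0x0F), int(b[0]>>4); if 1+lenSz+offSz > len(b) { return nil, errors.New("truncated data run") }
		var n, off int64
		for i := lenSz - 1; i >= 0; i-- { n = n<<8 | int64(b[1+i]) }
		for i := offSz - 1; i >= 0; i-- { off = off<<8 | int64(b[1+lenSz+i]) }
		start := int64(-1) // no offset field: sparse run, no clusters allocated
		if offSz > 0 {
			if b[lenSz+offSz]&0x80 != 0 { off -= 1 << (8 * uint(offSz)) } // sign-extend
			lcn += off; start = lcn
		}
		runs, b = append(runs, [2]int64{start, n}), b[1+lenSz+offSz:]
	}
	return runs, nil
}

// parseRecord checks the signature, applies the fixups and walks the attribute chain, refusing any length or offset outside the record.
func parseRecord(rec []byte) (attrs []attribute, err error) {
	if len(rec) < 0x30 || string(rec[:4]) != "FILE" { return nil, errors.New("not a FILE record") }
	if err = applyFixups(rec); err != nil { return nil, err }
	off, used := int(le.Uint16(rec[0x14:])), int(le.Uint32(rec[0x18:])); if used > len(rec) { return nil, errors.New("used size exceeds record") }
	for off+8 <= used {
		typ := le.Uint32(rec[off:])
		if typ == 0xFFFFFFFF { return attrs, nil } // end-of-attributes marker
		length := int(le.Uint32(rec[off+4:])); if length < 0x18 || off+length > used { return attrs, errors.New("attribute length runs past record") }
		h := rec[off : off+length]
		a := attribute{Type: typ, NonResident: h[8] == 1}
		nl, no := int(h[9]), int(le.Uint16(h[0x0A:])); if no+2*nl > length { return attrs, errors.New("attribute name out of bounds") }
		u := make([]uint16, nl); for i := range u { u[i] = le.Uint16(h[no+2*i:]) }
		a.Name = string(utf16.Decode(u))
		if a.NonResident {
			ro := int(le.Uint16(h[0x20:])); if length < 0x40 || ro > length { return attrs, errors.New("bad nonresident header") }
			a.RealSize = le.Uint64(h[0x30:])
			if a.Runs, err = decodeRuns(h[ro:]); err != nil { return attrs, err }
		} else {
			vl, vo := int(le.Uint32(h[0x10:])), int(le.Uint16(h[0x14:])); if vo+vl > length { return attrs, errors.New("resident value out of bounds") }
			a.Value = h[vo : vo+vl]
		}
		attrs, off = append(attrs, a), off+length
	}
	return attrs, errors.New("missing end-of-attributes marker")
}

// sampleRecord is a constructed 1 KB record: an unnamed nonresident $DATA of 64 KiB in one run, then a resident
// named $DATA (the Zone.Identifier stream Windows attaches to downloads). The USN 0xBEEF sits in the update
// sequence array and over the last 2 bytes of each sector; the saved original bytes are zero.
func sampleRecord() []byte {
	rec := make([]byte, 1024)
	copy(rec, "FILE")
	for o, v := range map[int]uint16{4: 0x30, 6: 3, 0x14: 0x38, 0x16: 1, 0x30: 0xBEEF, 0x1FE: 0xBEEF, 0x3FE: 0xBEEF} { le.PutUint16(rec[o:], v) }
	le.PutUint32(rec[0x18:], 0xE0); le.PutUint32(rec[0x1C:], 1024) // used and allocated size
	d := rec[0x38:] // unnamed $DATA: length 0x48, nonresident, run list at 0x40, real size 65536
	le.PutUint32(d, 0x80); le.PutUint32(d[4:], 0x48); d[8] = 1; le.PutUint16(d[0x20:], 0x40); le.PutUint64(d[0x30:], 65536)
	copy(d[0x40:], []byte{0x21, 0x10, 0x00, 0x04, 0x00}) // 0x10 clusters starting at LCN 0x0400; 00 ends the list
	d = rec[0x80:] // named $DATA: length 0x58, 15-char UTF-16 name at 0x18, 26-byte value at 0x38
	le.PutUint32(d, 0x80); le.PutUint32(d[4:], 0x58); d[9] = 15; le.PutUint16(d[0x0A:], 0x18)
	for i, c := range utf16.Encode([]rune("Zone.Identifier")) { le.PutUint16(d[0x18+2*i:], c) }
	le.PutUint32(d[0x10:], 26); le.PutUint16(d[0x14:], 0x38); copy(d[0x38:], "[ZoneTransfer]\r\nZoneId=3\r\n")
	le.PutUint32(rec[0xD8:], 0xFFFFFFFF) // end-of-attributes marker
	return rec
}

func main() {
	attrs, err := parseRecord(sampleRecord()); if err != nil { panic(err) }
	for _, a := range attrs { fmt.Printf("%+v\n", a) }
}
```

On a real volume the record comes from the $Mft file, whose own $DATA attribute is normally nonresident, so a tool starts from the boot sector (which gives the $MFT cluster and the record size), reads record 0, decodes its run list, and only then can address any other record. The fixup check is not optional: a record whose sector-end bytes do not match the USN was written only partially or edited on disk, and a parser that skips the check reads two bytes of USN where attribute data should be. Named $DATA streams are the alternate data streams that Explorer never shows; on Windows Vista and later, dir /r lists them from the command line.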


Saturday, March 03, 2007

NTFS Component (Cont)

B) Master File Table

Every file that exists on an NTFS volume is recorded in the Master File Table (MFT). The first 16 records of the MFT (numbers 0 to 15) are reserved for the NTFS metadata files, which describe the MFT itself, its mirror, the log file and the other structures of the volume; every other file and folder on the volume gets one or more records after those. Figure 5 lists the metadata files stored in the MFT.

System file             File name   MFT record   Description
Master file table       $Mft        0            Holds at least one file record for every file and folder on the volume; a file whose attributes do not fit in one record gets additional records.
Master file table copy  $MftMirr    1            Duplicate of the first four records of the MFT, used if the MFT itself cannot be read.
Log file                $LogFile    2            Transaction log used to restore metadata consistency after a system failure.
Volume                  $Volume     3            Volume name, NTFS version and the dirty flag.
Attribute definitions   $AttrDef    4            Names, numbers and size limits of the attribute types used on the volume.
Root file name index    .           5            The root folder.
Cluster bitmap          $Bitmap     6            One bit per cluster, recording which clusters are in use and which are free.
Boot sector             $Boot       7            The boot sector and bootstrap code, including the BPB used to mount the volume.
Bad cluster file        $BadClus    8            Lists the clusters found to be bad on the volume.
Security file           $Secure     9            Security descriptors shared by all files on the volume.
Upcase table            $UpCase     10           Table for converting lowercase characters to the matching Unicode uppercase characters.
NTFS extension file     $Extend     11           Folder for optional extensions such as $Quota, $ObjId, $Reparse and $UsnJrnl.
                                    12-15        Reserved for future use.

Figure 5 MFT metadata files

The locations of both $Mft and $MftMirr are recorded in the boot sector. If the $Mft data cannot be read, NTFS reads the boot sector to find $MftMirr and uses that copy instead. The MFT is not tied to a fixed sector, so it can be placed elsewhere if its usual location turns out to be bad. The mirror is normally stored at the logical center of the volume.

C) Master File Table Copy

NTFS duplicates part of the MFT as $MftMirr and stores it at the logical center of the volume. Not everything is duplicated: only the first four records of the MFT ($Mft, $MftMirr, $LogFile and $Volume), which is enough to mount the volume and find the rest. If the start of the MFT is corrupted, NTFS reads the boot sector to find $MftMirr and reads the copy instead; chkdsk can then repair the damaged records by writing the information from $MftMirr back over them.


Friday, March 02, 2007

NTFS Components

A) Partition Boot Sector

When a hard disk is partitioned, a Master Boot Record (MBR) is written to its first sector. The MBR contains executable code called the master boot code and the partition table, and the system BIOS loads it into memory. The master boot code scans the partition table to find the active (bootable) partition, then loads that partition's boot sector into memory. Figure 4 shows the layout of the NTFS boot sector.

Byte offset   Field length   Field name
0x00          3 bytes        Jump instruction
0x03          8 bytes        OEM ID ("NTFS    ")
0x0B          25 bytes       BPB
0x24          48 bytes       Extended BPB
0x54          426 bytes      Bootstrap code
0x01FE        2 bytes        End of sector marker (0x55AA)

BPB & Extended BPB Components

Byte offset   Field length   Field name
0x0B          2 bytes        Bytes per sector
0x0D          1 byte         Sectors per cluster
0x0E          2 bytes        Reserved sectors (always 0 on NTFS)
0x10          3 bytes        Must be 0
0x13          2 bytes        Must be 0 (not used by NTFS)
0x15          1 byte         Media descriptor
0x16          2 bytes        Must be 0
0x18          2 bytes        Sectors per track (not used by NTFS)
0x1A          2 bytes        Number of heads (not used by NTFS)
0x1C          4 bytes        Hidden sectors (not used by NTFS)
0x20          4 bytes        Must be 0
0x24          4 bytes        Not used by NTFS
0x28          8 bytes        Total sectors
0x30          8 bytes        Logical cluster number of the file $MFT
0x38          8 bytes        Logical cluster number of the file $MFTMirr
0x40          1 byte         Clusters per MFT record (a negative value v means 2^|v| bytes)
0x41          3 bytes        Not used by NTFS
0x44          1 byte         Clusters per index buffer (same encoding)
0x45          3 bytes        Not used by NTFS
0x48          8 bytes        Volume serial number
0x50          4 bytes        Checksum (not used by NTFS)

Figure 4 Boot sector section on NTFS

On an NTFS volume the first 16 sectors are reserved for the boot sector and the bootstrap code (the $Boot metadata file). Once the boot sector has been loaded into memory, the master boot code transfers execution to it; the first thing executed is the jump instruction at the start of the sector, which skips over the BPB to the bootstrap code. The OEM ID that follows the jump instruction identifies the file system that formatted the volume; on NTFS it is the string "NTFS" padded with spaces to 8 bytes. After the OEM ID comes the BPB, which holds:

  • Bytes per sector (the size of a sector on the disk)
  • Sectors per cluster (the number of sectors in a cluster)
  • Media descriptor (the type of media being used)

The fields after the BPB form the extended BPB, which provides:

  • Total sectors (the number of sectors in the volume)
  • Logical cluster number of the $MFT file (where the MFT starts on the volume)
  • Logical cluster number of the $MFTMirr file (where the MFT mirror starts)
  • Clusters per MFT record (the size of the record NTFS keeps for every file or folder on the volume; a negative value means the record is smaller than a cluster, and the size is 2 to the power of the absolute value, so 0xF6 = -10 means 1024 bytes)
  • Volume serial number
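As an added example (my own Go code, not part of the original post), the parser below reads these fields from a boot sector, applies the sanity checks a forensic or recovery tool should make before trusting them (the 0x55AA marker, the OEM ID, power-of-two geometry, fields that must be zero, $MFT and $MFTMirr inside the volume) and decodes the clusters-per-record byte, including its negative encoding. The sector it parses is constructed in the code with made-up values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var le = binary.LittleEndian

// bootSector holds the BPB and extended BPB fields a tool needs to find and read the MFT.
type bootSector struct {
	OEMID             string
	BytesPerSector    uint16
	SectorsPerCluster uint8
	MediaDescriptor   uint8
	TotalSectors      uint64
	MFTCluster        uint64 // logical cluster number of $MFT
	MFTMirrCluster    uint64 // logical cluster number of $MFTMirr
	MFTRecordSize     int    // bytes per file record
	IndexBufferSize   int    // bytes per index buffer
	VolumeSerial      uint64
}

func (b bootSector) ClusterSize() int     { return int(b.BytesPerSector) * int(b.SectorsPerCluster) }
func (b bootSector) MFTByteOffset() int64 { return int64(b.MFTCluster) * int64(b.ClusterSize()) }

// sizeField decodes the "clusters per MFT record / index buffer" byte: a positive value is a
// cluster count, a negative value v means 2^|v| bytes (0xF6 = -10 gives the usual 1024-byte
// record on a volume with 4 KB clusters).
func sizeField(v byte, clusterSize int) int {
	if v&0x80 != 0 { return 1 << uint(-int8(v)) }
	return int(v) * clusterSize
}

// parseBootSector reads the fields from Figure 4 and refuses values that cannot describe a real
// NTFS volume, which is what a tool should do before seeking to the MFT with them.
func parseBootSector(sec []byte) (bootSector, error) {
	var bs bootSector
	if len(sec) < 512 { return bs, errors.New("boot sector shorter than 512 bytes") }
	if sec[0x1FE] != 0x55 || sec[0x1FF] != 0xAA { return bs, errors.New("missing 0x55AA end-of-sector marker") }
	bs.OEMID = string(sec[3:11])
	if bs.OEMID != "NTFS    " { return bs, fmt.Errorf("OEM ID %q is not NTFS", bs.OEMID) }
	bs.BytesPerSector, bs.SectorsPerCluster = le.Uint16(sec[0x0B:]), sec[0x0D]
	bs.MediaDescriptor = sec[0x15]
	bs.TotalSectors, bs.MFTCluster = le.Uint64(sec[0x28:]), le.Uint64(sec[0x30:])
	bs.MFTMirrCluster, bs.VolumeSerial = le.Uint64(sec[0x38:]), le.Uint64(sec[0x48:])
	switch {
	case bs.BytesPerSector < 256 || bs.BytesPerSector&(bs.BytesPerSector-1) != 0:
		return bs, errors.New("bytes per sector is not a power of two")
	case bs.SectorsPerCluster == 0 || bs.SectorsPerCluster&(bs.SectorsPerCluster-1) != 0:
		return bs, errors.New("sectors per cluster is not a power of two")
	case le.Uint16(sec[0x0E:]) != 0 || sec[0x10]|sec[0x11]|sec[0x12] != 0 || le.Uint16(sec[0x16:]) != 0:
		return bs, errors.New("fields that must be zero on NTFS are set")
	case bs.TotalSectors == 0:
		return bs, errors.New("total sectors is zero")
	}
	clusters := bs.TotalSectors / uint64(bs.SectorsPerCluster)
	if bs.MFTCluster >= clusters || bs.MFTMirrCluster >= clusters {
		return bs, errors.New("$MFT or $MFTMirr cluster lies outside the volume")
	}
	bs.MFTRecordSize = sizeField(sec[0x40], bs.ClusterSize())
	bs.IndexBufferSize = sizeField(sec[0x44], bs.ClusterSize())
	return bs, nil
}

// sampleBootSector builds a constructed sector for a 4 GB volume with 512-byte sectors and
// 8 sectors per cluster (4 KB clusters), $MFT at cluster 786432 and the mirror at cluster 2.
func sampleBootSector() []byte {
	sec := make([]byte, 512)
	copy(sec, []byte{0xEB, 0x52, 0x90}) // jump over the BPB to the bootstrap code
	copy(sec[3:], "NTFS    ")
	le.PutUint16(sec[0x0B:], 512)
	sec[0x0D], sec[0x15] = 8, 0xF8 // sectors per cluster; media descriptor: fixed disk
	le.PutUint16(sec[0x18:], 63)   // sectors per track
	le.PutUint16(sec[0x1A:], 255)  // heads
	le.PutUint32(sec[0x1C:], 63)   // hidden sectors
	le.PutUint64(sec[0x28:], 8388607)
	le.PutUint64(sec[0x30:], 786432)
	le.PutUint64(sec[0x38:], 2)
	sec[0x40], sec[0x44] = 0xF6, 1 // -10: 1024-byte records; one cluster per index buffer
	le.PutUint64(sec[0x48:], 0x1C2E5A7B9D0F3E11)
	sec[0x1FE], sec[0x1FF] = 0x55, 0xAA
	return sec
}

func main() {
	bs, err := parseBootSector(sampleBootSector())
	if err != nil { panic(err) }
	fmt.Printf("cluster %d bytes, MFT record %d bytes, $MFT at byte offset %d (cluster %d), serial %X\n",
		bs.ClusterSize(), bs.MFTRecordSize, bs.MFTByteOffset(), bs.MFTCluster, bs.VolumeSerial)
}
```

The byte offset of $MFT is simply its logical cluster number times the cluster size, which is why a damaged or deliberately altered boot sector is enough to make a volume unmountable; the $MFTMirr cluster and the $Boot copy that NTFS keeps (and the backup boot sector at the end of the volume on Windows XP and later) are what recovery tools fall back on.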



Thursday, March 01, 2007

NTFS Physical Structure

When a hard disk is partitioned, a Master Boot Record (MBR) is written to its first sector. The MBR consists of executable code, the master boot code, and the partition table of the disk.

The NTFS cluster size depends on the size of the volume. When formatting an NTFS volume you can specify a cluster size of up to 64 KB; if you do not, the default cluster size for that volume size is used. Figure 3 shows the default cluster size for each volume size.

Volume size          Default cluster size
7 MB to 512 MB       512 bytes
512 MB to 1024 MB    1 KB
1024 MB to 2 GB      2 KB
2 GB to 2 TB         4 KB

Figure 3 Cluster size for each volume size.


NTFS's space efficiency comes from its cluster size, which is smaller than what FAT uses on a volume of the same size. A cluster is the smallest unit that can be allocated to a file, so the unused tail of a file's last cluster (slack space) cannot hold another file; the smaller the cluster, the less space is wasted this way, and the less old data lingers in slack for a forensic examiner to find. NTFS also supports far more clusters than FAT, so with the default 4 KB cluster size a volume can be as large as 2 TB, which is also the largest partition an MBR-partitioned disk can hold.

When a hard disk is formatted with NTFS, the volume is divided into four components:

  • Boot sector

  • Master File Table

  • Master File Table Copy

  • File system data

Together these components make up the NTFS file system. (The figure that illustrated their layout on the volume is not reproduced here.)


