
Boot Records

VBR - Volume Boot Record

The next data, and the next differences between the file systems, are at offset 0x0100000, which is where the VBR starts.

ReFS

ReFS does not appear to have a VBR. Shown below is all the data in this sector: only 64 bytes are used, which is a minuscule amount compared to NTFS and FAT. NTFS fills the next 10 contiguous sectors, and FAT uses, or reserves, six of the next nine sectors.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000100000  00 00 00 52 65 46 53 00 00 00 00 00 00 00 00 00 46 53 52 53 00 02 33 C2 00 00 9E 00 00 00 00 00  ...ReFS.........FSRS..3Â..ž.....

000100020  00 02 00 00 80 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 1C 55 C4 56 55 C4 34  ....€.....................UÄVUÄ4

 

A likely explanation for the lack of a VBR and the boot code that would follow it is that, currently, ReFS volumes cannot be used as bootable drives (Arghire, 2012). This would be a sensible reason for there being no Volume Boot Record on the file system. The Resilient File System does not have a Jump Instruction (the first three bytes are zero), but it does have an OEM ID afterwards (the four bytes 52 65 46 53, "ReFS", at offset 0x03).

One could speculate that by leaving the Jump Instruction blank, Microsoft have kept the option of enabling ReFS as a boot drive in future.

In NTFS the next 25 bytes are taken up by the BIOS Parameter Block (BPB), and the Extended BPB follows it for 48 bytes. There is no similarity here between ReFS and NTFS; in fact, the ReFS data stops during what would be the Extended BPB.

FSRS - File System Recognition Structure

In place of the BPB, ReFS has the text "FSRS", which stands for "File System Recognition Structure". A search through the hexadecimal of the NTFS and FAT file systems for "FSRS" returned nothing. Further research shows that Microsoft own the patent for the "File System Recognition Structure" (Publication Number: US8200895 B2) (Christiansen et al., 2012). The patent explains that it "may allow an operating system to identify a partition of a storage device as having a valid file system, even if the operating system does not know how to access the file system a priori".

There is an entry in Microsoft's MSDN documentation for the File System Recognition Structure (Microsoft, 2011). It states that the structure contains file system recognition information (stored in the VBR). The File System Recognition data structure allows an operating system to recognise that a storage medium contains a valid, but undefined, file system. Applications can access the structures on the file system through the file system control request (Microsoft, n.d.c).

Microsoft documentation highlights that the FSRS data structure must be in the first sector of a logical disk: "This data structure, if present on logical disk sector zero…" (Microsoft, n.d.d). This enables the operating system to recognise the data structure and alert the user that it is a valid file system, despite being unrecognised by the local machine. The File System Recognition Structure is not present on the NTFS and FAT file systems.

Interpreting the data with the table below shows that the FSRS completely replaces what would be the VBR. The length of the FSRS (the two bytes 00 02 at offset 0x14), like the identifier, is stored in little endian, so it reads as 0x0200: the structure is 512 bytes long, the same as the NTFS VBR. After the 64 bytes shown, however, the remaining bytes of the 512 are set to zero.

 

Type        Offset  Length   Contents                     Description
Jmp         0x00    3 bytes  00 00 00                     Jump instruction
FsName      0x03    4 bytes  52 65 46 53                  File system name
MustBeZero  0x07    9 bytes  00 00 00 00 00 00 00 00 00   Reserved space containing all zeros
Identifier  0x10    4 bytes  46 53 52 53                  Structure identifier. Little endian.
Length      0x14    2 bytes  00 02                        The number of bytes in the structure
Checksum    0x16    2 bytes  33 C2

 

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000100000  00 00 00 52 65 46 53 00 00 00 00 00 00 00 00 00 46 53 52 53 00 02 33 C2 00 00 9E 00 00 00 00 00  ...ReFS.........FSRS....ž.....

000100020  00 02 00 00 80 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 1C 55 C4 56 55 C4 34  ....€.....................UÄVUÄ4

 

This information fills a gap in current research. Joachim Metz began investigating the Resilient File System in 2013, and in Section 2.1 of his investigation report he speculates on the structure and the meaning of the values in the ReFS Volume Header, listing the "FSRS" field as unknown (Metz, 2013, p. 1).
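As an added worked example (not code from the original write-up), the Python below reads the 64 bytes from the dump above as the fields in the table and recomputes the checksum. The checksum routine is the rotate-right-and-add loop from Microsoft's documentation of FILE_SYSTEM_RECOGNITION_STRUCTURE (the ComputeFileSystemInformationChecksum sample): it covers Length bytes of the sector and skips the two checksum bytes themselves. The sample input is the 64 bytes shown, padded with zeros to 512 bytes as the text states. Run against that input the routine yields 0xC233, which is exactly the bytes 33 C2 at offset 0x16 in the dump, so a forensic tool can use the same check to confirm that a recovered ReFS boot sector has not been altered.

```python
import struct

# Constructed input: the 64 bytes of the ReFS boot sector shown in the dump above
# (image offset 0x100000), padded with zeros to the 512-byte sector as the text states.
REFS_SECTOR = bytes.fromhex(
    "00000052654653000000000000000000"
    "46535253000233c200009e0000000000"
    "00020000800000000101000000000000"
    "0000000000000000041c55c45655c434"
).ljust(512, b"\x00")

CHECKSUM_OFFSET = 0x16   # offset of the 2-byte Checksum field (see the table above)


def parse_fsrs(sector: bytes) -> dict:
    """Split the start of a sector into the FSRS fields listed in the table above."""
    length, checksum = struct.unpack_from("<HH", sector, 0x14)   # both little endian
    return {
        "jmp": sector[0x00:0x03],
        "fs_name": sector[0x03:0x07].decode("ascii", errors="replace"),
        "must_be_zero_ok": not any(sector[0x07:0x10]),
        "identifier": sector[0x10:0x14].decode("ascii", errors="replace"),
        "length": length,
        "checksum": checksum,
    }


def compute_fsrs_checksum(sector: bytes, length: int) -> int:
    """Microsoft's documented FSRS checksum: for every byte of the structure except the
    two checksum bytes, rotate the running 16-bit value right by one, then add the byte."""
    checksum = 0
    for i in range(length):
        if i in (CHECKSUM_OFFSET, CHECKSUM_OFFSET + 1):
            continue
        rotated = ((checksum & 1) << 15) | (checksum >> 1)
        checksum = (rotated + sector[i]) & 0xFFFF
    return checksum


def verify_fsrs(sector: bytes) -> bool:
    """True when the sector carries a well-formed FSRS whose stored checksum matches."""
    f = parse_fsrs(sector)
    if f["identifier"] != "FSRS" or not f["must_be_zero_ok"]:
        return False
    if not 0 < f["length"] <= len(sector):
        return False
    return compute_fsrs_checksum(sector, f["length"]) == f["checksum"]


if __name__ == "__main__":
    fields = parse_fsrs(REFS_SECTOR)
    computed = compute_fsrs_checksum(REFS_SECTOR, fields["length"])
    print(f"name={fields['fs_name']!r} id={fields['identifier']!r} "
          f"length={fields['length']} stored=0x{fields['checksum']:04X} "
          f"computed=0x{computed:04X} valid={verify_fsrs(REFS_SECTOR)}")
```

Because the 448 trailing zero bytes contribute nothing but rotations, and 448 is a multiple of 16, the result is the same whether the structure is treated as 64 or 512 bytes; any edit to the non-zero bytes, or to the stored checksum itself, makes verify_fsrs return False.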

 

NTFS

Below is the VBR of the NTFS drive. The first three bytes are the Jump Instruction (Carrier, 2005), followed by the OEM ID in the next eight bytes. From offset 0x0100054 up until offset 0x0100183 is the NTFS boot-code assembly (Sedory, 2009). The boot signature (55 AA) resides at the end of the sector. Before this signature are error messages, which can be read in plaintext in the right-hand column; each error message is separated from the next by the bytes 0D 0A.

 

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000100000  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00  ËR.NTFS    ..........ø..?.Ÿ.....

000100020  00 00 00 00 80 00 80 00 FF E7 9F 00 00 00 00 00 00 00 04 00 00 00 00 00 02 00 00 00 00 00 00 00  ....€.€.ŸçŸ.....................

000100040  F6 00 00 00 01 00 00 00 57 EC 59 18 20 5A 18 EA 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07  Ö.......WÌY. Z.ê....ú3ÀžƉ¼.|ûhÀ.

000100060  1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E 54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB  ..hf.ˈ...f.>..NTFSuA»ªU˜.r..û

000100080  55 AA 75 06 F7 C1 01 00 75 03 E9 DD 00 1E 83 EC 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13  Uªu.÷á..u.ÉÝ..ƒÌ.h..´HŠ...‹Ô..˜.

0001000A0  9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8  ŸƒÄ.žX.rá;...£..á.....Z3û¹. +È

0001000C0  66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8 4B 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D  .......žÂŸ...ÈK.+Èwï¸.»˜.f#Àu-

0001000E0  66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16 68 07 BB 16 68 52 11 16 68 09 00 66 53 66 53 66  f.ûTCPAu$.Ù..r..h.».hR..h..fSfSf

000100100  55 16 16 16 68 B8 01 66 61 0E 07 CD 1A 33 C0 BF 0A 13 B9 F6 0C FC F3 AA E9 FE 01 90 90 66 60 1E  U...h¸.fa..˜.3À¿..¹Ö.ÜÓªÉþ...f`.

000100120  06 66 A1 11 00 66 03 06 1C 00 1E 66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00 B4 42 8A 16 0E  .f¡..f.....fh....fP.Sh..h..´BŠ..

000100140  00 16 1F 8B F4 CD 13 66 59 5B 5A 66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16 0F 00 8E C2 FF  ...‹Ô˜.fY[ZfYfY..‚.........žÂŸ

000100160  0E 16 00 75 BC 07 1F 66 61 C3 A1 F6 01 E8 09 00 A1 FA 01 E8 03 00 F4 EB FD 8B F0 AC 3C 00 74 09  ...u¼..faâ¡Ö.È..¡ú.È..ÔËÝ‹Ɖ¬<.t.

000100180  B4 0E BB 07 00 CD 10 EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 72 6F 72 20 6F 63  ´.»..˜.ËÒâ..A disk read error oc

0001001A0  63 75 72 72 65 64 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 63 6F 6D 70 72 65 73 73 65 64 00 0D  curred...BOOTMGR is compressed..

0001001C0  0A 50 72 65 73 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F 20 72 65 73 74 61 72 74 0D 0A  .Press Ctrl+Alt+Del to restart..

0001001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 01 A7 01 BF 01 00 00 55 AA  ......................Š.§.¿...

 

Following this sector is code for "bootmgr". This is the Windows boot manager, which reads the boot configuration data and then uses it to choose which operating system to boot the machine into. "bootmgr" was introduced with Windows Vista and superseded the earlier "ntldr". Once again, in this sector there is an error message preceded by 0D 0A.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000100200  07 00 42 00 4F 00 4F 00 54 00 4D 00 47 00 52 00 04 00 24 00 49 00 33 00 30 00 00 D4 00 00 00 24  ..B.O.O.T.M.G.R...$.I.3.0..Ô...$

000100220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

000100240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 C0 00 90 05 00 4E 00 54 00  ......................ÉÀ....N.T.

000100260  4C 00 44 00 52 00 07 00 42 00 4F 00 4F 00 54 00 54 00 47 00 54 00 07 00 42 00 4F 00 4F 00 54 00  L.D.R...B.O.O.T.T.G.T...B.O.O.T.

000100280  4E 00 58 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0D 0A 41 6E 20 6F  N.X.T.......................An o

0001002A0  70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 20 77 61 73 6E 27 74 20 66 6F 75 6E 64 2E 20 54 72  perating system wasn't found. Tr

0001002C0  79 20 64 69 73 63 6F 6E 6E 65 63 74 69 6E 67 20 61 6E 79 20 64 72 69 76 65 73 20 74 68 61 74 20  y disconnecting any drives that

0001002E0  64 6F 6E 27 74 0D 0A 63 6F 6E 74 61 69 6E 20 61 6E 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74  don't..contain an operating syst

000100300  65 6D 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9A 02 66 0F B7 06 0B 00 66  em.....................Š.f.·...f

000100320  0F B6 1E 0D 00 66 F7 E3 66 A3 52 02 66 8B 0E 40 00 80 F9 00 0F 8F 0E 00 F6 D9 66 B8 01 00 00 00  .¶...f÷âf£R.f‹.@.€Ù.....ÖÙf¸....

000100340  66 D3 E0 EB 08 90 66 A1 52 02 66 F7 E1 66 A3 86 02 66 0F B7 1E 0B 00 66 33 D2 66 F7 F3 66 A3 56  fÓÀË..f¡R.f÷áf£†.f...f3Òf÷Óf£V

000100360  02 E8 A2 04 66 8B 0E 4E 02 66 89 0E 26 02 66 03 0E 86 02 66 89 0E 2A 02 66 03 0E 86 02 66 89 0E  .È¢.f‹.N.f‰.&.f..†.f‰.*.f..†.f‰.

000100380  2E 02 66 03 0E 86 02 66 89 0E 3E 02 66 03 0E 86 02 66 89 0E 46 02 66 B8 90 00 00 00 66 8B 0E 26  ..f..†.f‰.>.f..†.f‰.F.f¸....f‹.&

0001003A0  02 E8 90 09 66 0B C0 0F 84 BF FD 66 A3 32 02 66 B8 A0 00 00 00 66 8B 0E 2A 02 E8 77 09 66 A3 36  .È..f.À.„¿Ýf£2.f¸ ...f‹.*.Èw.f£6

0001003C0  02 66 B8 B0 00 00 00 66 8B 0E 2E 02 E8 65 09 66 A3 3A 02 66 A1 32 02 66 0B C0 0F 84 8C FD 67 80  .f¸°...f‹...Èe.f£:.f¡2.f.À.„ŒÝg€

0001003E0  78 08 00 0F 85 83 FD 67 66 8D 50 10 67 03 42 04 67 66 0F B6 48 0C 66 89 0E 92 02 67 66 8B 48 08  x...…ƒÝgf.P.g.B.gf.¶H.f‰.'.gf‹H.

 

FAT32

As a comparison, the VBR of the FAT32 drive is below. Like the first three bytes of this sector in ReFS and NTFS, FAT has the Jump Code followed by the OEM ID.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000100000  EB 58 90 4D 53 44 4F 53 35 2E 30 00 02 08 3A 10 02 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00  ËX.MSDOS5.0...:......ø..?.Ÿ.....

000100020  00 E8 9F 00 E3 27 00 00 00 00 00 00 02 00 00 00 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00  .ÈŸ.â'..........................

000100040  80 00 29 E5 59 5E 12 4E 4F 20 4E 41 4D 45 20 20 20 20 46 41 54 33 32 20 20 20 33 C9 8E D1 BC F4  €.)ÅY^.NO NAME    FAT32   3Éžñ¼Ô

000100060  7B 8E C1 8E D9 BD 00 7C 88 56 40 88 4E 02 8A 56 40 B4 41 BB AA 55 CD 13 72 10 81 FB 55 AA 75 0A  {žážÙ½.|ˆV@ˆN.ŠV@´A»ªU˜.r..ûUªu.

000100080  F6 C1 01 74 05 FE 46 02 EB 2D 8A 56 40 B4 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 0F B6  Öá.t.þF.Ë-ŠV@´.˜.s.¹ŸŸŠñf.¶æ@f.¶

0001000A0  D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F B7 C9 66 F7 E1 66 89 46 F8 83 7E 16 00 75 39 83 7E 2A  ñ€Â?÷†˜À˜.Af.·Éf÷áf‰Føƒ~..u9ƒ~*

0001000C0  00 77 33 66 8B 46 1C 66 83 C0 0C BB 00 80 B9 01 00 E8 2C 00 E9 A8 03 A1 F8 7D 80 C4 7C 8B F0 AC  .w3f‹F.fƒÀ.».€¹..È,.ɨ.¡ø}€Ä|‹Ɖ¬

0001000E0  84 C0 74 17 3C FF 74 09 B4 0E BB 07 00 CD 10 EB EE A1 FA 7D EB E4 A1 7D 80 EB DF 98 CD 16 CD 19  Àt.<Ÿt.´.»..˜.ËΡú}ËÄ¡}€Ëß"˜.˜.

000100100  66 60 80 7E 02 00 0F 84 20 00 66 6A 00 66 50 06 53 66 68 10 00 01 00 B4 42 8A 56 40 8B F4 CD 13  f`€~...„ .fj.fP.Sfh....´BŠV@‹Ô˜.

000100120  66 58 66 58 66 58 66 58 EB 33 66 3B 46 F8 72 03 F9 EB 2A 66 33 D2 66 0F B7 4E 18 66 F7 F1 FE C2  fXfXfXfXË3f;Før.ÙË*f3Òf.·N.f÷ñþÂ

000100140  8A CA 66 8B D0 66 C1 EA 10 F7 76 1A 86 D6 8A 56 40 8A E8 C0 E4 06 0A CC B8 01 02 CD 13 66 61 0F  Šêf‹Ɖfáê.÷v.†ÖŠV@ŠÈÀÄ..̸..˜.fa.

000100160  82 74 FF 81 C3 00 02 66 40 49 75 94 C3 42 4F 4F 54 4D 47 52 20 20 20 20 00 00 00 00 00 00 00 00  ‚tŸ.â..f@Iu"âBOOTMGR    ........

000100180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

0001001A0  00 00 00 00 00 00 00 00 00 00 00 00 0D 0A 44 69 73 6B 20 65 72 72 6F 72 FF 0D 0A 50 72 65 73 73  ..............Disk errorŸ..Press

0001001C0  20 61 6E 79 20 6B 65 79 20 74 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 00 00 00 00 00   any key to restart.............

0001001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 01 B9 01 00 00 55 AA  ........................¬.¹...

 

The next sector after this one in the FAT32 file system starts with 52 52 61 41 and is all 0s until offset 0x01003E4. Here there are nine bytes, 72 72 41 61 FF F0 13 00 03, followed by blanks until the VBR signature (55 AA) at the end of the sector. The next sector is all 0s except for the boot signature. The following three sectors are completely blank. After these three comes the backup VBR.
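As an added worked example, not part of the original page: the sector just described ("RRaA" at the start, "rrAa" and nine non-zero bytes at 0x1E4, 55 AA at the end) has the layout of the FAT32 FSInfo sector from Microsoft's FAT specification, with lead signature 0x41615252 at offset 0, structure signature 0x61417272 at 0x1E4 followed by the free-cluster count and the next-free-cluster hint, and trail signature 0xAA550000 at 0x1FC. That identification comes from the specification, not from the page. The Python below rebuilds both sectors as constructed inputs from the FAT32 dump and the description above, parses the BPB fields of the VBR (including the FSInfo and backup-boot sector numbers that fsstat reports), and cross-checks the FSInfo counters against the cluster count the BPB implies. On this image the BPB gives 1,306,880 clusters and FSInfo reports 1,306,879 free, i.e. a single cluster in use, consistent with a freshly formatted volume.

```python
import struct

# Constructed input 1: the first 64 bytes of the FAT32 VBR from the dump above
# (image offset 0x100000); only the BPB fields up to offset 0x33 are read here.
FAT32_VBR = bytes.fromhex(
    "eb58904d53444f53352e300002083a10"
    "0200000000f800003f00ff0000080000"
    "00e89f00e32700000000000002000000"
    "01000600000000000000000000000000"
).ljust(512, b"\x00")

# Constructed input 2: the following sector, rebuilt from the description above
# ("RRaA", zeros, nine bytes at 0x1E4, zeros, 55 AA at the end of the sector).
_fsinfo = bytearray(512)
_fsinfo[0x000:0x004] = b"RRaA"
_fsinfo[0x1E4:0x1ED] = bytes.fromhex("72724161fff0130003")
_fsinfo[0x1FE:0x200] = b"\x55\xAA"
FAT32_FSINFO = bytes(_fsinfo)

# Signatures from the FAT32 specification: "RRaA", "rrAa" and 00 00 55 AA as LE DWORDs
LEAD_SIG, STRUC_SIG, TRAIL_SIG = 0x41615252, 0x61417272, 0xAA550000
UNKNOWN = 0xFFFFFFFF   # the specification's "no information" value for both counters


def parse_fat32_bpb(vbr: bytes) -> dict:
    """Pull the BPB fields needed to size the data area out of a FAT32 boot sector."""
    bytes_per_sector, sectors_per_cluster, reserved, num_fats = \
        struct.unpack_from("<HBHB", vbr, 0x0B)
    total_sectors, fat_size = struct.unpack_from("<II", vbr, 0x20)
    fsinfo_sector, backup_boot_sector = struct.unpack_from("<HH", vbr, 0x30)
    data_sectors = total_sectors - (reserved + num_fats * fat_size)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_clusters": data_sectors // sectors_per_cluster,
        "fsinfo_sector": fsinfo_sector,
        "backup_boot_sector": backup_boot_sector,
    }


def parse_fsinfo(sector: bytes) -> dict:
    """Decode the FSInfo sector: three signatures plus the two free-cluster hints."""
    (lead,) = struct.unpack_from("<I", sector, 0x000)
    struc, free_count, next_free = struct.unpack_from("<III", sector, 0x1E4)
    (trail,) = struct.unpack_from("<I", sector, 0x1FC)
    return {
        "signatures_ok": (lead, struc, trail) == (LEAD_SIG, STRUC_SIG, TRAIL_SIG),
        "free_clusters": None if free_count == UNKNOWN else free_count,
        "next_free_cluster": None if next_free == UNKNOWN else next_free,
    }


def cross_check(vbr: bytes, fsinfo: bytes) -> dict:
    """Sanity-check the FSInfo hints against the geometry the BPB implies. The hints are
    advisory, so a mismatch is a consistency finding to investigate, not proof of damage."""
    bpb = parse_fat32_bpb(vbr)
    info = parse_fsinfo(fsinfo)
    total = bpb["total_clusters"]
    free = info["free_clusters"]
    nxt = info["next_free_cluster"]
    return {
        "signatures_ok": info["signatures_ok"],
        "total_clusters": total,
        "free_clusters": free,
        "used_clusters": None if free is None else total - free,
        "free_count_plausible": free is None or 0 <= free <= total,
        # data clusters are numbered from 2, so the last valid number is total + 1
        "next_free_plausible": nxt is None or 2 <= nxt <= total + 1,
    }


if __name__ == "__main__":
    print(parse_fat32_bpb(FAT32_VBR))
    print(cross_check(FAT32_VBR, FAT32_FSINFO))
```

The BPB also records the FSInfo sector (1) and the backup boot sector (6), which is where the backup-VBR location reported by fsstat comes from; the hidden-sector count at 0x1C (0x800) likewise matches a partition starting 0x100000 bytes into the image.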

Backup VBR

At the end of the NTFS and ReFS drives, at offset 0x013FDFFE00, there is a backup of the VBR first seen at offset 0x0100000. It is identical to the earlier copy; there is no difference at all. Again, the one in NTFS fills the 512 bytes, whereas in ReFS it consumes only 64 bytes, containing the File System Recognition Structure. Bunting (2012) states that NTFS stores its backup copy of the VBR in the last sector of the partition. This is confirmed by Microsoft's support article on how to recover an NTFS boot sector (Microsoft, 2007). The FAT32 drive does not have a backup at this location, as its VBR backup is at sector 6 of the file system. This was one of the pieces of information disclosed by the fsstat command, which was run earlier.