
Towards Enumeration of NTFS Using USN Journals Under UEFI

  • Conference paper
Trustworthy Computing and Services (ISCTCS 2014)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 520)


Abstract

To manage and protect the ever-increasing number of files, file-system-status monitoring has become more useful than ever. Because most existing file-system-status monitoring systems operate at the OS level, they cannot take effect when a malicious attack manages to take control of the computer during the boot process. File-system-status monitoring before the OS boots has therefore become an urgent requirement. A key problem for such a monitoring system is to enumerate all the files in the system. Considering that NTFS is the most popular file system and that UEFI has become the new standard specification for the BIOS, we put forward an implementation of an enumeration engine for the NTFS file system under UEFI that uses the USN journal, and experiments show that our engine can enumerate all the files.



Author information


Correspondence to Zilu Zhang.


Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhang, Z., Shi, J., Hu, L. (2015). Towards Enumeration of NTFS Using USN Journals Under UEFI. In: Yueming, L., Xu, W., Xi, Z. (eds) Trustworthy Computing and Services. ISCTCS 2014. Communications in Computer and Information Science, vol 520. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47401-3_22


  • DOI: https://doi.org/10.1007/978-3-662-47401-3_22


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-47400-6

  • Online ISBN: 978-3-662-47401-3

  • eBook Packages: Computer Science (R0)
