Abstract
As the number of files to be managed and protected keeps growing, file-system-status monitoring has become increasingly useful. Since most existing file-system-status monitoring systems operate at the OS level, they are ineffective once a malicious attack manages to take control of the computer during the boot process. Monitoring the file system's status before the OS boots has therefore become an urgent requirement. A key problem for such monitoring systems is enumerating all the files in the system. Considering that NTFS is the most popular file system and that UEFI has become the new standard BIOS specification, we put forward an implementation of an NTFS enumeration engine under UEFI that uses the USN journal, and experiments show that our engine can enumerate all the files.
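As an added illustration, not the authors' UEFI code (which this page does not reproduce), the Python below parses the on-disk USN_RECORD_V2 layout of the NTFS $UsnJrnl:$J stream that such an enumeration engine walks, skips the zero gaps of the sparse stream, and rebuilds full paths through ParentFileReferenceNumber; the function names, the record contents and the root directory's sequence number are constructed for the example.

```python
import struct
# USN_RECORD_V2 header (Windows SDK layout, 60 bytes, little-endian): RecordLength,
# Major/MinorVersion, FileRef, ParentFileRef, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
_HDR = struct.Struct("<IHHQQqqIIIIHH")
REASON_CREATE_CLOSE = 0x80000100  # USN_REASON_FILE_CREATE | USN_REASON_CLOSE

def parse_usn_records(buf):
    """Yield (file_ref, parent_ref, reason, name) per record. $J is sparse, so a
    zero-filled gap reads as RecordLength 0 and is skipped 8 bytes at a time."""
    off = 0
    while off + _HDR.size <= len(buf):
        (rec_len, major, _, file_ref, parent_ref, _, _, reason,
         _, _, _, name_len, name_off) = _HDR.unpack_from(buf, off)
        if rec_len == 0:
            off += 8
            continue
        if major != 2 or rec_len % 8 or off + rec_len > len(buf):
            raise ValueError(f"corrupt USN record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield file_ref, parent_ref, reason, name
        off += rec_len

def enumerate_paths(buf, root_ref):
    """Join each name to its ancestors via the parent's MFT reference up to root_ref."""
    names, parents = {}, {}
    for file_ref, parent_ref, _, name in parse_usn_records(buf):
        names[file_ref], parents[file_ref] = name, parent_ref  # newest name wins
    paths = {}
    for ref in names:
        parts, cur = [], ref
        while cur != root_ref and cur in names:
            parts.append(names[cur])
            cur = parents[cur]
        paths[ref] = "\\" + "\\".join(reversed(parts))
    return paths

def make_record(file_ref, parent_ref, usn, name):
    """Constructed USN_RECORD_V2 for the demo, not read from a real volume."""
    enc = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(enc) + 7) & ~7  # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, file_ref, parent_ref, usn, 0,
                    REASON_CREATE_CLOSE, 0, 0, 0x20, len(enc), _HDR.size)
    return (hdr + enc).ljust(rec_len, b"\0")

# Constructed sample $J: MFT entry 5 is the root directory (its sequence number 5
# is assumed); zero runs before and after the records mimic the sparse stream.
ROOT, WINDOWS, NOTEPAD, USERS = 5 | (5 << 48), 42 | (1 << 48), 43 | (1 << 48), 44 | (2 << 48)
SAMPLE_J = (b"\0" * 16 + make_record(WINDOWS, ROOT, 0x1000, "Windows")
            + make_record(NOTEPAD, WINDOWS, 0x1050, "notepad.exe")
            + make_record(USERS, ROOT, 0x10A8, "users.txt") + b"\0" * 8)
```

Running `enumerate_paths(SAMPLE_J, ROOT)` yields one full path per file reference seen in the journal; on a real volume the $J stream would be read cluster by cluster from the $UsnJrnl MFT record instead of from the constructed buffer.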
© 2015 Springer-Verlag Berlin Heidelberg
Zhang, Z., Shi, J., Hu, L. (2015). Towards Enumeration of NTFS Using USN Journals Under UEFI. In: Yueming, L., Xu, W., Xi, Z. (eds) Trustworthy Computing and Services. ISCTCS 2014. Communications in Computer and Information Science, vol 520. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47401-3_22
DOI: https://doi.org/10.1007/978-3-662-47401-3_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47400-6
Online ISBN: 978-3-662-47401-3
eBook Packages: Computer Science (R0)