Metadata Files: Excellent Reference: Ntfs/attrib.h
Excellent reference:
http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h
Metadata Files
The metadata files in NTFS contain information used
to implement the file system structure.
Their names begin with $
The $ is usually hidden
With the exception of these $ files, all the remaining MFT entries are for normal files and directories
Metadata Files
MFT entries 0-15 are reserved for metadata files; usually only the
first 12 are used by Microsoft.
Entry  File       Description
0      $Mft       MFT
1      $MftMirr   MFT mirror
2      $LogFile   Log file
3      $Volume    Volume file
4      $AttrDef   Attribute definition table
5      \          Root directory
6      $Bitmap    Volume cluster allocation file
7      $Boot      Boot sector
$MFT
Entry 0
Master File Table
Contains an entry for every file
First entry in the MFT
Has a $BITMAP attribute
Its $DATA attribute contains the clusters used by the
MFT
Also has $STANDARD_INFORMATION and
$FILE_NAME attributes
$MFTMirr
Entry 1
Backup for the MFT
Second entry (entry #1) in the MFT
Has a non-resident attribute
$LogFile
Entry 2
Used as the NTFS journal
Has standard attributes
Log data is stored in $DATA
Appears to have signature RSTR
And entries with signature RCRD
$Volume
MFT entry number 3
Contains volume label and version info
Has 2 important attributes
$VOLUME_NAME
$VOLUME_INFORMATION
$VOLUME_NAME
Type ID 96
Name of volume in UTF-16 Unicode
Nothing more
$VOLUME_INFORMATION
Type ID 112
Unique to $Volume file
Fields (byte offsets)
0-7    Unused
8      Major version
9      Minor version
10-11  Flags
Flags
0x0001  Dirty
0x0002  Resize $LogFile (file system journal)
0x0004  Upgrade volume next time
0x0008  Mounted in NT
0x0010  Deleting change journal
0x0020  Repair object IDs
0x0080  Modified by chkdsk
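As an added example (not part of the slides), a small Python parser for the $VOLUME_INFORMATION value laid out above. It uses the byte offsets and flag bits from the two tables; the sample value it parses is constructed, and the function names are my own. The point a forensic examiner cares about is the dirty bit: a volume that was not cleanly unmounted may have journal entries that have not been applied yet.

```python
import struct

# Flag bits of the $VOLUME_INFORMATION attribute (type ID 112), as listed above.
VOLUME_FLAGS = {
    0x0001: "Dirty",
    0x0002: "Resize $LogFile",
    0x0004: "Upgrade volume next time",
    0x0008: "Mounted in NT",
    0x0010: "Deleting change journal",
    0x0020: "Repair object IDs",
    0x0080: "Modified by chkdsk",
}


def parse_volume_information(value: bytes) -> dict:
    """Parse the 12-byte value of a $VOLUME_INFORMATION attribute.

    Layout (byte offsets): 0-7 unused, 8 major version, 9 minor version,
    10-11 flags, all little-endian as stored on disk.
    """
    if len(value) < 12:
        raise ValueError("$VOLUME_INFORMATION value must be at least 12 bytes")
    major, minor, flags = struct.unpack_from("<BBH", value, 8)
    return {
        "version": f"{major}.{minor}",
        "flags": flags,
        "flag_names": [name for bit, name in sorted(VOLUME_FLAGS.items()) if flags & bit],
        # Bits the table above does not name; worth reporting rather than dropping.
        "unknown_bits": flags & ~sum(VOLUME_FLAGS),
        "dirty": bool(flags & 0x0001),
    }


def build_volume_information(major: int, minor: int, flags: int) -> bytes:
    """Build a constructed $VOLUME_INFORMATION value for testing (not read from a disk)."""
    return bytes(8) + struct.pack("<BBH", major, minor, flags)


if __name__ == "__main__":
    # Constructed sample: NTFS 3.1, dirty bit set and a pending $LogFile resize.
    sample = build_volume_information(3, 1, 0x0001 | 0x0002)
    print(parse_volume_information(sample))
```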
$AttrDef
Entry 4
Defines the attribute names and Ids
$DATA attribute for this file contains a list of entries
Entry (byte offsets):
0-127    Name of attribute
128-131  Type identifier
132-135  Display rule
136-139  Collation rule
140-143  Flags
144-151  Minimum size
152-159  Maximum size
Flags:
0x02
0x04
0x08
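As an added example (not from the slides), a Python parser for the $DATA content of $AttrDef using the 160-byte entry layout above, plus a size check that a parser can use to reject an attribute whose length falls outside the minimum/maximum the volume itself declares. The sample table is constructed for this example rather than copied from a real volume, the function names are my own, and treating an all-ones maximum size as "no limit" is an assumption of this code.

```python
import struct

ATTRDEF_ENTRY_SIZE = 160
UNLIMITED = 0xFFFFFFFFFFFFFFFF  # assumed encoding for "no maximum size"


def parse_attrdef(data: bytes) -> list:
    """Parse $AttrDef's $DATA content into a list of attribute definitions.

    Each entry is 160 bytes: 0-127 name (UTF-16LE, NUL padded), 128-131 type ID,
    132-135 display rule, 136-139 collation rule, 140-143 flags, 144-151 minimum
    size, 152-159 maximum size. Parsing stops at the first all-zero entry.
    """
    defs = []
    for off in range(0, len(data) - ATTRDEF_ENTRY_SIZE + 1, ATTRDEF_ENTRY_SIZE):
        entry = data[off:off + ATTRDEF_ENTRY_SIZE]
        name = entry[:128].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        type_id, display_rule, collation_rule, flags, min_size, max_size = \
            struct.unpack_from("<IIIIQQ", entry, 128)
        if not name and type_id == 0:
            break
        defs.append({
            "name": name, "type_id": type_id, "display_rule": display_rule,
            "collation_rule": collation_rule, "flags": flags,
            "min_size": min_size, "max_size": max_size,
        })
    return defs


def build_attrdef_entry(name: str, type_id: int, flags: int, min_size: int,
                        max_size: int, display_rule: int = 0, collation_rule: int = 0) -> bytes:
    """Build one constructed 160-byte $AttrDef entry (test data, not from a disk)."""
    encoded = name.encode("utf-16-le")
    if len(encoded) > 128:
        raise ValueError("attribute name does not fit in 128 bytes")
    return encoded.ljust(128, b"\x00") + struct.pack(
        "<IIIIQQ", type_id, display_rule, collation_rule, flags, min_size, max_size)


def sample_attrdef() -> bytes:
    """Constructed $DATA content: three definitions followed by the zero terminator."""
    return (build_attrdef_entry("$STANDARD_INFORMATION", 0x10, 0x40, 0x30, 0x48)
            + build_attrdef_entry("$FILE_NAME", 0x30, 0x42, 0x44, 0x242)
            + build_attrdef_entry("$DATA", 0x80, 0x00, 0x0, UNLIMITED)
            + bytes(ATTRDEF_ENTRY_SIZE))


def definition_for(defs: list, type_id: int):
    """Look up the definition for an attribute type ID, or None if undefined."""
    return next((d for d in defs if d["type_id"] == type_id), None)


def attribute_size_ok(defs: list, type_id: int, length: int) -> bool:
    """Check an attribute value length against the volume's own min/max.

    Unknown type IDs fail closed, which is what a parser walking an untrusted
    MFT wants: a type that $AttrDef never defined should not be trusted.
    """
    d = definition_for(defs, type_id)
    if d is None or length < d["min_size"]:
        return False
    return d["max_size"] == UNLIMITED or length <= d["max_size"]


if __name__ == "__main__":
    for d in parse_attrdef(sample_attrdef()):
        print(f"{d['type_id']:#06x} {d['name']:<24} min={d['min_size']:#x} max={d['max_size']:#x}")
```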
\ - Root directory
Entry 5
$Bitmap
Entry 6
Bitmap of allocated clusters is maintained in the $DATA attribute
$Boot
Entry 7
Contains the boot sector of the file system
Static location for $DATA attribute
Located in the first sector of the file system
Used to boot the system
First sector is the VBR
Offset  Length  Sample value          Field name
0x00    3       0xEB5290              Jump instruction
0x03    4       0x4E544653            OEM ID ("NTFS")
0x0B    2       0x0002                Bytes per sector
0x0D    1       0x08                  Sectors per cluster
0x0E    2       0x0000                Reserved sectors (always 0)
0x10    3       0x000000              Always 0
0x13    2       0x0000                Not used by NTFS
0x15    1       0xF8                  Media descriptor
0x16    2       0x0000                Always 0
0x18    2       0x3F00                Sectors per track
0x1A    2       0xFF00                Number of heads
0x1C    4       0x3F000000            Hidden sectors
0x20    4       0x00000000            Not used by NTFS
0x24    4       0x80008000            Not used by NTFS
0x28    8       0x4AF57F0000000000    Total sectors
0x30    8       0x0400000000000000    Logical cluster number for $MFT
0x38    8       0x54FF070000000000    Logical cluster number for $MFTMirr
0x40    4       0xF6000000            Clusters per file record segment
0x44    4       0x01000000            Clusters per index buffer
0x48    8       0x14A51B74C91B741C    Volume serial number
0x50    4       0x00000000            Checksum
Sample values are shown as the bytes appear on disk (little-endian), so 0x0002 is 512 bytes per sector and 0x3F00 is 63 sectors per track.
Source: www.NTFS.com
$Boot (contd)
The sectors following the first hold the actual boot code
Only significant for bootable partitions
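As an added example (not part of the slides), a Python parser for the $Boot sector layout above. It builds a 512-byte sector from the sample values in the table (constructed, not an image of a real disk), decodes the little-endian fields, derives the values an examiner actually uses (cluster size, byte offset of $MFT, file record size) and runs the sanity checks a parser should apply before trusting the rest of the volume. Function names are my own. Two details the table does not spell out: the OEM ID occupies 8 bytes on disk ("NTFS" padded with spaces), and the "clusters per file record" byte is signed, so the sample 0xF6 (-10) means a file record of 2^10 = 1024 bytes rather than a cluster count.

```python
import struct

SECTOR_SIZE = 512


def sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector using the sample values from the table."""
    sector = bytearray(SECTOR_SIZE)
    sector[0x00:0x03] = b"\xEB\x52\x90"                    # jump instruction
    sector[0x03:0x0B] = b"NTFS    "                        # OEM ID, 8 bytes on disk
    struct.pack_into("<H", sector, 0x0B, 512)              # bytes per sector (0x0002)
    sector[0x0D] = 8                                       # sectors per cluster
    sector[0x15] = 0xF8                                    # media descriptor
    struct.pack_into("<HH", sector, 0x18, 63, 255)         # sectors per track, heads
    struct.pack_into("<I", sector, 0x1C, 63)               # hidden sectors (0x3F000000)
    sector[0x24:0x28] = b"\x80\x00\x80\x00"                # not used by NTFS (0x80008000)
    struct.pack_into("<Q", sector, 0x28, 0x7FF54A)         # total sectors (0x4AF57F00...)
    struct.pack_into("<Q", sector, 0x30, 4)                # LCN of $MFT
    struct.pack_into("<Q", sector, 0x38, 0x07FF54)         # LCN of $MFTMirr (0x54FF0700...)
    sector[0x40] = 0xF6                                    # clusters per file record (signed)
    sector[0x44] = 0x01                                    # clusters per index buffer
    sector[0x48:0x50] = bytes.fromhex("14A51B74C91B741C")  # volume serial number
    sector[0x1FE:0x200] = b"\x55\xAA"                      # boot sector signature
    return bytes(sector)


def _record_size(raw: int, cluster_size: int) -> int:
    """Positive values count clusters; negative values mean 2**(-raw) bytes."""
    return raw * cluster_size if raw > 0 else 1 << (-raw)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS boot sector fields and report any values that look wrong."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    oem = sector[0x03:0x0B]
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    reserved_sectors, = struct.unpack_from("<H", sector, 0x0E)
    media_descriptor = sector[0x15]
    sectors_per_track, heads = struct.unpack_from("<HH", sector, 0x18)
    hidden_sectors, = struct.unpack_from("<I", sector, 0x1C)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_file_record, = struct.unpack_from("<b", sector, 0x40)  # signed byte
    clusters_per_index_buffer, = struct.unpack_from("<b", sector, 0x44)
    volume_serial, checksum = struct.unpack_from("<QI", sector, 0x48)
    signature, = struct.unpack_from("<H", sector, 0x1FE)

    problems = []
    if oem != b"NTFS    ":
        problems.append("OEM ID is not 'NTFS    '")
    if signature != 0xAA55:
        problems.append("missing 0x55AA boot signature")
    if bytes_per_sector not in (256, 512, 1024, 2048, 4096):
        problems.append(f"implausible bytes per sector {bytes_per_sector}")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        problems.append(f"sectors per cluster {sectors_per_cluster} is not a power of two")
    if reserved_sectors != 0:
        problems.append("reserved sectors should be 0 on NTFS")

    cluster_size = bytes_per_sector * sectors_per_cluster
    total_clusters = total_sectors // sectors_per_cluster if sectors_per_cluster else 0
    if mft_lcn >= total_clusters or mftmirr_lcn >= total_clusters:
        problems.append("$MFT or $MFTMirr cluster lies outside the volume")

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media_descriptor": media_descriptor,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "hidden_sectors": hidden_sectors,
        "total_sectors": total_sectors,
        "total_clusters": total_clusters,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of $MFT in the volume
        "mftmirr_lcn": mftmirr_lcn,
        "file_record_size": _record_size(clusters_per_file_record, cluster_size),
        "index_record_size": _record_size(clusters_per_index_buffer, cluster_size),
        "volume_serial": volume_serial,
        "checksum": checksum,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in parse_boot_sector(sample_boot_sector()).items():
        print(f"{key:<20} {value:#x}" if isinstance(value, int) else f"{key:<20} {value}")
```

The $MFT byte offset is the first thing a carving or triage tool needs, and the problems list is what tells you whether the static $Boot location still holds a believable sector or has been overwritten.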
Exercise
Format a disk with a non-bootable NTFS partition
What do the first 16 clusters of the file system look like?
$BadClus
Entry 8
Bad cluster file
$Secure
Entry 9
Security settings
$UpCase
Entry 10
Uppercase character mapping
$Extend
Entry 11
Extended metadata directory
Contains
$ObjId
$Reparse
$Quota
$UsnJrnl
$Quota
Located in \$Extend\
Contains two indexes
Both indexes use
$INDEX_ROOT
$INDEX_ALLOCATION
$O index
Correlates a SID to an owner ID
$Q index
Correlates an owner ID to quota information
$UsnJrnl
Located in \$Extend\
Acts as a change journal
Changes are stored in $DATA attribute
This attribute is named $J
Also has another $DATA attribute named $Max
Maximum settings for the UsnJrnl
$J Attribute Entries (byte offsets)
0-3    Size of this entry
4-5    Major version
6-7    Minor version
8-15   File reference of the file that caused the change
16-23  File reference of the parent directory
24-31  USN of this entry
32-39  Time stamp
40-43  Reason flags
44-47  Source info
48-51  Security ID
52-55  File attributes
56-57  Size of file name
58+    Offset to file name (2 bytes), followed by the file name
$J Entry Flags (reason flags)
0x00000001  Default $DATA attribute overwritten
0x00000002  Default $DATA attribute extended
0x00000004  Default $DATA attribute truncated
0x00000010  Named $DATA attribute overwritten
0x00000020  Named $DATA attribute extended
0x00000040  Named $DATA attribute truncated
0x00000100  File or directory created
0x00000200  File or directory deleted
0x00000400  Extended attributes changed
0x00000800  Security descriptor changed
0x00001000  Renamed: entry carries the old name
0x00002000  Renamed: entry carries the new name
0x00004000  Content indexing setting changed
Etc.
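As an added example (not part of the slides), a Python parser for $J entries using the layout and reason flags above. It constructs a short journal (a file created, then renamed) rather than reading a real $J, walks the length-prefixed records, splits the 8-byte file references into MFT entry number and sequence number, converts the Windows FILETIME stamp, and names the reason bits; bits the table above does not list are reported as unknown instead of being silently dropped. Record layout follows USN_RECORD_V2, which is what $J stores; the function names and sample values are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from the table above, with the USN_REASON_* names they correspond to.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
}
USN_HEADER_SIZE = 60  # bytes 0-59; the file name follows at the stated offset
USN_HEADER_FMT = "<IHHQQQQIIIIHH"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft: int) -> str:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def decode_reasons(reason: int) -> list:
    """Name each set reason bit; unlisted bits are kept as UNKNOWN_0x... ."""
    names = [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]
    unknown = reason & ~sum(USN_REASONS)
    if unknown:
        names.append(f"UNKNOWN_{unknown:#010x}")
    return names


def build_usn_record(mft_entry: int, sequence: int, parent_entry: int, parent_sequence: int,
                     usn: int, timestamp: int, reason: int, name: str,
                     attributes: int = 0x20) -> bytes:
    """Build one constructed USN_RECORD_V2 (test data, not from a real volume)."""
    file_ref = (sequence << 48) | mft_entry        # 48-bit entry number, 16-bit sequence
    parent_ref = (parent_sequence << 48) | parent_entry
    encoded = name.encode("utf-16-le")
    length = (USN_HEADER_SIZE + len(encoded) + 7) & ~7   # records are 8-byte aligned
    header = struct.pack(USN_HEADER_FMT, length, 2, 0, file_ref, parent_ref, usn,
                         timestamp, reason, 0, 0, attributes, len(encoded), USN_HEADER_SIZE)
    return header + encoded + bytes(length - USN_HEADER_SIZE - len(encoded))


def sample_journal() -> bytes:
    """Constructed $J fragment: create notes.txt, then rename it to secret.txt."""
    ts = 132000000000000000   # constructed FILETIME, 2019-04-17 18:40:00 UTC
    return (build_usn_record(100, 3, 5, 5, 0x1000, ts, 0x00000100, "notes.txt")
            + build_usn_record(100, 3, 5, 5, 0x1050, ts + 50_000_000, 0x00001000, "notes.txt")
            + build_usn_record(100, 3, 5, 5, 0x10A0, ts + 50_000_000, 0x00002000, "secret.txt")
            + bytes(64))   # zero fill, as found past the last record in a page


def parse_usn_journal(data: bytes) -> list:
    """Walk consecutive $J records and decode each one."""
    records = []
    off = 0
    while off + USN_HEADER_SIZE <= len(data):
        length, = struct.unpack_from("<I", data, off)
        if length == 0:
            break   # zero-filled gap: no further records in this buffer
        if length < USN_HEADER_SIZE or length % 8 or off + length > len(data):
            raise ValueError(f"corrupt record length {length} at offset {off}")
        (major, minor, file_ref, parent_ref, usn, timestamp, reason, source_info,
         security_id, attributes, name_len, name_off) = struct.unpack_from("<HHQQQQIIIIHH", data, off + 4)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor}")
        if name_off + name_len > length:
            raise ValueError(f"file name runs past record end at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,
            "sequence": file_ref >> 48,
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_iso(timestamp),
            "reason": reason,
            "reasons": decode_reasons(reason),
            "source_info": source_info,
            "security_id": security_id,
            "attributes": attributes,
            "name": name,
        })
        off += length
    return records


if __name__ == "__main__":
    for rec in parse_usn_journal(sample_journal()):
        print(f"{rec['timestamp']} usn={rec['usn']:#x} entry={rec['mft_entry']}-{rec['sequence']} "
              f"{rec['name']} {','.join(rec['reasons'])}")
```

Pairing the RENAME_OLD_NAME and RENAME_NEW_NAME records by MFT entry and sequence number is how a rename is reconstructed from the journal, and it is why the entry number alone is not enough: once an entry is reused, the sequence number tells the old file from the new one.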