---
date: "2016-12-01"
draft: false
title: "Windows NTFS"
---
NTFS - Advanced Features [WISEp2-426]
- Multiple data streams
- Unicode-based names (max len=255)
- General indexing facility
- Dynamic bad-cluster remapping
- Hard links
- Symbolic (soft) links and junctions
- Compression and sparse files
- Change logging
- Per-user volume quotas
- Link tracking
- Encryption
- POSIX support
- Defragmentation
- Read-only support and dynamic partitioning
MFT Metadata
All MFT records are 1 KB; there is one base record for each file and directory on the volume
| System File | File Name | MFT Record | Purpose of the File |
|---|---|---|---|
| Master file table | $Mft | 0 | Contains one base file record for each file and directory on an NTFS volume. If the allocation information for a file or directory is too large to fit within a single record, other file records are allocated as well. |
| Master file table 2 | $MftMirr | 1 | A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure. |
| Log file | $LogFile | 2 | Contains a list of transaction steps used for NTFS recoverability. Log file size depends upon the volume size. It is used by Windows 2000 to restore consistency to NTFS in the event of a system failure. For more information about the log file, see “NTFS Recoverability” later in this chapter. |
| Volume | $Volume | 3 | Contains information about the volume, such as the volume label and the volume version. |
| Attribute definitions | $AttrDef | 4 | A table of attribute names, numbers, and descriptions. |
| Root file name index | $ | 5 | The root directory. |
| Cluster bitmap | $Bitmap | 6 | A representation of the volume showing which clusters are in use. |
| Boot sector | $Boot | 7 | Includes the bootstrap for the volume if it is a bootable volume. |
| Bad cluster file | $BadClus | 8 | Contains bad clusters for the volume. |
| Security file | $Secure | 9 | Contains unique security descriptors for all files within a volume. |
| Upcase table | $Upcase | 10 | Converts lowercase characters to matching Unicode uppercase characters. |
| NTFS extension file | $Extend | 11 | Used for various optional extensions such as quotas, reparse point data, and object identifiers. |
| | | 12–15 | Reserved for future use. |
| | | 17–23 | Sometimes used as overflow when the reserved entries are not enough [FSFA-285] |
Standard Attributes (MFT File) [WISEp2-448]
| Attribute | Type ID | Size (bytes) | Notes |
|---|---|---|---|
| $STANDARD_INFORMATION | 16 | 72 | ownership, security, quota, and time stamp information |
| $FILE_NAME | 48 | 66 | same timestamps as $STANDARD_INFORMATION, but not updated |
| $DATA | 128 | Variable | file content; less than 700 bytes is stored resident (inside the MFT record) |
Timestamps (in $STANDARD_INFORMATION)
• Creation time
• Modified time
• MFT Modified time
• Accessed time
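To make the two tables above concrete, here is an added example (not from the page, nor from Windows Internals or FSFA) that builds a constructed 1 KB FILE record with resident $STANDARD_INFORMATION (16), $FILE_NAME (48) and $DATA (128) attributes, applies the update-sequence fixup the driver writes at the end of each 512-byte sector, and then parses the record back: verifying the fixup, walking the attribute list, decoding the four FILETIME stamps from both attributes and recovering the resident data. The field offsets are the documented NTFS 3.x on-disk layout; the record number, file name, times and the `timestamps_disagree` heuristic (flagging a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one, which follows from $FILE_NAME not being updated) are this example's own choices.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024               # every MFT record is 1 KB
SECTOR_SIZE = 512
ATTR_STANDARD_INFORMATION = 16   # $STANDARD_INFORMATION
ATTR_FILE_NAME = 48              # $FILE_NAME
ATTR_DATA = 128                  # $DATA
ATTR_END = 0xFFFFFFFF            # terminator after the last attribute
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_HOUR = 36_000_000_000  # FILETIME counts 100 ns ticks since 1601-01-01

def filetime_to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def resident_attr(type_id, content, attr_id):
    """Resident attribute: 24-byte header, then the content, padded to a multiple of 8."""
    length = (24 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", type_id, length, 0, 0, 24, 0, attr_id,
                         len(content), 24, 0, 0)
    return (header + content).ljust(length, b"\x00")

def standard_information(created, modified, mft_modified, accessed):
    """72 bytes: four FILETIMEs, flags, versions, owner/security ids, quota, USN."""
    return struct.pack("<4Q6I2Q", created, modified, mft_modified, accessed,
                       0x20, 0, 0, 0, 0, 0x100, 0, 0)

def file_name(parent_ref, created, modified, mft_modified, accessed, alloc, real, name):
    """66-byte fixed part of $FILE_NAME followed by the UTF-16LE name (namespace 3)."""
    fixed = struct.pack("<7Q2IBB", parent_ref, created, modified, mft_modified, accessed,
                        alloc, real, 0x20, 0, len(name), 3)
    return fixed + name.encode("utf-16-le")

def build_record(record_number, attrs):
    """Assemble a FILE record and apply the update-sequence fixup as the driver does on write."""
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\x00" * 4
    usa_offset, first_attr = 0x30, 0x38   # USA = 2-byte USN + one saved word per sector
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_offset, 3, 0, 1, 1, first_attr,
                         0x01, first_attr + len(body), RECORD_SIZE, 0, len(attrs), 0, record_number)
    rec = bytearray((header + b"\x00" * 8 + body).ljust(RECORD_SIZE, b"\x00"))
    usn = b"\x03\x00"
    rec[usa_offset:usa_offset + 2] = usn
    for i in range(RECORD_SIZE // SECTOR_SIZE):
        end = (i + 1) * SECTOR_SIZE
        # save each sector's last two bytes in the array, overwrite them with the USN
        rec[usa_offset + 2 + 2 * i:usa_offset + 4 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

def undo_fixup(record):
    """Restore the saved bytes; a mismatch means a torn write or a corrupt record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        rec[end - 2:end] = rec[usa_offset + 2 + 2 * i:usa_offset + 4 + 2 * i]
    return bytes(rec)

def iter_attributes(rec):
    offset = struct.unpack_from("<H", rec, 0x14)[0]   # offset of the first attribute
    while True:
        type_id = struct.unpack_from("<I", rec, offset)[0]
        if type_id == ATTR_END:
            return
        length, non_resident = struct.unpack_from("<IB", rec, offset + 4)
        if length == 0:
            raise ValueError("zero-length attribute")
        content = None
        if not non_resident:
            size, coff = struct.unpack_from("<IH", rec, offset + 0x10)
            content = rec[offset + coff:offset + coff + size]
        yield type_id, content
        offset += length

def parse_record(record):
    rec = undo_fixup(record)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "attributes": []}
    for type_id, content in iter_attributes(rec):
        info["attributes"].append(type_id)
        if type_id == ATTR_STANDARD_INFORMATION:
            info["si_times"] = [filetime_to_datetime(t) for t in struct.unpack_from("<4Q", content)]
        elif type_id == ATTR_FILE_NAME:
            info["fn_times"] = [filetime_to_datetime(t) for t in struct.unpack_from("<4Q", content, 8)]
            info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        elif type_id == ATTR_DATA and content is not None:
            info["data"] = content   # resident $DATA: the file content lives inside the record
    return info

def timestamps_disagree(info):
    """$FILE_NAME times are not updated, so an earlier $STANDARD_INFORMATION creation time is suspicious."""
    return info["si_times"][0] < info["fn_times"][0]

def build_sample_record(si_backdate_hours=0):
    """Constructed record 42 for notes.txt in the root directory (MFT record 5), data resident.
    si_backdate_hours shifts only the $STANDARD_INFORMATION times so the check above can be exercised."""
    t0 = datetime_to_filetime(datetime(2016, 12, 1, 9, 0, tzinfo=timezone.utc))
    si_t0 = t0 - si_backdate_hours * TICKS_PER_HOUR
    si = resident_attr(ATTR_STANDARD_INFORMATION, standard_information(
        si_t0, si_t0 + TICKS_PER_HOUR, si_t0 + TICKS_PER_HOUR, si_t0 + 2 * TICKS_PER_HOUR), 0)
    root_ref = 5 | (5 << 48)   # record 5 with sequence number 5 in the top 16 bits
    fn = resident_attr(ATTR_FILE_NAME, file_name(root_ref, t0, t0, t0, t0, 4096, 10, "notes.txt"), 1)
    data = resident_attr(ATTR_DATA, b"hello ntfs", 2)
    return build_record(42, [si, fn, data])

if __name__ == "__main__":
    print(parse_record(build_sample_record()))
```

The fixup step is what a raw-disk parser most often gets wrong: without restoring the saved words, the last two bytes of any attribute that straddles a sector boundary read back as the USN, and a mismatch there is the signal that the record was only partially written.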
Other
- Opportunistic Lock (oplock)
- Metadata files - TODO?
[FSFA-285]: File System Forensic Analysis - Page 285
[WISEp2-426]: Windows Internals, Sixth Edition, Part 2 - page 426
[WISEp2-448]: Windows Internals, Sixth Edition, Part 2 - page 448