Structure of Ntfs
By: Victor • Essay • 768 Words • November 11, 2009 • 1,074 Views
Structure of NTFS
The NTFS file system is used in all critical Microsoft Windows systems. It is an advanced file system, and its design differs from the UNIX file systems that the original TCT was designed for. This document gives a quick overview of NTFS and how it was implemented. The biggest difference is the use of Alternate Data Streams (ADS) when specifying a metadata structure.
MFT
The Master File Table (MFT) contains entries that describe all system files, user files, and directories. The MFT even contains an entry (#0) that describes the MFT itself, which is how we determine its current size. Other system files in the MFT include the Root Directory (#5), the cluster allocation map, Security Descriptors, and the journal.
MFT ENTRIES
Each MFT entry is given a number (similar to inode numbers in UNIX). The user files and directories start at MFT #25. The MFT entry contains a list of attributes. Example attributes include "Standard Information", which stores data such as MAC times; "File Name", which stores the file's or directory's name(s); $DATA, which stores the actual file content; and "Index Alloc" and "Index Root", which contain directory contents stored in a B-Tree.
Each type of attribute is given a numerical value, and more than one instance of a type can exist for a file. The "id" value for each attribute allows one to specify an instance. A given file can have more than one $DATA attribute, which is a method that can be used to hide data from an investigator. To get a mapping of attribute type values to names, use the 'fsstat' command. It displays the contents of the $AttrDef system file.
Each attribute has a header and a value, and an attribute is either resident or non-resident. A resident attribute has both the header and the content value stored in the MFT entry. This only works for attributes with a small value (the file name, for example). For larger attributes, the header is stored in the MFT entry and the content value is stored in clusters in the data area. A cluster in NTFS is the same as in FAT: it is a consecutive group of sectors. If a file has too many different attributes, an "Attribute List" is used that stores the other attribute headers in additional MFT entries.
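As an added example (not code from the original essay or from any tool it mentions), the following Python walks the attribute list of one raw MFT entry, reports each attribute's type, id, name and resident state, and lists named $DATA instances so that extra data streams of the kind described above stand out. The header field offsets and type values are the commonly documented NTFS on-disk layout rather than values given in this essay; the function names are hypothetical, the sample entry is constructed, and update-sequence fixups are not applied.

```python
import struct

# Attribute type values; `fsstat` prints the full map from $AttrDef.
TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
         0x40: "$OBJECT_ID", 0x80: "$DATA"}
END = 0xFFFFFFFF  # marker after the last attribute

def parse_attributes(entry):
    """Return (in_use, attributes) for one raw MFT entry (fixups not applied)."""
    if entry[:4] != b"FILE":
        raise ValueError("not an MFT entry")
    first_attr, flags = struct.unpack_from("<HH", entry, 20)
    attrs, off = [], first_attr
    while off + 16 <= len(entry):
        atype, length = struct.unpack_from("<II", entry, off)
        if atype == END:
            break
        if length < 16 or off + length > len(entry):
            raise ValueError("corrupt attribute length")
        # Common header: non-resident flag, name length (UTF-16 chars), name offset, flags, id
        nonres, nlen, noff, _, aid = struct.unpack_from("<BBHHH", entry, off + 8)
        name = entry[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        attrs.append({"type": TYPES.get(atype, hex(atype)), "id": aid,
                      "name": name, "resident": nonres == 0})
        off += length
    return bool(flags & 0x0001), attrs

def named_data_streams(attrs):
    """Names of extra $DATA instances (the default stream is unnamed)."""
    return [a["name"] for a in attrs if a["type"] == "$DATA" and a["name"]]

def make_attr(atype, aid, name="", content=b""):
    """Constructed resident attribute: 24-byte header, then name, then value."""
    raw = name.encode("utf-16-le")
    length = (24 + len(raw) + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, length, 0, len(name), 24, 0, aid,
                      len(content), 24 + len(raw), 0)
    return (hdr + raw + content).ljust(length, b"\0")

def build_sample():
    """Constructed 1024-byte entry with a default and a named $DATA stream."""
    hdr = bytearray(b"FILE".ljust(56, b"\0"))
    struct.pack_into("<HH", hdr, 20, 56, 0x0001)  # first attribute at 56, in use
    body = b"".join([make_attr(0x10, 0, content=bytes(48)),
                     make_attr(0x30, 1, content=bytes(66)),
                     make_attr(0x80, 2, content=b"hello"),
                     make_attr(0x80, 3, name="hidden", content=b"secret")])
    return (bytes(hdr) + body + struct.pack("<I", END)).ljust(1024, b"\0")
```

Calling `parse_attributes(build_sample())` returns the in-use state and four attributes; `named_data_streams` on that list returns only the second $DATA instance's name.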
FILES
Files in NTFS typically have the following attributes:
S.N. | Attribute | Description
1. | $STANDARD_INFORMATION | Contains MAC times, security ID, owner's ID, permissions in DOS format, and quota data.
2. | $FILE_NAME | Contains the file name in UNICODE, as well as additional MAC times, and the MFT entry of the parent directory.
3. | $OBJECT_ID | Identifiers for the file's original Object ID, its birth Volume ID, and Domain ID.
4. | $DATA | The raw content data of the file.
When a file is deleted, the IN_USE flag is cleared from the MFT entry, but the attribute contents