NTFS (New Technology File System)
Tuesday, March 15, 2011
NTFS OVERVIEW
- No official specification (mkfs.ntfs is different from MS's implementation)
- MS has made changes to NTFS with every Windows version
- Everything is a file → the entire FS is data area (except the 1st sector, the boot sector)
- Master File Table (MFT): info about all files and directories
MFT (MASTER FILE TABLE)
MFT OVERVIEW
# fsstat -f ntfs practice1.ntfs.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 6CA8E0B776511162
OEM Name: NTFS
Volume Name: MYNTFS
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 16
First Cluster of MFT Mirror: 32759
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 251
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024
Total Cluster Range: 0 - 65518
Total Sector Range: 0 - 131038
MFT OVERVIEW (cont.)
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)    Size: 48-72      Flags: Resident
$ATTRIBUTE_LIST (32)          Size: No Limit   Flags: Non-resident
$FILE_NAME (48)               Size: 68-578     Flags: Resident, Index
$OBJECT_ID (64)               Size: 0-256      Flags: Resident
$SECURITY_DESCRIPTOR (80)     Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)             Size: 2-256      Flags: Resident
$VOLUME_INFORMATION (112)     Size: 12-12      Flags: Resident
$DATA (128)                   Size: No Limit   Flags:
$INDEX_ROOT (144)             Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)       Size: No Limit   Flags: Non-resident
$BITMAP (176)                 Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)          Size: 0-16384    Flags: Non-resident
$EA_INFORMATION (208)         Size: 8-8        Flags: Resident
$EA (224)                     Size: 0-65536    Flags:
$LOGGED_UTILITY_STREAM (256)  Size: 0-65536    Flags: Non-resident
MFT - MFT ENTRY
MFT ENTRY (FILE RECORD)
Every file and directory has at least 1 entry in the MFT. "MFT entry" is the general term; "file record" is the MS term.
1 entry = 1 KB generally (so far); the entry size is defined in the boot sector.
Each entry = 42-byte header (12 fields) with a defined purpose + attributes.
[MFT Entry] MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Unused Space
MFT ENTRY ADDRESS
[MFT Entry Address] Sequentially addressed (from 0) using a 48-bit value.
Maximum address (changes as the MFT grows) = size of $MFT / size of each entry.
[MFT Entry Sequence #] 16 bits: incremented every time the entry is (re)allocated.
[File Reference Address] Entry sequence # (2 bytes; 16 bits) + entry address (6 bytes; 48 bits) = 8 bytes (64 bits).
Uses of the sequence number: determining when the file system is in a corrupt state (a reference whose sequence number no longer matches the entry it points to), and recovering deleted content.
MFT ENTRY HEADER
[MFT Entry] MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Unused Space

[MFT Entry Header] (byte offsets 0x00-0x29)
0x00-0x03  Signature
0x04-0x05  Offset to Fixup Array
0x06-0x07  # of values in Fixup Array
0x08-0x0F  $LogFile Sequence Number (LSN)
0x10-0x11  Sequence Value
0x12-0x13  Link Count
0x14-0x15  Offset to first Attribute
0x16-0x17  Flags (in-use and directory)
0x18-0x1B  Used Size of MFT Entry
0x1C-0x1F  Allocated Size of MFT Entry
0x20-0x27  File Reference to Base Entry
0x28-0x29  Next Attribute ID
MFT ENTRY HEADER (example: entry 0)
# icat -f ntfs practice1.ntfs.dd 0 | xxd   # 0: $MFT (Entry 0)
0000000: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
0000010: 0100 0100 3800 0100 9801 0000 0004 0000  ....8...........
0000020: 0000 0000 0000 0000 0400 0000 0000 0000  ................
[MFT Entry Header]
MFT ENTRY HEADER (bytes 0x00-0x0F)
00-03 Signature | 04-05 Offset to Fixup Array | 06-07 # of elements in Fixup Array | 08-0F $LogFile Sequence Number (LSN)
- Signature : FILE (standard), BAAD (chkdsk error)
- Offset to Fixup Array : 0x0030 = 48 (byte offset 48)
- Number of Fixup Array Elements : 0x0003 = 3 (3 elements)
- $LogFile Sequence Number (LSN) : 0x0000000000000000 (NTFS log journal file)

# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd   # skip=144 : MFT entry #144 (TrueCrypt.exe)
0000000: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........

[$LogFile] Non-resident $DATA attribute of the $LogFile MFT entry (#2): Restart Area | Logging Area (each record has a logical sequence number (LSN))
FIXUP ARRAY
The last two bytes of each sector (i.e., 0x1FE:0x1FF = 510:511) in large "data structures" (not actual file content) are replaced with a signature value when the data structure is written to disk; the original two bytes of each sector are saved in the fixup array.
The signature is used later to verify the integrity of the data by checking that all sectors end with the same signature (a sector that does not was not written together with the others).
FIXUP ARRAY
04-05 Offset to Fixup Array | 06-07 Number of Elements in Fixup Array

[Original Data Structure]
0000030: 0000 0000 0000 0000 1000 0000 4800 0000
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000   B(510:511)
00003f0: 0000 0000 0000 0000 0000 0000 0000 0000   B(1022:1023)

[Data structure is written 1] the signature (0x029a) is placed in the first element of the fixup array; the original values of bytes 510:511 and 1022:1023 (0000, 0000) are saved in the following elements
0000030: 9a02 0000 0000 0000 1000 0000 4800 0000
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000
00003f0: 0000 0000 0000 0000 0000 0000 0000 0000

[Data structure is written 2 → Data Structure with Fixup] the last two bytes of each sector are replaced with the signature
0000030: 9a02 0000 0000 0000 1000 0000 4800 0000
00001f0: 0000 0000 0000 0000 0000 0000 0000 9a02
00003f0: 0000 0000 0000 0000 0000 0000 0000 9a02
MFT ENTRY HEADER (bytes 0x10-0x1F)
10-11 Sequence Value | 12-13 Link Count | 14-15 Offset to first Attribute | 16-17 Flags (in-use/dir.) | 18-1B Used Size of MFT Entry | 1C-1F Allocated Size of MFT Entry
- Sequence Value : 0x0001 = 1 (this is the first time this entry has been used)
- Link Count : 0x0001 = 1 (it has only one name)
- Offset to first Attribute : 0x0038 = 56 (byte offset 56)
  0000030: 9a02 0000 0000 0000 1000 0000 4800 0000   (at 0x38 the first attribute begins: type 0x10 = $STANDARD_INFORMATION, length 0x48)
- Flags : 0x0001 = 1 (in use)
- Used Size of MFT Entry : 0x000001B0 = 432 bytes
- Allocated Size of MFT Entry : 0x00000400 = 1024 bytes

# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
0000010: 0100 0100 3800 0100 b001 0000 0004 0000  ....8...........
MFT ENTRY HEADER (bytes 0x20-0x29)
20-27 File Reference to Base Record (Entry) | 28-29 Next Attribute ID
- File Reference to Base Record : 0x0000000000000000 = 0 (this is a base entry)
- Next Attribute ID (to be assigned) : 0x0004 = 4 (so this entry so far has 3 attributes (1~3))

# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
0000020: 0000 0000 0000 0000 0400 0000 9000 0000  ................
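The header fields, the fixup array and the file reference address covered in the slides above, as an added Python example that is not part of the original slides. It builds a 1 KB MFT entry from the header bytes shown for entry #144 (the rest of the entry is zero-filled, so no attribute bodies are present), parses the 42-byte / 12-field header, verifies and undoes the fixup array the way a forensic parser must before trusting the entry, and splits a 64-bit file reference into its entry address and sequence number. All function names are my own; the 0x029a signature and the field values are the ones on the slides.

```python
import struct

# Constructed 1024-byte MFT entry modelled on the slides' dump of entry #144
# (practice1.ntfs.dd). Header bytes 0x00-0x35 are the values shown on the
# slides; the remainder is zero-filled, so attribute bodies are not included.
ENTRY_SIZE = 1024
SECTOR_SIZE = 512
FIXUP_SIGNATURE = b"\x9a\x02"   # 0x029a little-endian, as seen at offset 0x30 on the slides

HEADER_HEX = (
    "46494c45" "3000" "0300" "0000000000000000"            # "FILE", fixup offset 0x30, 3 elements, LSN 0
    "0100" "0100" "3800" "0100" "b0010000" "00040000"      # seq 1, links 1, first attr 0x38, flags 1, used 0x1b0, alloc 0x400
    "0000000000000000" "0400" "0000" "90000000"            # base ref 0, next attr ID 4, (0x2c: entry number 0x90 = 144)
    "9a02" "0000" "0000"                                   # fixup array: signature 0x029a, then the two saved sector-end values
)

# 42-byte, 12-field header layout (little-endian), offsets 0x00-0x29.
HEADER = struct.Struct("<4sHHQHHHHIIQH")
HEADER_FIELDS = ("signature", "fixup_offset", "fixup_count", "lsn", "sequence",
                 "link_count", "first_attr_offset", "flags", "used_size",
                 "alloc_size", "base_ref", "next_attr_id")


def build_entry_on_disk():
    """Entry as it sits on disk: header + fixup array, each sector end carrying the signature."""
    raw = bytearray(ENTRY_SIZE)
    hdr = bytes.fromhex(HEADER_HEX)
    raw[:len(hdr)] = hdr
    for s in range(1, ENTRY_SIZE // SECTOR_SIZE + 1):
        raw[s * SECTOR_SIZE - 2:s * SECTOR_SIZE] = FIXUP_SIGNATURE   # bytes 510:511 and 1022:1023
    return bytes(raw)


def parse_header(raw):
    """Decode the 12 header fields plus the two flag bits (0x01 in use, 0x02 directory)."""
    hdr = dict(zip(HEADER_FIELDS, HEADER.unpack_from(raw, 0)))
    hdr["signature"] = hdr["signature"].decode("ascii")   # "FILE", or "BAAD" after a chkdsk error
    hdr["in_use"] = bool(hdr["flags"] & 0x01)
    hdr["is_dir"] = bool(hdr["flags"] & 0x02)
    return hdr


def apply_fixups(raw, sector_size=SECTOR_SIZE):
    """Check that every sector ends with the fixup signature, then restore the saved bytes.

    A mismatch means the sectors were not all written together (torn write) or the
    entry was altered on disk; such an entry must not be trusted as-is.
    """
    hdr = parse_header(raw)
    buf = bytearray(raw)
    off, count = hdr["fixup_offset"], hdr["fixup_count"]
    signature = bytes(buf[off:off + 2])            # element 0 of the array is the signature
    for i in range(1, count):                      # elements 1..count-1 hold the original values
        end = i * sector_size
        if buf[end - 2:end] != signature:
            raise ValueError(f"fixup signature mismatch at sector {i - 1}: torn write or corruption")
        buf[end - 2:end] = buf[off + 2 * i:off + 2 * i + 2]
    return bytes(buf)


def split_file_reference(ref):
    """64-bit file reference -> (48-bit entry address, 16-bit sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def make_file_reference(entry_address, sequence):
    return (sequence << 48) | entry_address


if __name__ == "__main__":
    on_disk = build_entry_on_disk()
    header = parse_header(on_disk)
    for name in HEADER_FIELDS:
        print(f"{name:>18}: {header[name]}")
    clean = apply_fixups(on_disk)
    print("sector ends after fixup:", clean[510:512].hex(), clean[1022:1024].hex())
    print("root directory reference 0x0005000000000005 ->", split_file_reference(0x0005000000000005))
```

A parser that skips apply_fixups reads the signature bytes as if they were data, which for an attribute body spanning the sector boundary silently corrupts two bytes of content; a parser that applies it without the comparison accepts torn or tampered entries.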
MFT - MFT ENTRY - ATTRIBUTE
ATTRIBUTE
The content of an attribute can have "any format" and "any size".
[Resident Attribute] content is stored inside the MFT entry
[Non-Resident Attribute] content is stored in external cluster(s) in the file system
[MFT Entry] MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents → Cluster(n) | Unused Space
ATTRIBUTE HEADER (C)
[MFT Entry] MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Unused Space

["Common" Attribute Header, both for Resident and Non-Resident] (byte offsets 0x00-0x0F)
0x00-0x03  Attribute Type ID
0x04-0x07  Attribute Length
0x08       Non-Resident Flag
0x09       Length of Name
0x0A-0x0B  Offset to Name
0x0C-0x0D  Flags
0x0E-0x0F  Attribute Identifier (distinguishes attributes when an MFT entry has more than one attribute of the same type)
ATTRIBUTE TYPE - Attribute Type ID
A "file" can have up to 65,536 attributes (0x0000:0xFFFF = 0:65535).
More than one MFT entry may be needed to store all the attribute headers (even non-resident attributes need a header in the MFT entry).
The original MFT entry becomes the base MFT entry; the non-base entries store the base entry's address in the File Reference to Base Record field (bytes 0x20-0x27) of their MFT entry header.
ATTRIBUTE TYPE - Sparse Attribute (saves space)
A 12-cluster file whose clusters are F F F F F 0 0 0 F F F F (F = data, 0 = all-zero cluster):
Normal runs:   Run 1  Start: 160  Len: 12
Sparse runs:   Run 1  Start: 160  Len: 5
               Run 2  Start: ---  Len: 3   (sparse run: no clusters allocated, reads as zeros)
               Run 3  Start: 165  Len: 4
ATTRIBUTE TYPE - Compressed Attribute
Only the $DATA attribute should be compressed, and only when it is non-resident (MS).
Detection: the Flags field of the attribute header, and the flags in $STANDARD_INFORMATION and $FILE_NAME.
ATTRIBUTE TYPE - Encrypted Attribute
Only $DATA attributes are encrypted (MS, with DESX); in theory, though, any attribute could be encrypted.
Only the content is encrypted; the attribute header is not.
A $LOGGED_UTILITY_STREAM attribute is created for the file (it contains the keys needed to decrypt the data).
Detection: the Flags field of the attribute header, and a special flag in $STANDARD_INFORMATION.
ENCRYPTION
File Content --Encrypt (DESX) with a random key (FEK)--> Encrypted File Content (stored in the $DATA attribute)
FEK --Encrypt with User1's public key--> User1's Encrypted FEK (stored in the $LOGGED_UTILITY_STREAM attribute)
FEK --Encrypt with User2's public key--> User2's Encrypted FEK (stored in the $LOGGED_UTILITY_STREAM attribute)
DESX : MS crypto algorithm
DECRYPTION
User1's Encrypted Private Key (registry value) --Decrypt with User1's password--> User1's Private Key
User1's Encrypted FEK ($LOGGED_UTILITY_STREAM attribute) --Decrypt with User1's private key--> FEK
Encrypted File Content ($DATA attribute) --Decrypt (DESX) with the FEK--> File Content
$LOGGED_UTILITY_STREAM
A list of data decryption fields (DDF) + a list of data recovery fields (DRF)
DDF - created for every user who has access to the file
- User's Security ID (SID) + encryption information + FEK (the FEK encrypted with the user's public key)
DRF - created for each method of data recovery
- FEK (the FEK encrypted with a data recovery public key that is used by an administrator or other authorized user)
ATTRIBUTE HEADER (R)
[MFT Entry] MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Unused Space

[Resident Attribute Header] (bytes 0x00-0x0F are the common header)
0x10-0x13  Size of Content
0x14-0x15  Offset to Content (from the start of the attribute)
Content follows inside the MFT entry at that offset.
ATTRIBUTE HEADER (NR)
[MFT Entry] MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Unused Space

[Non-Resident Attribute Header] (bytes 0x00-0x0F are the common header)
0x10-0x17  Starting VCN of the runlist
0x18-0x1F  Ending VCN of the runlist
0x20-0x21  Offset to the runlist
0x22-0x23  Compression unit size
0x24-0x27  Unused
0x28-0x2F  Allocated size of attribute content
0x30-0x37  Actual size of attribute content
0x38-0x3F  Initialized size of attribute content
Tuesday, March 15, 2011
ATTRIBUTE TYPE (STD)
Attribute Type ID : bytes 00-03 of the attribute header
Type  Name                   Description
16    $STANDARD_INFORMATION  Flags; the last accessed, written, and created times; and the owner and security ID
32    $ATTRIBUTE_LIST        List where other attributes for the file can be found
48    $FILE_NAME             File name in Unicode, and the last accessed, written, and created times
64    $VOLUME_VERSION        Volume information. Exists only in version 1.2 (Windows NT)
64    $OBJECT_ID             A 16-byte unique identifier for the file or directory. Only in versions 3.0+ (W2K+)
80    $SECURITY_DESCRIPTOR   The access control and security properties of the file
96    $VOLUME_NAME           Volume name
112   $VOLUME_INFORMATION    File system version and other flags
ATTRIBUTE TYPE (STD)
Attribute Type ID : bytes 00-03 of the attribute header
Type  Name                    Description
128   $DATA                   File contents
144   $INDEX_ROOT             Root node of an index tree
160   $INDEX_ALLOCATION       Nodes of an index tree rooted in the $INDEX_ROOT attribute
176   $BITMAP                 A bitmap for the $MFT file and for indexes
192   $SYMBOLIC_LINK          Soft link information. Exists only in version 1.2 (Windows NT)
192   $REPARSE_POINT          Contains data about a reparse point, which is used as a soft link in version 3.0+ (W2K+)
208   $EA_INFORMATION         Used for backward compatibility with OS/2 applications (HPFS)
224   $EA                     Used for backward compatibility with OS/2 applications (HPFS)
256   $LOGGED_UTILITY_STREAM  Contains keys and information about encrypted attributes in version 3.0+ (W2K+)
MFT OVERVIEW AGAIN....
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72     Flags: Resident
$ATTRIBUTE_LIST (32)         Size: No Limit  Flags: Non-resident
$FILE_NAME (48)              Size: 68-578    Flags: Resident,Index
$OBJECT_ID (64)              Size: 0-256     Flags: Resident
$SECURITY_DESCRIPTOR (80)    Size: No Limit  Flags: Non-resident
$VOLUME_NAME (96)            Size: 2-256     Flags: Resident
$VOLUME_INFORMATION (112)    Size: 12-12     Flags: Resident
$DATA (128)                  Size: No Limit  Flags:
$INDEX_ROOT (144)            Size: No Limit  Flags: Resident
$INDEX_ALLOCATION (160)      Size: No Limit  Flags: Non-resident
$BITMAP (176)                Size: No Limit  Flags: Non-resident
$REPARSE_POINT (192)         Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)        Size: 8-8       Flags: Resident
$EA (224)                    Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256) Size: 0-65536   Flags: Non-resident
ATTRIBUTE TYPE (STD-R)
[Attribute Header, bytes 00-0F]
00-03 : Attribute Type ID
04-07 : Attribute Length
08    : Non-Resident Flag
09    : Length of Name
0A-0B : Offset to Name
0C-0D : Flags
0E-0F : Attribute Identifier
Type  Name                   Description
16    $STANDARD_INFORMATION  Flags; the last accessed, written, and created times; and the owner and security ID
48    $FILE_NAME             File name in Unicode, and the last accessed, written, and created times
Nearly every allocated MFT entry, except non-base MFT entries, has $STANDARD_INFORMATION and $FILE_NAME (both always Resident)
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000010: 0100 0100 3800 0100 b001 0000 0004 0000  ....8...........
0000020: 0000 0000 0000 0000 0400 0000 9000 0000  ................
0000030: 9a02 0000 0000 0000 1000 0000 4800 0000  ............H...
.....
→ at 0x38: Type: 0x00000010 = $STD_INFO, ATTR LEN: 0x00000048 = 72
0000080: 3000 0000 7800 0000 0000 1800 0000 0300  0...x...........
.....
→ 0x38 + 0x48 = 0x80: Type: 0x00000030 = $FILE_NAME
ATTRIBUTE TYPE (STD-R)
[Attribute Header, bytes 00-0F]
00-03 : Attribute Type ID
04-07 : Attribute Length
08    : Non-Resident Flag
09    : Length of Name
0A-0B : Offset to Name
0C-0D : Flags
0E-0F : Attribute Identifier
Type  Name                   Description
16    $STANDARD_INFORMATION  Flags; the last accessed, written, and created times; and the owner and security ID
48    $FILE_NAME             File name in Unicode, and the last accessed, written, and created times
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000030: 9a02 0000 0000 0000 1000 0000 4800 0000  ............H...
0000040: 0000 1800 0000 0000 3000 0000 1800 0000  ........0.......
→ Non-Resident Flag: 0, Length of Name: 0, Offset to Name: 0x0018, Flags: 0, Attribute Identifier: 0
0000050: 0007 b206 cb95 c901 00d4 ae71 6693 c901  ...........qf...
0000060: 0007 b206 cb95 c901 00ca 5522 7294 c901  ..........U"r...
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
.....
ATTRIBUTE TYPE (STD-R)
[Resident Attribute Header, bytes 10-15]
10-13 : Size of Content
14-15 : Offset to Content
Type  Name                   Description
16    $STANDARD_INFORMATION  Flags; the last accessed, written, and created times; and the owner and security ID
48    $FILE_NAME             File name in Unicode, and the last accessed, written, and created times
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000030: 9a02 0000 0000 0000 1000 0000 4800 0000  ............H...
0000040: 0000 1800 0000 0000 3000 0000 1800 0000  ........0.......
→ Size of Content: 0x00000030 = 48 bytes, Offset to Content: 0x0018 = 24 → content begins at 0x38 + 0x18 = 0x50
0000050: 0007 b206 cb95 c901 00d4 ae71 6693 c901  ...........qf...
.....
$STD_INFO
00-07 : C-TIME
08-0F : M-TIME (File)
10-17 : M-TIME (MFT)
18-1F : A-TIME (File)
20-23 : FLAGS
24-27 : MAX # of Ver.
28-2B : Version #
2C-2F : CLASS ID
30-33 : OWNER ID (3.0+)
34-37 : SECURITY ID (3.0+)
38-3F : Quota Charged (3.0+)
40-47 : Update Seq. # (USN, 3.0+)
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000050: 0007 b206 cb95 c901 00d4 ae71 6693 c901  ...........qf...
0000060: 0007 b206 cb95 c901 00ca 5522 7294 c901  ..........U"r...
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
.....
$STD_INFO
00-07 : C-TIME
08-0F : M-TIME (File)
10-17 : M-TIME (MFT)
18-1F : A-TIME (File)
[Windows Time] C-TIME bytes 0007 b206 cb95 c901 (little-endian) = 0x01c995cb06b20700 : number of one-hundred-nanosecond intervals since January 1, 1601 UTC
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000050: 0007 b206 cb95 c901 00d4 ae71 6693 c901  ...........qf...
0000060: 0007 b206 cb95 c901 00ca 5522 7294 c901  ..........U"r...
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
.....
$STD_INFO
20-23 : FLAGS
24-27 : MAX # of Ver.
28-2B : Version #
2C-2F : CLASS ID
[FLAGS example] 0x0002 : Hidden + 0x0004 : System + 0x0020 : Archive = 0x0026
# istat -f ntfs practice1.ntfs.dd 5   (Root Directory example)
.....
$STANDARD_INFORMATION Attribute Values:
Flags: Hidden, System, Archive
.....
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 48
.....
# icat -f ntfs practice1.ntfs.dd 5-16-0 | xxd
0000000: 0087 056b 6294 c901 00ea ed4b be9d c901  ...kb......K....
0000010: 00ea ed4b be9d c901 80da e84e be9d c901  ...K.......N....
0000020: 2600 0000 0000 0000 0000 0000 0000 0000  &...............
$STD_INFO
[FLAGS]
0x0001 : Read Only
0x0002 : Hidden
0x0004 : System
0x0020 : Archive
0x0040 : Device
0x0080 : #Normal
0x0100 : Temporary
0x0200 : Sparse file
0x0400 : Reparse point
0x0800 : Compressed
0x1000 : Offline
0x2000 : Not Indexed
0x4000 : Encrypted
20-23 : FLAGS
24-27 : MAX # of Ver.
28-2B : Version #
2C-2F : CLASS ID
30-33 : OWNER ID (3.0+)
34-37 : SECURITY ID (3.0+)
38-3F : Quota Charged (3.0+)
40-47 : Update Seq. # (USN, 3.0+)
$FILE_NAME
00-07 : File reference of parent directory
08-0F : File creation time
10-17 : File modification time
18-1F : MFT modification time
20-27 : File access time
28-2F : Allocated size of file
30-37 : Real size of file
38-3B : Flags
3C-3F : Reparse value
40    : Length of name (#)
41    : Namespace (%)
42~   : Name
$FILE_NAME
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000080: 3000 0000 7800 0000 0000 1800 0000 0300  0...x...........
0000090: 5c00 0000 1800 0100 8a00 0000 0000 0100  \...............
00000a0: 0007 b206 cb95 c901 0007 b206 cb95 c901  ................
00000b0: 0007 b206 cb95 c901 0007 b206 cb95 c901  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0d00 5400 7200 7500  ..........T.r.u.
00000e0: 6500 4300 7200 7900 7000 7400 2e00 6500  e.C.r.y.p.t...e.
00000f0: 7800 6500 0000 0200 5000 0000 6800 0000  x.e.....P...h...
.....
[Resident Attribute Header]
00-0F : (common attribute header)
10-13 : Size of Content
14-15 : Offset to Content
      : Content (starts at Offset to Content)
$FILE_NAME
00-07 : File reference of parent directory
08-0F : File creation time
10-17 : File modification time
18-1F : MFT modification time
File reference 8a00 0000 0000 0100 = 0x0001 + 0x00000000008a : upper two bytes are the sequence number (1), lower six bytes are the MFT entry (138)
# istat -f ntfs practice1.ntfs.dd 138 → Flags: Directory, Name: TrueCrypt
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000080: 3000 0000 7800 0000 0000 1800 0000 0300  0...x...........
0000090: 5c00 0000 1800 0100 8a00 0000 0000 0100  \...............
00000a0: 0007 b206 cb95 c901 0007 b206 cb95 c901  ................
00000b0: 0007 b206 cb95 c901 0007 b206 cb95 c901  ................
.....
$FILE_NAME
20-27 : File access time
28-2F : Allocated size of file
30-37 : Real size of file
38-3B : Flags
3C-3F : Reparse value
Many files have these sizes set to 0, but they are accurate when this attribute is used in a directory index.
Flags : same as Flags in $STANDARD_INFORMATION
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
00000b0: 0007 b206 cb95 c901 0007 b206 cb95 c901  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0d00 5400 7200 7500  ..........T.r.u.
00000e0: 6500 4300 7200 7900 7000 7400 2e00 6500  e.C.r.y.p.t...e.
00000f0: 7800 6500 0000 0200 5000 0000 6800 0000  x.e.....P...h...
.....
$FILE_NAME
20-27 : File access time
28-2F : Allocated size of file
30-37 : Real size of file
38-3B : Flags
3C-3F : Reparse value
Many files have these sizes set to 0, but they are accurate when this attribute is used in a directory index.
Flags : same as Flags in $STANDARD_INFORMATION
Flags : 0x10000006 (0x10000000 : Directory; 0x02 + 0x04 : Hidden, System)
# icat -f ntfs practice1.ntfs.dd 5-48-1 | xxd
0000000: 0500 0000 0000 0500 0087 056b 6294 c901  ...........kb...
0000010: 0087 056b 6294 c901 0087 056b 6294 c901  ...kb......kb...
0000020: 0087 056b 6294 c901 0000 0000 0000 0000  ...kb...........
0000030: 0000 0000 0000 0000 0600 0010 0000 0000  ................
0000040: 0103 2e00                                ....
$FILE_NAME
0x0d : Length of name : 13 (TrueCrypt.exe) → 26 bytes (UTF16 Unicode)
[Namespace]
0 : POSIX (The name is case sensitive and allows all Unicode characters except for '/' and NULL.)
1 : Win32 (The name is case insensitive and allows most Unicode characters except for special values such as '/', '\', ':', '>', '<', and '?'.)
2 : DOS (The name is case insensitive, upper case, and no special characters. The name must have eight or fewer characters in the name and three or less in the extension.)
3 : Win32 & DOS (Used when the original name already fits in the DOS namespace and two names are not needed.)
Offset 0x40 (#) : Length of name
Offset 0x41 (%) : Namespace
Offset 0x42~ : Name
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
00000b0: 0007 b206 cb95 c901 0007 b206 cb95 c901 ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000d0: 0000 0000 0000 0000 0d00 5400 7200 7500 ..........T.r.u.
00000e0: 6500 4300 7200 7900 7000 7400 2e00 6500 e.C.r.y.p.t...e.
00000f0: 7800 6500 0000 0200 5000 0000 6800 0000 x.e.....P...h...
.....
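Added example (not code from the slides or from The Sleuth Kit): a Python parser for the $FILE_NAME content laid out above. It decodes the 68 bytes that the slide's `icat ... 5-48-1` dump shows for the root directory (parent reference, the four timestamps, sizes, flags, name length, namespace and the UTF-16 name) and converts the NTFS FILETIME values to UTC. `build_file_name` is a constructed helper for making fixtures such as the TrueCrypt.exe name; function and field names are mine.

```python
import struct
from datetime import datetime, timedelta, timezone

FILE_NAME_FIXED = struct.Struct("<QQQQQQQIIBB")   # the 66 fixed bytes before the name
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Namespace values as listed on the slide
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32 & DOS"}

# Flag bits (the slide says they are the same as in $STANDARD_INFORMATION);
# 0x10000000 marks a directory and is the value seen on the root entry below.
FLAG_NAMES = {0x0001: "read-only", 0x0002: "hidden", 0x0004: "system",
              0x0020: "archive", 0x0800: "compressed", 0x4000: "encrypted",
              0x10000000: "directory"}

# $FILE_NAME content of MFT entry 5 (the root directory, name ".") copied from
# the slide's "icat -f ntfs practice1.ntfs.dd 5-48-1 | xxd" output.
ROOT_DIR_FILE_NAME = bytes.fromhex(
    "05000000000005000087056b6294c901"
    "0087056b6294c9010087056b6294c901"
    "0087056b6294c9010000000000000000"
    "00000000000000000600001000000000"
    "01032e00"
)


def filetime_to_datetime(ft):
    """NTFS times are 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_file_name(content):
    """Parse the content of a $FILE_NAME attribute (type 48) into a dict."""
    if len(content) < FILE_NAME_FIXED.size:
        raise ValueError("truncated $FILE_NAME content")
    (parent_ref, ctime, mtime, mft_mtime, atime, alloc, actual,
     flags, reparse, name_len, namespace) = FILE_NAME_FIXED.unpack_from(content, 0)
    name_bytes = content[FILE_NAME_FIXED.size:FILE_NAME_FIXED.size + 2 * name_len]
    if len(name_bytes) != 2 * name_len:
        raise ValueError("name length %d runs past the attribute content" % name_len)
    return {
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits: MFT entry number
        "parent_seq": parent_ref >> 48,                # high 16 bits: sequence number
        "created": filetime_to_datetime(ctime),
        "modified": filetime_to_datetime(mtime),
        "mft_modified": filetime_to_datetime(mft_mtime),
        "accessed": filetime_to_datetime(atime),
        "allocated_size": alloc,
        "actual_size": actual,
        "flags": flags,
        "flag_names": [n for bit, n in FLAG_NAMES.items() if flags & bit],
        "reparse_value": reparse,
        "name_length": name_len,
        "namespace": NAMESPACES.get(namespace, "unknown(%d)" % namespace),
        "name": name_bytes.decode("utf-16-le"),
    }


def build_file_name(parent_entry, parent_seq, name, namespace, flags, filetime=0):
    """Constructed $FILE_NAME content for fixtures (not from the slide); same layout as above."""
    encoded = name.encode("utf-16-le")
    parent_ref = (parent_seq << 48) | parent_entry
    return FILE_NAME_FIXED.pack(parent_ref, filetime, filetime, filetime, filetime,
                                0, 0, flags, 0, len(encoded) // 2, namespace) + encoded


if __name__ == "__main__":
    for key, value in parse_file_name(ROOT_DIR_FILE_NAME).items():
        print("%-15s %s" % (key, value))
```

The root entry decodes to parent 5 (sequence 5, i.e. the root is its own parent), flags 0x10000006 (hidden, system, directory), a one-character name "." in the Win32 & DOS namespace, and a creation time of 2009-02-21 20:24:38 UTC, two days before the Eddy.ini timestamps shown later in the deck.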
ATTRIBUTE TYPE (STD-NR)
Attribute Type ID
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Type Name Description
128 $DATA File contents
Every "file" has a $DATA attribute
Non-Resident (if content size > 700 bytes)
ADS (Alternate Data Streams): more than one $DATA attribute
Additional $DATA attributes must have an attribute name
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000160: 8000 0000 4800 0000 0100 4000 0000 0200 ....H.....@.....
0000170: 0000 0000 0000 0000 2905 0000 0000 0000 ........).......
0000180: 4000 0000 0000 0000 00a8 1400 0000 0000 @...............
0000190: c0a6 1400 0000 0000 c0a6 1400 0000 0000 ................
00001a0: 322a 0577 a800 0000 ffff ffff 0000 0000 2*.w............
Common 16-byte attribute header at 0x160:
0x160-0x163 : Attribute Type = 0x00000080 = 128 ($DATA)
0x164-0x167 : Attribute Length = 0x48
0x168 : Non Resident Flag = 0x01
0x169 : Length of Name = 0
0x16a-0x16b : Offset to Name = 0x40
0x16c-0x16d : Flags = 0
0x16e-0x16f : Attribute Identifier = 2
ATTRIBUTE TYPE (STD-NR)
Non-resident attribute header, byte offsets within the attribute:
0x10-0x17 : Starting VCN of the runlist
0x18-0x1F : Ending VCN of the runlist
0x20-0x21 : Offset to the runlist
0x22-0x23 : Compression unit size
0x24-0x27 : Unused
0x28-0x2F : Allocated size of attribute content
0x30-0x37 : Actual size of attribute content
0x38-0x3F : Initialized size of attribute content
Type Name Description
128 $DATA File contents
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000160: 8000 0000 4800 0000 0100 4000 0000 0200 ....H.....@.....
.....
NR-ATTR CLUSTER RUNS
[Non-Resident Attribute] Content is stored in external clusters of the file system
[Cluster Runs]
MFT Entry Header | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents | Attribute Header | Attribute Contents → Cluster(n) | Unused Space
Run 1 : Start:48 (LCN) Len:5 → LCN 48 49 50 51 52 = VCN 0 1 2 3 4
Run 2 : Start:80 (LCN) Len:2 → LCN 80 81 = VCN 5 6
Run 3 : Start:56 (LCN) Len:4 → LCN 56 57 58 59 = VCN 7 8 9 10
LCN : Logical Cluster # = Logical File System Address
VCN : Virtual Cluster # = Logical File Address
NR-ATTR CLUSTER RUNS
Run header byte, e.g. 0010 0001 (0x21), followed by Byte2 Byte3 Byte4:
low nibble 0001 → 1 byte for Run length (Byte2)
high nibble 0010 → 2 bytes for Run Offset (Byte3 Byte4)
NR-ATTR CLUSTER RUNS
31 38 73 25 34 32 14 01 E5 11 02 31 42 AA 00 03 00
Run 1: Header = 0x31 - 1 byte length, 3 bytes offset
  Length = 0x38 (1 byte)
  Offset = 0x342573 (3 bytes)
31 38 73 25 34 - 32 14 01 E5 11 02 31 42 AA 00 03 00
Run 2: Header = 0x32 - 2 bytes length, 3 bytes offset
  Length = 0x114
  Offset = 0x363758 (0x211E5 relative to 0x342573)
31 38 73 25 34 - 32 14 01 E5 11 02 - 31 42 AA 00 03 00
Run 3: Header = 0x31 - 1 byte length, 3 bytes offset
  Length = 0x42
  Offset = 0x393802 (0x300AA relative to 0x363758)
31 38 73 25 34 - 32 14 01 E5 11 02 - 31 42 AA 00 03 - 00
Run 4: Header = 0x00 - the end
Summary:
  0x38 Clusters @ LCN 0x342573
  0x114 Clusters @ LCN 0x363758
  0x42 Clusters @ LCN 0x393802
Therefore, Data2 is a fragmented file, of size 0x18E clusters, with data blocks at LCNs 0x342573, 0x363758 and 0x393802.
ATTRIBUTE TYPE (STD-NR)
0x10-0x17 : Starting VCN of the runlist
0x18-0x1F : Ending VCN of the runlist
VCN : 0x00~0x529 (1322 clusters)
# istat -f ntfs practice1.ntfs.dd 144
.....
Type: $DATA (128-2) Name: N/A Non-Resident size: 1353408 init_size: 1353408
43127(VCN 0) 43128 43129 43130 43131 43132 43133 43134
.....
44447 44448 (VCN 1321)
Type Name Description
128 $DATA File contents
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000170: 0000 0000 0000 0000 2905 0000 0000 0000 ........).......
.....
ATTRIBUTE TYPE (STD-NR)
0x20-0x21 : Offset to the runlist : 0x0040 = 64
0x22-0x23 : Compression unit size : 0 = Not Compressed
0x24-0x27 : Unused
0x28-0x2F : Allocated size of attribute content : 0x14a800 = 1353728 bytes (1322*1024)
# istat -f ntfs practice1.ntfs.dd 144
Type: $DATA (128-2) Name: N/A Non-Resident size: 1353408 (+ 320 bytes of slack = 1353728 allocated)
Type Name Description
128 $DATA File contents
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000180: 4000 0000 0000 0000 00a8 1400 0000 0000 @...............
.....
ATTRIBUTE TYPE (STD-NR)
Offset to the runlist : 0x0040 = 64
00001a0: 322a 0577 a800 0000
32 : [high nibble 0x3 = 3 bytes for the 1st cluster offset] [low nibble 0x2 = 2 bytes for the length of run]
2a05 : length of run = 0x52a = 1322 clusters = 1353728 bytes
77a800 : first cluster of the file (0xa877) = 43127
0x20-0x21 : Offset to the runlist
0x22-0x23 : Compression unit size
0x24-0x27 : Unused
0x28-0x2F : Allocated size of attribute content
Type Name Description
128 $DATA File contents
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000180: 4000 0000 0000 0000 00a8 1400 0000 0000 @...............
.....
ATTRIBUTE TYPE (STD-NR)
0x30-0x37 : Actual size of attribute content : 0x14a6c0 = 1353408
0x38-0x3F : Initialized size of attribute content : 0x14a6c0 = 1353408
# istat -f ntfs practice1.ntfs.dd 144
.....
Type: $DATA (128-2) Name: N/A Non-Resident size: 1353408 init_size: 1353408
.....
Type Name Description
128 $DATA File contents
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=144 count=1 | xxd
.....
0000190: c0a6 1400 0000 0000 c0a6 1400 0000 0000 ................
.....
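Added example (not code from the slides or from The Sleuth Kit): a Python parser for the non-resident attribute header and the runlist walked through in the last few slides. It decodes the 72-byte $DATA header of entry 144 (bytes 0x160-0x1a7 of the xxd output) and the Data2 runlist exactly as the slides do, and it also covers the two cases the slides do not show: a run whose offset is a negative delta (the signed offset lets a later fragment sit before an earlier one) and a sparse run whose offset size is 0; the third runlist is constructed for that purpose. Function and field names are mine.

```python
import struct

ATTR_HEADER = struct.Struct("<IIBBHHH")      # type, length, non-resident flag, name len, name off, flags, id
NONRES_FIELDS = struct.Struct("<QQHHIQQQ")   # bytes 0x10-0x3F: VCNs, runlist offset, comp. unit, pad, 3 sizes

# Bytes 0x160-0x1a7 of MFT entry 144 from the slide's xxd output (its $DATA attribute).
ENTRY144_DATA_ATTR = bytes.fromhex(
    "80000000480000000100400000000200"
    "00000000000000002905000000000000"
    "400000000000000000a8140000000000"
    "c0a6140000000000c0a6140000000000"
    "322a0577a8000000"
)
# The fragmented "Data2" runlist worked through on the slide.
DATA2_RUNLIST = bytes.fromhex("3138732534321401e511023142aa000300")
# Constructed runlist (not from the slide): second run 16 clusters *before* the first, then a sparse run.
CONSTRUCTED_RUNLIST = bytes.fromhex("210420001102f0010300")


def decode_runlist(data, offset=0):
    """Decode an NTFS runlist starting at data[offset] into [(vcn, lcn, length), ...].

    Header byte: low nibble = number of length bytes, high nibble = number of offset
    bytes.  The offset is a signed delta from the previous run's LCN; an offset size
    of 0 is a sparse run (lcn None).  A 0x00 header ends the list.
    """
    runs, vcn, lcn, pos = [], 0, 0, offset
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0:
            return runs
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or len_size > 8 or off_size > 8 or pos + len_size + off_size > len(data):
            raise ValueError("malformed run header 0x%02x at byte %d" % (header, pos - 1))
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, None, length))           # sparse: no clusters on disk
        else:
            lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, lcn, length))
        vcn += length
    raise ValueError("runlist has no 0x00 terminator")


def parse_nonresident_attr(attr):
    """Parse a non-resident attribute header and its runlist, checking that they agree."""
    atype, alen, nonres, name_len, name_off, flags, attr_id = ATTR_HEADER.unpack_from(attr, 0)
    if nonres != 1:
        raise ValueError("attribute is resident; no runlist to decode")
    if alen < 0x40 or alen > len(attr):
        raise ValueError("attribute length 0x%x out of range" % alen)
    attr = attr[:alen]
    start_vcn, end_vcn, run_off, comp_unit, _unused, alloc, actual, init = NONRES_FIELDS.unpack_from(attr, 0x10)
    name = attr[name_off:name_off + 2 * name_len].decode("utf-16-le") if name_len else ""
    runs = decode_runlist(attr, run_off)
    if sum(r[2] for r in runs) != end_vcn - start_vcn + 1:
        raise ValueError("runlist does not cover VCN %d..%d" % (start_vcn, end_vcn))
    if init > actual:
        raise ValueError("initialized size exceeds actual size")
    return {"type": atype, "length": alen, "id": attr_id, "name": name, "flags": flags,
            "start_vcn": start_vcn, "end_vcn": end_vcn, "runlist_offset": run_off,
            "compression_unit": comp_unit, "allocated_size": alloc, "actual_size": actual,
            "initialized_size": init, "slack_bytes": max(alloc - actual, 0), "runs": runs}


def lcn_list(runs):
    """Expand runs into the per-VCN cluster list that istat prints (None for sparse VCNs)."""
    out = []
    for _vcn, lcn, length in runs:
        out.extend([None] * length if lcn is None else range(lcn, lcn + length))
    return out


if __name__ == "__main__":
    info = parse_nonresident_attr(ENTRY144_DATA_ATTR)
    print("entry 144 $DATA: VCN %d..%d, runs %s, slack %d bytes"
          % (info["start_vcn"], info["end_vcn"], info["runs"], info["slack_bytes"]))
    print("Data2 runs:", [(hex(l), n) for _v, l, n in decode_runlist(DATA2_RUNLIST)])
```

The consistency check (run lengths must sum to ending VCN minus starting VCN plus one) is the cheap sanity test a carving or triage tool should apply before trusting a runlist from an unallocated or damaged entry; the 320-byte difference between allocated and actual size for entry 144 is the slack the istat annotation on the earlier slide refers to.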
$DATA
Raw content of a file
700 bytes : the boundary between Resident (stored inside the MFT entry) and Non-Resident (stored in clusters)
The last attribute in the MFT entry (most files)
Directories can have $DATA attributes in addition to their index attributes
$DATA - RESIDENT
# istat -f ntfs practice1.ntfs.dd 119
.....
$FILE_NAME Attribute Values:
Flags:
Name: Eddy.ini
Parent MFT Entry: 117 Sequence: 1
Allocated Size: 0 Actual Size: 0
Created: Mon Feb 23 10:15:16 2009
File Modified: Mon Feb 23 10:15:16 2009
MFT Modified: Mon Feb 23 10:15:16 2009
Accessed: Mon Feb 23 10:15:16 2009

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $FILE_NAME (48-3) Name: N/A Resident size: 82
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $DATA (128-2) Name: N/A Resident size: 314
$DATA - RESIDENT
0000000: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
0000010: 0100 0100 3800 0100 b802 0000 0004 0000 ....8...........
0000020: 0000 0000 0000 0000 0400 0000 7700 0000 ............w...
0000030: 0600 6f6e 0000 0000 1000 0000 4800 0000 ..on........H...
0000040: 0000 1800 0000 0000 3000 0000 1800 0000 ........0.......
0000050: 009a 0888 c995 c901 80a7 e4bf 9a1e c901 ................
0000060: 009a 0888 c995 c901 8096 53e7 7194 c901 ..........S.q...
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 3000 0000 7000 0000 0000 1800 0000 0300 0...p...........
0000090: 5200 0000 1800 0100 7500 0000 0000 0100 R.......u.......
00000a0: 009a 0888 c995 c901 009a 0888 c995 c901 ................
00000b0: 009a 0888 c995 c901 009a 0888 c995 c901 ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000d0: 0000 0000 0000 0000 0800 4500 6400 6400 ..........E.d.d.
00000e0: 7900 2e00 6900 6e00 6900 0000 1800 0000 y...i.n.i.......
00000f0: 5000 0000 6800 0000 0000 1800 0000 0100 P...h...........
0000100: 5000 0000 1800 0000 0100 0480 1400 0000 P...............
0000110: 2400 0000 0000 0000 3400 0000 0102 0000 $.......4.......
0000120: 0000 0005 2000 0000 2002 0000 0102 0000 .... ... .......
0000130: 0000 0005 2000 0000 2002 0000 0200 1c00 .... ... .......
0000140: 0100 0000 0003 1400 ff01 1f00 0101 0000 ................
0000150: 0000 0001 0000 0000 8000 0000 5801 0000 ← Attribute Length : 0x158 = 344 bytes
0000160: 0000 1800 0000 0200 3a01 0000 1800 0000 ← Offset to Contents : 1800 = 0x18
0000170: 5b4d 4149 4e5d 0d0a 446f 6375 6d65 6e74 [MAIN]..Document
.....
00002a0: 494e 5445 524e 414c 0d0a 0000 0000 0000 INTERNAL........ ← 0x158-0x18-0x6 = 314 bytes
00002b0: ffff ffff 0000 0000 0000 0000 0000 0000 ................
$DATA-ADS
Alternate Data Streams
Each has its own (attribute) name
Different Attribute Identifier (e.g. 128-6, 128-7)
$DATA - ADS
C:> echo "Hello ADS!!!!" > ADSFile.txt:foo
# fls -f ntfs /dev/sda2
.....
r/r 634-128-6: ADSFile.txt
r/r 634-128-7: ADSFile.txt:foo
.....
# istat -f ntfs /dev/sda2 634
.....
Type: $DATA (128-6) Name: N/A Non-Resident size: 8627 init_size: 8627
80 81 82
Type: $DATA (128-7) Name: foo Resident size: 18
$DATA - ADS
# icat -f ntfs /dev/sda2 0 | dd bs=1024 skip=634 count=1 | xxd
0000000: 4649 4c45 3000 0300 c86c 9b00 0000 0000 FILE0....l......
0000010: 0100 0100 3800 0100 b801 0000 0004 0000 ....8...........
0000020: 0000 0000 0000 0000 0800 0000 7a02 0000 ............z...
0000030: 0500 0000 0000 0000 1000 0000 6000 0000 ............`...
0000040: 0000 0000 0000 0000 4800 0000 1800 0000 ........H.......
0000050: d543 eab1 95d3 cb01 6191 3eea 95d3 cb01 .C......a.>.....
0000060: 6191 3eea 95d3 cb01 d543 eab1 95d3 cb01 a.>......C......
0000070: 2000 0000 0000 0000 0000 0000 0000 0000  ...............
0000080: 0000 0000 b002 0000 0000 0000 0000 0000 ................
0000090: 0000 0000 0000 0000 3000 0000 7000 0000 ........0...p...
00000a0: 0000 0000 0000 0400 5800 0000 1800 0100 ........X.......
00000b0: 0500 0000 0000 0500 d543 eab1 95d3 cb01 .........C......
00000c0: d543 eab1 95d3 cb01 d543 eab1 95d3 cb01 .C.......C......
00000d0: d543 eab1 95d3 cb01 0000 0000 0000 0000 .C..............
00000e0: 0000 0000 0000 0000 2000 0000 0000 0000 ........ .......
00000f0: 0b03 4100 4400 5300 4600 6900 6c00 6500 ..A.D.S.F.i.l.e.
0000100: 2e00 7400 7800 7400 4000 0000 2800 0000 ..t.x.t.@...(...
0000110: 0000 0000 0000 0500 1000 0000 1800 0000 ................
0000120: 4fd7 2419 7f3f e011 b0d1 0021 7008 9374 O.$..?.....!p..t
0000130: 8000 0000 4800 0000 0100 0000 0000 0600 ....H...........
0000140: 0000 0000 0000 0000 0200 0000 0000 0000 ................
0000150: 4000 0000 0000 0000 0030 0000 0000 0000 @........0......
0000160: b321 0000 0000 0000 b321 0000 0000 0000 .!.......!......
0000170: 1103 5000 30e9 31bd 8000 0000 3800 0000 ..P.0.1.....8...
0000180: 0003 1800 0000 0700 1200 0000 2000 0000 ← Length of Name, Offset to (Name, Content)
0000190: 6600 6f00 6f00 0000 2248 656c 6c6f 2041 f.o.o..."Hello A
00001a0: 4453 2121 2121 2220 0d0a 0000 1800 0000 DS!!!!" ........
00001b0: ffff ffff 8279 4711 0000 0000 0000 0000 .....yG.........
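Added example (not code from the slides or from The Sleuth Kit): walking the attributes of an MFT record in Python to list every $DATA stream, flag the named ones (the ADS that no directory listing shows) and pull resident content straight out of the record. It uses the slide's dump of entry 634; the bytes beyond 0x1c0 are not on the slide, so the record is padded to 1 KB with the update sequence number placed at the end of each sector (labelled as constructed in the code) so that the fixup step has something to verify. Function and field names are mine.

```python
import struct

MFT_RECORD_SIZE = 1024   # "Size of MFT Entries: 1024 bytes" in the fsstat output
SECTOR_SIZE = 512
ATTR_HEADER = struct.Struct("<IIBBHHH")   # type, length, non-resident flag, name len, name off, flags, id
END_MARKER = 0xFFFFFFFF

# Bytes 0x000-0x1bf of MFT entry 634 (ADSFile.txt) as printed by xxd on the slide.
ENTRY634_PREFIX = bytes.fromhex(
    "46494c4530000300c86c9b00000000000100010038000100b801000000040000"
    "0000000000000000080000007a02000005000000000000001000000060000000"
    "00000000000000004800000018000000d543eab195d3cb0161913eea95d3cb01"
    "61913eea95d3cb01d543eab195d3cb0120000000000000000000000000000000"
    "00000000b0020000000000000000000000000000000000003000000070000000"
    "000000000000040058000000180001000500000000000500d543eab195d3cb01"
    "d543eab195d3cb01d543eab195d3cb01d543eab195d3cb010000000000000000"
    "000000000000000020000000000000000b03410044005300460069006c006500"
    "2e00740078007400400000002800000000000000000005001000000018000000"
    "4fd724197f3fe011b0d100217008937480000000480000000100000000000600"
    "0000000000000000020000000000000040000000000000000030000000000000"
    "b321000000000000b3210000000000001103500030e931bd8000000038000000"
    "0003180000000700120000002000000066006f006f0000002248656c6c6f2041"
    "44532121212122200d0a000018000000ffffffff827947110000000000000000"
)


def constructed_on_disk_record():
    """Constructed (not on the slide): pad the 448 dumped bytes to the 1 KB on-disk record.

    The rest of the record is zero, and the last two bytes of each 512-byte sector
    carry the update sequence number (0x0005, taken from offset 0x30 of the dump),
    exactly what apply_fixups has to verify and undo.
    """
    buf = bytearray(ENTRY634_PREFIX) + bytearray(MFT_RECORD_SIZE - len(ENTRY634_PREFIX))
    usn = bytes(buf[0x30:0x32])
    for sector in range(1, MFT_RECORD_SIZE // SECTOR_SIZE + 1):
        buf[sector * SECTOR_SIZE - 2:sector * SECTOR_SIZE] = usn
    return bytes(buf)


def apply_fixups(record):
    """Check the USN at the end of every sector and put the original two bytes back."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record (missing FILE signature)")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    buf = bytearray(record)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn write or not a record" % (i - 1))
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def walk_attributes(record):
    """One dict per attribute of a fixed-up record, in on-disk order, up to the 0xFFFFFFFF marker."""
    first_attr = struct.unpack_from("<H", record, 0x14)[0]
    used = struct.unpack_from("<I", record, 0x18)[0]
    if used > len(record):
        raise ValueError("used size exceeds the record")
    attrs, pos = [], first_attr
    while pos + 4 <= used:
        if struct.unpack_from("<I", record, pos)[0] == END_MARKER:
            break
        if pos + ATTR_HEADER.size > used:
            raise ValueError("truncated attribute header at 0x%x" % pos)
        atype, alen, nonres, name_len, name_off, flags, attr_id = ATTR_HEADER.unpack_from(record, pos)
        if alen < ATTR_HEADER.size or pos + alen > used or (nonres and alen < 0x40):
            raise ValueError("bad attribute length at 0x%x" % pos)
        attr = record[pos:pos + alen]
        name = attr[name_off:name_off + 2 * name_len].decode("utf-16-le") if name_len else ""
        info = {"offset": pos, "type": atype, "id": attr_id, "name": name, "resident": nonres == 0}
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", attr, 0x10)   # content length and offset
            info["size"] = clen
            info["content"] = attr[coff:coff + clen]
        else:
            info["size"] = struct.unpack_from("<Q", attr, 0x30)[0]   # actual size; data is in the runlist
        attrs.append(info)
        pos += alen
    return attrs


def data_streams(record):
    """All $DATA attributes (type 128) of the record."""
    return [a for a in walk_attributes(record) if a["type"] == 0x80]


def alternate_data_streams(record):
    """Named $DATA attributes: the streams a plain directory listing never shows."""
    return [a for a in data_streams(record) if a["name"]]


if __name__ == "__main__":
    fixed = apply_fixups(constructed_on_disk_record())
    for s in data_streams(fixed):
        print("$DATA 128-%d name=%r resident=%s size=%d" % (s["id"], s["name"], s["resident"], s["size"]))
```

Running it reports stream 128-6 (unnamed, non-resident, 8627 bytes) and 128-7 (named foo, resident, 18 bytes) with the literal "Hello ADS!!!!" text, matching the fls and istat output above. The fixup step matters more than this record suggests: in the Eddy.ini record on the earlier slide the update sequence array at offset 0x30 holds 6f6e ("on"), the two bytes of INI text that the USN displaced at offset 0x1fe, so a parser that skips the step returns a corrupted resident $DATA stream there.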
$ATTRIBUTE_LIST
Exists in the MFT entry; type identifier : 32 (0x20)
Used by files whose attribute headers do not fit into one MFT entry
$ATTRIBUTE_LIST
The base MFT entry has the $ATTRIBUTE_LIST: a list of all of the file's attributes, except itself
Non-base entries do not have $FILE_NAME or $STANDARD_INFORMATION
Example (entry 37 is the base entry):
37 : $STD_INFO (ID:0), $ATTRIBUTE_LIST (ID:4) containing
     TYPE:16  ID:0 ENTRY:37
     TYPE:48  ID:2 ENTRY:48
     TYPE:128 ID:3 ENTRY:48
     TYPE:128 ID:3 ENTRY:49
     TYPE:128 ID:5 ENTRY:50
48 : $File_Name (ID:2), $DATA (ID:3 Offset:0)
49 : $DATA (ID:3 Offset:284,201,984)
50 : $DATA (ID:5 Offset:0)
$ATTRIBUTE_LIST
# istat -f ntfs practice1.ntfs.dd 64
.....
$ATTRIBUTE_LIST Attribute Values:
Type: 16-0 MFT Entry: 64 VCN: 0
Type: 48-3 MFT Entry: 64 VCN: 0
Type: 80-1 MFT Entry: 64 VCN: 0
Type: 144-0 MFT Entry: 136 VCN: 0

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $ATTRIBUTE_LIST (32-4) Name: N/A Non-Resident size: 136 init_size: 136
58070
.....
$ATTRIBUTE_LIST
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=64 count=1 | xxd
0000000: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
0000010: 0100 0100 3800 0300 8001 0000 0004 0000 ....8...........
.....
0000030: 2d00 0000 0000 0000 1000 0000 4800 0000 -...........H...
.....
0000080: 2000 0000 4800 0000 0100 4000 0000 0400  ...H.....@.....
0000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000a0: 4000 0000 0000 0000 0004 0000 0000 0000 @............... ← Offset to runlist
00000b0: 8800 0000 0000 0000 8800 0000 0000 0000 ................
00000c0: 3101 d6e2 0000 c901 3000 0000 6800 0000 1.......0...h... ← runlist 31 01 d6e200 : 1 cluster at LCN 0x00e2d6 = 58070, then 0x00 = E.N.D
.....
0000130: 5000 0000 4800 0000 0100 4000 0000 0100 P...H.....@.....
# dd if=practice1.ntfs.dd bs=1024 skip=58070 count=1 | xxd
(# icat -f ntfs practice1.ntfs.dd 64-32-4 | xxd)
0000000: 1000 0000 2000 001a 0000 0000 0000 0000 .... ...........
0000010: 4000 0000 0000 0100 0000 0000 0000 0000 @...............
0000020: 3000 0000 2000 001a 0000 0000 0000 0000 0... ...........
0000030: 4000 0000 0000 0100 0300 0000 0000 0000 @...............
0000040: 5000 0000 2000 001a 0000 0000 0000 0000 P... ...........
0000050: 4000 0000 0000 0100 0100 0000 0000 0000 @...............
0000060: 9000 0000 2800 041a 0000 0000 0000 0000 ....(...........
0000070: 8800 0000 0000 0100 0000 2400 4900 3300 ..........$.I.3.
0000080: 3000 0000 0000 0000 0000 0000 0000 0000 0...............
$ATTRIBUTE_LIST entry layout (byte offsets within one entry)
0x00-0x03 : Attribute type
0x04-0x05 : Length of this entry
0x06 (@) : Length of name
0x07 (#) : Offset to name (relative to start of this entry)
0x08-0x0F : Starting VCN in attribute
0x10-0x17 : File reference where attribute is located
0x18-0x19 ($) : Attribute ID
# dd if=practice1.ntfs.dd bs=1024 skip=58070 count=1 | xxd
0000000: 1000 0000 2000 001a 0000 0000 0000 0000  .... ...........   $STANDARD_INFORMATION
0000010: 4000 0000 0000 0100 0000 0000 0000 0000  @...............   MFT Entry (Base): 0x40 ("64"-32-4), Entry Seq.: 0x01
.....
0000060: 9000 0000 2800 041a 0000 0000 0000 0000  ....(...........   $INDEX_ROOT
0000070: 8800 0000 0000 0100 0000 2400 4900 3300  ..........$.I.3.   MFT Entry (Non-Base): 0x88 (136 - $INDEX_ROOT), Entry Seq.: 0x01
0000080: 3000 0000 0000 0000 0000 0000 0000 0000  0...............
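Walking the $ATTRIBUTE_LIST content above by hand is what istat did for us; as an added example (not code from the deck or from The Sleuth Kit), the Python below parses the same 136 bytes, reproduces istat's lines and reports which attributes live in an extension MFT entry. The byte string is transcribed from the dump; ATTR_NAMES is an assumed subset of the $AttrDef list shown earlier in the deck.

```python
import struct

# Attribute type numbers, a subset of the $AttrDef list earlier in this deck.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}

# Constructed sample: the 136 (0x88) bytes of $ATTRIBUTE_LIST content dumped above
# for MFT entry 64 (icat ... 64-32-4 | xxd), transcribed from the slide.
ATTRLIST_64 = bytes.fromhex(
    "10000000 2000001a 00000000 00000000"
    "40000000 00000100 00000000 00000000"
    "30000000 2000001a 00000000 00000000"
    "40000000 00000100 03000000 00000000"
    "50000000 2000001a 00000000 00000000"
    "40000000 00000100 01000000 00000000"
    "90000000 2800041a 00000000 00000000"
    "88000000 00000100 00002400 49003300"
    "30000000 00000000 00000000 00000000")

ENTRY_FMT = "<IHBBQQH"                   # type, length, name len, name off, start VCN, file ref, attr id
ENTRY_MIN = struct.calcsize(ENTRY_FMT)   # 26 bytes of fixed fields (bytes 0-25 in the table above)


def parse_attribute_list(data, size):
    """Walk the entries of an $ATTRIBUTE_LIST; `size` is the attribute's actual size."""
    entries, off = [], 0
    while off + ENTRY_MIN <= size:
        atype, length, name_len, name_off, vcn, ref, attr_id = struct.unpack_from(ENTRY_FMT, data, off)
        if atype == 0:                      # zero padding after the last entry
            break
        if length < ENTRY_MIN or off + length > size:
            raise ValueError(f"entry at {off:#x}: length {length} leaves the attribute")
        name = ""
        if name_len:
            start = off + name_off
            if start + 2 * name_len > off + length:
                raise ValueError(f"entry at {off:#x}: name runs past the entry")
            name = data[start:start + 2 * name_len].decode("utf-16-le")
        entries.append({
            "type": atype, "type_name": ATTR_NAMES.get(atype, f"0x{atype:x}"),
            "name": name, "id": attr_id, "vcn": vcn,
            # a file reference packs the MFT entry number in the low 48 bits and
            # that entry's sequence number in the high 16 bits
            "mft_entry": ref & 0xFFFFFFFFFFFF, "seq": ref >> 48,
        })
        off += length
    return entries


def istat_lines(entries):
    """Render the entries the way istat's '$ATTRIBUTE_LIST Attribute Values' block does."""
    return [f"Type: {e['type']}-{e['id']} MFT Entry: {e['mft_entry']} VCN: {e['vcn']}" for e in entries]


def extension_entries(entries, base_entry):
    """MFT entries other than the base one: part of this file's metadata lives there,
    so an examiner who reads only the base entry misses those attributes."""
    return sorted({e["mft_entry"] for e in entries if e["mft_entry"] != base_entry})


if __name__ == "__main__":
    found = parse_attribute_list(ATTRLIST_64, 136)
    for line, e in zip(istat_lines(found), found):
        print(line, e["type_name"], repr(e["name"]))
    print("attributes stored in extension entries:", extension_entries(found, 64))
```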
$OBJECT_ID
Type identifier : 64 (0x40)
File's 128-bit global object identifier (can be used to address the file instead of its name)
$OBJECT_ID
Byte range   Description
0-15         Object ID
16-31        Birth Volume ID (Optional)
32-47        Birth Object ID (Optional)
48-63        Birth Domain ID (Optional)
# icat -f ntfs /dev/sda2 0 | dd bs=1024 skip=634 count=1 | xxd
.....
0000100: 2e00 7400 7800 7400 4000 0000 2800 0000  ..t.x.t.@...(...
0000110: 0000 0000 0000 0500 1000 0000 1800 0000  ................
0000120: 4fd7 2419 7f3f e011 b0d1 0021 7008 9374  O.$..?.....!p..t
.....
# istat -f ntfs /dev/sda2 634
.....
$OBJECT_ID Attribute Values:
Object Id: 74930870-2100-d1b0-11e0-3f7f1924d74f
.....
$REPARSE_POINT
Type identifier : 192 (0xC0)
Special file or directory that contains information about what it links to.
(NTFS v3.0+)
Reparse points can link to files and directories on the same and other volumes, or on remote servers
Reparse points also can be used to mount a volume on a “directory” instead of a drive letter such as 'E:\'.
$REPARSE_POINT
A symbolic link (files)
A junction (directories)
A mount point (volumes)
“Windows Remote Storage Server” uses reparse points to describe the server location of a file or directory
$REPARSE_POINT
Reparse points (special files) have a flag set in their $STANDARD_INFORMATION and $FILE_NAME attributes
They also have a $REPARSE_POINT attribute that contains information about where the target file or directory is
NTFS keeps track of the reparse point locations using an index in the \$Extend\$Reparse file system metadata file
NTFS keeps track of mount points in a $DATA attribute in the root directory, MFT entry 5 ($MountMgrRemoteDatabase)
$REPARSE_POINT
Byte range   Description
0-3          Reparse type flags
4-5          Size of reparse data
6-7          Unused
8-9          Offset (relative to byte 16) to target name
10-11        Length of target name
12-13        Offset (relative to byte 16) to print name of target
14-15        Length of print name
# icat -f ntfs ntfs2.dd 167-192 | xxd
0000000: 0300 00a0 2800 0000 0000 1c00 1e00 0000  ....(...........   Junction (or mount point): 0xa0000000 flag set
0000016: 5c00 3f00 3f00 5c00 6300 3a00 5c00 7700  \.?.?.\.c.:.\.w.
0000032: 6900 6e00 6400 6f00 7700 7300 0000 1200  i.n.d.o.w.s.....
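As an added example (not the deck's code), the parser below decodes the junction dumped above from its reparse data: the tag's flag bits, the four offset/length fields at bytes 8-15, and the substitute and print names from the buffer at byte 16. The bytes are transcribed from the slide; the tag constants are Microsoft's values for mount points and symbolic links, and the extra flags field a symbolic link carries before its path buffer is handled so the same code covers both kinds, which the slide does not show.

```python
import struct

# Reparse tags whose buffer layout this parser knows (values from Microsoft's headers).
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003   # junction / volume mount point
IO_REPARSE_TAG_SYMLINK = 0xA000000C
TAG_NAMES = {IO_REPARSE_TAG_MOUNT_POINT: "IO_REPARSE_TAG_MOUNT_POINT",
             IO_REPARSE_TAG_SYMLINK: "IO_REPARSE_TAG_SYMLINK"}

# Constructed sample: the 48 bytes of the $REPARSE_POINT attribute dumped above
# (icat -f ntfs ntfs2.dd 167-192 | xxd), transcribed from the slide.
JUNCTION_167 = bytes.fromhex(
    "0300 00a0 2800 0000 0000 1c00 1e00 0000"
    "5c00 3f00 3f00 5c00 6300 3a00 5c00 7700"
    "6900 6e00 6400 6f00 7700 7300 0000 1200")


def parse_reparse_point(data):
    """Decode a $REPARSE_POINT attribute (mount point / junction or symbolic link)."""
    if len(data) < 16:
        raise ValueError("attribute too short for a reparse header")
    tag, size, _unused = struct.unpack_from("<IHH", data, 0)
    if 8 + size > len(data):
        raise ValueError(f"reparse data size {size} exceeds the attribute")
    sub_off, sub_len, prt_off, prt_len = struct.unpack_from("<HHHH", data, 8)
    # A symbolic link has a 4-byte flags field before its path buffer; a mount
    # point's buffer starts right after the four offset/length fields (byte 16).
    buf_start = 20 if tag == IO_REPARSE_TAG_SYMLINK else 16
    path_buf = data[buf_start:8 + size]

    def utf16(off, length):
        # offsets and lengths come from disk: keep them inside the buffer
        if off + length > len(path_buf) or length % 2:
            raise ValueError("name offset/length run outside the reparse buffer")
        return path_buf[off:off + length].decode("utf-16-le")

    return {
        "tag": tag,
        "tag_name": TAG_NAMES.get(tag, f"unknown 0x{tag:08x}"),
        "microsoft": bool(tag & 0x80000000),        # bit 31: Microsoft-defined tag
        "name_surrogate": bool(tag & 0x20000000),   # bit 29: object stands in for another (link/junction)
        "tag_value": tag & 0xFFFF,
        "data_size": size,
        "substitute_name": utf16(sub_off, sub_len),  # the NT path the file system follows
        "print_name": utf16(prt_off, prt_len),       # the path shown to users (may be empty)
    }


def win32_path(nt_name):
    """Strip the NT object-manager prefix (\\??\\) the substitute name is stored with."""
    return nt_name[4:] if nt_name.startswith("\\??\\") else nt_name


if __name__ == "__main__":
    rp = parse_reparse_point(JUNCTION_167)
    print(rp["tag_name"], "->", win32_path(rp["substitute_name"]))
```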
INDEX
An index in NTFS is “A collection of attributes that is stored in a sorted order”
Only the $FILE_NAME attribute was in an index (Prior to version 3.0 of NTFS)
Several other uses of indexes: Security information, Quota information.... (Post version 3.0 of NTFS)
INDEX
B-Tree (Similar to Binary Tree but more than 2 children/Node)
[Original Tree with 3 entries Max]
A: eee.txt lll.txt ttt.txt
  B: aaa.txt bbb.txt
  C: fff.txt ggg.txt iii.txt
  D: ooo.txt rrr.txt
  E: vvv.txt zzz.txt
INDEX: Adding jjj.txt (1)
A: eee.txt lll.txt ttt.txt
  B: aaa.txt bbb.txt
  C: fff.txt ggg.txt iii.txt jjj.txt   ← Over Max 3
  D: ooo.txt rrr.txt
  E: vvv.txt zzz.txt
INDEX: Adding jjj.txt (2)
A: eee.txt ggg.txt lll.txt ttt.txt   ← Over Max 3
  B: aaa.txt bbb.txt
  F: fff.txt                           ← Deleting C
  G: iii.txt jjj.txt
  D: ooo.txt rrr.txt
  E: vvv.txt zzz.txt
INDEX: Adding jjj.txt (3)
H: ggg.txt
  I: eee.txt
    B: aaa.txt bbb.txt
    F: fff.txt
  J: lll.txt ttt.txt
    G: iii.txt jjj.txt
    D: ooo.txt rrr.txt
    E: vvv.txt zzz.txt
INDEX: Deleting fff.txt and zzz.txt (1)
H: ggg.txt
  I: eee.txt
    B: aaa.txt bbb.txt
    F: fff.txt
  J: lll.txt ttt.txt
    G: iii.txt jjj.txt
    D: ooo.txt rrr.txt
    E: vvv.txt zzz.txt
INDEX: Deleting fff.txt and zzz.txt (2)
H: ggg.txt
  I: eee.txt
    B: aaa.txt bbb.txt
    F: (empty)   !
  J: lll.txt ttt.txt
    G: iii.txt jjj.txt
    D: ooo.txt rrr.txt
    E: vvv.txt
INDEX: Deleting fff.txt and zzz.txt (3)
H: ggg.txt
  I: bbb.txt
    B: aaa.txt
    F: eee.txt
  J: lll.txt ttt.txt
    G: iii.txt jjj.txt
    D: ooo.txt rrr.txt
    E: vvv.txt
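The insert and delete walkthrough above, as an added Python example (not code from the deck): a B-tree with at most 3 entries per node that splits the way the figures do (the second of four keys moves up) and refills an emptied node by borrowing through its parent, or merging when no sibling can spare a key. Node names (A, B, ...) are not kept; trees are compared in (keys, children) form.

```python
import bisect
MAX_KEYS = 3   # "3 entries Max", as in the figures above
MIN_KEYS = 1   # a node left with no entry (F after deleting fff.txt) has to be refilled

class Node:
    def __init__(self, keys=(), children=()):
        self.keys = list(keys)           # kept sorted; NTFS orders names by the collation rule
        self.children = list(children)   # empty for a leaf, len(keys)+1 otherwise

def _split(node):
    # Split as the figures do: of the four keys the second moves up to the parent,
    # the first stays in the left node and the last two form the new right node.
    mid = (len(node.keys) - 1) // 2
    promoted = node.keys[mid]
    right = Node(node.keys[mid + 1:], node.children[mid + 1:])
    node.keys, node.children = node.keys[:mid], node.children[:mid + 1]
    return promoted, right

def _insert(node, key):
    if not node.children:                  # leaf
        bisect.insort(node.keys, key)
    else:                                  # child i holds the keys between keys[i-1] and keys[i]
        i = bisect.bisect(node.keys, key)
        grown = _insert(node.children[i], key)
        if grown:                          # the child split: take its promoted key
            node.keys.insert(i, grown[0])
            node.children.insert(i + 1, grown[1])
    return _split(node) if len(node.keys) > MAX_KEYS else None

def insert(root, key):
    grown = _insert(root, key)
    if grown:                              # the root split too: new root, tree one level deeper
        return Node([grown[0]], [root, grown[1]])
    return root

def _rebalance(parent, i):
    """Child i has too few keys: borrow through the parent, otherwise merge."""
    child = parent.children[i]
    left = parent.children[i - 1] if i > 0 else None
    right = parent.children[i + 1] if i + 1 < len(parent.children) else None
    if left and len(left.keys) > MIN_KEYS:     # figures: eee.txt moves down, bbb.txt moves up
        child.keys.insert(0, parent.keys[i - 1])
        parent.keys[i - 1] = left.keys.pop()
        if left.children:
            child.children.insert(0, left.children.pop())
    elif right and len(right.keys) > MIN_KEYS:
        child.keys.append(parent.keys[i])
        parent.keys[i] = right.keys.pop(0)
        if right.children:
            child.children.append(right.children.pop(0))
    elif left:                                 # merge child into its left sibling
        left.keys += [parent.keys.pop(i - 1)] + child.keys
        left.children += child.children
        parent.children.pop(i)
    else:                                      # merge the right sibling into child
        child.keys += [parent.keys.pop(i)] + right.keys
        child.children += right.children
        parent.children.pop(i + 1)

def _delete(node, key):
    if not node.children:
        node.keys.remove(key)                  # ValueError if the name is not in the index
        return
    i = bisect.bisect_left(node.keys, key)
    if i < len(node.keys) and node.keys[i] == key:
        # key sits in an internal node: swap in its successor (leftmost key of the
        # right subtree) and delete that successor from its leaf instead
        succ = node.children[i + 1]
        while succ.children:
            succ = succ.children[0]
        node.keys[i] = key = succ.keys[0]
        i += 1
    _delete(node.children[i], key)
    if len(node.children[i].keys) < MIN_KEYS:
        _rebalance(node, i)

def delete(root, key):
    _delete(root, key)
    if not root.keys and root.children:        # merges emptied the root: drop one level
        return root.children[0]
    return root

def to_nested(node):
    """(keys, [children...]) form, for comparing a tree against the figures."""
    return (list(node.keys), [to_nested(c) for c in node.children])

def from_nested(nested):
    keys, children = nested
    return Node(keys, [from_nested(c) for c in children])

# The "Original Tree with 3 entries Max": A is the root, B..E are its leaves.
ORIGINAL = (["eee.txt", "lll.txt", "ttt.txt"], [
    (["aaa.txt", "bbb.txt"], []), (["fff.txt", "ggg.txt", "iii.txt"], []),
    (["ooo.txt", "rrr.txt"], []), (["vvv.txt", "zzz.txt"], [])])

if __name__ == "__main__":
    root = insert(from_nested(ORIGINAL), "jjj.txt")      # figures "Adding jjj.txt"
    root = delete(delete(root, "fff.txt"), "zzz.txt")   # figures "Deleting fff.txt and zzz.txt"
    print(to_nested(root))
```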
INDEX
Every “directory” has a $INDEX_ROOT attribute: information about the files and subdirectories in it.
$INDEX_ALLOCATION, $BITMAP attributes are used (If the directory is large)
“Directory” can have a $DATA attribute; the $DATA attribute can store any content that an application or user wants.
$INDEX_ROOT, $INDEX_ALLOCATION attributes for a directory typically have the name "$I30"
INDEX
Attribute Type ID
Type  Name               Description
144   $INDEX_ROOT        Root node of an index tree
160   $INDEX_ALLOCATION  Nodes of an index tree rooted in $INDEX_ROOT attribute
176   $BITMAP            A bitmap for the $MFT file and for indexes
Every “directory” has a $INDEX_ROOT attribute: information about the files and subdirectories in it.
$INDEX_ALLOCATION, $BITMAP attributes ← large directory
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 skip=5 count=1 | xxd
.....
0000120: 2105 0d20 0000 0000 9000 0000 5800 0000  !.. ........X...
0000130: 0004 1800 0000 0300 3800 0000 2000 0000  ........8... ...
0000140: 2400 4900 3300 3000 3000 0000 0100 0000  $.I.3.0.0.......
0000150: 0010 0000 0400 0000 1000 0000 2800 0000  ............(...
0000160: 2800 0000 0100 0000 0000 0000 0000 0000  (...............
0000170: 1800 0000 0300 0000 0000 0000 0000 0000  ................
0000180: a000 0000 5000 0000 0104 4000 0000 0500  ....P.....@.....
.....
00001c0: 2400 4900 3300 3000 2104 1220 0000 0000  $.I.3.0.!.. ....
00001d0: b000 0000 2800 0000 0004 1800 0000 0400  ....(...........
00001e0: 0800 0000 2000 0000 2400 4900 3300 3000  .... ...$.I.3.0.
.....
(Callouts on each attribute header in the dump: Attribute Type ID, Attribute Length, Non Resident Flag, Length of Name, Offset to Name, Flags, Attribute Identifier)
NTFS INDEX ATTRIBUTE
[Figure: an MFT entry (header, $STD_INFO, $FILE_NAME, $INDEX_ROOT, $INDEX_ALLOCATION). $INDEX_ROOT holds 1 node; if the index has more than 1 node, the non-resident $INDEX_ALLOCATION holds index records 0, 1, 2, ... of fixed size (4,096 bytes, usually), here in cluster 713. Each index record is one index node of the directory and holds a list of index entries; each index entry is a header (H) followed by a $FILE_NAME attribute.]
The $BITMAP attribute is used to manage the allocation status of the index records
$INDEX_ROOT
Type identifier : 144 (0x90), Resident (Always)
The root of the index tree (Store only a small list of index entries)
[$INDEX_ROOT attribute layout: $INDEX_ROOT header, node header, index entry #1, index entry #2, index entry #3, index entry #4]
$INDEX_ROOT header
Byte range   Description
0-3          Type of attr. in index (0 if entry does not use an attribute)
4-7          Collation sorting rule
8-11         Size of each index record in “bytes”
12           Size of each index record in “clusters”
13-15        Unused
# icat -f ntfs ./practice1.ntfs.dd 68-144-8 | xxd
0000000: 3000 0000 0100 0000 0010 0000 0400 0000  0...............
.....
Type: Attribute type 48 (0x30), $FILE_NAME
Size of index record : 4,096 bytes = 4 clusters
$INDEX_ALLOCATION
Type identifier : 160 (0xA0), Non-Resident
Should not exist without an $INDEX_ROOT attribute
Index record : Static size, Contains one node in the sorted tree
Index record Size: $INDEX_ROOT attr. header / Boot Sector (typically 4,096 bytes)
[$INDEX_ALLOCATION attribute layout: INDEX Record 0 (INDEX record header, node header, index entries ...), INDEX Record 1 (INDEX record header, node header, index entries ...), ...]
$INDEX_ALLOCATION
INDEX record header
Byte range   Description
0-3          Signature value ("INDX")
4-5          Offset to fixup array
6-7          Number of entries in fixup array
8-15         $LogFile Sequence Number (LSN)
16-23        The VCN of this record in the full index stream
# icat -f ntfs ./practice1.ntfs.dd 68-160-6 | xxd
0000000: 494e 4458 2800 0900 0000 0000 0000 0000  INDX(...........
0000010: 0000 0000 0000 0000 2800 0000 7006 0000  ........(...p...
0000020: e80f 0000 0000 0000 2d00 c901 0000 0000  ........-.......
.....
00001f0: 8014 ddc9 b895 c901 8014 ddc9 b895 2d00  ..............-.
.....
00003f0: 8014 ddc9 b895 c901 0000 0000 0000 2d00  ..............-.
.....
0000ff0: 0000 0000 0000 0000 0000 0000 0000 2d00  ..............-.
# icat -f ntfs ./practice1.ntfs.dd 89-160-6 | xxd
0000000: 494e 4458 2800 0900 0000 0000 0000 0000  INDX(...........
0000010: 0000 0000 0000 0000 2800 0000 c007 0000  ........(.......   VCN 0
.....
0001000: 494e 4458 2800 0900 0000 0000 0000 0000  INDX(...........   2nd record
0001010: 0400 0000 0000 0000 2800 0000 900d 0000  ........(.......   VCN 4
.....
# icat -f ntfs ./practice1.ntfs.dd 89-144-7 | xxd
0000000: 3000 0000 0100 0000 0010 0000 0400 0000  0...............
.....
Type: Attribute type 48 (0x30), $FILE_NAME
Size of index record : 4,096 bytes = 4 clusters
$BITMAP
Type identifier : 176 (0xB0)
Organized by bytes; each bit corresponds to an index record
Keeps track of which index records (in the $INDEX_ALLOCATION attribute) are allocated
A directory may have unneeded (or unused) index records after deleting entries, or when the allocated clusters are larger than one index record
# icat -f ntfs ./practice1.ntfs.dd 68-176-5 | xxd
0000000: 0100 0000 0000 0000  ........   0x01 = 00000001 : Index Record 0 is allocated
# icat -f ntfs ./practice1.ntfs.dd 89-176-5 | xxd
0000000: 0300 0000 0000 0000  ........   0x03 = 00000011 : Index Records 0 and 1 are allocated
INDEX NODE HEADER
Used to show where the list of index entries starts and ends.
[Figure: the node header follows the $INDEX_ROOT header in the $INDEX_ROOT attribute, and the INDEX record header in each INDEX record (0, 1, ...) of the $INDEX_ALLOCATION attribute; index entries #1 ... #n come after it]
Byte range   Description (offsets are relative to start of the node header)
0-3          Offset to start of index entry list
4-7          Offset to end of used portion of index entry list
8-11         Offset to end of allocated index entry list buffer
12-15        Flags (0x01 = there are children nodes)
# icat -f ntfs ./practice1.ntfs.dd 68-144-8 | xxd
0000000: 3000 0000 0100 0000 0010 0000 0400 0000  0...............
0000010: 1000 0000 2800 0000 2800 0000 0100 0000  ....(...(.......
0000020: 0000 0000 0000 0000 1800 0000 0300 0000  ................
0000030: 0000 0000 0000 0000                      ........
bash-3.2# icat -f ntfs ./practice1.ntfs.dd 68-160-6 | xxd
0000000: 494e 4458 2800 0900 0000 0000 0000 0000  INDX(...........
0000010: 0000 0000 0000 0000 2800 0000 7006 0000  ........(...p...
0000020: e80f 0000 0000 0000 2d00 c901 0000 0000  ........-.......   No children node
.....
0000040: 4500 0000 0000 0100 6000 4e00 0000 0000  E.......`.N.....
.....
0000680: 1000 0000 0200 0000 0000 0000 0000 0000  ................
.....
0000ff0: 0000 0000 0000 0000 0000 0000 0000 2d00  ..............-.
INDEX ENTRY (GENERIC)
[Figure: index entries #1 ... #n follow the node header in the $INDEX_ROOT attribute and in each INDEX record of the $INDEX_ALLOCATION attribute]
Byte range   Description
0-7          Undefined
8-9          Length of this Entry
10-11        Length of Content
12-15        Flags (0x01 : Child Node, 0x02 : Last Entry)
16 ~ N-8     Content
N-7 ~ N      The VCN of this record in the full index stream (only w/ flag set)
INDEX ENTRY (DIR. INDEX)
Byte range   Description
0-7          MFT file reference for file name
8-9          Length of this Entry
10-11        Length of $FILE_NAME attr.
12-15        Flags (0x01 : Child Node, 0x02 : Last Entry)
16 ~ N-8     $FILE_NAME attr. (if length > 0)
N-7 ~ N      The VCN of this record in the full index stream (only w/ flag set)
INDEX ENTRY
# icat -f ntfs ./practice1.ntfs.dd 68-144-8 | xxd
0000000: 3000 0000 0100 0000 0010 0000 0400 0000  0...............
0000010: 1000 0000 2800 0000 2800 0000 0100 0000  ....(...(.......
0000020: 0000 0000 0000 0000 1800 0000 0300 0000  ................   0x03 : 0x01+0x02 → with Child Node ($INDEX_ALLOCATION) and the last
0000030: 0000 0000 0000 0000                      ........
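As an added example (not the deck's code), the following parses the $INDEX_ROOT of entry 68 shown above: the 16-byte $INDEX_ROOT header, the node header, and the generic index entries up to the one flagged last, reading the child VCN whenever flag 0x01 is set. The bytes are transcribed from the slide.

```python
import struct

# Constructed sample: the 56 (0x38) bytes of the $INDEX_ROOT attribute of MFT entry 68
# (icat -f ntfs ./practice1.ntfs.dd 68-144-8 | xxd), transcribed from the slide.
INDEX_ROOT_68 = bytes.fromhex(
    "30000000 01000000 00100000 04000000"   # $INDEX_ROOT header: type, collation, record size, clusters
    "10000000 28000000 28000000 01000000"   # node header: start, used end, allocated end, flags
    "00000000 00000000 18000000 03000000"   # index entry: undefined, length, content length, flags
    "00000000 00000000")                    # VCN of the child node (present because flag 0x01 is set)

ENTRY_CHILD, ENTRY_LAST = 0x01, 0x02


def parse_node_header(data, off):
    """Node header at `off`; its three offsets are relative to the node header itself."""
    start, used, alloc, flags = struct.unpack_from("<IIII", data, off)
    if not start <= used <= alloc <= len(data) - off:
        raise ValueError("node header offsets are inconsistent")
    return {"entries_off": off + start, "used_end": off + used,
            "alloc_end": off + alloc, "has_children": bool(flags & 0x01)}


def parse_generic_entries(data, node):
    """Walk the index entry list up to the entry flagged as last."""
    entries, off = [], node["entries_off"]
    while off + 16 <= node["used_end"]:
        ref, length, content_len, flags = struct.unpack_from("<QHHI", data, off)
        tail = 8 if flags & ENTRY_CHILD else 0        # child VCN occupies the entry's last 8 bytes
        if length < 16 + content_len + tail or off + length > node["used_end"]:
            raise ValueError(f"index entry at {off:#x} does not fit the node")
        entry = {"offset": off, "ref": ref, "length": length, "flags": flags,
                 "content": data[off + 16:off + 16 + content_len],
                 "last": bool(flags & ENTRY_LAST), "child_vcn": None}
        if tail:
            entry["child_vcn"] = struct.unpack_from("<Q", data, off + length - 8)[0]
        entries.append(entry)
        if entry["last"]:
            break
        off += length
    return entries


def parse_index_root(data):
    attr_type, collation, rec_size, rec_clusters = struct.unpack_from("<IIIB", data, 0)
    node = parse_node_header(data, 16)
    return {"attr_type": attr_type, "collation": collation, "record_size": rec_size,
            "record_clusters": rec_clusters, "node": node,
            "entries": parse_generic_entries(data, node)}


if __name__ == "__main__":
    root = parse_index_root(INDEX_ROOT_68)
    print(f"indexes attribute {root['attr_type']:#x}, {root['record_size']}-byte records")
    for e in root["entries"]:
        print(f"entry @{e['offset']:#x} flags={e['flags']:#x} child_vcn={e['child_vcn']}")
```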
INDEX ENTRY
# icat -f ntfs ./practice1.ntfs.dd 68-160-6 | xxd
0000000: 494e 4458 2800 0900 0000 0000 0000 0000  INDX(...........
0000010: 0000 0000 0000 0000 2800 0000 7006 0000  ........(...p...
0000020: e80f 0000 0000 0000 2d00 c901 0000 0000  ........-.......
.....
0000040: [4500 0000 0000 0100 6000 4e00 0000 0000  E.......`.N.....
0000050: [4400 0000 0000 0100 8014 ddc9 b895 c901  D...............
0000060: 8014 ddc9 b895 c901 8014 ddc9 b895 c901  ................
0000070: 8014 ddc9 b895 c901 0000 0000 0000 0000  ................
0000080: 0000 0000 0000 0000 0000 0010 0000 0000  ................
0000090: 0600 6300 6b00 6b00 6900 6e00 6700] 0000]  ..c.k.k.i.n.g...
(brackets: the outer pair marks the index entry, the inner pair its $FILE_NAME attribute)
# istat -f ntfs ./practice1.ntfs.dd 69
MFT Entry Header Values:
Entry: 69 Sequence: 1
.....
$FILE_NAME Attribute Values:
Flags: Directory
Name: ckking
Parent MFT Entry: 68 Sequence: 1
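The INDX record and its first directory index entry, parsed in Python as an added example (not code from the deck or from The Sleuth Kit): the fixups are applied first, then the node header leads to the entries and each $FILE_NAME is decoded. The record is constructed from the bytes on the slides; the fixup values and sector tails the slides elide are zero filled, and the entry list is closed after "ckking" with a constructed end marker because the other entries are not shown.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
RECORD_SIZE = 4096   # "Size of index record : 4,096 bytes" in the $INDEX_ROOT header of entry 68


def build_indx_record():
    """Constructed sample: INDEX record 0 of MFT entry 68 (icat ... 68-160-6 | xxd above).
    Bytes the slides show are transcribed; everything they elide is zero filled."""
    rec = bytearray(RECORD_SIZE)
    rec[0x00:0x30] = bytes.fromhex(      # INDX header, node header, fixup array (USN + 3 values)
        "494e4458 28000900 00000000 00000000"
        "00000000 00000000 28000000 70060000"
        "e80f0000 00000000 2d00c901 00000000")
    rec[0x40:0xa0] = bytes.fromhex(      # first index entry: "ckking", MFT entry 69
        "45000000 00000100 6000 4e00 00000000"
        "44000000 00000100 8014ddc9 b895c901"
        "8014ddc9 b895c901 8014ddc9 b895c901"
        "8014ddc9 b895c901 00000000 00000000"
        "00000000 00000000 00000010 00000000"
        "0600 6300 6b00 6b00 6900 6e00 6700 0000")
    # constructed: the entries after "ckking" are not on the slide, so the list is closed
    # here with a 16-byte "last entry" marker like the one at 0x680 on the slide
    rec[0xa0:0xb0] = struct.pack("<QHHI", 0, 16, 0, 0x02)
    rec[0x1f0:0x200] = bytes.fromhex("8014ddc9 b895c901 8014ddc9 b8952d00")   # sector 0 tail (slide)
    rec[0x3f0:0x400] = bytes.fromhex("8014ddc9 b895c901 00000000 00002d00")   # sector 1 tail (slide)
    for s in range(2, RECORD_SIZE // SECTOR):     # constructed: remaining sector tails hold the USN
        rec[(s + 1) * SECTOR - 2:(s + 1) * SECTOR] = b"\x2d\x00"
    return bytes(rec)


def apply_fixups(rec):
    """Undo the update-sequence protection: every sector must end with the USN, which is then
    swapped back for the original two bytes kept in the fixup array (a torn-write check)."""
    sig, fix_off, fix_n = struct.unpack_from("<4sHH", rec, 0)
    if sig != b"INDX":
        raise ValueError("not an INDX record")
    usn = rec[fix_off:fix_off + 2]
    out = bytearray(rec)
    for s in range(fix_n - 1):                    # fix_n counts the USN plus one value per sector
        tail = (s + 1) * SECTOR - 2
        if out[tail:tail + 2] != usn:
            raise ValueError(f"sector {s} does not end with USN {usn.hex()}: torn or corrupt record")
        out[tail:tail + 2] = rec[fix_off + 2 + 2 * s:fix_off + 4 + 2 * s]
    return bytes(out)


def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_dir_index_record(rec):
    """Return the record's VCN/LSN and the $FILE_NAME index entries it holds."""
    rec = apply_fixups(rec)
    lsn, vcn = struct.unpack_from("<QQ", rec, 8)
    start, used, alloc, node_flags = struct.unpack_from("<IIII", rec, 0x18)   # node header
    if not start <= used <= alloc <= len(rec) - 0x18:
        raise ValueError("node header offsets are inconsistent")
    off, end, entries = 0x18 + start, 0x18 + used, []
    while off + 16 <= end:
        ref, length, fn_len, flags = struct.unpack_from("<QHHI", rec, off)
        if length < 16 + fn_len or off + length > end:
            raise ValueError(f"index entry at {off:#x} runs past the used part of the node")
        if fn_len:                                # entries with a $FILE_NAME (the last one has none)
            (parent, cr, mo, mft_mo, acc, _alloc, _real, fn_flags, _rp,
             name_len, namespace) = struct.unpack_from("<Q4QQQIIBB", rec, off + 16)
            name_off = off + 16 + 66              # the name follows the 66 fixed bytes of $FILE_NAME
            entries.append({
                "mft_entry": ref & 0xFFFFFFFFFFFF, "seq": ref >> 48,
                "parent_entry": parent & 0xFFFFFFFFFFFF, "parent_seq": parent >> 48,
                "created": filetime(cr), "modified": filetime(mo),
                "mft_modified": filetime(mft_mo), "accessed": filetime(acc),
                "is_dir": bool(fn_flags & 0x10000000), "namespace": namespace,
                "name": rec[name_off:name_off + 2 * name_len].decode("utf-16-le"),
                "child_vcn": struct.unpack_from("<Q", rec, off + length - 8)[0] if flags & 0x01 else None,
            })
        if flags & 0x02:
            break
        off += length
    return {"vcn": vcn, "lsn": lsn, "has_children": bool(node_flags & 0x01), "entries": entries}


if __name__ == "__main__":
    parsed = parse_dir_index_record(build_indx_record())
    for e in parsed["entries"]:
        print(e["mft_entry"], e["name"], "dir" if e["is_dir"] else "file", e["created"])
```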
METADATA FILES
[File System Meta Data Files] Files that store the file system's administrative data
(MS reserves the first 16 MFT entries for this)
### 1st entry for a user file or directory is entry 24 ### (MS reserves other entries for $MFT extensions)
METADATA FILES
Entry   FileName   Description
0       $MFT       The entry for the MFT itself
1       $MFTMirr   Contains a backup of the first entries in the MFT
2       $LogFile   Contains the journal that records the metadata transactions
3       $Volume    Contains the volume info. (label, identifier, version)
4       $AttrDef   Contains the attribute info. (identifier values, name, sizes)
5       .          Contains the root directory of the file system
6       $Bitmap    Contains the allocation status of each cluster in the file system
7       $Boot      Contains the boot sector and boot code for the file system
8       $BadClus   Contains the clusters that have bad sectors
9       $Secure    Contains info. (security and access control for the files)
10      $UpCase    Contains the uppercase version of every Unicode character
11      $Extend    A directory that contains files for optional extensions
12..23             Reserved for $MFT extension entries
METADATA FILES: FILESYSTEM CATEGORY
$MFT
$MFT = The 1st Entry in the table (MFT) → describes on-disk location of MFT
The starting location of the MFT ← Defined in boot sector
[Figure: Boot Sector at C(0); Start of MFT at C(16); the $MFT entry is 1 Cluster]
$MFT
The starting location of the MFT : C(16) = S(32); entry size = 1 cluster = 1024 bytes
$MFT = the 1st entry in the table (MFT)
[Figure: sectors S(31) S(32) S(33); the $MFT entry begins at S(32)]
# dd if=./practice1.ntfs.dd bs=512 count=2 skip=32 | xxd
...
0000000: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
0000010: 0100 0100 3800 0100 9801 0000 0004 0000  ....8...........
0000020: 0000 0000 0000 0000 0400 0000 0000 0000  ................
...
$MFT
# istat -f ntfs practice1.ntfs.dd 0        // 0: MFT entry number
MFT Entry Header Values:
Entry: 0        Sequence: 1
$LogFile Sequence Number: 0
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Hidden, System
Owner ID: 0
Security ID: 256 ()
Created: Wed Dec 31 19:00:00 1969        // File Modified, MFT Modified, Accessed ....

$FILE_NAME Attribute Values:
Flags: Hidden, System
Name: $MFT
Parent MFT Entry: 5     Sequence: 5        // 5: "." - Root Directory
Allocated Size: 27648   Actual Size: 27648
Created: Sat Feb 21 15:24:38 2009
......
$MFT
# istat -f ntfs practice1.ntfs.dd 0
...
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 74
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 257024  init_size: 257024
16 17 18 19 20 21 22 23 ....... 256 257 258 259 260 261 262 263 264 265 266        // (266-16+1)*1024 = 257024
Type: $BITMAP (176-3)   Name: N/A   Non-Resident   size: 32  init_size: 32
8

# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024 count=251 | xxd
0000000: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
0000010: 0100 0100 3800 0100 9801 0000 0004 0000  ....8...........
0000020: 0000 0000 0000 0000 0400 0000 0000 0000  ................
0000030: b800 0000 0000 0000 1000 0000 6000 0000  ............`...
......
00000f0: 0403 2400 4d00 4600 5400 0000 0000 0000  ..$.M.F.T.......
......
003ebd0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
003ebe0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
003ebf0: 0000 0000 0000 0000 0000 0000 0000 0700  ................        // 0x3ebff = 257023
$MFT - $BITMAP ATTR.
# icat -f ntfs ./practice1.ntfs.dd 0-176-3 | xxd
0000000: ffff 0007 0000 0000 ffff ffff ffff ffff  ................
         ff:11111111  ff:11111111  00:00000000  07:00000111 >> 11100000 (little endian!!!)
...
0000010: ffff ffff ffff ffff ffff ffff ffff fd06  ................
//** Checking Flags in MFT Entry **//
# for (( c=0; c<32; c++)); do icat -f ntfs ./practice1.ntfs.dd 0-128-1 | dcfldd bs=1024 skip=$c count=1 | xxd | grep '0000010\:' | awk '{print $5}' >> flag01; done
# cat ./flag01
0100/0100/0100/0100/0100/0300/0100/0100
0100/0900/0100/0300/0100/0100/0100/0100
0000/0000/0000/0000/0000/0000/0000/0000
0d00/0d00/0d00/0000/0000/0000/0000/0000
(one 16-bit flags value per MFT entry, entries 0-31, little endian; 0x0001 = in-use, 0x0002 = directory, so entry 5 (root directory) shows 0300)
[MFT entry header: byte offsets 0x00-0x29 (42 bytes); fields highlighted on the slide]
0x10-0x11  Sequence value
0x12-0x13  Link count
0x14-0x15  Offset to first attribute
0x16-0x17  Flags (in-use and directory)
0x18-0x1B  Used size of MFT entry
0x1C-0x1F  Allocated size of MFT entry
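An added example, not from the slides: the shell loop above reads only the flags word of each entry by offset. The Python below decodes the whole 42-byte header of entry 0 from the bytes in the dd dump and, before that, validates and undoes the update sequence array (the fixups at offset 0x30, which NTFS uses to detect torn sector writes). The bytes beyond 0x40 of the 1 KiB entry are constructed zero filler, and the two sector tails are set to the USN the way NTFS writes them on disk.

```python
import struct

SECTOR_SIZE = 512
MFT_ENTRY_SIZE = 1024   # "Size of MFT Entries: 1024 bytes" in the fsstat output

# First 0x40 bytes of MFT entry 0 ($MFT) exactly as in the dd/icat dumps above;
# the remaining bytes of the 1 KiB entry are CONSTRUCTED zero filler.
MFT_ENTRY_HEAD = bytes.fromhex(
    "4649 4c45 3000 0300 0000 0000 0000 0000"   # "FILE", USA offset 0x30, USA count 3, LSN 0
    "0100 0100 3800 0100 9801 0000 0004 0000"   # seq 1, links 1, attr offset 0x38, flags 1, used 0x198, alloc 0x400
    "0000 0000 0000 0000 0400 0000 0000 0000"   # base record reference 0, next attribute id 4
    "b800 0000 0000 0000 1000 0000 6000 0000"   # USN 0x00b8, fixup values 0x0000 0x0000; first attribute: type 0x10, length 0x60
)

MFT_ENTRY_FLAGS = {0x0001: "in-use", 0x0002: "directory"}


def build_on_disk_entry() -> bytearray:
    """Entry in on-disk form: NTFS stores the USN in the last two bytes of every
    sector of the record and keeps the displaced original bytes in the fixup array."""
    buf = bytearray(MFT_ENTRY_HEAD) + bytearray(MFT_ENTRY_SIZE - len(MFT_ENTRY_HEAD))
    usa_ofs = struct.unpack_from("<H", buf, 4)[0]
    usn = bytes(buf[usa_ofs:usa_ofs + 2])
    for end in range(SECTOR_SIZE, MFT_ENTRY_SIZE + 1, SECTOR_SIZE):
        buf[end - 2:end] = usn
    return buf


def apply_fixups(buf: bytearray, sector_size: int = SECTOR_SIZE) -> bytearray:
    """Verify the update sequence array and restore the original sector tails in place.
    A mismatch means a torn write or corruption: the record must not be trusted."""
    usa_ofs, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_ofs:usa_ofs + 2])
    for i in range(1, usa_count):          # element 0 of the array is the USN itself
        end = i * sector_size
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("fixup mismatch in sector %d of the record" % (i - 1))
        buf[end - 2:end] = buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return buf


def parse_mft_header(buf: bytes) -> dict:
    """Decode the 42-byte MFT entry header (apply_fixups first when reading raw disk data)."""
    if bytes(buf[0:4]) != b"FILE":
        raise ValueError("bad signature %r: not an MFT entry" % bytes(buf[0:4]))
    (usa_ofs, usa_count, lsn, seq, links, attr_ofs, flags,
     used, alloc, base_ref, next_attr_id) = struct.unpack_from("<HHQHHHHIIQH", buf, 4)
    usn, = struct.unpack_from("<H", buf, usa_ofs)
    attr_type, attr_len = struct.unpack_from("<II", buf, attr_ofs)
    return {
        "usa_offset": usa_ofs, "usa_count": usa_count, "usn": usn, "lsn": lsn,
        "sequence": seq, "link_count": links, "first_attr_offset": attr_ofs,
        "flags": flags,
        "flag_names": [name for bit, name in MFT_ENTRY_FLAGS.items() if flags & bit],
        "used_size": used, "allocated_size": alloc,
        "base_entry": base_ref & 0xFFFFFFFFFFFF, "next_attr_id": next_attr_id,
        "first_attr_type": attr_type, "first_attr_len": attr_len,
    }


if __name__ == "__main__":
    entry = apply_fixups(build_on_disk_entry())
    print(parse_mft_header(entry))
```

The same fixup routine applies to INDX records (USA offset 0x28, count 9 for a 4096-byte record in the dump at the top of this section); a tool that skips it reads two wrong bytes at the end of every sector.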
$MFTMirr
Located in clusters in the middle of the file system
Saves copies of at least the first four MFT entries ($MFT, $MFTMirr, $LogFile, $Volume)
# istat -f ntfs practice1.ntfs.dd 1
....
Entry: 1        Sequence: 1
.....
Name: $MFTMirr
.....
Attributes:
.....
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 4096  init_size: 4096
32759 32760 32761 32762

# dd if=./practice1.ntfs.dd bs=1024 skip=32759 count=4 | xxd
.....
00000f0: 0403 2400 4d00 4600 5400 0000 0000 0000  ..$.M.F.T.......
.....
00004f0: 0803 2400 4d00 4600 5400 4d00 6900 7200  ..$.M.F.T.M.i.r.
.....
00008f0: 0803 2400 4c00 6f00 6700 4600 6900 6c00  ..$.L.o.g.F.i.l.
.....
0000cd0: 0600 0000 0000 0000 0703 2400 5600 6f00  ..........$.V.o.
$BOOT
Contains the boot sector of the file system
This is the only file system metadata file that has a static location
# istat -f ntfs practice1.ntfs.dd 7
....
Entry: 7        Sequence: 7
.....
Name: $Boot
.....
Attributes:
.....
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 8192  init_size: 8192
0 1 2 3 4 5 6 7

# dd if=./practice1.ntfs.dd bs=1024 skip=0 count=8 | xxd
0000000: eb52 904e 5446 5320 2020 2000 0202 0000  .R.NTFS ........
....
00001f0: 0000 0000 0000 0000 809d b2ca 0000 55aa  ..............U.
0000200: 0700 4200 4f00 4f00 5400 4d00 4700 5200  ..B.O.O.T.M.G.R.
....
0000250: 0000 0000 0000 eb22 9090 0500 4e00 5400  ......."....N.T.
0000260: 4c00 4400 5200 0000 0000 0000 0000 0000  L.D.R...........
....
0001ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................        // 0x1fff = 8191
$BOOT - BOOT SECTOR
# icat -f ntfs ./practice1.ntfs.dd 7-128-1 | xxd
[Figure: boot sector fields annotated on the dump]
Jump code
OEM Name: NTFS....
Bytes/Sector = 0x0200 = 512
Sectors/Cluster
Media Type: F8 (fixed disk)
Total Sectors in File System = 0x01FFDF = 131039 (0 ~ 131038)
MFT Starting Cluster Addr. = 0x10 = 16
MFT Mirror Starting Cluster Addr. = 0x7FF7 = 32759
MFT Entry (File Record) Size (in clusters)
INDEX Record Size (in clusters)
Serial Number = 0x6CA8E0B776511162
# fsstat practice1.ntfs.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 6CA8E0B776511162
OEM Name: NTFS
Volume Name: MYNTFS
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 16
First Cluster of MFT Mirror: 32759
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 251
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024
Total Cluster Range: 0 - 65518
Total Sector Range: 0 - 131038

$BOOT - BOOT SECTOR (the same fields, as fsstat reports them)
Bytes/Sector = 0x200 = 512, Sectors/Cluster
OEM Name: NTFS....
Total Sectors in File System = 0x01FFDF = 131039 (0 ~ 131038)
MFT Starting Cluster Addr. = 0x10 = 16
MFT Mirror Starting Cluster Addr. = 0x7FF7 = 32759
MFT Entry (File Record) Size = 1 cluster
INDEX Record Size = 4 clusters
Serial Number = 0x6CA8E0B776511162
$BOOT [Backup Copy]
Stored in the last sector of the volume or in the middle of the volume
# sigfind -o 510 -l AA55 ./practice1.ntfs.dd
Block size: 512  Offset: 510  Signature: 55AA
Block: 0 (-)
Block: 131038 (+131038)        // the last sector
bash-3.2# dd if=./practice1.ntfs.dd count=1 of=./original
bash-3.2# dd if=./practice1.ntfs.dd skip=131038 count=1 of=./backup
bash-3.2# md5 ./original
MD5 (./original) = 68b14932a9e057a0125a849eb3af4041
bash-3.2# md5 ./backup
MD5 (./backup) = 68b14932a9e057a0125a849eb3af4041
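Added example, not part of the presentation: a boot sector parser that reproduces the annotated fields of the two boot sector slides and the sigfind/md5 backup check above. The sector is constructed from the values the slides read out of practice1.ntfs.dd (only its first 16 bytes are the bytes of the dump); the field offsets are the standard NTFS boot sector layout, and the miniature image used for the backup comparison is constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512


def build_boot_sector() -> bytes:
    """CONSTRUCTED boot sector: the first 16 bytes are those of the dump above,
    the other fields carry the values the slides read out of practice1.ntfs.dd."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xeb\x52\x90"                             # jump code
    bs[3:11] = b"NTFS    "                                # OEM name
    struct.pack_into("<H", bs, 0x0B, 512)                 # bytes per sector
    bs[0x0D] = 2                                          # sectors per cluster
    bs[0x15] = 0xF8                                       # media type: fixed disk
    struct.pack_into("<Q", bs, 0x28, 0x01FFDF)            # total sectors in the file system
    struct.pack_into("<Q", bs, 0x30, 0x10)                # MFT starting cluster
    struct.pack_into("<Q", bs, 0x38, 0x7FF7)              # MFT mirror starting cluster
    bs[0x40] = 1                                          # MFT entry size (clusters, signed byte)
    bs[0x44] = 4                                          # index record size (clusters, signed byte)
    struct.pack_into("<Q", bs, 0x48, 0x6CA8E0B776511162)  # volume serial number
    bs[0x1FE:0x200] = b"\x55\xaa"                         # boot sector signature
    return bytes(bs)


def record_size(raw: int, cluster_size: int) -> int:
    """Record size field: a positive value counts clusters; a negative (two's complement)
    value n means 2**(-n) bytes, used when a cluster is larger than the record."""
    n = raw - 256 if raw > 127 else raw
    return (1 << -n) if n < 0 else n * cluster_size


def parse_boot_sector(bs: bytes) -> dict:
    if len(bs) < SECTOR_SIZE or bs[0x1FE:0x200] != b"\x55\xaa" or bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", bs, 0x28)
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "oem_name": bs[3:11].decode("ascii"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media_type": bs[0x15],
        "total_sectors": total_sectors,
        "last_sector": total_sectors - 1,
        "mft_cluster": mft_cluster,
        "mft_sector": mft_cluster * sectors_per_cluster,      # C(16) = S(32)
        "mft_byte_offset": mft_cluster * cluster_size,
        "mftmirr_cluster": mftmirr_cluster,
        "mft_entry_size": record_size(bs[0x40], cluster_size),
        "index_record_size": record_size(bs[0x44], cluster_size),
        "serial_number": "%016X" % struct.unpack_from("<Q", bs, 0x48)[0],
    }


def boot_sector_digests(image: bytes, sector_size: int = SECTOR_SIZE) -> tuple:
    """MD5 of sector 0 and of the last sector of the image, as in the md5 check above."""
    first, last = image[:sector_size], image[-sector_size:]
    return hashlib.md5(first).hexdigest(), hashlib.md5(last).hexdigest()


def backup_boot_sector_matches(image: bytes, sector_size: int = SECTOR_SIZE) -> bool:
    original, backup = boot_sector_digests(image, sector_size)
    return original == backup


def build_toy_image(sectors_between: int = 6) -> bytes:
    """CONSTRUCTED miniature image: boot sector, blank sectors, backup boot sector."""
    bs = build_boot_sector()
    return bs + bytes(SECTOR_SIZE * sectors_between) + bs


if __name__ == "__main__":
    print(parse_boot_sector(build_boot_sector()))
    print("backup matches:", backup_boot_sector_matches(build_toy_image()))
```

When the primary sector fails to parse, parse_boot_sector can be pointed at the last sector of the image instead; a mismatch between the two copies is itself a finding worth recording.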
$ATTRDEF (MFT entry #4)
Defines the file system attribute names and identifiers.
[$AttrDef entry layout, offsets 0x00-0x9F]
0x00-0x7F  Name of attribute
0x80-0x83  Type ID
0x84-0x87  Display rule
0x88-0x8B  Collation rule
0x8C-0x8F  Flags
             0x02 : Attr. can be used in an index
             0x40 : Attr. is always resident
             0x80 : Attr. can be non-resident
0x90-0x97  Minimum size
0x98-0x9F  Maximum size
Collation rule : how the attribute is sorted (when the attribute is in an index)
$ATTRDEF
# istat -f ntfs practice1.ntfs.dd 4
....
Entry: 4        Sequence: 4
.....
Name: $AttrDef
.....
$OBJECT_ID Attribute Values:
Object Id: 7d328f9e-3c5b-f081-304d-b2491bae5792
Attributes:
.....
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 2560  init_size: 2560
8214 8215 8216

# icat -f ntfs practice1.ntfs.dd 4-128-1 | xxd
0000000: 2400 5300 5400 4100 4e00 4400 4100 5200  $.S.T.A.N.D.A.R.
....
00000a0: 2400 4100 5400 5400 5200 4900 4200 5500  $.A.T.T.R.I.B.U.
....
0000140: 2400 4600 4900 4c00 4500 5f00 4e00 4100  $.F.I.L.E._.N.A.
....
00001e0: 2400 4f00 4200 4a00 4500 4300 5400 5f00  $.O.B.J.E.C.T._.
....
0000280: 2400 5300 4500 4300 5500 5200 4900 5400  $.S.E.C.U.R.I.T.
....
0000320: 2400 5600 4f00 4c00 5500 4d00 4500 5f00  $.V.O.L.U.M.E._.
......
0000640: 2400 4200 4900 5400 4d00 4100 5000 0000  $.B.I.T.M.A.P...
....
00008c0: 2400 4c00 4f00 4700 4700 4500 4400 5f00  $.L.O.G.G.E.D._.
....
00009a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
$ATTRDEF
# icat -f ntfs ./practice1.ntfs.dd 4-128-1 | xxd
0000000: 2400 5300 5400 4100 4e00 4400 4100 5200  $.S.T.A.N.D.A.R.
0000010: 4400 5f00 4900 4e00 4600 4f00 5200 4d00  D._.I.N.F.O.R.M.
0000020: 4100 5400 4900 4f00 4e00 0000 0000 0000  A.T.I.O.N.......
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
.....
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 1000 0000 0000 0000 0000 0000 4000 0000  ............@...
0000090: 3000 0000 0000 0000 4800 0000 0000 0000  0.......H.......
00000a0: 2400 4100 5400 5400 5200 4900 4200 5500  $.A.T.T.R.I.B.U.
00000b0: 5400 4500 5f00 4c00 4900 5300 5400 0000  T.E._.L.I.S.T...
Decoding the first entry with the $AttrDef layout above:
0x00-0x7F  Name: $STANDARD_INFORMATION
0x80-0x83  Type ID: 0x10 = 16
0x84-0x87  Display rule: 0
0x88-0x8B  Collation rule: 0
0x8C-0x8F  Flags: 0x40 (attribute is always resident)
0x90-0x97  Minimum size: 0x30 = 48
0x98-0x9F  Maximum size: 0x48 = 72
(this is the fsstat line "$STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident"; the next entry, $ATTRIBUTE_LIST, begins at 0xA0)
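Added example (not the presentation's code): parsing $AttrDef records with the layout above and using them to sanity-check an attribute found in an MFT entry against its definition. Record 0 reproduces the bytes of the dump; record 1 is constructed from the fsstat summary for $ATTRIBUTE_LIST (type 32, no size limit, non-resident).

```python
import struct

ATTRDEF_RECORD_SIZE = 0xA0
NO_LIMIT = 0xFFFFFFFFFFFFFFFF
ATTRDEF_FLAGS = {0x02: "Index", 0x40: "Resident", 0x80: "Non-resident"}


def make_record(name, type_id, display_rule, collation_rule, flags, min_size, max_size) -> bytes:
    """Build one 0xA0-byte $AttrDef record (used here only to construct sample input)."""
    return (name.encode("utf-16-le").ljust(0x80, b"\0")
            + struct.pack("<IIIIQQ", type_id, display_rule, collation_rule, flags, min_size, max_size))


# Sample $AttrDef contents.  Record 0 reproduces byte for byte the first 0xA0
# bytes of the icat dump above; record 1 is CONSTRUCTED from the fsstat summary
# ($ATTRIBUTE_LIST, type 32, no size limit, non-resident); the all-zero record
# terminates the table, as at the end of the dump.
ATTRDEF_DATA = (
    make_record("$STANDARD_INFORMATION", 0x10, 0, 0, 0x40, 0x30, 0x48)
    + make_record("$ATTRIBUTE_LIST", 0x20, 0, 0, 0x80, 0, NO_LIMIT)
    + bytes(ATTRDEF_RECORD_SIZE)
)


def parse_attrdef(data: bytes) -> list:
    """Decode $AttrDef records until the all-zero terminator."""
    defs = []
    for off in range(0, len(data) - ATTRDEF_RECORD_SIZE + 1, ATTRDEF_RECORD_SIZE):
        rec = data[off:off + ATTRDEF_RECORD_SIZE]
        type_id, display, collation, flags, min_size, max_size = struct.unpack_from("<IIIIQQ", rec, 0x80)
        if type_id == 0:
            break
        defs.append({
            "name": rec[:0x80].decode("utf-16-le").rstrip("\0"),
            "type": type_id,
            "display_rule": display,
            "collation_rule": collation,
            "flags": flags,
            "flag_names": [name for bit, name in ATTRDEF_FLAGS.items() if flags & bit],
            "min_size": min_size,
            "max_size": max_size,
            "size_text": "No Limit" if max_size == NO_LIMIT else "%d-%d" % (min_size, max_size),
        })
    return defs


def attr_name(defs: list, type_id: int) -> str:
    """Name for the attribute type number found in an MFT attribute header."""
    for d in defs:
        if d["type"] == type_id:
            return d["name"]
    return "unknown(0x%x)" % type_id


def check_attribute(defs: list, type_id: int, resident: bool, length: int) -> list:
    """Consistency problems for an attribute instance (type, residency, content length)
    measured against its $AttrDef definition; an empty list means it is consistent."""
    d = next((d for d in defs if d["type"] == type_id), None)
    if d is None:
        return ["undefined attribute type 0x%x" % type_id]
    problems = []
    if not resident and d["flags"] & 0x40:
        problems.append("%s must be resident" % d["name"])
    if length < d["min_size"] or length > d["max_size"]:
        problems.append("%s length %d outside %s" % (d["name"], length, d["size_text"]))
    return problems


if __name__ == "__main__":
    for d in parse_attrdef(ATTRDEF_DATA):
        print("%s (%d) Size: %s Flags: %s" % (d["name"], d["type"], d["size_text"], ",".join(d["flag_names"])))
```

The printed form mirrors fsstat's "$AttrDef Attribute Values" listing, and check_attribute is the kind of test a carving or triage script can run on every attribute header it reads, so that a record whose $STANDARD_INFORMATION is non-resident or oversized is flagged rather than silently parsed.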
$VOLUME
# istat -f ntfs practice1.ntfs.dd 3
....
Type: $VOLUME_NAME (96-4)   Name: N/A   Resident   size: 12
Type: $VOLUME_INFORMATION (112-5)   Name: N/A   Resident   size: 12
Type: $DATA (128-3)   Name: N/A   Resident   size: 0

# icat -f ntfs practice1.ntfs.dd 3-112-5 | xxd
0000000: 0000 0000 0000 0000 0301 0000            ............
[$VOLUME_INFORMATION layout, 12 bytes]
0x00-0x07  Unused
0x08       Major version
0x09       Minor version
0x0A-0x0B  Flags
             0x0001 : Dirty
             0x0002 : Resize $LogFile (file system journal)
             0x0004 : Upgrade volume next time
             0x0008 : Mounted in NT
             0x0010 : Deleting change journal
             0x0020 : Repair object IDs
             0x8000 : Modified by chkdsk
# icat -f ntfs practice1.ntfs.dd 3-96-4 | xxd
0000000: 4d00 5900 4e00 5400 4600 5300            M.Y.N.T.F.S.
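Added example, not from the slides: decoding $VOLUME_INFORMATION and $VOLUME_NAME from the bytes dumped above, with the flags table. The mapping of version 3.1 to Windows XP is what the fsstat output shows; the other two entries of the version table are an assumption, and the dirty sample is constructed.

```python
import struct

# Flag values of the $VOLUME_INFORMATION flags field (table above)
VOLUME_INFO_FLAGS = {
    0x0001: "Dirty",
    0x0002: "Resize $LogFile",
    0x0004: "Upgrade volume next time",
    0x0008: "Mounted in NT",
    0x0010: "Deleting change journal",
    0x0020: "Repair object IDs",
    0x8000: "Modified by chkdsk",
}
# 3.1 -> Windows XP is what fsstat printed for this image; the other rows are ASSUMED
NTFS_VERSIONS = {"1.2": "Windows NT", "3.0": "Windows 2000", "3.1": "Windows XP"}

# Attribute contents exactly as shown by the two icat dumps above
VOLUME_INFORMATION = bytes.fromhex("0000 0000 0000 0000 0301 0000")
VOLUME_NAME = bytes.fromhex("4d00 5900 4e00 5400 4600 5300")


def parse_volume_information(raw: bytes) -> dict:
    """Version and flags of a 12-byte $VOLUME_INFORMATION attribute."""
    if len(raw) < 12:
        raise ValueError("$VOLUME_INFORMATION is 12 bytes, got %d" % len(raw))
    major, minor, flags = struct.unpack_from("<BBH", raw, 8)
    version = "%d.%d" % (major, minor)
    return {
        "version": version,
        "windows": NTFS_VERSIONS.get(version, "unknown"),
        "flags": flags,
        "flag_names": [name for bit, name in VOLUME_INFO_FLAGS.items() if flags & bit],
        "dirty": bool(flags & 0x0001),
    }


def parse_volume_name(raw: bytes) -> str:
    """$VOLUME_NAME is the label in UTF-16LE with no terminator; its length is the attribute size."""
    return raw.decode("utf-16-le")


def constructed_dirty_volume_information() -> bytes:
    """CONSTRUCTED sample: same version, flags 0x8001 (Dirty + Modified by chkdsk)."""
    return bytes(8) + struct.pack("<BBH", 3, 1, 0x8001)


if __name__ == "__main__":
    print(parse_volume_name(VOLUME_NAME), parse_volume_information(VOLUME_INFORMATION))
```

The Dirty bit is the one to look at first on an evidence volume: set, it means the volume was not cleanly dismounted and the next Windows mount would run chkdsk and rewrite metadata, which is one reason images are examined read-only.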
METADATA FILES - CONTENT CATEGORY
SECTOR = CLUSTER * SECTORS_PER_CLUSTER
CLUSTER ALLOCATION
Windows XP uses the best-fit algorithm
Not the first or next available cluster,
but the location that makes the most efficient use of the available space.
Therefore, if a small amount of data is being written, it will be placed in clusters that are part of a small group of unallocated clusters instead of in a large group where larger files could be stored.
CLUSTER ALLOCATION
Windows XP uses the best-fit algorithm
[Figure: unallocated runs of 100, 30 and 50 clusters between allocated clusters, and where a new 10-cluster allocation lands under best-fit]
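Added example, not from the slides: a simulation of the best-fit choice on the slide's three unallocated runs, with first-fit next to it for contrast. The starting clusters of the runs are constructed; the run lengths are the slide's.

```python
# CONSTRUCTED free-space map for the slide's scenario: three unallocated runs of
# 100, 30 and 50 clusters, as (first cluster, length); the first clusters are made up.
FREE_RUNS = [(200, 100), (400, 30), (600, 50)]


def first_fit(free, need):
    """First run that is large enough (what the slide says Windows XP does NOT do)."""
    for first, length in free:
        if length >= need:
            return first, length
    return None


def best_fit(free, need):
    """Smallest run that is large enough: the most efficient use of the available space."""
    candidates = [(length, first) for first, length in free if length >= need]
    if not candidates:
        return None
    length, first = min(candidates)
    return first, length


def allocate(free, need, policy=best_fit):
    """Allocate `need` clusters with the given policy.
    Returns (allocated cluster numbers, remaining free runs)."""
    run = policy(free, need)
    if run is None:
        raise ValueError("no unallocated run of %d clusters" % need)
    first, length = run
    remaining = [r for r in free if r != run]
    if length > need:
        remaining.append((first + need, length - need))
    return list(range(first, first + need)), sorted(remaining)


if __name__ == "__main__":
    print("best-fit :", allocate(FREE_RUNS, 10))
    print("first-fit:", allocate(FREE_RUNS, 10, first_fit))
```

The forensic consequence is the one the slide draws: under best-fit a 10-cluster file lands in the 30-cluster gap and leaves the 100-cluster gap, and whatever deleted content it still holds, untouched for longer.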
FILE SYSTEM LAYOUT
[Figure: placement of the metadata files on a Windows 2000 (W2K) and a Windows XP (WXP) volume, listed from the start of the volume; the second group sits around $MFTMirr in the middle of the file system]
W2K : $BOOT, $AttrDef, $MFT  |  $MFTMirr, $LogFile, $ROOT, $BITMAP, $UPCASE, $SECURE
WXP : $BOOT, $LogFile, $AttrDef, $MFT, $SECURE  |  $MFTMirr, $ROOT, $BITMAP, $SECURE
$BITMAP
# istat -f ntfs practice1.ntfs.dd 6
....
Entry: 6        Sequence: 6
.....
Name: $Bitmap
.....
Attributes:
.....
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 8192  init_size: 8192
8217 8218 8219 8220 8221 8222 8223 8224

# icat -f ntfs ./practice1.ntfs.dd 6-128-1 | xxd
0000000: ff01 ffff ffff ffff ffff ffff ffff ffff  ................
0000010: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000020: ff07 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
.....
0001fc0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0001fd0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0001fe0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0001ff0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
$DATA attribute: 1 bit for every "cluster" in the file system
Bit 0 : Cluster 0, Bit 1 : Cluster 1
If the bit is set to 1, the cluster is allocated; if it is set to 0, it is not
$BITMAP
Cluster 31 : I=3, O=7 → byte ff : 11111111 (allocated)
Cluster 337 : I=42, O=1 → byte 00 : 00000000 (not allocated)
# icat -f ntfs ./practice1.ntfs.dd 6-128-1 | xxd
0000000: ff01 ffff ffff ffff ffff ffff ffff ffff  ................
0000010: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000020: ff07 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
.....
Finding the allocation status of Cluster N:
Byte (N/8) => Index I
Offset (N - 8×I) => Offset O (← little endian: bit 0 is the least significant bit of the byte)
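Added example serving both this slide and the $MFT $BITMAP attribute slide earlier (not the presentation's code): the byte/bit lookup, the slide's "I / O" explanation line, and a run listing over the bytes of both dumps. Only the bytes the dumps show are embedded. The total_items parameter lets a caller stop at the real cluster (or MFT entry) count, because the bits past the last cluster are padding set to 1, as the tail of the $Bitmap dump shows.

```python
# First 0x40 bytes of the $Bitmap $DATA attribute, from the icat dump above
CLUSTER_BITMAP = bytes.fromhex(
    "ff01 ffff ffff ffff ffff ffff ffff ffff"
    "ffff ffff ffff ffff ffff ffff ffff ffff"
    "ff07 0000 0000 0000 0000 0000 0000 0000"
    "0000 0000 0000 0000 0000 0000 0000 0000"
)
# First 16 bytes of $MFT's own $BITMAP attribute (allocation of MFT entries), from its dump
MFT_ENTRY_BITMAP = bytes.fromhex("ffff 0007 0000 0000 ffff ffff ffff ffff")


def locate(n: int) -> tuple:
    """Byte index I = N/8 and bit offset O = N - 8*I; bit 0 is the least significant bit."""
    return divmod(n, 8)


def is_allocated(bitmap: bytes, n: int) -> bool:
    i, o = locate(n)
    if i >= len(bitmap):
        raise IndexError("item %d is beyond the end of the bitmap" % n)
    return bool((bitmap[i] >> o) & 1)


def explain(bitmap: bytes, n: int, what: str = "Cluster") -> str:
    """One line in the form used on the slide above."""
    i, o = locate(n)
    return "%s %d : I=%d, O=%d, byte %02x : %s -> %s" % (
        what, n, i, o, bitmap[i], format(bitmap[i], "08b"),
        "allocated" if is_allocated(bitmap, n) else "unallocated")


def allocated_runs(bitmap: bytes, total_items: int = None) -> list:
    """(first, last) pairs of consecutive allocated items.  total_items caps the scan
    at the real number of clusters/entries, so that padding bits are not reported."""
    total = len(bitmap) * 8 if total_items is None else min(total_items, len(bitmap) * 8)
    runs, start = [], None
    for n in range(total):
        if is_allocated(bitmap, n):
            if start is None:
                start = n
        elif start is not None:
            runs.append((start, n - 1))
            start = None
    if start is not None:
        runs.append((start, total - 1))
    return runs


if __name__ == "__main__":
    print(explain(CLUSTER_BITMAP, 31))
    print(explain(CLUSTER_BITMAP, 337))
    print("allocated cluster runs:", allocated_runs(CLUSTER_BITMAP))
    print("MFT entries in use:", allocated_runs(MFT_ENTRY_BITMAP, 64))
```

The cluster runs line up with the other slides: clusters 0-7 hold $Boot, cluster 8 holds $MFT's $BITMAP attribute, and clusters 16-266 are the $MFT $DATA run (266-16+1 = 251 entries). In the MFT entry bitmap, entries 0-15 are the reserved metadata files, 16-23 are reserved but free, and 24-26 are the first entries in use after the reserved range.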
$BADCLUS
# istat -f ntfs practice1.ntfs.dd 8
....
Entry: 8        Sequence: 8
.....
Name: $BadClus
.....
Attributes:
.....
Type: $DATA (128-2)   Name: N/A   Resident   size: 0
Type: $DATA (128-1)   Name: $Bad   Non-Resident   size: 67091456  init_size: 0        // total FS size (bytes)

# icat -f ntfs ./practice1.ntfs.dd 8-128-1 | xxd
#
$DATA attribute: one bit for every cluster in the file system
Bit 0 corresponds to Cluster 0, and Bit 1 corresponds to Cluster 1
If the bit is set to 1, the cluster is allocated; if it is set to 0, it is not
METADATA FILES - METADATA CATEGORY
ATTRIBUTES COVERED
$STANDARD_INFORMATION Attribute
$FILE_NAME Attribute
$DATA Attribute
$ATTRIBUTE_LIST Attribute
$SECURITY_DESCRIPTOR (A)
$SECURITY_DESCRIPTOR Attribute
Describes the access control policy applied to a file or directory (used on its own before NTFS 3.0 only; NTFS 3.0+ keeps it for backward compatibility)
NTFS 3.0+ stores the security descriptors in a single file ($Secure), because many files have the same security descriptor
(→ one copy per file = waste of space)
$SECURE FILE
Index into the $Secure file : the Security ID (an identifier in the $STANDARD_INFORMATION attribute of every file and directory)
The $Secure file contains two indexes ($SDH and $SII), which reference the descriptors,
and one $DATA attribute ($SDS), which holds the actual security descriptors
$SECURE FILE
$SII (sorted by the Security ID)
Locates the security descriptor for a file when its Security ID is known
$SDH (sorted by a hash of the security descriptor)
The OS uses this index when a new security descriptor is applied to a file or directory.
If the hash of the new descriptor cannot be found, a new descriptor and Security ID are created and added to both indices.
METADATA FILES - FILE NAME CATEGORY
ATTRIBUTES AND FILES COVERED
$INDEX_ROOT Attribute
$INDEX_ALLOCATION Attribute
$BITMAP Attribute
$ROOT file (MFT Entry #5) - covered in the example
\$Extend\$Reparse metadata file
$OBJECT_ID attribute
\$Extend\$ObjId file (to find a file based on its object ID)
B-Tree Algorithm
$OBJID FILE
$Extend\$ObjId file (to find a file based on its object ID): this allows a file to be renamed but still be found.
The $Extend\$ObjId file has an index named $O that correlates a file's object ID to its MFT entry.
$O uses the typical $INDEX_ROOT/$INDEX_ALLOCATION attributes.
$OBJID FILE
[$ObjId index entries ($O)]
Offset      Field
0x00-0x01   @ : Offset to file information
0x02-0x03   # : Size of file information
0x04-0x07   Unused
0x08-0x09   $ : Size of index entry
0x0A-0x0B   % : Size of object ID (16 bytes)
0x0C-0x0F   Flags (index entry flags)
0x10-0x1F   Object ID
0x20-0x27   File reference
0x28-0x37   Birth volume ID
0x38-0x47   Birth object ID
0x48-0x57   Birth domain ID
$OBJID FILE
# fls -f ntfs -r ./practice1.ntfs.dd
.....
d/d 11-144-2: $Extend
+ r/r 25-144-2: $ObjId:$O
.....
# icat -f ntfs ./practice1.ntfs.dd 25-144-2 | xxd        //** $INDEX_ROOT **//
0000000~0000010 : $INDEX_ROOT header + node header
0000020: 2000 3800 0000 0000 5800 1000 0000 0000   .8.....X.......
0000030: 9257 ae1b 49b2 4d30 81f0 5b3c 9e8f 327d  .W..I.M0..[<..2}
0000040: 0300 0000 0000 0300 0000 0000 0000 0000  ................        ← file reference: MFT entry 3 = $Volume
.....
$OBJID FILE
0000030: 9257 ae1b 49b2 4d30 81f0 5b3c 9e8f 327d  .W..I.M0..[<..2}
# istat -f ntfs ./practice1.ntfs.dd 3
MFT Entry Header Values:
Entry: 3        Sequence: 3
.....
$FILE_NAME Attribute Values:
Name: $Volume
.....
$OBJECT_ID Attribute Values:
Object Id: 7d328f9e-3c5b-f081-304d-b2491bae5792
.....
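Added example, not from the slides: parsing the $O index entry at offset 0x20 of the $INDEX_ROOT dump above. The istat line prints the object ID as two little-endian 64-bit words (the 16 bytes in reverse order), so the code renders the key both that way, to match the istat output, and as a standard mixed-endian GUID; the birth IDs the dump elides are constructed zeros.

```python
import struct
import uuid

# $O index entry of $Extend\$ObjId, bytes 0x20..0x47 of the icat dump above.  The
# birth volume / birth object / birth domain IDs (entry offsets 0x28..0x57) are
# not shown on the page, so they are CONSTRUCTED as zeros here.
OBJID_ENTRY = bytes.fromhex(
    "2000 3800 0000 0000 5800 1000 0000 0000"   # data offset 0x20, data size 0x38, entry size 0x58, key size 0x10, flags 0
    "9257 ae1b 49b2 4d30 81f0 5b3c 9e8f 327d"   # key: object ID (16 bytes)
    "0300 0000 0000 0300"                       # data: file reference -> MFT entry 3, sequence 3 ($Volume)
) + bytes(0x58 - 0x28)


def file_reference(raw: bytes):
    """Split an 8-byte file reference into (MFT entry number, sequence number)."""
    ref, = struct.unpack("<Q", raw)
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def guid_standard(raw: bytes) -> str:
    """Mixed-endian GUID text form (first three fields little-endian), as Windows shows it."""
    return str(uuid.UUID(bytes_le=raw))


def guid_as_istat(raw: bytes) -> str:
    """The rendering in the istat output above: the 16 bytes read as two little-endian
    64-bit words, i.e. the byte sequence reversed and split 8-4-4-4-12."""
    h = raw[::-1].hex()
    return "%s-%s-%s-%s-%s" % (h[0:8], h[8:12], h[12:16], h[16:20], h[20:32])


def parse_objid_entry(buf: bytes, off: int = 0) -> dict:
    """Parse one $O index entry (generic index entry header + object ID key + file data)."""
    data_ofs, data_len, _unused, entry_len, key_len, flags = struct.unpack_from("<HHIHHI", buf, off)
    if flags & 0x02:  # last entry of the node: no key
        return {"last": True, "entry_len": entry_len, "flags": flags}
    if key_len != 16:
        raise ValueError("$O key must be a 16-byte object ID, got %d" % key_len)
    key = buf[off + 0x10:off + 0x10 + key_len]
    data = buf[off + data_ofs:off + data_ofs + data_len]
    mft_entry, sequence = file_reference(data[0:8])
    return {
        "last": False, "entry_len": entry_len, "key_len": key_len, "data_len": data_len, "flags": flags,
        "object_id": guid_standard(key),
        "object_id_istat": guid_as_istat(key),
        "mft_entry": mft_entry, "sequence": sequence,
        "birth_volume_id": guid_standard(data[8:24]),
        "birth_object_id": guid_standard(data[24:40]),
        "birth_domain_id": guid_standard(data[40:56]),
    }


def find_entry_by_object_id(entries: list, object_id: str):
    """Look an MFT entry up by object ID given in either text rendering, case-insensitively."""
    wanted = object_id.lower()
    for e in entries:
        if not e["last"] and wanted in (e["object_id"], e["object_id_istat"]):
            return e["mft_entry"], e["sequence"]
    return None


if __name__ == "__main__":
    print(parse_objid_entry(OBJID_ENTRY))
```

The two renderings matter when correlating with other sources: link-tracking artifacts and Windows tools show the standard GUID form, while this istat output shows the reversed one, so a lookup should accept both.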
METADATA FILES - APPLICATION CATEGORY
DISK QUOTAS
NTFS supports disk space quotas per user
Quota information is stored as file system metadata and in application-level files (like the Windows registry).
Before NTFS 3.0 → $Quota file (MFT entry #9); NTFS 3.0+ → $Extend\$Quota
$Quota has 2 indexes ($O, $Q)
$O : correlates an owner ID to a SID (the real SID, not the Security ID used with $SECURITY_DESCRIPTOR / $Secure)
$Q : correlates an owner ID with the details (how many bytes are charged to the user's quota and how many are allowed)
$QUOTA FILE
[$O index entries in $Quota]
Offset             Field
0x00-0x01          @ : Offset to Owner ID (OFF)
0x02-0x03          # : Length of Owner ID
0x04-0x07          Unused
0x08-0x09          $ : Size of index entry
0x0A-0x0B          % : Size of SID (L)
0x0C-0x0F          Flags (index entry flags)
0x10 ~ (0x10+L-1)  SID
OFF ~              Owner ID
$QUOTA FILE
[$Q index entries in $Quota]
Offset       Field
0x00-0x01    @ : Offset to Quota information
0x02-0x03    # : Size of Quota information
0x04-0x07    Unused
0x08-0x09    $ : Size of index entry
0x0A-0x0B    % : Size of Owner ID (4 bytes)
0x0C-0x0F    Flags (index entry flags)
0x10-0x13    Owner ID
0x14-0x17    Version
0x18-0x1B    Quota Flags
0x1C-0x23    Bytes Charged
0x24-0x2B    Time of last charge
0x2C-0x33    Threshold Value (a soft limit)
0x34-0x3B    Hard Limit Value
0x3C-0x43    Exceeded Time
0x44 ~       SID
$QUOTA FILE
[Flag values for the $Q index entry flags field]
Quota Flags Description
0x00000001 Default limits being used
0x00000002 Limit reached
0x00000004 ID deleted
0x00000010 Tracking data usage
0x00000020 Enforcing data usage
0x00000040 Usage tracking requested
0x00000080 Create log when threshold is met
0x00000100 Create log when limit is met
0x00000200 Out of date
0x00000400 Corrupt
0x00000800 Pending deletes
FILE SYSTEM JOURNALING
Logging ($LogFile)
Records information about metadata updates before they are applied to the file system, and records when each update has been performed.
(If the system crashes before a journaled update has been performed, the OS can "quickly" bring the file system back to a known state.)
The logging area has a finite size: when there is no more room for a new record, writing wraps around and the beginning of the file is reused.
$LogFile = MFT Entry #2, non-resident $Data attribute, laid out as:
Restart Area | Logging Area (each record has a 64-bit logical sequence number (LSN))
FILE SYSTEM JOURNALING
Records : Update and Checkpoint
[Update Record]
* Update : the most common type; describes a file system transaction before it occurs and is used to carry it out.
  (many transactions require more than one update record)
* Commit : describes a file system transaction after it occurs.
Update Record : LSN + Redo field (what to do) + Undo field (how to roll it back)
FILE SYSTEM JOURNALING
[Checkpoint Record]
Tells the OS where in the log file it should start from if it needs to verify the file system.
(Windows creates one of these records every five seconds, and its LSN value is stored in the restart area of the log file)
* Verifying the file system
  The OS locates the last checkpoint record and identifies the transactions that were started after it.
  transaction completed (commit record exists):
    OS uses the redo field (to ensure that the data were updated on the file system and not lost in the crash)
  transaction not completed (no commit record exists):
    OS uses the undo field (to bring the data back to the state before the transaction started)
$LOGFILE FILE
Exact Data Structure Unknown
The log is organized into 4,096 byte pages.
Many of the other values are zero and the only string is "NTFS" in Unicode.
Restart area (pages start with the signature "RSTR"):
# icat -f ntfs ntfs1.dd 2 | xxd | grep RSTR
.....
0000000: 5253 5452 1e00 0900 0000 0000 0000 0000 RSTR............
0004096: 5253 5452 1e00 0900 0000 0000 0000 0000 RSTR............
.....
Records (pages start with the signature "RCRD"):
# icat -f ntfs ntfs1.dd 2 | xxd | grep RCRD
.....
0008192: 5243 5244 2800 0900 0050 2500 0000 0000 RCRD(....P%.....
0012288: 5243 5244 2800 0900 0050 2500 0000 0000 RCRD(....P%.....
.....
CHANGE JOURNAL
$Extend\$UsrJrnl file
(NTFS 3.0+, used by applications) Records when changes are made to files and directories,
so that an application can determine which files have changed in a certain time span.
Any application in Windows can turn the change journal feature on and off
(Default : Off)
The journal has a 64-bit number (USN: Update Sequence Number) assigned to it (it changes each time the journal is enabled or disabled).
USN : indexes the records in the journal; it is also stored in the $STANDARD_INFORMATION attribute
of the file that was modified.
CHANGE JOURNAL
$Extend\$UsrJrnl
2 $DATA attributes ($Max, $J)
$Max : basic information about the journal
$J : the actual journal, a list of variable-sized records (file name, the time of change, the type of change)
If the journal reaches the system-defined maximum size, Windows turns the file into a sparse file
and continues to append data to the end of the file.
When it allocates a new cluster at the end of the file, it removes the first cluster and makes it sparse,
so the file always has the same number of allocated clusters.
$USRJRNL FILE
[$J attribute entries in $UsrJrnl]
0x00-0x03  Size of this entry
0x04-0x05  Major version
0x06-0x07  Minor version
0x08-0x0F  File reference of file that caused this entry
0x10-0x17  Parent directory file reference for file that caused this entry
0x18-0x1F  USN for entry
0x20-0x27  Timestamp
0x28-0x2B  Flags for type of change
0x2C-0x2F  Source information
0x30-0x33  Security ID (SID)
0x34-0x37  File attributes
0x38-0x39  Size of File Name
0x3A+      File Name
$USRJRNL FILE
[the change type field in $J entries]
Change Flags Description
0x00000001 The default $DATA attribute was overwritten
0x00000002 The default $DATA attribute was extended
0x00000004 The default $DATA attribute was truncated
0x00000010 A named $DATA attribute was overwritten
0x00000020 A named $DATA attribute was extended
0x00000040 A named $DATA attribute was truncated
0x00000100 The file or directory was created
0x00000200 The file or directory was deleted
0x00000400 The extended attributes of the file were changed
0x00000800 The security descriptor was changed
0x00001000 The name changed (change journal entry has the old name)
0x00002000 The name changed (change journal entry has the new name)
0x00004000 Content indexed status changed
0x00008000 Changed basic file or directory attributes
0x00010000 A hard link was created or deleted
0x00020000 Compression status changed
0x00040000 Encryption status changed
0x00080000 Object ID changed
0x00100000 Reparse point value changed
0x00200000 A named $DATA attribute was created, deleted, or changed
0x80000000 The file or directory was closed
$USRJRNL FILE
[$Max attribute of $UsrJrnl]
0x00-0x07  Maximum size
0x08-0x0F  Allocation size
0x10-0x17  USN ID
0x18-0x1F  Lowest USN
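As an added example (not part of the slides), a Python walker for $J records that decodes the fields laid out above: USN, file reference split into MFT entry and sequence number, FILETIME timestamp and the change-type flags. It follows Microsoft's USN_RECORD_V2 layout, which matches the grid except that bytes 0x3A-0x3B hold the offset of the file name (the name itself then starts at 0x3C); the short flag names, the sample journal and the file names are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
# Change-type flags used below (subset of the slide's $J flag table, short names constructed)
REASONS = {0x1: "default $DATA overwritten", 0x2: "default $DATA extended", 0x100: "created",
           0x200: "deleted", 0x1000: "rename (old name)", 0x2000: "rename (new name)", 0x80000000: "closed"}
REC_FMT = "<IHHQQQQIIIIHH"          # USN_RECORD_V2 fixed header, 0x3C bytes
HDR = struct.calcsize(REC_FMT)

def filetime_to_utc(ft):            # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_j_record(buf, off):
    """Parse one $J record at buf[off:]; return (fields, offset of the next record)."""
    (size, _maj, _min, file_ref, parent_ref, usn, ts, reason, _src, _sid, _attr,
     name_len, name_off) = struct.unpack_from(REC_FMT, buf, off)
    if size < HDR or size % 8:      # records are 8-byte aligned
        raise ValueError(f"bad record size {size} at {off:#x}")
    return {
        "usn": usn,                                 # equals the record's byte offset in $J
        "mft_entry": file_ref & 0xFFFFFFFFFFFF,     # low 48 bits of the file reference
        "mft_seq": file_ref >> 48,                  # high 16 bits: MFT sequence number
        "time": filetime_to_utc(ts),
        "reasons": [n for f, n in REASONS.items() if reason & f],
        "name": buf[off + name_off:off + name_off + name_len].decode("utf-16-le"),
    }, off + size

def walk_journal(buf):              # all records in a $J buffer, stepping over zero fill
    recs, off = [], 0
    while off + HDR <= len(buf):
        if buf[off:off + 8] == bytes(8):            # zero fill, e.g. the sparse start
            off += 8
            continue
        rec, off = parse_j_record(buf, off)
        recs.append(rec)
    return recs

def build_journal(events):          # constructed test data, one record per event tuple
    buf = b""
    for entry, seq, parent, ft, reason, name in events:
        raw = name.encode("utf-16-le")
        size = (HDR + len(raw) + 7) & ~7            # pad to an 8-byte boundary
        buf += struct.pack(REC_FMT, size, 2, 0, (seq << 48) | entry, parent, len(buf),
                           ft, reason, 0, 0, 0x20, len(raw), HDR) + raw
        buf += bytes(size - HDR - len(raw))
    return buf

T0 = 129446208000000000             # constructed FILETIME = 2011-03-15 00:00:00 UTC
SAMPLE = build_journal([            # constructed history of MFT entry 64 (seq 3) in dir 5
    (64, 3, 5, T0, 0x100, "report.tmp"), (64, 3, 5, T0 + 10**7, 0x102, "report.tmp"),
    (64, 3, 5, T0 + 2 * 10**7, 0x1000, "report.tmp"), (64, 3, 5, T0 + 2 * 10**7, 0x2000, "report.docx"),
    (64, 3, 5, T0 + 3 * 10**7, 0x80002000, "report.docx")])
```

On a real image, feed `walk_journal` the bytes of `icat ... <entry>-128-<id>` for the $J attribute; the rename pair (old name, then new name at the same timestamp) is what lets you reconstruct a file's name history.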
TSK: THE SLEUTH KIT
FUN WITH TSK & DD
[File System Status]
-- mmls result
>>> Slot  Start       End         Length      Description
>>> 12: 02:00  0000286752  0000417791  0000131040  Linux (0x83)
# fsstat -f ntfs -o 286752 ./practice1.dd
# dd if=./practice1.dd bs=512 skip=286752 count=131040 of=./practice1.ntfs.dd
# fsstat -f ntfs practice1.ntfs.dd
-- From Lth cluster to Nth cluster (with Cluster size of M)
# dd if=./practice1.dd bs=1024(M) skip=x(286752/(M/SectSize)+L) count=4(N-L+1) | xxd
# dd if=./practice1.ntfs.dd bs=1024(M) skip=10(L) count=4(N-L+1) | xxd
# blkcat -f ntfs -o 286752 ./practice1.dd 10(L) 4(N-L+1)
  = # blkcat -f ntfs -o 143376(286752/2) -b 1024 ./practice1.dd 10(L) 4(N-L+1)
!!! TSK automatically calculates the data unit size
FUN WITH TSK & DD
[MFT Entry and Attributes]
-- Nth MFT Entry Metadata Information
# istat -f ntfs -o 286752 ./practice1.dd 64(N)
# istat -f ntfs practice1.ntfs.dd 64(N)
-- Nth MFT Entry Raw Data (with Entry size of M)
# icat -f ntfs practice1.ntfs.dd 0 | dd bs=1024(M) skip=64(N) count=1 | xxd
# icat -f ntfs practice1.ntfs.dd 0-128-x | dd bs=1024(M) skip=64(N) count=1 | xxd
-- Attribute (A-S) Raw Data in Nth MFT Entry
# icat -f ntfs ./practice1.ntfs.dd 132(N)-128(A)-2(S) | xxd
-- Display iNode Details
# ils -f ntfs ./practice1.ntfs.dd          (Root Directory)
# ils -f ntfs -e ./practice1.ntfs.dd       (All)
# ils -f ntfs -e -m ./practice1.ntfs.dd    (All + mactime format) !!!!
FUN WITH TSK & DD
[File Listing]
-- Simple Root Dir
# fls -f ntfs -o 286752 ./practice1.dd
# fls -f ntfs ./practice1.ntfs.dd
-- Inside Directory of MFT Entry #N
# fls -f ntfs -o 286752 ./practice1.dd N
# fls -f ntfs ./practice1.ntfs.dd N
-- Recursive (Sub Directory and Files)
# fls -f ntfs -o 286752 -r ./practice1.dd N
# fls -f ntfs -r ./practice1.ntfs.dd N
-- Options
-d : deleted files (doesn't work at the moment)
     Alt. # fls -f ntfs -o 286752 -p -r ./practice1.dd | grep '\*'
-p : with full path from the starting point
-l : long version [filetype|Metadata Addr.|name|mtime(last)|atime(last)|ctime(last)|crtime(created time)|size(in bytes)|uid|gid]
-v : verbose
FUN WITH TSK & DD
[r/r 1304-128-1: IO.SYS]
The r/r value shows the file type. The 1st 'r' is the type as saved in the file's file name structure.
The 2nd 'r' is the type as saved in the file's metadata structure.
For allocated files, these should always be equal. For deleted files, they could be different (if one of the structures was reallocated to a different file type).
- : Unknown type
r : Regular file
d : Directory
c : Character device
b : Block device
l : Symbolic link
p : Named FIFO
s : Shadow
h : Socket
w : Whiteout
v : TSK Virtual file / directory (not a real directory, created by TSK for convenience)
* (between the file type and the metadata address) : deleted file.
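A small triage helper for fls output, added here as an example (not TSK's own code or the slide's): it splits the type pair, the '*' deleted marker and the N-A-S metadata address described above, and separates deleted entries whose two types disagree (the MFT entry was reused for a different file type) from allocated entries that disagree, which should never happen. The sample fls output is constructed.

```python
import re

# fls line shape from the slide: "<name type>/<meta type> [*] <entry>[-<attr type>-<attr id>]:<tab><name>"
FLS_RE = re.compile(r"^([-rdcblpshwv])/([-rdcblpshwv])\s+(\*\s+)?(\d+)(?:-(\d+)-(\d+))?:\s+(.*)$")

def parse_fls_line(line):
    """Split one fls line into its fields; returns None for lines that do not match."""
    m = FLS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    name_type, meta_type, star, entry, attr_type, attr_id, name = m.groups()
    return {
        "name_type": name_type,                      # type from the $FILE_NAME structure
        "meta_type": meta_type,                      # type from the MFT entry itself
        "deleted": star is not None,                 # '*' between type and address
        "mft_entry": int(entry),
        "attr_type": int(attr_type) if attr_type else None,  # 128 = $DATA, 144 = $INDEX_ROOT
        "attr_id": int(attr_id) if attr_id else None,
        "name": name,
    }

def triage_fls(output):
    """Return (all records, deleted, deleted with reallocated type, allocated with mismatched type)."""
    recs = [r for r in map(parse_fls_line, output.splitlines()) if r]
    deleted = [r for r in recs if r["deleted"]]
    reallocated = [r for r in deleted if r["name_type"] != r["meta_type"]]
    anomalous = [r for r in recs if not r["deleted"] and r["name_type"] != r["meta_type"]]
    return recs, deleted, reallocated, anomalous

SAMPLE_FLS = """\
r/r 4-128-4:\t$AttrDef
d/d 5-144-1:\t.
r/r 1304-128-1:\tIO.SYS
r/r * 1310-128-3:\tbudget_2010.xls
r/d * 1311-144-1:\told_notes.txt
v/v 256:\t$OrphanFiles
"""
```

Pipe real output in with `fls -f ntfs -p -r image.dd`; the `-p` full paths land in the name field unchanged.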
FUN WITH TSK
[File Finding]
-- Find name and path by MFT entry #N
# ffind -f ntfs -o 286752 ./practice1.dd N
-- Find MFT entry # by Cluster #N
# ifind -f ntfs -o 286752 -d N ./practice1.dd
-- Find Signature
# sigfind -o 510 -l AA55 ./practice1.dd
# sigfind -o 510 55AA ./practice1.dd