Metadata Files
Dec 22, 2015
Excellent reference: http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h
Metadata Files
• The metadata files in NTFS contain information used to implement the file system structure.
• Their names begin with $
• The $ is usually hidden
• With the exception of these $ files, all the remaining MFT entries are for normal files and directories
Metadata Files
0 $Mft – MFT
1 $MftMirr – MFT Mirror
2 $LogFile – Log File
3 $Volume – Volume File
4 $AttrDef – Attribute definition table
5 \ – Root directory
6 $Bitmap – Volume cluster allocation file
7 $Boot – Boot sector
8 $BadClus – Bad-cluster file
9 $Secure – Security settings file
10 $UpCase – Uppercase character mapping
11 $Extend – Extended metadata directory
12 Unused
13 Unused
14 Unused
15 Unused
Entries 0 – 15 of the MFT are reserved for metadata files; usually only the first 12 are used by Microsoft.
$MFT
• Entry 0
• Master File Table
• Contains an entry for every file
• First entry in the MFT
• Has a $BITMAP attribute
• Its $DATA attribute contains the clusters used by the MFT
• Also has $STANDARD_INFORMATION and $FILE_NAME attributes
$MFTMirr
• Entry 1
• Backup for the MFT
• Second entry (entry #1) in the MFT
– Has a non-resident attribute
• Contains copies of the first few entries in the MFT
– $MFT, $MFTMirr, $LogFile, $Volume
• Located in the middle of the file system
– Allocated by the $DATA attribute
• Problems with $MFT? Use $MFTMirr to recover
– Find the middle of the file system
– Look for signatures “FILE”
$LogFile
• Entry 2
• Used as the NTFS journal
• Has standard attributes
• Log data is stored in $DATA
• Appears to have signature “RSTR”
• And entries with signature “RCRD”
$Volume
• MFT entry number 3
• Contains volume label and version info
• Has 2 important attributes
– $VOLUME_NAME
– $VOLUME_INFORMATION
• Has $STD_INFO, FILE_NAME, OBJECT_ID attributes
• $DATA has 0 bytes
$VOLUME_INFORMATION
• Type ID – 112
• Unique to $Volume file
Fields:
0 – 7 Unused
8 – 8 Major version
9 – 9 Minor version
10 – 11 Flags
Flags:
0x0001 Dirty
0x0002 Resize $LogFile (file system journal)
0x0004 Upgrade volume next time
0x0008 Mounted in NT
0x0010 Deleting change journal
0x0020 Repair object IDs
0x0080 Modified by chkdsk
$AttrDef
• Entry 4
• Defines the attribute names and Ids
• $DATA attribute for this file contains a list of entries
Entry:
0 – 127 Name of attribute
128 – 131 Type identifier
132 – 135 Display rule
136 – 139 Collation rule
140 – 143 Flags
144 – 151 Minimum size
152 – 159 Maximum size
Flags:
0x02 Attribute can be used in an index
0x04 Attribute is always resident
0x08 Attribute can be non-resident
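The $VOLUME_INFORMATION layout (fields and flags above) and the $AttrDef entry layout are both fixed little-endian structures, so one short decoder covers both. This is an added example, not code from the slides; the flag names are my own labels for the page's bit values, and the sample $VOLUME_INFORMATION value and $AttrDef entries are constructed, not copied from a real volume. The entry-termination rule (stop at the first entry whose name is empty) is an assumption of this parser.

```python
import struct

# $VOLUME_INFORMATION flags, from the table above (labels are mine).
VOLUME_FLAGS = {
    0x0001: "DIRTY",
    0x0002: "RESIZE_LOGFILE",
    0x0004: "UPGRADE_ON_NEXT_MOUNT",
    0x0008: "MOUNTED_IN_NT",
    0x0010: "DELETING_CHANGE_JOURNAL",
    0x0020: "REPAIR_OBJECT_IDS",
    0x0080: "MODIFIED_BY_CHKDSK",
}
# $AttrDef entry flags, from the table above (labels are mine).
ATTRDEF_FLAGS = {0x02: "INDEXABLE", 0x04: "ALWAYS_RESIDENT", 0x08: "CAN_BE_NONRESIDENT"}

_VOLINFO = struct.Struct("<8xBBH")        # 8 unused bytes, major, minor, flags (12 bytes)
_ATTRDEF = struct.Struct("<128sIIIIQQ")   # name, type id, display, collation, flags, min, max (160 bytes)


def _flag_names(table, value):
    """Expand a bit mask into labels; unknown bits are reported as hex so nothing is silently dropped."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%04X" % leftover)
    return names


def parse_volume_information(data):
    """Decode a $VOLUME_INFORMATION attribute value (type 112 / 0x70)."""
    major, minor, flags = _VOLINFO.unpack_from(data)
    return {
        "version": "%d.%d" % (major, minor),
        "flags": _flag_names(VOLUME_FLAGS, flags),
        "dirty": bool(flags & 0x0001),   # dirty bit set: volume was not cleanly dismounted
    }


def parse_attrdef(data):
    """Decode consecutive 160-byte $AttrDef entries; the list ends at the first empty name (assumption)."""
    entries = []
    for off in range(0, len(data) - _ATTRDEF.size + 1, _ATTRDEF.size):
        raw_name, type_id, display, collation, flags, min_size, max_size = _ATTRDEF.unpack_from(data, off)
        name = raw_name.decode("utf-16-le").rstrip("\x00")   # UTF-16LE, zero padded to 128 bytes
        if not name:
            break
        entries.append({
            "name": name, "type_id": type_id, "display_rule": display,
            "collation_rule": collation, "flags": _flag_names(ATTRDEF_FLAGS, flags),
            "min_size": min_size, "max_size": max_size,
        })
    return entries


def attrdef_entry(name, type_id, collation, flags, min_size, max_size):
    """Build one constructed $AttrDef entry for the sample below (display rule left at 0)."""
    return _ATTRDEF.pack(name.encode("utf-16-le").ljust(128, b"\x00"),
                         type_id, 0, collation, flags, min_size, max_size)


# Constructed sample values (not dumped from a real volume).
SAMPLE_VOLINFO = bytes(8) + bytes([3, 1]) + (0x0001).to_bytes(2, "little")   # NTFS 3.1, dirty bit set
SAMPLE_ATTRDEF = (
    attrdef_entry("$STANDARD_INFORMATION", 0x10, 0, 0x04, 48, 72)
    + attrdef_entry("$FILE_NAME", 0x30, 1, 0x02 | 0x04, 68, 578)
    + attrdef_entry("$DATA", 0x80, 0, 0x08, 0, 0xFFFFFFFFFFFFFFFF)
    + bytes(_ATTRDEF.size)   # all-zero entry terminates the list
)

if __name__ == "__main__":
    print(parse_volume_information(SAMPLE_VOLINFO))
    for entry in parse_attrdef(SAMPLE_ATTRDEF):
        print(entry)
```

Reading the dirty flag and the version pair from $Volume is a cheap first check when triaging an image: a set dirty bit means the volume was not dismounted cleanly, so $LogFile and $UsnJrnl may hold activity that never reached the MFT.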
$Boot
• Entry 7
• Contains the boot sector of the file system
• Static location for $DATA attribute
– Located in the first sector of the file system
– Used to boot the system
– First sector is the VBR
• Trailing signature of the first sector is 0xAA55
• Usually 16 sectors are reserved for $Boot
– About half is used
VBR for NTFS – Sector 1 of $DATA of $Boot
Byte Offset  Field Length  Sample Value        Field Name
0x00         3             0xEB5290            Jump to boot code
0x03         4             0x4E544653          OEM Name
0x0B         2             0x0002              Bytes Per Sector
0x0D         1             0x08                Sectors Per Cluster
0x0E         2             0x0000              Reserved Sectors
0x10         3             0x000000            always 0
0x13         2             0x0000              not used by NTFS
0x15         1             0xF8                Media Descriptor
0x16         2             0x0000              always 0
0x18         2             0x3F00              Sectors Per Track
0x1A         2             0xFF00              Number Of Heads
0x1C         4             0x3F000000          Hidden Sectors
0x20         4             0x00000000          not used by NTFS
0x24         4             0x80008000          not used by NTFS
0x28         8             0x4AF57F0000000000  Total Sectors
0x30         8             0x0400000000000000  Logical Cluster Number for the file $MFT
0x38         8             0x54FF070000000000  Logical Cluster Number for the file $MFTMirr
0x40         4             0xF6000000          Size of MFT entry
0x44         4             0x01000000          Clusters Per Index Block
0x48         8             0x14A51B74C91B741C  Volume Serial Number
0x50         4             0x00000000          Checksum
(Source: www.NTFS.com)
$Boot (cont’d)
• The sectors following #1 are for the actual boot code
• Only significant for bootable partitions
– Exercise
• Format a disk with a non-bootable NTFS partition
• What do the first 16 clusters of the file system look like?
• Backup of the boot sector is in the last sector of the volume
– One sector past the file system
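A decoder for the VBR table above, written as an added example (not code from the slides or from www.NTFS.com). The sample sector is constructed from the table's sample values with zero-filled boot code and the 0xAA55 trailer. Two facts it relies on that the table does not spell out: the OEM name field spans the 8 bytes from 0x03 to 0x0B (the table lists the first four, "NTFS"), and the "Size of MFT entry" byte at 0x40 is signed, with a negative value v meaning 2^(-v) bytes rather than a cluster count (the sample 0xF6 is -10, so 1024-byte MFT entries); the same rule applies to the clusters-per-index-block byte at 0x44. The volume-fraction and backup-boot-sector fields are derived from the slide's statements that $MFTMirr sits in the middle of the file system and the backup boot sector is one sector past it.

```python
import struct

# Constructed sample VBR (not a dump from a real disk): the table's sample values,
# zero-filled boot code, and the 0xAA55 trailing signature at 0x1FE.
SAMPLE_VBR = bytes.fromhex(
    "EB5290"             # 0x00 jump to boot code
    "4E54465320202020"   # 0x03 OEM name "NTFS    " (8 bytes; the table shows the first 4)
    "0002"               # 0x0B bytes per sector, little-endian 0x0200 = 512
    "08"                 # 0x0D sectors per cluster
    "0000"               # 0x0E reserved sectors
    "000000"             # 0x10 always 0
    "0000"               # 0x13 not used by NTFS
    "F8"                 # 0x15 media descriptor
    "0000"               # 0x16 always 0
    "3F00"               # 0x18 sectors per track
    "FF00"               # 0x1A number of heads
    "3F000000"           # 0x1C hidden sectors
    "00000000"           # 0x20 not used by NTFS
    "80008000"           # 0x24 not used by NTFS
    "4AF57F0000000000"   # 0x28 total sectors
    "0400000000000000"   # 0x30 logical cluster number of $MFT
    "54FF070000000000"   # 0x38 logical cluster number of $MFTMirr
    "F6000000"           # 0x40 size of MFT entry (signed byte: -10 -> 2**10 bytes)
    "01000000"           # 0x44 clusters per index block
    "14A51B74C91B741C"   # 0x48 volume serial number
    "00000000"           # 0x50 checksum
).ljust(510, b"\x00") + b"\x55\xAA"   # boot code, then 0xAA55 stored little-endian

# Fields from 0x0B through 0x53; 'x' skips the always-0 / unused bytes.
_BPB = struct.Struct("<HBH3x2xB2xHHI4x4xQQQb3xb3xQI")


def _size_in_bytes(code, cluster_size):
    """Positive codes count clusters; negative codes (two's complement) mean 2**(-code) bytes."""
    return code * cluster_size if code >= 0 else 1 << -code


def parse_ntfs_vbr(sector):
    """Decode the NTFS VBR; raise ValueError when the sanity checks fail."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if struct.unpack_from("<H", sector, 0x1FE)[0] != 0xAA55:
        raise ValueError("missing 0xAA55 trailing signature")
    oem = sector[0x03:0x0B]
    if oem != b"NTFS    ":
        raise ValueError("OEM name is not NTFS: %r" % oem)
    (bytes_per_sector, sectors_per_cluster, reserved, media, spt, heads, hidden,
     total_sectors, mft_lcn, mftmirr_lcn, mft_code, index_code, serial,
     checksum) = _BPB.unpack_from(sector, 0x0B)
    if bytes_per_sector == 0 or sectors_per_cluster == 0 or total_sectors == 0:
        raise ValueError("zero geometry field")
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "media_descriptor": media,
        "hidden_sectors": hidden,
        "total_sectors": total_sectors,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,                 # where to read entry 0 ($MFT)
        "mftmirr_lcn": mftmirr_lcn,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mftmirr_volume_fraction": mftmirr_lcn * sectors_per_cluster / total_sectors,
        "mft_record_size": _size_in_bytes(mft_code, cluster_size),
        "index_block_size": _size_in_bytes(index_code, cluster_size),
        "volume_serial": serial,
        # Backup VBR lives in the sector just past the file system (sector index == total_sectors).
        "backup_boot_sector_offset": total_sectors * bytes_per_sector,
    }


if __name__ == "__main__":
    for key, value in parse_ntfs_vbr(SAMPLE_VBR).items():
        print("%-26s %s" % (key, hex(value) if key == "volume_serial" else value))
```

With the table's sample values the decoder places $MFT at byte 16384 and puts $MFTMirr at 0.49999 of the way through the volume, which is the "middle of the file system" the $MFTMirr slide refers to. When the primary VBR fails the signature or OEM check, the backup offset is the next place to read before searching for "FILE" signatures.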
$Quota
• Located in \$Extend\
• Contains two indexes
• Both indexes use
– $INDEX_ROOT
– $INDEX_ALLOCATION
• $O index
– Correlates a SID to an owner ID
• $Q index
– Correlates an owner ID to quota information
$UsnJrnl
• Located in \$Extend\
• Acts as a change journal
• Changes are stored in $DATA attribute
• This attribute is named $J
• Also has another $DATA attribute named $Max
– Maximum settings for the UsnJrnl
$J Attribute Entries
0 – 3 Size of this journal entry
4 – 5 Major version
6 – 7 Minor version
8 – 15 File reference of the file that caused this entry
16 – 23 Parent directory file reference for the file that caused this entry
24 – 31 USN (Update Sequence Number) for entry
32 – 39 Time stamp
40 – 43 Flags for type of change
44 – 47 Source information (OS or user caused)
48 – 51 Security ID (SID)
52 – 55 File attributes
56 – 57 Size of file name
58+ File name
$J Entry Flags
0x00000001 Default $DATA attribute was overwritten
0x00000002 Default $DATA attribute was extended
0x00000004 Default $DATA attribute was truncated
0x00000010 A named $DATA attribute was overwritten
0x00000020 A named $DATA attribute was extended
0x00000040 A named $DATA attribute was truncated
0x00000100 The file or directory was created
0x00000200 The file or directory was deleted
0x00000400 The extended attributes of the file were changed
0x00000800 The security descriptor was changed
0x00001000 The name was changed – change journal entry has old name
0x00002000 The name was changed – change journal entry has new name
0x00004000 Content index status changed
Etc.
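A walker for the $J entries and flag table above, added here as an example (not code from the slides). Facts it relies on beyond the page: Windows USN_RECORD_V2 records carry a 2-byte file-name offset at bytes 58-59 (so the UTF-16LE name normally starts at 60), each record is padded to an 8-byte boundary and its USN is its byte offset within $J, the timestamp is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), a file reference packs the MFT entry number in its low 48 bits and the sequence number in the high 16 bits, and the reason flag 0x80000000 (CLOSE) is one of the values behind the page's "Etc." and is set on nearly every record. $J is sparse, so the walker steps over zero runs. The flag labels are mine; the records in SAMPLE_J are constructed, not taken from a real journal.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from the $J entry flag table above (labels mine), plus CLOSE (0x80000000),
# which is not on the page and marks the last record written for a file handle.
USN_REASON = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x80000000: "CLOSE",
}

# 60-byte USN_RECORD_V2 header: size, major, minor, file ref, parent ref, USN, timestamp,
# reason, source info, security id, file attributes, name length, name offset.
_HDR = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def split_file_reference(ref):
    """MFT file reference: low 48 bits = entry number, high 16 bits = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reason(flags):
    """Expand the reason mask; bits not in the table are kept as hex rather than dropped."""
    names = [name for bit, name in USN_REASON.items() if flags & bit]
    unknown = flags & ~sum(USN_REASON)
    if unknown:
        names.append("0x%08X" % unknown)
    return names


def build_usn_record(entry, seq, parent, parent_seq, usn, when, reason, name):
    """Constructed v2 record for the sample below (not real $J data)."""
    name_bytes = name.encode("utf-16-le")
    length = (_HDR.size + len(name_bytes) + 7) & ~7          # records are 8-byte aligned
    header = _HDR.pack(length, 2, 0, entry | (seq << 48), parent | (parent_seq << 48),
                       usn, datetime_to_filetime(when), reason, 0, 0, 0x20,
                       len(name_bytes), _HDR.size)
    return (header + name_bytes).ljust(length, b"\x00")


def parse_usn_records(data):
    """Walk a byte range of $J and return decoded records; zero runs (sparse gaps) are skipped."""
    records, pos = [], 0
    while pos + _HDR.size <= len(data):
        if data[pos:pos + 8] == bytes(8):                       # inside a sparse/zero region
            pos += 8
            continue
        (length, major, minor, fref, pref, usn, ts, reason, source,
         sec_id, attrs, name_len, name_off) = _HDR.unpack_from(data, pos)
        if major != 2 or length < _HDR.size or pos + length > len(data):
            raise ValueError("malformed record at offset %d" % pos)
        entry, seq = split_file_reference(fref)
        parent, parent_seq = split_file_reference(pref)
        name = data[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append({
            "offset": pos, "usn": usn, "mft_entry": entry, "sequence": seq,
            "parent_entry": parent, "parent_sequence": parent_seq,
            "timestamp": filetime_to_datetime(ts), "reasons": decode_reason(reason),
            "source_info": source, "security_id": sec_id, "attributes": attrs, "name": name,
        })
        pos += length
    return records


# Constructed $J fragment: entry 38 (parent = root, entry 5) is created, extended, then renamed;
# 16 zero bytes between the second and third record stand in for a sparse gap.
T0 = datetime(2015, 12, 22, 9, 30, tzinfo=timezone.utc)
SAMPLE_J = (
    build_usn_record(38, 3, 5, 5, 0, T0, 0x80000100, "notes.txt")
    + build_usn_record(38, 3, 5, 5, 80, T0 + timedelta(seconds=1), 0x80000002, "notes.txt")
    + bytes(16)
    + build_usn_record(38, 3, 5, 5, 176, T0 + timedelta(seconds=2), 0x80001000, "notes.txt")
    + build_usn_record(38, 3, 5, 5, 256, T0 + timedelta(seconds=2), 0x80002000, "notes-old.txt")
)

if __name__ == "__main__":
    for rec in parse_usn_records(SAMPLE_J):
        print(rec["usn"], rec["timestamp"].isoformat(), rec["mft_entry"], rec["name"], rec["reasons"])
```

The rename shows up as a pair of records with the same timestamp, one carrying the old name (0x00001000) and one the new name (0x00002000); matching the pair by MFT entry and sequence number is how a timeline recovers a file's previous name, and a create/delete pair with no surviving MFT entry is the usual sign of a short-lived file that $J alone still records.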