5.2.MFT_Metadata


Transcript 5.2.MFT_Metadata

Metadata Files
Excellent reference:
http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h
Metadata Files
• The metadata files in NTFS contain the information used to implement the file system structure
• Their names begin with $
• The files themselves are normally hidden from directory listings
• With the exception of these $ files, all the remaining MFT entries are for normal files and directories
Metadata Files
Entries 0–15 of the MFT are reserved for metadata files; usually only the first 12 are used by Microsoft.
Entry   Name       Description
0       $MFT       MFT
1       $MFTMirr   MFT mirror
2       $LogFile   Log file
3       $Volume    Volume file
4       $AttrDef   Attribute definition table
5       \          Root directory
6       $Bitmap    Volume cluster allocation file
7       $Boot      Boot sector
8       $BadClus   Bad-cluster file
9       $Secure    Security settings file
10      $UpCase    Uppercase character mapping
11      $Extend    Extended metadata directory
12–15   (unused)   Reserved
$MFT
• Entry 0
• Master File Table
• Contains an entry for every file
• First entry in the MFT
• Has a $BITMAP attribute (tracks which MFT entries are allocated)
• Its $DATA attribute contains the clusters used by the MFT
• Also has $STANDARD_INFORMATION and $FILE_NAME attributes
$MFTMirr
• Entry 1
• Backup for the MFT
• Second entry (entry #1) in the MFT
  – Has a non-resident $DATA attribute
• Contains copies of the first few entries of the MFT
  – $MFT, $MFTMirr, $LogFile, $Volume
• Located in the middle of the file system
  – Allocated by the $DATA attribute
• If $MFT is damaged
  – Find the middle of the file system
  – Look for the "FILE" signatures of MFT entries
$LogFile
• Entry 2
• Used as the NTFS journal
• Has the standard attributes
• Log data is stored in $DATA
• The $DATA starts with restart area pages, signature "RSTR"
• Followed by log record pages, signature "RCRD"
$Volume
• MFT entry number 3
• Contains volume label and version info
• Has 2 important attributes
  – $VOLUME_NAME
  – $VOLUME_INFORMATION
• Also has $STANDARD_INFORMATION, $FILE_NAME and $OBJECT_ID attributes
• $DATA has 0 bytes
$VOLUME_NAME
• Type ID 96 (0x60)
• Name of the volume in UTF-16 Unicode
• Nothing more
$VOLUME_INFORMATION
• Type ID 112 (0x70)
• Unique to the $Volume file
Fields (byte offsets within the attribute content):
0–7      Unused
8        Major version
9        Minor version
10–11    Flags
Flags:
0x0001   Dirty
0x0002   Resize $LogFile (file system journal)
0x0004   Upgrade volume next time it is mounted
0x0008   Mounted in NT
0x0010   Deleting change journal
0x0020   Repair object IDs
0x0080   Modified by chkdsk
$AttrDef
• Entry 4
• Defines the attribute names and type IDs
• The $DATA attribute of this file contains a list of 160-byte entries
Entry (byte offsets):
0–127      Name of attribute (UTF-16)
128–131    Type identifier
132–135    Display rule
136–139    Collation rule
140–143    Flags
144–151    Minimum size
152–159    Maximum size
Flags:
0x02   Attribute can be used in an index
0x04   Attribute is always resident
0x08   Attribute can be non-resident
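As an added example (not code from the page, its author, or the referenced Linux source), the following Python decodes the two structures just described: the 12-byte content of $VOLUME_INFORMATION and the 160-byte entries in the $DATA of $AttrDef. It then uses the parsed $AttrDef table the way a forensic parser would, to check whether an attribute found in an MFT entry has a size and residency that $AttrDef permits. The sample bytes are constructed inline, the flag names are mine (the page gives only bit meanings), and the sizes in the sample $AttrDef follow the usual Windows values but are not a dump from a volume.

```python
import struct

# Flag bits of $VOLUME_INFORMATION, as listed on the page (names are mine).
VOLUME_FLAGS = {
    0x0001: "DIRTY", 0x0002: "RESIZE_LOGFILE", 0x0004: "UPGRADE_ON_MOUNT",
    0x0008: "MOUNTED_ON_NT", 0x0010: "DELETING_USN_JOURNAL",
    0x0020: "REPAIR_OBJECT_IDS", 0x0080: "MODIFIED_BY_CHKDSK",
}
# $AttrDef entry flag bits, with the meanings given on the page (names are mine).
ATTRDEF_FLAGS = {0x02: "INDEXABLE", 0x04: "ALWAYS_RESIDENT", 0x08: "MAY_BE_NONRESIDENT"}
ATTRDEF_ENTRY_SIZE = 160          # offsets 0-159 in the table above

def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_volume_information(body: bytes) -> dict:
    # body is the content of the $VOLUME_INFORMATION attribute (12 bytes)
    if len(body) < 12:
        raise ValueError("$VOLUME_INFORMATION content is %d bytes, need 12" % len(body))
    major, minor, flags = struct.unpack_from("<BBH", body, 8)
    known = 0
    for bit in VOLUME_FLAGS:
        known |= bit
    return {"version": "%d.%d" % (major, minor), "flags": flags,
            "flag_names": _flag_names(flags, VOLUME_FLAGS),
            "unknown_flags": flags & ~known & 0xFFFF}

def parse_attrdef(data: bytes) -> list:
    # Walk the $DATA content of $AttrDef; the list ends at an entry whose type ID is 0.
    entries = []
    for off in range(0, len(data) - ATTRDEF_ENTRY_SIZE + 1, ATTRDEF_ENTRY_SIZE):
        type_id, display, collation, flags, min_size, max_size = struct.unpack_from(
            "<IIIIqq", data, off + 128)      # sizes are signed; -1 means "no maximum"
        if type_id == 0:
            break
        name = data[off:off + 128].decode("utf-16-le").split("\x00", 1)[0]
        entries.append({"name": name, "type_id": type_id, "display_rule": display,
                        "collation_rule": collation, "flags": flags,
                        "flag_names": _flag_names(flags, ATTRDEF_FLAGS),
                        "min_size": min_size, "max_size": max_size})
    return entries

def check_attribute(defs: list, type_id: int, size: int, resident: bool) -> list:
    # Return the $AttrDef rules an attribute of this type/size/residency violates.
    d = {e["type_id"]: e for e in defs}.get(type_id)
    if d is None:
        return ["type 0x%X is not defined in $AttrDef" % type_id]
    problems = []
    if size < d["min_size"]:
        problems.append("%s is %d bytes, below minimum %d" % (d["name"], size, d["min_size"]))
    if d["max_size"] != -1 and size > d["max_size"]:
        problems.append("%s is %d bytes, above maximum %d" % (d["name"], size, d["max_size"]))
    if not resident:
        if d["flags"] & 0x04:
            problems.append("%s must be resident" % d["name"])
        elif not d["flags"] & 0x08:
            problems.append("%s is not allowed to be non-resident" % d["name"])
    return problems

def _attrdef_entry(name: str, type_id: int, flags: int, min_size: int, max_size: int) -> bytes:
    raw_name = name.encode("utf-16-le").ljust(128, b"\x00")
    return raw_name + struct.pack("<IIIIqq", type_id, 0, 0, flags, min_size, max_size)

# Constructed sample $AttrDef content: three definitions plus the zeroed terminator.
SAMPLE_ATTRDEF = (
    _attrdef_entry("$STANDARD_INFORMATION", 0x10, 0x04, 0x30, 0x48)
    + _attrdef_entry("$FILE_NAME", 0x30, 0x02 | 0x04, 0x44, 0x242)
    + _attrdef_entry("$DATA", 0x80, 0x08, 0, -1)
    + bytes(ATTRDEF_ENTRY_SIZE)
)
# Constructed $VOLUME_INFORMATION content: version 3.1 with only the dirty bit set.
SAMPLE_VOLUME_INFO = bytes(8) + bytes([3, 1]) + struct.pack("<H", 0x0001)

if __name__ == "__main__":
    print(parse_volume_information(SAMPLE_VOLUME_INFO))
    defs = parse_attrdef(SAMPLE_ATTRDEF)
    print(check_attribute(defs, 0x10, 0x30, resident=False))
```

The residency check is the one worth keeping in a real MFT parser: an attribute that $AttrDef says must be resident but is stored non-resident, or a $DATA with a size outside the declared range, is either corruption or a hand-edited record and deserves a closer look.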
\ - Root directory
• Entry 5
$Bitmap
• Entry 6
• Bitmap of allocated clusters is maintained in the $DATA attribute
$Boot
• Entry 7
• Contains the boot sector of the file system
• Static location for the $DATA attribute
  – Located in the first sector of the file system
  – Used to boot the system
  – First sector is the VBR (volume boot record)
• Trailing signature of the first sector is 0xAA55 (bytes 55 AA at offset 0x1FE)
• Usually 16 sectors are reserved for $Boot
  – About half is used
VBR for NTFS
First sector of the $DATA attribute of $Boot. Sample values are shown as the raw byte sequence on disk; multi-byte fields are little-endian, so 0x0002 at offset 0x0B is 512 bytes per sector.
Byte Offset   Length   Sample Value                         Field Name
0x00          3        0xEB5290                             Jump to boot code
0x03          8        0x4E54465320202020 ("NTFS    ")      OEM Name
0x0B          2        0x0002                               Bytes Per Sector
0x0D          1        0x08                                 Sectors Per Cluster
0x0E          2        0x0000                               Reserved Sectors (always 0)
0x10          3        0x000000                             Always 0
0x13          2        0x0000                               Not used by NTFS
0x15          1        0xF8                                 Media Descriptor
0x16          2        0x0000                               Always 0
0x18          2        0x3F00                               Sectors Per Track
0x1A          2        0xFF00                               Number Of Heads
0x1C          4        0x3F000000                           Hidden Sectors
0x20          4        0x00000000                           Not used by NTFS
0x24          4        0x80008000                           Not used by NTFS
0x28          8        0x4AF57F0000000000                   Total Sectors
0x30          8        0x0400000000000000                   Logical Cluster Number for the file $MFT
0x38          8        0x54FF070000000000                   Logical Cluster Number for the file $MFTMirr
0x40          4        0xF6000000                           Size of MFT entry (in clusters; a negative value n means 2^|n| bytes, so 0xF6 = -10 means 1024 bytes)
0x44          4        0x01000000                           Clusters Per Index Block (same signed encoding)
0x48          8        0x14A51B74C91B741C                   Volume Serial Number
0x50          4        0x00000000                           Checksum
Source: www.NTFS.com
$Boot (cont'd)
• The sectors following the first one hold the actual boot code
• Only significant for bootable partitions
  – Exercise
    • Format a disk with a non-bootable NTFS partition
    • What do the first 16 clusters of the file system look like?
• A backup of the boot sector is in the last sector of the volume
  – One sector past the file system (it is not counted in the Total Sectors field)
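As an added example (not code from the page or from www.NTFS.com), the following Python builds a boot sector from the sample values in the table above, then parses it the way a forensic tool would: it checks the 0xAA55 signature and OEM ID, decodes the little-endian fields, applies the signed encoding of the MFT record size and index block size, rejects values that cannot be right for a real volume, and computes where $MFT, $MFTMirr and the backup VBR live. The sample sector is constructed; everything else is the layout the table documents.

```python
import struct

SECTOR_SIZE = 512

def build_sample_vbr() -> bytes:
    # Constructed NTFS boot sector using the table's sample values, written as the
    # on-disk little-endian byte sequences. Not dumped from a real volume.
    s = bytearray(SECTOR_SIZE)
    s[0x00:0x03] = b"\xEB\x52\x90"                     # jump to boot code
    s[0x03:0x0B] = b"NTFS    "                         # OEM ID, 8 bytes
    s[0x0B:0x0D] = b"\x00\x02"                         # bytes per sector = 0x0200 = 512
    s[0x0D] = 0x08                                     # sectors per cluster
    s[0x15] = 0xF8                                     # media descriptor
    s[0x18:0x1A] = b"\x3F\x00"                         # sectors per track
    s[0x1A:0x1C] = b"\xFF\x00"                         # number of heads
    s[0x1C:0x20] = b"\x3F\x00\x00\x00"                 # hidden sectors
    s[0x24:0x28] = b"\x80\x00\x80\x00"                 # not used by NTFS
    s[0x28:0x30] = bytes.fromhex("4AF57F0000000000")   # total sectors
    s[0x30:0x38] = bytes.fromhex("0400000000000000")   # $MFT LCN
    s[0x38:0x40] = bytes.fromhex("54FF070000000000")   # $MFTMirr LCN
    s[0x40:0x44] = b"\xF6\x00\x00\x00"                 # MFT record size code (-10)
    s[0x44:0x48] = b"\x01\x00\x00\x00"                 # clusters per index block
    s[0x48:0x50] = bytes.fromhex("14A51B74C91B741C")   # volume serial number
    s[0x1FE:0x200] = b"\x55\xAA"                       # boot signature 0xAA55
    return bytes(s)

def _sized_field(code: int, cluster_size: int) -> int:
    # Fields at 0x40/0x44: positive = count of clusters, negative n = 2**|n| bytes.
    return (1 << -code) if code < 0 else code * cluster_size

def parse_vbr(sector: bytes) -> dict:
    # Parse and sanity-check an NTFS VBR; raises ValueError on anything inconsistent.
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0xAA55 signature at offset 0x1FE")
    if sector[0x03:0x0B] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    bps, = struct.unpack_from("<H", sector, 0x0B)
    spc = sector[0x0D]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    mft_code, = struct.unpack_from("<b", sector, 0x40)
    idx_code, = struct.unpack_from("<b", sector, 0x44)
    serial, = struct.unpack_from("<Q", sector, 0x48)
    if bps not in (256, 512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector %d" % bps)
    if spc == 0 or spc & (spc - 1):
        raise ValueError("sectors per cluster %d is not a power of two" % spc)
    cluster = bps * spc
    if mft_lcn >= total_sectors // spc or mftmirr_lcn >= total_sectors // spc:
        raise ValueError("$MFT or $MFTMirr cluster lies outside the volume")
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn, "mft_offset": mft_lcn * cluster,          # byte offsets from
        "mftmirr_lcn": mftmirr_lcn, "mftmirr_offset": mftmirr_lcn * cluster,  # volume start
        "mft_record_size": _sized_field(mft_code, cluster),
        "index_block_size": _sized_field(idx_code, cluster),
        "volume_serial": serial,
        # the backup VBR is the sector just past the counted total (the volume's last sector)
        "backup_vbr_offset": total_sectors * bps,
    }

def is_ntfs_vbr(sector: bytes) -> bool:
    try:
        parse_vbr(sector)
        return True
    except ValueError:
        return False

def vbr_backup_matches(primary: bytes, backup: bytes) -> bool:
    # The primary and backup VBR should be byte-identical; a difference means one
    # of them was rewritten after formatting and the volume deserves a closer look.
    return primary[:SECTOR_SIZE] == backup[:SECTOR_SIZE]

if __name__ == "__main__":
    info = parse_vbr(build_sample_vbr())
    print("$MFT at byte %d, record size %d" % (info["mft_offset"], info["mft_record_size"]))
    print("backup VBR at byte %d" % info["backup_vbr_offset"])
```

With the table's sample values the $MFT starts at cluster 4 (byte 16384) and each MFT record is 1024 bytes; $MFTMirr sits at cluster 0x7FF54 of a 0x7FF54A-sector volume, i.e. roughly half way through it, which matches the $MFTMirr slide above. On a real image, read the sector at `backup_vbr_offset` and compare it with `vbr_backup_matches` before trusting either copy.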
$BadClus
• Entry 8
• Bad cluster file
$Secure
• Entry 9
• Security settings
$UpCase
• Entry 10
• Uppercase character mapping
$Extend
• Entry 11
• Extended metadata directory
• Contains
  – $ObjId
  – $Reparse
  – $Quota
  – $UsnJrnl
$Quota
• Located in \$Extend\
• Contains two indexes
• Both indexes use
– $INDEX_ROOT
– $INDEX_ALLOCATION
• $O index
– Correlates a SID to an owner ID
• $Q index
– Correlates an owner ID to quota information
$UsnJrnl
• Located in \$Extend\
• Acts as a change journal
• Changes are stored in a $DATA attribute
• This attribute is named $J
• Also has another $DATA attribute named $Max
  – Maximum settings for the UsnJrnl
$J Attribute Entries (byte offsets within each entry)
0–3      Size of this journal entry
4–5      Major version
6–7      Minor version
8–15     File reference of the file that caused this entry
16–23    Parent directory file reference for the file that caused this entry
24–31    USN (Update Sequence Number) for entry
32–39    Time stamp
40–43    Flags for type of change
44–47    Source information (OS or user caused)
48–51    Security ID (key into $Secure)
52–55    File attributes
56–57    Size of file name
58–59    Offset of file name within the entry (normally 60)
60+      File name
$J Entry Flags
0x00000001   Default $DATA attribute was overwritten
0x00000002   Default $DATA attribute was extended
0x00000004   Default $DATA attribute was truncated
0x00000010   A named $DATA attribute was overwritten
0x00000020   A named $DATA attribute was extended
0x00000040   A named $DATA attribute was truncated
0x00000100   The file or directory was created
0x00000200   The file or directory was deleted
0x00000400   The extended attributes of the file were changed
0x00000800   The security descriptor was changed
0x00001000   The name was changed; change journal entry has the old name
0x00002000   The name was changed; change journal entry has the new name
0x00004000   Content index status changed
Etc.
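As an added example (not code from the page or its author), the following Python walks the $J stream using the entry layout and reason flags from the two tables above, which is the version-2 USN record layout Windows writes. It converts the FILETIME stamp, splits each file reference into MFT entry and sequence number, skips the zero-filled sparse region at the front of $J, bounds-checks the in-record name offset before using it, and pairs old-name/new-name records back into renames. The journal content is constructed inline; the CLOSE flag (0x80000000), which the page leaves under "Etc.", is taken from the Windows SDK.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags as listed on the page, plus CLOSE (0x80000000) from the Windows SDK,
# which is set on the final record written for a file handle.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x80000000: "CLOSE",
}
RECORD_HEADER = "<IHHQQQQIIIIHH"            # the 60 fixed bytes of a version-2 $J entry
HEADER_SIZE = struct.calcsize(RECORD_HEADER)
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    # Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10

def split_file_reference(ref: int):
    # 48-bit MFT entry number in the low bits, 16-bit sequence number in the high bits
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def decode_reason(reason: int) -> list:
    return [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]

def parse_usn_record_v2(buf: bytes, off: int) -> dict:
    (length, major, minor, fref, pref, usn, ts, reason, source, sec_id, attrs,
     name_len, name_off) = struct.unpack_from(RECORD_HEADER, buf, off)
    if major != 2:
        raise ValueError("unsupported USN record version %d.%d at 0x%X" % (major, minor, off))
    if length < HEADER_SIZE or length % 8 or off + length > len(buf):
        raise ValueError("bad record length %d at 0x%X" % (length, off))
    if name_off + name_len > length:            # never trust the in-record offsets
        raise ValueError("file name runs past the record at 0x%X" % off)
    entry, seq = split_file_reference(fref)
    parent, parent_seq = split_file_reference(pref)
    return {"offset": off, "length": length, "usn": usn,
            "mft_entry": entry, "sequence": seq,
            "parent_entry": parent, "parent_sequence": parent_seq,
            "timestamp": filetime_to_datetime(ts),
            "reason": reason, "reasons": decode_reason(reason),
            "source": source, "security_id": sec_id, "attributes": attrs,
            "name": buf[off + name_off:off + name_off + name_len].decode("utf-16-le")}

def parse_usn_journal(buf: bytes) -> list:
    # $J is sparse: the area before the live records reads as zeros, and a record
    # length of 0 is padding, so step over it 8 bytes at a time.
    records, off = [], 0
    while off + HEADER_SIZE <= len(buf):
        length, = struct.unpack_from("<I", buf, off)
        if length == 0:
            off += 8
            continue
        records.append(parse_usn_record_v2(buf, off))
        off += length
    return records

def rename_history(records: list) -> list:
    # Pair RENAME_OLD_NAME / RENAME_NEW_NAME records of the same MFT entry
    # into (old name, new name) tuples.
    pending, renames = {}, []
    for r in records:
        key = (r["mft_entry"], r["sequence"])
        if r["reason"] & 0x1000:
            pending[key] = r["name"]
        elif r["reason"] & 0x2000 and key in pending:
            renames.append((pending.pop(key), r["name"]))
    return renames

def _usn_record(usn, fref, pref, ts, reason, name, attrs=0x20) -> bytes:
    # Build one version-2 entry; entries are padded to a multiple of 8 bytes.
    name_b = name.encode("utf-16-le")
    length = (HEADER_SIZE + len(name_b) + 7) & ~7
    hdr = struct.pack(RECORD_HEADER, length, 2, 0, fref, pref, usn, ts, reason,
                      0, 0x100, attrs, len(name_b), HEADER_SIZE)
    return hdr + name_b + bytes(length - HEADER_SIZE - len(name_b))

def build_sample_journal() -> bytes:
    # Constructed $J content (not from a real volume): a file under the root
    # directory (entry 5) is created, extended, renamed and deleted, one second
    # apart. The USN of each record is its byte offset in $J.
    t0 = datetime_to_filetime(datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc))
    doc, root = (3 << 48) | 40, (5 << 48) | 5      # entry 40 seq 3, entry 5 seq 5
    events = [(0x00000100, "secret.docx"),               # FILE_CREATE
              (0x00000002 | 0x80000000, "secret.docx"),  # DATA_EXTEND | CLOSE
              (0x00001000, "secret.docx"),               # RENAME_OLD_NAME
              (0x00002000, "notes.docx"),                # RENAME_NEW_NAME
              (0x00000200 | 0x80000000, "notes.docx")]   # FILE_DELETE | CLOSE
    stream = bytearray(16)                          # leading zeros of a sparse $J
    for i, (reason, name) in enumerate(events):
        stream += _usn_record(len(stream), doc, root, t0 + i * 10_000_000, reason, name)
    return bytes(stream)

if __name__ == "__main__":
    for r in parse_usn_journal(build_sample_journal()):
        print(r["timestamp"], r["mft_entry"], r["name"], r["reasons"])
    print(rename_history(parse_usn_journal(build_sample_journal())))
```

Two details matter when this is run against a real $J. The USN stored in each record is its byte offset within the $J stream, so a record whose USN disagrees with where it was found has been moved or is a carving false positive; and the file reference carries the sequence number, so events for a reused MFT entry (same number, different sequence) must not be merged into one file's history.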