MFT Metadata

Date posted: 07-Aug-2018
Transcript of MFT Metadata

8/21/2019 MFT Metadata 1/23

Metadata Files

Excellent reference:

http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h

Metadata Files

• The metadata files in NTFS contain information used to implement the file system structure.
• Their names begin with $
• The $ is usually hidden
• With the exception of these $ files, all the rest of the MFT entries are for normal files and directories

Metadata Files

 0  $Mft      – MFT
 1  $MftMirr  – MFT Mirror
 2  $LogFile  – Log File
 3  $Volume   – Volume File
 4  $AttrDef  – Attribute definition table
 5            – Root directory
 6  $Bitmap   – Volume cluster allocation file
 7  $Boot     – Boot sector
 8  $BadClus  – Bad cluster file
 9  $Secure   – Security settings file
10  $UpCase   – Uppercase character mapping
11  $Extend   – Extended metadata directory
12  Unused
13  Unused
14  Unused
15  Unused

Files 0–15 are reserved for metadata files in the MFT; usually only the first 12 are used by MS.

$MFT

• Entry 0
• Master File Table
• Contains an entry for every file
• First entry in the MFT
• Has a $BITMAP attribute
• Its $DATA attribute contains the clusters used by the MFT
• Also has $STANDARD_INFORMATION and $FILE_NAME attributes

$MFTMirr

• Entry 1
• Backup for the MFT
• Second entry (entry #1) in the MFT
  – Has a non-resident attribute
• Contains a few entries in the MFT – $MFT, $MFTMirr, $LogFile, $Volume
• Located in the middle of the file system
  – Allocated by the $DATA attribute
• Problems with $MFT
  – Find middle of file system
  – Look for signatures "FILE"

$LogFile

• Entry 2
• Used as the NTFS journal
• Has standard attributes
• Log data is stored in $DATA
• Appears to have signature "RSTR"
• And entries with signature "RCRD"
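The last two slides describe recovering structures by signature: "FILE" marks an MFT entry (and the $MFTMirr copy of the first entries), "RSTR" and "RCRD" mark $LogFile pages. The scanner below is an added example, not code from the slides. It builds a small constructed image in memory and walks it on sector boundaries; the assumption not stated on the slides is that an NTFS 3.1+ MFT entry header keeps a little-endian uint16 sequence number at offset 0x10 and the uint32 MFT record number at offset 0x2C, which is what lets the scanner tell the real $MFT start from the $MFTMirr copy (both begin with a record numbered 0).

```python
"""Locate NTFS structures by signature in a raw image.

Added example, not from the original slides. It builds a small constructed
image in memory: a fake $MFT whose entries 0..3 are also copied into a fake
$MFTMirr, followed by a fake $LogFile with one "RSTR" restart page and two
"RCRD" record pages. Assumption not stated on the slides: the MFT entry header
(NTFS 3.1+) keeps a uint16 sequence number at offset 0x10 and the uint32 MFT
record number at offset 0x2C, both little-endian.
"""
import struct

SECTOR = 512
MFT_RECORD_SIZE = 1024       # usual MFT entry size
LOG_PAGE_SIZE = 4096         # usual $LogFile page size
SIGNATURES = (b"FILE", b"RSTR", b"RCRD")   # from the $MFTMirr and $LogFile slides


def make_file_record(record_number, seq=1):
    """Minimal constructed MFT entry: signature, sequence number, record number."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x10, seq)
    struct.pack_into("<I", rec, 0x2C, record_number)
    return bytes(rec)


def make_log_page(signature):
    """Constructed $LogFile page: signature followed by zero padding."""
    return signature + bytes(LOG_PAGE_SIZE - len(signature))


def make_image():
    """[$MFT entries 0..7][4 empty sectors][$MFTMirr: entries 0..3][$LogFile pages]"""
    mft = b"".join(make_file_record(n) for n in range(8))
    gap = bytes(4 * SECTOR)
    mirr = b"".join(make_file_record(n) for n in range(4))
    log = make_log_page(b"RSTR") + make_log_page(b"RCRD") + make_log_page(b"RCRD")
    return mft + gap + mirr + log


def scan_signatures(image, step=SECTOR):
    """Return [(offset, signature, record_number_or_None)].

    On a real volume these structures start on sector boundaries, so only every
    `step` bytes are tested; the record number is read for FILE entries only.
    """
    hits = []
    for off in range(0, len(image) - 3, step):
        sig = image[off:off + 4]
        if sig in SIGNATURES:
            recno = None
            if sig == b"FILE" and off + 0x30 <= len(image):
                recno = struct.unpack_from("<I", image, off + 0x2C)[0]
            hits.append((off, sig.decode("ascii"), recno))
    return hits


def entry0_candidates(hits):
    """Offsets of entries numbered 0: the first is $MFT itself, a second one is
    the copy held by $MFTMirr (the slide says $MFTMirr covers $MFT..$Volume)."""
    return [off for off, sig, recno in hits if sig == "FILE" and recno == 0]


if __name__ == "__main__":
    img = make_image()
    hits = scan_signatures(img)
    for off, sig, recno in hits:
        print(f"{off:#010x} {sig} record={recno}")
    print("entry 0 candidates:", entry0_candidates(hits))
```

On a real image the same scan over a damaged volume yields two runs of record-0 hits; the one followed by a long sequence of ascending record numbers is the $MFT, the short run of four is $MFTMirr.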

$Volume

• MFT entry number 3
• Contains volume label and version info
• Has 2 important attributes
  – $VOLUME_NAME
  – $VOLUME_INFORMATION
• Has $STD_INFO, FILE_NAME, OBJECT_ID attributes
• $DATA has 0 bytes

$VOLUME_NAME

• Type ID 96
• Name of volume in UTF-16 Unicode
• Nothing more

$VOLUME_INFORMATION

• Type ID 112
• Unique to $Volume file

Fields

 0–7   Unused
 8–8   Major version
 9–9   Minor version
10–11  Flags

Flags

0x0001  Dirty
0x0002  Resize $LogFile (file system journal)
0x0004  Upgrade volume next time
0x0008  Mounted in NT
0x0010  Deleting change journal
0x0020  Repair object Ids
0x0080  Modified by chkdsk
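The two attribute layouts above are small enough to decode by hand, but a forensic tool should do it mechanically and flag anything outside the documented bits. The code below is an added example, not from the slides: it decodes a $VOLUME_NAME value (UTF-16 label) and a $VOLUME_INFORMATION value (8 unused bytes, major version, minor version, 16-bit flags word) using exactly the field layout and flag values listed on the slides. The sample attribute values are constructed; the unlisted bit 0x0100 in the sample is there only to show how unknown bits are reported.

```python
"""Decode the resident values of $VOLUME_NAME and $VOLUME_INFORMATION.

Added example, not from the original slides. Field layout and flag values are
the ones listed on the $VOLUME_INFORMATION slide; the sample values are constructed.
"""
import struct

VOLUME_NAME_TYPE = 0x60         # slide: type ID 96
VOLUME_INFORMATION_TYPE = 0x70  # slide: type ID 112

VOLUME_FLAGS = {
    0x0001: "Dirty",
    0x0002: "Resize $LogFile",
    0x0004: "Upgrade volume next time",
    0x0008: "Mounted in NT",
    0x0010: "Deleting change journal",
    0x0020: "Repair object Ids",
    0x0080: "Modified by chkdsk",
}
KNOWN_FLAG_BITS = sum(VOLUME_FLAGS)


def parse_volume_name(value):
    """$VOLUME_NAME is just the label in UTF-16 (little-endian on disk)."""
    return value.decode("utf-16-le")


def parse_volume_information(value):
    """Return (major, minor, flag_names, unknown_bits).

    Layout from the slide: bytes 0-7 unused, 8 major version, 9 minor version,
    10-11 flags (little-endian 16-bit word).
    """
    if len(value) < 12:
        raise ValueError("$VOLUME_INFORMATION value must be at least 12 bytes")
    major, minor, flags = struct.unpack_from("<BBH", value, 8)
    names = [text for bit, text in sorted(VOLUME_FLAGS.items()) if flags & bit]
    unknown = flags & ~KNOWN_FLAG_BITS      # bits the slide does not name
    return major, minor, names, unknown


def was_cleanly_dismounted(value):
    """False when the Dirty bit is set: the volume was not unmounted cleanly,
    which is worth recording when imaging a machine that was powered off hard."""
    return "Dirty" not in parse_volume_information(value)[2]


# Constructed samples: label "EVIDENCE"; NTFS 3.1 with Dirty and
# Modified-by-chkdsk set (0x0081) plus a bit the slide does not list (0x0100).
SAMPLE_VOLUME_NAME = "EVIDENCE".encode("utf-16-le")
SAMPLE_VOLUME_INFO = bytes(8) + struct.pack("<BBH", 3, 1, 0x0181)

if __name__ == "__main__":
    print(parse_volume_name(SAMPLE_VOLUME_NAME))
    print(parse_volume_information(SAMPLE_VOLUME_INFO))
    print("cleanly dismounted:", was_cleanly_dismounted(SAMPLE_VOLUME_INFO))
```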

$AttrDef

• Entry 4
• Defines the attribute names and Ids
• $DATA attribute for this file contains a list of entries

Entry:
  0–127  Name of attribute
  128–1
  1

– Root directory

• Entry 5

$Bitmap

• Entry 6
• Bitmap of allocated clusters is maintained in the $DATA attribute

$Boot

• Entry 7
• Contains the boot sector of the file system
• Static location for $DATA attribute
  – Located in the first sector of the file system
  – Used to boot the system
  – First sector is the VBR
• Trailing file sig of first sector is 0xAA55
• Usually 16 sectors are reserved for $Boot
  – About half is used

VBR for NTFS – Sector 1 of $DATA of $Boot

Byte Offset  Field Length  Sample Value  Field Name
0x00         3             0xEB5290      Jump to boot code
0x03         8             0x4E544653    OEM Name
0x0B         2             0x0002        Bytes Per Sector
0x0D         1             0x08          Sectors Per Cluster
0x0E         2             0x0000        Reserved Sectors
0x10         3             0x000000      always 0
0x13         2             0x0000        not used by NTFS
0x15         1             0xF8          Media Descriptor
0x16         2             0x0000        always 0
0x18         2             0x

$Boot (cont'd)

• The sectors following #1 are for actual boot code
• Only significant for bootable partitions
  – Exercise
    • Format a disk with a non-bootable NTFS partition
    • What do the first 16 clusters of the file system look like?
• Backup of the boot sector is in the last sector of the volume
  – One sector past the file system
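The VBR table and the two $Boot slides together give everything needed to validate a candidate boot sector: the field offsets, the values that must be zero, the trailing 0xAA55 signature and the rule that the backup copy sits one sector past the file system. The parser below is an added example, not code from the slides. Its sector bytes are constructed from the slide's sample values; offsets 0x00 to 0x18 follow the table, while the TotalSectors field at 0x28 (8 bytes) is an assumption taken from the standard NTFS BPB layout, which the truncated table never reaches, and is what lets the code compute where the backup boot sector should be.

```python
"""Parse an NTFS boot sector (VBR) and apply the checks from the $Boot slides.

Added example, not from the original slides. The sector bytes are constructed
from the slide's sample values. Offsets 0x00-0x18 follow the slide's table;
TotalSectors at 0x28 (8 bytes) is assumed from the standard NTFS BPB layout,
which the slide's truncated table does not reach.
"""
import struct

SECTOR = 512


def build_sample_vbr(total_sectors=2_097_151):
    """Constructed VBR using the slide's sample values plus a TotalSectors value."""
    vbr = bytearray(SECTOR)
    vbr[0x00:0x03] = bytes.fromhex("EB5290")   # jump to boot code
    vbr[0x03:0x0B] = b"NTFS    "                # OEM name (4E 54 46 53 20 20 20 20)
    struct.pack_into("<H", vbr, 0x0B, 512)      # bytes per sector, on disk 00 02
    vbr[0x0D] = 8                               # sectors per cluster
    struct.pack_into("<H", vbr, 0x0E, 0)        # reserved sectors, always 0 on NTFS
    vbr[0x15] = 0xF8                            # media descriptor
    struct.pack_into("<Q", vbr, 0x28, total_sectors)
    vbr[0x1FE:0x200] = b"\x55\xAA"              # trailing signature: 0xAA55 read LE
    return bytes(vbr)


def has_boot_signature(sector):
    """The slide's 0xAA55 trailer: bytes 55 AA at 0x1FE read as a little-endian word."""
    return len(sector) >= SECTOR and struct.unpack_from("<H", sector, 0x1FE)[0] == 0xAA55


def parse_vbr(sector):
    """Return the BPB fields from the slide's table as a dict."""
    if not has_boot_signature(sector):
        raise ValueError("missing 0xAA55 boot signature")
    fields = {
        "jump": sector[0x00:0x03].hex(),
        "oem_name": sector[0x03:0x0B].decode("ascii", "replace"),
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "sectors_per_cluster": sector[0x0D],
        "reserved_sectors": struct.unpack_from("<H", sector, 0x0E)[0],
        "zero_0x10": sector[0x10:0x13].hex(),
        "media_descriptor": sector[0x15],
        "zero_0x16": struct.unpack_from("<H", sector, 0x16)[0],
        "total_sectors": struct.unpack_from("<Q", sector, 0x28)[0],
    }
    fields["cluster_size"] = fields["bytes_per_sector"] * fields["sectors_per_cluster"]
    return fields


def looks_like_ntfs(fields):
    """Consistency checks a carver applies before trusting a candidate VBR:
    the 'always 0' and 'not used by NTFS' fields really must be zero."""
    return (fields["oem_name"] == "NTFS    "
            and fields["bytes_per_sector"] in (512, 1024, 2048, 4096)
            and fields["reserved_sectors"] == 0
            and fields["zero_0x10"] == "000000"
            and fields["zero_0x16"] == 0)


def backup_boot_sector_lba(fields):
    """The backup is one sector past the file system. NTFS's TotalSectors
    excludes that trailing sector, so it sits at LBA TotalSectors relative to
    the volume start."""
    return fields["total_sectors"]


if __name__ == "__main__":
    f = parse_vbr(build_sample_vbr())
    print(f)
    print("ntfs:", looks_like_ntfs(f), "backup VBR at sector", backup_boot_sector_lba(f))
```

When the primary VBR is damaged, reading the sector at `backup_boot_sector_lba()` and running it through the same `parse_vbr()` and `looks_like_ntfs()` checks is the usual recovery path; the two copies should be byte-identical.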

$BadClus

• Entry 8
• Bad cluster file

$Secure

• Entry 9
• Security settings

$UpCase

• Entry 10
• Uppercase character mapping

$Extend

• Entry 11
• Extended metadata directory
• Contains
  – $ObjId
  – $Reparse
  – $Quota
  – $UsnJrnl

$Quota

• Located in $Extend
• Contains two indexes
• Both indexes use
  – $INDEX_ROOT
  – $INDEX_ALLOCATION
• $O index
  – Correlates a SID to an owner ID
• $Q index
  – Correlates an owner ID to quota information

$UsnJrnl

• Located in $Extend
• Acts as a change journal
• Changes are stored in $DATA attribute
• This attribute is named $J
• Also has another $DATA attribute named $Max
  – Maximum settings for the UsnJrnl

$J Attribute Entries

 0–3    Size of this journal entry
 4–5    Major version
 6–7    Minor version
 8–15   File reference of the file that caused this entry
16–23   Parent directory file reference for the file that caused this entry
24–     Time stamp
40–43   Flags for type of change
44–47   Source information (OS or user caused)
48–51   Security ID (SID)
52–55   File attributes
56–57   Size of file name
58+     File name

$J Entry Flags

0x00000001  Default $DATA attribute was overwritten
0x00000002  Default $DATA attribute was extended
0x00000004  Default $DATA attribute was truncated
0x00000010  A named $DATA attribute was overwritten
0x00000020  A named $DATA attribute was extended
0x00000040  A named $DATA attribute was truncated
0x00000100  The file or directory was created
0x00000200  The file or directory was deleted
0x00000400  The extended attributes of the file were changed
0x00000800  The security descriptor was changed
0x00001000  The name was changed – change journal entry has old name
0x00002000  The name was changed – change journal entry has new name
0x00004000  Content index status changed
Etc.
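The $J entry layout and the flag table above are the basis of change-journal timelining: each record says which MFT entry changed, in which directory, when, and why. The parser below is an added example, not code from the slides, and its record bytes are constructed. It follows the Windows USN_RECORD_V2 layout, which agrees with the slide's offsets (0–3 size, 4–7 version, 8–23 file references, 40–43 flags, 44–47 source, 48–51 security ID, 52–55 attributes, 56–57 name size) and, beyond what the slide lists, places the USN at 24–31, the timestamp at 32–39 and a file-name offset word at 58–59 that the slide collapses into "58+ File name". Splitting a file reference into a 48-bit entry number and 16-bit sequence number, and reading the timestamp as a Windows FILETIME, are likewise standard NTFS conventions assumed here rather than stated on the slides. Reason values are the ones on the slide; bits covered by the slide's "Etc." are reported numerically rather than guessed.

```python
"""Parse $UsnJrnl:$J records and decode the reason flags from the slides.

Added example (not from the original slides); the record bytes are constructed.
Layout is the Windows USN_RECORD_V2 structure: it matches the slide's offsets
(0-3 size, 4-7 version, 8-23 file references, 40-43 flags, 44-47 source,
48-51 security id, 52-55 attributes, 56-57 name size) and, beyond what the
slide lists, has the USN at 24-31, the timestamp at 32-39 and a name-offset
word at 58-59 that the slide collapses into "58+ File name".
"""
import struct
from datetime import datetime, timedelta, timezone

RECORD_FMT = "<IHHQQqqIIIIHH"          # 60-byte fixed header
HEADER_LEN = struct.calcsize(RECORD_FMT)

# Reason values and descriptions as listed on the slide; bits under the
# slide's "Etc." are reported numerically by decode_reason.
REASON_FLAGS = {
    0x00000001: "Default $DATA attribute was overwritten",
    0x00000002: "Default $DATA attribute was extended",
    0x00000004: "Default $DATA attribute was truncated",
    0x00000010: "A named $DATA attribute was overwritten",
    0x00000020: "A named $DATA attribute was extended",
    0x00000040: "A named $DATA attribute was truncated",
    0x00000100: "The file or directory was created",
    0x00000200: "The file or directory was deleted",
    0x00000400: "The extended attributes of the file were changed",
    0x00000800: "The security descriptor was changed",
    0x00001000: "The name was changed - change journal entry has old name",
    0x00002000: "The name was changed - change journal entry has new name",
    0x00004000: "Content index status changed",
}
KNOWN_REASON_BITS = sum(REASON_FLAGS)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def split_file_reference(ref):
    """NTFS file reference: low 48 bits MFT entry number, high 16 bits sequence
    number (standard NTFS encoding, assumed here; the slide just says 'file reference')."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reason(flags):
    """Map the flags word to the slide's descriptions; unknown bits are kept as hex."""
    names = [text for bit, text in sorted(REASON_FLAGS.items()) if flags & bit]
    unknown = flags & ~KNOWN_REASON_BITS
    if unknown:
        names.append(f"unknown bits {unknown:#010x}")
    return names


def parse_usn_record(buf, offset=0):
    """Parse one record at `offset`; return (fields, offset_of_next_record)."""
    if offset + HEADER_LEN > len(buf):
        raise ValueError("truncated record header")
    (length, major, minor, file_ref, parent_ref, usn, timestamp, reason,
     source, security_id, attributes, name_len, name_off) = \
        struct.unpack_from(RECORD_FMT, buf, offset)
    if (major, minor) != (2, 0):
        raise ValueError(f"unsupported record version {major}.{minor}")
    if length < HEADER_LEN or offset + length > len(buf) \
            or name_off + name_len > length:
        raise ValueError("record length or file name runs past the buffer")
    name = buf[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
    entry, seq = split_file_reference(file_ref)
    parent_entry, parent_seq = split_file_reference(parent_ref)
    return {
        "usn": usn,
        "timestamp": filetime_to_datetime(timestamp),
        "mft_entry": entry, "sequence": seq,
        "parent_entry": parent_entry, "parent_sequence": parent_seq,
        "reasons": decode_reason(reason),
        "source": source, "security_id": security_id,
        "attributes": attributes, "name": name,
    }, offset + length


def build_record(name, file_ref, parent_ref, usn, timestamp, reason):
    """Constructed $J record; the length is padded to 8 bytes like real records."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER_LEN + len(name_bytes) + 7) & ~7
    rec = bytearray(length)
    struct.pack_into(RECORD_FMT, rec, 0, length, 2, 0, file_ref, parent_ref, usn,
                     timestamp, reason, 0, 0, 0x20, len(name_bytes), HEADER_LEN)
    rec[HEADER_LEN:HEADER_LEN + len(name_bytes)] = name_bytes
    return bytes(rec)


# Constructed sample: entry 0x1234 (sequence 5) under the root directory (entry 5),
# created and extended, plus a bit the slide's "Etc." covers (0x80000000).
SAMPLE_TIMESTAMP = 132_000_000_000_000_000   # FILETIME, constructed (April 2019)
SAMPLE_RECORD = build_record("notes.txt", (5 << 48) | 0x1234, (5 << 48) | 5,
                             0x1000, SAMPLE_TIMESTAMP, 0x80000102)

if __name__ == "__main__":
    fields, _ = parse_usn_record(SAMPLE_RECORD)
    for key, value in fields.items():
        print(f"{key:16} {value}")
```

To walk a whole $J extract, call `parse_usn_record()` in a loop with the returned next offset; real journals also contain runs of zero bytes (sparse regions), so a production reader skips zero-length records rather than raising.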