MFT Metadata
8/21/2019 MFT Metadata
1/23
Metadata Files
Excellent reference:
http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h
-
Metadata Files
• The metadata files in NTFS contain information used to implement the file system structure.
• Their names begin with $.
• The $ is usually hidden.
• With the exception of these $ files, all the rest of the MFT entries are for normal files and directories.
-
Metadata Files
0 $Mft – MFT
1 $MftMirr – MFT Mirror
2 $LogFile – Log File
3 $Volume – Volume File
4 $AttrDef – Attribute definition table
5 . – Root directory
6 $Bitmap – Volume cluster allocation file
7 $Boot – Boot sector
8 $BadClus – Bad cluster file
9 $Secure – Security settings file
10 $UpCase – Uppercase character mapping
11 $Extend – Extended metadata directory
12 Unused
13 Unused
14 Unused
15 Unused
Files 0–15 are reserved for metadata files in the MFT; usually only the first 12 are used by MS.
-
$MFT
• Entry 0
• Master File Table
• Contains an entry for every file
• First entry in the MFT
• Has a $BITMAP attribute
• Its $DATA attribute contains the clusters used by the MFT
• Also has $STANDARD_INFORMATION and $FILE_NAME attributes
-
$MFTMirr
• Entry 1
• Backup for the MFT
• Second entry (entry #1) in the MFT
– Has a non-resident attribute
• Contains a few entries in the MFT – $MFT, $MFTMirr, $LogFile, $Volume
• Located in the middle of the file system
– Allocated by the $DATA attribute
• Problems with $MFT
– Find middle of file system
– Look for signatures “FILE”
-
$LogFile
• Entry 2
• Used as the NTFS journal
• Has standard attributes
• Log data is stored in $DATA
• Appears to have signature “RSTR”
• And entries with signature “RCRD”
-
$Volume
• MFT entry number 3
• Contains volume label and version info
• Has 2 important attributes
– $VOLUME_NAME
– $VOLUME_INFORMATION
• Has $STD_INFO, FILE_NAME, OBJECT_ID attributes
• $DATA has 0 bytes
-
$VOLUME_NAME
• Type ID 96
• Name of volume in UTF-16 Unicode
• Nothing more
-
$VOLUME_INFORMATION
• Type ID 112
• Unique to $Volume file
Fields (byte offsets)
0–7 Unused
8–8 Major version
9–9 Minor version
10–11 Flags
Flags
0x0001 Dirty
0x0002 Resize $LogFile (file system journal)
0x0004 Upgrade volume next time
0x0008 Mounted in NT
0x0010 Deleting change journal
0x0020 Repair object IDs
0x0080 Modified by chkdsk
-
$AttrDef
• Entry 4
• Defines the attribute names and IDs
• $DATA attribute for this file contains a list of entries
Entry layout (byte offsets)
0–127 Name of attribute
128–… (remaining fields not legible in the transcript)
-
. (Root directory)
• Entry 5
-
$Bitmap
• Entry 6
• Bitmap of allocated clusters is maintained in the $DATA attribute
-
$Boot
• Entry 7
• Contains the boot sector of the file system
• Static location for $DATA attribute
– Located in the first sector of the file system
– Used to boot the system
– First sector is the VBR
• Trailing file sig of first sector is 0xAA55
• Usually 16 sectors are reserved for $Boot
– About half is used
-
VBR for NTFS: Sector #1 of $DATA of $Boot
Byte Offset  Field Length  Sample Value  Field Name
0x00         3             0xEB5290      Jump to boot code
0x03         4             0x4E544653    OEM Name
0x0B         2             0x0002        Bytes Per Sector
0x0D         1             0x08          Sectors Per Cluster
0x0E         2             0x0000        Reserved Sectors
0x10         3             0x000000      always 0
0x13         2             0x0000        not used by NTFS
0x15         1             0xF8          Media Descriptor
0x16         2             0x0000        always 0
0x18         2             0x…           (rest of the row not present in the transcript)
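An added example, not from the slides: a Python parser for the BPB fields in the table above, with the consistency checks an examiner would run on a boot sector pulled from an image. It reads the full 8-byte OEM ID field (the table shows its first four bytes, "NTFS") and checks the 0xAA55 trailer from the previous slide; the sector bytes are constructed here.

```python
import struct

# Constructed NTFS boot sector (not from a real disk): only the fields in the
# table above plus the 0xAA55 trailer are filled in; everything else is zero.
def make_sample_vbr() -> bytes:
    sector = bytearray(512)
    sector[0x00:0x03] = b"\xEB\x52\x90"               # jump to boot code
    sector[0x03:0x0B] = b"NTFS    "                   # OEM ID: 8 bytes, "NTFS" + 4 spaces
    struct.pack_into("<H", sector, 0x0B, 512)         # bytes per sector
    sector[0x0D] = 8                                  # sectors per cluster
    sector[0x15] = 0xF8                               # media descriptor (fixed disk)
    struct.pack_into("<H", sector, 0x1FE, 0xAA55)     # trailing boot signature
    return bytes(sector)

def parse_vbr(sector: bytes) -> dict:
    """Decode the BPB fields listed above and flag anything that should not vary on NTFS."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    fields = {
        "jump": sector[0x00:0x03].hex(),
        "oem_id": sector[0x03:0x0B].decode("ascii", "replace"),
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "sectors_per_cluster": sector[0x0D],
        "reserved_sectors": struct.unpack_from("<H", sector, 0x0E)[0],
        "media_descriptor": sector[0x15],
        "signature": struct.unpack_from("<H", sector, 0x1FE)[0],
    }
    # The "always 0" / "not used by NTFS" bytes, the OEM ID and the trailer are
    # fixed on a healthy NTFS volume; a mismatch in an image means damage, a
    # different file system, or tampering, and deserves a closer look.
    problems = []
    if fields["oem_id"] != "NTFS    ":
        problems.append("OEM ID is not 'NTFS'")
    if fields["reserved_sectors"] != 0:
        problems.append("reserved sectors must be 0 on NTFS")
    if any(sector[0x10:0x15]) or any(sector[0x16:0x18]):
        problems.append("bytes 0x10-0x14 and 0x16-0x17 must be 0 on NTFS")
    if fields["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector")
    if fields["signature"] != 0xAA55:
        problems.append("missing 0xAA55 boot signature")
    fields["problems"] = problems
    return fields
```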
-
$Boot (cont'd)
• The sectors following #1 are for actual boot code
• Only significant for bootable partitions
– Exercise
• Format a disk with a non-bootable NTFS partition
• What do the first 16 clusters of the file system look like?
• Backup of the boot sector is in the last sector of the volume
– One sector past the file system
-
$BadClus
• Entry 8
• Bad cluster file
-
$Secure
• Entry 9
• Security settings
-
$UpCase
• Entry 10
• Uppercase character mapping
-
$Extend
• Entry 11
• Extended metadata directory
• Contains
– $ObjId
– $Reparse
– $Quota
– $UsnJrnl
-
$Quota
• Located in $Extend
• Contains two indexes
• Both indexes use
– $INDEX_ROOT
– $INDEX_ALLOCATION
• $O index
– Correlates a SID to an owner ID
• $Q index
– Correlates an owner ID to quota information
-
$UsnJrnl
• Located in $Extend
• Acts as a change journal
• Changes are stored in $DATA attribute
• This attribute is named $J
• Also has another $DATA attribute named $Max
– Maximum settings for the UsnJrnl
-
$J Attribute Entries (byte offsets)
0–3 Size of this journal entry
4–5 Major version
6–7 Minor version
8–15 File reference of the file that caused this entry
16–23 Parent directory file reference for the file that caused this entry
24–… Time stamp (end offset not present in the transcript)
40–43 Flags for type of change
44–47 Source information (OS or user caused)
48–51 Security ID (SID)
52–55 File attributes
56–57 Size of file name
58+ File name
-
$J Entry Flags
0x00000001 Default $DATA attribute was overwritten
0x00000002 Default $DATA attribute was extended
0x00000004 Default $DATA attribute was truncated
0x00000010 A named $DATA attribute was overwritten
0x00000020 A named $DATA attribute was extended
0x00000040 A named $DATA attribute was truncated
0x00000100 The file or directory was created
0x00000200 The file or directory was deleted
0x00000400 The extended attributes of the file were changed
0x00000800 The security descriptor was changed
0x00001000 The name was changed; change journal entry has old name
0x00002000 The name was changed; change journal entry has new name
0x00004000 Content index status changed
Etc.
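An added example, not from the slides, that ties the $J entry layout on the previous slide to the flags table above: a Python parser for one $J record with the reason bits decoded to their Windows USN_REASON_* names. It follows the standard USN_RECORD_V2 layout, which also carries the update sequence number at bytes 24–31, the time stamp at 32–39 and the file-name offset at 58–59 (fields the layout slide does not list); the record bytes are constructed here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason bits from the $J entry flags table above, with their Windows USN_REASON_* names.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE",
}
# USN_RECORD_V2 fixed header (little-endian): record length, major, minor, file reference,
# parent reference, USN, FILETIME, reason flags, source info, security ID, file attributes,
# file name length, file name offset. The USN (24-31) and name offset (58-59) are the
# two fields the layout slide does not list.
HDR = struct.Struct("<IHHQQQQIIIIHH")  # 60 bytes

def decode_reasons(flags: int) -> list:
    names = [n for bit, n in USN_REASONS.items() if flags & bit]
    if flags & ~sum(USN_REASONS):      # bits beyond the slide's table ("Etc.")
        names.append(f"UNKNOWN_0x{flags & ~sum(USN_REASONS):08X}")
    return names

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_record(buf: bytes, off: int = 0) -> dict:
    (length, major, minor, fref, pref, usn, ft, reason, src, sid, attrs,
     name_len, name_off) = HDR.unpack_from(buf, off)
    if major != 2 or length < HDR.size or off + length > len(buf) or name_off + name_len > length:
        raise ValueError("malformed USN_RECORD_V2")      # never trust lengths read from a journal
    name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le", "replace")
    return {"length": length, "usn": usn,
            "mft_entry": fref & 0xFFFFFFFFFFFF, "mft_sequence": fref >> 48,   # 48-bit entry, 16-bit seq
            "parent_entry": pref & 0xFFFFFFFFFFFF, "timestamp": filetime_to_utc(ft),
            "reasons": decode_reasons(reason), "source_info": src, "security_id": sid,
            "file_attributes": attrs, "file_name": name}

def make_sample_record() -> bytes:
    """Constructed $J entry (not from a real volume): 'notes.txt' created under the root directory."""
    name = "notes.txt".encode("utf-16-le")
    length = (HDR.size + len(name) + 7) & ~7            # $J records are 8-byte aligned
    hdr = HDR.pack(length, 2, 0, (5 << 48) | 1234, (5 << 48) | 5, 0x1000,
                   132539328000000000, 0x00000102, 0, 259, 0x20, len(name), HDR.size)
    return hdr + name + bytes(length - HDR.size - len(name))
```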