Sie sind auf Seite 1von 23

Metadata Files

Excellent reference:
http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/
ntfs/attrib.h

Metadata Files
The metadata files in NTFS contain information used
to implement the file system structure.
Their names begin with $
The $ is usually hidden
With the exception of these $ files all the rest of the
MFT entries are for normal files and directories

Metadata Files
Files 0 15 are reserved for metadata files in the MFT, usually only the
first 12 are used by MS.

0
1
2
3
4
5
6
7

$Mft MFT
$MftMirr MFT Mirror
$LogFile Log File
$Volume Volume File
$AttrDef Attribute definition table
\ - Root directory
$Bitmap - Voume cluster allocation
file
$Boot Boot sector

8 $BadClus Bad-cluster file


9 $Secure Security settings file
10 $UpCase Uppercase character
mapping
11 $Extend Extended metadata
directory
12 Unused
13 Unused
14 Unused
15 Unused

$MFT

Entry 0
Master File Table
Contains an entry for every file
First entry in the MFT
Has a $BITMAP attribute
Its $DATA attribute contains the clusters used by the
MFT
Also has $STANDARD_INFORMATION and
$FILE_NAME attributes

$MFTMirr
Entry 1
Backup for the MFT
Second entry (entry #1) in the MFT
Has a non-resident attribute

Contains a few entries in the MFT


$MFT, $MFTMirr, $LogFile, $Volume

Located in the middle of the file system


Allocated by the $DATA attributte

Problems with $MFT


Find midddle of file system
Look for signatures FILE

$LogFile

Entry 2
Used as the NTFS journal
Has standard attributes
Log data is stored in $DATA
Appears to have signature RSTR
And entries with signature RCRD

$Volume
MFT entry number 3
Contains volume label and version info
Has 2 important attributes
$VOLUME_NAME
$VOLUME_INFORMATION

Has $STD_INFO, FILE_NAME, OBJECT_ID


attributes
$DATA has 0 bytes

$VOLUME_NAME
Type ID 96
Name of volume in UTF-16 Unicode
Nothing more

$VOLUME_INFORMATION
Type ID 112
Unique to $Volume file
Fields
07
88
99
10 11

Unused
Major version
Minor version
Flags

Flags
0x0001
0s0002
0x0004
0x0008
0x0010
0x0020
0x0080

Dirty
Resize $LogFile (File system journal)
Upgrade volume next time
Mounted in NT
Deleting change journal
Repair object Ids
Modified by chkdsk

$AttrDef
Entry 4
Defines the attribute names and Ids
$DATA attribute for this file contains a list of entries
Entry:
0 127
128 131
132 135
136 139
140 143
144 151
152 159

Name of attribute
Type of identifier
Display rule
Collation rule
Flag
Minimum size
Maximum size

Flags:
0x02
0x04
0x08

Attribute can be used in an index


Attribute is always resident
Attributte can be non-resident

\ - Root directory
Entry 5

$Bitmap
Entry 6
Bitmap of allocated dlusters is maintained in the
$DATA attribute

$Boot
Entry 7
Contains the boot sector of the file system
Static location for $DATA attribute
Located in the first sector of the file system
Used to boot the system
Sirst sector is the VBR

Trailing file sig of first sector is 0xAA55


Usually 16 sectors are reserved for $Boot
About half is used

VBR for NTFS


Sector 1 of $DATA of $Boot
Byte Offset

Field Length

Sample Value

Field Name

0x00
0x03
0x0B

3
4
2

0xEB5290
0x4E544653
0x0002

Jump to boot code


OEM Name
Bytes Per Sector

0x0D

0x08

Sectors Per Cluster

0x0E
0x10
0x13
0x15
0x16
0x18
0x1A
0x1C
0x20
0x24
0x28

2
3
2
1
2
2
2
4
4
4
8

0x0000
0x000000
0x0000
0xF8
0x0000
0x3F00
0xFF00
0x3F000000
0x00000000
0x80008000
0x4AF57F0000000000

Reserved Sectors
always 0
not used by NTFS
Media Descriptor
always 0
Sectors Per Track
Number Of Heads
Hidden Sectors
not used by NTFS
not used by NTFS
Total Sectors

0x30

0x0400000000000000

Logical Cluster Number for the file $MFT

0x38

0x54FF070000000000

Logical Cluster Number for the file


$MFTMirr

0x40

0xF6000000

Size of MFT entry

0x44

0x01000000

Clusters Per Index Block

0x48

0x14A51B74C91B741C

Volume Serial Number

0x50

0x00000000

Checksum

www.NTFS.com

$Boot (contd)
The sectors following #1 is for actual boot code
Only significant for bootable partitions
Exercise
Format a disk with a non-bootable NTFS partition
What do the first 16 clusters of the file system look like.

Backup of the boot sector is in the last sector of the


volume
One sector past the file system

$BadClus
Entry 8
Bad cluster file

$Secure
Entry 9
Security settings

$UpCase
Entry 10
Uppercase character mapping

$Extend
Entry 11
Extended metadata directory
Contains

$ObjId
$Reparse
$Quota
$UsnJrnl

$Quota
Located in \$Extend\
Contains two indexes
Both indexes use
$INDEX_ROOT
$INDEX_ALLOCATION

$O index
Correlates a SID to an owner ID

$Q index
Correlates an owner ID to quota information

$UsnJrnl

Located in \$Extend\
Acts as a change journal
Changes are stored in $DATA attribute
This attribute is named $J
Also has another $SATA attribute named $Max
Maximum settings for the UsnJrnl

$J Attribute Entries
03
45
67
8 15
16 23
24 31
32 39
40 43
44 47
48 51
52 55
56 57
58+

Size of this journal entry


Major version
Minor version
File reference of the file that caused this entry
Parent directory file reference for the file that caused this entry
USN (Update Sequence Number) for entry
Time stamp
Flags for type of change
Source information (OS or user caused)
Security ID (SID)
File attributes
Size of file name
File name

$J Entry Flags
0x00000001
0x00000002
0x00000004
0x00000010
0x00000020
0x00000040
0x00000100
0x00000200
0x00000400
0x00000800
0x00001000
0x00002000
0x00004000
Etc.

Default $DATA attribute was overwritten


Default $DATA attribute was extended
Default $DATA attribute was truncated
A named $DATA attribute was overwritten
A named $DATA attribute was extended
A named $DATA attribute was truncated
The file or directory was created
The fiile or directory was deleted
The extended attributes of the file were changed
The security descriptor was changed
The name was changed changge journal entry has old name
The name was changed changge journal entry has new name
Content index status changed