Metadata Files
Excellent reference: http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h

Metadata Files
• The metadata files in NTFS contain information used to implement the file system structure.
• Their names begin with $
• The $ is usually hidden
• With the exception of these $ files, all the rest of the MFT entries are for normal files and directories

Metadata Files
Entries 0 – 15 are reserved for metadata files in the MFT; usually only the first 12 are used by MS.

  Entry   Name       Description
  0       $Mft       MFT
  1       $MftMirr   MFT mirror
  2       $LogFile   Log file
  3       $Volume    Volume file
  4       $AttrDef   Attribute definition table
  5       \          Root directory
  6       $Bitmap    Volume cluster allocation file
  7       $Boot      Boot sector
  8       $BadClus   Bad-cluster file
  9       $Secure    Security settings file
  10      $UpCase    Uppercase character mapping
  11      $Extend    Extended metadata directory
  12      Unused
  13      Unused
  14      Unused
  15      Unused

$MFT
• Entry 0
• Master File Table
• Contains an entry for every file
• First entry in the MFT
• Has a $BITMAP attribute
• Its $DATA attribute contains the clusters used by the MFT
• Also has $STANDARD_INFORMATION and $FILE_NAME attributes

$MFTMirr
• Entry 1
• Backup for the MFT
• Second entry (entry #1) in the MFT
  – Has a non-resident attribute
• Contains a few entries in the MFT
  – $MFT, $MFTMirr, $LogFile, $Volume
• Located in the middle of the file system
  – Allocated by the $DATA attribute
• Problems with $MFT
  – Find the middle of the file system
  – Look for signatures "FILE"

$LogFile
• Entry 2
• Used as the NTFS journal
• Has standard attributes
• Log data is stored in $DATA
• Appears to have signature "RSTR"
• And entries with signature "RCRD"

$Volume
• MFT entry number 3
• Contains volume label and version info
• Has 2 important attributes
  – $VOLUME_NAME
  – $VOLUME_INFORMATION
• Has $STD_INFO, $FILE_NAME, $OBJECT_ID attributes
• $DATA has 0 bytes

$VOLUME_NAME
• Type ID 96
• Name of volume in UTF-16 Unicode
• Nothing more

$VOLUME_INFORMATION
• Type ID 112
• Unique to $Volume file

  Fields (bytes)   Meaning
  0 – 7            Unused
  8 – 8            Major version
  9 – 9            Minor version
  10 – 11          Flags

  Flags
  0x0001   Dirty
  0x0002   Resize $LogFile (file system journal)
  0x0004   Upgrade volume next time
  0x0008   Mounted in NT
  0x0010   Deleting change journal
  0x0020   Repair object IDs
  0x0080   Modified by chkdsk

$AttrDef
• Entry 4
• Defines the attribute names and IDs
• $DATA attribute for this file contains a list of entries

  Entry (bytes)   Field
  0 – 127         Name of attribute
  128 – 131       Type identifier
  132 – 135       Display rule
  136 – 139       Collation rule
  140 – 143       Flags
  144 – 151       Minimum size
  152 – 159       Maximum size

  Flags
  0x02   Attribute can be used in an index
  0x04   Attribute is always resident
  0x08   Attribute can be non-resident

\ - Root directory
• Entry 5

$Bitmap
• Entry 6
• Bitmap of allocated clusters is maintained in the $DATA attribute

$Boot
• Entry 7
• Contains the boot sector of the file system
• Static location for $DATA attribute
  – Located in the first sector of the file system
  – Used to boot the system
  – First sector is the VBR
• Trailing file signature of the first sector is 0xAA55
• Usually 16 sectors are reserved for $Boot
  – About half is used

VBR for NTFS
Sector 1 of $DATA of $Boot

  Byte Offset   Field Length   Sample Value         Field Name
  0x00          3              0xEB5290             Jump to boot code
  0x03          4              0x4E544653           OEM Name
  0x0B          2              0x0002               Bytes Per Sector
  0x0D          1              0x08                 Sectors Per Cluster
  0x0E          2              0x0000               Reserved Sectors
  0x10          3              0x000000             always 0
  0x13          2              0x0000               not used by NTFS
  0x15          1              0xF8                 Media Descriptor
  0x16          2              0x0000               always 0
  0x18          2              0x3F00               Sectors Per Track
  0x1A          2              0xFF00               Number Of Heads
  0x1C          4              0x3F000000           Hidden Sectors
  0x20          4              0x00000000           not used by NTFS
  0x24          4              0x80008000           not used by NTFS
  0x28          8              0x4AF57F0000000000   Total Sectors
  0x30          8              0x0400000000000000   Logical Cluster Number for the file $MFT
  0x38          8              0x54FF070000000000   Logical Cluster Number for the file $MFTMirr
  0x40          4              0xF6000000           Size of MFT entry
  0x44          4              0x01000000           Clusters Per Index Block
  0x48          8              0x14A51B74C91B741C   Volume Serial Number
  0x50          4              0x00000000           Checksum

  Source: www.NTFS.com

$Boot (cont'd)
• The sectors following #1 are for the actual boot code
• Only significant for bootable partitions
  – Exercise
    • Format a disk with a non-bootable NTFS partition
    • What do the first 16 clusters of the file system look like?
• Backup of the boot sector is in the last sector of the volume
  – One sector past the file system

$BadClus
• Entry 8
• Bad cluster file

$Secure
• Entry 9
• Security settings

$UpCase
• Entry 10
• Uppercase character mapping

$Extend
• Entry 11
• Extended metadata directory
• Contains
  – $ObjId
  – $Reparse
  – $Quota
  – $UsnJrnl

$Quota
• Located in \$Extend\
• Contains two indexes
• Both indexes use
  – $INDEX_ROOT
  – $INDEX_ALLOCATION
• $O index
  – Correlates a SID to an owner ID
• $Q index
  – Correlates an owner ID to quota information

$UsnJrnl
• Located in \$Extend\
• Acts as a change journal
• Changes are stored in a $DATA attribute
• This attribute is named $J
• Also has another $DATA attribute named $Max
  – Maximum settings for the UsnJrnl

$J Attribute Entries
  Bytes     Field
  0 – 3     Size of this journal entry
  4 – 5     Major version
  6 – 7     Minor version
  8 – 15    File reference of the file that caused this entry
  16 – 23   Parent directory file reference for the file that caused this entry
  24 – 31   USN (Update Sequence Number) for entry
  32 – 39   Time stamp
  40 – 43   Flags for type of change
  44 – 47   Source information (OS or user caused)
  48 – 51   Security ID (SID)
  52 – 55   File attributes
  56 – 57   Size of file name
  58+       File name

$J Entry Flags
  0x00000001   Default $DATA attribute was overwritten
  0x00000002   Default $DATA attribute was extended
  0x00000004   Default $DATA attribute was truncated
  0x00000010   A named $DATA attribute was overwritten
  0x00000020   A named $DATA attribute was extended
  0x00000040   A named $DATA attribute was truncated
  0x00000100   The file or directory was created
  0x00000200   The file or directory was deleted
  0x00000400   The extended attributes of the file were changed
  0x00000800   The security descriptor was changed
  0x00001000   The name was changed – change journal entry has old name
  0x00002000   The name was changed – change journal entry has new name
  0x00004000   Content index status changed
  Etc.
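A worked parser for the $J attribute entries and entry flags described above, added here as an example; it is not code from the slides. It follows the byte layout of the $J table, with one detail the table folds into "58+": in the on-disk USN_RECORD_V2 structure bytes 58-59 hold the offset of the UTF-16LE file name (normally 60), and the parser reads the name from there. The flag names are the Windows USN_REASON_* constants matching each row of the flags table. The journal bytes are constructed in the block (the build_usn_record helper and the file/parent reference numbers are assumptions made for the example) and include a zero-filled prefix, because a real $J is a sparse file whose early pages read back as zeros and must be skipped.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags, one per row of the "$J Entry Flags" table above,
# named after the corresponding Windows USN_REASON_* constant.
USN_REASON = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
}

# Fixed part of a USN_RECORD_V2: fields 0-57 from the table plus the 2-byte
# file-name offset at 58-59. Little-endian; 60 bytes in total.
USN_V2 = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """The time stamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def split_file_reference(ref: int) -> tuple:
    """An NTFS file reference packs a 48-bit MFT entry number and a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reason(flags: int) -> list:
    names = [name for bit, name in USN_REASON.items() if flags & bit]
    unknown = flags & ~sum(USN_REASON)   # bits the table does not list ("Etc.")
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def parse_usn_records(data: bytes) -> list:
    """Walk a $J blob. Records are 8-byte aligned; zero runs (the sparse front of $J) are skipped."""
    records, off = [], 0
    while off + USN_V2.size <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:
            off += 8
            continue
        if length < USN_V2.size or off + length > len(data):
            break  # truncated or corrupt record: stop rather than mis-align
        (_, major, minor, file_ref, parent_ref, usn, ts, reason, source,
         sec_id, attrs, name_len, name_off) = USN_V2.unpack_from(data, off)
        if (major, minor) != (2, 0):
            break
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent, _pseq = split_file_reference(parent_ref)
        records.append({
            "usn": usn, "time": filetime_to_datetime(ts),
            "mft_entry": entry, "sequence": seq, "parent_entry": parent,
            "reason": decode_reason(reason), "source": source,
            "security_id": sec_id, "attributes": attrs, "name": name,
        })
        off += length
    return records


def build_usn_record(file_ref, parent_ref, usn, when, reason, name,
                     source=0, sec_id=0, attrs=0x20) -> bytes:
    """Constructed helper (not an NTFS API): encodes one V2 record, padded to 8 bytes."""
    name_b = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_b) + 7) & ~7
    hdr = USN_V2.pack(length, 2, 0, file_ref, parent_ref, usn,
                      datetime_to_filetime(when), reason, source, sec_id,
                      attrs, len(name_b), USN_V2.size)
    return (hdr + name_b).ljust(length, b"\x00")


# Constructed sample journal: a file created, written, then renamed.
T0 = datetime(2021, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
DIR = (3 << 48) | 1234            # assumed parent: MFT entry 1234, sequence 3
FILE = (1 << 48) | 5678           # assumed file: MFT entry 5678, sequence 1
SAMPLE_J = (
    b"\x00" * 16                  # sparse, still-unwritten region
    + build_usn_record(FILE, DIR, 0x1000, T0, 0x00000100, "note.txt")
    + build_usn_record(FILE, DIR, 0x1050, T0, 0x00000102, "note.txt")
    + build_usn_record(FILE, DIR, 0x10A0, T0, 0x00001000, "note.txt")
    + build_usn_record(FILE, DIR, 0x10F0, T0, 0x00002000, "note.old")
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_J):
        print(f"USN {r['usn']:#x} {r['time']:%Y-%m-%d %H:%M:%S} "
              f"entry {r['mft_entry']} {r['name']}: {', '.join(r['reason'])}")
```

Rename events arrive as a pair (old name, then new name) sharing the file reference, which is why a timeline tool joins them on mft_entry and sequence rather than on the name; the sequence number also tells apart a reused MFT entry from the original file.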
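The "VBR for NTFS" table in the $Boot section above, turned into a parser with the consistency checks a forensic tool applies before trusting a boot sector. This is an added example, not code from the slides or from NTFS.com. The 512-byte sector is constructed from the table's Sample Value column in on-disk byte order; offsets 0x07-0x0A, which the table does not list, are filled with the spaces that pad the 8-byte OEM name "NTFS    ", and the 0xAA55 signature is placed at the end. The example also shows why the size-of-MFT-entry field sample is 0xF6: that byte is signed, and a negative value v means 2**(-v) bytes, so 0xF6 (-10) is a 1024-byte MFT entry.

```python
import struct

# Little-endian layout of the first 0x54 bytes of the VBR, field by field
# as in the table above. 'b3x' reads the signed byte at 0x40 / 0x44 and
# skips the three bytes that follow it.
VBR = struct.Struct("<3s8sHBH3sHBHHHIIIQQQb3xb3xQI")

# Constructed sample sector built from the table's Sample Value column.
SAMPLE_VBR = bytes.fromhex(
    "EB5290"                 # 0x00 jump to boot code
    "4E54465320202020"       # 0x03 OEM name "NTFS    " (table shows the first 4 bytes)
    "0002"                   # 0x0B bytes per sector  -> 0x0200 = 512
    "08"                     # 0x0D sectors per cluster
    "0000" "000000" "0000"   # 0x0E reserved, 0x10 always 0, 0x13 not used
    "F8"                     # 0x15 media descriptor
    "0000"                   # 0x16 always 0
    "3F00" "FF00"            # 0x18 sectors per track, 0x1A number of heads
    "3F000000"               # 0x1C hidden sectors
    "00000000" "80008000"    # 0x20, 0x24 not used by NTFS
    "4AF57F0000000000"       # 0x28 total sectors      -> 0x7FF54A
    "0400000000000000"       # 0x30 LCN of $MFT        -> 4
    "54FF070000000000"       # 0x38 LCN of $MFTMirr    -> 0x07FF54
    "F6000000"               # 0x40 size of MFT entry  -> signed -10 -> 2**10 bytes
    "01000000"               # 0x44 clusters per index block
    "14A51B74C91B741C"       # 0x48 volume serial number
    "00000000"               # 0x50 checksum
).ljust(510, b"\x00") + b"\x55\xAA"   # 0xAA55 at 0x1FE, little-endian


def _encoded_size(raw: int, cluster_size: int) -> int:
    """Positive values count clusters; a negative value v means 2**(-v) bytes."""
    return cluster_size * raw if raw >= 0 else 1 << (-raw)


def parse_vbr(sector: bytes) -> dict:
    (jump, oem, bps, spc, reserved, zero10, unused13, media, zero16, spt, heads,
     hidden, unused20, unused24, total, mft_lcn, mirr_lcn, mft_rec_raw,
     idx_raw, serial, checksum) = VBR.unpack_from(sector, 0)
    cluster = bps * spc
    return {
        "oem": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "cluster_size": cluster, "media_descriptor": media,
        "sectors_per_track": spt, "heads": heads, "hidden_sectors": hidden,
        "total_sectors": total,
        "mft_lcn": mft_lcn, "mft_offset": mft_lcn * cluster,
        "mftmirr_lcn": mirr_lcn, "mftmirr_offset": mirr_lcn * cluster,
        "mft_record_size": _encoded_size(mft_rec_raw, cluster),
        "index_block_size": _encoded_size(idx_raw, cluster),
        "volume_serial": serial, "checksum": checksum,
        "signature": struct.unpack_from("<H", sector, 0x1FE)[0],
        "reserved_zero": reserved == 0 and zero10 == b"\x00\x00\x00" and zero16 == 0,
    }


def check_vbr(sector: bytes) -> list:
    """Sanity checks on a VBR; an empty list means the sector is plausible."""
    if len(sector) < 512:
        return ["sector shorter than 512 bytes"]
    v = parse_vbr(sector)
    problems = []
    if v["signature"] != 0xAA55:
        problems.append(f"bad trailing signature {v['signature']:#06x}")
    if not v["oem"].startswith(b"NTFS"):
        problems.append(f"OEM name is not NTFS: {v['oem']!r}")
    if v["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"odd bytes per sector {v['bytes_per_sector']}")
    spc = v["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two")
        return problems
    if not v["reserved_zero"]:
        problems.append("reserved fields are not zero")
    total_clusters = v["total_sectors"] // spc
    for name in ("mft_lcn", "mftmirr_lcn"):
        if v[name] >= total_clusters:
            problems.append(f"{name} {v[name]} lies beyond the volume")
    if v["mft_record_size"] not in (1024, 4096):
        problems.append(f"unusual MFT record size {v['mft_record_size']}")
    return problems


if __name__ == "__main__":
    for key, val in parse_vbr(SAMPLE_VBR).items():
        print(f"{key:20} {val}")
    print("problems:", check_vbr(SAMPLE_VBR) or "none")
```

Decoding the sample values also confirms a claim from the $MFTMirr slide: the mirror's LCN (0x07FF54 clusters of 8 sectors) works out to sector 4,192,928 of a 8,385,866-sector volume, i.e. the middle of the file system, which is where a recovery tool should look for the "FILE" signatures when the primary MFT is damaged.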