Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003

File Allocation Table (FAT)
The FAT file system is a simple file system.
The File Allocation Table resides at the start of the volume
Duplicate copy maintained for recovery
In the FAT file system space is allocated in clusters.
The size of the default cluster is determined by the size of the volume
The cluster number must fit in 16 bits and be a power of 2.
Volume layout: Partition Boot Sector | FAT 1 | FAT 2 (duplicate) | Root Folder | Other folders and files

File Allocation System
Uses a File Allocation Table to organize the file system and keep track of cluster usage
Two copies of the FAT are kept (in older versions of FAT, adjacent to each other, in the same cluster)
Files are given the first available cluster in the partition
Also uses folders to indicate where in the FAT the info for a file may be

File Allocation Table Information
Information on clusters
  – Unused 0x0000 (free)
  – Cluster in use by a file
  – Bad cluster (0xFFF7)
  – Last cluster in a file (0xFFF8-0xFFFF)
If a file consists of multiple clusters then the end of the first cluster contains a link to the next cluster in the file.
Example

Three Necessary System Files
Besides FAT, MBR, Partition Tables need:
  – IO.SYS, MSDOS.SYS, COMMAND.COM
IO.SYS
  – Low-level drivers to communicate with BIOS
  – First entry in root directory and first cluster
MSDOS.SYS
  – Disk handling routines
  – Second entry in root directory, no position requirements
COMMAND.COM
  – DOS command processor or user-interface

System Files
format /S
  – puts these system files on to make it bootable and positions them correctly
DOS 6.x removed required positioning of IO.SYS and MSDOS.SYS
Windows 95 replaced them with one file, WINBOOT.SYS

FAT Root Folder
Root folder contains an entry for each file and folder on the root
At a fixed location
Fixed size: 512 entries for a hard disk
Other folders contain similar entries but can be anywhere on the disk and have unlimited (relatively) entries
Cannot be deleted – anchors file system

FAT Folder Structure
Folder entries include
  – Name (8+3 characters)
  – Attribute byte
  – Creation time
  – Creation date
  – Last access date
  – Last modified time
  – Last modified date
  – Starting cluster number in the file allocation table (16 bits)

FAT Filenames
Old 8+3 names, eight bits for the name, three bits for the extension

VFAT
Longer names are supported but backward FAT compatibility is maintained in VFAT
Example of conversion and storage
  – “The quick brown.fox” – 15 + extension
  – “THEQUI~1.FOX” made up name
Unicode: 2 bytes for each character in the long name
Windows sets the volume, read-only, system, and hidden attributes on long filename entries to get backwards-compatible software to ignore these fields

File Attributes
Voluntary
Stored in a single byte (only uses 6 bits)
  – Read-Only
  – Hidden
  – System
  – Volume Label
  – Directory
  – Archive
VFAT Long Filename Storage
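
The storage of the long name from the VFAT slide, as an added example that is not part of the original lecture. The function names are hypothetical, and the slot layout used (13 two-byte characters per 32-byte slot, a sequence byte with 0x40 set on the last piece, a checksum of the 8+3 name in byte 13) is the standard VFAT on-disk layout, which the slides themselves do not spell out.

```python
import struct

def lfn_checksum(short11):
    """Checksum of the 11-byte 8+3 name; ties each long-name slot to its short entry."""
    s = 0
    for c in short11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF    # rotate right one bit, then add
    return s

def build_lfn_slots(long_name, short11):
    """Lay a long name out as VFAT slots (last piece first), then the short entry."""
    raw = long_name.encode("utf-16-le")               # 2 bytes per character
    units = list(struct.unpack("<%dH" % (len(raw) // 2), raw))
    if len(units) % 13:
        units.append(0x0000)                          # terminator
        units += [0xFFFF] * (-len(units) % 13)        # padding to a full slot
    pieces = [units[i:i + 13] for i in range(0, len(units), 13)]
    slots = []
    for seq in range(len(pieces), 0, -1):
        p = pieces[seq - 1]
        order = seq | (0x40 if seq == len(pieces) else 0)
        # Attribute 0x0F = Read-Only | Hidden | System | Volume Label
        slots.append(struct.pack("<B5HBBB6HH2H", order, *p[:5], 0x0F, 0,
                                 lfn_checksum(short11), *p[5:11], 0, *p[11:13]))
    return b"".join(slots) + short11 + bytes([0x20]) + bytes(20)

def read_long_names(raw):
    """Reassemble names from a folder dump: (long name, short name, checksum ok)."""
    out, parts, sums = [], [], set()
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[11] == 0x0F:                             # long-name slot
            parts.insert(0, e[1:11] + e[14:26] + e[28:32])
            sums.add(e[13])
            continue
        long_name = b"".join(parts).decode("utf-16-le", "replace").split("\x00")[0]
        short = e[:8].decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
        out.append((long_name, short, sums == {lfn_checksum(e[:11])}))
        parts, sums = [], set()
    return out

# Constructed sample: the lecture's example name and its made-up 8+3 alias.
SAMPLE = build_lfn_slots("The quick brown.fox", b"THEQUI~1FOX")
```

A checksum mismatch means the long-name slots no longer belong to the short entry that follows them, which happens when a tool that only understands 8+3 names rewrites the short entry.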

File Deletion
Places hex byte code “E5h” into the first letter of the file name of the file entry in the folder that contains it
Just marks files for deletion and frees up clusters in FAT
If you are quick enough and no files have overwritten it, you can recover it
Search a hard drive and slack for “E5h”
  – Can even find deleted folders
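
The folder entry fields, the attribute byte and the E5h deletion marker from the slides above, put together as an added example that is not part of the original lecture. The function names and the sample folder are constructed; the byte offsets and the packed date and time encoding are those of the standard 32-byte FAT16 folder entry, which the slides list only by field name.

```python
import struct

ATTR_BITS = {0x01: "Read-Only", 0x02: "Hidden", 0x04: "System",
             0x08: "Volume Label", 0x10: "Directory", 0x20: "Archive"}
LFN_ATTR = 0x0F                    # all four low bits set: VFAT long-name slot
ENTRY = "<8s3sBBBHHHHHHHI"         # one 32-byte folder entry

def fat_date(v):
    """Packed date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return "%04d-%02d-%02d" % (1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)

def fat_time(v):
    """Packed time: bits 15-11 hour, 10-5 minute, 4-0 seconds divided by 2."""
    return "%02d:%02d:%02d" % (v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2)

def parse_dir(raw):
    """Parse folder entries, keeping deleted ones and flagging them."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:           # never-used entry: nothing follows
            break
        if e[11] == LFN_ATTR:      # long-name slot, not a file entry
            continue
        (name, ext, attr, _nt, _tenths, ctime, cdate, adate, _hi,
         mtime, mdate, start, size) = struct.unpack(ENTRY, e)
        deleted = name[0] == 0xE5  # first letter was overwritten on deletion
        base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        out.append({"name": base + ("." + suffix if suffix else ""),
                    "deleted": deleted,
                    "attrs": [n for bit, n in ATTR_BITS.items() if attr & bit],
                    "created": fat_date(cdate) + " " + fat_time(ctime),
                    "accessed": fat_date(adate),
                    "modified": fat_date(mdate) + " " + fat_time(mtime),
                    "start_cluster": start, "size": size})
    return out

def make_entry(name, ext, attr, start, size, date=0x2ED1, time=0x6000):
    """Build one constructed entry (default stamp 2003-06-17 12:00:00)."""
    return struct.pack(ENTRY, name, ext, attr, 0, 0, time, date,
                       date, 0, time, date, start, size)

# Constructed sample folder: a live file, a deleted hidden file, a subfolder.
SAMPLE = (make_entry(b"REPORT  ", b"TXT", 0x20, 2, 1200) +
          make_entry(b"\xe5ECRET  ", b"DOC", 0x22, 5, 4096) +
          make_entry(b"LOGS    ", b"   ", 0x10, 9, 0) + bytes(32))
```

The deleted entry still carries its starting cluster, size and timestamps; only the first character of the name is gone, which is why the parser reports it as `?`.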

FAT Problems
Cross-linked files: files appearing to use the same clusters because of error in the FAT
Lost cluster: cluster marked as ‘in use’ in the FAT, but there is no corresponding folder entry
Invalid file or directories:
  – No pointer to parent directory “..”
  – Invalid start cluster
  – Invalid date (buggy software)
Allocation or FAT errors: entries in FAT get set to invalid values
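
A consistency check for the problems listed above, using the FAT entry values from the File Allocation Table Information slide, as an added example that is not part of the original lecture. The function names and the 12-entry sample FAT are constructed; the check assumes FAT16 with the FAT already read into a list and the starting clusters already taken from the folder entries.

```python
FREE, BAD = 0x0000, 0xFFF7          # entry values from the FAT information slide

def is_last(value):
    """0xFFF8-0xFFFF marks the last cluster in a file."""
    return 0xFFF8 <= value <= 0xFFFF

def check_fat(fat, starts):
    """fat: FAT16 entries indexed by cluster number (entries 0 and 1 are reserved).
    starts: {name: starting cluster} as read from the folder entries."""
    owner = {}                      # cluster -> first file seen using it
    report = {"chains": {}, "cross_linked": [], "invalid": [], "lost": []}
    for name, cluster in starts.items():
        chain = []
        while True:
            if not 2 <= cluster < len(fat) or fat[cluster] in (FREE, BAD):
                report["invalid"].append((name, cluster))   # bad start or bad link
                break
            if cluster in owner:    # already claimed, by another file or by a loop
                report["cross_linked"].append((name, owner[cluster], cluster))
                break
            owner[cluster] = name
            chain.append(cluster)
            if is_last(fat[cluster]):
                break
            cluster = fat[cluster]
        report["chains"][name] = chain
    # Marked in use in the FAT but not reachable from any folder entry.
    report["lost"] = [c for c in range(2, len(fat))
                      if fat[c] not in (FREE, BAD) and c not in owner]
    return report

# Constructed sample: A.TXT is 2->3->4, B.TXT is 5->6 and then links into
# A.TXT at cluster 3, clusters 7->8 have no folder entry, 9 is bad,
# 10 and 11 are free. C.TXT has a folder entry pointing at free cluster 10.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 6, 3, 8, 0xFFFF, 0xFFF7, 0, 0]
SAMPLE_STARTS = {"A.TXT": 2, "B.TXT": 5, "C.TXT": 10}
```

Because every cluster is claimed at most once, a chain that loops back on itself ends at the repeated cluster and is reported as cross-linked with its own file.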

NTFS Basics
The Windows NT file system is NTFS
NTFS is designed for high performance on very large hard disks (read, write and file-system recovery)
Formatting a volume with the NTFS file system results in:
  – Master File Table (MFT)
  – System Files
Formatted NTFS Volume: Partition Boot Sector | Master File Table | System Files | File Area

NTFS
Includes:
  – Security features
  – Data access control – permissions on files and folders
  – Folders can be shared
Basically everything on the volume is a file
  – Even file system metadata (info about file system itself)
Everything in a file is an attribute:
  – Data attribute
  – Security attribute
  – File name attribute
New features
  – Encryption, disk quotas, sparse files, reparse points, distributed link tracking

NTFS Partition Boot Sector
BIOS Parameter Block
  – Information on volume layout similar to FAT
  – File system structures
Code
  – How to find code that loads operating system
  – On NT points to and loads NTLDR
Duplicate boot sector located in the logical middle of the volume

NTFS System Files
First 16 records in MFT contain metadata:
  – 0: Master File Table (MFT)
  – 1: Master File Table2 – a mirror of first 3 records
  – 2: Log File – list of transaction steps for NTFS recovery
  – 3: Volume – volume name, NTFS version, other volume information
  – 4: Attribute Definition Table – table of attribute names, numbers, and descriptions
  – 5: Root Filename Index

NTFS System Files (2)
  – 6: Cluster Bitmap – bitmap of clusters in use
  – 7: Partition Boot Sector – if bootable, bootstrap code
  – 8: Bad Cluster File – locations of bad clusters
  – 9: Security File – security descriptors for all files in volume
  – 10: Upcase Table – lowercase to Unicode uppercase
  – 12: NTFS Extension File – optional extensions like quotas, reparse point data, object identifiers
  – 12-15: are reserved for future use

NTFS Master File Table
MFT: a database that contains info on every file in an NTFS volume
Small files are stored entirely in MFT (< 1500 bytes)
Large files are referred to with pointers
Small directories are stored in the MFT
Large directories point to clusters where their directory entries are stored

NTFS File Attributes
Attributes residing entirely in the MFT are said to be resident attributes
  – File name and timestamp attributes are always resident
Nonresident attributes are stored in clusters elsewhere on the volume, and the Attribute List attribute contains their locations

File Attribute Definitions
Standard Information: time stamps, link counts, etc.
Attribute List – location of nonresident attributes
Filename
  – short (8.3, case insensitive)
  – long (255 Unicode characters)
Security Descriptor – owner and access rights
Data
  – Has one unnamed data attribute
  – Can have multiple named data attributes (think ADS)
Object ID – a volume-unique file identifier for distributed link tracking service

File Attribute Definitions
Logged Tool Stream – like data stream, but changes are logged to NTFS Log File like metadata changes
Reparse Point – used for volume mount points
Index Root – implements folders and indexes
Index Allocation – implements folders and indexes
Bitmap – map of records in use in MFT or folder
Volume Information – volume version for $Volume system file
Volume Name – volume label for $Volume system file
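
A walk over the attributes of one MFT record, reporting which are resident and which Data attributes carry a name (alternate data streams), as an added example that is not part of the original lecture. The function names and the sample record are constructed; the numeric type codes and header offsets are those of the standard NTFS attribute header, which the slides do not give, and the record is assumed to have had its sector fixups applied already.

```python
import struct

ATTR_NAMES = {0x10: "Standard Information", 0x20: "Attribute List", 0x30: "Filename",
              0x40: "Object ID", 0x50: "Security Descriptor", 0x60: "Volume Name",
              0x70: "Volume Information", 0x80: "Data", 0x90: "Index Root",
              0xA0: "Index Allocation", 0xB0: "Bitmap", 0xC0: "Reparse Point",
              0x100: "Logged Tool Stream"}

def walk_attributes(record):
    """Return (type, stream name, resident?) for every attribute in one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    off = struct.unpack_from("<H", record, 0x14)[0]    # offset of first attribute
    found = []
    while off + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF:                        # end-of-attributes marker
            break
        if alen < 16 or off + alen > len(record):      # corrupt length: refuse to loop
            raise ValueError("bad attribute length at offset %d" % off)
        nonres, nlen, noff = struct.unpack_from("<BBH", record, off + 8)
        name = record[off + noff:off + noff + 2 * nlen].decode("utf-16-le", "replace")
        found.append((ATTR_NAMES.get(atype, hex(atype)), name, nonres == 0))
        off += alen
    return found

def named_data_streams(record):
    """Names of alternate data streams: Data attributes that carry a name."""
    return [n for t, n, _ in walk_attributes(record) if t == "Data" and n]

def make_attr(atype, nonres, name=""):
    """Constructed attribute: real common header, zero-filled remainder."""
    n = name.encode("utf-16-le")
    hdr = 64 if nonres else 24                         # nonresident headers are longer
    total = (hdr + len(n) + 7) & ~7                    # attributes are 8-byte aligned
    common = struct.pack("<IIBBHHH", atype, total, nonres, len(name), hdr, 0, 0)
    return (common + bytes(hdr - 16) + n).ljust(total, b"\0")

def make_record(attrs):
    """Constructed 1024-byte record: 56-byte header, attributes, end marker."""
    head = bytearray(56)
    head[:4] = b"FILE"
    struct.pack_into("<H", head, 0x14, 56)
    return (bytes(head) + b"".join(attrs) + b"\xff" * 4).ljust(1024, b"\0")

# Constructed sample: a small file with a resident unnamed Data attribute
# plus one nonresident named stream called "payload".
SAMPLE = make_record([make_attr(0x10, 0), make_attr(0x30, 0), make_attr(0x80, 0),
                      make_attr(0x80, 1, "payload")])
```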
Review Homework 1