Metadata Files Excellent reference:
1 Metadata Files Excellent reference:

2 Metadata Files
The metadata files in NTFS contain information used to implement the file system structure.
Their names begin with $; the $ is usually hidden.
With the exception of these $ files, all the rest of the MFT entries are for normal files and directories.

3 Metadata Files
Files 0 – 15 are reserved for metadata files in the MFT; usually only the first 12 are used by MS.
0 $Mft – MFT
1 $MftMirr – MFT mirror
2 $LogFile – Log file
3 $Volume – Volume file
4 $AttrDef – Attribute definition table
5 \ – Root directory
6 $Bitmap – Volume cluster allocation file
7 $Boot – Boot sector
8 $BadClus – Bad-cluster file
9 $Secure – Security settings file
10 $UpCase – Uppercase character mapping
11 $Extend – Extended metadata directory
12 – 15 Unused

4 $MFT
Entry 0: Master File Table; contains an entry for every file.
First entry in the MFT.
Has a $BITMAP attribute.
Its $DATA attribute contains the clusters used by the MFT.
Also has $STANDARD_INFORMATION and $FILE_NAME attributes.

5 $MFTMirr
Entry 1: backup for the MFT; the second entry (entry #1) in the MFT.
Has a non-resident $DATA attribute that contains copies of the first few entries in the MFT: $MFT, $MFTMirr, $LogFile, $Volume.
Located in the middle of the file system; allocated by the $DATA attribute.
If there are problems with $MFT: find the middle of the file system and look for the “FILE” signatures.

6 $LogFile
Entry 2: used as the NTFS journal.
Has standard attributes.
Log data is stored in $DATA.
Appears to have the signature “RSTR”, and entries with the signature “RCRD”.

7 $Volume
MFT entry number 3: contains the volume label and version info.
Has 2 important attributes: $VOLUME_NAME and $VOLUME_INFORMATION.
Also has $STD_INFO, $FILE_NAME and $OBJECT_ID attributes.
$DATA has 0 bytes.

8 $VOLUME_NAME
Type ID 96.
Name of the volume in UTF-16 Unicode; nothing more.

9 $VOLUME_INFORMATION
Type ID 112; unique to the $Volume file.
Fields:
0 – 7 Unused
8 – 8 Major version
9 – 9 Minor version
10 – 11 Flags
Flags:
0x0001 Dirty
0x0002 Resize $LogFile (file system journal)
0x0004 Upgrade volume next time
0x0008 Mounted in NT
0x0010 Deleting change journal
0x0020 Repair object Ids
0x0080 Modified by chkdsk
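As an added example (not code from the slides), the following Python decodes the content of a resident $VOLUME_INFORMATION attribute using exactly the field layout and flag table above. The attribute content is constructed inside the block; the practical use is the dirty-flag check, which tells an examiner whether the volume was cleanly unmounted before imaging.

```python
import struct

# Flag meanings as listed in the slide's $VOLUME_INFORMATION table
VOLUME_FLAGS = {
    0x0001: "Dirty",
    0x0002: "Resize $LogFile",
    0x0004: "Upgrade volume next time",
    0x0008: "Mounted in NT",
    0x0010: "Deleting change journal",
    0x0020: "Repair object Ids",
    0x0080: "Modified by chkdsk",
}


def parse_volume_information(content):
    """Decode the 12-byte content of a $VOLUME_INFORMATION attribute (type 112):
    bytes 0-7 unused, 8 major version, 9 minor version, 10-11 flags."""
    if len(content) < 12:
        raise ValueError("$VOLUME_INFORMATION content is 12 bytes")
    major, minor, flags = struct.unpack_from("<BBH", content, 8)
    known = [name for bit, name in VOLUME_FLAGS.items() if flags & bit]
    # Any bit outside the documented table is reported rather than silently dropped
    unknown = flags & ~sum(VOLUME_FLAGS)
    return {
        "version": f"{major}.{minor}",
        "flags": flags,
        "set": known,
        "unknown_bits": unknown,
        "dirty": bool(flags & 0x0001),
    }


def build_sample_volume_information(major, minor, flags):
    # Constructed attribute content for demonstration, not from a real volume
    return b"\x00" * 8 + struct.pack("<BBH", major, minor, flags)


if __name__ == "__main__":
    sample = build_sample_volume_information(3, 1, 0x0081)
    print(parse_volume_information(sample))
```

A volume that reports `dirty` was in use (or crashed) when it was last seen by the driver, which is worth recording in the examination notes because chkdsk or a later mount may alter on-disk structures.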

10 $AttrDef
Entry 4: defines the attribute names and IDs.
The $DATA attribute for this file contains a list of entries.
Entry layout:
0 – 127 Name of attribute
128 – 131 Type identifier
132 – 135 Display rule
136 – 139 Collation rule
140 – 143 Flags
144 – 151 Minimum size
152 – 159 Maximum size
Flags:
0x02 Attribute can be used in an index
0x04 Attribute is always resident
0x08 Attribute can be non-resident
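Added example, not from the slides: a Python walker for the 160-byte $AttrDef entries laid out above. It decodes the UTF-16 name, the type identifier, the rules, the flags (using the slide's flag table) and the size limits, and builds a type-ID-to-name map of the kind a parser needs when it meets attribute headers in MFT entries. The table itself is constructed in the block; the type IDs used are the well-known NTFS ones (0x10, 0x30, 0x60, 0x70, 0x80), the minimum and maximum sizes are illustrative.

```python
import struct

ENTRY_SIZE = 160

# Flag meanings as listed in the slide's $AttrDef table
ATTRDEF_FLAGS = {0x02: "indexable", 0x04: "always resident", 0x08: "can be non-resident"}


def build_attrdef_entry(name, type_id, flags, min_size, max_size,
                        display_rule=0, collation_rule=0):
    """Constructed 160-byte $AttrDef entry following the slide's layout."""
    entry = bytearray(ENTRY_SIZE)
    name_bytes = name.encode("utf-16-le")
    if len(name_bytes) > 128:
        raise ValueError("name exceeds 64 UTF-16 code units")
    entry[0:len(name_bytes)] = name_bytes          # bytes 0-127, NUL padded
    struct.pack_into("<IIIIQQ", entry, 128,          # bytes 128-159
                     type_id, display_rule, collation_rule, flags, min_size, max_size)
    return bytes(entry)


def parse_attrdef(data):
    """Walk the $DATA content of $AttrDef; stops at the first all-zero entry."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw_name = data[off:off + 128]
        if raw_name[0:2] == b"\x00\x00":
            break                                     # end of table
        name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
        type_id, display, collation, flags, min_size, max_size = \
            struct.unpack_from("<IIIIQQ", data, off + 128)
        entries.append({
            "name": name,
            "type_id": type_id,
            "display_rule": display,
            "collation_rule": collation,
            "flags": flags,
            "flag_names": [n for bit, n in ATTRDEF_FLAGS.items() if flags & bit],
            "min_size": min_size,
            "max_size": max_size,
        })
    return entries


def type_name_map(entries):
    """Type identifier -> attribute name, for labelling attribute headers."""
    return {e["type_id"]: e["name"] for e in entries}


def sample_attrdef():
    # Constructed table; sizes are illustrative, 0xFFFFFFFFFFFFFFFF marks "no limit"
    return b"".join([
        build_attrdef_entry("$STANDARD_INFORMATION", 0x10, 0x04, 0x30, 0x48),
        build_attrdef_entry("$FILE_NAME", 0x30, 0x02 | 0x04, 0x44, 0x242),
        build_attrdef_entry("$VOLUME_NAME", 0x60, 0x04, 0x02, 0x100),
        build_attrdef_entry("$VOLUME_INFORMATION", 0x70, 0x04, 0x0C, 0x0C),
        build_attrdef_entry("$DATA", 0x80, 0x08, 0, 0xFFFFFFFFFFFFFFFF),
        bytes(ENTRY_SIZE),                            # terminating zero entry
    ])


if __name__ == "__main__":
    for e in parse_attrdef(sample_attrdef()):
        print(f"{e['type_id']:#06x} {e['name']:<24} {e['flag_names']}")
```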

11 \ – Root directory
Entry 5.

12 $Bitmap
Entry 6: the bitmap of allocated clusters is maintained in the $DATA attribute.

13 $Boot
Entry 7: contains the boot sector of the file system.
Static location for the $DATA attribute: located in the first sector of the file system.
Used to boot the system; the first sector is the VBR.
Trailing signature of the first sector is 0xAA55.
Usually 16 sectors are reserved for $Boot; about half is used.

14 VBR for NTFS
Sector 1 of $DATA of $Boot

Byte offset  Field length  Sample value         Field name
0x00         3             0xEB5290             Jump to boot code
0x03         4             0x4E544653           OEM name
0x0B         2             0x0002               Bytes per sector
0x0D         1             0x08                 Sectors per cluster
0x0E                       0x0000               Reserved sectors
0x10                       0x000000             Always 0
0x13                                            Not used by NTFS
0x15                       0xF8                 Media descriptor
0x16
0x18                       0x3F00               Sectors per track
0x1A                       0xFF00               Number of heads
0x1C                       0x3F000000           Hidden sectors
0x20                       0x
0x24                       0x
0x28         8             0x4AF57F             Total sectors
0x30                       0x                   Logical cluster number for the file $MFT
0x38                       0x54FF               Logical cluster number for the file $MFTMirr
0x40                       0xF                  Size of MFT entry
0x44                       0x                   Clusters per index block
0x48                       0x14A51B74C91B741C   Volume serial number
0x50                                            Checksum

15 $Boot (cont’d)
The sectors following sector 1 are for the actual boot code; only significant for bootable partitions.
Exercise: format a disk with a non-bootable NTFS partition. What do the first 16 clusters of the file system look like?
A backup of the boot sector is in the last sector of the volume, one sector past the file system.
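Added example, not code from the slides: a Python parser for the VBR fields in the table on slide 14, used the way slides 5, 13 and 15 describe. It checks the 0xAA55 trailing signature and the NTFS OEM name, computes the byte offset of $MFT from the $MFT cluster number and cluster size, confirms the “FILE” entry signature there and at the $MFTMirr location, and compares the backup boot sector one sector past the file system with the primary. The mini volume image is constructed in the block. One assumption the slide's table does not spell out: the MFT entry size byte at 0x40 is decoded as Windows does, as a signed value where a negative n means 2^|n| bytes (0xF6 = -10 gives 1024) and a positive value is a cluster count.

```python
import struct

NTFS_OEM = b"NTFS    "


def build_sample_vbr():
    """Constructed 512-byte NTFS boot sector; layout follows the slide's VBR
    table, values are made up but self-consistent (the serial is the slide's sample)."""
    vbr = bytearray(512)
    vbr[0x00:0x03] = b"\xEB\x52\x90"                 # jump to boot code
    vbr[0x03:0x0B] = NTFS_OEM                        # OEM name
    struct.pack_into("<H", vbr, 0x0B, 512)           # bytes per sector
    vbr[0x0D] = 8                                    # sectors per cluster -> 4096-byte clusters
    vbr[0x15] = 0xF8                                 # media descriptor (fixed disk)
    struct.pack_into("<H", vbr, 0x18, 63)            # sectors per track
    struct.pack_into("<H", vbr, 0x1A, 255)           # number of heads
    struct.pack_into("<I", vbr, 0x1C, 63)            # hidden sectors
    struct.pack_into("<Q", vbr, 0x28, 23)            # total sectors (file system size)
    struct.pack_into("<Q", vbr, 0x30, 2)             # LCN of $MFT
    struct.pack_into("<Q", vbr, 0x38, 1)             # LCN of $MFTMirr
    vbr[0x40] = 0xF6                                 # MFT entry size: signed -10 -> 2**10 bytes
    vbr[0x44] = 1                                    # clusters per index block
    struct.pack_into("<Q", vbr, 0x48, 0x14A51B74C91B741C)  # volume serial number
    vbr[0x1FE:0x200] = b"\x55\xAA"                   # trailing signature, reads as 0xAA55
    return bytes(vbr)


def parse_vbr(vbr):
    """Decode the VBR fields an examiner needs to locate the MFT."""
    if len(vbr) < 512 or vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a boot sector: missing 0xAA55 signature")
    if vbr[0x03:0x0B] != NTFS_OEM:
        raise ValueError("OEM name is not 'NTFS    '")
    if any(vbr[0x10:0x13]):
        raise ValueError("bytes 0x10-0x12 must be zero on NTFS")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    sectors_per_cluster = vbr[0x0D]
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    raw = struct.unpack_from("<b", vbr, 0x40)[0]
    mft_entry_size = 2 ** (-raw) if raw < 0 else raw * cluster_size
    serial = struct.unpack_from("<Q", vbr, 0x48)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_entry_size": mft_entry_size,
        "volume_serial": serial,
    }


def mft_offset(info):
    """Byte offset of the first MFT entry within the file system."""
    return info["mft_lcn"] * info["cluster_size"]


def has_file_signature(image, offset):
    """True if an MFT entry ("FILE" signature) starts at offset."""
    return image[offset:offset + 4] == b"FILE"


def backup_vbr_matches(image, info):
    """Compare the backup boot sector (one sector past the file system) with sector 0."""
    off = info["total_sectors"] * info["bytes_per_sector"]
    return image[off:off + 512] == image[0:512]


def build_sample_image():
    """Constructed mini volume: VBR, FILE records at the $MFTMirr and $MFT
    clusters, and a backup VBR in the last sector of the volume."""
    vbr = build_sample_vbr()
    info = parse_vbr(vbr)
    cs = info["cluster_size"]
    image = bytearray((info["total_sectors"] + 1) * info["bytes_per_sector"])
    image[0:512] = vbr
    for lcn in (info["mftmirr_lcn"], info["mft_lcn"]):
        image[lcn * cs:lcn * cs + 4] = b"FILE"
    image[info["total_sectors"] * info["bytes_per_sector"]:] = vbr
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    info = parse_vbr(img[:512])
    print(info, "MFT at", mft_offset(info), "backup ok:", backup_vbr_matches(img, info))
```

If the primary VBR is damaged, the same parser can be pointed at the backup sector, and if the $MFT cluster is unreadable the $MFTMirr location gives the first few entries, which is the recovery path slide 5 describes.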

16 $BadClus
Entry 8: bad cluster file.

17 $Secure
Entry 9: security settings.

18 $UpCase
Entry 10: uppercase character mapping.

19 $Extend
Entry 11: extended metadata directory.
Contains $ObjId, $Reparse, $Quota and $UsnJrnl.

20 $Quota
Located in \$Extend\.
Contains two indexes; both indexes use $INDEX_ROOT and $INDEX_ALLOCATION.
$O index: correlates a SID to an owner ID.
$Q index: correlates an owner ID to quota information.

21 $UsnJrnl
Located in \$Extend\; acts as a change journal.
Changes are stored in a $DATA attribute named $J.
Also has another $DATA attribute named $Max: maximum settings for the UsnJrnl.

22 $J Attribute Entries
0 – 3 Size of this journal entry
4 – 5 Major version
6 – 7 Minor version
8 – 15 File reference of the file that caused this entry
16 – 23 Parent directory file reference for the file that caused this entry
24 – 31 USN (Update Sequence Number) for entry
32 – 39 Time stamp
40 – 43 Flags for type of change
44 – 47 Source information (OS or user caused)
48 – 51 Security ID (SID)
52 – 55 File attributes
56 – 57 Size of file name
58+ File name

23 $J Entry Flags
0x Default $DATA attribute was overwritten
0x Default $DATA attribute was extended
0x Default $DATA attribute was truncated
0x A named $DATA attribute was overwritten
0x A named $DATA attribute was extended
0x A named $DATA attribute was truncated
0x The file or directory was created
0x The file or directory was deleted
0x The extended attributes of the file were changed
0x The security descriptor was changed
0x The name was changed – change journal entry has old name
0x The name was changed – change journal entry has new name
0x Content index status changed
Etc.
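Added example, not code from the slides, covering slides 22 and 23 together: a Python parser for version 2 $J records that walks the $DATA content, skips the zero padding found at the front of the journal, decodes the file and parent references into MFT entry number and sequence number, converts the FILETIME time stamp, and names the change flags. Two assumptions beyond the slide: the flag values are the USN_REASON_* constants from the Windows SDK (winioctl.h), which the slide lists without numbers, and the on-disk record carries a 2-byte file name offset at bytes 58–59 with the name normally starting at byte 60, so the parser reads that offset rather than assuming the name starts at 58. The journal data is constructed in the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* values from the Windows SDK; the slide lists the meanings only
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x80000000: "CLOSE",
}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def split_file_reference(ref):
    """Low 48 bits = MFT entry number, high 16 bits = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def build_usn_record(entry, seq, parent_entry, parent_seq, usn, when, reason, name):
    """Constructed USN_RECORD_V2 following the slide's byte layout."""
    name_bytes = name.encode("utf-16-le")
    length = (60 + len(name_bytes) + 7) & ~7          # records are 8-byte aligned
    rec = bytearray(length)
    struct.pack_into("<IHH", rec, 0, length, 2, 0)    # size, major, minor
    struct.pack_into("<QQ", rec, 8, (seq << 48) | entry, (parent_seq << 48) | parent_entry)
    struct.pack_into("<Q", rec, 24, usn)
    struct.pack_into("<Q", rec, 32, datetime_to_filetime(when))
    struct.pack_into("<IIII", rec, 40, reason, 0, 0, 0x20)   # reason, source, security id, attrs
    struct.pack_into("<HH", rec, 56, len(name_bytes), 60)    # name length, name offset
    rec[60:60 + len(name_bytes)] = name_bytes
    return bytes(rec)


def parse_usn_records(data):
    """Walk $J content and return one dict per record."""
    records, off = [], 0
    while off + 60 <= len(data):
        length, major, minor = struct.unpack_from("<IHH", data, off)
        if length == 0:                      # zero padding before the first record
            off += 8
            continue
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor} at {off}")
        if length < 60 or off + length > len(data):
            raise ValueError(f"bad record length {length} at {off}")
        file_ref, parent_ref, usn, ts = struct.unpack_from("<QQQQ", data, off + 8)
        reason, source, sec_id, attrs = struct.unpack_from("<IIII", data, off + 40)
        name_len, name_off = struct.unpack_from("<HH", data, off + 56)
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        entry, seq = split_file_reference(file_ref)
        parent, _ = split_file_reference(parent_ref)
        records.append({
            "usn": usn, "entry": entry, "seq": seq, "parent": parent,
            "time": filetime_to_datetime(ts),
            "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
            "source": source, "security_id": sec_id, "attrs": attrs, "name": name,
        })
        off += length
    return records


def sample_journal():
    """Constructed $J data: a file is created, then renamed; not from a real volume."""
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    r1 = build_usn_record(40, 3, 5, 5, 0x1000, t0, 0x100 | 0x80000000, "notes.txt")
    r2 = build_usn_record(40, 3, 5, 5, 0x1000 + len(r1), t0 + timedelta(seconds=30),
                          0x2000 | 0x80000000, "notes-final.txt")
    return b"\x00" * 16 + r1 + r2


if __name__ == "__main__":
    for r in parse_usn_records(sample_journal()):
        print(r["time"].isoformat(), r["entry"], r["name"], r["reasons"])
```

Because the journal records the MFT entry and sequence number, an examiner can tie each change back to a specific file record even after the name has changed or the file has been deleted.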

