Presentation is loading. Please wait.

Presentation is loading. Please wait.

NTFS Filing System CHAPTER 9. New Technology File System (NTFS) Started with Window NT in 1993, Windows XP, 2000, Server 2003, 2008, and Window 7 also.

Published byAubrey Evans Modified over 9 years ago

Similar presentations

Presentation on theme: "NTFS Filing System CHAPTER 9. New Technology File System (NTFS) Started with Window NT in 1993, Windows XP, 2000, Server 2003, 2008, and Window 7 also."— Presentation transcript:

1 NTFS Filing System CHAPTER 9

2 New Technology File System (NTFS) Started with Window NT in 1993, Windows XP, 2000, Server 2003, 2008, and Window 7 also used later versions of NTFS. There is very little specifications from Microsoft published on it, so most of it is speculative. We will be doing a general overview of it.

3 Important Concept An important concept in understanding the NTFS design is that all data is allocated to files, including the file system itself. The file system files can be located anywhere in the volume, as would a regular file. NTFS does not have a normal File System Layout like FAT, where there are areas at the beginning of the volume reserved for these data.

4 Similarities with FAT The entire file system is considered a data, and any sector can be allocated to a file. The only constant within the NTFS file structure is that the first sectors contain the boot sector, similar to the volume boot in FAT.

5 Components of the NTFS Partition Boot Sector (PBR) – similar to VBR in FAT Master File Table (MFT) – similar to directory entry in FAT. $bitmap – similar to the FAT

6 Partition Boot Record Comprised of 16 sectors, as opposed to one sector with FAT. Only 8 sectors of the 16 sectors available are used.

7 Offset Byte offset 0-10 contains jump instructions and the OEM ID (NTFS). OEM – (Original Equipment Manufacturer) – represented by a string of characters that identifies the name and version number of the operating system that formatted the volume.

8 Offset 0-9 OEM ID – offset 0-9  NTFS EB 52 90 4E 54 46 53 20 20 20

9 Offset 3-6 Contains the ASCII “NTFS” 4E 54 46 53

10 Offset 11-63 Contains partition parameter information (PBR). Offset 64 - 509 contains the Boot Strap Code. Offset 510 – 511 by default contains the end of file marker with HEX value of 55AA

11

12 Master File Table Is the heart of NTFS file system. Contains much of the metadata. The MFT is much like database as it contains entries to track all data contained within the file system similar to FAT.’ The MFT contains an entry for every file and directory in the partition, including itself, which is named $MFT.

13 MFT Scattered throughout the disk structure unlike the FAT which it is constrained to a specified sector. By the MFT being scattered, it is consider to be dynamic and able to expand as necessary. It is not bounded or limited to certain number of files. Each entry (record) does however have a fixed length of 1,024 bytes. There are 512 bytes per sector, there are 2 sectors per MFT entry.

14 Determining the Location of the MFT To find the location of the MFT starting location, we must look at byte offset 48-55 (8 bytes) in the Boot record. The decimal value of these binary values gives us the Logical Cluster number for the $MFT. Don’t forget to (Little Endian)

15 Example Suppose Offset 48-55 contains the following: 00 00 0C 00 00 00 00 00 Little Endian 00 00 00 00 00 0C 00 00 Drop leading 0’s  0C 00 00 Convert to decimal  786,432 MFT will start at cluster offset 786,432

16 MFT The MFT views everything about the file as an attribute, metadata and data alike. The first byte of the MFT entry is the standard file record header The first 4 bytes of the MFT are combined to form the file identifier, “FILE”. It is this attribute that defines this sector as a record. If the file is small, sometimes the entirety of that file is stored within the MFT entry: this is called resident data

17 A File and Its Attributes If the file is too large for all its data to be contained within the MFT then the file is allocated to a cluster. The cluster runs are then stored in place of the resident data. Typically 480 bytes is the max length for resident files.

18 Attribute Two Parts Header – Identifies the attribute: file type, file size, and name. It has flags to identify if the attribute is compressed or encrypted. Header is generic and standard to all attributes. Content – Actual contents of the file for a resident file. Cluster location of file for nonresident files. Content is specific and unique and can be any size.

19 Attributes are stored one of two ways 1.Resident Attributes – Attributes that are stored directly within the file’s primary MFT record itself. Example: the name of the file, and its creation, modification, and access date/time stamps are resident for every file. 2.Non-Resident Attributes – If an attribute requires more space than is available within the MFT record, it then cannot be stored in that record. Instead, the attribute is placed in a separate location on the disk. A pointer is placed within the MFT that leads to the location of the attribute.

20 $Bitmap The $Bitmap is a file that represents cluster allocation within a partition. It identifies if a cluster is allocated or unallocated. Each bit within the $Bitmap represents that cluster is available for use or unallocated; if the bit has a value of one (1), then that cluster is unavailable or allocated. $Bitmap simple tells the system if the cluster is allocated or unallocated.

21 exFAT Microsoft’s Extended File Allocation Table (exFAT) was released with Windows Vista SP1 (Service Pack One). A file system designed for Flash memory storage and other external devices. ExFAT expands upon the file size, drive size, and directory limitation of older versions of FAT yet maintains the low overhead of FAT.

22 Advantages and Disadvantages A robust and complex file system like Windows NTFS allows for relatively efficient storage in extremely large drives. However, the overhead of efficient storage is the consumption of system resources, such as memory and processing power. In a system where resources are limited NTFS is inefficient. The NTFS file system consumes a lot of resources maintaining itself. ExFAT was designed for use in those areas where NTFS is an overkill and inefficient.

23 Alternative Filing System Concept Binary Search Tree Filing System Hierarchical data structure to place and locate files.

24 Binary Tree Terms Nodes – that are linked together as a parent of child. Parent Node – Above other nodes Child Node – Below parent nodes sometimes called leaves. Root – is the top node Traversing – checking all the nodes. Binary Tree is a data structure for rapid storing sorted data and retrieving

25 Apple HFS – Hierarchical File System - used by Apple. Introduced in 1995 replacing their legacy MFS – Macintosh Filing System

26 UNIX File System UFS – used by UNIX Operating System, also called Berkley File System Composition

27 EXT2 and EXT3 Linux Operating System default system. Linux supports many file systems but EXT is the default. EXT3 is the newer version of EXT2 basically the same. EXT stores all the data related to a file, unlike FAT or NTFS which stores metadata in separate locations.

Download ppt "NTFS Filing System CHAPTER 9. New Technology File System (NTFS) Started with Window NT in 1993, Windows XP, 2000, Server 2003, 2008, and Window 7 also."

Similar presentations

DAT2343 File Storage and Access © Alan T. Pinck / Algonquin College; 2003.

DAT2343 File Storage and Access © Alan T. Pinck / Algonquin College; 2003.
NTFS - The workhorse file system for the Windows Platform

NTFS - The workhorse file system for the Windows Platform
Chapter 12: File System Implementation

Chapter 12: File System Implementation
File Management.

File Management.
COMP091 – Operating Systems 1

COMP091 – Operating Systems 1
Operating Systems File Management.

Operating Systems File Management.
File Systems.

File Systems.
Allocation Methods - Contiguous

Allocation Methods - Contiguous
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
File Systems Examples.

File Systems Examples.
Chapter 10: File-System Interface

Chapter 10: File-System Interface
File System Analysis.

File System Analysis.
© Microsoft Corporation1 Windows Kernel Internals NTFS David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.

© Microsoft Corporation1 Windows Kernel Internals NTFS David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.
Operating Systems File Systems CNS 3060.

Operating Systems File Systems CNS 3060.
Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.

Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
Operating Systems File systems

Operating Systems File systems
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Similar presentations

Ads by Google