Understanding NTFS file system

by Kush Wadhwa, NII Consulting

In this article I will cover the basic concepts of NTFS file system. In NTFS (New Technologies File System) all important data like the basic file system administrative data are stored in a file and these files can be stored anywhere in a particular volume. These files don’t have reserved space as other file systems (FAT) have. Only thing which is consistent in NTFS is that the first sector of disk volume contains the boot sector and boot code.

Another important concept to be considered while understanding NTFS file system is MFT. Master File Table (MFT) is important to understand because it contains information about files and directories present on NTFS volume. Each file/directory will take defined space of 1 KB in the MFT. This 1 KB will contain lot of information like for MFT entry header, file’s name and file’s content. The first 42 bytes contains 12 fields. Remaining bytes are unstructured and can be filled with different attributes. Microsoft reserves first 16 MFT entries for file system metadata files.These 16 MFT entries are explained below.

0 $MFT The entry for the MFT itself

1 $MFTMirr Contains a backup of $MFT

2 $Logfile Information about metadata transaction

3 $Volume Volume information – for label

4 $AttrDef Attribute information such as size, identifier name

5 . Contains root directory of file system (Root directory is the name of file and its linked with the file content).

6 $BITMAP Information of allocation of each cluster on file system.

7 $BOOT Contains boot sector and boot code of file system.

8 $BadClust Contains bad clusters for the volume.

9 $Secure Information about security and access control for the files.

10 $Upcase Converts lowercase characters to matching Unicode uppercase characters.

11 $Extend Used for various optional extensions such as quotas, reparse point data, and object identifiers
12-15 reserved for future use.

To understand NTFS more in detail open up your NTFS drive in hex editor. I use Winhex as it is a very flexible tool. By using this tool we can directly jump to the MFT entries and can move further to see all the entries which are mentioned above.

In case your MFT entry is corrupted then the mirror of MFT i.e $MFTMirr is used. We can retrieve deleted files using the hex editor if we have enough knowledge of the location of file. We will discuss more on NTFS in coming articles. Till then happy experimenting

Author


Leave a Reply

Your email address will not be published. Required fields are marked *