Windows File System-NTFS File System

As the most popular personal computer operating system, Windows has become part of our study, work and life. Almost every day we open the file manager, enter a specific disk, and open specific files. Windows uses a file system to manage all files and disk space, and that file system is NTFS.

NTFS file system

This document is divided into two main parts:

1. Introduction to NTFS File System

2. File disk location calculation

Introduction to NTFS File System

NTFS (New Technology File System) is a file system for Windows introduced by Microsoft in 1993 to replace the original FAT file system and improve performance. NTFS has gone through several version updates since its launch; the update history is shown in the figure below. It can be seen that after the release of version 3.1 in 2001, NTFS has not been updated.

NTFS data structure

The structure of an NTFS partition is shown in the figure below. The entire partition is divided into three main areas:

1. VBR (Volume Boot Record): very important; it stores boot-related data and its size is 16 sectors;

2. File area: in NTFS everything is a file; metadata files, regular files and directories are all files;

3. BBS (Backup Boot Sector): the first sector of the partition is the partition boot record, which is the key to booting the system, so NTFS keeps a backup of the first sector in the last sector of the partition so that a damaged first sector can be repaired.

Files

Files can be divided into three types: metadata files, regular files and directories.

Metadata file

Any file system has metadata that describes file information, such as name, size, modification time, storage location, and so on. Note that NTFS metadata is itself stored in files: there are always 16 metadata files, their names all start with $, and they are hidden files.

View these files:

MFT (Master File Table)

This is a very important file: it contains the metadata of all files, and locating any file must go through the $MFT file. The MFT consists of file records; every file occupies at least one record, and the $MFT file itself occupies the first record.

An MFT file record (fixed size 1KB) consists of a record header and attributes. The record header is 42 or 48 bytes: before version 3.1 it was 42 bytes, and from 3.1 on it is 48 bytes. The data structure of the record header is defined as shown in the figure below.

File record attributes are divided into resident and non-resident attributes. A resident attribute's entire content is stored inside the file record; a non-resident attribute's content exceeds what fits in the file record and needs separately allocated space, for example when the file content is relatively large.

The offset of the first attribute is given in the file record header. The attributes supported by NTFS are defined in $AttrDef, and each attribute type has a unique ID. The common IDs are shown in the figure below.
File content

The file content is described by the $DATA attribute. Since the file record size is fixed at 1KB and the record header occupies 48 bytes, the space left in the record for file content will not exceed 976 bytes. If the file content is small enough, all of it is stored in the file record; otherwise extents are allocated for it. Extents are allocated in clusters, the basic allocation unit of NTFS; the cluster size is 4KB.
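The following script is an added example, not code from the original article: it parses a FILE record the way the description above lays it out (48-byte record header, first-attribute offset, resident versus non-resident attributes, $DATA type 0x80) and pulls out a resident $DATA value. The header and attribute layouts follow the standard NTFS 3.1 on-disk format; the record itself is constructed in memory, so the script runs offline. It also verifies the update-sequence fixups that NTFS stamps into the last two bytes of every sector of a record, a check a forensic parser needs before trusting any byte of a record.

```python
"""Parse an NTFS FILE record (an MFT entry) and extract a resident $DATA
attribute. Added example; the sample record is constructed, not read from disk."""
import struct

RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_DATA = 0x80                   # $DATA attribute type id
ATTR_END = 0xFFFFFFFF              # end-of-attributes marker
HEADER_FMT = "<4sHHQHHHHIIQHHI"    # 48-byte NTFS 3.1 record header


def apply_fixups(raw):
    """Verify and undo update-sequence fixups.

    NTFS writes the update sequence number (USN) into the last 2 bytes of each
    sector of the record and keeps the original bytes in the update sequence
    array (USA). A mismatch means a torn write or a record that was altered.
    """
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (bad signature)")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_count):          # entry 0 is the USN itself
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_header(rec):
    """Decode the 48-byte record header into a dict."""
    names = ("signature", "usa_offset", "usa_count", "lsn", "sequence_number",
             "link_count", "first_attr_offset", "flags", "used_size",
             "allocated_size", "base_record", "next_attr_id", "_pad",
             "record_number")
    return dict(zip(names, struct.unpack_from(HEADER_FMT, rec, 0)))


def iter_attributes(rec, first_attr_offset):
    """Yield one dict per attribute: resident ones carry their value,
    non-resident ones carry the raw data-run list that maps VCN -> LCN."""
    off = first_attr_offset
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            return
        if length < 16 or off + length > len(rec):
            raise ValueError(f"corrupt attribute length at offset {off:#x}")
        if rec[off + 8]:                                   # non-resident flag
            runs_off = struct.unpack_from("<H", rec, off + 0x20)[0]
            yield {"type": atype, "resident": False,
                   "data_runs": rec[off + runs_off:off + length]}
        else:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            yield {"type": atype, "resident": True,
                   "value": rec[off + voff:off + voff + vlen]}
        off += length
    raise ValueError("attribute list not terminated")


def resident_data(raw):
    """Return the content of a resident $DATA attribute, or None when the
    content is non-resident (stored in extents outside the record)."""
    rec = apply_fixups(raw)
    hdr = parse_header(rec)
    for attr in iter_attributes(rec, hdr["first_attr_offset"]):
        if attr["type"] == ATTR_DATA and attr["resident"]:
            return attr["value"]
    return None


def build_sample_record(content, record_number=0x5206):
    """Construct a minimal in-use FILE record holding `content` in a resident
    $DATA attribute (constructed test data, not a record read from a volume)."""
    rec = bytearray(RECORD_SIZE)
    usa_off, usa_count, usn = 0x30, 3, b"\x07\x00"
    first_attr = 0x38                      # header + 6-byte USA, 8-aligned
    attr_len = (24 + len(content) + 7) & ~7
    end_marker = first_attr + attr_len
    if end_marker + 8 > RECORD_SIZE:
        raise ValueError("content too large to be resident")
    struct.pack_into(HEADER_FMT, rec, 0, b"FILE", usa_off, usa_count, 0, 1, 1,
                     first_attr, 0x01, end_marker + 8, RECORD_SIZE, 0, 2, 0,
                     record_number)
    # Resident attribute header: type, length, non-resident flag, name length,
    # name offset, flags, attribute id, value length, value offset, indexed, pad.
    struct.pack_into("<IIBBHHHIHBB", rec, first_attr, ATTR_DATA, attr_len, 0, 0,
                     0x18, 0, 1, len(content), 0x18, 0, 0)
    rec[first_attr + 0x18:first_attr + 0x18 + len(content)] = content
    struct.pack_into("<I", rec, end_marker, ATTR_END)
    # Apply fixups: stash the last 2 bytes of each sector, then stamp the USN.
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    sample = build_sample_record(b"helios89")
    print(parse_header(apply_fixups(sample)))
    print(resident_data(sample))
```

A record whose content straddles a sector boundary still round-trips, because the fixup stash holds the two content bytes that the USN overwrote; flipping one of the stamped bytes makes `apply_fixups` refuse the record rather than return silently corrupted data.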

File disk location calculation

With the help of the fsutil tool provided by Microsoft, the range of disk space occupied by a file's data can be calculated. Depending on the size of the file, there are two situations.

Small file

A small file is one whose content fits in the file record, so no extents need to be allocated to store it; this is also the most inconvenient situation for the calculation.

First step:

Get the disk distribution range of the $MFT file as shown in the figure below. The command is: fsutil file queryextents <file path>

Output (there may be multiple lines, which indicates that the file's storage is not contiguous):

VCN: virtual cluster number, the offset within the file, in clusters;

Clusters: the extent size, in clusters;

LCN: logical cluster number, the offset of the extent relative to the partition, in clusters.

In this way you know that the $MFT file starts at cluster 0xc0000 (786432 decimal) of the partition (cluster size 4096), i.e. at 786432 * 4096 = 3221225472 bytes, and that its size is 0x1640 (5696 decimal) clusters, i.e. 5696 * 4096 = 23330816 bytes.

Second step:

Get the location of the file within the $MFT file. The lower 4 bytes of the file reference number give the location of the file's record in the $MFT file. The file reference number is found as shown in the figure below: it can be obtained with fsutil volume filelayout <file path>. Here it is 0x0007000000005206, whose lower 4 bytes are 0x5206, which means the file record of E:\12.txt is record 0x5206 (20998 decimal) of $MFT.

A file record is fixed at 1KB, so the file record of E:\12.txt is located at offset 20998 * 1024 = 21501952 = 0x1481800 in $MFT.

Use FTK to see what is at 0x1481800 in $MFT, as shown in the figure below: the characters "FILE" mark a file record, the second purple box shows that the file name matches, and the third purple box is the file content "helios89". Compare this with the content of 12.txt, shown in the figure below: it can be seen that the calculated position of E:\12.txt in $MFT is correct. Now the distribution range of $MFT in the partition is known and the position of E:\12.txt within $MFT is known, so a simple calculation gives the distribution range of E:\12.txt in the partition.

Large file

A large file is one whose content cannot be contained in the file record, so extents must be allocated to store it. This kind of file is the easiest to calculate the data distribution range for: refer to the first step of the small-file calculation.

Partition offset

The results above are offsets within the partition; to get the offset on the disk, the partition offset must be added. The partition offset can be viewed with the FTK software.

The method is as follows:

Select [File] -> [Add Evidence Item...]; in the pop-up box shown below, select [Physical Drive], click [Next] to select the disk, and click Finish.

Select [Properties] in [View] to display the properties box.

Select a partition in the [Evidence Tree] on the left; the offset of the partition (in sectors) is shown in the properties box, as in the figure below.
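The following script is an added example, not code from the original article: it carries the two-step small-file calculation above through to a physical disk offset. The fsutil output is constructed to reproduce the article's $MFT figures (LCN 0xc0000, 0x1640 clusters) with a second extent added so the VCN-to-LCN map is not contiguous, which the article notes can happen; the script therefore looks the record's cluster up in the extent map instead of assuming $MFT is one run. The cluster size 4096, record size 1024, sector size 512 and the partition start sector of 2048 are assumptions.

```python
"""Locate a small file's MFT record on disk: record number -> offset in $MFT
-> offset in the partition (via the extent map) -> offset on the disk.
Added example; all input values are constructed."""
import re

CLUSTER_SIZE = 4096      # assumed cluster size, as in the article
RECORD_SIZE = 1024       # MFT file record size
SECTOR_SIZE = 512        # assumed sector size

# Constructed "fsutil file queryextents" output for $MFT (two extents).
SAMPLE_EXTENTS = """\
VCN: 0x0      Clusters: 0x1640   LCN: 0xc0000
VCN: 0x1640   Clusters: 0x200    LCN: 0x1a000
"""

_EXTENT_RE = re.compile(
    r"VCN:\s*(0x[0-9a-fA-F]+)\s+Clusters:\s*(0x[0-9a-fA-F]+)\s+LCN:\s*(0x[0-9a-fA-F]+)")


def parse_extents(text):
    """Return [(vcn, cluster_count, lcn), ...] parsed from fsutil output."""
    extents = []
    for line in text.splitlines():
        m = _EXTENT_RE.search(line)
        if m:
            extents.append(tuple(int(x, 16) for x in m.groups()))
    if not extents:
        raise ValueError("no extents found in fsutil output")
    return extents


def mft_record_number(file_reference):
    """Record number from a file reference number. The low 48 bits hold the
    record number and the top 16 bits a sequence number; for the article's
    0x0007000000005206 the low 4 bytes it reads give the same 0x5206."""
    return file_reference & 0xFFFFFFFFFFFF


def file_to_volume_offset(extents, file_offset):
    """Map a byte offset inside a file to a byte offset inside the volume
    using the VCN -> LCN extent map, so non-contiguous files work too."""
    vcn = file_offset // CLUSTER_SIZE
    for start_vcn, count, lcn in extents:
        if start_vcn <= vcn < start_vcn + count:
            return (lcn + (vcn - start_vcn)) * CLUSTER_SIZE + file_offset % CLUSTER_SIZE
    raise ValueError(f"file offset {file_offset:#x} is not mapped by any extent")


def locate_record(mft_extents_text, file_reference, partition_start_sector):
    """Return (offset_in_mft, offset_in_volume, offset_on_disk) for the
    MFT record that belongs to file_reference."""
    extents = parse_extents(mft_extents_text)
    in_mft = mft_record_number(file_reference) * RECORD_SIZE
    in_volume = file_to_volume_offset(extents, in_mft)
    on_disk = partition_start_sector * SECTOR_SIZE + in_volume
    return in_mft, in_volume, on_disk


if __name__ == "__main__":
    in_mft, in_vol, on_disk = locate_record(SAMPLE_EXTENTS, 0x0007000000005206, 2048)
    print(f"record offset in $MFT:   {in_mft:#x} ({in_mft})")
    print(f"offset in partition:     {in_vol:#x} ({in_vol})")
    print(f"offset on physical disk: {on_disk:#x} ({on_disk})")
```

For the article's values this yields 0x1481800 (21501952) inside $MFT and 3221225472 + 21501952 = 3242727424 inside the partition; with the assumed start sector 2048 the disk offset is 3243776000. An offset that falls past the last extent raises instead of producing a number, which is the case to watch for when an $MFT has grown and fsutil output was captured earlier.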

Concluding remarks

As the most popular personal computer operating system, Windows also demonstrates the power and stability of the NTFS file system. This document is only a brief introduction to NTFS; there are many more technical principles worth continued study, so let us move on.


Origin blog.51cto.com/15024210/2616606