"NTFS: Make your hard disk safer and more efficient!" A detailed explanation of the NTFS file system

NTFS (New Technology File System) is a modern file system and one of the most widely used file systems in the Windows operating system. It is efficient, reliable, and secure, and supports features such as mass storage, file encryption, compression, and permission control. This article describes in detail the structure of the NTFS file system, the $Boot file, the $MFT metafile, file records, the analysis of attribute headers and attribute bodies, the calculation of MFT offset addresses, and the approach to traversing a partition's file list.

1. The structure of the NTFS file system

The NTFS file system consists of three main parts: the boot sector, file records, and metafiles. The boot sector contains the boot code and the partition table; file records store the data and metadata of files; and the metafiles store the metadata of the file system itself.

Boot sector: The boot sector of the NTFS file system contains the boot code and the partition table. The boot code is the program code used to start the operating system, and the partition table records information about the partition, including its starting position, size, and type.

File record: File records in the NTFS file system store the data and metadata of files. Each file record contains the file's attribute information, file name, file data, and so on. File records have a fixed size, usually 1 KB or 4 KB.

Metafile: Metafiles in the NTFS file system store the metadata of the file system itself. This metadata includes file system information, file record information, disk space allocation, and so on. The metafiles usually include $MFT (the file record table), $Bitmap (the bitmap), $LogFile (the log file), and others.

2. $Boot file

The $Boot file is a special file in the NTFS file system that contains basic information about the file system, such as the file system version, cluster size, and partition size. The size of the $Boot file is 512 bytes, and its structure is as follows:

![NTFS_Boot_File_Structure](https://i.imgur.com/5YJjZJy.png)

The fields are:

- Jump: the jump instruction that transfers control to the boot code.
- OEM ID: identifies the file system.
- Bytes Per Sector: the number of bytes per sector.
- Sectors Per Cluster: the number of sectors in each cluster.
- Reserved Sectors: the number of reserved sectors.
- Media Descriptor: the type of disk media.
- Sectors Per Track: the number of sectors per track.
- Number of Heads: the number of heads.
- Hidden Sectors: the number of hidden sectors.
- Total Sectors: the total number of sectors in the partition.
- MFT Start Cluster: the starting cluster number of the $MFT metafile.
- MFT Mirror Start Cluster: the starting cluster number of the $MFT mirror file.
- Clusters Per MFT Record: the number of clusters occupied by each $MFT record.
- Clusters Per Index Block: the number of clusters occupied by each index block.
- Volume Serial Number: the volume serial number.
- Checksum: used to verify the $Boot file.

3. $MFT metafile

The $MFT metafile is a special file in the NTFS file system that holds information about all file records in the file system. The size of the $MFT metafile is typically 1024 clusters, each cluster having the size defined in the $Boot file. The structure of the $MFT metafile is as follows:

![NTFS_MFT_File_Structure](https://i.imgur.com/2zL7tq7.png)

The file header contains basic information about the file, such as the file name and file attributes. The file record contains the file's attribute information, file name, file data, etc. Each file record has a fixed size, usually 1 KB or 4 KB, and a unique identifier called the File Record Number (FRN). The first file record in the $MFT metafile is $MFT itself, which has file record number 0.

4. File records

File records in the NTFS file system store file data and metadata. Each file record contains the file's attribute information, file name, file data, and so on. File records have a fixed size, usually 1 KB or 4 KB, and are structured as follows:

![NTFS_File_Record_Structure](https://i.imgur.com/5ZKqL6j.png)

The file header contains basic information about the file, such as the file name and file attributes. The file record contains the file's attribute information, file name, file data, etc. Each file record has a unique identifier called the File Record Number (FRN).

5. MFT offset address calculation

In the NTFS file system, each file record has a unique identifier called the File Record Number (FRN). To access a file record, you need to find its offset address within the $MFT metafile. The offset address is calculated as follows:

$MFTOffset = MFTStartCluster * ClusterSize + FRN * RecordSize

Here, MFTStartCluster is the starting cluster number of the $MFT metafile, ClusterSize is the size of a cluster, FRN is the file record number, and RecordSize is the size of a file record.
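As an added example (not code from the original article), the following Python decodes the $Boot fields listed in section 2 from a constructed 512-byte sector and then applies the offset formula above. The sample values are made up, and the signed interpretation of Clusters Per MFT Record is a detail of the on-disk format that the article's field list does not mention.

```python
import struct

BOOT_FIELDS = {  # article's $Boot fields -> (byte offset in the sector, struct format); little-endian
    "OEM ID": (0x03, "8s"),                    "Bytes Per Sector": (0x0B, "<H"),
    "Sectors Per Cluster": (0x0D, "B"),        "Reserved Sectors": (0x0E, "<H"),
    "Media Descriptor": (0x15, "B"),           "Sectors Per Track": (0x18, "<H"),
    "Number of Heads": (0x1A, "<H"),           "Hidden Sectors": (0x1C, "<I"),
    "Total Sectors": (0x28, "<Q"),             "MFT Start Cluster": (0x30, "<Q"),
    "MFT Mirror Start Cluster": (0x38, "<Q"),  "Clusters Per MFT Record": (0x40, "b"),
    "Clusters Per Index Block": (0x44, "b"),   "Volume Serial Number": (0x48, "<Q"),
    "Checksum": (0x50, "<I"),
}

def parse_boot(sector: bytes) -> dict:
    """Decode the $Boot fields; reject anything that is not a 512-byte NTFS boot sector."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("bad boot sector length or missing 0x55AA signature")
    boot = {n: struct.unpack_from(f, sector, o)[0] for n, (o, f) in BOOT_FIELDS.items()}
    if boot["OEM ID"] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    return boot

def cluster_size(boot: dict) -> int:
    return boot["Bytes Per Sector"] * boot["Sectors Per Cluster"]

def record_size(boot: dict) -> int:
    """Bytes per $MFT record. The field is signed: v > 0 counts clusters, v < 0 means 2**(-v) bytes."""
    v = boot["Clusters Per MFT Record"]
    return v * cluster_size(boot) if v > 0 else 1 << -v

def mft_offset(boot: dict, frn: int) -> int:
    """Section 5: MFTOffset = MFTStartCluster * ClusterSize + FRN * RecordSize."""
    return boot["MFT Start Cluster"] * cluster_size(boot) + frn * record_size(boot)

def build_boot(values: dict) -> bytes:   # used only to construct the sample sector below
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"           # jump instruction
    for name, (off, fmt) in BOOT_FIELDS.items():
        struct.pack_into(fmt, sec, off, values[name])
    sec[0x1FE:] = b"\x55\xAA"            # boot sector signature
    return bytes(sec)

# Constructed sample (not read from a real disk): 4 KiB clusters, $MFT at cluster 786432, 1 KiB records.
SAMPLE_BOOT = build_boot({
    "OEM ID": b"NTFS    ", "Bytes Per Sector": 512, "Sectors Per Cluster": 8, "Reserved Sectors": 0,
    "Media Descriptor": 0xF8, "Sectors Per Track": 63, "Number of Heads": 255, "Hidden Sectors": 2048,
    "Total Sectors": 0x3FFFFFF, "MFT Start Cluster": 786432, "MFT Mirror Start Cluster": 2,
    "Clusters Per MFT Record": -10, "Clusters Per Index Block": 1,
    "Volume Serial Number": 0x1234567890ABCDEF, "Checksum": 0,
})
```

On a real volume the first 512 bytes of the partition are fed to `parse_boot` in the same way; the OEM ID and 0x55AA checks are what distinguish an NTFS boot sector from stray data.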

6. Attribute header analysis

A file record in the NTFS file system contains multiple attributes, and each attribute has an attribute header and an attribute body. The attribute header contains basic information about the attribute, such as its type, length, and flags. The structure of the attribute header is as follows:

![NTFS_Attribute_Header_Structure](https://i.imgur.com/2Uq6J1Q.png)

Here, Type indicates the attribute type; Length, the length of the attribute; Non-Resident, whether the attribute is non-resident; NameLength, the length of the attribute name; NameOffset, the offset of the attribute name; Flags, the attribute flags; and AttributeID, the identifier of the attribute.

7. Attribute body analysis

A file record in the NTFS file system contains multiple attributes, and each attribute has an attribute header and an attribute body. The attribute body holds the actual content of the attribute, such as file data, the file name, or file attributes. The structure of the attribute body depends on the attribute type; the most common types are introduced below as examples.

7.1 $STANDARD_INFORMATION attribute

The $STANDARD_INFORMATION attribute contains basic information about the file, such as its creation time, modification time, access time, and file attributes. The structure of the $STANDARD_INFORMATION attribute is as follows:

![NTFS_STANDARD_INFORMATION_Attribute_Structure](https://i.imgur.com/6wQK9gE.png)

Here, CreationTime is the creation time of the file, LastAccessTime is the last access time, LastWriteTime is the last modification time, and FileAttributes holds the file's attributes, such as read-only, hidden, and system.

7.2 $FILE_NAME attribute

The $FILE_NAME attribute contains information such as the file's name, size, creation time, modification time, and access time. The structure of the $FILE_NAME attribute is as follows:

![NTFS_FILE_NAME_Attribute_Structure](https://i.imgur.com/7hjyJ3Y.png)

Here, ParentDirectory is the FRN of the directory containing the file, CreationTime is the creation time of the file, LastAccessTime is the last access time, LastWriteTime is the last modification time, FileSize is the size of the file, Flags holds the file's flags (such as read-only, hidden, and system), FileNameLength is the length of the file name, and FileName is the file name itself.

7.3 $DATA attribute

The $DATA attribute contains the file's data. The structure of the $DATA attribute is as follows:

![NTFS_DATA_Attribute_Structure](https://i.imgur.com/5mXyL9G.png)

Here, Non-Resident indicates whether the data is stored as a non-resident attribute, DataRuns is the run list describing where the data is stored, and Data is the data content itself.

7.4 $INDEX_ROOT attribute

The $INDEX_ROOT attribute contains the index information of a directory. The structure of the $INDEX_ROOT attribute is as follows:

![NTFS_INDEX_ROOT_Attribute_Structure](https://i.imgur.com/6WjJ9Km.png)

Here, Type indicates the type of the index, CollationRule is the collation rule, BytesPerIndexRecord is the size of each index record, ClustersPerIndexRecord is the number of clusters occupied by each index record, IndexEntriesOffset is the offset of the index records, IndexEntriesLength is the length of the index records, and IndexEntries holds the content of the index records.

8. Approach to traversing the partition's file list

To traverse all files in an NTFS file system, first locate the starting cluster number and size of the $MFT metafile, then read the contents of the $MFT metafile, parse each file record, and extract its attribute information, file name, file data, etc. The traversal proceeds as follows:

1. Read the $Boot file to obtain the cluster size and the starting cluster number of the $MFT metafile.

2. Calculate the size of the $MFT metafile and read the contents of the $MFT metafile.

3. Parse each file record in the $MFT metafile to obtain file attribute information, file name, file data, etc.

4. If the file is a directory, traverse all files under the directory.

5. If the file data is non-resident, read the DataRuns list to get the location and size of the data, then read the data.

6. If the file has an index attribute, read the IndexEntries list, obtain the position and size of the index records, parse the index records, and obtain the attribute information, file name, and file data of the files they reference.

7. Repeat steps 3 to 6 until the entire partition has been traversed.
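As an added example, not code from the original article, the following Python implements step 3 above on one file record: it walks the attribute headers described in section 6 and decodes the resident $STANDARD_INFORMATION and $FILE_NAME bodies from section 7. The record bytes are constructed inline; the offsets not named in the article (value length and offset in a resident header, the DataRuns offset, the FILETIME epoch, the 48-bit parent reference, the UTF-16LE name) are taken from the standard NTFS on-disk layout.

```python
import struct
from datetime import datetime, timedelta, timezone

# Attribute header fields from the article: Type, Length, Non-Resident,
# NameLength, NameOffset, Flags, AttributeID (16 bytes, little-endian).
ATTR_HDR = struct.Struct("<IIBBHHH")
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def filetime(ticks: int) -> datetime:   # NTFS timestamps are Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_record(rec: bytes) -> dict:
    """Walk the attributes of one $MFT file record (step 3 of the traversal). Caveat: records
    read from disk carry update-sequence fixups (USA at 0x04) that must be undone first."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out, pos = {"is_directory": bool(flags & 0x02), "attrs": []}, first_attr
    while struct.unpack_from("<I", rec, pos)[0] != END_MARKER:
        typ, length, nonres, _nlen, _noff, aflags, aid = ATTR_HDR.unpack_from(rec, pos)
        if length < ATTR_HDR.size or pos + length > len(rec):
            raise ValueError(f"attribute at {pos:#x} has bad length {length}")
        attr = {"type": typ, "id": aid, "non_resident": bool(nonres), "flags": aflags}
        if nonres:                      # value lives in clusters listed by DataRuns (offset field at 0x20)
            attr["data_runs_offset"] = struct.unpack_from("<H", rec, pos + 0x20)[0]
        else:                           # resident: ValueLength at 0x10, ValueOffset at 0x14
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + voff:pos + voff + vlen]
            if typ == STANDARD_INFORMATION:   # created, written, MFT-changed, accessed, attributes
                c, w, _m, a, fa = struct.unpack_from("<QQQQI", body)
                attr.update(created=filetime(c), written=filetime(w), accessed=filetime(a), file_attributes=fa)
            elif typ == FILE_NAME:            # parent FRN = low 48 bits of the reference; name is UTF-16LE
                parent, size, fflags, nchars = struct.unpack_from("<Q40xQI4xB", body)
                attr.update(parent_frn=parent & 0xFFFFFFFFFFFF, size=size, flags=fflags,
                            file_name=body[0x42:0x42 + 2 * nchars].decode("utf-16-le"))
        out["attrs"].append(attr)
        pos += length
    return out

def _resident_attr(typ: int, body: bytes, attr_id: int) -> bytes:   # sample construction only
    length = (0x18 + len(body) + 7) & ~7                              # attributes are 8-byte aligned
    hdr = ATTR_HDR.pack(typ, length, 0, 0, 0x18, 0, attr_id) + struct.pack("<IHxx", len(body), 0x18)
    return (hdr + body).ljust(length, b"\0")

# Constructed sample record (not from a real volume): "secret.txt", 1234 bytes, parent FRN 5.
T0, NAME = 132_000_000_000_000_000, "secret.txt".encode("utf-16-le")   # T0 = 2019-04-17 18:40:00 UTC
HDR = b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, 0x01) + bytes(0x20)  # first attr at 0x38, in use
SAMPLE_RECORD = HDR + b"".join([
    _resident_attr(STANDARD_INFORMATION, struct.pack("<QQQQI", T0, T0 + 10**7, T0, T0 + 2 * 10**7, 0x20).ljust(48, b"\0"), 0),
    _resident_attr(FILE_NAME, struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), T0, T0, T0, T0, 4096, 1234, 0x20, 0, len(NAME) // 2, 3) + NAME, 1),
]) + struct.pack("<I", END_MARKER)
```

The length check on each attribute header is what keeps a corrupt or truncated record from walking the parser off the end of the buffer.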

Summary

This article has introduced in detail the structure of the NTFS file system, the $Boot file, the $MFT metafile, file records, and the analysis of attribute headers and attribute bodies.

Origin blog.csdn.net/weixin_74021557/article/details/131200120