File System Forensics
THINK BIG WE DO
URI http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics

NTFS Master File Table Layout
Master File Table ($MFT)
- Location and attributes for all files on the partition
- Including the other metafiles

[Diagram: NTFS partition laid out as $BOOT, $MFT, Data and $MFTMirr]

NTFS Metafiles
Record  Metafile    Description
0       $MFT        Self reference to the Master File Table
1       $MFTMirr    Backup of the first four MFT FILE records
2       $LogFile    Helps to preserve file system consistency after a system error
3       $Volume     Volume information (name, number, etc.)
4       $AttrDef    Definitions of supported file attributes
5       . (dot)     Root directory of the volume
6       $Bitmap     Bit representation of used/free clusters on the volume
7       $Boot       Boot sector of the volume (not encrypted on a BitLocker volume)
8       $BadClus    List of bad clusters on the volume
9       $Secure     Security descriptors for all files
10      $UpCase     Table of Unicode uppercase characters for sorting
11      $Extend     For optional extensions:
          $Quota    Disk space allocated to and used by each user
          $UsnJrnl  Changes made to files
          $Reparse  Shortcuts, mount points and junctions
          $ObjId    Alternate way to reference a file
12-14               Reserved for future use (not used or empty)
15-23               Extension records for the MFT if it is heavily fragmented
24+                 Records for regular files
Master File Table ($MFT)
- Location and attributes for all files on the partition, including the other metafiles
- Each FILE record is usually 1024 bytes
  - MFT header: the first 42 bytes
  - Attributes: the remaining bytes

[Diagram: MFT FILE record = MFT Header | Attribute | Attribute | Attribute | Attribute | Unused Space]
MFT Record Header

Hex   Dec  Bytes  Description
0x00  0    4      Signature [46 49 4C 45] "FILE"
0x04  4    2      Offset to fix-up array
0x06  6    2      Number of entries in fix-up array
0x08  8    8      Logfile sequence number (LSN)
0x10  16   2      Incremental sequence value
0x12  18   2      Hard link count
0x14  20   2      Offset to start of attributes
0x16  22   2      Flags (in-use and directory)
0x18  24   4      Used size of MFT entry
0x1C  28   4      Allocated size of MFT entry
0x20  32   8      File reference to base record
0x28  40   2      Next attribute ID
0x2A  42   2      Fix-up codes and attributes
0x2C  44   4      $MFT file record number
Bytes 42-1024     Fix-up codes and attributes

Other possible signatures:
46 49 4C 45  FILE
49 4E 44 58  INDX
42 41 41 44  BAAD
MFT Record Header, annotated on a sample record:
- Logfile sequence number
- Incremental sequence value (use count)
- Hard link count
- Offset to first attribute
- Flags: 00 00 = deleted file; 01 00 = existing (in-use) file; 02 00 = deleted directory; 03 00 = existing (in-use) directory
- Number of bytes used in this record
- Number of bytes allocated for this record
- Reference to base MFT record (only used if the file's attributes could not fit into a single record)
- Next attribute ID
- MFT record ID
This is the only MFT record for this file. There should be four attributes.
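To show how the header fields above are read in practice, here is an added Python example (not from the URI slides) that first undoes the fix-up array and then decodes the header of a constructed 1024-byte record; the sample bytes, the 0x30 fix-up array offset and the 0x38 attribute offset are assumptions, and the record number is read from 0x2C as the table states.

```python
import struct

FLAG_NAMES = {0: "deleted file", 1: "in-use file",        # flags at 0x16, per the slide
              2: "deleted directory", 3: "in-use directory"}

def apply_fixups(record, sector_size=512):
    """Undo the fix-up array: NTFS stamps the update sequence number (USN) over the last
    2 bytes of every sector and keeps the originals in the array; a mismatch = torn write."""
    fixup_off, fixup_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[fixup_off:fixup_off + 2]
    fixed = bytearray(record)
    for i in range(1, fixup_count):                   # entry 0 is the USN itself
        end = i * sector_size
        if fixed[end - 2:end] != usn:
            raise ValueError(f"fix-up mismatch in sector {i - 1}")
        fixed[end - 2:end] = record[fixup_off + 2 * i:fixup_off + 2 * i + 2]
    return bytes(fixed)

def parse_mft_header(record):
    """Decode the header fields of the table above from a fixed-up record."""
    sig = record[0:4]
    if sig not in (b"FILE", b"BAAD"):
        raise ValueError(f"not an MFT record: {sig!r}")
    (fixup_off, fixup_cnt, lsn, seq, links, attr_off, flags, used, alloc,
     base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", record, 0x04)
    return {"signature": sig.decode(), "lsn": lsn, "sequence": seq,
            "hard_links": links, "attr_offset": attr_off,
            "flags": FLAG_NAMES[flags & 3], "used": used, "allocated": alloc,
            # file reference = 48-bit record number + 16-bit sequence number
            "base_record": base_ref & 0xFFFFFFFFFFFF, "base_seq": base_ref >> 48,
            "next_attr_id": next_id,
            "record_number": struct.unpack_from("<I", record, 0x2C)[0]}

def build_sample_record():
    """Constructed on-disk record (not real evidence): two 512-byte sectors, USN
    0x0001, original sector-end bytes AA BB and CC DD kept in the fix-up array."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQH", rec, 0x04, 0x30, 3, 0x1234, 5, 1,
                     0x38, 1, 0x1A0, 1024, 0, 4)
    struct.pack_into("<I", rec, 0x2C, 7)              # this is MFT record 7
    rec[0x30:0x36] = b"\x01\x00\xAA\xBB\xCC\xDD"     # USN, then the two originals
    rec[510:512] = b"\x01\x00"                         # USN stamped on sector ends
    rec[1022:1024] = b"\x01\x00"
    return bytes(rec)

def demo():
    fixed = apply_fixups(build_sample_record())
    return parse_mft_header(fixed), fixed[510:512], fixed[1022:1024]
```

A record whose sector-end bytes do not match the USN should be treated as damaged rather than parsed further, which is why apply_fixups raises instead of silently patching.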
Master File Table ($MFT)
- Location and attributes for all files on the partition, including the other metafiles
- Each FILE record is usually 1024 bytes
  - MFT header: the first 42 bytes
  - Attributes: the remaining bytes
- Each attribute has
  - a header (16 bytes)
  - the location and size of its content (8 or 56 bytes)
  - the content itself (size varies): the details of the attribute

[Diagram: MFT FILE record = MFT Header | Attr Header, Loc/Size, Content | Attr Header, Loc/Size, Content | Attr Header, Loc/Size | Attr Header, Loc/Size | Unused Space]

"Resident": the content is stored in this FILE record.
"Non-resident": the content is stored at another location in the partition.

A file may need more than one MFT record to hold its attributes.
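Added example, not from the slides: a Python walker for the attributes that follow the header. It reads the 16-byte attribute header, pulls resident content straight out of the record, and for a non-resident attribute decodes the run list that says where in the partition the content lives (this goes a step beyond the slide, which only names the two cases); the field offsets inside the attribute headers and all sample values are assumptions made for this example.

```python
import struct

ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def decode_runlist(data):
    """Run list -> [(start_cluster, cluster_count)]. Header byte: low nibble = size of the
    length field, high nibble = size of the signed offset (relative to the previous run)."""
    runs, pos, lcn = [], 0, 0
    while data[pos] != 0:                             # 0x00 header byte ends the list
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(data[pos + 1 + len_sz:pos + 1 + len_sz + off_sz],
                              "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + len_sz + off_sz
    return runs

def walk_attributes(record):
    """Yield attributes from 'offset to attributes' (0x14) up to the 0xFFFFFFFF end marker."""
    pos = struct.unpack_from("<H", record, 0x14)[0]
    while struct.unpack_from("<I", record, pos)[0] != 0xFFFFFFFF:
        atype, alen, nonres, name_len, name_off = struct.unpack_from("<IIBBH", record, pos)
        a = {"type": ATTR_TYPES.get(atype, hex(atype)), "resident": not nonres,
             "name": record[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")}
        if not nonres:                    # resident: content size (4) and offset (2) at +0x10
            size, off = struct.unpack_from("<IH", record, pos + 0x10)
            a["content"] = record[pos + off:pos + off + size]
        else:                             # non-resident: run-list offset at +0x20, real size at +0x30
            run_off = struct.unpack_from("<H", record, pos + 0x20)[0]
            a["real_size"] = struct.unpack_from("<Q", record, pos + 0x30)[0]
            a["runs"] = decode_runlist(record[pos + run_off:pos + alen])
        yield a
        pos += alen

def build_sample_attributes():
    """Constructed record (not real evidence): resident $DATA b'hello', then a
    non-resident $DATA of 6 clusters at made-up LCNs 100-103 and 50-51."""
    rec = bytearray(b"FILE" + bytes(1020))
    struct.pack_into("<H", rec, 0x14, 0x38)                           # first attribute at 0x38
    struct.pack_into("<IIBBHHH", rec, 0x38, 0x80, 32, 0, 0, 0, 0, 1)  # resident $DATA header
    struct.pack_into("<IH", rec, 0x48, 5, 0x18)                       # content size, offset
    rec[0x50:0x55] = b"hello"
    struct.pack_into("<IIBBHHH", rec, 0x58, 0x80, 80, 1, 0, 0x40, 0, 2)  # non-resident $DATA
    struct.pack_into("<QQH", rec, 0x68, 0, 5, 0x40)                   # start VCN, end VCN, run offset
    struct.pack_into("<QQ", rec, 0x80, 6 * 4096, 20000)               # allocated size, real size
    rec[0x98:0xA1] = bytes([0x21, 0x04, 0x64, 0x00,                   # 4 clusters at LCN 100
                            0x21, 0x02, 0xCE, 0xFF, 0x00])            # 2 clusters at 100-50, end
    rec[0xA8:0xAC] = b"\xFF\xFF\xFF\xFF"                              # end-of-attributes marker
    return bytes(rec)
```

Run the walker on a record that has already had its fix-ups applied; the non-resident case is why a carved MFT record alone is not enough to recover a file's content.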