Windows XP File System Management

Group D

Post on 19-Dec-2015


3 Layers of Drivers

• Filter Drivers
– Virus protection, compression, encryption

• File System Drivers
– Implement FS format (NTFS - XP, FAT)

• Volume Drivers
– Control hardware device

File System Drivers

• Fulfill I/O requests with I/O Manager

• Use file object pointers to determine file location

• Read requests traverse driver layers

• Link between logical (user) and physical representation (storage)

File System Drivers

• Local
– Process I/O for hardware devices

• Remote
– Transfer files to / from remote file servers via network protocols

• Support for file system independent of file storage volume

Master File Table (MFT)

• NTFS uses MFT entries to define the files to which they correspond. All information about a file, including its size, time and date stamps, permissions, and data content is either stored in MFT entries or in space external to the MFT but described by the MFT entries.

• As files are added to an NTFS volume, more entries are added to the MFT and so the MFT increases in size. When files are deleted from an NTFS volume, their MFT entries are marked as free and may be reused, but the MFT does not shrink. Thus, space used by these entries is not reclaimed from the disk.

Master File Table (MFT)

To learn MFT size, follow these instructions:

Start → All Programs → Accessories → System Tools → Disk Defragmenter

Simplified illustration of the MFT structure

Master File Table (MFT)

• The first record of this table describes the master file table itself, followed by an MFT mirror record. If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT. The locations of the data segments for both the MFT and MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk.

Master File Table (MFT)

• The third record of the MFT is the log file, used for file recovery. The seventeenth and following records of the master file table are for each file and directory (also viewed as a file by NTFS) on the volume.

MFT Record for a Small File or Directory

Data Streams

Where the contents of an NTFS file are; multiple data streams allowed in one file:

• Default
– the contents of the file;

• Alternate
– meta and supplemental data;

• Attribute type
– Data

• Attribute name
– how NTFS differentiates between alternate data streams
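How the attribute type and attribute name separate the default stream from alternate ones, as an added example that is not part of the original slides: it walks the attributes of one MFT FILE record and reports every Data attribute, so any named stream stands out during a forensic review. The offsets follow the standard NTFS attribute header; the sample record and the stream name "meta" are constructed, and update-sequence fixups, which a record read from a real volume needs first, are not applied.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF      # $DATA attribute type, end-of-attributes marker

def list_data_streams(record: bytes) -> list:
    """Return (name, resident, size) for each $DATA attribute in a FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]        # first attribute offset
    streams = []
    while off + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END:
            break
        if alen < 16 or off + alen > len(record):
            raise ValueError("corrupt attribute length")
        non_res, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        if atype == DATA:
            raw = record[off + name_off:off + name_off + 2 * name_len]
            name = raw.decode("utf-16-le")                  # "" is the default stream
            size_at, fmt = (0x30, "<Q") if non_res else (0x10, "<I")
            size = struct.unpack_from(fmt, record, off + size_at)[0]
            streams.append((name, not non_res, size))
        off += alen
    return streams

def alternate_streams(record: bytes) -> list:
    """Names of the named (alternate) $DATA streams only."""
    return [name for name, _, _ in list_data_streams(record) if name]

def resident_attr(atype: int, name: str, content: bytes) -> bytes:
    """Build one resident attribute (helper for the constructed sample)."""
    n = name.encode("utf-16-le")
    content_off = (0x18 + len(n) + 7) & ~7
    total = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0,
                      len(content), content_off, 0, 0)
    return (hdr + n).ljust(content_off, b"\0") + content.ljust(total - content_off, b"\0")

def sample_record() -> bytes:
    """Constructed 1024-byte FILE record with a default and a named stream."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, 0x01)          # attrs offset, in-use flag
    attrs = resident_attr(DATA, "", b"visible contents") \
        + resident_attr(DATA, "meta", b"supplemental data")
    return (bytes(hdr) + attrs + struct.pack("<I", END)).ljust(1024, b"\0")
```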

File Compression

Transparent to applications

• Done at system level

• Same API calls for both compressed and uncompressed files

Lempel-Ziv

• “I am fat and because I am fat, I can't even tell you that I am fat.”

• “$1 and because $1, I can't even tell you that $1.” $1=[I am fat]

Segmented compression

• Divides file in compression units

• Random file I/O without decompressing the entire file

• Compresses files while still being modified

NTFS Encryption

• True support for encryption in file system (unlike encrypted loopback device in Linux)

• Same API as regular files

• All data streams are encrypted

• Encrypted in 16 cluster chunks

• Encryption uses PKI to store data encryption key for each user (see next)

Structure of an EFS file

[Figure labels: FEK; DDF (Data Decryption Field); User Name; Encrypted FEK, etc.; FEK; DRF (Data Recovery Field); Encrypted Data]

From Presentation by Ken Knapton, formerly Chief Technology Officer of AccessData Corporation

File Attributes defined by NTFS

Credit: www.ntfs.com


FAT 12 Example

FAT 16 Example

FAT 32 Example

NTFS Example

NTFS’ Boot Sector Example

Data Stored in MFT

Credit: www.ntfs.com

MFT Example