Metadata Files

Date posted: 22-Dec-2015

Excellent reference:

http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h

Metadata Files

• The metadata files in NTFS contain information used to implement the file system structure.

• Their names begin with $

• The $ is usually hidden

• With the exception of these $ files, all the rest of the MFT entries are for normal files and directories

Metadata Files

0 $Mft – MFT

1 $MftMirr – MFT Mirror

2 $LogFile – Log File

3 $Volume – Volume File

4 $AttrDef – Attribute definition table

5 \ – Root directory

6 $Bitmap – Volume cluster allocation file

7 $Boot – Boot sector

8 $BadClus – Bad-cluster file

9 $Secure – Security settings file

10 $UpCase – Uppercase character mapping

11 $Extend – Extended metadata directory

12 Unused

13 Unused

14 Unused

15 Unused

Files 0 – 15 are reserved for metadata files in the MFT; usually only the first 12 are used by MS.

$MFT

• Entry 0

• Master File Table

• Contains an entry for every file

• First entry in the MFT

• Has a $BITMAP attribute

• Its $DATA attribute contains the clusters used by the MFT

• Also has $STANDARD_INFORMATION and $FILE_NAME attributes

$MFTMirr

• Entry 1

• Backup for the MFT

• Second entry (entry #1) in the MFT

– Has a non-resident attribute

• Contains copies of a few MFT entries

– $MFT, $MFTMirr, $LogFile, $Volume

• Located in the middle of the file system

– Allocated by the $DATA attribute

• Problems with $MFT

– Find middle of file system

– Look for signatures “FILE”

$LogFile

• Entry 2

• Used as the NTFS journal

• Has standard attributes

• Log data is stored in $DATA

• Appears to have signature “RSTR”

• And entries with signature “RCRD”

$Volume

• MFT entry number 3

• Contains volume label and version info

• Has 2 important attributes

– $VOLUME_NAME

– $VOLUME_INFORMATION

• Has $STD_INFO, $FILE_NAME, $OBJECT_ID attributes

• $DATA has 0 bytes

$VOLUME_NAME

• Type ID 96

• Name of volume in UTF-16 Unicode

• Nothing more

$VOLUME_INFORMATION

• Type ID – 112

• Unique to $Volume file

Fields:

0 – 7 Unused

8 – 8 Major version

9 – 9 Minor version

10 – 11 Flags

Flags:

0x0001 Dirty

0x0002 Resize $LogFile (File system journal)

0x0004 Upgrade volume next time

0x0008 Mounted in NT

0x0010 Deleting change journal

0x0020 Repair object Ids

0x0080 Modified by chkdsk

$AttrDef

• Entry 4

• Defines the attribute names and Ids

• $DATA attribute for this file contains a list of entries

Entry:

0 – 127 Name of attribute

128 – 131 Type of identifier

132 – 135 Display rule

136 – 139 Collation rule

140 – 143 Flag

144 – 151 Minimum size

152 – 159 Maximum size

Flags:

0x02 Attribute can be used in an index

0x04 Attribute is always resident

0x08 Attribute can be non-resident

\ - Root directory

• Entry 5

$Bitmap

• Entry 6

• Bitmap of allocated clusters is maintained in the $DATA attribute

$Boot

• Entry 7

• Contains the boot sector of the file system

• Static location for $DATA attribute

– Located in the first sector of the file system

– Used to boot the system

– First sector is the VBR

• Trailing signature of the first sector is 0xAA55

• Usually 16 sectors are reserved for $Boot

– About half is used

VBR for NTFS – Sector 1 of $DATA of $Boot

Byte Offset  Field Length  Sample Value         Field Name
0x00         3             0xEB5290             Jump to boot code
0x03         4             0x4E544653           OEM Name
0x0B         2             0x0002               Bytes Per Sector
0x0D         1             0x08                 Sectors Per Cluster
0x0E         2             0x0000               Reserved Sectors
0x10         3             0x000000             always 0
0x13         2             0x0000               not used by NTFS
0x15         1             0xF8                 Media Descriptor
0x16         2             0x0000               always 0
0x18         2             0x3F00               Sectors Per Track
0x1A         2             0xFF00               Number Of Heads
0x1C         4             0x3F000000           Hidden Sectors
0x20         4             0x00000000           not used by NTFS
0x24         4             0x80008000           not used by NTFS
0x28         8             0x4AF57F0000000000   Total Sectors
0x30         8             0x0400000000000000   Logical Cluster Number for the file $MFT
0x38         8             0x54FF070000000000   Logical Cluster Number for the file $MFTMirr
0x40         4             0xF6000000           Size of MFT entry
0x44         4             0x01000000           Clusters Per Index Block
0x48         8             0x14A51B74C91B741C   Volume Serial Number
0x50         4             0x00000000           Checksum

(Sample values are shown in on-disk byte order; source: www.NTFS.com)
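The sample values in the VBR table are printed in on-disk byte order, which is easy to misread: 0x0002 at offset 0x0B decodes little-endian to 512 bytes per sector, and 0xF6 at offset 0x40 is a signed byte (-10) meaning 2^10 = 1024 bytes per MFT entry rather than a cluster count. The Python below is an added example, not code from the slides or from www.NTFS.com. It builds a 512-byte sector from the table's sample values (the OEM name is padded to its full 8 bytes, which goes beyond the four bytes the table shows), decodes every field, derives the byte offsets of $MFT and $MFTMirr, and runs the consistency checks a forensic parser should apply before trusting a boot sector. All function and field names are my own.

```python
import struct

# Offsets 0x0B..0x53 of the NTFS VBR, in the order the table lists them.
# "<" = little-endian with no padding; "b" = signed byte; "x" = pad byte.
_BPB = struct.Struct("<HBH3sHBHHHIIIQQQb3xb3xQI")


def _bytes_from_size_field(value, bytes_per_cluster):
    """NTFS stores MFT record and index block sizes as a signed byte:
    a negative value n means 2**(-n) bytes; a positive value is a cluster count."""
    return 2 ** (-value) if value < 0 else value * bytes_per_cluster


def check_vbr(f):
    """Consistency checks to run before trusting a boot sector's values."""
    problems = []
    if f["oem_name"].rstrip(b" ") != b"NTFS":
        problems.append("OEM name is not NTFS")
    if f["signature"] != 0xAA55:
        problems.append("trailing signature is not 0xAA55")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two")
    total_clusters = f["total_sectors"] // spc if spc else 0
    for name in ("mft_lcn", "mftmirr_lcn"):
        if f[name] >= total_clusters:
            problems.append(f"{name} lies outside the volume")
    if f["mft_record_size"] not in (1024, 4096):
        problems.append("unusual MFT record size")
    return problems


def parse_vbr(sector):
    """Decode sector 1 of $Boot's $DATA attribute (the VBR) into named fields."""
    if len(sector) < 512:
        raise ValueError("VBR must be at least 512 bytes")
    (bps, spc, reserved, _always0, _unused1, media, _always0b, spt, heads, hidden,
     _unused2, _unused3, total_sectors, mft_lcn, mftmirr_lcn, mft_size_field,
     index_size_field, serial, checksum) = _BPB.unpack_from(sector, 0x0B)
    cluster_size = bps * spc
    fields = {
        "jump": sector[0:3],
        "oem_name": sector[3:0x0B],
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "media_descriptor": media,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_record_size": _bytes_from_size_field(mft_size_field, cluster_size),
        "index_block_size": _bytes_from_size_field(index_size_field, cluster_size),
        "volume_serial": serial,
        "checksum": checksum,
        "signature": struct.unpack_from("<H", sector, 0x1FE)[0],
        "cluster_size": cluster_size,
        # Where a carver would seek to read the first MFT entry and its mirror.
        "mft_byte_offset": mft_lcn * cluster_size,
        "mftmirr_byte_offset": mftmirr_lcn * cluster_size,
    }
    fields["problems"] = check_vbr(fields)
    return fields


def build_sample_vbr():
    """Constructed 512-byte VBR (not from a real disk) filled with the table's
    sample values, copied verbatim in on-disk byte order."""
    sector = bytearray(512)
    layout = [
        (0x00, "EB5290"),              # jump to boot code
        (0x03, "4E54465320202020"),    # OEM name: table shows "NTFS"; full field is 8 bytes, space padded (assumption)
        (0x0B, "0002"),                # bytes per sector -> 512
        (0x0D, "08"),                  # sectors per cluster -> 8
        (0x15, "F8"),                  # media descriptor
        (0x18, "3F00"),                # sectors per track -> 63
        (0x1A, "FF00"),                # number of heads -> 255
        (0x1C, "3F000000"),            # hidden sectors -> 63
        (0x24, "80008000"),            # not used by NTFS
        (0x28, "4AF57F0000000000"),    # total sectors -> 8385866
        (0x30, "0400000000000000"),    # $MFT LCN -> 4
        (0x38, "54FF070000000000"),    # $MFTMirr LCN -> 524116 (roughly mid-volume)
        (0x40, "F6000000"),            # size of MFT entry: 0xF6 = -10 -> 2**10 bytes
        (0x44, "01000000"),            # clusters per index block -> 1
        (0x48, "14A51B74C91B741C"),    # volume serial number
        (0x1FE, "55AA"),               # trailing signature, reads as 0xAA55 little-endian
    ]
    for offset, hexbytes in layout:
        raw = bytes.fromhex(hexbytes)
        sector[offset:offset + len(raw)] = raw
    return bytes(sector)


if __name__ == "__main__":
    for key, value in parse_vbr(build_sample_vbr()).items():
        print(f"{key:22} {value!r}")
```

Feeding the parser a sector with the signature cleared or the $MFT cluster number pointing past the end of the volume makes `problems` non-empty, which is the cue to fall back to the $Boot backup in the last sector or to scan for "FILE" signatures as the $MFTMirr slide suggests.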

$Boot (cont’d)

• The sectors following #1 are for actual boot code

• Only significant for bootable partitions

– Exercise

• Format a disk with a non-bootable NTFS partition

• What do the first 16 clusters of the file system look like?

• Backup of the boot sector is in the last sector of the volume

– One sector past the file system

$BadClus

• Entry 8

• Bad cluster file

$Secure

• Entry 9

• Security settings

$UpCase

• Entry 10

• Uppercase character mapping

$Extend

• Entry 11

• Extended metadata directory

• Contains

– $ObjId

– $Reparse

– $Quota

– $UsnJrnl

$Quota

• Located in \$Extend\

• Contains two indexes

• Both indexes use

– $INDEX_ROOT

– $INDEX_ALLOCATION

• $O index

– Correlates a SID to an owner ID

• $Q index

– Correlates an owner ID to quota information

$UsnJrnl

• Located in \$Extend\

• Acts as a change journal

• Changes are stored in $DATA attribute

• This attribute is named $J

• Also has another $DATA attribute named $Max

– Maximum settings for the UsnJrnl

$J Attribute Entries

0 – 3 Size of this journal entry

4 – 5 Major version

6 – 7 Minor version

8 – 15 File reference of the file that caused this entry

16 – 23 Parent directory file reference for the file that caused this entry

24 – 31 USN (Update Sequence Number) for entry

32 – 39 Time stamp

40 – 43 Flags for type of change

44 – 47 Source information (OS or user caused)

48 – 51 Security ID (SID)

52 – 55 File attributes

56 – 57 Size of file name

58+ File name

$J Entry Flags

0x00000001 Default $DATA attribute was overwritten

0x00000002 Default $DATA attribute was extended

0x00000004 Default $DATA attribute was truncated

0x00000010 A named $DATA attribute was overwritten

0x00000020 A named $DATA attribute was extended

0x00000040 A named $DATA attribute was truncated

0x00000100 The file or directory was created

0x00000200 The file or directory was deleted

0x00000400 The extended attributes of the file were changed

0x00000800 The security descriptor was changed

0x00001000 The name was changed – change journal entry has old name

0x00002000 The name was changed – change journal entry has new name

0x00004000 Content index status changed

Etc.
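The $J entry layout and the reason-flag list above are enough to walk a change journal extract and turn each record into something an analyst can read: MFT entry number and sequence number split out of the 64-bit file reference, the FILETIME converted to UTC, the flags decoded to names, and the UTF-16 file name recovered. The Python below is an added example, not code from the slides. It follows Microsoft's documented USN_RECORD_V2 structure, which matches the slide's byte ranges 0 – 57 and then carries a 2-byte FileNameOffset at 58 – 59 before the name (normally at 60); it also knows the CLOSE reason (0x80000000), which the slide's list elides under "Etc.". The records it parses are constructed here for the example, and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from the "$J Entry Flags" list, plus USN_REASON_CLOSE (0x80000000),
# which Microsoft defines and which the slide's list leaves under "Etc.".
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 header: the slide's ranges 0-57, then the 2-byte FileNameOffset at 58.
_HDR = struct.Struct("<IHHQQQqIIIIHH")   # 60 bytes, little-endian
_EPOCH_DIFF = 116444736000000000         # FILETIME ticks from 1601-01-01 to 1970-01-01


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def split_file_reference(ref):
    """An NTFS file reference is a 48-bit MFT entry number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def decode_reason(flags):
    names = [name for bit, name in USN_REASONS.items() if flags & bit]
    unknown = flags & ~sum(USN_REASONS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def parse_usn_record(buf, offset=0):
    """Parse one $J record at buf[offset]; returns (record_dict, offset_of_next_record)."""
    if offset + _HDR.size > len(buf):
        raise ValueError("truncated USN record header")
    (length, major, minor, file_ref, parent_ref, usn, ts, reason,
     source, sec_id, attrs, name_len, name_off) = _HDR.unpack_from(buf, offset)
    if length < _HDR.size or offset + length > len(buf):
        raise ValueError(f"bad record length {length} at offset {offset}")
    if (major, minor) != (2, 0):
        raise ValueError(f"unsupported USN record version {major}.{minor}")
    name = buf[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
    entry, seq = split_file_reference(file_ref)
    parent_entry, parent_seq = split_file_reference(parent_ref)
    record = {
        "usn": usn,
        "mft_entry": entry, "sequence": seq,
        "parent_mft_entry": parent_entry, "parent_sequence": parent_seq,
        "timestamp": filetime_to_datetime(ts),
        "reason": decode_reason(reason),
        "source_info": source, "security_id": sec_id, "file_attributes": attrs,
        "file_name": name,
    }
    return record, offset + length


def parse_usn_journal(buf):
    """Walk consecutive records, stepping over the zero padding between them."""
    records, offset = [], 0
    while offset + 4 <= len(buf):
        if struct.unpack_from("<I", buf, offset)[0] == 0:
            offset += 8          # records are 8-byte aligned, so padding can be skipped in quadwords
            continue
        rec, offset = parse_usn_record(buf, offset)
        records.append(rec)
    return records


# --- Constructed sample journal (not from any real volume) -------------------
def build_usn_record(usn, entry, seq, parent_entry, parent_seq, when, reason, name):
    name_bytes = name.encode("utf-16-le")
    length = (_HDR.size + len(name_bytes) + 7) & ~7          # round up to 8-byte boundary
    ft = int(when.timestamp()) * 10_000_000 + _EPOCH_DIFF
    hdr = _HDR.pack(length, 2, 0, (seq << 48) | entry, (parent_seq << 48) | parent_entry,
                    usn, ft, reason, 0, 0, 0x20, len(name_bytes), _HDR.size)
    return hdr + name_bytes + bytes(length - _HDR.size - len(name_bytes))


SAMPLE_TIME = datetime(2015, 12, 22, 9, 30, tzinfo=timezone.utc)
SAMPLE_JOURNAL = (
    build_usn_record(0x1000, 1234, 5, 5, 5, SAMPLE_TIME, 0x00000100 | 0x80000000, "report.docx")
    + bytes(16)                                               # padding between records
    + build_usn_record(0x1050, 1234, 5, 5, 5, SAMPLE_TIME, 0x00001000, "report.docx")
    + build_usn_record(0x1090, 1234, 5, 5, 5, SAMPLE_TIME, 0x00002000 | 0x80000000, "report-final.docx")
)

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_JOURNAL):
        print(f"USN {r['usn']:#x} MFT {r['mft_entry']}-{r['sequence']} "
              f"{r['timestamp']:%Y-%m-%d %H:%M} {'|'.join(r['reason'])} {r['file_name']}")
```

Pairing the RENAME_OLD_NAME and RENAME_NEW_NAME records that share a USN sequence and MFT entry is how a timeline recovers the original name of a renamed file after its $FILE_NAME attribute has been rewritten; the version check and length bounds matter because a carved or partially overwritten $J extract will contain garbage between valid records.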

