|
|
Flag
|
Description
|
|
0x02
|
Indexed
|
|
0x40
|
Resident (always)
|
|
0x80
|
Non-Resident (allowed to be)
|
In the MFT file record set properties
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
0x30
|
$FILE_NAME
|
.
|
|
0x50
|
$SECURITY_DESCRIPTOR
|
|
0x80
|
$DATA
|
$MountMgrDatabase
|
|
0x90
|
$INDEX_ROOT
|
$I30
|
|
0xA0
|
$INDEX_ALLOCATION
|
$I30
|
|
0xB0
|
$BITMAP
|
$I30
|
MountMgrDatabase data stream
仅当Reparse Points on the Volume.
|
Offset
|
Size
|
Description
|
|
0x00
|
4
|
Size of entry
|
|
0x04
|
4
|
Flags? (bitfield?)
|
|
0x08
|
2
|
Offset to UNC Path
|
|
0x0A
|
2
|
Size of UNC Path
|
|
0x0C
|
2
|
Offset to data
|
|
0x0E
|
2
|
Size of data
|
The file records the volume of all the use of the logical cluster. Each file represents a logical cluster BIT. In each byte, the logical cluster number by small to large order, such as: BIT0 logical cluster number corresponds to A, then BIT1 corresponding logical cluster number A +1.
MFT record set in the properties file
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$Bitmap
|
|
0x80
|
$DATA
|
[Unnamed]
|
MFT record set in the properties file
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$Boot
|
|
0x50
|
$SECURITY_DESCRIPTOR
|
|
|
0x80
|
$DATA
|
[Unnamed]
|
Unnamed data stream format
The first important data area NTFS volume is BPB (BIOS Parameter Block), the data area is located in all regions of the first volume: the first sector of $ Boot file. The sector is also called the boot sector.
Boot sector and BPB structure
|
Name
|
Offset
|
Size
|
Description
|
|
BS_jmpBoot
|
0
|
3
|
Jump to boot code at. This field allows the following two formats:
jmpBoot [0] = 0xEB, jmpBoot [1] = 0x??, jmpBoot [2] = 0x90
Or
jmpBoot [0] = 0xE9, jmpBoot [1] = 0x??, jmpBoot [2] = 0x??
0x?? Refers to here can be any value, the above format is Intel x86 code to jump to an unconditional jump instruction, the boot code stored in the volume behind the first sector BPB table
|
|
BS_OEMName
|
3
|
8
|
"NTFS " This field is a necessary condition for determining whether the volume is NTFS volume, NTFS volumes in this field must be set to the above values
|
|
BPB_BytsPerSec
|
0x0b
|
2
|
The number of bytes per sector, the value can only select from one of the following values: 512,1024,2048,1096. For compatibility with previous software, it is recommended to use the value 512
|
|
BPB_SecPerClus
|
0x0d
|
1
|
The number of sectors in each allocation unit, but must be an integer greater than zero power of 2, this value can be 1,2,4,8,16,32,64,128. Note that this value must ensure that the number of bytes per cluster (BPB_BytsPerSec * BPB_SecPerClus) is less than 4K.
|
|
BPB_RsvdSecCnt
|
0x0e
|
2
|
Reserved The number of sectors in the reserved area, 0
|
|
BPB_NumFATs
|
0x10
|
1
|
The number of FAT tables, in order to maintain the domain compatible with BPB FAT/FAT32 while retaining its value is fixed at 0
|
|
BPB_RootEntCnt
|
0x11
|
2
|
In order to maintain compatibility and retained value is fixed at 0
|
|
BPB_TotSec16
|
0x13
|
2
|
In order to maintain compatibility and retained value is fixed at 0
|
|
BPB_Media
|
0x15
|
1
|
Storage media code, fixed disk is 0xF8, for removable media, and its value is usually 0xF0, legal values are 0xF0, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF.
|
|
BPB_FATSz16
|
0x16
|
2
|
In order to maintain compatibility and retained value is fixed at 0
|
|
BPB_SecPerTrk
|
0x18
|
2
|
Int 13H invocation sectors per track, only when the value of the storage media and can be addressed by CHS Int 13H way to identify meaningful.
|
|
BPB_NumHeads
|
0x1a
|
2
|
Int 13H call the number of heads, the same meaning as in front of the BPB_SecPerTrk. Note that the value of the base is 1.
|
|
BPB_HiddenSec
|
0x1c
|
4
|
Hidden sectors, partition offset relative to each sector of the partition table sectors.
|
|
BPB_TotSec32
|
0x20
|
4
|
In order to maintain compatibility and retained value is fixed at 0
|
|
BS_DrvNum
|
0x24
|
1
|
Int disk number parameter 13H call.
|
|
BS_Reserved1
|
0x25
|
1
|
Reservations, a value of 0.
|
|
BS_Reserved2
|
0x26
|
2
|
Retention, the value 80H.
|
|
BS_TotSec64
|
0x28
|
8
|
The total volume of sectors.
|
|
BS_1stClusOfMFT
|
0x30
|
8
|
$ MFT file first cluster in
|
|
BS_1stClusOfMFTMirr
|
0x38
|
8
|
$ MFTMirr file first cluster in
|
|
BS_ClusPerFR
|
0x40
|
4
|
Each file record number of occupied cluster 1
|
|
BS_ClusPerDR
|
0x48
|
4
|
Each directory record number of cluster points using a
|
|
BS_Serial
|
0x70
|
8
|
Volume Serial Number
|
|
~
|
|
|
|
|
|
0x200
|
|
NT loader
|
Note 1 : The number of clusters for each record takes a positive value indicates if the record number of clusters occupied; negative value indicates if the record size is smaller than the cluster size, then the method of calculating the size of the recording should be: size = 2 records ^ (~ every file record number of clusters occupied).
Example: BS_ClusPerFR = 0xF6 (-10), the dimensions of case records BytsPerRecord = 2 ^ (~ 0xf6) = 2 ^ 10 = 1024
The document records the information on the volume of bad clusters. The file is a sparse file records only bad clusters description. The document has two data attributes, the first unnamed data attribute and property is empty, the second data property named: "$ Bad", which records the volume of property VCN bad clusters, the data distribution of the property The size of the entire volume of space, but also the actual space occupied by the data size of the volume, the data size is initialized to 0. In the properties of the data stream is broken describe African sparse clusters VCN description.
Bad cluster in $ Bitmap file corresponding bit is always marked as used.
MFT record set in the properties file
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$BadClus
|
|
0x80
|
$DATA
|
[Unnamed]
|
|
0x80
|
$DATA
|
$Bad
|
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$Secure
|
|
0x80
|
$DATA
|
$SDS
|
|
0x90
|
$INDEX_ROOT
|
$SDH
|
|
0x90
|
$INDEX_ROOT
|
$SII
|
|
0xA0
|
$INDEX_ALLOCATION
|
$SDH
|
|
0xA0
|
$INDEX_ALLOCATION
|
$SII
|
|
0xB0
|
$BITMAP
|
$SDH
|
|
0xB0
|
$BITMAP
|
$SII
|
|
