Explain how to write a file in NTFS
- Read $BOOT to find location for $MFT
- read first entry of $MFT to find $MFT layout
- Allocate $MFT entry for new file
- Initialize $STANDARD_INFORMATION attribute
- Find free clusters in $BITMAP
- Set cluster status to 1 (allocated)
- Write contents to clusters and update $DATA attribute in $MFT
- Read the root directory, and find dir1/
- Read $INDEX_ROOT attribute for dir1/ and determine where file1.txt should go
- Create new index entry, Resort index tree
Enter all steps in $LogFile (as each one is taken)
Explain how to Delete a file in NTFS
- Read volume boot record to locate $MFT
- Determine layout of $MFT
- Locate dir1 in the Root Directory
- Find file1.txt in dir1’s $INDEX_ROOT entry
- Remove filename from index, resort index.
- Unallocate the $MFT entry
- Set $Bitmap entries to 0
- Record steps in $Logfile as each is taken
What is NTFS
NTFS - New Technology File System
What are the files that make up an NTFS File System
- MFT (Master file table)
- MFTMirror (copy of MFT)
- LogFile (logs all metadata file changes)
- Volume (information about file system)
- . (information on root directory)
- Bitmap (1 bit for each cluster showing its allocation status)
- Boot (similar to FAT boot sector)
Where is $BOOT stored
$BOOT is stored in same location for every NTFS volume (Sector 0)
What endian are multi bytes stored in for NTFS
All multibyte structures are stored in LE for NTFS unless otherwise states
Explain how to identify $MFT starting location
Bytes per Sector / Sector Size: 0x0002 (LE) -> 0x0200 = 512 bytes per sector
Number of Sectors per Cluster = 0x08 (BE) -> 8 = 8 sectors per cluster
Cluster size = 512*8 = 4,096 bytes
Starting Cluster of MFT = 0x0400 0000 0000 0000 (LE) = 4
First cluster of MFT is at cluster 4
What is the $MFT file
$MFT - master file table
- Similar to FAT Directory entries
- Contains one file record entry for each file
- Each file entry is usually 1024 bytes
- File Record contains header, and then attributes (metadata)
Explain how to identify the number of attributes for a file
File Record Entry Example:
File Signature: 0x4649 = FILE0
Offset to first attribute: 0x3800 (LE) = 0x0038 (number of bytes in hex of header)
Allocation status: 0x0100 (LE) = 0x01 = Allocated
Number of Attributes: 0400 (LE) = 0x04 = 4 attributes
What are the two types of attributes in NTFS
- Resident: data is stored in attribute
- Non-Resident: contains pointer to data (using run lists)
What is a run list
tells how many clusters are in it and where they are located (by finding two byes at 0x20 in Non-Resident Attribute)
Interpret this run list:
21 03 03 22
21 - add the nibbles of the first byte to get the number of bytes in this portion
- 2 , 1 = nibbles
- 2+1 = 3
- 3 is the number of bytes of run list
The high order nibble(2) = number of bytes in starting cluster
Starting cluster = 03 22 -> (LE) -> 2203 -> 8707(decimal)
Low order nibble (1) = number of bytes in run list length
Number of clusters (length of run list) = 03
Run list contains 3 clusters beginning at 8707
- Would be 8707, 8708, 8709 in total
- Can check with istat ntfs.dd 65
What information is stored in $Standard_Information
-Creation: File creation time
- Modification: File content modification time
- Change: File metadata modification time
- Access: File access / read time
