
Metadata Files


lorene

Presentation Transcript


  1. Metadata Files
     Excellent reference: http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h

  2. Metadata Files
     • The metadata files in NTFS contain information used to implement the file system structure.
     • Their names begin with $
     • The $ is usually hidden
     • With the exception of these $ files, all the rest of the MFT entries are for normal files and directories

  3. Metadata Files
      0  $Mft – MFT
      1  $MftMirr – MFT Mirror
      2  $LogFile – Log File
      3  $Volume – Volume File
      4  $AttrDef – Attribute definition table
      5  \ – Root directory
      6  $Bitmap – Volume cluster allocation file
      7  $Boot – Boot sector
      8  $BadClus – Bad-cluster file
      9  $Secure – Security settings file
     10  $UpCase – Uppercase character mapping
     11  $Extend – Extended metadata directory
     12  Unused
     13  Unused
     14  Unused
     15  Unused
     Files 0 – 15 are reserved for metadata files in the MFT; usually only the first 12 are used by MS.

  4. $MFT
     • Entry 0
     • Master File Table
     • Contains an entry for every file
     • First entry in the MFT
     • Has a $BITMAP attribute
     • Its $DATA attribute contains the clusters used by the MFT
     • Also has $STANDARD_INFORMATION and $FILE_NAME attributes

  5. $MFTMirr
     • Entry 1
     • Backup for the MFT
     • Second entry (entry #1) in the MFT
     • Has a non-resident attribute
     • Contains a few entries in the MFT
         • $MFT, $MFTMirr, $LogFile, $Volume
     • Located in the middle of the file system
     • Allocated by the $DATA attribute
     • Problems with $MFT
         • Find middle of file system
         • Look for signatures “FILE”

  6. $LogFile
     • Entry 2
     • Used as the NTFS journal
     • Has standard attributes
     • Log data is stored in $DATA
     • Appears to have signature “RSTR”
     • And entries with signature “RCRD”

  7. $Volume
     • MFT entry number 3
     • Contains volume label and version info
     • Has 2 important attributes
         • $VOLUME_NAME
         • $VOLUME_INFORMATION
     • Has $STD_INFO, FILE_NAME, OBJECT_ID attributes
     • $DATA has 0 bytes

  8. $VOLUME_NAME
     • Type ID 96
     • Name of volume in UTF-16 Unicode
     • Nothing more

  9. $VOLUME_INFORMATION
     • Type ID – 112
     • Unique to $Volume file
     Fields
       Bytes      Description
       0 – 7      Unused
       8 – 8      Major version
       9 – 9      Minor version
       10 – 11    Flags
     Flags
       0x0001     Dirty
       0x0002     Resize $LogFile (File system journal)
       0x0004     Upgrade volume next time
       0x0008     Mounted in NT
       0x0010     Deleting change journal
       0x0020     Repair object IDs
       0x0080     Modified by chkdsk

  10. $AttrDef
     • Entry 4
     • Defines the attribute names and IDs
     • $DATA attribute for this file contains a list of entries
     Entry:
       Bytes        Description
       0 – 127      Name of attribute
       128 – 131    Type of identifier
       132 – 135    Display rule
       136 – 139    Collation rule
       140 – 143    Flag
       144 – 151    Minimum size
       152 – 159    Maximum size
     Flags:
       0x02         Attribute can be used in an index
       0x04         Attribute is always resident
       0x08         Attribute can be non-resident

  11. \ – Root directory
     • Entry 5

  12. $Bitmap
     • Entry 6
     • Bitmap of allocated clusters is maintained in the $DATA attribute

  13. $Boot
     • Entry 7
     • Contains the boot sector of the file system
     • Static location for $DATA attribute
     • Located in the first sector of the file system
     • Used to boot the system
     • First sector is the VBR
     • Trailing file sig of first sector is 0xAA55
     • Usually 16 sectors are reserved for $Boot
     • About half is used

  14. VBR for NTFS
     • Sector 1 of $DATA of $Boot
     • www.NTFS.com

  15. $Boot (cont’d)
     • The sectors following #1 are for actual boot code
     • Only significant for bootable partitions
     • Exercise
         • Format a disk with a non-bootable NTFS partition
         • What do the first 16 clusters of the file system look like?
     • Backup of the boot sector is in the last sector of the volume
         • One sector past the file system

  16. $BadClus
     • Entry 8
     • Bad cluster file

  17. $Secure
     • Entry 9
     • Security settings

  18. $UpCase
     • Entry 10
     • Uppercase character mapping

  19. $Extend
     • Entry 11
     • Extended metadata directory
     • Contains
         • $ObjId
         • $Reparse
         • $Quota
         • $UsnJrnl

  20. $Quota
     • Located in \$Extend\
     • Contains two indexes
     • Both indexes use
         • $INDEX_ROOT
         • $INDEX_ALLOCATION
     • $O index
         • Correlates a SID to an owner ID
     • $Q index
         • Correlates an owner ID to quota information

  21. $UsnJrnl
     • Located in \$Extend\
     • Acts as a change journal
     • Changes are stored in $DATA attribute
         • This attribute is named $J
     • Also has another $DATA attribute named $Max
         • Maximum settings for the UsnJrnl

  22. $J Attribute Entries
       Bytes      Description
       0 – 3      Size of this journal entry
       4 – 5      Major version
       6 – 7      Minor version
       8 – 15     File reference of the file that caused this entry
       16 – 23    Parent directory file reference for the file that caused this entry
       24 – 31    USN (Update Sequence Number) for entry
       32 – 39    Time stamp
       40 – 43    Flags for type of change
       44 – 47    Source information (OS or user caused)
       48 – 51    Security ID (SID)
       52 – 55    File attributes
       56 – 57    Size of file name
       58+        File name

  23. $J Entry Flags
       0x00000001    Default $DATA attribute was overwritten
       0x00000002    Default $DATA attribute was extended
       0x00000004    Default $DATA attribute was truncated
       0x00000010    A named $DATA attribute was overwritten
       0x00000020    A named $DATA attribute was extended
       0x00000040    A named $DATA attribute was truncated
       0x00000100    The file or directory was created
       0x00000200    The file or directory was deleted
       0x00000400    The extended attributes of the file were changed
       0x00000800    The security descriptor was changed
       0x00001000    The name was changed – change journal entry has old name
       0x00002000    The name was changed – change journal entry has new name
       0x00004000    Content index status changed
       Etc.
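
Added example (not part of the original slides): a Python parser for the $J entry layout and change flags from the last two slides, run over constructed data. It assumes Microsoft's version 2 record layout, in which bytes 58 – 59 hold the offset of the file name and the name itself starts at byte 60 (the slide's table shows the name at 58+), and that entries are padded to 8-byte boundaries; `constructed_record` and `SAMPLE` are hypothetical test helpers.

```python
import struct
from datetime import datetime, timedelta, timezone

# Change-type flags as listed on the "$J Entry Flags" slide.
REASONS = {
    0x0001: "default $DATA overwritten", 0x0002: "default $DATA extended",
    0x0004: "default $DATA truncated", 0x0010: "named $DATA overwritten",
    0x0020: "named $DATA extended", 0x0040: "named $DATA truncated",
    0x0100: "created", 0x0200: "deleted", 0x0400: "extended attributes changed",
    0x0800: "security descriptor changed", 0x1000: "renamed (old name)",
    0x2000: "renamed (new name)", 0x4000: "content index status changed",
}
FIXED = struct.Struct("<IHHQQQQIIIIHH")  # bytes 0-57 plus name offset at 58-59
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # stamps: 100 ns ticks since 1601

def decode_reason(flags):
    names = [text for bit, text in REASONS.items() if flags & bit]
    unknown = flags & ~sum(REASONS)  # bits the slide covers with "Etc."
    return names + ([hex(unknown)] if unknown else [])

def parse_usn(buf):
    """Return the version 2 entries found in a chunk of $J data."""
    pos, records = 0, []
    while pos + FIXED.size <= len(buf):
        (size, major, _minor, ref, parent, usn, stamp, reason,
         _source, _sid, _attrs, name_len, name_off) = FIXED.unpack_from(buf, pos)
        if not (major == 2 and size % 8 == 0 and pos + size <= len(buf)
                and FIXED.size <= name_off and name_off + name_len <= size):
            pos += 8  # zero-filled sparse area or damaged data: resync
            continue
        name = buf[pos + name_off:pos + name_off + name_len]
        records.append({
            "usn": usn, "entry": ref & 0xFFFFFFFFFFFF, "sequence": ref >> 48,
            "parent_entry": parent & 0xFFFFFFFFFFFF, "changes": decode_reason(reason),
            "time": EPOCH + timedelta(microseconds=stamp // 10),
            "name": name.decode("utf-16-le", "replace"),
        })
        pos += size
    return records

def constructed_record(name, entry, seq, parent, usn, stamp, reason):
    raw = name.encode("utf-16-le")
    size = (FIXED.size + len(raw) + 7) & ~7  # pad to an 8-byte boundary
    head = FIXED.pack(size, 2, 0, seq << 48 | entry, parent, usn, stamp,
                      reason, 0, 0, 0x20, len(raw), FIXED.size)
    return (head + raw).ljust(size, b"\0")

SAMPLE = (bytes(16)  # constructed: 16 zero bytes, then two entries
          + constructed_record("a.txt", 40, 3, 5, 128, 132223104000000000, 0x102)
          + constructed_record("b.txt", 41, 1, 5, 200, 132223104010000000, 0x80000200))
```

The low 48 bits of a file reference are the MFT entry number and the high 16 bits the sequence number, which is why the parser splits them.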
