
Understanding NTFS File System Metadata and System Files

Updated: Feb 17

File systems store almost all data in files, but certain special files, collectively known as metadata structures, store essential information about other files and directories.


These structures track attributes such as timestamps (created, modified, and accessed), permissions, ownership, file size, and pointers to file locations.


Each file system has its own way of recording which clusters belong to a file.

For example:

  • NTFS (New Technology File System) describes each contiguous range of clusters as a "data run" (a starting cluster plus a length), so a file's clusters are recorded as a short list of runs.

  • FAT (File Allocation Table) records, for every cluster, the number of the next cluster in the file, so a file's clusters are followed as a "chain" through the table.



The Master File Table (MFT)

NTFS revolves around the Master File Table (MFT), a highly structured database storing MFT entries (or MFT records) for every file and folder on a volume. These entries contain vital metadata, either storing the data directly (for small files) or pointing to clusters where the actual data resides.


A file whose content is small enough to fit inside its own MFT entry (roughly 600 bytes, depending on how much space the entry's other attributes take) is stored resident. Larger files have a non-resident $DATA attribute: the entry holds only the data runs that point to clusters outside the MFT. The table itself lives in a hidden file named $MFT, which contains every MFT entry on the volume.



NTFS also uses another hidden file, $Bitmap, to track cluster allocation. This file holds one bit per cluster, indicating whether the cluster is allocated (1) or unallocated (0). A file is fragmented when its clusters are not contiguous, which shows up as more than one data run in its attribute; NTFS tries to allocate contiguous space so that most files keep a single run.
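The following Python is an added example, not code from the original post: it decodes a run list exactly as the data-run paragraph above describes (length and offset sizes from the header nibble, signed offsets relative to the previous run, zero-offset sparse runs, 0x00 terminator), maps a file offset to a cluster on disk, and then checks the claimed clusters against a $Bitmap as a forensic consistency test. The run list and bitmap bytes are constructed for illustration, and all function names are my own.

```python
from typing import List, Optional, Tuple

# Added example, not from the original post. Run list and bitmap bytes are
# constructed for illustration; on a real volume they come from a non-resident
# attribute's run list and from the $DATA stream of $Bitmap respectively.

Run = Tuple[int, Optional[int]]  # (length in clusters, starting LCN; None = sparse run)


def decode_runlist(runlist: bytes) -> List[Run]:
    """Decode an NTFS data run list.

    Each run begins with a header byte: the low nibble is the number of bytes
    holding the run length, the high nibble the number of bytes holding the
    LCN offset. Both values are little-endian. The offset is *signed* and is
    relative to the previous run's starting LCN, which keeps run lists short.
    An offset size of 0 means a sparse run (no clusters on disk).
    A header byte of 0x00 terminates the list.
    """
    runs: List[Run] = []
    pos, lcn = 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed run header 0x{header:02X} at offset {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((length, None))  # sparse run: lcn is not advanced
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run list points below LCN 0")
        runs.append((length, lcn))
    return runs


def vcn_to_lcn(runs: List[Run], vcn: int) -> Optional[int]:
    """Map a virtual cluster number (position within the file) to a cluster on disk."""
    base = 0
    for length, lcn in runs:
        if vcn < base + length:
            return None if lcn is None else lcn + (vcn - base)
        base += length
    raise IndexError(f"VCN {vcn} is beyond the run list ({base} clusters)")


def cluster_allocated(bitmap: bytes, lcn: int) -> bool:
    """$Bitmap holds one bit per cluster, least significant bit first: 1 = allocated."""
    byte, bit = divmod(lcn, 8)
    if byte >= len(bitmap):
        raise IndexError(f"LCN {lcn} is outside the bitmap")
    return bool((bitmap[byte] >> bit) & 1)


def free_cluster_count(bitmap: bytes) -> int:
    return sum(8 - bin(b).count("1") for b in bitmap)


def runs_not_allocated(runs: List[Run], bitmap: bytes) -> List[int]:
    """Clusters the run list claims but $Bitmap marks free: a sign of corruption,
    anti-forensic tampering, or a deleted file whose entry is being reused."""
    return [c for length, lcn in runs if lcn is not None
            for c in range(lcn, lcn + length) if not cluster_allocated(bitmap, c)]


# Constructed run list: 4 clusters at LCN 32, 2 clusters at LCN 30 (offset -2),
# a 3-cluster sparse run, then 5 clusters at LCN 46 (offset +16 from 30).
RUNLIST = bytes.fromhex("11 04 20  11 02 FE  01 03  11 05 10  00")
# Constructed $Bitmap for a 64-cluster volume: clusters 0-7, 30-35 and 46-49
# allocated; cluster 50 deliberately left free to show a run/bitmap mismatch.
BITMAP = bytes.fromhex("FF 00 00 C0 0F C0 03 00")

if __name__ == "__main__":
    runs = decode_runlist(RUNLIST)
    print("runs:", runs)
    print("VCN 5 ->", vcn_to_lcn(runs, 5), "| VCN 7 ->", vcn_to_lcn(runs, 7))
    print("free clusters:", free_cluster_count(BITMAP))
    print("claimed but unallocated:", runs_not_allocated(runs, BITMAP))
```

The negative offset in the second run is the detail that trips up hand-written parsers: the offset field is a two's-complement value relative to the previous run, not an absolute cluster number, so a file can legitimately have a later run that sits earlier on disk. The bitmap check is the same comparison chkdsk and forensic tools make; a cluster that a live file claims but $Bitmap reports as free means either the metadata is damaged or something has been editing the structures behind the driver's back.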


The MFT is the Metadata Catalog for NTFS


Key NTFS System Files

Besides $MFT and $Bitmap, NTFS relies on several other system files; all of them are hidden and, except for the root directory, their names start with a $ sign. The first 24 MFT entries are reserved for the file system, and entries 0 through 11 are assigned to these system files:

System File | MFT Entry | Purpose

$MFT | 0 | The Master File Table itself, which tracks every file and directory on the volume.

$MFTMirr | 1 | A copy of the first MFT entries, kept so the volume can be recovered if the start of $MFT is damaged.

$LogFile | 2 | The transaction log used to bring the file system's metadata back to a consistent state after a crash.

$Volume | 3 | Volume information, including the volume label and the NTFS version.

$AttrDef | 4 | Definitions of the attribute types that can appear in MFT entries (name, type ID, size limits).

. | 5 | The root directory of the NTFS volume.

$Bitmap | 6 | One bit per cluster, recording whether it is allocated or free.

$Boot | 7 | The boot sector and bootstrap code; the boot sector records the sector and cluster sizes and where $MFT and $MFTMirr start, which the driver needs before any other file can be read.

$BadClus | 8 | A sparse file spanning the whole volume; clusters marked in it are physically damaged and are never allocated to other files.

$Secure | 9 | Security descriptors (owner and access control lists), shared between files through a security ID so that identical descriptors are stored once.

$UpCase | 10 | The Unicode uppercase table used for case-insensitive file name comparison and sorting.

$Extend | 11 | A directory holding the additional system files introduced with NTFS 3.0 ($ObjId, $Quota, $Reparse, $UsnJrnl).


Extended NTFS System Files

Beyond the first 12 reserved system files, the $Extend directory holds several more:

Extended System File | Purpose

$Extend\$ObjId | An index of object IDs, which let a file be located by ID even after it has been renamed or moved (used by distributed link tracking).

$Extend\$Quota | Per-user disk space quota limits and usage.

$Extend\$Reparse | An index of every file that carries a reparse point: symbolic links, junctions, volume mount points and other reparse tags.

$Extend\$UsnJrnl | The Update Sequence Number (USN) Journal, whose $J stream records which files changed and why (create, delete, rename, data overwrite, attribute change and so on), but not the changed data itself.


Conclusion

NTFS is a powerful file system with a robust metadata structure that ensures efficient file management and system integrity. Key system files like $MFT, $Bitmap, $LogFile, and $UsnJrnl play crucial roles in tracking files, managing disk space, and ensuring recoverability in case of crashes.


Understanding these NTFS components is vital for forensic analysts, system administrators, and cybersecurity professionals who need to investigate file system activities or recover lost data.
