"NTFS File System" was uploaded by a member and can be read online; for the full 42-page version of "NTFS File System", search the hosting site (裝配圖網(wǎng)).
Computer Forensics: NTFS File System

MBR and GPT Disks
- MBR disks: 32-bit x86-compatible systems.
- GPT disks: originally 64-bit Itanium systems (today, any UEFI-booted system).
- A GPT disk still starts with an MBR in order to maintain compatibility. This protective MBR has a single partition covering the whole disk, with a partition-type entry of 0xEE, so MBR-only tools see the disk as allocated and leave it alone.

NTFS Architecture (diagram)

NTFS Boot Sector
- Notice that the end-of-sector marker is 55 AA. You can search for it to find boot sectors for both NTFS and DOS (FAT) volumes.
- Layout:
  0x000  3 B    Jump instruction
  0x003  8 B    OEM ID ("NTFS    ")
  0x00B  25 B   BIOS Parameter Block (BPB)
  0x024  48 B   Extended BPB
  0x054  426 B  Bootstrap code
  0x1FE  2 B    End-of-sector marker (55 AA)

NTFS Boot Sector
- Many fields are not important for forensics, but these are:
  0x0B  Bytes per sector
  0x0D  Sectors per cluster
  0x15  Media descriptor: F8 = hard disk; F0 = high-density floppy
  0x28  Total sectors in the volume
  0x30  Logical cluster number (LCN) of the $MFT
  0x38  LCN of the $MFT copy ($MFTMirr)
  0x40  Clusters per MFT record
  0x48  Volume serial number
- WinHex gives access to an interpreted NTFS boot sector; use the Access tab.

NTFS BPB (values from the sample volume; all multi-byte fields are little-endian)
- 0x0B Bytes per sector: bytes 00 02 -> 0x0200 = 512 decimal.
- 0x0D Sectors per cluster: 0x08 (8 x 512 = 4096-byte clusters).
- 0x0E Reserved sectors: 0x0000.
- 0x15 Media descriptor: F8 is a hard disk; F0 would be a floppy.
- 0x28 Total number of sectors: bytes F7 AF 4E 09 00 00 00 00 -> 0x00000000094EAFF7 = 156,151,799 sectors, i.e. about 80 GB.
- 0x30 LCN of $MFT (copy 1): cluster 0xC07FE9.
- 0x38 LCN of $MFTMirr (copy 2): cluster 0x40029D.
- 0x40 Clusters per MFT record: 0xF6. Read as a signed byte this is -10; a negative value means the record size is 2^|value| bytes, so 2^10 = 1024 bytes per MFT record (this encoding is used whenever a record is smaller than a cluster).
- 0x48 Volume serial number.

NTFS Master File Table
- The first four entries ($MFT, $MFTMirr, $LogFile, $Volume) are replicated in $MFTMirr so that the MFT can be repaired.
- The first 16 records are reserved for metadata files; their names begin with a dollar sign ($).

NTFS Master File Table: metadata files
- $MFT: master file table.
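Locating $MFT is the first step of any NTFS examination, and it is done from the boot sector fields walked through above. The following is an added example, not code from the original slide deck: it constructs a 512-byte boot sector from the values quoted on the slides (512 bytes per sector, 8 sectors per cluster, media F8, 0x094EAFF7 total sectors, $MFT at LCN 0xC07FE9, $MFTMirr at LCN 0x40029D, 0xF6 clusters per MFT record), decodes the BPB, turns the 0xF6 byte into a record size, and converts the $MFT LCN into a byte offset. The jump bytes and the volume serial number are assumed, since the deck does not show them; the 55 AA scan generalizes the slide's search tip to a whole raw image.

```python
"""Parse an NTFS boot sector / BPB.

Added example, not code from the original slide deck. The sample sector is
constructed from the values quoted on the slides; the jump bytes and the
volume serial number are assumed.
"""
import struct

SECTOR_SIZE = 512
NTFS_OEM_ID = b"NTFS    "
END_MARKER = b"\x55\xaa"


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector carrying the slide's BPB values."""
    sector = bytearray(SECTOR_SIZE)
    sector[0x00:0x03] = b"\xeb\x52\x90"               # jump instruction (assumed)
    sector[0x03:0x0B] = NTFS_OEM_ID                   # OEM ID
    struct.pack_into("<H", sector, 0x0B, 512)         # bytes per sector: 00 02 on disk
    sector[0x0D] = 8                                  # sectors per cluster
    struct.pack_into("<H", sector, 0x0E, 0)           # reserved sectors
    sector[0x15] = 0xF8                               # media descriptor: hard disk
    struct.pack_into("<Q", sector, 0x28, 0x094EAFF7)  # total sectors: F7 AF 4E 09 00 00 00 00
    struct.pack_into("<Q", sector, 0x30, 0xC07FE9)    # LCN of $MFT
    struct.pack_into("<Q", sector, 0x38, 0x40029D)    # LCN of $MFTMirr
    sector[0x40] = 0xF6                               # clusters per MFT record (signed byte)
    struct.pack_into("<Q", sector, 0x48, 0x1C6E5A3B9F2D4E71)  # volume serial (assumed)
    sector[0x1FE:0x200] = END_MARKER                  # end-of-sector marker 55 AA
    return bytes(sector)


def is_ntfs_boot_sector(sector: bytes) -> bool:
    """55 AA alone also matches FAT boot sectors and MBRs; the OEM ID narrows it to NTFS."""
    return (len(sector) >= SECTOR_SIZE
            and sector[0x1FE:0x200] == END_MARKER
            and sector[0x03:0x0B] == NTFS_OEM_ID)


def find_ntfs_boot_sectors(image: bytes) -> list:
    """Sector-aligned scan of a raw image; finds $Boot at the partition start and the
    backup boot sector at the end of the volume."""
    return [off for off in range(0, len(image) - SECTOR_SIZE + 1, SECTOR_SIZE)
            if is_ntfs_boot_sector(image[off:off + SECTOR_SIZE])]


def decode_mft_record_size(raw: int, cluster_bytes: int) -> int:
    """Field 0x40: a positive value is clusters per record; a negative signed byte n
    means the record is 2**|n| bytes (used when a record is smaller than a cluster)."""
    signed = raw - 256 if raw > 127 else raw
    return signed * cluster_bytes if signed > 0 else 1 << (-signed)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the forensically relevant BPB fields; all multi-byte values are little-endian."""
    if not is_ntfs_boot_sector(sector):
        raise ValueError("not an NTFS boot sector (marker or OEM ID mismatch)")
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    media = sector[0x15]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    serial, = struct.unpack_from("<Q", sector, 0x48)
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "media": {0xF8: "hard disk", 0xF0: "floppy"}.get(media, f"0x{media:02X}"),
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster_bytes,        # seek here to read $MFT
        "mftmirr_lcn": mftmirr_lcn,
        "mftmirr_byte_offset": mftmirr_lcn * cluster_bytes,
        "mft_record_bytes": decode_mft_record_size(sector[0x40], cluster_bytes),
        "volume_serial": f"{serial:016X}",
    }


def parse_sample() -> dict:
    return parse_boot_sector(build_sample_boot_sector())


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key:>20}: {value}")
```

On a real image, `parse_boot_sector` is called on the first 512 bytes of the partition and `mft_byte_offset` is added to the partition's own byte offset. A mismatch between the $Boot copy and the backup boot sector found by `find_ntfs_boot_sectors`, or an OEM ID check that fails while 55 AA is present, is worth noting in a report rather than silently trusting one copy.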
- $MftMirr: master file table mirror.
- $LogFile: log file (transaction journal).
- $Volume: volume information.
- $AttrDef: attribute definitions.
- ".": the root folder.
- $Bitmap: cluster allocation bitmap.
- $Boot: boot sector (located at the beginning of the partition).
- $BadClus: bad cluster file.
- $Secure: security descriptors.
- $Upcase: uppercase conversion table.
- $Extend: NTFS extension directory holding optional features such as $ObjId, $Quota, $Reparse and $UsnJrnl.

MFT Record Structure
- Entries are 1 KB each (the size is given by the boot-sector field at 0x40).
- Entries contain file attributes and location data.

MFT Records
- Small files (roughly up to 700-900 bytes, depending on the other attributes present) are contained completely in the MFT entry as resident data.
- Folders contain index data. Small folders reside within the MFT record; larger folders have an index structure pointing to other data blocks, organized as a B-tree.

MFT Record: file reference addresses
- Each MFT record is addressed by a 48-bit MFT entry number. The first entry has address 0.
- Each MFT entry has a 16-bit sequence number that is incremented when the entry is (re)allocated.
- MFT entry number and sequence number combined yield the 64-bit file reference address (sequence number in the upper 16 bits).
- NTFS uses the file reference address to refer to MFT entries.
- If the system crashes during allocation, the sequence number tells whether a reference to the MFT entry belonged to the previous file or to the current one.

MFT Record: attributes
- MFT entry attributes are loosely defined. Each attribute is preceded by an attribute header, which identifies the type of attribute, its size, and its name (if any).
- A resident attribute is stored in the MFT entry. A non-resident attribute is stored in clusters outside the MFT.
- Non-resident attributes are stored in cluster runs. A cluster run consists of consecutive clusters and is identified by a starting cluster and a run length.
- NTFS distinguishes between Virtual Cluster Numbers (VCN) and Logical Cluster Numbers (LCN):
  LCN x (sectors per cluster) = sector number within the volume.
  LCN 0 is the first cluster in the volume (it contains the boot sector).
  VCN 0 is the first cluster of an attribute's data; VCNs are numbered relative to the attribute, and each cluster run maps a range of VCNs to a starting LCN.

MFT Record Structure: entry header
- The MFT entry header has a fixed structure:
  0x00-0x03  Magic number: "FILE"
  0x04-0x05  Offset to the update sequence (fixup array)
  0x06-0x07  Number of entries in the fixup array
  0x08-0x0f  $LogFile Sequence Number (LSN)
  0x10-0x11  Sequence number
  0x12-0x13  Hard link count
  0x14-0x15  Offset to first attribute
  0x16-0x17  Flags: 0x01 = record in use, 0x02 = directory
  0x18-0x1b  Used size of MFT entry
  0x1c-0x1f  Allocated size of MFT entry
  0x20-0x27  File reference to the base FILE record
  0x28-0x29  Next attribute ID
  0x2a-0x2b  (XP and later) Alignment to 4-byte boundary
  0x2c-0x2f  (XP and later) Number of this MFT record
  0x30-end   Attributes and fixup values (up to 0x3ff for a 1 KB record)

MFT Record Structure, EXAMPLE 1: a directory entry
- MFT records start with "FILE". A record whose update-sequence (fixup) check has failed is marked "BAAD".
- Bytes 0x04-0x05: offset to the update sequence.
- Bytes 0x06-0x07: number of entries in the fixup array.
- Bytes 0x08-0x0f: $LogFile sequence number.
- Bytes 0x10-0x11: sequence number: 59 00 -> 0x0059 = 89.
- Bytes 0x12-0x13: hard link count: 2.
- Bytes 0x14-0x15: offset to first attribute: 38 00 -> 0x0038, so the first attribute starts at byte 0x38 of the record.
- Bytes 0x16-0x17: flags: 0x0001 | 0x0002 = 0x0003, in use and contains a directory.
MFT List of
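The header fields of EXAMPLE 1 and the file-reference scheme described earlier are small enough to parse by hand, but the fixup array is where hand parsing usually goes wrong. The following is an added example, not code from the original slide deck: it constructs a 1 KB directory record as it would sit on disk (update sequence number written over the last two bytes of each 512-byte sector, originals saved in the fixup array), then verifies and undoes the fixups, decodes the header, and assembles the 64-bit file reference from the 48-bit entry number and 16-bit sequence number. The sequence number (0x0059), hard link count (2), first-attribute offset (0x38) and flags (0x0003) are the slide's values; the LSN, sizes, fixup bytes, attribute header and the entry number (5, which is the root folder's entry on a real volume) are assumed.

```python
"""Parse an NTFS MFT entry header, undo its fixups, build file references.

Added example, not code from the original slide deck. Header values match
EXAMPLE 1; the LSN, sizes, fixup bytes, attribute header and entry number
are assumed.
"""
import struct

RECORD_SIZE = 1024
SECTOR_SIZE = 512
FLAG_IN_USE = 0x01
FLAG_DIRECTORY = 0x02
ENTRY_MASK = (1 << 48) - 1


def make_file_reference(entry: int, sequence: int) -> int:
    """64-bit file reference: 48-bit entry number low, 16-bit sequence number high."""
    if not (0 <= entry <= ENTRY_MASK and 0 <= sequence < (1 << 16)):
        raise ValueError("entry or sequence number out of range")
    return (sequence << 48) | entry


def split_file_reference(ref: int) -> tuple:
    return ref & ENTRY_MASK, ref >> 48


def build_sample_record(entry_number: int = 5, usn: int = 0x0007) -> bytes:
    """Constructed on-disk image of a directory's MFT record. The update sequence
    number (USN) overwrites the last 2 bytes of each sector; the originals are
    kept in the fixup array at 0x30 (USN, then one saved value per sector)."""
    rec = bytearray(RECORD_SIZE)
    rec[0x00:0x04] = b"FILE"
    struct.pack_into("<H", rec, 0x04, 0x30)          # offset of fixup array
    struct.pack_into("<H", rec, 0x06, 3)             # USN + one entry per sector
    struct.pack_into("<Q", rec, 0x08, 0x2A3B4C5D)    # $LogFile sequence number (assumed)
    struct.pack_into("<H", rec, 0x10, 0x0059)        # sequence number: 59 00 on disk
    struct.pack_into("<H", rec, 0x12, 2)             # hard link count
    struct.pack_into("<H", rec, 0x14, 0x38)          # offset to first attribute: 38 00
    struct.pack_into("<H", rec, 0x16, FLAG_IN_USE | FLAG_DIRECTORY)
    struct.pack_into("<I", rec, 0x18, 0x160)         # used size (assumed)
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)   # allocated size
    struct.pack_into("<Q", rec, 0x20, 0)             # base reference: 0, this is a base record
    struct.pack_into("<H", rec, 0x28, 4)             # next attribute id (assumed)
    struct.pack_into("<I", rec, 0x2C, entry_number)  # number of this MFT record (XP+)
    struct.pack_into("<II", rec, 0x38, 0x10, 0x60)   # first attribute: $STANDARD_INFORMATION, 0x60 B
    originals = [b"\xaa\xbb", b"\xcc\xdd"]           # assumed real tail bytes of each sector
    struct.pack_into("<H", rec, 0x30, usn)
    for i, orig in enumerate(originals):
        rec[0x32 + 2 * i:0x34 + 2 * i] = orig
        struct.pack_into("<H", rec, (i + 1) * SECTOR_SIZE - 2, usn)
    return bytes(rec)


def apply_fixups(rec: bytes) -> bytes:
    """Every sector tail must carry the USN; a torn multi-sector write leaves a stale
    value (chkdsk marks such records BAAD). Then restore the saved original bytes."""
    fix_off, count = struct.unpack_from("<HH", rec, 0x04)
    if len(rec) < (count - 1) * SECTOR_SIZE:
        raise ValueError("record shorter than its fixup count implies")
    usn = rec[fix_off:fix_off + 2]
    out = bytearray(rec)
    for i in range(1, count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at sector {i - 1}: torn write")
        out[end - 2:end] = rec[fix_off + 2 * i:fix_off + 2 * i + 2]
    return bytes(out)


def fixups_consistent(rec: bytes) -> bool:
    try:
        apply_fixups(rec)
        return True
    except ValueError:
        return False


def parse_mft_header(rec: bytes) -> dict:
    sig = rec[0:4]
    if sig == b"BAAD":
        raise ValueError("record marked BAAD by the file system")
    if sig != b"FILE":
        raise ValueError(f"unexpected signature {sig!r}")
    rec = apply_fixups(rec)
    (_, _, lsn, seq, links, first_attr, flags, used, alloc,
     base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", rec, 0x04)
    record_number, = struct.unpack_from("<I", rec, 0x2C)
    attr_type, attr_len = struct.unpack_from("<II", rec, first_attr)
    return {"lsn": lsn, "sequence": seq, "hard_links": links,
            "first_attribute_offset": first_attr,
            "in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY),
            "used_size": used, "allocated_size": alloc,
            "base_reference": split_file_reference(base_ref),
            "next_attribute_id": next_id, "record_number": record_number,
            "file_reference": make_file_reference(record_number, seq),
            "first_attribute": (attr_type, attr_len)}


def parse_sample_record() -> dict:
    return parse_mft_header(build_sample_record())
```

Fixups must be undone before any attribute at offset 0x1FE or 0x3FE is interpreted, otherwise two bytes of attribute data are silently replaced by the USN. A non-zero `base_reference` means the record is an extension of another entry and its attributes belong to that base record; comparing the sequence number in a directory index entry's file reference with the sequence number in the MFT record it points to is how a tool tells a live entry from a reused one.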