NTFS 文件系统

ComputerForensicsNTFSFileSystemMBRandGPTDisksMBRdisksfor32b86x-compatiblesGPTdisksfor64bItaniumprocessorsStartwithaMBRinordertomaintaincompatibilityMBRhasasinglepartitionwithapartitiontableentryof0xEENTFSArchitectureNTFSArchitectureNTFSBootSectorNoticethattheendofsectormarkeris55AA.YoucanlookforthistofindbootsectorsforNTFSandDOS.NTFSBootSector0x003BJumpInstruction0x038BOEMID0x0B25BBPB0x2448BExtendedBPB0x54426BBootstrapCode.0x1FE2BEndofSectorMarkerNTSFBootSectorNTSFBootSectorManyfieldsarenotimportant,but:0x0B,Bytespersector.0x0DSectorsperCluster0x15Mediadescriptor.F8:HD;F0:HDFloppy0x28Totalsectors.0x30LogicalclusternumberfortheMFT0x38LogicalclusternumbercopyoftheMFT0x40ClustersperMFTRecord.0x48VolumeserialNTFSBootSectorWinHexallowsaccesstoaninterpretedNTFSBootSector.UsetheAccessTab.NTFSBPB0x0BBytespersector:00020200=512decimal0x0DSectorspercluster:0x080x0EReservedsectors0x0000NTFSBPB0x15:MediaDescriptor:F8isharddrive,F0isfloppy.0x28Totalnumberofsectors:F7AF4E0900000000000000094EAFF7156,151,799sectors,i.e.~80GBNTFSBPB0x30:LogicalclusternumberforMFTcopy1:clusterC07FE9(File$MFT)0x38:LogicalclusternumberforMFTcopy2:cluster40029DNTFSBPB0x40:ClustersperMFTrecord:F60x48:VolumeSerialNumberNTFSMasterFileTableFirstfourentriesarereplicated,sothatMFTcanberepairedFirst16recordsarereservedformetadatafiles,theirnamebeginswithadollarsign($)NTFSMasterFileTable1.Masterfiletable$MFT.2.Masterfiletablemirror$MftMirr.3.Logfile$LogFile.4.Volume$VolumeAttributedefinitions$AttrDef.5.Therootfolder“.”6.Clusterbitmap$Bitmap7.Bootsector$Boot(locatedatthebeginningofpartition)8.Badclusterfile$BadClus9.Securityfile$Secure10.Upcasetable$Upcase11.NTFSextensionfile$Extend,thatisusedforfutureuse.NTFSMasterFileTableMFTRecordStructureEntriesare1KBeachEntriescontainFileAttributesLocationDataMFTRecordsSmallFiles(900B)arecontainedcompletelyintheMFTentry.MFTRecordsFolderscontainindexdata.SmallfoldersresidewithintheMFTrecordLargerfoldershaveanindexstructuretootherdatablocks.TheyuseaB-treestructure.MFTRecordEachMFTrecordisaddressedbya48bitMFTentryvalue.Firstentryhasaddress0.EachMFTentryhasa16bitsequencenumberthatisincrementedwhentheentryisallocated.MFTentryvalueandsequencenumbercombinedyield64bfilereferenceaddress.MFTRecordNTFSusesthefilereferenceaddresstorefertoMTFentries.Whenthesystemcrashesduringallocation,thenthesequencenumberdescribeswhethertheMTFentrybelongedtothepreviousfileortothecurrentone.MFTRecordMFTentryattributesarelooselydefined.Eachattributeisprecededbytheattributeheader.TheattributeheaderidentifiesTypeofattribute.Size.Name.MFTRecordStructureTheattributeheadergivesbasicinformationabouttheattribute.AresidentattributeisstoredintheMFTentry.Anon-residententryisstoredinaclusteroutsidetheMFT.MFTRecordStructureResidentattributesarestoredinMFTrecord.Non-residentattributesarestoredinclusterruns.Clusterrunconsistsofconsecutiveclustersandareidentifiedbystartingclusterandrunlength.NTFSdistinguishesbetweenVirtualClusterNumbersandLogicalClusterNumbers.LCN*(#sectorsincluster)=sectornumberLCN0isfirstclusterinthevolume(bootsector).VCN0referstothefirstclusterinaclusterrun.MFTRecordStructureMFTentryheaderhasafixedstructureMFTRecordStructure0x00-0x03:MagicNumber:FILE0x04-0x05:Offsettotheupdatesequence.0x06-0x07:Numberofentriesinfixuparray0x08-0x0f:$LogFileSequenceNumber(LSN)0x10-0x11:Sequencenumber0x12-0x13:Hardlinkcount0x14-0x15:OffsettofirstattributeMFTRecordStructure0x16-0x17:Flags:0x01:recordinuse,0x02directory.0x18-0x1b:UsedsizeofMFTentry0x1c-0x1f:AllocatedsizeofMFTentry.0x20-0x27:FilereferencetothebaseFILErecord0x28-0x29:NextattributeID0x2a-0x2b:(XP)Alignto4Bboundary0x2c-ox2f:(XP)NumberofthisMFTrecord0x30-0x100:AttributesandfixupvalueMFTRecordStructureEXAMPLE1:AdirectoryentryMFTRecordMFTrecordsstartwith“FILE”.Abadclusterwouldstartwith“BAAD”MFTRecordBytes4-5:Offsettoupdatesequence.Bytes6-7:NumberofentriesinfixuparrayBytes8-f:LogfilesequencenumberBytes0x10-0x11:Sequencenumber:5900MFTRecordBytes0x12-0x13:2–hardlinkcountBytes0x14-0x15:Offsettofirstattribute:0x38Bytes0x16-0x17:Flags:Inuseandcontainsadirectory0x0001|0x0002MFTRecordBytes0x14–0x15:Firstattributestartsat0x38000x0038MFTListofpossibleattributesDefinedin$AttrDefentryofMFT,butdefaultis:0x10STANDARD_INFORMATION0x20$ATTRIBUTE_LIST0x30$FILE_NAME0X40(NT)$VOLUME_VERSION(2K)$OBJECT_ID0x50$SECURITY_DESCRIPTOR0x60$VOLUME_NAME0x70$VOLUME_INFORMATION0x80$DATA0x90$INDEX_ROOT0xA0$INDEX_ALLOCATION0xB0$BITMAP0xC0(NT)$SYMBOLIC_LINK,(2K)$REPARSE_POINT0xD0$EA_INFORMATION0xE0$EA0xF0NT$PROPERTY_SET0x100(2K)$LOGGED_UTILITY_STREAMMFTAttributeLayoutAttributescanberesidentornon-resident.Beginningisalwaysthesame:0x00AttributeTypeIdentifier0x04LengthofAttribute0x08non-residentflag0x09lengthofname0x0aoffsettoname0x0cflagsMFTAttributeExampleAttributeisoftype00000001.StandardInformationAttributeis0x00000060byteslong.Attributeisresident(0x00)Contentsare0x00000048byteslongandstartatoffset0x0018.MFTAttributeExample0x008FileCreationT