Anonymous user
NTFS: Difference between revisions
Added a link to the Windows NT page.
| [unchecked revision] | [unchecked revision] |
(Added a link to the Windows NT page.) |
|||
| (11 intermediate revisions by 10 users not shown) | |||
Line 1:
{{Filesystems}}
NTFS ('''New Technology File System''') is [[Windows NT]]'s native file system. It is not only based on [[HPFS]], but also supports security features such as access control. Since Windows NT is entirely unicode, NTFS is a unicode filesystem, with each character (e.g. in names) being 16-bits instead of 8-bits.
== About ==
Line 27:
The NTFS boot sector is similar to other file systems, like FAT.
{| {{wikitable}}
! Field
! Type
|-
|JMP || int8_t[3]
|-
|OEM System || char[8]
|-
|Bytes Per Sector || uint16_t
|-
|Sectors Per Cluster || int8_t
|-
|Reserved Sector Count || uint16_t
|-
|Table Count || int8_t
|-
|Root Entry Count || uint16_t
|-
|Sector Count || uint16_t
|-
|Media Type || int8_t
|-
|Sectors Per Table || uint16_t
|-
|Sectors Per Track || uint16_t
|-
|Heads || uint16_t
|-
|Hidden Sector Count || uint32_t
|-
|Sector Count (32-bit) || uint32_t
|-
|Reserved || uint32_t
|-
|Sector Count (64-bit) || uint64_t
|}
This is followed immediately by a NTFS specific header.
{| {{wikitable}}
!Field
!Type
|-
|Master File Table Cluster || uint64_t
|-
|Master File Table Mirror Cluster || uint64_t
|-
|Clusters Per Record || int8_t
|-
|Reserved || int8_t[3]
|-
|Clusters Per Index Buffer || int8_t
|-
|Reserved || int8_t[3]
|-
|Serial Number || uint64_t
|-
|Checksum || uint32_t
|}
Using the "Master File Table Cluster" and "Sectors Per Cluster" values, you can find the Master File Table. This table contains entries for every object in the file system, including files, folders, and the tables themselves. The size of each record in the Master File Table can be calculated using the "Clusters Per Record" and "Sectors Per Cluster" fields from the boot sector.
Line 64 ⟶ 91:
Each record starts with the same header structure.
{| {{wikitable}}
! Field
! Type
|-
|Record Type || char[4]
|-
|Update Sequence Offset || uint16_t
|-
|Update Sequence Length || uint16_t
|-
|Log File Sequence Number || uint64_t
|-
|Record Sequence Number || uint16_t
|-
|Hard Link Count || uint16_t
|-
|Attributes Offset || uint16_t
|-
|Flags || uint16_t
|-
|Bytes In Use || uint32_t
|-
|Bytes Allocated || uint32_t
|-
|Parent Record Number || uint64_t
|-
|Next Attribute Index || uint32_t
|-
|Reserved || uint32_t
|-
|Record Number || uint64_t
|}
The remainder of the file record contains additional tables and data for this record. The "Attributes Offset" field contains the byte offset (from the start of the record) of the beginning of the attribute list for this record.
Line 86 ⟶ 128:
Attributes have a variable length, but always start with the same sequence.
{| {{wikitable}}
! Field
! Type
|-
| Attribute Type || uint32_t
|}
If the "Attribute Type" field contains the value 0xffffffff, this marks the end of the attribute list. Otherwise, the attribute sequence continues with the length of the attribute "record".
{| {{wikitable}}
! Field
! Type
|-
| Attribute Length || uint32_t
|}
This length value defines the total length of the attribute record, including the "Attribute Type" and "Attribute Length" fields.
==
=== External Links ===
* [https://web.archive.org/web/20210922203602/https://flatcap.org/linux-ntfs/ntfs/index.html Guide to NTFS]
* [https://www.writeblocked.org/resources/NTFS_CHEAT_SHEETS.pdf Cheat sheet]
* [http://www.linux-ntfs.org/ The Linux NTFS project]
* [http://www.ntfs-3g.org/ NTFS-3G Read/Write Drivers For Linux/FreeBSD/BeOS]
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=fs/ntfs;hb=HEAD
* [http://www.opensource.apple.com/source/ntfs/ Apple Open Source NTFS site]
* [https://github.com/libyal/libfsntfs/blob/main/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc#attribute_chains libfsntfs library documentation]
[[Category:Filesystems]]
[[de:NTFS]]
| |||