NTFS Documentation

### NTFS Documentation Key Points #### 1. Prologue The prologue section provides an introduction to the documentation, which is aimed at programmers and technical professionals who need to understand the inner workings of the NTFS file system. The documentation was initially created to complement the Linux NTFS driver and is maintained online for continuous updates. ##### NTFS Documentation Preface The preface acknowledges that the information provided is accurate to the best of the authors' knowledge but also notes that there may be gaps or inaccuracies. It advises readers to proceed with caution and directs them to the NTFS FAQ for simple answers to common questions. ##### About the NTFS Documentation This part provides background information about the documentation itself, including its purpose, scope, and intended audience. It emphasizes that the document is technical and designed for developers working with NTFS. ##### Tables Legend A legend is included to explain the symbols and conventions used in tables throughout the documentation, making it easier for readers to interpret the data presented. ##### Volume Layout An overview of the basic layout of an NTFS volume, including the key components such as the Master File Table ($MFT), the Log File ($LogFile), and other critical files and structures. #### 2. NTFS Attributes NTFS uses various attributes to store metadata and data associated with files and directories. This section covers each attribute in detail: ##### Overview A brief introduction to the concept of attributes and their role in NTFS. ##### Attribute - $STANDARD_INFORMATION (0x10) This attribute contains general file information, such as creation time, last access time, last modification time, and change time. It is present in every file and directory record. ##### Attribute - $ATTRIBUTE_LIST (0x20) Used to list all attributes associated with a file or directory. It includes the attribute type, attribute length, and a reference to the attribute's location. ##### Attribute - $FILE_NAME (0x30) Contains the filename, file reference number, creation time, and other details. It is essential for the file system to determine the name of a file and associate it with its content. ##### Attribute - $OBJECT_ID (0x40) Stores a unique identifier for the file, allowing for the identification of files across different volumes. ##### Attribute - $SECURITY_DESCRIPTOR (0x50) Holds security-related information, such as access control lists (ACLs), which define who can access a file and what operations they can perform. ##### Attribute - $VOLUME_NAME (0x60) Contains the name of the volume, typically the drive letter or mount point. ##### Attribute - $VOLUME_INFORMATION (0x70) Provides information about the volume, such as the version number, cluster size, and other properties. ##### Attribute - $DATA (0x80) Contains the actual file data. This attribute can be resident (stored directly within the file record) or non-resident (stored elsewhere on the volume). ##### Attribute - $INDEX_ROOT (0x90) Describes the root of an index used to organize files and directories. It specifies the type of index and a pointer to the index allocation if the index is large. ##### Attribute - $INDEX_ALLOCATION (0xA0) Allocates space for the index entries and contains the index records themselves. ##### Attribute - $BITMAP (0xB0) Tracks which clusters on the volume are allocated or free. This attribute is crucial for managing the available space on the volume. ##### Attribute - $REPARSE_POINT (0xC0) Used for symbolic links, junction points, and other types of reparse points that redirect file system operations. ##### Attribute - $EA_INFORMATION (0xD0) Contains information about extended attributes (EAs) associated with a file or directory. ##### Attribute - $EA (0xE0) Stores the actual extended attributes. EAs can hold additional metadata not covered by standard attributes. ##### Attribute - $LOGGED_UTILITY_STREAM (0x100) Allows utilities to log changes made to a file or directory. This attribute is often used for backup and recovery purposes. #### 3. NTFS Files This section provides detailed descriptions of the special files used by NTFS to manage the volume: ##### Overview An overview of the files that are essential for the proper functioning of the file system, including system files and hidden files. ##### NTFS Files: $MFT (0) The Master File Table, which is a database of file records for every file and directory on the volume. ##### NTFS Files: $MFTMirr (1) A mirror of the $MFT, used for redundancy and recovery purposes. ##### NTFS Files: $LogFile (2) A transaction log that records changes made to the file system. This log is crucial for crash recovery and maintaining the integrity of the file system. ##### NTFS Files: $Volume (3) Contains information about the volume, such as the volume serial number and label. ##### NTFS Files: $AttrDef (4) Defines the standard and non-standard attributes that can be stored in the file system. ##### NTFS Files: . (Root Directory) (5) The root directory of the volume, which contains the top-level directories and files. ##### NTFS Files: $Bitmap (6) Tracks the allocation status of clusters on the volume, indicating which clusters are in use and which are free. ##### NTFS Files: $Boot (7) Contains the boot sector of the volume, which is used to initialize the file system during the boot process. ##### NTFS Files: $BadClus (8) Lists bad clusters on the volume that should not be used for storing data. ##### NTFS Files: $Secure (9) Holds security-related information, such as access control lists (ACLs) and security descriptors for files and directories. ##### NTFS Files: $UpCase (10) Stores uppercase equivalents of all lowercase letters, which is used to maintain case-insensitive file names in the file system. ##### NTFS Files: $Extend (11) Contains additional attributes that extend the functionality of the file system, such as the $Quota and $Reparse attributes. ##### NTFS Files: $ObjId (Any) Stores object identifiers that uniquely identify files and directories across volumes. ##### NTFS Files: $Quota (NT:9, 2K:Any) Manages disk quotas for users and groups, controlling how much disk space they can use. ##### NTFS Files: $Reparse (Any) Contains reparse points, which redirect file system operations to other locations or files. ##### NTFS Files: $UsnJrnl (Any) Maintains the update sequence numbers (USNs) for files and directories, which track changes to the file system over time. #### 4. NTFS Concepts This section delves into the underlying concepts that make up the NTFS file system: ##### Overview A brief introduction to the core concepts of NTFS, including attributes, B-trees, and file records. ##### Concept - Attribute Header Details the structure of the attribute header, which is the common header used by all attributes to store metadata. ##### Concept - Attribute Id Explains the attribute ID, a unique identifier assigned to each attribute type. ##### Concept - B-Trees Discusses the B-tree data structure used by NTFS to efficiently manage and search large datasets, such as the file name index. ##### Concept - Clusters Describes the basic unit of storage allocation on an NTFS volume, which consists of one or more contiguous sectors. ##### Concept - Collation Explains the process of sorting and comparing file names according to the collation rules defined by the file system. ##### Concept - Compression Details the compression methods used by NTFS to reduce the amount of space required to store files. This extensive documentation provides a comprehensive understanding of the NTFS file system, covering both the high-level concepts and the specific attributes and files that make up its architecture. It serves as a valuable resource for developers and system administrators who need to work with NTFS on a technical level.