NTFS_文件系统.ppt

Published: 2018-05-19, 42 pages
Computer Forensics
NTFS File System

MBR and GPT Disks
  MBR disks for 32-bit x86-compatibles
  GPT disks for 64-bit Itanium processors
  GPT disks start with an MBR in order to maintain compatibility
  This MBR has a single partition with a partition table entry of 0xEE

NTFS Architecture

NTFS Boot Sector
  0x00   3B    Jump Instruction
  0x03   8B    OEM ID
  0x0B   25B   BPB
  0x24   48B   Extended BPB
  0x54   426B  Bootstrap Code
  0x1FE  2B    End of Sector Marker

NTFS Boot Sector
  Many fields are not important, but:
  0x0B  Bytes per sector
  0x0D  Sectors per cluster
  0x15  Media descriptor. F8: HD; F0: HD Floppy
  0x28  Total sectors
  0x30  Logical cluster number for the MFT
  0x38  Logical cluster number of the copy of the MFT
  0x40  Clusters per MFT record
  0x48  Volume serial

NTFS Boot Sector
  WinHex allows access to an interpreted NTFS Boot Sector. Use the Access Tab.

NTFS BPB

NTFS Master File Table
  The first four entries are replicated, so that the MFT can be repaired
  The first 16 records are reserved for metadata files; their names begin with a dollar sign ($)

NTFS Master File Table
  Master file table: $MFT
  Master file table mirror: $MftMirr
  Log file: $LogFile
  Volume: $Volume
  Attribute definitions: $AttrDef
  The root folder: “.”
  Cluster bitmap: $Bitmap
  Boot sector: $Boot (located at the beginning of the partition)
  Bad cluster file: $BadClus
  Security file: $Secure
  Upcase table: $Upcase
  NTFS extension file: $Extend, which is for future use

NTFS Master File Table

MFT Record Structure
  Entries are 1KB each
  Entries contain File Attributes Location Data

MFT Records
  Small files (900B) are contained completely in the MFT entry.

MFT Records
  Folders contain index data.
  Small folders reside within the MFT record
  Larger folders have an index structure to other data blocks. They use a B-tree structure.

MFT Record
  Each MFT record is addressed by a 48-bit MFT entry value. The first entry has address 0.
  Each MFT entry has a 16 bit sequence number that is incr
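
The boot-sector offsets listed above (0x0B through 0x48), decoded in Python so the $MFT can be located on a raw volume image; this is an added example, not part of the original slides. The sample sector is constructed, the function names are hypothetical, and the signed reading of the byte at 0x40 (a negative value n means 2^|n| bytes per record) is NTFS behaviour the slides do not spell out.

```python
import struct

SECTOR_SIZE = 512

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the boot-sector fields listed above (all values little-endian)."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("end-of-sector marker missing at 0x1FE")
    if sector[0x03:0x0B] != b"NTFS    ":
        raise ValueError("OEM ID at 0x03 is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mirror_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (raw_record,) = struct.unpack_from("<b", sector, 0x40)  # signed byte
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    if cluster_size == 0:
        raise ValueError("zero cluster size, BPB is damaged")
    # Positive value: record size in clusters. Negative: 2**abs(value) bytes.
    record_size = raw_record * cluster_size if raw_record > 0 else 1 << -raw_record
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "media_descriptor": sector[0x15],
        "total_sectors": total_sectors,
        # Byte offsets are relative to the start of the volume, not the disk.
        "mft_byte_offset": mft_lcn * cluster_size,
        "mft_mirror_byte_offset": mirror_lcn * cluster_size,
        "mft_record_size": record_size,
        "volume_serial": f"{serial:016X}",
    }

def build_sample_sector() -> bytes:
    """Constructed sample: 512 B sectors, 8 sectors per cluster, $MFT at LCN 786432."""
    s = bytearray(SECTOR_SIZE)
    s[0x00:0x03] = b"\xeb\x52\x90"                    # jump instruction
    s[0x03:0x0B] = b"NTFS    "                        # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    s[0x15] = 0xF8                                    # media descriptor: hard disk
    struct.pack_into("<QQQ", s, 0x28, 2097151, 786432, 2)
    struct.pack_into("<b", s, 0x40, -10)              # 2**10 = 1 KB records
    struct.pack_into("<Q", s, 0x48, 0x1122334455667788)
    s[0x1FE:0x200] = b"\x55\xaa"                      # end-of-sector marker
    return bytes(s)

if __name__ == "__main__":
    for name, value in parse_ntfs_boot_sector(build_sample_sector()).items():
        print(f"{name:24} {value}")
```
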