11. Attribute -$INDEX_ALLOCATION (0xA0)
This is the basic component of an index (e.g. a directory). This is the storage location for all sub-nodes of the B+ tree that implements an index (e.g. a directory). This file attribute is always non-resident.
As defined in $AttrDef, this attribute has a no minimum or maximum size. This attribute is never resident - would use index root instead
11.2. Layout of the Attribute
It is simply a sequence of all index buffers that belong to theindex.
Table 2.28. Layout of the $INDEX_ALLOCATION (0xA0) attribute
11.2.1. Index Entry
Split into two tables, at least
Table 2.29. Layout of a data entry in the$INDEX_ALLOCATION (0xA0) attribute
|The next field is only valid when the last entry flag is not set|
|0x08||2||L = Length of the index entry|
|0x0A||2||M = Length of the stream|
|The next field is only present when the last entry flag is not set|
|The next field is only present when the sub-node flag is set|
|L - 8||8||VCN of the sub-node in the index allocation attribute|
Table 2.30. Data entry flags
|0x01||Index entry points to a sub-node|
|0x02||Last index entry in the node|
The last entry flag is used to indicate the end of a sequence of index entries. Although it does not represent a valid file, it can point to a sub-node.
11.3.1. Length of the stream
A copy is the field at offset 10 in the header part of the resident file attribute indexed by the index entry. But why the hell hasn’t these 2 fields the same size?
A copy of the stream of the resident file attribute indexed by the index entry (e.g. for a directory, the file name attribute).
Always non resident (doesn't make sense to be resident anyway!). This is an array of index blocks. Each index block starts with an INDEX_BLOCK structure containing an index header, followed by a sequence of index entries (INDEX_ENTRY structure), as described by the INDEX_HEADER.
When creating the index block, we place the update sequence array at this offset, i.e. before we start with the index entries. This also makes sense; otherwise we could run into problems with the update sequence array containing in it the last two bytes of a sector which would mean that multi sectors transfer protection wouldn't work. As you can't protect data by overwriting it since you then can't get it back..., when reading usage of the data from the NTFS record header.
As we had said, the attributes of NTFS are very important in data recovery field. From the Windows 2000 to Windows Vista, the NTFS file system becomes more and more effective.