Chapter 3. NTFS Files
Everything on an NTFS volume is a file. There are two categories: Metadata and Normal. The Metadata files contain information about the volume and the Normal files contain your data.
1.1. Layout of the Volume
Below is a table of the files found on a Win2K volume. The 2K column marks the files that only exist on Windows 2000 volumes.
Table 3.1. Layout of files on the Volume

| Inode | Filename | OS | Description |
|---|---|---|---|
| 0 | $MFT | | Master File Table - An index of every file |
| 1 | $MFTMirr | | A backup copy of the first 4 records of the MFT |
| 2 | $LogFile | | Transactional logging file |
| 3 | $Volume | | Serial number, creation time, dirty flag |
| 5 | . (dot) | | Root directory of the disk |
| 6 | $Bitmap | | Contains volume's cluster map (in-use vs. free) |
| 7 | $Boot | | Boot record of the volume |
| 8 | $BadClus | | Lists bad clusters on the volume |
| 9 | $Secure | 2K | Security descriptors used by the volume |
| 10 | $UpCase | | Table of uppercase characters used for collating |
| 11 | $Extend | 2K | A directory: $ObjId, $Quota, $Reparse, $UsnJrnl |
| 12-15 | \<Unused\> | | Marked as in use but empty |
| 16-23 | \<Unused\> | | Marked as unused |
| Any | $ObjId | 2K | Unique Ids given to every file |
| Any | $Reparse | 2K | Reparse point information |
| Any | $UsnJrnl | 2K | Journalling of Encryption |
| >24 | A_File | | An ordinary file |
| >24 | A_Dir | | An ordinary directory |
| ... | ... | | ... |
1.2.1. Unused Inodes
On a freshly formatted volume, inodes 0x0B to 0x0F are marked as in use, but are empty. Inodes 0x10 to 0x17 are marked as free and are not used. This doesn't change until the volume is under a lot of stress.
When the $MFT becomes very fragmented, its $DATA attribute no longer fits into one FILE Record and an extension record is needed. If the new record were simply allocated at the end of the $MFT we would run into a problem: the $DATA attribute that describes the location of the new record would itself live in the new record.
The new records are therefore allocated from inode 0x0F onwards. The $MFT is always a minimum of 16 FILE Records long, so inode 0x0F always exists. After inodes 0x0F to 0x17 are used up, higher, unreserved, inodes are used.
This effect may not be limited to the $MFT, but more evidence is needed.
1.2.2. Other Information
For some reason $ObjId, $Quota, $Reparse and $UsnJrnl don't have inode numbers below 24, unlike the rest of the Metadata files.
Also, the sequence number of each of the system files is always equal to its MFT record number and is never modified.
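The two facts above (the reserved region of the MFT laid out in Table 3.1 and the rule that a system file's sequence number equals its record number) are exactly what a forensic or integrity tool checks before trusting the metadata files on a volume. The following is an added example written for this chapter, not code from the original document or from any NTFS project. It builds a constructed 24-record MFT image matching a freshly formatted volume, parses the few FILE record header fields the check needs (the "FILE" magic at offset 0, the 16-bit sequence number at 0x10 and the flags word at 0x16, whose low bits mark "in use" and "directory"), splits 64-bit file references into their 48-bit record number and 16-bit sequence number, and audits the reserved records against the layout described above. The record size of 1024 bytes is an assumption for the sample image. One detail not stated in the text: sequence number 0 is never used, so record 0 ($MFT) carries 1; the audit allows for that exception.

```python
import struct

# Reserved MFT record numbers and the metadata file held in each one,
# as listed in Table 3.1 above (the table leaves inode 4 unlisted).
SYSTEM_FILES = {
    0: "$MFT", 1: "$MFTMirr", 2: "$LogFile", 3: "$Volume", 5: ".",
    6: "$Bitmap", 7: "$Boot", 8: "$BadClus", 9: "$Secure",
    10: "$UpCase", 11: "$Extend",
}
METADATA_DIRS = (5, 11)        # "." and $Extend are directories
FIRST_USER_INODE = 24          # records 0-23 are reserved for metadata files
RECORD_SIZE = 1024             # assumed FILE record size for the sample image

FLAG_IN_USE = 0x0001           # FILE record header flag bits
FLAG_DIRECTORY = 0x0002


def split_file_reference(ref):
    """Split a 64-bit NTFS file reference into (record number, sequence number).
    The low 48 bits hold the MFT record number, the high 16 bits the sequence number."""
    return ref & ((1 << 48) - 1), ref >> 48


def join_file_reference(record_no, seq):
    """Inverse of split_file_reference."""
    return (seq << 48) | (record_no & ((1 << 48) - 1))


def parse_file_record_header(data):
    """Read the header fields this check needs from one FILE record.
    Returns None when the record does not start with the "FILE" magic."""
    if data[:4] != b"FILE":
        return None
    seq, = struct.unpack_from("<H", data, 0x10)
    flags, = struct.unpack_from("<H", data, 0x16)
    return {"seq": seq,
            "in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY)}


def build_sample_record(seq, in_use, directory=False):
    """Construct a FILE record holding only a header (the rest is zero padding).
    This is constructed sample data, not a dump from a real volume."""
    buf = bytearray(RECORD_SIZE)
    buf[:4] = b"FILE"
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    struct.pack_into("<H", buf, 0x10, seq)
    struct.pack_into("<H", buf, 0x16, flags)
    return bytes(buf)


def classify(record_no):
    """Metadata, reserved-but-unused, or normal file, by record number alone."""
    if record_no in SYSTEM_FILES:
        return "metadata " + SYSTEM_FILES[record_no]
    if record_no < FIRST_USER_INODE:
        return "reserved"
    return "normal"


def audit_reserved_records(mft):
    """Check the reserved region of an MFT image against the layout above:
    records 0-15 in use (12-15 empty), 16-23 free, metadata directories flagged
    as directories, and each in-use system record's sequence number equal to its
    record number (record 0 uses 1, since sequence number 0 is never used).
    Returns a list of (record number, finding) pairs; empty means all checks passed."""
    findings = []
    for i in range(FIRST_USER_INODE):
        hdr = parse_file_record_header(mft[i * RECORD_SIZE:(i + 1) * RECORD_SIZE])
        if hdr is None:
            findings.append((i, "bad magic"))
            continue
        if hdr["in_use"] != (i < 16):
            findings.append((i, "unexpected in-use flag"))
            continue
        if hdr["in_use"]:
            expected_seq = i if i else 1
            if hdr["seq"] != expected_seq:
                findings.append((i, "sequence number %d != record number %d" % (hdr["seq"], i)))
            if i in METADATA_DIRS and not hdr["directory"]:
                findings.append((i, "directory flag missing"))
    return findings


def sample_mft(tamper=False):
    """Constructed 24-record MFT image matching a freshly formatted volume.
    With tamper=True, record 3 ($Volume) gets a bumped sequence number, which
    the text above says never happens to a system file."""
    recs = []
    for i in range(FIRST_USER_INODE):
        recs.append(build_sample_record(seq=i if i else 1, in_use=i < 16,
                                        directory=i in METADATA_DIRS))
    if tamper:
        recs[3] = build_sample_record(seq=7, in_use=True)
    return b"".join(recs)


if __name__ == "__main__":
    print(audit_reserved_records(sample_mft()))
    print(audit_reserved_records(sample_mft(tamper=True)))
    print(split_file_reference(join_file_reference(5, 5)), classify(5))
```

Run against a real $MFT dump, the same audit works unchanged once RECORD_SIZE is taken from the boot sector; the only volume-specific assumptions are the record size and the fact that records 12-23 have not yet been pressed into service as $MFT extension records, which the "Unused Inodes" section explains can happen on a heavily fragmented volume.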
Here we only want to establish one point: everything in NTFS is a file, including the MFT itself. Hence, the MFT records everything, itself included. In this chapter you will see this point everywhere. Please remember: everything in NTFS is a file.