Scribd
Upload
87 views

Lecture # 39: User Data User Data MFT (Mirror) MFT

The document describes the structure and components of an NTFS file system. It contains two copies of the master file table (MFT) for redundancy. The first 16 records of the MFT are copied in the middle of the volume for critical system information. The boot sector structure is also outlined, including byte offsets for fields like the jump instruction, OEM ID, and bootstrap code. A sample boot block dump is displayed with hexadecimal values.

Uploaded by

api-3812413
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
87 views

Lecture # 39: User Data User Data MFT (Mirror) MFT

The document describes the structure and components of an NTFS file system. It contains two copies of the master file table (MFT) for redundancy. The first 16 records of the MFT are copied in the middle of the volume for critical system information. The boot sector structure is also outlined, including byte offsets for fields like the jump instruction, OEM ID, and bootstrap code. A sample boot block dump is displayed with hexadecimal values.

Uploaded by

api-3812413
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 5

System Programming Course Code: CS609

[email protected]

Lecture # 39

The following slide shows the anatomy of an NTFS based system. The FAT and root
directory has been replaced by the MFT. It will generally have two copies the other copy
will be a mirror image of the original. Rests of the blocks are reserved for user data. In
the middle of the volume is a copy of the first 16 MTF record which are very important to
the system.

MFT MFT User Data User Data


(Mirror)

Boot Block Copy of First 16 MFT records

Virtual University of Pakistan 59


System Programming Course Code: CS609
[email protected]

The following slides show the Boot sector structure for a NTFS based system.

NTFS General Boot Sector Structure


Byte Offset Field Length Field Name
0x00 3 bytes Jump
Instruction
0x03 LONGLONG OEM ID

0x0B 25 bytes BPB

0x24 48 bytes Extended BPB

0x54 426 bytes Bootstrap


Code
0x01FE WORD End of Sector
Marker

Virtual University of Pakistan 60


System Programming Course Code: CS609
[email protected]

The following slide shows a sample of the boot block dump. The following slides depict
various parameters placed in the Boot block.

Sample of NTFS Boot Block


Physical Sector:Cyl 0, Side 1, Sector 1
00000000:EB 52 90 4E 54 46 53 20 -20 20 20 00 02 08 00 00 .R.NTFS ........
00000010:00 00 00 00 00 F8 00 00 -3F 00 FF 00 3F 00 00 00 ........?...?...
00000020:00 00 00 00 80 00 80 00 -4A F5 7F 00 00 00 00 00 ........J.......
00000030:04 00 00 00 00 00 00 00 -54 FF 07 00 00 00 00 00 ........T.......
0000 00 40: F6 00 00 00 01 0 0 0 0 0 0 - 14 A5 1B 74 C 9 1 B 7 4 1C ... ... .. ...t.. t. 00 00 005 0:0 0 0 0 00 00 FA 33 C0 8E -D 0 BC 00 7C FB B8 C0 0 7 . ... .3. .. ..| ... . 000 00 060 :8E D8 E 8 1 6 0 0
B8 0 0 0D -8E C0 3 3 D B C 6 06 0E 00 .. ... ... ..3 .. ... 0 000 007 0: 10 E8 53 00 68 00 0 D 6 8 - 6A 02 CB 8A 16 2 4 0 0 B 4 . .S .h. .hj .. ..$ .. 00 000 080 :0 8 C D 1 3 73 05 B9 FF FF -8 A F 1 66 0F
B6 C 6 40 66 ... s. ... ..f .. .@f 0 000 009 0:0 F B6 D1 80 E2 3F F7 E 2 - 86 CD C0 ED 06 4 1 6 6 0 F . .. ..? ... ... .A f. 00 000 0A0 :B 7 C 9 6 6 F 7 E1 66 A3 20 -0 0 C 3 B4 41 BB AA 55 8A
..f. .f ... .A. .U. 0 00 000 B0: 16 24 00 CD 13 7 2 0 F 8 1 -FB 55 AA 7 5 0 9 F 6 C 1 01 .$. .. r.. .U. u.. .. 00 00 00C 0:7 4 0 4 FE 06 14 00 C3 66 - 60 1E 06 66 A1 10 0 0 6 6 t ... .. .f` ..f ... f
0000 00 D0: 03 06 1C 00 66 3 B 0 6 2 0 - 00 0F 82 3A 0 0 1 E 6 6 6A ... .f; .. ..: ..f j 000 00 0E0 :00 66 5 0 0 6 5 3 6 6 68 10 -00 0 1 0 0 8 0 3E 14 00 00 .f P.S fh. .. ..> ... 0 000 00 F0: 0F 85 0C 00 E8
B3 F F 80 -3E 14 0 0 0 0 0 F 84 61 00 .. ... ... >.. .. .a. 0 000 010 0: B4 42 8A 16 24 00 1 6 1 F - 8B F4 CD 13 66 5 8 5 B 0 7 . B. .$. ... ..fX [.. 0 000 011 0: 66 58 66 58 1F EB 2 D 6 6 - 33 D2 66 0F
B7 0 E 18 00 fXf X. -f3 .f. .. ... 0 000 012 0:6 6 F7 F1 FE C2 8A CA 6 6 - 8B D0 66 C1 EA 1 0 F 7 3 6 f .. ... .f. .f. .. .6 0 00 001 30: 1A 00 86 D6 8 A 1 6 2 4 0 0 -8A E8 C 0 E 4 0 6 0 A CC B8
.... .. $.. ... ... . 00 000 140 :01 0 2 C D 1 3 0 F 82 19 00 -8 C C 0 0 5 20 00 8E C0 66 .. .. ... ... ... .f 00 00 015 0:F F 0 6 10 00 FF 0E 0E 00 - 0F 85 6F FF 07 1F 6 6 6 1 . ... .. ... .o. ..f a

00000160:C3 A0 F8 01 E8 09 00 A0 -FB 01 E8 03 00 FB EB FE ................


00000170:B4 01 8B F0 AC 3C 00 74 -09 B4 0E BB 07 00 CD 10 .....<.t........
00000180:EB F2 C3 0D 0A 41 20 64 -69 73 6B 20 72 65 61 64 .....A disk read
00000190:20 65 72 72 6F 72 20 6F -63 63 75 72 72 65 64 00 error occurred.
000001A0:0D 0A 4E 54 4C 44 52 20 -69 73 20 6D 69 73 73 69 ..NTLDR is missi
000001B0:6E 67 00 0D 0A 4E 54 4C -44 52 20 69 73 20 63 6F ng...NTLDR is co
000001C0:6D 70 72 65 73 73 65 64 -00 0D 0A 50 72 65 73 73 mpressed...Press
000001D0:20 43 74 72 6C 2B 41 6C -74 2B 44 65 6C 20 74 6F Ctrl+Alt+Del to
000001E0:20 72 65 73 74 61 72 74 -0D 0A 00 00 00 00 00 00 restart........
000001F0:00 00 00 00 00 00 00 00 -83 A0 B3 C9 00 00 55 AA ..............U.

Sector Per Cluster =0008

MFT File Cluster #


Physical Sector:Cyl 0, Side 1, Sector 1
00000000:EB 52 90 4E 54 46 53 20 -20 20 20 00 02 08 00 00 .R.NTFS ........
00000010:00 00 00 00 00 F8 00 00 -3F 00 FF 00 3F 00 00 00 ........?...?...
00000020:00 00 00 00 80 00 80 00 -4A F5 7F 00 00 00 00 00 ........J.......
00000030:04 00 00 00 00 00 00 00 -54 FF 07 00 00 00 00 00 ........T.......
000 00 040 :F 6 0 0 00 00 0 1 0 0 00 00 - 14 A5 1 B 7 4 C9 1B 7 4 1 C ... .. .. ... .t ..t . 0 000 00 50 :00 0 0 0 0 00 FA 3 3 C 0 8E -D 0 BC 00 7 C F B B8 C0 0 7 . .. ..3 .. .. .|. .. . 00 00 006 0: 8E D8 E 8 1 6 00
B8 00 0D - 8E C0 3 3 D B C6 06 0 E 0 0 ... .. .. ... 3. ... . 0 000 00 70 :10 E 8 5 3 00 68 0 0 0 D 68 -6 A 02 CB 8 A 1 6 24 00 B 4 . .S .h. .h j. ... $. . 00 00 008 0: 08 CD 1 3 7 3 05 B9 F F F F -8 A F 1 66 0F
B6 C6 40 6 6 . .. s. ... .. f.. .@ f 00 00 00 90: 0F B6 D 1 80 E2 3F F 7 E2 -8 6 C D C0 ED 0 6 4 1 66 0F . ... .? .. ... .. Af. 00 000 0A 0: B7 C9 66 F 7 E1 66 A3 2 0 -00 C 3 B 4 41 BB A A 5 5 8A
..f .. f.. .. A.. U. 000 00 0B 0:1 6 24 00 C D 1 3 72 0F 8 1 - FB 55 A A 75 09 F6 C 1 01 .$ ... r. .. U.u .. .. 0 00 000 C0 :7 4 0 4 FE 06 1 4 0 0 C3 66 - 60 1E 06 6 6 A1 10 00 6 6 t.. .. ..f `. .f ... f
000 00 0D0 :0 3 0 6 1C 00 6 6 3 B 06 20 - 00 0F 8 2 3 A 00 1E 6 6 6 A ... .f ;. ... :. .fj 00 000 0E 0: 00 66 50 0 6 53 66 68 1 0 -00 0 1 0 0 80 3E 1 4 0 0 00 .f P. Sfh .. .. .>. .. 000 00 0F0 :0 F 85 0C 00 E 8
B3 FF 80 - 3E 14 0 0 0 0 0F 84 6 1 0 0 ... .. .. .>. .. ..a . 0 000 01 00 :B4 4 2 8 A 16 24 0 0 1 6 1F -8 B F4 CD 1 3 6 6 58 5B 0 7 . B. .$. .. .. .fX [ .. 0 00 001 10 :6 6 5 8 66 58 1 F E B 2D 66 - 33 D2 66 0 F
B7 0E 18 0 0 f Xf X. -f3 .f ... .. . 00 00 01 20: 66 F7 F 1 FE C2 8A C A 66 -8 B D 0 66 C1 E A 1 0 F7 36 f ... .. .f ..f .. ..6 0 00 001 30 :1 A 0 0 86 D6 8 A 1 6 24 00 - 8A E8 C0 E 4 06 0A CC B 8
... .. .$. .. ... .. . 00 00 01 40: 01 02 C D 13 0F 82 1 9 00 -8 C C 0 05 20 0 0 8 E C0 66 . ... .. .. ... .. .f 0 00 001 50 :F F 0 6 10 00 F F 0 E 0E 00 - 0F 85 6F F F 07 1F 66 6 1 ... .. ... .. o. ..f a

00000160:C3 A0 F8 01 E8 09 00 A0 -FB 01 E8 03 00 FB EB FE ................


00000170:B4 01 8B F0 AC 3C 00 74 -09 B4 0E BB 07 00 CD 10 .....<.t........
00000180:EB F2 C3 0D 0A 41 20 64 -69 73 6B 20 72 65 61 64 .....A disk read
00000190:20 65 72 72 6F 72 20 6F -63 63 75 72 72 65 64 00 error occurred.
000001A0:0D 0A 4E 54 4C 44 52 20 -69 73 20 6D 69 73 73 69 ..NTLDR is missi
000001B0:6E 67 00 0D 0A 4E 54 4C -44 52 20 69 73 20 63 6F ng...NTLDR is co
000001C0:6D 70 72 65 73 73 65 64 -00 0D 0A 50 72 65 73 73 mpressed...Press
000001D0:20 43 74 72 6C 2B 41 6C -74 2B 44 65 6C 20 74 6F Ctrl+Alt+Del to
000001E0:20 72 65 73 74 61 72 74 -0D 0A 00 00 00 00 00 00 restart........
000001F0:00 00 00 00 00 00 00 00 -83 A0 B3 C9 00 00 55 AA ..............U.

MFT File Cluster # =00000004

The first 16 entries of the MFT are reserved. Rests of the entries are used for user files.
There is an entry for each file in the MFT. There can be difference in the way a file is
managed depending upon the size of the file.

Virtual University of Pakistan 61


System Programming Course Code: CS609
[email protected]

MFT Internal Structure


MFT
Log File

Small File Record

Large File Record

Small Directory
Record

Following slide shows the detail about the first 16 system entries within the MFT.

Virtual University of Pakistan 62


System Programming Course Code: CS609
[email protected]

Virtual University of Pakistan 63

You might also like