NTFS Structure

Excellent reference:
http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h
http://data.linux-ntfs.org/ntfsdoc.pdf

NTFS Partition
MBR
VBR
$Mft

Measured in
Sectors

Directories and Files

Measured in Clusters

MBR

Offset to 1st partition

In sectors = 0x7E00 bytes

NTFS
Everything is a file

Directories, files
Bootstrap data
File allocation bitmaps
Metadata

Master File Table is the heart of NTFS

Start of the MFT is in the VBR
VBR is $Boot entry in the MFT

VBR for NTFS

Byte Offset

Field Length

Sample Value

Field Name

0x00
0s03
0x0B

3
8
2

NTFS
0x0200

Jump to boot code

OEM Name
Bytes Per Sector

0x0D

0x08

Sectors Per Cluster

0x0E
0x10
0x13
0x15
0x16
0x18
0x1A
0x1C
0x20
0x24
0x28

2
3
2
1
2
2
2
4
4
4
8

0x0000
0x000000
0x0000
0xF8
0x0000
0x3F00
0xFF00
0x3F000000
0x00000000
0x80008000
0x4AF57F0000000000

Reserved Sectors
always 0
not used by NTFS
Media Descriptor
always 0
Sectors Per Track
Number Of Heads
Hidden Sectors
not used by NTFS
not used by NTFS
Total Sectors

0x30

0x0000000000040000

Logical Cluster Number for the file $MFT

0x38

0x54FF070000000000

Logical Cluster Number for the file

$MFTMirr

0x40

0xF6000000

Clusters Per File Record Segment

0x44

0x01000000

Clusters Per Index Block

0x48

0x14A51B74C91B741C

Volume Serial Number

0x50
0x54
0xFE

4
426
2

0x00000000

Checksum
Bootstrap program code
Signature bytes

0x55AA

VBR

Location of
$MFT

Little Endian
0x0C0000 * 8 +
0x3F =
Sector count of $MFT

MFT
The MFT is an array of file records
Each record is 1024 bytes
The first record in the MFT is for the MFT
itself
The name of the MFT is $MFT
The first 16 records in the MFT are reserved
for metadata files

MFT
Sector 0

MBR
VBR

$MFT Clusters 32 - 34, 48 - ...

Cluster 32
Cluster 33
Cluster 34

Cluster 48

MFT Entry
Consists of
Entry header
Attributes
Attribute header
Attribute data

Attributes are free form

Fixed list of attributes

MFT Entry Layout

MFT Entry
Header

Attributes
Unused
Space

1024 Bytes

MFT Entry Fields

1 - Entry signature
2, 3 Fixup arrays (later)
4 The logical sequence number(LSN) for this record/entry is
incremented each time this entry is modified. It is an index into
$LogFile used for journaling.
5 Sequence value is used the keep track of how many times this entry
has been used
6 Link count keeps track of the number of hard links to directories, i.e.
The number of directories referencing this record/entry
7 Offset to first attribute address of first attribute relative to start of
entry. Others are found by advancing the size of the first one. The
end of attributes is 0xffff ffff, ie end of file

MFT Entry Fields

8 Flags
9 Used size of the MFT entry
10 Allocated size of MFT entry
11 File reference to base record is used when the attribute list requires
more than one MFT entry. 0 indicates that this is the base record.
12 Next attribute ID - the attributes are numbered sequentially if
another is assigned. Therefore there are ID 1 attributes assigned
to this MFT entry.

Fixup Values
For Large Structures
Signature: 0x0000
Array: 0x0000, 0x0000, 0x0000

0x7A12

0x3596

MFT Entry
Header

Sector 0

Sector 1
In memory

0xBF81

Sector 2

Signature: 0x0001
Array: 0x3596, 0x7A12, 0xBF81

0x0001

0x0001

MFT Entry
Header

Sector 0

Sector 1
On Disk

0x0001

Sector 2

MFT Entry Header

0x0
0x4
0x6
0x8
0x10
0x12
0x14
0x16
0x18
0x1A
0x20
0x28
0x2A

03
45
67
8 15
16 17
18 19
20 21
22 23
24 27
28 31
32 39
40 41
42 1023

Signature (FILE) if good otherwise (BAAD)

Offset to fixup array
Number of entries in fixup array
$LogFile LSN
Sequence value
Link Count
Offset to first attribute
Yes
Flags (in-use and directory)
Used size of MFT entry
Allocated size of MFT entry
File reference to base record
Next attribute ID
Attributes and fixup areas

No
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
Yes

Fixups

Location of fixup
array = 0x30

Number of entries
in the fixup array
=3
Signature

Fixup array all zeros

MFT Entry Header

0x0
0x4
0x6
0x8
0x10
0x12
0x14
0x16
0x18
0x1A
0x20
0x28
0x2A

03
45
67
8 15
16 17
18 19
20 21
22 23
24 27
28 31
32 39
40 41
42 1023

Signature (FILE) if good otherwise (BAAD)

Offset to fixup array
Number of entries in fixup array
$LogFile LSN
Sequence value
Link Count
Offset to first attribute
Yes
Flags (in-use and directory)
Used size of MFT entry
Allocated size of MFT entry
File reference to base record
Next attribute ID
Attributes and fixup areas

No
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
Yes

$MFT Header
Sequence value

Link count

MFT Entry Header

0x0
0x4
0x6
0x8
0x10
0x12
0x14
0x16
0x18
0x1A
0x20
0x28
0x2A

03
45
67
8 15
16 17
18 19
20 21
22 23
24 27
28 31
32 39
40 41
42 1023

Signature (FILE) if good otherwise (BAAD)

Offset to fixup array
Number of entries in fixup array
$LogFile LSN
Sequence value
Link Count
Offset to first attribute
Yes
Flags (in-use and directory)
Used size of MFT entry
Allocated size of MFT entry
File reference to base record
Next attribute ID
Attributes and fixup areas

No
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
Yes

$MFT

Sequence number :
Incremented by one
every time the MFT
is used (deleted).

In Use flag
00
File dele
01
File allo
10Dir deleted
11Dir allocated

$MFT
0x14 - Offset to first
attribute =0x38
0x28 - Next attribute ID
= 0x6, therefore there
Are 5 attributes to the
$MFT entry.

Beginning of the
first attribute.

MFT Attribute Layout

MFT Entry
Header

Attributes
Unused
Space

Attribute
Headers

MFT Attribute Header

First 16 Bytes
0x0 0 3 Attribute type identifier
0x4 4 7 Lenght of attribute
Yes
0x8 8 8 Non-resident flag
Yes
0x9 9 9 Length of name
Yes
0xA
10 11
Offset to name
0xC
12 13
Flags
Yes
0xE14 15
Attribute identifier

Yes

Yes
Yes

Attributes can be either resident or non-resident

Resident The data is contained in the MFT entry
Non-resident The data is contained in clusters not in the MFT entry
Attribute identifier the sequence number of each of these types of identifier. There might
be more than one of this type.

Header Values

Size is used to locate next attribute

Next entry after last attribute is 0xffff ffff
Resident flag = 0

Non-resident flag = 1

Attribute is contained elsewhere

Flag value

Attribute is contained within the MFT entry

0x0001 Attribute is compressed

0x4000 Attribute is encrypted
0x8000 Attribute is sparse

Attribute identifier is the sequential number unique to this attribute in this

MFT entry

Attribute Header

Beginning of the
first attribute.
Type = 0x10

Length of the attribute

= 0x60
Offset to next attribute
Beginning of the next
attribute.
Type = 0x30
Length of this attribute
= 0x68
Offset to next attribute

Resident Attribute Header

0x0
0x10
0x14

0 15
16 19
20 21

General header (Previous slide)

Size of content
Offset to content

Yes
Yes
Yes

General Attribute Header

Beginning of the
first attribute.
Type = 0x10
Length of the attribute
= 0x60
Offset to content
= 0x18

Size of content
= 0x48

Non-Resident Attribute Header

0x0
0x10
0x18
0x20
0x22
0x24
0x28
0x30
0x38

0 15
16 23
24 31
32 33
34 35
36 39
40 47
48 55
56 63

General header (Previous slide)

Starting Virtual Cluster Number (VCN) of the runlist
EndingVCN of the runlist
Offset to the runlist
Compression unit size
Unused
Allocated size of attribute content
Actual size of attribute content
Initialized size of attribute content

Yes
Yes
Yes
Yes
Yes
No
No
Yes
No

VCN to LCN and back

VCN Virtual Cluster Number
1st, 2nd, etc cluster of the file/attribute regardless of where it is
in the file system

LCN Logical Cluster Number

Cluster number relative to the first cluster after the
VBR

Non-Resident Attribute Header

Values

Starting and ending VCNs are used when multiple MFT entries are
needed to describe a single attribute
Offset to the runlist is relative to the start of attribute
The run list is a sequence of cluster runs that contain the data for this
file

Byte 1

Byte 2

Byte 3

Number of bytes in the length field

Number of bytes in the run offset field

Byte 4

Runlists

48

49

50

51

52

Start: 48 Len: 5

Start: 80 Len: 2

Start: 56 Len: 4

56

57

58

80

81

10

59

LCNs
VCNs

Standard Attributes

Standard Attributes
Type IDs
16(0x10)

$STANDARD_INFORMATION

Contains basic metadata for the dile or directory

48(0x30)

$FILE_NAME

Files name and parent OR directory index

128(0x80) $DATA
Raw content

32(0x20)

$ATTRIBUTE_LIST

Location of other attributes

64(0x40)

$OBJECT_ID

Global object identifier

192(0xC0) $REPARSE_POINT
Used for reparse points soft links Win 2000+

$STANDARD_INFORMATION

Type Identifier 16 (0x10)

Times are in 100-nanoseconds from 1/1/1601
Same time fields are in the $FILE_NAME attribute
These are shown in file properties
ID values used for application-level features or security
Security ID is the index to the $Secure file not the
Windows SID value

$STANDARD_INFORMATION
Attribute
0x0
0x8
0x10
0x18
0x20
0x26
0x2A
0x2C
0x30
0x34
0x38
0x40

07
8 15
16 23
24 31
32 35
36 -39
40 43
44 47
48 -51
52 55
56 63
64 71

Creation time
File altered time
MFT altered time - not shown in file properties
File accessed time
Flags
Maximum number of versions
Version number
Class ID
Owner ID
Security ID
Quota charged
Update Sequence Number(USN)

$STANDARD_INFORMATION attribute
MFT creation time
File altered time
MFT accessed time
MFT altered time

Next attribute

$STANDARD_INFORMATION
Flag Values
0x0001
0x0002
0x0004
0x0008
0x0010
0x0020
0x0040
0x0080
0x0100
0x0200
0x0400
0x0800
0x1000
0x2000
0x4000

Read Only
Hidden
System
???
Directory
Archive
Device
Normal
Temporary
Sparse file
Reparse point
Compressed
Offline
Content is not indexed
Encrypted

$FILE_NAME
Attribute

Type Identifier 48 (0x30)

Stores the files name
Parent directory
Directory index
For standard files or directories $FILE_NAME is
the second attribute and is resident
If a file requires multiple MFT entries the
$ATTRIBUTE_LIST occurs second

$FILE_NAME
Attribute
0x0
0x8
0x10
0x18
0x20
0x28
0x30
0x38
0x3C
0x40
0x41
0x42

07
8 15
16 -23
24 31
32 39
40 47
48 55
56 59
60 63
64 64
65 65
66+

File reference of a parent directory

File Creation time
File modification time
MFT modification time - not shown in file properties
File access time
Allocated size of file
Real size of file
Flags (same as $STANDARD_INFORMATION flags)
Reparse value
Lengthe of name
Namespace
Name

$FILE_NAME attribute

General attribute header

File reference to parent
directory
File creation time
MFT modification time
File modification time
File accessed time
File name
Length of file name
Next attribute

$FILE_NAME attribute

File reference to parent

directory
5 * 1024 from this $MFT
Record

???

$FILE_NAME
Namespace
0

Posix: Case sensitive, all Unicode characters except / and NULL

Win32: Case sensitive, all Unicode characters except /, \, :, <, >, and
?

DOS: Case insensitive, upper case and no special characters

Win32 & DOS: Used when the original name already fits in the DOS
namespace and two names are not needed

$DATA
Attribute

Type ID 128 (0x80)

Still has the generic attribute header fields
The first $DATA attribute does not have a name
Additional $DATA attributes can be used for Alternate
Data Streams and as such each must have a name.
C:\>echo Hello world > file.txt:stuff

If the contents > 700 bytes it goes non-resident

Directories can have $DATA attributes

Harlan Carvey
http://windowsir.blogspot.com/2010/05/analysis-tips.html

MFT
I've worked a number of incidents where malware has been
placed on a system and it's MAC times 'stomped', either through
something similar to timestomp, or through copying the times
from a legitimate file. In such cases, extracting $FILE_NAME
attribute times for the file from the MFT have been essential for
establishing accuracy in a timeline. Once this has been done,
everything has fallen into place, including aligning the time with
other data sources in the timeline (Scheduled Task log, Event
Logs,

$ATTRIBUTE_LIST
Attribute
Type ID 32 (0x20)
Used when there are more attributes than can fit in
one MFT
Contains a list of where other attributes can be
found
Each entry in the list has 7 fields in addition to the
standard fields common to every attribute

$ATTRIBUTE_LIST
Structure
0x0
0x4
0x6
0x7
0x8
0x10
0x18

03
4- 5
66
77
8 15
16 23
24 24

Attribute type
Length of this entry
Length of name of this attribute
Offset to name (relative to start of this entry)
Starting VCN in attribute
File reference where attribute is located
Attribute ID

Example
First 5152 cluster descriptions

4919
$Mft

$DATA (VCN: 0)

5009
$Mft

$STD_INFO

$ATTRIBUTE_LIST

$FILE_NAME

$FILE_NAME

Type: 16 Entry: 5009

Type: 48 Entry: 5009
Type: 128 Entry: 4919
Type: 128 Entry: 5037
Remaining cluster descriptions

5037
$Mft

$DATA (VCN: 5152)

$OBJECT_ID

Type ID 64 (0x40)
The files 128 bit Global Object Identifier
Used in place of file name
Remains constant with file name change
The $Volume metadata file has a $OBJECT_ID
attribute

$OBJECT_ID
Structure
0x0
0x10
0x20
0x40

0 15
16 31
32 47
48 63

Object ID
Birth volume ID
Birth object ID
Birth Domain ID

$REPARSE_POINT
Type ID 192 (0xC0)
Used for files that are reparse points
Symbolic links
Junctions
Mount points for volumes

Most attribute fields a \re application

specific

$REPARSE_POINT
Fields
0x0
0x4
0x6
0x8
0xA
0xC
0xD

03
45
67
89
10 11
12 13
14 15

Reparse type flags

Size of reparse data
Unused
Offset to target name (relative to byte 16)
Length of target name
Offset to print name of target (relative to byte 16)
Length of print name

Other Attributes

Other Attributes
80(0x50)

$SECURITY_DESCRIPTOR

Access control and security properties of the file

96(0x60)

$VOLUME_VERSION

Volume name

112(0x70) $VOLUME_INFORMATION
File system version adn other flags

144(0x90) $INDEX_ROOT
Root node of an index tree

160(0xA0) $INDEX_ALLOCATION
Nodes of an index tree rooted in $INDEX_ROOT attribute

176(0xB0) $BITMAP
A bitmap for the $MFT file and for indexes

Other Attributes contd

192(0xC0) $SYMBOLIC_LINK
Soft link information. Windows NT version 1.2 anad lesser

208(0xD0) $EA_INFORAMTION
Used for backward compatibility with version 1.2 applications (HPFS)

224(0xE0) $EA
Used for backward compatibility with version 1.2 applications (HPFS)

256(0xF0) $LOGGED_UTILTIY_STREAM
Contains keys and information about encrypted attributes in version 3.0+

Index Attributes & Data Structures

Attributes and data structures for indexes
Index
Structure in a sorted tree

Tree
One or more nodes

Node
One or more index entries

Root of tree is in the $INDEX_ROOT Attributte

The rest of the nodes are in the $INDEX_ALLOCATION
attribute
$BITMAP attribute is used to manage the allocation status

$INDEX_ROOT
Attribute

Type ID 144 (0x90)

Always resident
Can only store a small list of index entries
16 byte header
Node header
A list of index entries

$INDEX_ROOT
Structure
0x0
0x4
0x8
0xC
0xD
0x10

03
47
8 11
12 12
13 15
16+

$INDEX_ROOT
Header

Type of attribute in index (0 if entry does not use an attribute)

Collation sorting rule
Size of each index record in bytes
Size in clusters
Unused
Node header

Node Header

Index Entry 1

Index Entry 2

Index Entry 3

Index Entry 4

$INDEX_ALLOCATION
Attribute
Type ID 160 (0xA0)
Large directories need a non-resident
$INDEX_ALLOCATION attribute
Filled with index records
Index record has a static size defined in the
$INDEX_ROOT attribute header
Index record contains one node in the sorted tree
Typical size is 4096 bytes

$INDEX_ALLOCATION
Index Record Header
0x0
0x4
0x6
0x8
0x10
0x18

Index Record
Header

Index Record 0
Index Record 1

03
45
67
8 15
16 23
24+

Signature value (INDX)

Offset to fixup array
Number of entries in fixup array
$LogFile Sequence Number (LSN)
VCN of this record in the full index stream
Node header

Node Header

Index Entries

$I30 Files
$INDEX_ROOT and $INDEX_ALLOCATION
Attributes for a directory are typically refered to as
the $I30 files
More later

Index Node Header

0x0

03

0x4

47

0x8

8 11

0xC

12 15

Offset to start of index entry list

Relative to start of node header
Offset to end of used portion of index entry list
Relative to start of node header
Offset to end of allocated index entry list buffer
Relative to start of node header
Flags - 0x01 is set when there are children nodes

Index Entry
Generic
0x0
07
0x8
89
0xA
10 11
0xC12 15
0x10 16+

Undefined
Length of this entity
Length of content
Flags
Content

Last 8 bytes of entry

Flags
0x01
0x02

Child node exists

Last entry in list

VCN of child node in $INDEX_ALLOCATION

Index Entry
Directory
0x0
0x8
0xA
0xC
0x10

07
89
10 11
12 15
16+

MFT file reference for file name

Length of this entity
Length of $FILE_NAME attribute
Flags
$FILE_NAME attribute

Last 8 bytes of entry

VCN of child node in $INDEX_ALLOCATION
Provided flag && 0x01 = 0x01

Flags
0x01
0x02

Child node exists

Last entry in list

$BITMAP
Attribute
Keeps track of which index records are in use in
the $INDEX_ALLOCATION attribute
Index records become unused when files are
deleted