Reading NTFS

Introduction

This guide is part of the Linux NTFS Project.
The latest version can be found online at readntfs.html

Do you want to know how NTFS works?
This guide should give you an idea of how complicated NTFS is.
Be warned! It's not for the faint of heart.

Don't be fooled by its brevity. Each link takes you to a complicated piece of technical documentation. Some day it might mature into a proper NTFS Overview.

Reading a File from NTFS

Don't worry too much about the details to start with. Take a hex editor, a simple NTFS volume and the documentation.

At the beginning of the volume you'll find $Boot. It tells us about the sizes of various structures and where to find the MFT (Master File Table). The MFT is a list of every file on the disk.

The MFT is made up of FILE Records which are fixed-up to make errors easier to spot. Each FILE Record has a header and a list of attributes.

Each attribute has a header and a data section. The attributes contain all the data about the file (metadata) and the actual contents of the file too.

The attributes are kept in numerical order and the interesting ones are 0x10 Standard Information, 0x30 Filename and 0x80 Data.

Now, small attributes are kept resident in the FILE Record itself. When the attributes get bigger, they are allocated some space on disk (non-resident). Looking back at the attribute header, non-resident data streams are stored as data runs. Disk space is managed by $Bitmap. It has one binary bit per cluster of the disk.