The MFT is a set of FILE records. Each file of the volume is completely described by one or more of these FILE Records. File Records are equivalent to inodes in Unix terminology. The first FILE Record that describes a given file is called the Base FILE record and the others are called Extension FILE Records.
A FILE Record is built up from a header, several variable length attributes and an end marker (simply 0xFFFFFFFF).
See also: $MFT, Record fixup, Attributes, Standard Attribute Header
Offset | Size | OS | Description |
---|---|---|---|
0x00 | 4 | | Magic number 'FILE' |
0x04 | 2 | | Offset to the Update Sequence |
0x06 | 2 | | Size in words of Update Sequence (S) |
0x08 | 8 | | $LogFile Sequence Number (LSN) |
0x10 | 2 | | Sequence number |
0x12 | 2 | | Hard link count |
0x14 | 2 | | Offset to the first Attribute |
0x16 | 2 | | Flags |
0x18 | 4 | | Real size of the FILE record |
0x1C | 4 | | Allocated size of the FILE record |
0x20 | 8 | | File reference to the base FILE record |
0x28 | 2 | | Next Attribute Id |
0x2A | 2 | XP | Align to 4 byte boundary |
0x2C | 4 | XP | Number of this MFT Record |
| | 2 | | Update Sequence Number (a) |
| | 2S-2 | | Update Sequence Array (a) |
(a) The offset to these two fields depends on your operating system.
Flag | Description |
---|---|
0x01 | Record is in use |
0x02 | Record is a directory (FileName index present) |
0x04 | Record is an extension (Set for records in the $Extend directory) |
0x08 | Special index present (Set for non-directory records containing an index: $Secure, $ObjID, $Quota, $Reparse) |
The attribute list is of variable length and terminated with 0xFFFFFFFF. For 1K MFT records, the attribute list starts at offset 0x30.
The sequence number is a circular counter (skipping 0) describing how many times the referenced mft record has been (re)used. This has to match the sequence number of the mft record being referenced, otherwise the reference is considered stale and removed (FIXME: only ntfsck or the driver itself?). If the sequence number is zero it is assumed that no sequence number consistency checking should be performed.
FIXME: The mft zone is defined as the first 12% of the volume. This space is reserved so that the mft can grow contiguously and hence doesn't become fragmented. Volume free space includes the empty part of the mft zone and when the volume's free 88% are used up, the mft zone is shrunk by a factor of 2, thus making more space available for more files/data. This process is repeated every time there is no more free space except for the mft zone until there really is no more free space.
The mft record header is present at the beginning of every record in the mft. This is followed by a sequence of variable length attribute records which is terminated by an attribute of type $END, which is a truncated attribute in that it only consists of the attribute type code $END and none of the other members of the attribute structure are present.
When (re)using the mft record, we place the update sequence array at this offset, i.e. before we start with the attributes. This also makes sense, otherwise we could run into problems with the update sequence array containing in itself the last two bytes of a sector, which would mean that multi sector transfer protection wouldn't work, as you can't protect data by overwriting it since you then can't get it back. When reading we obviously use the data from the ntfs record header.
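The header table, the flags and the update sequence placement described above, as an added Python example (not part of the original documentation or of any NTFS driver): it unpacks the header, decodes the flags, checks that the update sequence sits before the attributes and verifies each sector tail against the Update Sequence Number. The 512-byte sector stride, treating an update sequence offset below 0x30 as the pre-XP layout, and all function and field names are assumptions; `build_sample` returns a constructed record.

```python
import struct

# Header layout from the table above (XP form, 0x30 bytes, little-endian).
HDR = struct.Struct("<4sHHQHHHHIIQHHI")
NAMES = ("magic usa_off usa_words lsn seq links attr_off flags "
         "real_size alloc_size base_ref next_attr_id pad record_no").split()
FLAGS = {0x01: "in_use", 0x02: "directory", 0x04: "extension", 0x08: "special_index"}

def parse_file_record(buf, sector=512):
    """Return (header, problems, fixed_up_bytes) for one raw FILE record."""
    if len(buf) < HDR.size or buf[:4] != b"FILE":
        return None, ["bad magic"], bytes(buf)
    h = dict(zip(NAMES, HDR.unpack_from(buf)))
    problems = []
    if h["usa_off"] < 0x30:  # assumed pre-XP layout: no fields at 0x2A/0x2C
        h["pad"] = h["record_no"] = None
    h["flag_names"] = [name for bit, name in FLAGS.items() if h["flags"] & bit]
    if not h["attr_off"] < h["real_size"] <= h["alloc_size"] <= len(buf):
        problems.append("inconsistent sizes")
    # The update sequence must fit in the buffer and end before the attributes.
    limit = min(h["attr_off"], len(buf))
    if h["usa_words"] < 1 or h["usa_off"] + 2 * h["usa_words"] > limit:
        return h, problems + ["update sequence out of bounds"], bytes(buf)
    # Word 0 is the Update Sequence Number; the other S-1 words are the
    # original sector tails that the USN replaced on disk.
    usn, *saved = struct.unpack_from("<%dH" % h["usa_words"], buf, h["usa_off"])
    fixed = bytearray(buf)
    for i, word in enumerate(saved):
        end = (i + 1) * sector
        if end > len(buf) or struct.unpack_from("<H", buf, end - 2)[0] != usn:
            problems.append("fixup mismatch in sector %d" % i)
        else:
            struct.pack_into("<H", fixed, end - 2, word)
    return h, problems, bytes(fixed)

def build_sample(usn=5):
    """Constructed 1 KB record (not from a real volume): in use, no attributes."""
    rec = bytearray(1024)
    HDR.pack_into(rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x01,
                  0x40, 1024, 0, 0, 0, 42)
    struct.pack_into("<3H", rec, 0x30, usn, 0xAAAA, 0xBBBB)  # USN + saved tails
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)            # end marker
    for end in (512, 1024):
        struct.pack_into("<H", rec, end - 2, usn)            # on-disk tails
    return bytes(rec)

if __name__ == "__main__":
    header, problems, _ = parse_file_record(build_sample())
    print(header["record_no"], header["flag_names"], problems)
```

A "fixup mismatch" result marks a record whose sectors were not all written in the same update, so its contents should not be trusted without further checks.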
Size defined in $Boot. A FILE record is 1 KB large or the cluster size if larger (as far as Helen is concerned, its maximum size is 4 KB, but the Windows NT 4 limit is 64 KB). It falls into 2 parts:
Extension FILE records are used when all information about a file doesn't fit into the base FILE record (e.g. if the sequence of file attributes grows because the file has a lot of file attributes or because the data attribute of the file has a long runlist because its stream is very fragmented). Only the base FILE record is used for referencing the file it describes. Since the type of the Attribute List file attribute is small enough, we are sure that this file attribute will be in the base FILE record. And this file attribute provides the references to all the extension FILE records describing the file.
When a file is deleted, NTFS can't simply remove the associated FILE records from the MFT, otherwise FILE record numbers wouldn't be constant over time, and all file references would have to be updated! Instead, the in-use flag of a FILE record indicates when it is no longer in use. When a file is created, an unused FILE record can be re-used for it, but its sequence number is incremented by one. This mechanism allows NTFS to check that file references don't point to deleted files.
seq num = inode for 0x00 < i < 0x10 (inode 0 (MFT) has seq num of 1)
see also attribute id page and file reference page
flags 1 in use, 2 dir, 4 ???, 8??? (4+8 ARE used)