| Glossary |
Everything on an NTFS volume is a file. There are two categories: Metadata and Normal. The Metadata files contain information about the volume and the Normal files contain your data.
Below is a table of files found on a Win2K volume (Key).
| Inode | Filename | OS | Description |
|---|---|---|---|
| 0 | $MFT | Master File Table - An index of every file | |
| 1 | $MFTMirr | A backup copy of the first 4 records of the MFT | |
| 2 | $LogFile | Transactional logging file | |
| 3 | $Volume | Serial number, creation time, dirty flag | |
| 4 | $AttrDef | Attribute definitions | |
| 5 | . (dot) | Root directory of the disk | |
| 6 | $Bitmap | Contains volume's cluster map (in-use vs. free) | |
| 7 | $Boot | Boot record of the volume | |
| 8 | $BadClus | Lists bad clusters on the volume | |
| 9 | $Quota | NT | Quota information |
| 9 | $Secure | 2K | Security descriptors used by the volume |
| 10 | $UpCase | Table of uppercase characters used for collating | |
| 11 | $Extend | 2K | A directory: $ObjId, $Quota, $Reparse, $UsnJrnl |
| 12-15 | <Unused> | Marked as in use but empty | |
| 16-23 | <Unused> | Marked as unused | |
| Any | $ObjId | 2K | Unique Ids given to every file |
| Any | $Quota | 2K | Quota information |
| Any | $Reparse | 2K | Reparse point information |
| Any | $UsnJrnl | 2K | Journalling of Encryption |
| > 24 | A_File | An ordinary file | |
| > 24 | A_Dir | An ordinary directory | |
| ... | ... | ... |
On a freshly formatted volume, inodes 0x0B to 0x0F are marked as in use, but empty. Inodes 0x10 to 0x17 are marked as free and not used. This doesn't change until the volume is under a lot of stress.
When the $MFT becomes very fragmented it won't fit into one FILE Record and an extension record is needed. If a new record was simply allocated at the end of the $MFT then we encounter a problem. The $DATA Attribute describing the location of the new record is in the new record.
The new records are therefore allocated from inode 0x0F, onwards. The $MFT is always a minimum of 16 FILE Records long, therefore always exists. After inodes 0x0F to 0x17 are used up, higher, unreserved, inodes are used.
This effect may not be limited to the $MFT, but more evidence is needed.
For some reason $ObjId, $Quota, $Reparse and $UsnJrnl don't have inode numbers below 24, like the rest of the Metadata files.
Also, the sequence number for each of the system files is always equal to their mft record number and it is never modified.