NTFS Structure

Excellent references:

http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ntfs/attrib.h
http://data.linux-ntfs.org/ntfsdoc.pdf
NTFS Partition (diagram)

MBR -> VBR -> $Mft -> Directories and Files
The MBR offset is measured in sectors; everything inside the NTFS partition is measured in clusters.
MBR: offset to the 1st partition, in sectors (= 0x7E00 bytes)
NTFS
• Everything is a file
  • Directories, files
  • Bootstrap data
  • File allocation bitmaps
  • Metadata
• The Master File Table is the heart of NTFS
  • The start of the MFT is recorded in the VBR
  • The VBR is the $Boot entry in the MFT
VBR for NTFS
Byte Offset | Field Length | Sample Value | Field Name
0x00 | 3 | | Jump to boot code
0x03 | 8 | NTFS | OEM Name
0x0B | 2 | 0x0200 | Bytes Per Sector
0x0D | 1 | 0x08 | Sectors Per Cluster
0x0E | 2 | 0x0000 | Reserved Sectors
0x10 | 3 | 0x000000 | always 0
0x13 | 2 | 0x0000 | not used by NTFS
0x15 | 1 | 0xF8 | Media Descriptor
0x16 | 2 | 0x0000 | always 0
0x18 | 2 | 0x3F00 | Sectors Per Track
0x1A | 2 | 0xFF00 | Number Of Heads
0x1C | 4 | 0x3F000000 | Hidden Sectors
0x20 | 4 | 0x00000000 | not used by NTFS
0x24 | 4 | 0x80008000 | not used by NTFS
0x28 | 8 | 0x4AF57F0000000000 | Total Sectors
0x30 | 8 | 0x0000000000040000 | Logical Cluster Number for the file $MFT
0x38 | 8 | 0x54FF070000000000 | Logical Cluster Number for the file $MFTMirr
0x40 | 4 | 0xF6000000 | Clusters Per File Record Segment
0x44 | 4 | 0x01000000 | Clusters Per Index Block
0x48 | 8 | 0x14A51B74C91B741C | Volume Serial Number
0x50 | 4 | 0x00000000 | Checksum
0x54 | 426 | | Bootstrap program code
0x1FE | 2 | 0x55AA | Signature bytes
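As an added example (my code, not part of the slides), a Python parser for the VBR fields in the table above. It runs on a constructed 512-byte boot sector that carries the table's sample values and the $MFT LCN 0xC0000 used in the slide's own location calculation; `parse_vbr`, the dictionary keys and the constructed sector are assumptions of this example. It also shows the one non-obvious field: a negative "clusters per file record" value (0xF6 = -10) means 2^10 = 1024 bytes, independent of the cluster size.

```python
import struct


def build_sample_vbr() -> bytes:
    """Constructed 512-byte NTFS VBR carrying the sample values from the table above."""
    vbr = bytearray(512)
    vbr[0x00:0x03] = b"\xEB\x52\x90"                     # jump to boot code
    vbr[0x03:0x0B] = b"NTFS    "                         # OEM name
    struct.pack_into("<H", vbr, 0x0B, 0x0200)            # bytes per sector
    vbr[0x0D] = 0x08                                     # sectors per cluster
    vbr[0x15] = 0xF8                                     # media descriptor
    struct.pack_into("<H", vbr, 0x18, 0x003F)            # sectors per track
    struct.pack_into("<H", vbr, 0x1A, 0x00FF)            # number of heads
    struct.pack_into("<I", vbr, 0x1C, 0x0000003F)        # hidden sectors (partition start)
    struct.pack_into("<Q", vbr, 0x28, 0x7FF54A)          # total sectors
    struct.pack_into("<Q", vbr, 0x30, 0xC0000)           # LCN of $MFT (slide's worked value)
    struct.pack_into("<Q", vbr, 0x38, 0x07FF54)          # LCN of $MFTMirr
    struct.pack_into("<b", vbr, 0x40, -10)               # clusters per file record: 0xF6
    struct.pack_into("<b", vbr, 0x44, 1)                 # clusters per index block
    struct.pack_into("<Q", vbr, 0x48, 0x14A51B74C91B741C)  # volume serial number
    vbr[0x1FE:0x200] = b"\x55\xAA"                       # boot signature
    return bytes(vbr)


def _size_from_clusters(raw: int, cluster_bytes: int) -> int:
    # A positive value counts clusters; a negative value n means 2**(-n) bytes,
    # so 0xF6 (-10) gives 1024-byte file records whatever the cluster size.
    return raw * cluster_bytes if raw >= 0 else 1 << (-raw)


def parse_vbr(vbr: bytes) -> dict:
    """Decode the NTFS boot sector fields needed to locate and read the MFT."""
    if len(vbr) < 512 or vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if vbr[0x03:0x0B] != b"NTFS    ":
        raise ValueError("OEM name is not NTFS")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    hidden = struct.unpack_from("<I", vbr, 0x1C)[0]
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    rec_raw = struct.unpack_from("<b", vbr, 0x40)[0]
    idx_raw = struct.unpack_from("<b", vbr, 0x44)[0]
    serial = struct.unpack_from("<Q", vbr, 0x48)[0]
    cluster_bytes = bps * spc
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_bytes": cluster_bytes,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mirr_lcn,
        "mft_record_size": _size_from_clusters(rec_raw, cluster_bytes),
        "index_record_size": _size_from_clusters(idx_raw, cluster_bytes),
        "volume_serial": serial,
        # Absolute disk sector of the MFT: LCN * sectors per cluster + hidden sectors
        "mft_disk_sector": mft_lcn * spc + hidden,
        # Byte offset of the MFT inside a volume image (LCN 0 is the VBR)
        "mft_volume_offset": mft_lcn * cluster_bytes,
    }


if __name__ == "__main__":
    for key, value in parse_vbr(build_sample_vbr()).items():
        print(f"{key:20} {value:#x}" if isinstance(value, int) else f"{key:20} {value}")
```

The two derived offsets are the ones a carving or triage tool needs: `mft_disk_sector` reproduces the slide's "0x0C0000 * 8 + 0x3F" arithmetic for a whole-disk image, and `mft_volume_offset` is the seek position when only the partition has been imaged.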
VBR (hex dump): location of $MFT
The LCN field is little endian: 0x0C0000 (LCN of $MFT) * 8 (sectors per cluster) + 0x3F (hidden sectors) = the starting sector of $MFT, counted from the start of the disk
MFT
• The MFT is an array of file records
• Each record is 1024 bytes
• The first record in the MFT is for the MFT itself
• The name of the MFT is $MFT
• The first 16 records in the MFT are reserved for metadata files
MFT (diagram)

Sector 0: MBR
VBR
$MFT – Clusters 32 - 34, 48 - ... (the $MFT occupies clusters 32, 33, 34 and continues at cluster 48)
MFT Entry
• Consists of
  • Entry header
  • Attributes
    – Attribute header
    – Attribute data
• Attributes are free form
  – Fixed list of attributes
MFT Entry Layout (diagram)

MFT Entry Header | Attributes | Unused Space   (1024 bytes in total)
MFT Entry Fields
1 – Entry signature
2, 3 – Fixup arrays (later)
4 – The logical sequence number (LSN) for this record/entry is incremented each time this entry is modified. It is an index into $LogFile used for journaling.
5 – Sequence value is used to keep track of how many times this entry has been used
6 – Link count keeps track of the number of hard links to directories, i.e. the number of directories referencing this record/entry
7 – Offset to first attribute: address of the first attribute relative to the start of the entry. The others are found by advancing by the size of the preceding one. The end of the attributes is marked by 0xffff ffff, i.e. end of file
MFT Entry Fields
8 – Flags
9 – Used size of the MFT entry
10 – Allocated size of MFT entry
11 – File reference to base record is used when the attribute list requires more than one MFT entry. 0 indicates that this is the base record.
12 – Next attribute ID – the attributes are numbered sequentially as each one is assigned. Therefore there are ID – 1 attributes assigned to this MFT entry.
Fixup Values for Large Structures (diagram)

In memory (after the fixups are applied):
  Signature: 0x0000   Array: 0x0000, 0x0000, 0x0000
  MFT Entry: Header ... | Sector 0 ends 0x3596 | Sector 1 ends 0x7A12 | Sector 2 ends 0xBF81

On disk:
  Signature: 0x0001   Array: 0x3596, 0x7A12, 0xBF81
  MFT Entry: Header ... | Sector 0 ends 0x0001 | Sector 1 ends 0x0001 | Sector 2 ends 0x0001
MFT Entry Header
Offset | Bytes | Description | Essential
0x0 | 0 – 3 | Signature ("FILE") if good, otherwise ("BAAD") | No
0x4 | 4 – 5 | Offset to fixup array | Yes
0x6 | 6 – 7 | Number of entries in fixup array | Yes
0x8 | 8 – 15 | $LogFile LSN | No
0x10 | 16 – 17 | Sequence value | No
0x12 | 18 – 19 | Link Count | No
0x14 | 20 – 21 | Offset to first attribute | Yes
0x16 | 22 – 23 | Flags (in-use and directory) | Yes
0x18 | 24 – 27 | Used size of MFT entry | Yes
0x1C | 28 – 31 | Allocated size of MFT entry | Yes
0x20 | 32 – 39 | File reference to base record | No
0x28 | 40 – 41 | Next attribute ID | No
0x2A | 42 – 1023 | Attributes and fixup areas | Yes
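As an added example (my code, not from the slides), the fixup procedure and the entry header table above turned into Python. It builds a constructed on-disk MFT entry whose two sectors end in the signature 0x0007 while the real bytes 0x3596 and 0x7A12 sit in the fixup array at 0x30, restores them, and then decodes the header fields. The function names, the signature value and the header contents are assumptions of this example; the `torn` flag builds an entry whose second sector carries a stale signature, which is exactly what a half-written (torn) record looks like and why a parser must verify every sector before trusting the entry.

```python
import struct

SECTOR_SIZE = 512
ENTRY_SIZE = 1024


def build_sample_entry(torn: bool = False) -> bytes:
    """Constructed on-disk MFT entry: header, 3-entry fixup array at 0x30, no attributes."""
    e = bytearray(ENTRY_SIZE)
    e[0:4] = b"FILE"
    struct.pack_into("<HH", e, 0x04, 0x30, 3)           # fixup array offset, entry count
    struct.pack_into("<Q", e, 0x08, 0x1234)              # $LogFile LSN (constructed value)
    struct.pack_into("<HH", e, 0x10, 7, 1)               # sequence value, link count
    struct.pack_into("<H", e, 0x14, 0x38)                # offset to first attribute
    struct.pack_into("<H", e, 0x16, 0x0001)              # flags: in use, not a directory
    struct.pack_into("<II", e, 0x18, 0x3C, ENTRY_SIZE)   # used size, allocated size
    struct.pack_into("<Q", e, 0x20, 0)                   # base record: 0 = this is the base
    struct.pack_into("<H", e, 0x28, 6)                   # next attribute ID
    struct.pack_into("<I", e, 0x38, 0xFFFFFFFF)          # end-of-attributes marker
    # Fixup array: the signature, then the real last two bytes of sector 0 and sector 1.
    struct.pack_into("<HHH", e, 0x30, 0x0007, 0x3596, 0x7A12)
    # On disk the last two bytes of every sector are replaced by the signature.
    struct.pack_into("<H", e, SECTOR_SIZE - 2, 0x0007)
    struct.pack_into("<H", e, 2 * SECTOR_SIZE - 2, 0x0006 if torn else 0x0007)
    return bytes(e)


def apply_fixups(raw: bytes, sector_size: int = SECTOR_SIZE) -> bytearray:
    """Return the in-memory form of an entry: check each sector's signature and put the
    saved bytes back. A mismatch means the sectors were not all written together."""
    entry = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", entry, 0x04)
    if usa_count != len(entry) // sector_size + 1:
        raise ValueError(f"fixup count {usa_count} does not fit a {len(entry)}-byte entry")
    signature = entry[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * sector_size - 2
        if entry[tail:tail + 2] != signature:
            raise ValueError(f"fixup signature mismatch in sector {i - 1}: torn write")
        entry[tail:tail + 2] = entry[usa_off + 2 * i:usa_off + 2 * i + 2]
    return entry


def sector_tail(entry, sector: int) -> int:
    """The 16-bit value in the last two bytes of the given sector of the entry."""
    return struct.unpack_from("<H", entry, (sector + 1) * SECTOR_SIZE - 2)[0]


def parse_entry_header(entry) -> dict:
    """Decode the 42-byte MFT entry header (offsets as in the table above)."""
    signature = bytes(entry[0:4])
    if signature not in (b"FILE", b"BAAD"):
        raise ValueError(f"not an MFT entry: {signature!r}")
    (usa_off, usa_count, lsn, seq, links, first_attr, flags,
     used, alloc, base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", entry, 0x04)
    return {
        "signature": signature.decode(), "fixup_offset": usa_off, "fixup_count": usa_count,
        "lsn": lsn, "sequence": seq, "link_count": links, "first_attr_offset": first_attr,
        "in_use": bool(flags & 0x0001), "is_directory": bool(flags & 0x0002),
        "used_size": used, "allocated_size": alloc,
        # A file reference packs a 48-bit entry number and a 16-bit sequence value
        "base_entry": base_ref & 0xFFFFFFFFFFFF, "base_sequence": base_ref >> 48,
        "next_attribute_id": next_id,
    }


if __name__ == "__main__":
    fixed = apply_fixups(build_sample_entry())
    print(parse_entry_header(fixed))
    print(hex(sector_tail(fixed, 0)), hex(sector_tail(fixed, 1)))
```

Note that the check is done against the copy, never in place on the image: a "BAAD" signature or a fixup mismatch is evidence in itself (an interrupted write, or a record that a tool has tampered with), so the raw bytes should stay untouched.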
Fixups (hex dump of an MFT entry)
  Location of fixup array = 0x30
  Number of entries in the fixup array = 3
  Signature, followed by the fixup array – all zeros in this dump
$MFT Header (hex dump): sequence value and link count fields highlighted
$MFT Header (hex dump, continued)
  Sequence number: incremented by one every time the MFT entry is reused (after a deletion).
  In Use flag (offset 0x16):
    00 - File deleted
    01 - File allocated
    1 - Dir deleted
    2 - Dir allocated
  0x14 - Offset to first attribute = 0x38
  0x28 - Next attribute ID = 0x6, therefore there are 5 attributes in the $MFT entry.
  The first attribute begins at offset 0x38.
MFT Attribute Layout (diagram)

MFT Entry Header | Attributes (each attribute begins with its own attribute header) | Unused Space
MFT Attribute Header
First 16 Bytes
Offset | Bytes | Description | Essential
0x0 | 0 – 3 | Attribute type identifier | Yes
0x4 | 4 – 7 | Length of attribute | Yes
0x8 | 8 – 8 | Non-resident flag | Yes
0x9 | 9 – 9 | Length of name | Yes
0xA | 10 – 11 | Offset to name | Yes
0xC | 12 – 13 | Flags | Yes
0xE | 14 – 15 | Attribute identifier | Yes

Attributes can be either resident or non-resident:
Resident – the data is contained in the MFT entry
Non-resident – the data is contained in clusters outside the MFT entry
Attribute identifier – the sequence number of each attribute of this type; there may be more than one attribute of the same type in an entry.
Header Values
• Size is used to locate the next attribute
• The entry after the last attribute is 0xffff ffff
• Non-resident flag = 0
  – Attribute is contained within the MFT entry
• Non-resident flag = 1
  – Attribute is contained elsewhere
• Flag values
  – 0x0001 – Attribute is compressed
  – 0x4000 – Attribute is encrypted
  – 0x8000 – Attribute is sparse
• Attribute identifier is the sequential number unique to this attribute in this MFT entry
Attribute Header (hex dump)
  Beginning of the first attribute: Type = 0x10, length of the attribute = 0x60 (the offset to the next attribute)
  Beginning of the next attribute: Type = 0x30, length of this attribute = 0x68 (the offset to the next attribute)
Resident Attribute Header
Offset | Bytes | Description | Essential
0x0 | 0 – 15 | General header (previous slide) | Yes
0x10 | 16 – 19 | Size of content | Yes
0x14 | 20 – 21 | Offset to content | Yes
General Attribute Header (hex dump)
  Beginning of the first attribute: Type = 0x10, length of the attribute = 0x60, offset to content = 0x18, size of content = 0x48
Non-Resident Attribute Header
Offset | Bytes | Description | Essential
0x0 | 0 – 15 | General header (previous slide) | Yes
0x10 | 16 – 23 | Starting Virtual Cluster Number (VCN) of the runlist | Yes
0x18 | 24 – 31 | Ending VCN of the runlist | Yes
0x20 | 32 – 33 | Offset to the runlist | Yes
0x22 | 34 – 35 | Compression unit size | Yes
0x24 | 36 – 39 | Unused | No
0x28 | 40 – 47 | Allocated size of attribute content | No
0x30 | 48 – 55 | Actual size of attribute content | Yes
0x38 | 56 – 63 | Initialized size of attribute content | No
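As an added example (my code, not from the slides), a walk over the attribute chain of an MFT entry using the three header tables above: the 16-byte general header, the resident header and the non-resident header. The entry is constructed in memory with the fixups already applied and holds a $STANDARD_INFORMATION of exactly 0x60 bytes (as in the hex dump), a $FILE_NAME, a non-resident $DATA and a named resident $DATA (an alternate data stream). The builder helpers, the `parse_attributes` function and the constructed runlist bytes are assumptions of this example; the runlist is returned raw here and decoded separately.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
              0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT"}
END_MARKER = 0xFFFFFFFF


def parse_attributes(entry: bytes, first_attr_offset: int) -> list:
    """Walk the attribute headers from first_attr_offset to the 0xFFFFFFFF end marker."""
    attrs, off = [], first_attr_offset
    while off + 4 <= len(entry):
        if struct.unpack_from("<I", entry, off)[0] == END_MARKER:
            return attrs
        atype, length, non_res, name_len, name_off, flags, attr_id = \
            struct.unpack_from("<IIBBHHH", entry, off)
        if length < 0x18 or off + length > len(entry):
            raise ValueError(f"bad attribute length {length:#x} at {off:#x}")
        a = {"type": atype, "name": ATTR_NAMES.get(atype, f"{atype:#x}"), "id": attr_id,
             "offset": off, "length": length, "resident": non_res == 0,
             "stream": entry[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le"),
             "compressed": bool(flags & 0x0001), "encrypted": bool(flags & 0x4000),
             "sparse": bool(flags & 0x8000)}
        if non_res == 0:
            size, content_off = struct.unpack_from("<IH", entry, off + 0x10)
            a["content"] = entry[off + content_off:off + content_off + size]
        else:
            a["start_vcn"], a["end_vcn"], run_off = struct.unpack_from("<QQH", entry, off + 0x10)
            a["allocated_size"], a["real_size"], a["initialized_size"] = \
                struct.unpack_from("<QQQ", entry, off + 0x28)
            a["runlist"] = entry[off + run_off:off + length]   # raw bytes, decoded elsewhere
        attrs.append(a)
        off += length                                           # size locates the next attribute
    raise ValueError("no end-of-attributes marker before the end of the entry")


def _align8(n: int) -> int:
    return (n + 7) & ~7


def _resident(atype: int, content: bytes, attr_id: int, name: str = "") -> bytes:
    """Constructed resident attribute (name stored as UTF-16LE right after the header)."""
    enc = name.encode("utf-16-le")
    content_off = _align8(0x18 + len(enc))
    buf = bytearray(_align8(content_off + len(content)))
    struct.pack_into("<IIBBHHH", buf, 0, atype, len(buf), 0, len(name), 0x18, 0, attr_id)
    struct.pack_into("<IH", buf, 0x10, len(content), content_off)
    buf[0x18:0x18 + len(enc)] = enc
    buf[content_off:content_off + len(content)] = content
    return bytes(buf)


def _non_resident(atype: int, runlist: bytes, attr_id: int, clusters: int, real_size: int) -> bytes:
    """Constructed non-resident attribute with its runlist at offset 0x40 (4096-byte clusters assumed)."""
    buf = bytearray(_align8(0x40 + len(runlist)))
    struct.pack_into("<IIBBHHH", buf, 0, atype, len(buf), 1, 0, 0x40, 0, attr_id)
    struct.pack_into("<QQHH", buf, 0x10, 0, clusters - 1, 0x40, 0)   # start VCN, end VCN, runlist offset, compression unit
    struct.pack_into("<QQQ", buf, 0x28, clusters * 4096, real_size, real_size)
    buf[0x40:0x40 + len(runlist)] = runlist
    return bytes(buf)


def build_attribute_entry() -> bytes:
    """Constructed 1024-byte MFT entry (fixups already applied) with four attributes."""
    body = (_resident(0x10, bytes(0x48), 0)                                  # 0x60 bytes, as in the dump
            + _resident(0x30, bytes(0x42) + "file.txt".encode("utf-16-le"), 1)
            + _non_resident(0x80, bytes.fromhex("11054800"), 2, 5, 18000)    # 5 clusters at LCN 72
            + _resident(0x80, b"Hello world", 3, name="stuff")               # named $DATA = ADS
            + struct.pack("<I", END_MARKER))
    entry = bytearray(1024)
    entry[0:4] = b"FILE"
    struct.pack_into("<H", entry, 0x14, 0x38)                               # offset to first attribute
    entry[0x38:0x38 + len(body)] = body
    return bytes(entry)


if __name__ == "__main__":
    for a in parse_attributes(build_attribute_entry(), 0x38):
        print(f"{a['offset']:#06x} {a['name']:22} id={a['id']} stream={a['stream']!r} resident={a['resident']}")
```

Listing every `$DATA` attribute with a non-empty `stream` is how alternate data streams are enumerated from the MFT directly, which matters because directory listings do not show them.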
VCN to LCN and back
• VCN – Virtual Cluster Number
  • 1st, 2nd, etc. cluster of the file/attribute regardless of where it is in the file system
• LCN – Logical Cluster Number
  • Cluster number relative to the first cluster after the VBR
Non-Resident Attribute Header Values
• Starting and ending VCNs are used when multiple MFT entries are needed to describe a single attribute
• Offset to the runlist is relative to the start of the attribute
• The runlist is a sequence of cluster runs that contain the data for this file

Runlist entry layout (diagram)
  Byte 1: header byte – the high nibble is the number of bytes in the run offset field, the low nibble is the number of bytes in the length field
  Byte 2 ...: the length field, followed by the run offset field

Runlists (example)
  Run 1: Start 48, Len 5  -> VCNs 0, 1, 2, 3, 4 map to LCNs 48, 49, 50, 51, 52
  Run 2: Start 80, Len 2  -> VCNs 5, 6 map to LCNs 80, 81
  Run 3: Start 56, Len 4  -> VCNs 7, 8, 9, 10 map to LCNs 56, 57, 58, 59
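As an added example (my code, not from the slides), a runlist decoder and encoder for the byte layout above, plus the VCN-to-LCN mapping of the three-run example. The run offset field is a signed value relative to the previous run's starting LCN, so the third run (LCN 56 after LCN 80) is stored as the one-byte offset 0xE8 = -24; a header byte with a zero offset nibble denotes a sparse run that occupies no clusters. The encoded bytes `SLIDE_RUNLIST` are my rendering of the slide's example, and the function names are assumptions of this example.

```python
def decode_runlist(data: bytes) -> list:
    """Decode an NTFS runlist into [(lcn, length), ...]; lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:          # a 0x00 header byte terminates the list
        header = data[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError(f"malformed run header {header:#04x} at byte {pos - 1}")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                                # no offset field: sparse run, nothing on disk
            runs.append((None, length))
            continue
        # The offset is signed and relative to the previous run's starting LCN
        lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def encode_runlist(runs) -> bytes:
    """Inverse of decode_runlist, using the smallest field widths that fit each value."""
    out, prev = bytearray(), 0
    for lcn, length in runs:
        len_size = max(1, (length.bit_length() + 7) // 8)
        if lcn is None:
            out.append(len_size)                         # high nibble 0 = sparse run
            out += length.to_bytes(len_size, "little")
            continue
        delta, prev = lcn - prev, lcn
        off_size = (delta.bit_length() + 8) // 8         # one extra bit for the sign
        out.append((off_size << 4) | len_size)
        out += length.to_bytes(len_size, "little") + delta.to_bytes(off_size, "little", signed=True)
    out.append(0)
    return bytes(out)


def vcn_to_lcn(runs, vcn: int):
    """Which cluster on disk holds the vcn-th cluster of the attribute (None if sparse)."""
    base = 0
    for lcn, length in runs:
        if vcn < base + length:
            return None if lcn is None else lcn + (vcn - base)
        base += length
    raise ValueError(f"VCN {vcn} is past the end of the runlist ({base} clusters)")


def lcn_to_vcn(runs, target: int):
    """Reverse lookup: which VCN of the attribute lives in disk cluster target (None if none)."""
    base = 0
    for lcn, length in runs:
        if lcn is not None and lcn <= target < lcn + length:
            return base + (target - lcn)
        base += length
    return None


# Encoding of the slide's example: 5 clusters at LCN 48, 2 at LCN 80, 4 at LCN 56 (offset -24)
SLIDE_RUNLIST = bytes.fromhex("11 05 30  11 02 20  11 04 E8  00")

if __name__ == "__main__":
    runs = decode_runlist(SLIDE_RUNLIST)
    print(runs)
    print([vcn_to_lcn(runs, v) for v in range(11)])
```

`lcn_to_vcn` is the direction used when a cluster of interest is found by carving and the question is which file (and which part of it) owned that cluster.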
Standard Attributes
Type IDs
• 16 (0x10) $STANDARD_INFORMATION
  • Contains basic metadata for the file or directory
• 48 (0x30) $FILE_NAME
  • File's name and parent, OR directory index
• 128 (0x80) $DATA
  • Raw content
• 32 (0x20) $ATTRIBUTE_LIST
  • Location of other attributes
• 64 (0x40) $OBJECT_ID
  • Global object identifier
• 192 (0xC0) $REPARSE_POINT
  • Used for reparse points – soft links, Win 2000+
$STANDARD_INFORMATION
• Type Identifier – 16 (0x10)
• Times are in 100-nanosecond units from 1/1/1601
• The same time fields are in the $FILE_NAME attribute
• These are the times shown in file properties
• ID values are used for application-level features or security
• The Security ID is the index into the $Secure file, not the Windows SID value
$STANDARD_INFORMATION
Attribute
Offset | Bytes | Description
0x0 | 0 – 7 | Creation time
0x8 | 8 – 15 | File altered time
0x10 | 16 – 23 | MFT altered time - not shown in file properties
0x18 | 24 – 31 | File accessed time
0x20 | 32 – 35 | Flags
0x24 | 36 – 39 | Maximum number of versions
0x28 | 40 – 43 | Version number
0x2C | 44 – 47 | Class ID
0x30 | 48 – 51 | Owner ID
0x34 | 52 – 55 | Security ID
0x38 | 56 – 63 | Quota charged
0x40 | 64 – 71 | Update Sequence Number (USN)
$STANDARD_INFORMATION attribute (hex dump): MFT creation time, file altered time, MFT accessed time, MFT altered time, then the next attribute
$STANDARD_INFORMATION
Flag Values
0x0001 Read Only
0x0002 Hidden
0x0004 System
0x0008 ???
0x0010 Directory
0x0020 Archive
0x0040 Device
0x0080 Normal
0x0100 Temporary
0x0200 Sparse file
0x0400 Reparse point
0x0800 Compressed
0x1000 Offline
0x2000 Content is not indexed
0x4000 Encrypted
$FILE_NAME
Attribute
• Type Identifier – 48 (0x30)
• Stores the file's name
• Parent directory
• Directory index
• For standard files or directories $FILE_NAME is the second attribute and is resident
• If a file requires multiple MFT entries the $ATTRIBUTE_LIST occurs second
$FILE_NAME
Attribute
Offset | Bytes | Description
0x0 | 0 – 7 | File reference of the parent directory
0x8 | 8 – 15 | File creation time
0x10 | 16 – 23 | File modification time
0x18 | 24 – 31 | MFT modification time - not shown in file properties
0x20 | 32 – 39 | File access time
0x28 | 40 – 47 | Allocated size of file
0x30 | 48 – 55 | Real size of file
0x38 | 56 – 59 | Flags (same as $STANDARD_INFORMATION flags)
0x3C | 60 – 63 | Reparse value
0x40 | 64 – 64 | Length of name
0x41 | 65 – 65 | Namespace
0x42 | 66+ | Name
$FILE_NAME attribute (hex dump): general attribute header, file reference to parent directory, file creation time, MFT modification time, file modification time, file accessed time, length of file name, file name, then the next attribute

$FILE_NAME attribute (hex dump, continued): file reference to parent directory = entry 5, i.e. 5 * 1024 bytes from the start of this $MFT
$FILE_NAME
Namespace
0 Posix: Case sensitive, all Unicode characters except '/' and NULL
1 Win32: Case sensitive, all Unicode characters except '/', '\', ':', '<', '>', and '?'
1 DOS: Case insensitive, upper case and no special characters
1 Win32 & DOS: Used when the original name already fits in the DOS namespace and two names are not needed
$DATA
Attribute
• Type ID – 128 (0x80)
• Still has the generic attribute header fields
• The first $DATA attribute does not have a name
• Additional $DATA attributes can be used for Alternate Data Streams, and as such each must have a name.
  C:\>echo "Hello world" > file.txt:stuff
• If the contents > 700 bytes it goes non-resident
• Directories can have $DATA attributes
Harlan Carvey
http://windowsir.blogspot.com/2010/05/analysis-tips.html

• MFT
I've worked a number of incidents where malware has been placed on a system and its MAC times 'stomped', either through something similar to timestomp, or through copying the times from a legitimate file. In such cases, extracting $FILE_NAME attribute times for the file from the MFT have been essential for establishing accuracy in a timeline. Once this has been done, everything has fallen into place, including aligning the time with other data sources in the timeline (Scheduled Task log, Event Logs,
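As an added example (my code, not from the slides or from Harlan Carvey's post), parsers for the $STANDARD_INFORMATION and $FILE_NAME layouts in the tables above, the FILETIME conversion from 100-ns intervals since 1601, the $STANDARD_INFORMATION flag decoding, and the comparison of the two sets of timestamps that the quoted passage relies on. The sample attribute contents are constructed: the $SI creation, modification and access times have been set back to a whole second in 2005 while $FN keeps the 2010 times, which is what a tool that writes times through the file API leaves behind. The function names and the heuristics in `timestomp_indicators` are assumptions of this example, and the indicators are leads to verify against other sources, not proof.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")   # field order in both attributes
SI_FLAGS = {0x0001: "READ_ONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
            0x0020: "ARCHIVE", 0x0040: "DEVICE", 0x0080: "NORMAL", 0x0100: "TEMPORARY",
            0x0200: "SPARSE_FILE", 0x0400: "REPARSE_POINT", 0x0800: "COMPRESSED",
            0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED"}


def filetime_to_datetime(ft: int) -> datetime:
    """100-nanosecond intervals since 1601-01-01 UTC -> datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _times(raw) -> dict:
    out = {f"{k}_raw": v for k, v in zip(TIME_KEYS, raw)}   # keep the raw value for precision checks
    out.update({k: filetime_to_datetime(v) for k, v in zip(TIME_KEYS, raw)})
    return out


def parse_standard_information(content: bytes) -> dict:
    *times, flags = struct.unpack_from("<QQQQI", content, 0)
    info = _times(times)
    info["flags"] = [n for bit, n in SI_FLAGS.items() if flags & bit]
    info["security_id"] = struct.unpack_from("<I", content, 0x34)[0]   # index into $Secure
    return info


def parse_file_name(content: bytes) -> dict:
    parent_ref, *times = struct.unpack_from("<QQQQQ", content, 0)
    alloc, real, flags = struct.unpack_from("<QQI", content, 0x28)
    name_len, namespace = content[0x40], content[0x41]
    info = _times(times)
    info.update(parent_entry=parent_ref & 0xFFFFFFFFFFFF, parent_sequence=parent_ref >> 48,
                allocated_size=alloc, real_size=real,
                flags=[n for bit, n in SI_FLAGS.items() if flags & bit],
                namespace=namespace,            # 0 POSIX, 1 Win32, 2 DOS, 3 Win32&DOS
                name=content[0x42:0x42 + 2 * name_len].decode("utf-16-le"))
    return info


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Heuristics, not proof. $SI times can be set through the file API while $FN times are
    written by the kernel, so a $SI creation time earlier than the $FN one, or $SI times
    truncated to whole seconds while $FN keeps 100 ns precision, point at altered times."""
    findings = []
    if si["created_raw"] < fn["created_raw"]:
        findings.append(f"$SI created {si['created']} is earlier than $FN created {fn['created']}")
    for k in TIME_KEYS:
        if si[k + "_raw"] % 10_000_000 == 0 and fn[k + "_raw"] % 10_000_000 != 0:
            findings.append(f"$SI {k} is a whole second while $FN {k} has sub-second precision")
    return findings


def build_sample_attributes(stomped: bool = True) -> tuple:
    """Constructed $SI and $FN contents. With stomped=True the $SI created/modified/accessed
    times are a whole second in 2005 while $FN keeps the kernel-set 2010 times."""
    real = datetime_to_filetime(datetime(2010, 5, 10, 14, 3, 7, 123456, tzinfo=timezone.utc)) + 7
    fake = datetime_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc)) if stomped else real
    si = bytearray(0x48)
    struct.pack_into("<QQQQI", si, 0, fake, fake, real, fake, 0x0020)   # MFT-altered time left alone
    struct.pack_into("<I", si, 0x34, 0x100)
    name = "sample.exe"
    fn = bytearray(0x42) + name.encode("utf-16-le")
    struct.pack_into("<QQQQQQQI", fn, 0, (1 << 48) | 5, real, real, real, real, 20480, 18000, 0x0020)
    fn[0x40], fn[0x41] = len(name), 3
    return bytes(si), bytes(fn)


if __name__ == "__main__":
    si_raw, fn_raw = build_sample_attributes()
    for line in timestomp_indicators(parse_standard_information(si_raw), parse_file_name(fn_raw)):
        print(line)
```

Both heuristics have legitimate explanations (files restored from backup or copied from FAT media can show them), so each hit is a prompt to line the entry up against $LogFile, the USN journal and the other sources the quoted passage names.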
$ATTRIBUTE_LIST
Attribute
• Type ID – 32 (0x20)
• Used when there are more attributes than can fit in one MFT entry
• Contains a list of where the other attributes can be found
• Each entry in the list has 7 fields in addition to the standard fields common to every attribute
$ATTRIBUTE_LIST
Structure
Offset | Bytes | Description
0x0 | 0 – 3 | Attribute type
0x4 | 4 – 5 | Length of this entry
0x6 | 6 – 6 | Length of name of this attribute
0x7 | 7 – 7 | Offset to name (relative to start of this entry)
0x8 | 8 – 15 | Starting VCN in attribute
0x10 | 16 – 23 | File reference where attribute is located
0x18 | 24 – 24 | Attribute ID
Example (diagram): a $Mft whose $DATA attribute needs two MFT entries

Entry 5009 (base record): $STD_INFO, $ATTRIBUTE_LIST, $FILE_NAME, $FILE_NAME
  $ATTRIBUTE_LIST entries:
    Type: 16  Entry: 5009
    Type: 48  Entry: 5009
    Type: 128 Entry: 4919
    Type: 128 Entry: 5037
Entry 4919: $Mft $DATA (VCN: 0) – first 5152 cluster descriptions
Entry 5037: $Mft $DATA (VCN: 5152) – remaining cluster descriptions
$OBJECT_ID
• Type ID – 64 (0x40)
• The file's 128-bit Global Object Identifier
• Used in place of the file name
• Remains constant when the file name changes
• The $Volume metadata file has an $OBJECT_ID attribute
$OBJECT_ID
Structure
Offset | Bytes | Description
0x0 | 0 – 15 | Object ID
0x10 | 16 – 31 | Birth volume ID
0x20 | 32 – 47 | Birth object ID
0x30 | 48 – 63 | Birth Domain ID
$REPARSE_POINT
• Type ID – 192 (0xC0)
• Used for files that are reparse points
  • Symbolic links
  • Junctions
  • Mount points for volumes
• Most attribute fields are application specific
$REPARSE_POINT
Fields
Offset | Bytes | Description
0x0 | 0 – 3 | Reparse type flags
0x4 | 4 – 5 | Size of reparse data
0x6 | 6 – 7 | Unused
0x8 | 8 – 9 | Offset to target name (relative to byte 16)
0xA | 10 – 11 | Length of target name
0xC | 12 – 13 | Offset to print name of target (relative to byte 16)
0xE | 14 – 15 | Length of print name
Other Attributes
• 80 (0x50) $SECURITY_DESCRIPTOR
  • Access control and security properties of the file
• 96 (0x60) $VOLUME_VERSION
  • Volume name
• 112 (0x70) $VOLUME_INFORMATION
  • File system version and other flags
• 144 (0x90) $INDEX_ROOT
  • Root node of an index tree
• 160 (0xA0) $INDEX_ALLOCATION
  • Nodes of an index tree rooted in the $INDEX_ROOT attribute
• 176 (0xB0) $BITMAP
  • A bitmap for the $MFT file and for indexes
Other Attributes cont'd
• 192 (0xC0) $SYMBOLIC_LINK
  • Soft link information. Windows NT version 1.2 and earlier
• 208 (0xD0) $EA_INFORMATION
  • Used for backward compatibility with version 1.2 applications (HPFS)
• 224 (0xE0) $EA
  • Used for backward compatibility with version 1.2 applications (HPFS)
• 256 (0x100) $LOGGED_UTILITY_STREAM
  • Contains keys and information about encrypted attributes in version 3.0+
Index Attributes & Data Structures
• Attributes and data structures for indexes
• Index
  • Structure in a sorted tree
• Tree
  • One or more nodes
• Node
  • One or more index entries
• The root of the tree is in the $INDEX_ROOT attribute
• The rest of the nodes are in the $INDEX_ALLOCATION attribute
• The $BITMAP attribute is used to manage the allocation status
$INDEX_ROOT
Attribute
• Type ID – 144 (0x90)
• Always resident
• Can only store a small list of index entries
• 16 byte header
• Node header
• A list of index entries
$INDEX_ROOT
Structure
Offset | Bytes | Description
0x0 | 0 – 3 | Type of attribute in index (0 if entry does not use an attribute)
0x4 | 4 – 7 | Collation sorting rule
0x8 | 8 – 11 | Size of each index record in bytes
0xC | 12 – 12 | Size in clusters
0xD | 13 – 15 | Unused
0x10 | 16+ | Node header

$INDEX_ROOT layout (diagram): $INDEX_ROOT header | Node header | Index Entry 1 | Index Entry 2 | Index Entry 3 | Index Entry 4
$INDEX_ALLOCATION
Attribute
• Type ID – 160 (0xA0)
• Large directories need a non-resident $INDEX_ALLOCATION attribute
• Filled with index records
• An index record has a static size defined in the $INDEX_ROOT attribute header
• An index record contains one node in the sorted tree
• Typical size is 4096 bytes
$INDEX_ALLOCATION
Index Record Header
Offset | Bytes | Description
0x0 | 0 – 3 | Signature value ("INDX")
0x4 | 4 – 5 | Offset to fixup array
0x6 | 6 – 7 | Number of entries in fixup array
0x8 | 8 – 15 | $LogFile Sequence Number (LSN)
0x10 | 16 – 23 | VCN of this record in the full index stream
0x18 | 24+ | Node header

Index record layout (diagram): each index record (Index Record 0, Index Record 1, ...) holds an index record header, a node header and its index entries
$I30 Files
• The $INDEX_ROOT and $INDEX_ALLOCATION attributes for a directory are typically referred to as the $I30 files
• More later
Index Node Header
Offset | Bytes | Description
0x0 | 0 – 3 | Offset to start of index entry list, relative to start of node header
0x4 | 4 – 7 | Offset to end of used portion of index ent   ry list, relative to start of node header
0x8 | 8 – 11 | Offset to end of allocated index entry list buffer, relative to start of node header
0xC | 12 – 15 | Flags - 0x01 is set when there are child nodes
Index Entry
Generic
Offset | Bytes | Description
0x0 | 0 – 7 | Undefined
0x8 | 8 – 9 | Length of this entry
0xA | 10 – 11 | Length of content
0xC | 12 – 15 | Flags
0x10 | 16+ | Content

Last 8 bytes of entry: VCN of child node in $INDEX_ALLOCATION

Flags
0x01 Child node exists
0x02 Last entry in list
Index Entry
Directory
Offset | Bytes | Description
0x0 | 0 – 7 | MFT file reference for the file name
0x8 | 8 – 9 | Length of this entry
0xA | 10 – 11 | Length of $FILE_NAME attribute
0xC | 12 – 15 | Flags
0x10 | 16+ | $FILE_NAME attribute

Last 8 bytes of entry: VCN of child node in $INDEX_ALLOCATION, present only when flags & 0x01 == 0x01

Flags
0x01 Child node exists
0x02 Last entry in list
$BITMAP
Attribute
• Keeps track of which index records are in use in the $INDEX_ALLOCATION attribute
• Index records become unused when files are deleted
