$Quota $Q index entry (key: Owner Id; data: quota record)

| Offset | Size | Value | Description |
|---|---|---|---|
| ~ | ~ | ~ | Standard Index Header |
| 0x00 | 2 | 0x14 | Offset to data |
| 0x02 | 2 | | Size of data |
| 0x04 | 4 | 0x00 | Padding |
| 0x08 | 2 | | Size of Index Entry |
| 0x0A | 2 | 0x04 | Size of Index Key |
| 0x0C | 4 | 0x00 | Padding |
| 0x10 | 4 | | Key: Owner Id |
| 0x14 | 4 | 0x02 | Data: Version |
| 0x18 | 4 | | Data: Flags (see the flags table below) |
| 0x1C | 8 | | Data: Bytes Used |
| 0x24 | 8 | | Data: Change Time |
| 0x2C | 8 | | Data: Warning Limit |
| 0x34 | 8 | | Data: Hard Limit |
| 0x3C | 8 | | Data: Exceeded Time |
| 0x44 | V | | Data: SID |
| V+0x44 | P | 0x00 | Data: Padding (align to 8 bytes) |
$Quota flags

| Flag | Description |
|---|---|
| 0x0001 | Default Limits |
| 0x0002 | Limit Reached |
| 0x0004 | Id Deleted |
| 0x0010 | Tracking Enabled |
| 0x0020 | Enforcement Enabled |
| 0x0040 | Tracking Requested |
| 0x0080 | Log Threshold |
| 0x0100 | Log Limit |
| 0x0200 | Out Of Date |
| 0x0400 | Corrupt |
| 0x0800 | Pending Deletes |
$Reparse
Attributes in the MFT record

| Type | Description | Name |
|---|---|---|
| 0x10 | $STANDARD_INFORMATION | |
| 0x30 | $FILE_NAME | $Reparse |
| 0x90 | $INDEX_ROOT | $R |
| 0xA0 | $INDEX_ALLOCATION | $R |
| 0xB0 | $BITMAP | $R |
$Reparse $R index entry (key only; the data part is empty)

| Offset | Size | Value | Description |
|---|---|---|---|
| ~ | ~ | ~ | Standard Index Header |
| 0x00 | 2 | 0x1C | Offset to data |
| 0x02 | 2 | 0x00 | Size of data |
| 0x04 | 4 | 0x00 | Padding |
| 0x08 | 2 | 0x20 | Size of Index Entry |
| 0x0A | 2 | 0x0C | Size of Index Key |
| 0x0C | 2 | | Flags |
| 0x0E | 2 | 0x00 | Padding |
| 0x10 | 4 | | Key: Reparse Tag (and Flags) |
| 0x14 | 8 | | Key: MFT Reference of Reparse Point |
| 0x1C | 4 | 0x00 | Key Padding (align to 8 bytes) |
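As an added example (this is not code from the original page), the following Python parses one entry of each of the two index structures tabulated above, the $Quota $Q entry and the $Reparse $R entry, through the shared 16-byte standard index entry header, with bounds checks on the on-disk sizes. The sample entries are constructed in the block with struct.pack, and the symbolic flag names, the two reparse tag names and the convention that an all-ones limit means "unlimited" are assumptions added here, not values taken from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

# 16-byte standard index entry header shared by the $Quota $Q and $Reparse $R indexes.
INDEX_HDR = struct.Struct("<HHIHHHH")   # data offset, data size, pad, entry size, key size, flags, pad
QUOTA_DATA = struct.Struct("<IIQQQQQ")  # version, flags, bytes used, change time, warning, hard, exceeded
REPARSE_KEY = struct.Struct("<IQ")      # reparse tag, MFT reference (8-byte field at an unaligned offset)
NO_LIMIT = 0xFFFFFFFFFFFFFFFF           # assumption: an all-ones limit means "unlimited"

QUOTA_FLAGS = {  # names are labels added here for the bits in the page's flags table
    0x0001: "DEFAULT_LIMITS", 0x0002: "LIMIT_REACHED", 0x0004: "ID_DELETED",
    0x0010: "TRACKING_ENABLED", 0x0020: "ENFORCEMENT_ENABLED", 0x0040: "TRACKING_REQUESTED",
    0x0080: "LOG_THRESHOLD", 0x0100: "LOG_LIMIT", 0x0200: "OUT_OF_DATE",
    0x0400: "CORRUPT", 0x0800: "PENDING_DELETES",
}
# Two well-known Windows reparse tags; anything else is reported as UNKNOWN.
REPARSE_TAGS = {0xA0000003: "MOUNT_POINT", 0xA000000C: "SYMLINK"}


def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def flag_names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def parse_sid(buf):
    """Binary SID to 'S-R-A-S1-...'; returns (text, byte length)."""
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def split_mft_ref(ref):
    """Packed MFT reference -> (48-bit record number, 16-bit sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_index_entry(buf, off=0):
    """Parse the header at buf[off]; returns (flags, key bytes, data bytes, offset of next entry)."""
    data_off, data_len, _, entry_len, key_len, flags, _ = INDEX_HDR.unpack_from(buf, off)
    # Sizes come straight from disk: refuse anything that would read outside the entry or buffer.
    if entry_len < INDEX_HDR.size or off + entry_len > len(buf):
        raise ValueError("index entry size out of range")
    if INDEX_HDR.size + key_len > entry_len or data_off + data_len > entry_len:
        raise ValueError("key or data overruns the entry")
    key = buf[off + INDEX_HDR.size:off + INDEX_HDR.size + key_len]
    data = buf[off + data_off:off + data_off + data_len]
    return flags, key, data, off + entry_len


def parse_quota_entry(buf, off=0):
    """$Q entry: key = owner id, data = quota record followed by the owner's SID."""
    flags, key, data, nxt = parse_index_entry(buf, off)
    owner_id = struct.unpack("<I", key)[0]
    version, qflags, used, changed, warn, hard, exceeded = QUOTA_DATA.unpack_from(data, 0)
    sid, _ = parse_sid(data[QUOTA_DATA.size:])
    return {
        "owner_id": owner_id, "version": version, "flags": flag_names(qflags, QUOTA_FLAGS),
        "bytes_used": used, "change_time": filetime(changed),
        "warning_limit": None if warn == NO_LIMIT else warn,
        "hard_limit": None if hard == NO_LIMIT else hard,
        "exceeded_time": filetime(exceeded) if exceeded else None, "sid": sid,
    }, nxt


def parse_reparse_entry(buf, off=0):
    """$R entry: key = reparse tag + MFT reference of the file carrying the reparse point."""
    flags, key, data, nxt = parse_index_entry(buf, off)
    tag, ref = REPARSE_KEY.unpack(key[:REPARSE_KEY.size])
    record, seq = split_mft_ref(ref)
    return {
        "tag": tag, "tag_name": REPARSE_TAGS.get(tag, "UNKNOWN"),
        "microsoft_tag": bool(tag & 0x80000000), "name_surrogate": bool(tag & 0x20000000),
        "mft_record": record, "sequence": seq,
    }, nxt


# Constructed sample entries (not taken from a real volume).
def sample_quota_entry():
    sid = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 1, 2, 1001)  # S-1-5-21-1-2-1001
    data = QUOTA_DATA.pack(2, 0x0021, 123456, 133485408000000000, 1 << 30, 1 << 31, 0) + sid
    entry_len = (INDEX_HDR.size + 4 + len(data) + 7) & ~7            # entries are 8-byte aligned
    hdr = INDEX_HDR.pack(INDEX_HDR.size + 4, len(data), 0, entry_len, 4, 0, 0)
    return (hdr + struct.pack("<I", 0x100) + data).ljust(entry_len, b"\0")


def sample_reparse_entry():
    key = REPARSE_KEY.pack(0xA000000C, (3 << 48) | 40)   # symlink whose file is MFT record 40, sequence 3
    return INDEX_HDR.pack(0x1C, 0, 0, 0x20, REPARSE_KEY.size, 0, 0) + key + b"\0" * 4
```

The header flags (bit 0: entry has a sub-node, bit 1: last entry in the node) are returned untouched so a caller walking a whole $INDEX_ROOT or $INDEX_ALLOCATION node can stop at the last entry; the size checks matter because a crafted entry size is the usual way a malformed index makes a naive parser read past its buffer.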
$UsnJrnl
Attributes in the MFT record

| Type | Description | Name |
|---|---|---|
| 0x10 | $STANDARD_INFORMATION | |
| 0x30 | $FILE_NAME | $UsnJrnl |
| 0x80 | $DATA | $J |
| 0x80 | $DATA | $Max |
$J data stream: one journal entry (USN_RECORD_V2)

| Offset | Size | Description |
|---|---|---|
| 0x00 | 4 | Size of entry |
| 0x04 | 2 | Major Version |
| 0x06 | 2 | Minor Version |
| 0x08 | 8 | MFT Reference |
| 0x10 | 8 | Parent MFT Reference |
| 0x18 | 8 | Offset of this entry in $J (the USN) |
| 0x20 | 8 | Timestamp |
| 0x28 | 4 | Reason |
| 0x2C | 4 | SourceInfo |
| 0x30 | 4 | SecurityID |
| 0x34 | 4 | FileAttributes |
| 0x38 | 2 | Size of filename (in bytes) |
| 0x3A | 2 | Offset to filename |
| 0x3C | V | Filename (UTF-16LE, not NUL-terminated) |
| V+0x3C | P | Padding (align to 8 bytes) |
$UsnJrnl reason flags

| Flag | Description |
|---|---|
| 0x01 | The data in the file or directory was overwritten. |
| 0x02 | The file or directory was added to (extended). |
| 0x04 | The file or directory was truncated. |
| 0x10 | Data in one or more named data streams for the file was overwritten. |
| 0x20 | One or more named data streams for the file were added to (extended). |
| 0x40 | One or more named data streams for the file were truncated. |
| 0x100 | The file or directory was created for the first time. |
| 0x200 | The file or directory was deleted. |
| 0x400 | The user made a change to the file's or directory's extended attributes. These NTFS attributes are not accessible to Windows-based applications. |
| 0x800 | A change was made in the access rights to the file or directory. |
| 0x1000 | The file or directory was renamed, and the file name in this structure is the previous name. |
| 0x2000 | The file or directory was renamed, and the file name in this structure is the new name. |
| 0x4000 | A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. That is, the user changed the file or directory from one that can be content indexed to one that cannot, or vice versa. |
| 0x8000 | A user has either changed one or more file or directory attributes or one or more time stamps. |
| 0x10000 | An NTFS hard link was added to or removed from the file or directory. |
| 0x20000 | The compression state of the file or directory was changed from or to compressed. |
| 0x40000 | The file or directory was encrypted or decrypted. |
| 0x80000 | The object identifier of the file or directory was changed. |
| 0x100000 | The reparse point contained in the file or directory was changed, or a reparse point was added to or deleted from the file or directory. |
| 0x200000 | A named stream has been added to or removed from the file, or a named stream has been renamed. |
| 0x80000000 | The file or directory was closed. |
$UsnJrnl source info flags

| Flag | Description |
|---|---|
| 0x01 | The operation provides information about a change to the file or directory made by the operating system. A typical use is when the Remote Storage system moves data from external to local storage. Remote Storage is the hierarchical storage management software. Such a move usually at a minimum adds the USN_REASON_DATA_OVERWRITE (0x01) flag to a USN record. |
| 0x02 | The operation adds a private data stream to a file or directory. An example might be a virus detector adding checksum information. As the virus detector modifies the item, the system generates USN records. USN_SOURCE_AUXILIARY_DATA (0x02) indicates that the modifications did not change the application data. |
| 0x04 | The operation creates or updates the contents of a replicated file. For example, the file replication service sets this flag when it creates or updates a file in a replicated directory. |
$Max data stream

| Offset | Size | Description |
|---|---|---|
| 0x00 | 8 | Maximum Size |
| 0x08 | 8 | Allocation Delta |
| 0x10 | 8 | USN ID |
| 0x18 | 8 | Lowest Valid USN |
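To tie the $J entry layout, the reason and source-info flags, and the $Max stream together, here is an added Python example (not code from the original page) that walks a raw $J buffer: it validates each record's size, version and file-name bounds, steps over the zero-filled regions that a sparse $J contains, discards records below the Lowest Valid USN read from $Max, and pairs consecutive rename records for the same MFT record so the old and new names can be read side by side. The journal and $Max bytes are constructed in the block; the symbolic flag names and the sample file names are assumptions added here.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (0x3C bytes), the layout of the $J entry table above.
USN_HDR = struct.Struct("<IHHQQQQIIIIHH")  # size, major, minor, mft ref, parent ref, usn, timestamp,
                                            # reason, source info, security id, attributes, name len/off
MAX_FMT = struct.Struct("<QQQQ")            # $Max: max size, allocation delta, USN ID, lowest valid USN

REASONS = {  # symbolic names added here for the page's reason bits
    0x01: "DATA_OVERWRITE", 0x02: "DATA_EXTEND", 0x04: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
SOURCES = {0x01: "DATA_MANAGEMENT", 0x02: "AUXILIARY_DATA", 0x04: "REPLICATION_MANAGEMENT"}


def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def names(value, table):
    return sorted(n for bit, n in table.items() if value & bit)


def parse_max(blob):
    max_size, delta, usn_id, lowest = MAX_FMT.unpack_from(blob, 0)
    return {"max_size": max_size, "allocation_delta": delta, "usn_id": usn_id, "lowest_valid_usn": lowest}


def parse_usn_v2(buf, off):
    """Decode one record at buf[off]; raises ValueError on anything that does not fit the v2 layout."""
    (size, major, minor, ref, pref, usn, ts, reason, source,
     sec_id, attrs, name_len, name_off) = USN_HDR.unpack_from(buf, off)
    if size < USN_HDR.size or size % 8 or off + size > len(buf):
        raise ValueError("bad record length at 0x%x" % off)
    if (major, minor) != (2, 0):
        raise ValueError("unsupported USN_RECORD version %d.%d" % (major, minor))
    if name_off < USN_HDR.size or name_len % 2 or name_off + name_len > size:
        raise ValueError("file name overruns record at 0x%x" % off)
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    return {
        "size": size, "usn": usn, "mft_record": ref & 0xFFFFFFFFFFFF, "mft_seq": ref >> 48,
        "parent_record": pref & 0xFFFFFFFFFFFF, "timestamp": filetime(ts),
        "reason": names(reason, REASONS), "source": names(source, SOURCES),
        "security_id": sec_id, "attributes": attrs, "name": name,
    }


def walk_journal(j, max_blob=None):
    """Parse every record in a $J buffer, skipping zero-filled (sparse) regions and USNs below $Max's floor."""
    lowest = parse_max(max_blob)["lowest_valid_usn"] if max_blob else 0
    records, off = [], 0
    while off + USN_HDR.size <= len(j):
        if struct.unpack_from("<I", j, off)[0] == 0:
            off += 8                      # records are 8-byte aligned, so step through holes in 8s
            continue
        rec = parse_usn_v2(j, off)
        if rec["usn"] >= lowest:
            records.append(rec)
        off += rec["size"]
    return records


def rename_pairs(records):
    """Join consecutive RENAME_OLD_NAME / RENAME_NEW_NAME records for the same MFT record."""
    pairs, prev = [], None
    for rec in records:
        if (prev and "RENAME_OLD_NAME" in prev["reason"] and "RENAME_NEW_NAME" in rec["reason"]
                and prev["mft_record"] == rec["mft_record"]):
            pairs.append((prev["name"], rec["name"]))
        prev = rec
    return pairs


# Constructed sample data (not from a real volume): four records for one file, with a 16-byte hole.
def build_record(usn, ref, pref, ts, reason, name):
    n = name.encode("utf-16-le")
    size = (USN_HDR.size + len(n) + 7) & ~7
    hdr = USN_HDR.pack(size, 2, 0, ref, pref, usn, ts, reason, 0, 0, 0x20, len(n), USN_HDR.size)
    return (hdr + n).ljust(size, b"\0")


def sample_journal():
    ts, f, d = 133485408000000000, (1 << 48) | 1234, (1 << 48) | 5
    return (build_record(0, f, d, ts, 0x80000100, "evil.exe")          # FILE_CREATE | CLOSE
            + build_record(80, f, d, ts, 0x1000, "evil.exe")           # RENAME_OLD_NAME
            + build_record(160, f, d, ts, 0x2000, "svchost.exe")       # RENAME_NEW_NAME
            + b"\0" * 16                                               # zero-filled hole
            + build_record(264, f, d, ts, 0x80000200, "svchost.exe"))  # FILE_DELETE | CLOSE


def sample_max():
    return MAX_FMT.pack(32 << 20, 8 << 20, 0x01D0BEEF00000000, 80)  # floor: USN 80
```

Because the USN field is the entry's own byte offset in $J, a record whose USN disagrees with the offset it was read from is a sign of carving from the wrong start or of a tampered journal; on a live $J taken from its true start the two should match for every record.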
NTFS volume initialization
When a volume is mounted, the system first checks the volume-type signature in the NTFS boot sector: the OEM ID field must read "NTFS    " (NTFS followed by four spaces); if it does not, the volume is not treated as an NTFS volume. It then reads the BPB data from the boot sector to determine the volume layout (bytes per sector, sectors per cluster, total sectors, and the cluster where $MFT starts), and reads the file record that describes $MFT itself. Following the records described there, it reads $Bitmap, which is used to allocate and free clusters, and the root directory, which is the entry point for directory-tree access.
Primary boot sector, and the backup boot sector at the end of the volume
On an NTFS volume, the total sector count recorded in the $Boot file (BS_TotSec64) is one sector smaller than the partition size recorded in the partition table. That reserved sector, the last sector of the partition, holds a copy of the first sector of $Boot (the boot sector). If the boot sector at the start of the volume is damaged, it can be restored from this copy.
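The two paragraphs above describe the checks a mount performs and where the backup boot sector lives. As an added example (not code from the original page), the Python below applies them to a raw volume image: it verifies the 0x55AA signature and the "NTFS    " OEM ID, decodes the BPB fields (including the signed "clusters per record" encoding), locates the backup copy at BS_TotSec64 * bytes-per-sector, confirms the partition is exactly one sector larger than BS_TotSec64, and falls back to the image's last 512 bytes when the primary sector is unreadable. The image is constructed inside the block; the field offsets are the standard NTFS boot-sector layout, and the 512-byte fallback sector size is an assumption.

```python
import struct

OEM_ID = b"NTFS    "      # "NTFS" followed by four spaces, at offset 3 of the boot sector
SECTOR = 512              # assumption used only when the primary boot sector cannot be parsed


def parse_boot_sector(bs):
    """Decode the BPB of an NTFS boot sector; raises ValueError if the sector is not NTFS."""
    if len(bs) < 512 or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if bs[3:11] != OEM_ID:
        raise ValueError("OEM ID is not 'NTFS    '")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    cpr, = struct.unpack_from("<b", bs, 0x40)   # clusters per MFT record (signed)
    cpi, = struct.unpack_from("<b", bs, 0x44)   # clusters per index record (signed)
    serial, = struct.unpack_from("<Q", bs, 0x48)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector/cluster geometry")
    cluster = bps * spc
    # A negative count means the record size is 2**(-n) bytes rather than n clusters.
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster,
        "total_sectors": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn,
        "mft_record_size": 2 ** -cpr if cpr < 0 else cpr * cluster,
        "index_record_size": 2 ** -cpi if cpi < 0 else cpi * cluster,
        "serial": serial,
    }


def check_volume(image):
    """Validate the primary boot sector, compare it with the backup in the last sector, derive the layout."""
    result = {"primary_valid": False, "backup_matches": None, "recovered_from_backup": False}
    try:
        layout = parse_boot_sector(image[:SECTOR])
        result["primary_valid"] = True
        bps = layout["bytes_per_sector"]
        # BS_TotSec64 excludes the final sector of the partition, which holds the backup copy.
        backup_off = layout["total_sectors"] * bps
        result["partition_size_consistent"] = backup_off + bps == len(image)
        result["backup_matches"] = image[backup_off:backup_off + bps] == image[:bps]
    except ValueError as err:
        result["primary_error"] = str(err)
        try:                                   # primary unusable: try the image's last 512 bytes
            layout = parse_boot_sector(image[-SECTOR:])
            result["recovered_from_backup"] = True
        except ValueError as err2:
            result["backup_error"] = str(err2)
            return result
    result["layout"] = layout
    result["mft_offset"] = layout["mft_lcn"] * layout["cluster_size"]
    result["mftmirr_offset"] = layout["mftmirr_lcn"] * layout["cluster_size"]
    return result


def build_boot_sector(total_sectors=63, mft_lcn=4, mirr_lcn=2):
    """Constructed 512-byte NTFS boot sector: 4 KiB clusters, 1 KiB MFT records, 4 KiB index records."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    bs[0x15] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, mft_lcn, mirr_lcn)
    struct.pack_into("<bxxxb", bs, 0x40, -10, 1)      # 2**10-byte MFT records, 1-cluster index records
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def sample_image(total_sectors=63):
    """Constructed volume image: boot sector at the start and its copy in the partition's last sector."""
    bs = build_boot_sector(total_sectors)
    image = bytearray((total_sectors + 1) * 512)
    image[:512] = bs
    image[total_sectors * 512:] = bs
    return bytes(image)
```

A mismatch between the two copies is worth reporting rather than silently preferring either one: a boot sector is small and rarely rewritten, so a primary that parses but differs from its backup is more often the result of tampering or a botched repair than of ordinary use.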
Within an NTFS volume, the entries of a directory are arranged as a B+ tree. To look up a file, the search starts at the root node of the directory's index (for a full path, at the root directory) and compares the target file name against the keys in the root node to determine which child node covers the range containing it; that child node is then searched in the same way, descending level by level until the file name is found or shown to be absent.