NTFS File System Specification
Documentation is an essential part of the $ MFT file, all files in the volume by at least one documented to describe, for the use of multiple files recorded file, its first record called basic documentation file, and the rest is called Extended File records.
Documented by the recording head, a number of file attributes and end marker (0xFFFFFFFF) components.
File record header format:
Name
|
Offset
|
Size
|
Description
|
FR_Sign
|
0
|
4
|
Record Signature: value: 'ELIF'
|
FR_USOff
|
4
|
2
|
Claim offset sequence number (M) ( Relative file recording head)
|
FR_USNSz
|
6
|
2
|
Update Sequence Number Number +1 (N)
|
FR_LSN
|
8
|
8
|
Log file sequence number, this value is modified each time the record will be altered
|
FR_SN
|
0x10
|
2
|
Repeat using the update sequence number (delete one plus one)
|
FR_LnkCnt
|
0x12
|
2
|
Contents of this document recorded in the reference count, the value is only used for basic documentation
|
FR_USAOff
|
0x14
|
2
|
The first attribute data offset
|
FR_Flags
|
0x16
|
2
|
Signs, the member can be one of the following values
0x0001 record is used
0x0002 catalog file
|
FR_Size
|
0x18
|
4
|
The size of the current record
|
FR_AllocSz
|
0x1c
|
4
|
Size of the current record allocated space
|
FR_BaseFR
|
0x20
|
8
|
Basic file record index of the current record,
If the current file record is the basic document recording the value is 0, otherwise the index points to a record basic file records.
Note: the lower the value is 6 bytes MFT record number, the high two bytes are the sequence number of the record MFT
|
FR_NxtAttrId
|
0x28
|
2
|
ID next property.
The next time will be added to the property file records of ID, each time adding attributes to the file record that value increases, the value of each file record will be cleared when re-used, the first value is certainly 0
|
FR_Resvd
|
0x2a
|
2
|
Reserved (XP add, 3.1 +)
|
FR_NumOfFR
|
0x2c
|
4
|
The MFT record number (XP add, 3.1 +)
|
FR_USN
|
M
|
2
|
SEQ ID NO.
The log file records the number of times the value is modified each time you modify the value +1, (including deleted files operations) This value can not be 0
|
FR_USA
|
M +2
|
(N-1) * 2
|
Cost of the space occupied by the sequence value
|
Update Sequence Number is a Microsoft technology companies in order to ensure the reliability of the recorded data in NTFS volumes raised on NTFS volumes, all types of data records (FR, IR) is the space occupied by the sector size (512 byte) aligned. When recording data protection, write a check value in each of the last two 512-byte byte records are to ensure that all data is correctly written to disk, and data location where the checksum value is copied After the recording head to be called USA ( Update Sequence Array) data blocks, the system will record the data is read into memory from disk will check the checksum value of each recording head is the same serial number, if you use the same USA data recovery data in the corresponding position value of the position verification, otherwise it indicates that the record is not properly modified.
Each time data is recorded in writing will add a serial number, the serial number is 0 when it is coupled with 1.
|
|
|
|
|
Checksum
|
The first end of a 512-byte sector cost
|
The first two 512-byte sectors End Cost
|
. . . .
|
Finally, at the end of a 512-byte sector cost
|
|
|