Analyze the NTFS file system to get the content of a specific file

Source: Internet
Author: User


To find the content of a file (for example, to read D:\dir\dir2\test.txt), follow these steps:
(1) Read the partition table (and, for logical drives, the extended-partition linked list) and find the starting sector of the D partition.
(2) Read the first sector of the D partition (its boot sector) to obtain the cluster size and the starting cluster number of the MFT.
(3) Read MFT record 5 (the root directory; records are numbered from 0) and find the cluster number of its directory index.
(4) Read the root directory index and find the MFT record number of the dir directory.
(5) Read the MFT record of dir and find the cluster number of its directory index.
(6) Read the index of dir and find the MFT record number of the dir2 directory.
(7) Read the MFT record of dir2 and find the cluster number of its directory index.
(8) Read the index of dir2 and find the MFT record number of test.txt.
(9) Read the MFT record of test.txt and find its DATA attribute.
(10) Follow the DATA attribute to the file's storage location and read the data of test.txt.

In steps 3, 5 and 7 the index is found in one of two places: a small directory keeps its entries resident in the 0x90 $INDEX_ROOT attribute inside the MFT record, while a large one has a non-resident 0xA0 $INDEX_ALLOCATION attribute whose data run points at the index clusters.

The following uses WinHex to find the content of D:\dir\dir2\test.txt.


1. Read the partition table and find the starting sector of the D partition.

Open sector 0 of the disk (the MBR).


The red line is the partition-table entry of the D partition, and the blue box holds its physical starting sector, 0xEA58BC (the 4-byte little-endian starting LBA at offset 8 of the 16-byte entry).

2. Read the first sector of the D partition (its boot sector) to obtain the cluster size and the starting cluster number of the MFT.

Jump to physical sector 0xEA58BC. The red line is the sectors-per-cluster byte (0x01: one sector per cluster, so a cluster is 512 bytes on this volume);

The blue line is the logical cluster number of $MFT, an 8-byte little-endian field stored as F3 0A 02 00 00 00 00 00, i.e. cluster 0x020AF3 relative to the start of the D partition;

The purple line is the number of clusters per MFT record (0x02). This one-byte field is signed: a negative value (for example 0xF6 on a volume with 4 KB clusters) means the record size is 2^|value| bytes, i.e. 1024 bytes, so do not multiply it by the cluster size in that case.


3. Read MFT record 5 (the root directory) and find the cluster number of its directory index.

Open $MFT. Its cluster number relative to the D partition is 0x020AF3; relative to the whole disk it is 0xEA58BC + 0x020AF3 = 0xEC63AF.

Because the boot sector of the D partition says one sector per cluster, the sector offset of $MFT within the D partition is also 0x020AF3.

Each MFT record occupies 2 clusters, and the root directory is record 5 (records are numbered from 0), so the root directory's MFT record starts at cluster 0x020AF3 + 5*2 = 0x20AFD,

which at one sector per cluster is partition-relative sector 0x20AFD * 1 = 0x20AFD.


4. Read the index of the root directory and find the MFT record number of the dir directory.

Open partition-relative sector 0x20AFD and look at the index attributes. On the 0415FB80 line, the byte at offset 0x08 of the attribute header is 0x01, meaning a non-resident attribute, and its data run is 31 08 BB 10 03: the header byte 0x31 says the length field is 1 byte and the offset field is 3 bytes, so the index lives at partition-relative cluster 0x0310BB and is 0x8 clusters long. (The attribute that carries this data run is the 0xA0 $INDEX_ALLOCATION attribute; the 0x90 $INDEX_ROOT attribute just before it is always resident and holds the entries themselves only for small directories.)


Go to partition-relative cluster 0x0310BB. The index entries of the root directory are shown: $AttrDef, $BadClus, $Bitmap, $Boot and the other system files.

Find the entry for dir (the red box shows its name). The first 8 bytes of an index entry are the MFT file reference: the low 6 bytes are the MFT record number (0x0375 here) and the high 2 bytes are the sequence number, which is why only the first few bytes appear to be in use.


5. Read the MFT record of dir and find the cluster number of its directory index.

Calculate the cluster number of dir's MFT record within $MFT:

Each MFT record occupies two clusters, so record 0x0375 is at cluster 0x0375 * 2 = 0x6EA relative to $MFT, i.e. cluster 0x020AF3 + 0x6EA = 0x211DD relative to the D partition (sector 0x211DD, since there is one sector per cluster).

6. Read the index of dir and find the MFT record number of dir2.

Open sector 0x211DD:


On the 0423BB00 row, the non-resident flag of the index attribute is 0x00, so the index is resident: the entries are stored in the 0x90 $INDEX_ROOT attribute inside the MFT record itself. From the purple box, the MFT record number of dir2 is 0x0376.

7. Read the MFT record of dir2 and find the cluster number of its directory index.

Determine the cluster where dir2's MFT record is located:

$MFT starting cluster + 0x0376 * clusters per record

0x020AF3 + 0x0376*2 = 0x211DF

8. Read the index of dir2 and find the MFT record number of test.txt.

Open partition-relative cluster 0x211DF (sector 0x211DF).


The MFT record number of test.txt is 0x0377.

9. Read the MFT record of test.txt and find its DATA attribute.

The partition-relative cluster number of test.txt's MFT record

= $MFT starting cluster + test.txt record number * clusters per record

= 0x020AF3 + 0x0377*2

= 0x211E1 (cluster number)

= 0x211E1 (sector number, at one sector per cluster)

Open sector 0x211E1:


The 0x30 $FILE_NAME attribute shows the name test.txt.

The file content is in the 0x80 $DATA attribute.

10. Follow the DATA attribute to the file's storage location and read the data of test.txt.

In the 0x80 $DATA attribute the non-resident flag is 0x00, so the attribute is resident: the content of test.txt, "This is test for NTFS !", sits directly inside the MFT record.


If more data is appended to test.txt, the resident $DATA attribute grows in place and the bytes between the red lines get longer.


But once the content grows past what fits in the 1 KB MFT record, the 0x80 $DATA attribute changes from resident to non-resident. The content is no longer stored in the attribute itself; it has to be located in other clusters through the attribute's data run.


0x80 $DATA attribute; non-resident flag 0x01;

Data run 31 02 4C 0D 01: the header 0x31 means a 1-byte length (0x02) and a 3-byte offset (4C 0D 01, little-endian 0x010D4C), so the content starts at partition-relative cluster 0x010D4C and is 0x02 clusters long. For a fragmented file each later run's offset is a signed delta from the previous run's starting cluster, not an absolute cluster number.

Open the sector at cluster 0x010D4C and the content of test.txt is visible:
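The ten steps above, as an added example in code (not the article's own code): the MBR entry, boot-sector and MFT record arithmetic, the data-run decoder for runs like 31 08 BB 10 03, the file-reference split used in step 4, and a $DATA reader that handles both the resident and the non-resident case. It also applies the update-sequence fixups that a hex editor does not undo for you. The boot sector, MFT records and cluster contents are constructed inline to match the article's values; the helper names and the `read_cluster` callback are this example's own assumptions.

```python
# Added example (not the article's code): the arithmetic and on-disk parsers behind the ten steps
# above. Sample bytes are constructed to match the article (512-byte sectors, 1 sector/cluster,
# $MFT at cluster 0x020AF3, 2 clusters per MFT record).
import struct

def mbr_partition(mbr: bytes, index: int) -> tuple:   # step 1: (start_lba, sectors) of entry 0-3
    return struct.unpack_from("<II", mbr, 0x1BE + 16 * index + 8)

def parse_boot_sector(bs: bytes) -> dict:
    """Step 2: bytes/sector, cluster size, $MFT LCN and MFT record size from the BPB."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]
    cpr = struct.unpack_from("<b", bs, 0x40)[0]            # signed: negative means 2**|cpr| bytes
    cluster = bps * spc
    return {"bps": bps, "cluster": cluster, "mft_lcn": mft_lcn,
            "record_size": 2 ** -cpr if cpr < 0 else cpr * cluster}

def mft_record_sector(boot: dict, rec_no: int, part_start: int = 0) -> int:
    """Steps 3/5/7/9: sector of MFT record rec_no (assumes $MFT's first data run is contiguous)."""
    return part_start + (boot["mft_lcn"] * boot["cluster"] + rec_no * boot["record_size"]) // boot["bps"]

def decode_data_runs(raw: bytes) -> list:
    """Data-run list -> [(lcn, clusters), ...]; lcn is None for a sparse run."""
    runs, lcn, pos = [], 0, 0
    while pos < len(raw) and raw[pos]:
        len_sz, off_sz, pos = raw[pos] & 0xF, raw[pos] >> 4, pos + 1
        length, pos = int.from_bytes(raw[pos:pos + len_sz], "little"), pos + len_sz
        if off_sz:                                          # signed delta from the previous run's LCN
            lcn += int.from_bytes(raw[pos:pos + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, length))
        pos += off_sz
    return runs

def file_reference(ref: int) -> tuple:                   # first 8 bytes of an index entry
    return ref & 0xFFFFFFFFFFFF, ref >> 48                # (MFT record number, sequence number)

def apply_fixups(record: bytes, bps: int = 512) -> bytes:
    """Undo the update-sequence array: on disk the last 2 bytes of every sector hold the USN."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        if buf[i * bps - 2:i * bps] != usn:
            raise ValueError("fixup mismatch: torn record")
        buf[i * bps - 2:i * bps] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def iter_attributes(record: bytes):
    """Yield (type, name_len, non_resident, payload) per attribute up to the 0xFFFFFFFF end marker."""
    pos = struct.unpack_from("<H", record, 0x14)[0]
    while (atype := struct.unpack_from("<I", record, pos)[0]) != 0xFFFFFFFF:
        alen = struct.unpack_from("<I", record, pos + 4)[0]
        attr = record[pos:pos + alen]
        if attr[8] == 0:                                    # resident: content sits inside the record
            clen, coff = struct.unpack_from("<IH", attr, 0x10)
            yield atype, attr[9], False, attr[coff:coff + clen]
        else:                                               # non-resident: content is out in the data runs
            run_off = struct.unpack_from("<H", attr, 0x20)[0]
            real = struct.unpack_from("<Q", attr, 0x30)[0]
            yield atype, attr[9], True, (decode_data_runs(attr[run_off:]), real)
        pos += alen

def read_data(record: bytes, boot: dict, read_cluster=None) -> bytes:
    """Steps 9-10: the unnamed $DATA stream; read_cluster(lcn) supplies clusters of a non-resident file."""
    for atype, name_len, nonres, payload in iter_attributes(apply_fixups(record, boot["bps"])):
        if atype != 0x80 or name_len:                       # skip alternate data streams
            continue
        if not nonres:
            return payload
        runs, real = payload
        raw = b"".join(read_cluster(lcn + i) if lcn is not None else bytes(boot["cluster"])
                       for lcn, n in runs for i in range(n))
        return raw[:real]                                   # allocated size is rounded up to clusters
    raise ValueError("no unnamed $DATA attribute")

# --- constructed sample data mirroring the article's values ---------------------------------
def sample_boot_sector() -> bytes:
    bs = bytearray(512)
    bs[3:11], bs[0x40] = b"NTFS    ", 2                     # 2 clusters (1024 bytes) per MFT record
    struct.pack_into("<HB", bs, 0x0B, 512, 1)               # 512-byte sectors, 1 sector per cluster
    struct.pack_into("<Q", bs, 0x30, 0x020AF3)              # $MFT starts at cluster 0x020AF3
    return bytes(bs)
def res_attr(atype: int, content: bytes) -> bytes:
    size = (0x18 + len(content) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, size, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0) + content.ljust(size - 0x18, b"\0")
def nonres_attr(atype: int, runs: bytes, real: int, cluster: int) -> bytes:
    alloc, size = -(-real // cluster) * cluster, (0x40 + len(runs) + 7) & ~7
    return struct.pack("<IIBBHHHQQHHIQQQ", atype, size, 1, 0, 0, 0, 0, 0, alloc // cluster - 1, 0x40, 0, 0,
                       alloc, real, real) + runs.ljust(size - 0x40, b"\0")
def build_record(attrs: bytes, size: int = 1024, bps: int = 512) -> bytes:
    """A FILE record with its update-sequence array applied the way the driver writes it to disk."""
    n, buf = size // bps, bytearray(size)
    buf[:0x30] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, n + 1, 0, 1, 1, 0x38, 1, size, size, 0, 0, 0, 0)
    buf[0x38:0x3C + len(attrs)], buf[0x30:0x32] = attrs + b"\xff" * 4, b"\x07\x00"
    for i in range(1, n + 1):                               # park the real end-of-sector bytes in the USA
        buf[0x30 + 2 * i:0x32 + 2 * i], buf[i * bps - 2:i * bps] = buf[i * bps - 2:i * bps], b"\x07\x00"
    return bytes(buf)
```

Against a real image the same functions are driven by raw reads: `mbr_partition` on sector 0, `parse_boot_sector` on the partition's first sector, `mft_record_sector` to locate each record, and `read_data` with a `read_cluster` callback that seeks to `(part_start + lcn * sectors_per_cluster) * 512`. The fixup step is the part a hex-editor walk silently skips: any resident content or data-run bytes that fall on the last two bytes of a sector are overwritten on disk by the update sequence number, and reading them as displayed gives wrong bytes.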



(If there is any error in this article, please correct it. Thank you!)




What are the advantages of the NTFS file system?

First, permissions can be set on a single file or folder.
Second, larger disk capacities are supported.
Third, compression: drives, folders, or individual files can be compressed or decompressed.
Fourth, file encryption.
Fifth, Active Directory requires NTFS.
Sixth, disk quotas can monitor and limit the disk space used by each user.
Seventh, it is less prone to fragmentation.

What are the three advantages of the NTFS file system?

File Allocation Table (FAT)
A file system used by MS-DOS and other Windows operating systems to organize and manage files. The file allocation table (FAT) is a data structure that Windows creates when it formats a volume with the FAT or FAT32 file system. Windows stores information about each file in the FAT so that the file can be retrieved later.

FAT32
A file system derived from the file allocation table (FAT) file system. Compared with FAT, FAT32 supports smaller clusters and larger capacity, thus allocating disk space more efficiently on FAT32 volumes.

NTFS file system
An advanced file system that provides performance, security, reliability, and advanced features not available in any version of FAT. For example, NTFS ensures volume consistency with standard transaction logging and recovery techniques: after a system failure, NTFS uses its log file and checkpoint information to restore the file system to a consistent state. In Windows 2000 and Windows XP, NTFS also provides advanced features such as file and folder permissions, encryption, disk quotas, and compression.

Select NTFS, FAT, and FAT32

On a computer running Windows XP, you can choose from three file systems when partitioning a disk: NTFS, FAT, and FAT32. NTFS is the strongly recommended file system. Compared with FAT or FAT32, NTFS is more capable and includes the features required by Active Directory and other important security features. Only when NTFS is selected as the file system can features such as Active Directory and domain-based security be used.

NTFS and FAT32 options
Win 2000 supports both the FAT32 and NTFS file systems. FAT32 has the edge in compatibility with Win 9x, while NTFS has the edge in system security. Given the application requirements, how should the file system be chosen so as to make full use of the features of Win 2000? Before discussing this, let's look at the features of the FAT32 and NTFS file systems.
FAT32 File System
Before FAT32 was introduced, the file system commonly used on PCs was FAT16; MS-DOS, Win 95 and other systems use FAT16. Under Windows 9x, FAT16 supports a maximum partition size of 2 GB. A computer stores information on the hard disk in units called clusters, and the smaller the cluster, the more efficiently space is used. With FAT16, the larger the partition, the larger the cluster, so storage efficiency drops and space is wasted. As hardware and applications kept improving, FAT16 could no longer meet system requirements, and the enhanced FAT32 file system was introduced. Compared with FAT16, FAT32 has the following features:
1. The biggest advantage of FAT32 over FAT16 is support for disks up to 2 TB (2047 GB), although it cannot be used on partitions smaller than MB. Win 2000 supports FAT32 partitions up to 32 GB, and FAT16 partitions up to 4 GB.
2. Because smaller clusters are used, FAT32 stores information more efficiently. For example, with two 2 GB partitions, one FAT16 and one FAT32, the cluster size is 32 KB under FAT16 but only 4 KB under FAT32, so FAT32's storage efficiency is much higher, by about 15%.
3. FAT32 can relocate the root directory and use a backup copy of the FAT. In addition, the boot record of a FAT32 partition is held in a structure containing critical data, reducing the chance of system crashes.
NTFS file system
NTFS is a security-oriented file system unique to the Windows NT line...
