Parsing the NTFS file system to get the content of a specific file

Source: Internet
Author: User

To find the contents of a file (for example, to read the file D:\dir\dir2\text.txt), follow these steps:
(1) Read the partition table/partition list information and find the starting sector of disk F.
(2) Read the first sector of the D partition (its boot sector) to obtain the cluster size, the starting cluster number of the MFT table and other information.
(3) Read the fifth record (the root directory) of the MFT table to find the cluster number where the directory index is located.
(4) Read the root index to find the MFT record number of the dir directory.
(5) Read the MFT record of the dir directory and find the cluster number where its directory index is located.
(6) Read the index of the dir directory to find the MFT record number of the dir2 directory.
(7) Read the MFT record of the dir2 directory and find the cluster number where its directory index is located.
(8) Read the index of the dir2 directory to find the MFT record number of Test.txt.
(9) Read the MFT record of the Test.txt file and find its data attribute.
(10) Read the data of Test.txt from the location specified in that data attribute.

Below we use the tool WinHex to find the content of D:\dir\dir2\text.txt.


1. Read the partition table/partition list information and locate the starting sector of disk F.

Open sector 0 of disk 0.


The red-underlined section is the partition table entry for the D partition, and the blue box is the physical starting sector of the D partition, 0xEA58BC.

2. Read the first sector of the D partition (its boot sector) to obtain information such as the cluster size, the starting cluster number of the MFT table, and so on.

Open the sector whose physical sector number is 0xEA58BC. The red underline is the number of sectors per cluster (0x01, one sector per cluster);

The blue underline is the logical cluster number of $MFT (0x020AF3, a cluster number relative to the start of the D partition);

The purple underline is the number of clusters per MFT record (0x00 00 00 02, i.e. 2).


3. Read the fifth record (the root directory) of the MFT table to find the cluster number where the directory index is located.

Open the $MFT table: its cluster number relative to the D partition is 0x020AF3, and its cluster number relative to the entire disk is 0xEA58BC + 0x020AF3 = 0xEC63AF.

Because there is one sector per cluster, the offset of $MFT from the first sector of the D partition is sector 0x020AF3.

Each MFT record occupies 2 clusters, and the root directory is record 5 in the MFT (records are numbered from 0), so the cluster where the MFT record entry of the root directory lies is 0x020AF3 + 5 * 2 = 0x20AFD,

and the sector number is 0x20AFD * 1 sector per cluster = 0x20AFD.
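Steps 1 to 3 are pure arithmetic over three values read from disk (the partition's starting LBA from the MBR, and the cluster size, $MFT start cluster and record size from the boot sector), and the same formula is reused in steps 5, 7 and 9 for the records of dir, dir2 and test.txt. The following added example, which is not code from the original post, replays that arithmetic in Python on constructed MBR and boot-sector bytes carrying the walkthrough's own values (LBA 0xEA58BC, $MFT at cluster 0x020AF3, 1 sector per cluster, 2 clusters per record). The field offsets used (partition table at 0x1BE, bytes per sector at 0x0B, $MFT cluster at 0x30, clusters per record at 0x40) are the standard MBR and NTFS boot-sector layouts; the function names are the example's own.

```python
import struct

SECTOR_BYTES = 512  # the walkthrough's volume: 512-byte sectors, one sector per cluster


def build_mbr(lba_start, sector_count):
    """Construct a minimal MBR whose first partition entry starts at lba_start.
    Constructed sample data, not bytes captured from a real disk."""
    mbr = bytearray(SECTOR_BYTES)
    # entry: status, CHS start (3), type 0x07 (NTFS), CHS end (3), LBA start, sector count
    mbr[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                                   lba_start, sector_count)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return [(type, lba_start, sector_count)] for the used primary partition entries."""
    if mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:
            entries.append((entry[4], lba_start, count))
    return entries


def build_boot_sector(bytes_per_sector, sectors_per_cluster, mft_cluster, clusters_per_record):
    """Construct an NTFS boot sector carrying only the fields this walkthrough needs."""
    bs = bytearray(SECTOR_BYTES)
    bs[0:3], bs[3:11] = b"\xEB\x52\x90", b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, bytes_per_sector, sectors_per_cluster)
    struct.pack_into("<Q", bs, 0x30, mft_cluster)          # $MFT start cluster
    struct.pack_into("<b", bs, 0x40, clusters_per_record)  # clusters per MFT record (signed)
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def parse_boot_sector(bs):
    """Read the geometry an NTFS parser needs from the volume boot sector."""
    if bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_cluster, = struct.unpack_from("<Q", bs, 0x30)
    cpr, = struct.unpack_from("<b", bs, 0x40)
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**(-cpr) bytes (0xF6 -> 1024 bytes),
    # which is what most modern volumes with 4 KiB clusters store.
    record_bytes = cluster_bytes * cpr if cpr > 0 else 1 << (-cpr)
    return {"bytes_per_sector": bytes_per_sector, "cluster_bytes": cluster_bytes,
            "mft_cluster": mft_cluster, "record_bytes": record_bytes}


def mft_record_sector(geom, record_no):
    """Partition-relative sector of MFT record record_no.
    Assumes the MFT is contiguous from its start cluster, as the walkthrough does;
    a full parser must follow $MFT's own data runs once the table fragments."""
    byte_offset = geom["mft_cluster"] * geom["cluster_bytes"] + record_no * geom["record_bytes"]
    return byte_offset // geom["bytes_per_sector"]


def absolute_sector(partition_lba, relative_sector):
    """Translate a partition-relative sector to a whole-disk LBA (step 1)."""
    return partition_lba + relative_sector


def locate_walkthrough_records():
    """Replay the walkthrough's arithmetic on constructed sectors carrying its values."""
    mbr = build_mbr(0xEA58BC, 0x1000000)  # D partition starts at LBA 0xEA58BC (size is made up)
    _, part_lba, _ = parse_mbr(mbr)[0]
    geom = parse_boot_sector(build_boot_sector(512, 1, 0x020AF3, 2))
    mft_abs = absolute_sector(part_lba, mft_record_sector(geom, 0))
    records = {name: mft_record_sector(geom, no) for name, no in
               [("root", 5), ("dir", 0x0375), ("dir2", 0x0376), ("test.txt", 0x0377)]}
    return mft_abs, records


if __name__ == "__main__":
    mft_abs, records = locate_walkthrough_records()
    print(f"$MFT absolute sector: 0x{mft_abs:X}")
    for name, sector in records.items():
        print(f"{name:9s} MFT record at partition sector 0x{sector:X}")
```

The signed `clusters per record` field is the detail that most often trips a hand-rolled parser: the walkthrough's volume stores 2, but a default Windows volume stores 0xF6, which means 1024-byte records on 4096-byte clusters, so a record is a quarter of a cluster rather than a multiple of one.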


4. Read the root index to find the MFT record number of the dir directory.

Open D-partition-relative sector 0x20AFD and locate attribute 0x90 on the line at 0x0415FB80: the byte at attribute offset 0x08 is 0x01, which marks the attribute as non-resident, and its data run, 10 BB 03, means D-partition-relative starting cluster 0x0310BB with a length of 0x8 clusters.


Looking at D-partition-relative cluster 0x0310BB, you will see the index entries under the root directory, including the system files $AttrDef, $BadClus, $Bitmap, $Boot and so on.

Locate the index entry for dir; the red box is the name of this index entry, dir. The first 8 bytes of the entry are the MFT record number of the file (it appears only the first 4 bytes are used: 0x0375).


5. Read the MFT record of the dir directory and find the cluster number where its directory index is located.

Now compute the cluster number, within $MFT, of the MFT table entry for dir:

An MFT table entry takes up two clusters, so entry 0x0375 starts at cluster 0x0375 * 2 = 0x6EA relative to $MFT, which is cluster 0x020AF3 + 0x6EA = 0x211DD relative to the D partition (sector 0x211DD as well).

6. Read the index of the dir directory to find the MFT record number of the dir2 directory.

Open sector 0x211DD:


On the line at 0x0423BB00, the value at offset 0 is 0x00, which marks a resident attribute; the MFT record number of dir2, read from the purple box, is 0x0376.

7. Read the MFT record of the dir2 directory and find the cluster number where its directory index is located.

Now determine the cluster where the MFT record entry for dir2 lies:

$MFT start cluster + 0x0376 * clusters per record

= 0x020AF3 + 0x0376 * 2 = 0x211DF

8. Read the index of the dir2 directory to find the MFT record number of Test.txt.

Open D-partition-relative cluster 0x211DF:


You can see that the MFT record number of Test.txt is 0x0377.

9. Read the MFT record of the Test.txt file and find its data attribute.

The D-partition-relative cluster number of the MFT record entry for test.txt is:

= $MFT start cluster + test.txt record number * clusters per MFT record

= 0x020AF3 + 0x0377 * 2

= 0x211E1 (cluster number)

= 0x211E1 (sector number)

Open sector 0x211E1:


You can see the Test.txt file name in the 0x30 file name attribute.

The 0x80 data attribute holds the contents of the file.

10. Read the data of Test.txt from the location specified in its data attribute.

From the 0x80 data attribute you can tell that this attribute is resident, so the file contents of Test.txt, "This is the test for ntfs!", can be read directly.


In addition, if more data is written to Test.txt, the data attribute grows; the data between the red lines was appended later.


But as the file content keeps growing, the 0x80 data attribute changes from resident to non-resident: the file content is no longer stored directly in the attribute but in other clusters, which are located through the data run.


0x80 data attribute; the 0x01 flag marks it as non-resident;

Data run 31 02 4C 0D 01: the header byte 0x31 means a 1-byte length field followed by a 3-byte offset field, so the run starts at D-partition-relative cluster 0x010D4C and is 0x02 clusters long.

Open the sector at cluster 0x010D4C and you can see the Test.txt file contents:
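Steps 4, 9 and 10 all come down to the same two decisions a parser makes for every attribute: is the byte at attribute offset 0x08 zero (resident, content sits inside the record) or not (non-resident, content is found by decoding the data run), and how do the data-run bytes turn into cluster numbers. The added example below, not code from the original post, implements that in Python: an attribute walker over an MFT record, and a data-run decoder that handles the header-nibble encoding, the little-endian signed offsets (each run's offset is relative to the previous run's start, so it can be negative) and sparse runs. It runs on two constructed 1024-byte records, one with a resident $DATA holding "This is the test for ntfs!" and one with the non-resident run 31 02 4C 0D 01 from step 10; the bytes for the step 4 run are reconstructed here as 31 08 BB 10 03 from the decoded values the post gives (cluster 0x0310BB, length 8), which is an assumption. Two caveats worth knowing: the update-sequence (fixup) array that NTFS stamps into the last two bytes of every sector of a record is not applied here and must be on real disk data, and in NTFS the resident $INDEX_ROOT (0x90) is paired with a separate $INDEX_ALLOCATION attribute (0xA0) whose data run points at the index clusters, so a parser locating a large directory's index should read the run from 0xA0.

```python
import struct

ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF


def decode_data_runs(buf):
    """Decode an NTFS data-run list into [(start_cluster, cluster_count)].
    Header byte: low nibble = size of the length field, high nibble = size of the
    signed offset field. Offsets are relative to the previous run's start (the first
    to cluster 0); an offset size of 0 marks a sparse run with no clusters on disk."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def iter_attributes(record):
    """Yield (type, attribute_bytes) for each attribute of an MFT record.
    Simplification: the update-sequence (fixup) array is not applied here."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    pos, = struct.unpack_from("<H", record, 0x14)  # offset of the first attribute
    while pos + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == ATTR_END or alen == 0:
            break
        yield atype, record[pos:pos + alen]
        pos += alen


def read_data_attribute(record):
    """Return ('resident', content) or ('nonresident', runs, real_size) for $DATA.
    attr[8] is the non-resident flag the walkthrough inspects at attribute offset 0x08."""
    for atype, attr in iter_attributes(record):
        if atype != ATTR_DATA:
            continue
        if attr[8] == 0:
            content_len, content_off = struct.unpack_from("<IH", attr, 0x10)
            return "resident", attr[content_off:content_off + content_len]
        run_off, = struct.unpack_from("<H", attr, 0x20)
        real_size, = struct.unpack_from("<Q", attr, 0x30)
        return "nonresident", decode_data_runs(attr[run_off:]), real_size
    raise ValueError("no $DATA attribute")


# --- constructed sample records (hypothetical bytes, not the post's disk) ---

def _finish(body):
    body += b"\0" * (-len(body) % 8)                       # attributes are 8-byte aligned
    return body[:4] + struct.pack("<I", len(body)) + body[8:]  # patch the total length


def build_resident_data(content):
    # type, length, non-resident=0, name len, name off, flags, id, content len, content off, indexed, pad
    hdr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, 0, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return _finish(hdr + content)


def build_nonresident_data(run_bytes, real_size, cluster_bytes=512):
    alloc = -(-real_size // cluster_bytes) * cluster_bytes
    hdr = struct.pack("<IIBBHHH", ATTR_DATA, 0, 1, 0, 0x40, 0, 0)
    # start VCN, last VCN, data-run offset, compression unit, pad, allocated, real, initialised
    hdr += struct.pack("<QQHHIQQQ", 0, alloc // cluster_bytes - 1, 0x40, 0, 0, alloc, real_size, real_size)
    return _finish(hdr + run_bytes)


def build_record(*attrs):
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)  # first attribute at 0x38
    pos = 0x38
    for a in attrs:
        rec[pos:pos + len(a)] = a
        pos += len(a)
    struct.pack_into("<I", rec, pos, ATTR_END)
    return bytes(rec)


RESIDENT_RECORD = build_record(build_resident_data(b"This is the test for ntfs!"))
NONRESIDENT_RECORD = build_record(build_nonresident_data(bytes.fromhex("31024C0D0100"), 1000))

if __name__ == "__main__":
    print(read_data_attribute(RESIDENT_RECORD))
    print(read_data_attribute(NONRESIDENT_RECORD))
    print(decode_data_runs(bytes.fromhex("3108BB100300")))  # step 4 run, reconstructed
```

Reading the run list this way, with the offset accumulated from run to run, is what lets the same function handle a fragmented file whose later fragments sit below its first one on disk, which a one-shot decode of the first run alone would misplace.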



(If there are errors in this article, please correct me, thank you!)
