Parsing the NTFS file system to get the content of a specific file

Source: Internet
Author: User

To find the contents of a file (for example, to read the file D:\dir\dir2\text.txt), the detailed procedure is as follows:

(1) Read the partition table / partition list information and find the starting sector of the D partition.

(2) Read the first sector of the D partition (its boot sector) to obtain the number of sectors per cluster, the starting cluster number of the MFT and other information.

(3) Read MFT record 5 (the root folder; records are numbered from 0) to find the cluster number where the folder index is located.

(4) Read the root folder index to find the MFT record number of the dir folder.

(5) Read the MFT record of the dir folder and find the cluster number where the folder index is located.

(6) Read the dir folder index to find the MFT record number of the dir2 folder.

(7) Read the MFT record of the dir2 folder and find the cluster number where the folder index is located.

(8) Read the index of the dir2 folder to find the MFT record number of Test.txt.

(9) Read the MFT record of the Test.txt file and find its Data attribute.

(10) Read the data of Test.txt from the location given by that Data attribute.

Below we use the tool WinHex to find the content of D:\dir\dir2\text.txt.


1. Read the partition table / partition list information and locate the starting sector of the D partition.

Open sector 0 of physical disk 0, which holds the partition table:


The red-lined section is the entry for the D partition. The blue box holds the physical starting sector of the D partition, 0xEA58BC.


2. Read the first sector of the D partition (its boot sector) to obtain information such as the number of sectors per cluster, the starting cluster number of the MFT and so on.

Open physical sector 0xEA58BC. The red line marks the number of sectors per cluster (0x01, one sector per cluster).

The blue line marks the logical cluster number of the $MFT (0x00 02 0A F3, a cluster number relative to the start of the D partition).

The purple line marks the number of clusters per MFT record (0x00 00 00 02, i.e. two clusters).



3. Read MFT record 5 (the root folder) to find the cluster number where the folder index is located.

Open the $MFT. Its cluster number relative to the D partition is 0x00 02 0A F3; relative to the whole disk it is 0xEA58BC + 0x020AF3 = 0xEC63AF.

Because there is one sector per cluster, the $MFT starts at sector 0x020AF3 counted from the first sector of the D partition.

Each MFT record occupies 2 clusters. The root folder is record 5 of the MFT (records are numbered from 0), so the cluster holding the root folder's MFT record is 0x020AF3 + 5 * 2 = 0x20AFD.

Its sector number is 0x20AFD * 1 sector per cluster = 0x20AFD.


4. Read the root folder index to find the MFT record number where the Dir folder resides

Open sector 0x20AFD of the D partition and locate the 0x90 attribute. In the row at 0415fb80, the byte at offset 0x08 is 0x01, which marks the attribute as non-resident; its data run, 10 BB 03, gives a starting cluster of 0x0310BB relative to the D partition and a length of 0x8 clusters.


Go to cluster 0x0310BB of the D partition and you will see the index entries under the root folder, including entries for $AttrDef, $BadClus, $Bitmap, $Boot and other system files.

Locate the index entry for dir; the red box marks the name of this index entry, dir.

The first 8 bytes of the entry are the MFT file reference of this file: the first 6 bytes (48 bits) are the MFT record number, 0x0375, and the last 2 bytes are the sequence number.



5. Read the MFT record of the Dir folder and find the cluster number where the folder index is located.


The following computes the cluster within the $MFT that holds the MFT record for dir:

An MFT record occupies two clusters, so record 0x0375 is at cluster 0x0375 * 2 = 0x6EA relative to the $MFT, which is cluster 0x020AF3 + 0x6EA = 0x211DD relative to the D partition (sector 0x211DD, with one sector per cluster).


6. Read the Dir folder index to find the MFT record number of the Dir2 folder

Open sector 0x211DD. In the row at 0423bb00, the byte at offset 0 is 0x00, which marks the attribute as resident; the purple box holds the MFT record number of dir2, 0x0376.


7. Read the MFT record of the Dir2 folder and find the cluster number where the folder index is located.

Now compute the cluster holding the MFT record of dir2:

$MFT start cluster + 0x0376 * clusters per MFT record

0x020AF3 + 0x0376 * 2 = 0x211DF


8. Read the index of the Dir2 folder to find the MFT record number where Test.txt is located

Open cluster 0x211DF of the D partition (sector 0x211DF, with one sector per cluster).


You can see that the MFT record number for Test.txt is 0x0377


9. Read the MFT record of the Test.txt file and find its Data property.

The cluster on the D partition holding the MFT record of Test.txt is

= $MFT start cluster + Test.txt record number * clusters per MFT record

= 0x020AF3 + 0x0377 * 2

= 0x211E1 (cluster number)

= 0x211E1 (sector number, with one sector per cluster)

Open sector 0x211E1:

The 0x30 file name attribute shows the file name Test.txt.

The 0x80 data attribute holds the contents of the file.
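The record-locating arithmetic repeated in steps 3, 5, 7 and 9, and the 8-byte file reference split used in step 4, as an added example that is not part of the original article; the constants are the values the article reads from the partition table and the boot sector, and the reference bytes for dir are constructed.

```python
# Added example, not from the original article: the arithmetic the walk above
# repeats in steps 3, 5, 7 and 9, and the 8-byte file reference split of step 4.

# Values the article reads from the partition table (step 1) and boot sector (step 2).
PARTITION_START_SECTOR = 0xEA58BC   # physical start sector of the D partition
MFT_START_CLUSTER = 0x020AF3        # $MFT start, relative to the partition
CLUSTERS_PER_RECORD = 2             # each MFT record occupies two clusters
SECTORS_PER_CLUSTER = 1


def mft_record_cluster(record_no, mft_start=MFT_START_CLUSTER,
                       clusters_per_record=CLUSTERS_PER_RECORD):
    """Partition-relative cluster holding MFT record `record_no` (numbered from 0)."""
    return mft_start + record_no * clusters_per_record


def partition_cluster_to_sector(cluster, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Partition-relative sector of a partition-relative cluster."""
    return cluster * sectors_per_cluster


def partition_sector_to_disk_sector(sector, part_start=PARTITION_START_SECTOR):
    """Physical (whole-disk) sector, as shown when the whole disk is opened in WinHex."""
    return part_start + sector


def split_file_reference(raw8):
    """Split an 8-byte MFT file reference (bytes 0..7 of an index entry, step 4)
    into (record number, sequence number): low 48 bits and high 16 bits."""
    if len(raw8) != 8:
        raise ValueError("file reference must be exactly 8 bytes")
    ref = int.from_bytes(raw8, "little")
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def mft_record_disk_sector(record_no):
    """Chain the three steps: MFT record number -> physical sector on disk 0."""
    cluster = mft_record_cluster(record_no)
    return partition_sector_to_disk_sector(partition_cluster_to_sector(cluster))


if __name__ == "__main__":
    # Root folder (record 5), dir (0x375), dir2 (0x376), Test.txt (0x377)
    for name, rec in [("root", 5), ("dir", 0x375), ("dir2", 0x376), ("Test.txt", 0x377)]:
        print(f"{name:8s} record {rec:#06x} -> partition sector {mft_record_cluster(rec):#x}")
    # Constructed bytes for the dir index entry's reference: record 0x375, sequence 1
    print(split_file_reference(bytes.fromhex("750300000000" "0100")))
```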


10. Read out the data of Test.txt from the file data location given by its data attribute.

The 0x80 data attribute shows that the attribute is resident, so the contents of Test.txt, "This was test for ntfs!", can be read directly from it.


Suppose we then keep writing data to Test.txt. The data in the data attribute grows; the bytes between the red lines were added later.

As the file content keeps growing, the 0x80 data attribute changes from resident to non-resident: the file content is no longer stored directly in the attribute, but in other clusters that are located through its data run.


In the 0x80 data attribute the flag byte is 0x01, which marks the attribute as non-resident.

Its data run, 31 4C 0D 01, says the content starts at cluster 0x010D4C relative to the partition and is 0x02 clusters long.

Open the sector of cluster 0x010D4C and the contents of Test.txt are visible:
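The data-run decoding used in steps 4 and 10, as an added example that is not part of the original article. The run bytes are constructed from the article's decoded values: a 0x31 header means a one-byte length field and a three-byte offset field, so the complete run for step 10 is 31 02 4C 0D 01 (length 0x02 inserted), and the run for step 4 is built the same way from 0x0310BB and length 8.

```python
# Added example, not from the original article: decoding an NTFS data-run list
# (the "data run" read in steps 4 and 10) into (start cluster, length) extents.


def decode_data_runs(runs):
    """Decode a data-run list into absolute, partition-relative extents.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field. The offset is signed and relative
    to the previous run's start cluster; an offset size of 0 marks a sparse run.
    A 0x00 header byte ends the list."""
    extents, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0x00:
        header = runs[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError(f"malformed data run at offset {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((None, length))   # sparse run: no clusters on disk
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        extents.append((lcn, length))
    return extents


def extent_sectors(extents, sectors_per_cluster=1):
    """Turn extents into (first sector, sector count) pairs to open in a hex editor."""
    return [(None if lcn is None else lcn * sectors_per_cluster,
             length * sectors_per_cluster) for lcn, length in extents]


if __name__ == "__main__":
    # Constructed from step 10: 31 02 4C 0D 01 plus the 0x00 terminator.
    print(decode_data_runs(bytes.fromhex("31024C0D0100")))   # [(0x10D4C, 2)]
    # Constructed from step 4: start cluster 0x0310BB, length 8 clusters.
    print(decode_data_runs(bytes.fromhex("3108BB100300")))   # [(0x310BB, 8)]
```

The second run in a list is often encoded with a negative offset (the file's next extent lies before the previous one on disk), which is why the offset is read as a signed value.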



(If there is an error in this article, please correct me. Thanks a lot.)


