NTFS file system management: analysis of the $MFT file

The metadata file $MFT is the most important file in NTFS. It records the state of every file and directory in the volume, including the volume information, the boot (start-up) files and the $MFT file itself. It also records information such as file names, security attributes, file sizes and storage locations; in this it plays the role of the FAT plus the FDT (file directory table) in the FAT file system, but it stores far more file attributes than FAT+FDT does.

The $MFT is made up of a series of file records. Each file record consists of a record header followed by an attribute part, and is terminated by "FF FF FF FF". A record is generally 1 KB, or one cluster (which is generally larger). The content of its first sector is shown in the following chart:

The attribute part is a variable-length area terminated by "FF FF FF FF" (strictly speaking, the attribute part ends where the next attribute's type field begins with "FF FF FF FF"). For a 1 KB MFT record, the attribute part usually begins at offset 0x30.

Besides its attribute structure, every file attribute has an important byte sequence called a "stream", which holds the attribute's actual value. The metadata can be accessed through this stream.

Within a file, each attribute may carry a name; in that case the stream can be addressed from the command line with the syntax "filename:attribute name" (this is also why a file name cannot contain ":"). To save system overhead, Windows NT pre-defines the commonly used file attributes in the metadata file $AttrDef, so they can be used directly. For example, the file attributes defined in $AttrDef are shown in the following chart:

Content A of $AttrDef:

Content C of $AttrDef:

From the three charts above we can see that the standard-information attribute is marked by type 10H, the attribute-list attribute by 20H, the file-name attribute by 30H, and so on. Keeping the commonly used attribute names in one file greatly reduces system overhead.

Content part: its structure always begins with the attribute name (N bytes long). After the name, the attribute is defined as either resident or non-resident. When the data stream of an attribute is stored directly after its name, the attribute is resident; this gives fast access to attributes whose streams are small and do not change. If an attribute is non-resident, its stream is stored in one or more extents, or "runs", each of which is a contiguous region of logical cluster numbers. To locate the runs, NTFS stores a table called the run list after the attribute name.

Header part: its structure is shown in the following chart.

Header structure of an attribute

Offset  Size  Description
0x00    4     Type
0x04    4     Length
0x08    1     Non-resident flag
0x09    1     N = name length
0x0a    2     Offset to the content part
0x0c    2     Compressed flag
0x0e    2     Identifier (attribute ID)
The following fields apply only to resident attributes:
0x10    4     Length of the stream
0x14    2     Offset to the stream
0x16    2     Indexed flag
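As an added example (not code from the original article), the Python below walks the attribute part of one MFT record using exactly the header offsets in the table above, stopping at the FF FF FF FF terminator and bounds-checking every length and offset so that a corrupted or hostile record cannot make the parser loop forever or read outside the record. The 0x30 starting offset and the sample record bytes are constructed here; parsing the non-resident run list is out of scope.

```python
import struct
# Field offsets taken from the attribute-header table on this page:
#   0x00 type (4)  0x04 length (4)  0x08 non-resident flag (1)  0x09 name length N (1)
#   0x0a offset to name (2)  0x0c flags (2)  0x0e attribute id (2)
#   resident only: 0x10 stream length (4)  0x14 stream offset (2)  0x16 indexed flag (2)
END_MARKER = 0xFFFFFFFF

def parse_attributes(record: bytes, first_attr_offset: int = 0x30) -> list:
    """Walk the attribute part of one MFT record until the FF FF FF FF terminator."""
    attrs, off = [], first_attr_offset
    while off + 4 <= len(record):
        atype = struct.unpack_from("<I", record, off)[0]
        if atype == END_MARKER:
            break
        length, nonres, name_len, name_off, flags, attr_id = \
            struct.unpack_from("<IBBHHH", record, off + 4)
        # A zero, unaligned or oversized length would loop forever or read past the record.
        if (length < 0x18 or length % 8 or off + length > len(record)
                or name_off + 2 * name_len > length):
            raise ValueError(f"bad attribute length/name at {off:#x}")
        name = record[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
        entry = {"type": atype, "length": length, "non_resident": bool(nonres),
                 "name": name, "flags": flags, "id": attr_id}
        if not nonres:
            stream_len, stream_off, indexed = struct.unpack_from("<IHH", record, off + 0x10)
            if stream_off + stream_len > length:
                raise ValueError(f"resident stream at {off:#x} runs past its attribute")
            entry["stream"] = record[off + stream_off: off + stream_off + stream_len]
            entry["indexed"] = bool(indexed)
        attrs.append(entry)
        off += length
    return attrs

def build_resident(atype: int, stream: bytes, name: str = "", attr_id: int = 0) -> bytes:
    """Build one resident attribute with the same layout (constructed test data)."""
    name_bytes = name.encode("utf-16-le")
    name_off = 0x18
    stream_off = (name_off + len(name_bytes) + 7) & ~7      # 8-byte aligned
    length = (stream_off + len(stream) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, length, 0, len(name), name_off, 0, attr_id)
    hdr += struct.pack("<IHH", len(stream), stream_off, 0)
    body = hdr + name_bytes
    body += b"\0" * (stream_off - len(body)) + stream
    return body + b"\0" * (length - len(body))

# Constructed 1 KB record: 0x30-byte record header (zeros), one resident $STANDARD_INFORMATION
# (0x10) attribute, one named resident $DATA (0x80) stream, then the end marker.
SAMPLE_RECORD = (b"\0" * 0x30
                 + build_resident(0x10, bytes(range(8)))
                 + build_resident(0x80, b"hello", name="ads", attr_id=2)
                 + b"\xff\xff\xff\xff").ljust(1024, b"\0")
```

Calling parse_attributes(SAMPLE_RECORD) returns the two attribute dictionaries, with the named $DATA entry's stream holding b"hello".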

File records of $MFT:

Structure of $MFT