Bytes Offset for $BadClus of NTFS partition

#1 ant0ine
I wasn't really sure where to post this, so forgive me if I've posted in the wrong place. My inquiry is rooted in information theory so, at the very least, people of this subforum will most likely be able to understand what I'm talking about. Alright, so, I've posted this question in two forums already. In fact, I posted them yesterday. One in the "Programming" subforum of bleepingcomputer and the other in "microsoft.public.windows.file_systems" of Usenet, easily accessible via Google Groups. But, to my impatience, nobody has answered yet. So I'm hoping this forum is more apt to answer my questions. And I want you to know that I'm very grateful for the information you reveal.

Anyways, my inquiry regards the NTFS file system. As you may know, there are several "SYSTEM FILES" of NTFS:

File Name    MFT Record   Description
$MFT         0            Master File Table
$MFTmirr     1            MFT Mirror
$LogFile     2            Log file
$Volume      3            Volume
$AttrDef     4            Attribute definitions
$            5            Root file name index
$Bitmap      6            Cluster Bitmap
$Boot        7            Boot Sector
$BadClus     8            Bad cluster file
$Secure      9            Security file
$Upcase      10           Upcase table
$Extend      11           NTFS extension file
             12-23        Reserved for future use
$Quota       24           Quota management file
$ObjId       25           Object ID file
$Reparse     26           Reparse point

You can see that each of these has an "MFT Record". This would be useful information if I knew where the MFT is, but I do not. What's more, $MFT doesn't begin at the 1st sector of NTFS (i.e. the 5th sector of the device if NTFS is the first partition. 1st sector = MBR, 2 - 4 = 0-filled [reserved]). Instead, the 1st sector of NTFS is, logically, $Boot (i.e. the VBR and the IPL). $Boot is 16 sectors long (meaning it extends to byte offset 8192 [0x2000, 020000], since sectors are 512 bytes). The first sector contains the VBR and sectors 2 - 15 contain the IPL. These are the details of the NTFS Boot Sector (VBR):

Offset   Length      Description
0x00     3 bytes     Jump Instruction
0x03     LONGLONG    OEM ID
0x0B     25 bytes    BPB (BIOS Parameter Block)
0x24     48 bytes    Extended BPB
0x54     426 bytes   Bootstrap Code
0x01FE   WORD        End of Sector Marker

And these are the details of the BPB & Extended BPB:

Offset   Length     Sample Value          Description
0x0B     WORD       0x0002                Bytes Per Sector
0x0D     BYTE       0x08                  Sectors Per Cluster
0x0E     WORD       0x0000                Reserved Sectors
0x10     3 BYTES    0x000000              Always 0
0x13     WORD       0x0000                Not used by NTFS
0x15     BYTE       0xF8                  Media Descriptor
0x16     WORD       0x0000                Always 0
0x18     WORD       0x3F00                Sectors Per Track
0x1A     WORD       0xFF00                Number of Heads
0x1C     DWORD      0x3F000000            Hidden Sectors
0x20     DWORD      0x00000000            Not used by NTFS
0x24     DWORD      0x80008000            Not used by NTFS
0x28     LONGLONG   0x4AF57F0000000000    Total Sectors
0x30     LONGLONG   0x4000000000000000    Logical Cluster Number for the file $MFT
0x38     LONGLONG   0x54FF070000000000    Logical Cluster Number for the file $MFTmirr
0x40     DWORD      0xF6000000            Clusters Per File Record Segment
0x44     DWORD      0x01000000            Clusters Per Index Block
0x48     LONGLONG   0x14A51B74C91B741C    Volume Serial Number
0x50     DWORD      0x00000000            Checksum

While this is all useful information to me, it doesn't reveal the byte offset of the other metadata files. True, 0x30 contains the Logical Cluster Number for $MFT which, in turn, could reveal the byte offset of $BadClus since it should have an MFT Record. However, I'm not really sure how sectors translate to cylinders and vice-versa. So, if you could, let me know the byte offset for each of these metadata files. Also, tell me anything you know about NTFS in general. This is all for educational purposes.
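The two lookups the question needs, as an added example in Python that is not part of the original post: parse the BPB and extended BPB fields tabled above, turn the $MFT Logical Cluster Number into a byte offset (cluster size = bytes per sector x sectors per cluster, so the LCN is a plain linear address and no cylinder/head arithmetic is involved), then step forward by one file record size per MFT record to reach record 8, $BadClus. The "Sample Value" column of the post is a little-endian byte dump (0x0002 is 512, 0x40000... is LCN 64), which is why the code reads every field with `struct`'s `<` prefix. The sample boot sector and the sample FILE record are constructed here from those sample values; the assumption that the MFT's first extent is contiguous (true for the low-numbered system records, but not for an arbitrary record of a fragmented MFT, which needs the $DATA run list of record 0) is stated in the code. Note the result is the offset of the $BadClus MFT record, not of any bad-cluster data: $BadClus's data lives in a sparse $Bad stream the size of the volume, so it has no single location.

```python
import struct

# MFT record numbers of the metadata files listed in the post.
SYSTEM_FILES = {
    '$MFT': 0, '$MFTMirr': 1, '$LogFile': 2, '$Volume': 3, '$AttrDef': 4,
    '.': 5, '$Bitmap': 6, '$Boot': 7, '$BadClus': 8, '$Secure': 9,
    '$UpCase': 10, '$Extend': 11,
}


def build_sample_boot_sector():
    """Constructed sample: a 512-byte NTFS VBR using the post's sample values."""
    bs = bytearray(512)
    bs[0:3] = b'\xEB\x52\x90'                      # jump instruction
    bs[3:11] = b'NTFS    '                         # OEM ID
    struct.pack_into('<H', bs, 0x0B, 512)          # bytes per sector (0x0002 in the dump)
    bs[0x0D] = 8                                   # sectors per cluster
    bs[0x15] = 0xF8                                # media descriptor
    struct.pack_into('<H', bs, 0x18, 63)           # sectors per track
    struct.pack_into('<H', bs, 0x1A, 255)          # number of heads
    struct.pack_into('<I', bs, 0x1C, 63)           # hidden sectors (sectors before the volume)
    struct.pack_into('<Q', bs, 0x28, 0x7FF54A)     # total sectors
    struct.pack_into('<Q', bs, 0x30, 0x40)         # LCN of $MFT
    struct.pack_into('<Q', bs, 0x38, 0x7FF54)      # LCN of $MFTMirr
    bs[0x40] = 0xF6                                # clusters per file record segment (encoded)
    bs[0x44] = 0x01                                # clusters per index block
    struct.pack_into('<Q', bs, 0x48, 0x1C741BC9741BA514)  # volume serial number
    bs[0x1FE:0x200] = b'\x55\xAA'                  # end of sector marker
    return bytes(bs)


def parse_boot_sector(bs):
    """Parse the BPB / extended BPB of an NTFS boot sector into plain integers."""
    if len(bs) < 512 or bs[3:11] != b'NTFS    ' or bs[0x1FE:0x200] != b'\x55\xAA':
        raise ValueError('not an NTFS boot sector')
    bytes_per_sector, = struct.unpack_from('<H', bs, 0x0B)
    spc_raw = bs[0x0D]
    # Clusters larger than 64 KiB are encoded as 2**(256 - raw) sectors.
    sectors_per_cluster = (1 << (256 - spc_raw)) if spc_raw > 0x80 else spc_raw
    hidden_sectors, = struct.unpack_from('<I', bs, 0x1C)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from('<QQQ', bs, 0x28)
    cpfrs, = struct.unpack_from('<b', bs, 0x40)    # signed byte
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value v means 2**(-v) bytes per record: 0xF6 = -10 -> 1024 bytes.
    record_size = (1 << -cpfrs) if cpfrs < 0 else cpfrs * cluster_size
    return {
        'bytes_per_sector': bytes_per_sector,
        'sectors_per_cluster': sectors_per_cluster,
        'cluster_size': cluster_size,
        'hidden_sectors': hidden_sectors,
        'total_sectors': total_sectors,
        'mft_lcn': mft_lcn,
        'mftmirr_lcn': mftmirr_lcn,
        'record_size': record_size,
        'mft_offset': mft_lcn * cluster_size,      # volume-relative byte offset of $MFT
    }


def mft_record_offset(info, record_no, absolute=False):
    """Byte offset of MFT record `record_no`, relative to the volume start.

    With absolute=True the hidden-sector count is added to give a whole-device
    offset (valid on MBR disks where the field was filled in). Assumption: the
    first extent of the MFT is contiguous, which holds for the system records
    0-15; arbitrary records of a fragmented MFT need the $DATA run list of
    record 0 instead of this arithmetic.
    """
    off = info['mft_offset'] + record_no * info['record_size']
    if absolute:
        off += info['hidden_sectors'] * info['bytes_per_sector']
    return off


def build_sample_record(record_no, size=1024):
    """Constructed sample: a minimal in-use FILE record header for `record_no`."""
    rec = bytearray(size)
    rec[:4] = b'FILE'
    struct.pack_into('<H', rec, 0x16, 0x0001)      # flags: record in use
    struct.pack_into('<I', rec, 0x2C, record_no)   # record's own number (NTFS 3.1+)
    return bytes(rec)


def check_file_record(rec, expected_no):
    """Sanity-check bytes read at the computed offset before trusting them:
    'FILE' signature, in-use flag, and the self-stored record number."""
    if len(rec) < 0x30 or rec[:4] != b'FILE':
        return False
    flags, = struct.unpack_from('<H', rec, 0x16)
    own_no, = struct.unpack_from('<I', rec, 0x2C)
    return bool(flags & 0x0001) and own_no == expected_no


if __name__ == '__main__':
    info = parse_boot_sector(build_sample_boot_sector())
    for name, no in SYSTEM_FILES.items():
        print(f'{name:9s} record {no:2d} at volume offset 0x{mft_record_offset(info, no):X}')
    print('record 8 header valid:', check_file_record(build_sample_record(8), 8))
```

Against a real volume, replace `build_sample_boot_sector()` with the first 512 bytes of the partition (e.g. read with administrator rights from the volume device) and `build_sample_record()` with `record_size` bytes read at the computed offset; if `check_file_record` fails, the MFT is not where the simple arithmetic assumes and record 0's run list must be walked.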