NTFS File System Overview
NTFS (New Technology File System) was introduced in 1993 by Microsoft as a replacement of FAT and provided improved support of performance, reliability and security. It is the standard file system of Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7.
Unlike FAT, everything is a file in the NTFS file system environment. There is a boot sector located at the starting sector of the file system. It records many important parameters, such as the position of the MFT (Master File Table), the size of the partition and so on. Metadata is indexed by the MFT and treated as files. Each file in NTFS has a unique MFT entry which always has 2 sectors length and is divided into two main parts: a file record header and a multiple of attributes. File record attributes are classified as residential attribute or non-residential attribute. Some actual file content will be stored in a residential attribute if it is small enough to fit in a certain length, or it will be stored at a different place where assigned by a space management system and being indexed by a certain number and/or level of pointers. Obviously, file pointers information will be also stored in a residential attributes. A series of pointers which point to the address of the file content is called a data stream, which will be introduced in a later post.
MFT file records/entries are numbered from 0 and file record 0 is always $MFT. The first few file records are used to store file system metadata files, e.g. $MFT, $MFTMirr, $Bitmap, $Boot. $MFT is a file containing the MFT entries including $MFT itself. Thus, $MFT as a pointer points itself. $MFTMirr (file record 1 of the MFT) backups the first four file records of the MFT. Therefore, if the MFT is damaged, the disk may be recovered by the $MFTMirr.
$Bitmap (file record 6) lists the usage status of all the clusters and $Boot points to the boot sector of the partition. The ROOT directory of the file system is recognised by a “.”. All the user files and metadata files are stored under ROOT directory of “.”.
The last sector of the volume is reserved for backing up the boot sector of NTFS. This sector is being included in the total partition size in the partition table of MBR or EBR, but it is being excluded from total partition size in DBR. Thus they are 1 sector off.
The numeric representation of “Little-endian” is used in the NTFS file system. Thus, the numbers of bytes are always stored on media or in memory in a reverse order. This is the same as what has been used in FAT32 file system. For clarity, the hex number used to describe values such as offset and size are given in the translated/normal order, whereas others such as signatures are not.