limit of NTFS
limit of volume size is 16EB
limit of a file size is 16TB
cluster
the disk allocation unit in Windows
cluster size for different volume sizes
1 sector (0.5KB): volume size smaller than 0.5GB
2 sectors (1KB): volume size 0.5~1GB
4 sectors (2KB): volume size 1~2GB
8 sectors (4KB): volume size greater than 2GB
NTFS system files
include the below:
$attrdef – contains the definitions of all attributes
$badclus – marks all bad clusters
$bitmap – contains the allocation bitmap of all clusters
$boot – contains the bootstrap data
$logfile – used for recovery (the third MFT record)
$mft – contains a record for every file
$mftmirr – mirror copy of the MFT
$quota – quota of each user
$upcase – table for converting characters to uppercase Unicode
$volume – contains the volume name and version
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
…
PBS(Partition boot sector)
the first 16 sectors form the boot sector area
sector 1: boot sector with the "bootstrap" code
sectors 2~16: the boot sector's IPL (initial program loader)
refer
http://ntfs.com/ntfs-partition-boot-sector.htm
structure of sector 1 as below
0x00, 3 bytes, jump instruction
0x03, 8 bytes, OEM ID
0x0B, 25 bytes, BPB
0x24, 48 bytes, extended BPB
0x54, 426 bytes, bootstrap code
0x01FE, 1 word (2 bytes), end of sector marker
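As an added example (not part of these notes), a small Python parser that walks the layout above: it checks the OEM ID and the 0x55AA end-of-sector marker, reads the BPB and extended BPB fields at their fixed offsets, and derives the cluster size (compare the cluster size table above) and the byte offset of $MFT. The sample sector is constructed here, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
END_MARKER = 0xAA55  # little-endian for the bytes 55 AA at offset 0x1FE

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Parse the fixed-offset fields of an NTFS partition boot sector (sector 1)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    oem_id = sector[0x03:0x0B]                      # 8-byte OEM ID
    if oem_id != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS: %r" % oem_id)
    (marker,) = struct.unpack_from("<H", sector, 0x1FE)
    if marker != END_MARKER:
        raise ValueError("end-of-sector marker 0x55AA missing")
    # BPB (offset 0x0B): bytes per sector, sectors per cluster
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    # extended BPB: total sectors (0x28), $MFT LCN (0x30), $MFTMirr LCN (0x38)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (clusters_per_record,) = struct.unpack_from("<b", sector, 0x40)
    (volume_serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # a negative value n means the MFT record size is 2^|n| bytes (normally -10 -> 1024)
    if clusters_per_record < 0:
        mft_record_size = 1 << -clusters_per_record
    else:
        mft_record_size = clusters_per_record * cluster_size
    return {
        "oem_id": oem_id.decode("ascii"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_offset": mft_lcn * cluster_size,         # where $MFT starts on the volume
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": mft_record_size,
        "volume_serial": volume_serial,
    }

def build_sample_boot_sector() -> bytes:
    """Constructed sample (not a real disk image): ~4GiB volume with 4KiB clusters."""
    s = bytearray(SECTOR_SIZE)
    s[0x00:0x03] = b"\xEB\x52\x90"                  # jump instruction
    s[0x03:0x0B] = b"NTFS    "                       # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)         # 512 bytes/sector, 8 sectors/cluster
    s[0x15] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<QQQ", s, 0x28, 8388607, 786432, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", s, 0x40, -10)             # MFT record size 2^10 = 1024 bytes
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)  # constructed volume serial
    struct.pack_into("<H", s, 0x1FE, END_MARKER)     # end of sector marker
    return bytes(s)
```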
…
MFT (Master File Table)
holds the data of every file, directory and metafile in NTFS
MFT record attributes
header
standard information attribute (attribute $10)
filename attribute (attribute $30)
data attribute (attribute $80)
security descriptor (if the file has security parameters configured)
…
MACB timestamps under NTFS
m: modification time, the last written time in Windows
a: access time
c: change time, the NTFS attribute (MFT record) modification time in Windows
b: birth time
ps: FAT uses MAB timestamps
refer
https://en.wikipedia.org/wiki/MAC_times
…
NTFS features
data size
if the data is small, it is recorded only inside the data attribute
if the data is big, it is recorded in clusters
the modification times (ctime) are recorded in both of the below and may differ
standard information attribute
filename attribute
ADS (alternate data stream)
a data stream file is created by adding a colon ( : ) to the file name
one file can carry multiple ADS files, and they need not be of the same type
before some updates, when an ADS file was executed only the ordinary file was shown in Task Manager, but what actually ran was the ADS file
ex:
attach aa.txt under bi.txt
>echo Hello > c:\dump\bi.txt:aa.txt
>dir c:\dump
nothing is displayed
>dir c:\dump /r
bi.txt:aa.txt
>more c:\dump\bi.txt:aa.txt
Hello
ps
this means the $80 (data) attribute is repeated, once per stream
slack file
information can be written into slack space to hide secrets
…
EFS (Encrypting File System)
encryption technology on NTFS
the public key (EFS certificate) is stored in the user profile directory
a domain admin can recover the key when a domain user's key is lost
the backup key is stored in the DRF (data recovery field) attribute of EFS, and only a domain admin can enable it
ps:
encrypted files only work on NTFS, not on other file systems
ex:
if an encrypted file is copied to a floppy disk, it is automatically decrypted
refer
http://www.cc.ntu.edu.tw/chinese/epaper/0023/20121220_2305.html
recovery tools for EFS:
Advanced EFS Data Recovery
EFS key
refer
http://blog.csdn.net/fjb2080/article/details/5617111
…
NTFS file deletion steps
1. the clusters are marked as available
2. the MFT attribute $BITMAP is updated
3. the file attributes in the MFT are marked as available
4. the linking inode is removed from the MFT
5. the links to the clusters are deleted
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
…
ps:
windows basic disk
most personal computers are set up as basic disks, which are the easiest to manage
traditional functions
four primary partitions
three primary partitions and one extended partition; the extended partition can contain up to 128 logical drives
every partition on a basic disk is an independent entity on the disk.
windows dynamic disk
basic functions
about 2000 dynamic volumes that behave like partitions
supports the following advanced functions
spanned: multiple dynamic hard disks combined into a single dynamic volume
striped: data spread across several hard disks
mirrored: a copy of the data is produced and stored on several hard disks
ps:
dynamic disks are complex, so their partitions should never be deleted, to prevent disk corruption during a forensic investigation
refer
http://windows.microsoft.com/zh-tw/windows-vista/what-are-basic-and-dynamic-disks