{"id":625,"date":"2015-10-18T14:38:00","date_gmt":"2015-10-18T06:38:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=625"},"modified":"2023-11-04T14:48:44","modified_gmt":"2023-11-04T06:48:44","slug":"filesystem-ntfs","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/625","title":{"rendered":"FileSystem NTFS"},"content":{"rendered":"\n

limit of NTFS<\/strong>
limit of volume size is 16EB
limit of a file size is 16TB<\/p>\n\n\n\n

clutser<\/strong>
windows \u7684\u78c1\u789f\u55ae\u4f4d<\/p>\n\n\n\n

cluster size in different volume size<\/strong>
1 sector(0.5KB):volume size is smaller than 0.5GB
2 sector(1KB):volume size is 0.5~1GB
4 sector(2KB):volume size is 1~2GB
8 sector(4KB): volume size is greater than 2GB<\/p>\n\n\n\n

NTFS system File<\/strong>
include below:
$attrdef – \u5305\u542b\u6240\u6709\u5b9a\u7fa9\u7684\u5c6c\u6027\u8cc7\u6599
$badclus – \u6a19\u793a\u51fa\u6240\u6709bad clusters
$bitmap – \u5305\u542b\u6240\u6709\u503c\u7684bitmap
$boot – \u5305\u542b\u8d77\u52d5\u8cc7\u6599Bootstrap
$logfile – \u7528\u4f86\u505a\u9084\u539f\u7684\u7528\u9014 (\u7b2c\u4e09\u500bMFT)
$mft – \u5305\u542b\u6bcf\u500b\u6a94\u6848\u7684\u7d00\u9304
$mftmirr – MFT\u7684\u6620\u5c04\u6a94
$quota – \u6bcf\u500b\u4f7f\u7528\u8005\u7684quota
$upcace – \u5c07char\u8f49\u6210uppercase unicode
$volume -\u5305\u542b\u540d\u7a31\u8207\u7248\u672c<\/p>\n\n\n\n

refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view
…<\/p>\n\n\n\n

PBS(Partition boot sector)<\/strong>
first 16 sectors to the boot sectors
sector 1: boot sector with a “bootstrap” code
sectors 2~16: boot sector’s IPL (initial program loader)
refer
http:\/\/ntfs.com\/ntfs-partition-boot-sector.htm<\/p>\n\n\n\n

sector 1 structure as below<\/strong>
0x00, 3byte, jump instruction
0x03, 8byte, OEM ID
0x0B, 25byte, BPB
0x24, 48byte, Extended BPB
0x54, 426byte, Bootstrap Code
0x01FE, 1 word(2byte), end of sector marker<\/p>\n\n\n\n

…<\/p>\n\n\n\n

MFT(Master File Table)<\/strong>
all file, directory and metafile data In NTFS<\/p>\n\n\n\n

MFT table attribute<\/strong>
header
standard information attribute(attribute10)
filename attribute(attribute30)
data attribute(attribute80)
security descriptor (if the file configure security paramater)<\/p>\n\n\n\n

…<\/p>\n\n\n\n

MACB timestamps under NTFS<\/strong>
m :modification time, it is last written time in Win
a :access time
c :change time, it is nfs attribution modified time in Win
b :birth time
ps:FAT use MAB timestamps
refer
https:\/\/en.wikipedia.org\/wiki\/MAC_times<\/p>\n\n\n\n

…<\/p>\n\n\n\n

NTFS feature
data size<\/strong>
\u3000if data is small, data will only record in data attribute
\u3000if data is big , data will record in cluster
different modified time(ctime) in below<\/strong>
\u3000standard information attribute
\u3000filename attribute
ADS(alternate data stream)<\/strong>
data stream file can be made by colon( : )
\u4e00\u500bfile\u53ef\u4ee5\u639b\u591a\u500bADS file\uff0c\u800c\u4e14\u4e0d\u9700\u8981\u540c\u6a23\u7684\u985e\u578b
\u5728\u4e00\u4e9bupdate\u524d,\u82e5\u57f7\u884cADS file\u53ea\u6703\u5728\u5de5\u4f5c\u7ba1\u7406\u54e1\u4e0a\u770b\u5230\u4e00\u822cfile,\u4f46\u5be6\u969b\u57f7\u884c\u7684\u662fADS file
ex:
\u5c07aa.txt\u639b\u5728bi.txt\u4e0b
>echo Hello > c:dumpbi.txt:aa.txt
>dir c:dump
no display anything
>dir c:dump \/r
bi.txt:aa.txt
> more c:dumpbi.txt:aa.txt
hello
ps
that mean attribute$80(data atribute) repeat and repeat
slack file<\/strong>
information can be write in slack space for hidden secret<\/p>\n\n\n\n

…<\/p>\n\n\n\n

EFS(encrypting file systems)<\/strong>
encryption technology on NTFS
public key(certificate of EFS) is in directory of user profile
domain admin can recovery key when domain user’s key lost
backup key is in DRF(data recovery fields) attribute of EFS, and only domain admin can enable
ps:
encrypted file only work on NTFS, not work on other file system
ex:
if encrypted file was copied to the floppy disk, it was automatically unencrypted
refer
http:\/\/www.cc.ntu.edu.tw\/chinese\/epaper\/0023\/20121220_2305.html<\/p>\n\n\n\n


recovery tool for EFS:<\/strong>
advanced EFS data recovery
EFS key<\/p>\n\n\n\n

refer
http:\/\/blog.csdn.net\/fjb2080\/article\/details\/5617111<\/p>\n\n\n\n


…<\/p>\n\n\n\n

NTFS\u7684\u522a\u9664\u6a94\u6848\u6b65\u9a5f<\/strong>
1.\u5c07Cluster\u6a19\u793a\u70ba\u53ef\u7528
2.MFT attribute $BITMAP\u88ab\u66f4\u65b0
3.MFT\u4e2d\u7684file Attribute\u88ab\u6a19\u793a\u70ba\u53ef\u7528
4.Linking Inode\u6703\u88abMFT\u79fb\u9664
5.\u5230cluster\u7684links\u6703\u88ab\u522a\u9664
refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view<\/p>\n\n\n\n

………………………………………………….<\/p>\n\n\n\n

ps:
windows basic disk<\/strong>
\u5927\u90e8\u5206\u7684\u500b\u4eba\u96fb\u8166\u90fd\u6703\u8a2d\u5b9a\u70ba\u57fa\u672c\u78c1\u789f\uff0c\u6700\u5bb9\u6613\u7ba1\u7406
\u50b3\u7d71\u529f\u80fd
\u56db\u500b\u4e3b\u8981\u78c1\u789f\u5206\u5272
\u4e09\u500b\u4e3b\u8981\u78c1\u789f\u5206\u5272\u548c\u4e00\u500b\u5ef6\u4f38\u78c1\u789f\u5206\u5272\uff0c\u5ef6\u4f38\u78c1\u789f\u5206\u5272\u53ef\u4ee5\u5305\u542b\u6700\u591a128\u500b\u908f\u8f2f\u78c1\u789f\u6a5f
\u57fa\u672c\u78c1\u789f\u4e0a\u7684\u6bcf\u500b\u78c1\u789f\u5206\u5272\u90fd\u662f\u78c1\u789f\u4e0a\u7684\u7368\u7acb\u500b\u9ad4\u3002
windows dynamic disk<\/strong>
\u57fa\u672c\u529f\u80fd
\u5927\u7d042000\u500b\u50cf\u78c1\u789f\u5206\u5272\u4e00\u6a23\u7684\u52d5\u614b\u78c1\u5340
\u652f\u63f4\u4ee5\u4e0b\u9032\u968e\u529f\u80fd
\u3000\u8de8\u8ddd: \u591a\u500b\u52d5\u614b\u786c\u789f\u7d50\u5408\u70ba\u55ae\u4e00\u52d5\u614b\u78c1\u789f\u5340
\u3000\u7b49\u91cf: \u5c07\u8cc7\u6599\u5206\u6563\u5132\u5b58\u5728\u6578\u9846\u786c\u789f
\u3000\u93e1\u50cf:\u7522\u751f\u8cc7\u6599\u8907\u672c\u4e26\u5132\u5b58\u5728\u6578\u9846\u786c\u789f
ps:
dynamic disk is complex, so the partition should never be deleted for preventing disk corrupting during forensics investigation
refer
http:\/\/windows.microsoft.com\/zh-tw\/windows-vista\/what-are-basic-and-dynamic-disks<\/p>\n","protected":false},"excerpt":{"rendered":"

limit of NTFSlimit of volume s …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[18],"tags":[],"class_list":["post-625","post","type-post","status-publish","format-standard","hentry","category-windows"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=625"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/625\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}