3.2 $MFTMirr The MFTMirr table.
3.3.2 Log buffer
Log buffer header
Offset Length Content Comments
0 4 Magic number ‘RCRD’ [LÖWIS /logrecord.html] 4 2 Offset to fixups
6 2 Number of fixups
8 8 Last LSN of last entry in this block
10 8 Unknown
18 2 In use length of block
1a 6 Unknown
20 8 First LSN of last entry in this block
3.3.3 Transaction records
Structure of transaction records
Transaction record header Checkpoint
record header
Transaction record data
Update record Other Transaction
committed record
Table header Transaction table
entries
Dirty page table entries
Transaction record header
Offset Length Content Commentss
0 8 LSN Of this entry
8 8 LSN Of previous entry
10 8 LSN Of previous entry
18 8 Length of data
20 4 Log entry type Decides what entry data type.
20 4 Unknown
28 8 Entry continues in next buffer 1 if true, 0 if false
Why do LSN at both 0x08 and 0x10 exist? Both are not always present. LSN at 0x0 is always present. LSN at 0x8 is mostly present. LSN at 0x10 is only present when both LSN at 0x0 and at 0x8 is present.
Offset 0x20 Type of record
1 Transaction record or table
2 Checkpoint record
Checkpoint record data (Type = 0x02)
Offset Length Content Comments
0 8 LSN (i) Never observed
8 8 LSN (ii) Previous checkpoint record 10 8 LSN (iii) Previous transaction table
18 8 LSN (iv)
20 8 LSN (v) Previous dirty page table 28 4 Length (i) Never observed
2a 4 Length (ii) Always zero
30 4 Length (iii) Previous transaction table
34 4 Length (iv)
38 4 Length (v) Previous dirty page table
3a 4 Unkown
Transaction record data (Type = 0x01) (For update records and tables)
Offset Length Content Comments
0 2 Flag
2 2 Unknown
4 2 Offset to redo data 6 2 Length of redo data 8 2 Offset to undo data a 2 Length of undo data
c 2 Unknown
e 2 Number of clusters involved = N 10 2 This attribute starts at
12 2 Offset in this attribute
14 2 Start sector of file in cluster Used when not all of the cluster belongs to this file
16 2 Unknown
18 8 Cluster in MFT record 0 if no MFT record
Flag at offset 0x00
Value Explanation
1b Unknown, but special 1c Unknown, but special
1d Transaction table 1e Unknown, but special 1f Dirty page table other Update record
For the ones that are noted as "Unknown, but special" the structure do not fit into any of the other tables or records.
If transaction record represents a normal write to disk the data part is followed by first a list of involved clusters, then the redo data and last the undo data. All specified by the offsets above. When finding the exact data in the attribute the logging mechanism seems to use the undo information to find the parts that need to be changed. If no undo information is present then the offset in attribute field is used.
When the offset and length of the redo and undo data are exactly the same the data is a bit pattern. The first four bytes are the bit offset and the next four bytes are the bit pattern to be set. The fields at offset 0x00 and 0x02 seems to be set to 0x15 and 0x16 respectively.
The meaning of the data when the offset at 0x00 is 1b, 1c and 1e is unknown. 1b could be a transaction committed record, but a lot is very unclear here.
Table header (Flag = 0x1d, 0x1f)
Offset Length Content Comments
0 8 Identifier
8 2 Counter difference The difference that is used at the counting sequence at the end
a 2 Unknown
c 2 Number of entries
e 6 Unknown
14 4 Start marker definition Always 0xffffffff 18 4 Start counting at
1a 4 Stop counting at
All table entries start with the start marker. (The only value that I have observed is 0xffffffff)
Transaction table
A transaction table stores the transactions that have not yet been committed in transaction table entries. The data part following the table header contains a number of these. The rest is filled with number counting as stated in the table header.
Transaction table entry (Flag = 0x1d)
Offset Length Content Comments 0 4 Some strange number
4 8 File reference
c c Unknown
18 4 Attribute number
1c c Unknown
Dirty page table
The dirty page table uses dirty page table entries to keep track of the pages in the cache that have not yet been written to disk. Each entry contains the pages changed by one suboperation. The rest of the data part is filled with numbers with the interval stated in the table header.
Dirty page table entry (Flag = 0x1f)
0 4 See update record 0x0c
4 c Unknown
10 8 See update record 0x18
18 8 LSN that affected the following clusters
20 8 Cluster 28 8 Cluster * 30 8 Cluster * 38 8 Cluster * 40 8 Cluster * 48 8 Cluster * 50 8 Cluster * 58 8 Cluster *
* If less than eight clusters are affected the number are simply set to zero.
3.4 $Volume
The data attribute contains no data.
3.5 $AttrDef
The data is a list of all the attributes the NTFS can use.
Description of attribute
Offset Length Content Comments
0 80 Name in Unicode Probably terminated with 0000
80 8 Type
88 8 Flags See below
90 8 Minimum allowed size 98 8 Maximum allowed size
Flags
Value Signification
0000 0001 0000 0000 Indexable?
0000 0040 0000 0000 Need to be regenerated during the regeneration phase 0000 0080 0000 0000 May be non-resident
The list is probably terminated with an attribute with the name starting with 0000.
3.6 . (root directory)
Contains no data. All information about the root directory is stored in the attributes ($INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP).
3.7 $Bitmap
Maps the clusters that are allocated (not necesary in use) on the disk. These cluster are marked with ones (1) and those not in use are marked with zeroes (0). Each byte on the disk stores 8 clusters (one per bit).
The data attribute of this file does not store anything. Bad clusters on the disk are allocated to this file, so any other file won’t use them.
3.9 $Boot
The data attribute of the $Boot file is always located at cluster 0 on the disk, and is more commonly known as the boot sector. A copy of the first 200 bytes is stored at the last 200 bytes of the disk.
Boot sector data [LÖWIS /Boot.html]
Offset Length Content Comments
0 3 Jump to boot routine
3 4 Magic number 'NTFS' ASCII
7 4 Unused
b 2 Block size Bytes
d 1 Cluster factor e 2 Reserved sectors
10 5 Unused
15 1 Media type See below
16 2 Unused
18 2 Sectors per track
1a 2 Number of heads 1c 4 Hidden sectors 20 4 Unused 24 2 Unknown Set to 80 26 2 Unknown Set to 80 28 8 Number of sectors 30 8 MFT cluster 38 8 MFTMirr cluster 40 1 MFT clusters per record 44 4 Clusters per index buffer 48 4 Volume serial number
4c 4 Unknown
50 d Unused
5d 1a1 Boot routine
1fe 2 Magic boot sector ID 'AA55'
200 ? More code Probably NT kernal loader
Media type [LÖWIS /Boot.html] type signification
f0 floppy f8 hard disk
3.10 $Quota
Contains no data since it is not used before NT5.0.
3.11 $UpCase
Upcase data [LÖWIS /upcase.html]
Offset Length Content Comments
2*i 2 the upper case version of Unicode character i
web hosting • domain names web design • online games