
System Programming Course Code: CS609

Cs609@vu.edu.pk

Lecture # 39

The following slide shows the anatomy of an NTFS-based system. The FAT and root
directory have been replaced by the MFT. There will generally be two copies of it; the
other copy is a mirror image of the original. The rest of the blocks are reserved for user
data. In the middle of the volume is a copy of the first 16 MFT records, which are very
important to the system.

[Figure: NTFS volume layout. Labels: Boot Block, MFT, User Data, Copy of First 16 MFT records, User Data, MFT (Mirror)]

Virtual University of Pakistan 59



The following slides show the boot sector structure for an NTFS-based system.

NTFS General Boot Sector Structure

Byte Offset   Field Length   Field Name
0x00          3 bytes        Jump Instruction
0x03          LONGLONG       OEM ID
0x0B          25 bytes       BPB
0x24          48 bytes       Extended BPB
0x54          426 bytes      Bootstrap Code
0x01FE        WORD           End of Sector Marker


The following slide shows a sample of the boot block dump. The following slides depict
various parameters placed in the Boot block.

Sample of NTFS Boot Block


Physical Sector:Cyl 0, Side 1, Sector 1
00000000:EB 52 90 4E 54 46 53 20 -20 20 20 00 02 08 00 00 .R.NTFS ........
00000010:00 00 00 00 00 F8 00 00 -3F 00 FF 00 3F 00 00 00 ........?...?...
00000020:00 00 00 00 80 00 80 00 -4A F5 7F 00 00 00 00 00 ........J.......
00000030:04 00 00 00 00 00 00 00 -54 FF 07 00 00 00 00 00 ........T.......
00000040:F6 00 00 00 01 00 00 00 -14 A5 1B 74 C9 1B 74 1C ...........t..t.
00000050:00 00 00 00 FA 33 C0 8E -D0 BC 00 7C FB B8 C0 07 .....3.....|....
00000060:8E D8 E8 16 00 B8 00 0D -8E C0 33 DB C6 06 0E 00 ..........3.....
00000070:10 E8 53 00 68 00 0D 68 -6A 02 CB 8A 16 24 00 B4 ..S.h..hj....$..
00000080:08 CD 13 73 05 B9 FF FF -8A F1 66 0F B6 C6 40 66 ...s......f...@f
00000090:0F B6 D1 80 E2 3F F7 E2 -86 CD C0 ED 06 41 66 0F .....?.......Af.
000000A0:B7 C9 66 F7 E1 66 A3 20 -00 C3 B4 41 BB AA 55 8A ..f..f. ...A..U.
000000B0:16 24 00 CD 13 72 0F 81 -FB 55 AA 75 09 F6 C1 01 .$...r...U.u....
000000C0:74 04 FE 06 14 00 C3 66 -60 1E 06 66 A1 10 00 66 t......f`..f...f
000000D0:03 06 1C 00 66 3B 06 20 -00 0F 82 3A 00 1E 66 6A ....f;. ...:..fj
000000E0:00 66 50 06 53 66 68 10 -00 01 00 80 3E 14 00 00 .fP.Sfh.....>...
000000F0:0F 85 0C 00 E8 B3 FF 80 -3E 14 00 00 0F 84 61 00 ........>.....a.
00000100:B4 42 8A 16 24 00 16 1F -8B F4 CD 13 66 58 5B 07 .B..$.......fX[.
00000110:66 58 66 58 1F EB 2D 66 -33 D2 66 0F B7 0E 18 00 fXfX..-f3.f.....
00000120:66 F7 F1 FE C2 8A CA 66 -8B D0 66 C1 EA 10 F7 36 f......f..f....6
00000130:1A 00 86 D6 8A 16 24 00 -8A E8 C0 E4 06 0A CC B8 ......$.........
00000140:01 02 CD 13 0F 82 19 00 -8C C0 05 20 00 8E C0 66 ........... ...f
00000150:FF 06 10 00 FF 0E 0E 00 -0F 85 6F FF 07 1F 66 61 ..........o...fa
00000160:C3 A0 F8 01 E8 09 00 A0 -FB 01 E8 03 00 FB EB FE ................
00000170:B4 01 8B F0 AC 3C 00 74 -09 B4 0E BB 07 00 CD 10 .....<.t........
00000180:EB F2 C3 0D 0A 41 20 64 -69 73 6B 20 72 65 61 64 .....A disk read
00000190:20 65 72 72 6F 72 20 6F -63 63 75 72 72 65 64 00 error occurred.
000001A0:0D 0A 4E 54 4C 44 52 20 -69 73 20 6D 69 73 73 69 ..NTLDR is missi
000001B0:6E 67 00 0D 0A 4E 54 4C -44 52 20 69 73 20 63 6F ng...NTLDR is co
000001C0:6D 70 72 65 73 73 65 64 -00 0D 0A 50 72 65 73 73 mpressed...Press
000001D0:20 43 74 72 6C 2B 41 6C -74 2B 44 65 6C 20 74 6F Ctrl+Alt+Del to
000001E0:20 72 65 73 74 61 72 74 -0D 0A 00 00 00 00 00 00 restart........
000001F0:00 00 00 00 00 00 00 00 -83 A0 B3 C9 00 00 55 AA ..............U.

Sector Per Cluster =0008

MFT File Cluster # =00000004
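
The following C code is an added example, not part of the original handout. It parses a boot sector such as the one dumped above, treats it as untrusted input, and sanity-checks the fields before using them in arithmetic. The names `ntfs_boot_info`, `rd_le` and `ntfs_parse_boot` are hypothetical, and the field offsets inside the BPB and Extended BPB (0x0B, 0x0D, 0x28, 0x30, 0x38) are assumed from the standard NTFS layout rather than listed in the table above.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: bytes 0x00-0x3F and the end marker copied from the dump; the rest is zeroed. */
static const uint8_t sample_sector[512] = {
    0xEB,0x52,0x90,0x4E,0x54,0x46,0x53,0x20,0x20,0x20,0x20,0x00,0x02,0x08,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0xF8,0x00,0x00,0x3F,0x00,0xFF,0x00,0x3F,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x80,0x00,0x80,0x00,0x4A,0xF5,0x7F,0x00,0x00,0x00,0x00,0x00,
    0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x54,0xFF,0x07,0x00,0x00,0x00,0x00,0x00,
    [0x1FE] = 0x55, [0x1FF] = 0xAA };

typedef struct {                  /* hypothetical names; offsets assumed from the NTFS BPB layout */
    uint16_t bytes_per_sector;    /* 0x0B, WORD */
    uint8_t  sectors_per_cluster; /* 0x0D, BYTE */
    uint64_t total_sectors;       /* 0x28, LONGLONG */
    uint64_t mft_lcn;             /* 0x30, cluster number of the MFT */
    uint64_t mft_mirror_lcn;      /* 0x38, cluster number of the MFT mirror */
    uint64_t mft_byte_offset;     /* derived: byte offset of the MFT in the volume */
} ntfs_boot_info;

static uint64_t rd_le(const uint8_t *p, int n) {  /* n-byte little-endian read */
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

int ntfs_parse_boot(const uint8_t s[512], ntfs_boot_info *o) {  /* 0 = ok, <0 = rejected */
    if (memcmp(s + 0x03, "NTFS    ", 8) != 0) return -1;  /* OEM ID at 0x03 */
    if (s[0x1FE] != 0x55 || s[0x1FF] != 0xAA) return -2;  /* end of sector marker */
    uint16_t bps = o->bytes_per_sector = (uint16_t)rd_le(s + 0x0B, 2);
    o->sectors_per_cluster = s[0x0D];
    o->total_sectors       = rd_le(s + 0x28, 8);
    o->mft_lcn             = rd_le(s + 0x30, 8);
    o->mft_mirror_lcn      = rd_le(s + 0x38, 8);
    if (bps < 512 || (bps & (bps - 1)) != 0) return -3;   /* must be a power of two */
    if (o->sectors_per_cluster == 0) return -4;           /* avoids division by zero */
    if (o->total_sectors > UINT64_MAX / bps) return -5;   /* volume size would overflow */
    uint64_t clusters = o->total_sectors / o->sectors_per_cluster;
    if (o->mft_lcn >= clusters || o->mft_mirror_lcn >= clusters) return -6;
    o->mft_byte_offset = o->mft_lcn * o->sectors_per_cluster * bps;
    return 0;
}

int main(void) {
    ntfs_boot_info b;
    if (ntfs_parse_boot(sample_sector, &b) != 0) return 1;
    printf("MFT cluster %" PRIu64 ", byte offset %" PRIu64 "\n", b.mft_lcn, b.mft_byte_offset);
    return 0;
}
```

For this sector the mirror cluster number (0x7FF54) is half the cluster count (0xFFEA9), which matches the copy of the first 16 MFT records sitting in the middle of the volume.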

The first 16 entries of the MFT are reserved. The rest of the entries are used for user files.
There is an entry for each file in the MFT. The way a file is managed can differ
depending on the size of the file.


[Figure: MFT Internal Structure. Entries shown: MFT, Log File, Small File Record, Large File Record, Small Directory Record]

The following slide shows the details of the first 16 system entries within the MFT.
