NTFS文件系统规范(四)

 

$SDS 数据流

Offset
Size
Description
0x00
4
Hash of Security Descriptor
0x04
4
Security Id
0x08
8
Offset of this entry in this file
0x10
4
Size of this entry
0x04
V
Self-relative Security Descriptor
V+0x04
P16
Padding

Offset
Size
Value
Description
 
~
~
~
Standard Index Header
 
0x00
2
0x18
Offset to data
 
0x02
2
0x14
Size of data
 
0x04
4
0x00
Padding
 
0x08
2
0x30
Size of Index Entry
 
0x0A
2
0x08
Size of Index Key
 
0x0C
2
 
Flags
 
0x0E
2
0x00
Padding
 
0x10
4
 
Key
Hash of Security Descriptor
0x14
4
 
Key
Security Id
0x18
4
 
Data
Hash of Security Descriptor
0x1C
4
 
Data
Security Id
0x20
8
 
Data
Offset to Security Descriptor (in $SDS)
0x28
4
 
Data
Size of Security Descriptor (in $SDS)
0x2C
P8
 
Data
Padding

 

Offset
Size
Value
Description
 
~
~
~
Standard Index Header
 
0x00
2
0x14
Offset to data
 
0x02
2
0x14
Size of data
 
0x04
4
0x00
Padding
 
0x08
2
0x28
Size of Index Entry
 
0x0A
2
0x04
Size of Index Key
 
0x0C
2
 
Flags
 
0x0E
2
0x00
Padding
 
0x10
4
 
Key
Security Id
0x14
4
 
Data
Hash of Security Descriptor
0x18
4
 
Data
Security Id
0x1C
8
 
Data
Offset to Security Descriptor (in $SDS)
0x24
4
 
Data
Size of Security Descriptor (in $SDS)

在MFT 文件的属性记录集

Type
Description
Name
0x10
$STANDARD_INFORMATION
 
0x30
$FILE_NAME
$UpCase
0x80
$DATA
[Unnamed]

 
This is a directory containing the Metadata files: $ObjId, $Quota, $Reparse and $UsnJrnl.
 

Type
Description
Name
0x10
$STANDARD_INFORMATION
 
0x30
$FILE_NAME
$Extend
0x90
$INDEX_ROOT
$I30

 

This system file is an index of all the $OBJECT_ID Attributes in use on the volume.
 
Type
Description
Name
0x10
$STANDARD_INFORMATION
 
0x30
$FILE_NAME
$ObjId
0x90
$INDEX_ROOT
$O
0xA0
$INDEX_ALLOCATION
$O
0xB0
$BITMAP
$O
 

Offset
Size
Value
Description
 
~
~
~
Standard Index Header
 
0x00
2
0x20
Offset to data
 
0x02
2
0x38
Size of data
 
0x04
4
0x00
Padding
 
0x08
2
0x58
Size of Index Entry
 
0x0A
2
0x10
Size of Index Key
 
0x0C
2
 
Flags
 
0x0E
2
0x00
Padding
 
0x10
16
 
Key
GUID Object Id
0x20
8
 
Data
MFT Reference
0x28
16
 
Data
GUID Birth Volume Id
0x38
16
 
Data
GUID Birth Object Id
0x48
16
 
Data
GUID Domain Id

 Flags

Flag
Description
0x01
Entry has subnodes
0x02
Last Entry

 

Type
Description
Name
0x10
$STANDARD_INFORMATION
 
0x30
$FILE_NAME
$Quota
0x90
$INDEX_ROOT
$O
0x90
$INDEX_ROOT
$Q
0xA0
$INDEX_ALLOCATION
$O
0xA0
$INDEX_ALLOCATION
$Q
0xB0
$BITMAP
$O
0xB0
$BITMAP
$Q

 
Offset
Size
Value
Description
 
~
~
~
Standard Index Header
 
0x00
2
0x1C
Offset to data
 
0x02
2
0x04
Size of data
 
0x04
4
0x00
Padding
 
0x08
2
0x20
Size of Index Entry
 
0x0A
2
0x0C
Size of Index Key (K)
 
0x0C
2
 
Flags
 
0x0E
2
0x00
Padding
 
0x10
K
 
Key
SID
K+0x10
4
 
Data
Owner Id
K+0x14
P
 
Data
Padding8
 
 
 
本站域名:www.mrtlab.com | 站长QQ:334654353 | QQ交流群:250649022 | 备案:鄂ICP备11013447号
MRT数据恢复网,专业的硬盘固件维修与数据恢复技术资料提供站!
Copyright 2003-2013 Powered By MrtLab