$Quota $Q index entry

Offset | Size | Value | Description
-------|------|-------|------------
~ | ~ | ~ | Standard Index Header
0x00 | 2 | 0x14 | Offset to data
0x02 | 2 |  | Size of data
0x04 | 4 | 0x00 | Padding
0x08 | 2 |  | Size of Index Entry
0x0A | 2 | 0x04 | Size of Index Key
0x0C | 4 | 0x00 | Padding
0x10 | 4 |  | Key: Owner Id
0x14 | 4 | 0x02 | Data: Version
0x18 | 4 |  | Data: Flags
0x1C | 8 |  | Data: Bytes Used
0x24 | 8 |  | Data: Change Time
0x2C | 8 |  | Data: Warning Limit
0x34 | 8 |  | Data: Hard Limit
0x3C | 8 |  | Data: Exceeded Time
0x44 | V |  | Data: SID
V+0x44 | P | 0x00 | Data: Padding (align to 8 bytes)
|
Flag | Description
-----|------------
0x0001 | Default Limits
0x0002 | Limit Reached
0x0004 | Id Deleted
0x0010 | Tracking Enabled
0x0020 | Enforcement Enabled
0x0040 | Tracking Requested
0x0080 | Log Threshold
0x0100 | Log Limit
0x0200 | Out Of Date
0x0400 | Corrupt
0x0800 | Pending Deletes
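A parser for the $Q index entry and its flags word, added here as an illustration (this code is not part of the original page). It reads the index entry header, the Owner Id key and the quota data block, converts the FILETIME fields, treats a limit of 0xFFFFFFFFFFFFFFFF as "no limit", and decodes the trailing SID when the data size is larger than the fixed 0x30 bytes. The sample entry (owner id 0x102, a made-up SID) is constructed in build_sample_entry() and is not taken from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# Quota flag bits, as listed in the flags table above.
QUOTA_FLAGS = {
    0x0001: "Default Limits", 0x0002: "Limit Reached", 0x0004: "Id Deleted",
    0x0010: "Tracking Enabled", 0x0020: "Enforcement Enabled",
    0x0040: "Tracking Requested", 0x0080: "Log Threshold", 0x0100: "Log Limit",
    0x0200: "Out Of Date", 0x0400: "Corrupt", 0x0800: "Pending Deletes",
}
NO_LIMIT = 0xFFFFFFFFFFFFFFFF          # a limit of -1 means "no limit"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_sid(buf):
    """Binary SID -> 'S-R-A-S1-...': revision, 48-bit authority, sub-authorities."""
    revision, count = buf[0], buf[1]
    if len(buf) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_quota_entry(buf, off=0):
    """Parse one $Quota:$Q index entry that starts at buf[off]."""
    data_off, data_len, _, entry_len, key_len = struct.unpack_from("<HHIHH", buf, off)
    if key_len != 4:
        raise ValueError("unexpected key size %d for a $Q entry" % key_len)
    if off + entry_len > len(buf) or data_off + data_len > entry_len or data_len < 0x30:
        raise ValueError("index entry at 0x%x does not fit" % off)
    owner_id = struct.unpack_from("<I", buf, off + 0x10)[0]
    d = off + data_off
    version, flags, used, changed, warn, hard, exceeded = struct.unpack_from("<IIQQQQQ", buf, d)
    sid_bytes = buf[d + 0x30:d + data_len]   # SID follows the fixed 0x30-byte part of the data
    return {
        "owner_id": owner_id,
        "version": version,
        "flags": decode_flags(flags, QUOTA_FLAGS),
        "bytes_used": used,
        "change_time": filetime_to_datetime(changed),
        "warning_limit": None if warn == NO_LIMIT else warn,
        "hard_limit": None if hard == NO_LIMIT else hard,
        "exceeded_time": filetime_to_datetime(exceeded) if exceeded else None,
        "sid": parse_sid(sid_bytes) if sid_bytes else None,   # default entries carry no SID
        "entry_size": entry_len,
    }


def build_sample_entry():
    """Constructed $Q entry for owner id 0x102 (sample data, not from a real volume)."""
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1001)
    data = struct.pack("<IIQQQQQ", 2, 0x0031, 12_345_678,
                       133170048000000000,      # 2023-01-01 00:00:00 UTC
                       1 << 30, NO_LIMIT, 0) + sid
    body_len = 0x14 + len(data)
    entry_len = (body_len + 7) & ~7               # index entries are 8-byte aligned
    hdr = struct.pack("<HHIHHI", 0x14, len(data), 0, entry_len, 4, 0)
    return hdr + struct.pack("<I", 0x102) + data + b"\0" * (entry_len - body_len)


if __name__ == "__main__":
    for k, v in parse_quota_entry(build_sample_entry()).items():
        print("%-14s %s" % (k, v))
```

The entry size, not the data size, is what advances the cursor when walking a whole index node, since the data is followed by alignment padding; the bounds checks reject an entry whose data would spill past its own declared size.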
|
$Reparse
Attribute records in the MFT file

Type | Description | Name
-----|-------------|-----
0x10 | $STANDARD_INFORMATION |
0x30 | $FILE_NAME | $Reparse
0x90 | $INDEX_ROOT | $R
0xA0 | $INDEX_ALLOCATION | $R
0xB0 | $BITMAP | $R
|
$Reparse $R index entry

Offset | Size | Value | Description
-------|------|-------|------------
~ | ~ | ~ | Standard Index Header
0x00 | 2 | 0x1C | Offset to data
0x02 | 2 | 0x00 | Size of data
0x04 | 4 | 0x00 | Padding
0x08 | 2 | 0x20 | Size of Index Entry
0x0A | 2 | 0x0C | Size of Index Key
0x0C | 2 |  | Flags
0x0E | 2 | 0x00 | Padding
0x10 | 4 |  | Key: Reparse Tag (and Flags)
0x14 | 8 |  | Key: MFT Reference of Reparse Point
0x1C | 4 | 0x00 | Key: Padding (align to 8 bytes)
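An added example (not code from the original page) that walks the entries of one $R index node using the layout above: it advances by "Size of Index Entry", stops at the entry whose flags carry the end-of-node bit, and splits each key into the reparse tag and the MFT reference (low 48 bits record number, high 16 bits sequence number). The tag decoding (bit 31 Microsoft tag, bit 29 name surrogate, low 16 bits tag value) and the two well-known tag values are assumptions of this example, not taken from the page; the index entry flag values 0x01 (sub-node) and 0x02 (last entry) are the standard NTFS index-entry flags. The node in build_sample_node() is constructed sample data.

```python
import struct

INDEX_ENTRY_NODE = 0x01   # entry carries a sub-node VCN in its last 8 bytes
INDEX_ENTRY_END = 0x02    # last entry of the node: no key, terminates the walk

# Assumed well-known tag values (not listed on this page).
KNOWN_REPARSE_TAGS = {
    0xA0000003: "IO_REPARSE_TAG_MOUNT_POINT",
    0xA000000C: "IO_REPARSE_TAG_SYMLINK",
}


def split_mft_reference(ref):
    """8-byte MFT reference: low 48 bits record number, high 16 bits sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def describe_reparse_tag(tag):
    """Decode the tag word: bit 31 = Microsoft tag, bit 29 = name surrogate, low 16 bits = value."""
    return {
        "tag": tag,
        "name": KNOWN_REPARSE_TAGS.get(tag, "unknown"),
        "microsoft": bool(tag & 0x80000000),
        "name_surrogate": bool(tag & 0x20000000),
        "value": tag & 0xFFFF,
    }


def walk_reparse_index_node(buf, off=0):
    """Return the $R entries of one index node, in on-disk order, stopping at the end entry."""
    entries = []
    while off + 0x10 <= len(buf):
        data_off, data_len, _, entry_len, key_len, flags = struct.unpack_from("<HHIHHH", buf, off)
        if entry_len < 0x10 or entry_len % 8 or off + entry_len > len(buf):
            raise ValueError("corrupt index entry at 0x%x" % off)
        if flags & INDEX_ENTRY_END:
            break                              # the end entry has no key
        if key_len != 0x0C:
            raise ValueError("unexpected key size %d at 0x%x" % (key_len, off))
        tag, ref = struct.unpack_from("<IQ", buf, off + 0x10)
        record, seq = split_mft_reference(ref)
        entry = {"reparse": describe_reparse_tag(tag), "mft_record": record, "sequence": seq}
        if flags & INDEX_ENTRY_NODE:
            entry["subnode_vcn"] = struct.unpack_from("<Q", buf, off + entry_len - 8)[0]
        entries.append(entry)
        off += entry_len
    else:
        raise ValueError("index node ended without an end entry")
    return entries


def build_sample_node():
    """Constructed node: two entries plus the end entry (sample data, not from a real volume)."""
    def entry(tag, record, seq):
        hdr = struct.pack("<HHIHHHH", 0x1C, 0, 0, 0x20, 0x0C, 0, 0)
        return hdr + struct.pack("<IQI", tag, (seq << 48) | record, 0)   # key + 4 bytes padding
    end = struct.pack("<HHIHHHH", 0x10, 0, 0, 0x10, 0, INDEX_ENTRY_END, 0)
    return entry(0xA0000003, 0x1234, 7) + entry(0xA000000C, 0x5678, 2) + end


if __name__ == "__main__":
    for e in walk_reparse_index_node(build_sample_node()):
        print("%-28s record %d seq %d" % (e["reparse"]["name"], e["mft_record"], e["sequence"]))
```

Because $R indexes every reparse point on the volume by tag and MFT reference, walking it is a quick way to enumerate all mount points and symbolic links without trusting directory listings; the same walk, with a different key layout, applies to any other NTFS index node.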
|
$UsnJrnl
Attribute records in the MFT file

Type | Description | Name
-----|-------------|-----
0x10 | $STANDARD_INFORMATION |
0x30 | $FILE_NAME | $UsnJrnl
0x80 | $DATA | $J
0x80 | $DATA | $Max
|
$J stream: USN record structure

Offset | Size | Description
-------|------|------------
0x00 | 4 | Size of entry
0x04 | 2 | Major Version
0x06 | 2 | Minor Version
0x08 | 8 | MFT Reference
0x10 | 8 | Parent MFT Reference
0x18 | 8 | Offset of this entry in $J (the USN)
0x20 | 8 | Timestamp (FILETIME)
0x28 | 4 | Reason
0x2C | 4 | SourceInfo
0x30 | 4 | SecurityID
0x34 | 4 | FileAttributes
0x38 | 2 | Size of filename (in bytes)
0x3A | 2 | Offset to filename
0x3C | V | Filename (UTF-16LE)
V+0x3C | P | Padding (align to 8 bytes)
|
$UsnJrnl reason flags

Flag | Description
-----|------------
0x01 | Data in the file or directory was overwritten.
0x02 | The file or directory was added to.
0x04 | The file or directory was truncated.
0x10 | Data in one or more named data streams for the file was overwritten.
0x20 | One or more named data streams for the file were added to.
0x40 | One or more named data streams for the file were truncated.
0x100 | The file or directory was created for the first time.
0x200 | The file or directory was deleted.
0x400 | The user made a change to the file's or directory's extended attributes. These NTFS attributes are not accessible to Windows-based applications.
0x800 | A change was made in the access rights to the file or directory.
0x1000 | The file or directory was renamed, and the file name in this structure is the previous name.
0x2000 | The file or directory was renamed, and the file name in this structure is the new name.
0x4000 | A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. That is, the user changed the file or directory from one that can be content indexed to one that cannot, or vice versa.
0x8000 | A user has either changed one or more file or directory attributes or one or more time stamps.
0x10000 | An NTFS hard link was added to or removed from the file or directory.
0x20000 | The compression state of the file or directory was changed from or to compressed.
0x40000 | The file or directory was encrypted or decrypted.
0x80000 | The object identifier of the file or directory was changed.
0x100000 | The reparse point contained in the file or directory was changed, or a reparse point was added to or deleted from the file or directory.
0x200000 | A named stream has been added to or removed from the file, or a named stream has been renamed.
0x80000000 | The file or directory was closed.
|
$UsnJrnl source info flags

Flag | Description
-----|------------
0x01 | The operation provides information about a change to the file or directory made by the operating system. A typical use is when the Remote Storage system moves data from external to local storage. Remote Storage is the hierarchical storage management software. Such a move usually at a minimum adds the USN_REASON_DATA_OVERWRITE (0x01) flag to a USN record.
0x02 | The operation adds a private data stream to a file or directory. An example might be a virus detector adding checksum information. As the virus detector modifies the item, the system generates USN records. USN_SOURCE_AUXILIARY_DATA (0x02) indicates that the modifications did not change the application data.
0x04 | The operation creates or updates the contents of a replicated file. For example, the file replication service sets this flag when it creates or updates a file in a replicated directory.
|
$Max stream structure

Offset | Size | Description
-------|------|------------
0x00 | 8 | Maximum Size
0x08 | 8 | Allocation Delta
0x10 | 8 | USN ID
0x18 | 8 | Lowest Valid USN
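An added parser for the $J record layout, the reason and source-info flags, and the $Max stream described in the tables above (example code written for this page, not the page's own). It walks a chunk of $J, skips zero-filled regions (the sparse start of the journal and slack before the next 8-byte-aligned record), rejects records that are too small, misaligned or not version 2, and cross-checks each record's self-reported USN against its actual position (given the $J offset of the chunk's first byte), which catches carved or tampered records. rename_pairs() then joins RENAME_OLD_NAME/RENAME_NEW_NAME records of the same MFT record into before/after name pairs. The journal fragment in build_sample_journal() is constructed sample data; the USN_REASON_* and USN_SOURCE_* names are the standard Windows constant names for the bits in the tables.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* bits from the reason-flags table above.
USN_REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
USN_SOURCE = {0x1: "DATA_MANAGEMENT", 0x2: "AUXILIARY_DATA", 0x4: "REPLICATION_MANAGEMENT"}
RECORD_HDR = struct.Struct("<IHHQQQQIIIIHH")   # fixed 0x3C-byte part of a v2 record
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_usn_max(buf):
    """$Max stream: journal size parameters."""
    max_size, alloc_delta, usn_id, lowest = struct.unpack_from("<QQQQ", buf, 0)
    return {"max_size": max_size, "allocation_delta": alloc_delta,
            "usn_id": usn_id, "lowest_valid_usn": lowest}


def parse_usn_journal(buf, base_usn=0):
    """Parse v2 records from a chunk of $J; base_usn is the $J offset of buf[0]."""
    records, off = [], 0
    while off + 8 <= len(buf):
        size = struct.unpack_from("<I", buf, off)[0]
        if size == 0:                  # zero fill: sparse region or slack before the next record
            off += 8
            continue
        if size < RECORD_HDR.size or size % 8 or off + size > len(buf):
            raise ValueError("bad record length 0x%x at 0x%x" % (size, off))
        (_, major, minor, ref, parent, usn, ts, reason, source,
         sec_id, attrs, name_len, name_off) = RECORD_HDR.unpack_from(buf, off)
        if major != 2:
            raise ValueError("only USN_RECORD_V2 is handled, got v%d.%d" % (major, minor))
        if name_off < RECORD_HDR.size or name_off + name_len > size:
            raise ValueError("file name outside record at 0x%x" % off)
        records.append({
            "usn": usn,
            "usn_matches_offset": usn == base_usn + off,   # a carved/tampered record fails this
            "mft_record": ref & 0xFFFFFFFFFFFF, "mft_seq": ref >> 48,
            "parent_record": parent & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_datetime(ts),
            "reason": decode_flags(reason, USN_REASON),
            "source": decode_flags(source, USN_SOURCE),
            "security_id": sec_id, "file_attributes": attrs,
            "name": buf[off + name_off:off + name_off + name_len].decode("utf-16-le"),
        })
        off += size
    return records


def rename_pairs(records):
    """Pair RENAME_OLD_NAME / RENAME_NEW_NAME records of the same MFT record."""
    pairs, pending = [], {}
    for r in records:
        if "RENAME_OLD_NAME" in r["reason"]:
            pending[r["mft_record"]] = r["name"]
        elif "RENAME_NEW_NAME" in r["reason"] and r["mft_record"] in pending:
            pairs.append((pending.pop(r["mft_record"]), r["name"]))
    return pairs


def build_record(usn, ref, parent, ft, reason, name, source=0, attrs=0x20):
    """Serialise one v2 record (used only to construct the sample journal)."""
    name_b = name.encode("utf-16-le")
    size = (RECORD_HDR.size + len(name_b) + 7) & ~7
    hdr = RECORD_HDR.pack(size, 2, 0, ref, parent, usn, ft, reason, source, 0, attrs,
                          len(name_b), RECORD_HDR.size)
    return hdr + name_b + b"\0" * (size - RECORD_HDR.size - len(name_b))


def build_sample_journal(base_usn):
    """Constructed $J fragment: 16 zero bytes, then create/extend+close/rename of one file."""
    ft = 133170048000000000                 # 2023-01-01 00:00:00 UTC
    ref, parent = (3 << 48) | 0x2A, (1 << 48) | 5
    events = [(0x00000100, "evil.exe"), (0x80000102, "evil.exe"),
              (0x00001000, "evil.exe"), (0x00002000, "svchost.exe")]
    out, off = b"\0" * 16, 16
    for reason, name in events:
        rec = build_record(base_usn + off, ref, parent, ft, reason, name)
        out, off = out + rec, off + len(rec)
    return out
```

When reading a real $J, take base_usn from the byte offset at which the chunk was read, or start at the $Max stream's Lowest Valid USN to skip the sparse region entirely; a record whose stored USN does not match its position is worth flagging rather than silently trusting.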
|
When an NTFS volume is initialized, the system first checks the volume type signature in the boot sector; if the signature is not "NTFS    " the volume is not treated as NTFS. It then reads the BPB data in the boot sector to determine the volume layout, reads the file record of $MFT itself, and, following the description in that record, reads $Bitmap and $Root, which are used for allocating and freeing clusters and for directory tree access.
End of partition and backup boot sector
On an NTFS volume, the volume size (BS_TotSec64) stored in the $Boot file is at least one sector smaller than the partition size recorded in the partition table. That sector holds a copy of the first sector of $Boot, and it always lies in the sector immediately after the last sector of the NTFS volume. If the header data of the NTFS volume is damaged, it can be recovered from this backup sector.
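The two checks described above, as an added example (not code from the original page): parse_boot_sector() verifies the "NTFS    " signature and reads BS_TotSec64 and the other BPB fields, check_backup_boot() computes the backup location as BS_TotSec64 sectors from the volume start and compares it with the primary, and recover_boot_sector() takes the opposite direction for a damaged primary, reading the last sector of the partition and accepting it only if it is an NTFS boot sector whose own BS_TotSec64 points back at that position. Offsets are relative to the partition start; on a whole-disk image add the partition's starting LBA. The boot sector field offsets (0x0B bytes per sector, 0x0D sectors per cluster, 0x28 total sectors, 0x30 $MFT cluster, 0x38 $MFTMirr cluster, 0x1FE 0x55AA) are the standard NTFS layout and are assumed here; the 64-sector partition image is constructed sample data.

```python
import struct

SECTOR = 512


def parse_boot_sector(sec):
    """Read the $Boot fields needed to locate the backup; None if this is not an NTFS boot sector."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[0x1FE:0x200] != b"\x55\xAA":
        return None
    bytes_per_sector, = struct.unpack_from("<H", sec, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sec[0x0D],
        "total_sectors": total_sectors,      # BS_TotSec64: sectors inside the volume
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
    }


def backup_boot_offset(bs):
    """Byte offset of the backup copy: the sector right after the last volume sector."""
    return bs["total_sectors"] * bs["bytes_per_sector"]


def check_backup_boot(part, partition_sectors):
    """Compare the primary boot sector of a partition image with its backup copy."""
    bs = parse_boot_sector(part[:SECTOR])
    if bs is None:
        return "primary boot sector is not NTFS"
    if bs["total_sectors"] >= partition_sectors:
        return "BS_TotSec64 leaves no room for the backup boot sector"
    off, n = backup_boot_offset(bs), bs["bytes_per_sector"]
    return "ok" if part[off:off + n] == part[:n] else "backup differs from primary"


def recover_boot_sector(part, partition_sectors, bytes_per_sector=SECTOR):
    """Primary damaged: return the last partition sector if it is a self-consistent NTFS boot copy."""
    start = (partition_sectors - 1) * bytes_per_sector
    cand = part[start:start + bytes_per_sector]
    bs = parse_boot_sector(cand)
    if bs is None or backup_boot_offset(bs) != start:
        return None                          # not the backup boot sector of this volume
    return cand


def build_sample_partition(partition_sectors=64):
    """Constructed 64-sector partition: boot sector at 0, its copy in the last sector, zeros elsewhere."""
    sec = bytearray(SECTOR)
    sec[0:11] = b"\xEB\x52\x90NTFS    "
    struct.pack_into("<HB", sec, 0x0B, SECTOR, 8)                        # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", sec, 0x28, partition_sectors - 1, 4, 16)    # BS_TotSec64, $MFT, $MFTMirr
    sec[0x1FE:0x200] = b"\x55\xAA"
    body = bytearray(SECTOR * partition_sectors)
    body[:SECTOR] = sec
    body[-SECTOR:] = sec
    return bytes(body)


if __name__ == "__main__":
    img = build_sample_partition()
    print("backup check:", check_backup_boot(img, 64))
    damaged = b"\0" * SECTOR + img[SECTOR:]
    print("recovered:", recover_boot_sector(damaged, 64) == img[:SECTOR])
```

If the partition is larger than BS_TotSec64 + 1 sectors, the backup is not in the last partition sector but at BS_TotSec64; in that case scan backwards from the end of the partition and apply the same self-consistency test to each candidate.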
In an NTFS volume the files of a directory are arranged as a B+ tree. To look up a file in a directory, the B+ tree search is used: the root node is searched first (starting from the root directory), the file name being sought is compared with the file names in the root node to decide which child node's storage area to search next, and that child node is then treated as the current root and searched in turn, until the file is found.