Saturday, December 14, 2013

NTFS Boot Sectors and MFT

The first 16 sectors of an NTFS volume are allocated to the boot code.  Only half of them contain code; the other half contains null bytes.  Windows will refuse to mount the volume if any of these null bytes holds a non-null value.

After the boot sectors comes the Master File Table (MFT).  The MFT holds metadata about files and consists of a series of records.  Each file and directory has at least one record in the MFT.  An MFT record is 1K in size.

The first 16 records in the MFT describe special system files created together with the NTFS volume.  They are hidden files.  These files implement the file system and hold its metadata.

Rec 0 - $Mft - The MFT itself
Rec 1 - $MftMirr - Partial mirror of the MFT's first 4 records
Rec 2 - $LogFile - transaction log
Rec 3 - $Volume - volume metadata such as label and creation time
Rec 4 - $AttrDef - metadata on NTFS attributes
Rec 5 - . - root directory folder
Rec 6 - $Bitmap - allocation status of clusters (groups of adjacent sectors)
Rec 7 - $Boot - code and data used to bootstrap the system
Rec 8 - $BadClus - bad clusters
Rec 9 - $Secure - contains the security descriptors for all files
Rec 10 - $UpCase - contains the upper-case table used to convert lower-case characters to upper-case Unicode characters
Rec 11 - $Extend - used for NTFS extensions such as quotas and object IDs
Rec 12-15 - reserved
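To see how the boot sector and the MFT fit together, here is an added example (not code from the original post) that parses the BIOS Parameter Block of an NTFS boot sector, the data held in $Boot (record 7), and uses it to locate the MFT, its mirror, and any record by number. The sample sector is constructed inline; the field offsets are the standard NTFS BPB layout, and the record-size rule (a negative signed byte n meaning 2**(-n) bytes) is what makes a typical record come out at the 1K the post mentions.

```python
import struct

# Constructed sample: a 512-byte NTFS boot sector with only the fields we read filled in.
SAMPLE_BOOT_SECTOR = bytearray(512)
SAMPLE_BOOT_SECTOR[3:11] = b"NTFS    "                          # OEM ID
struct.pack_into("<HB", SAMPLE_BOOT_SECTOR, 0x0B, 512, 8)       # bytes/sector, sectors/cluster
struct.pack_into("<QQQ", SAMPLE_BOOT_SECTOR, 0x28,
                 2097151, 786432, 2)                            # total sectors, $Mft LCN, $MftMirr LCN
struct.pack_into("<b", SAMPLE_BOOT_SECTOR, 0x40, -10)           # clusters per MFT record: 2**10 bytes
SAMPLE_BOOT_SECTOR[510:512] = b"\x55\xaa"                       # boot signature
SAMPLE_BOOT_SECTOR = bytes(SAMPLE_BOOT_SECTOR)


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS BPB and derive where the MFT and its mirror live on the volume."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '; not an NTFS boot sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value encodes the record size as a power of two; a positive one counts clusters.
    if clusters_per_record < 0:
        record_size = 1 << (-clusters_per_record)
    else:
        record_size = clusters_per_record * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_record_size": record_size,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of record 0 ($Mft)
        "mftmirr_offset": mftmirr_lcn * cluster_size,  # byte offset of the $MftMirr copy
    }


def mft_record_offset(info: dict, record_number: int) -> int:
    """Byte offset of a given MFT record, e.g. 7 for $Boot or 9 for $Secure."""
    return info["mft_offset"] + record_number * info["mft_record_size"]


if __name__ == "__main__":
    layout = parse_ntfs_boot_sector(SAMPLE_BOOT_SECTOR)
    for rec in (0, 1, 7):
        print(f"record {rec:2d} at byte offset {mft_record_offset(layout, rec)}")
```

Records 0 to 3 can be cross-checked against the copy at `mftmirr_offset`, which is how a forensic tool can recover the MFT's own entries when the primary copy is damaged.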
