Day 6 Flashcards
file systems
defines the way data is named, stored, organized, and accessed on a disk volume.
contain 5 layers: physical layer, file system layer, filename layer, metadata layer, and data layer
physical layer
physical file media; hard drive, cd/dvd, etc
file system layer
file system layout;
file name layer
user interface with file system. file names map to file metadata
metadata layer
file metadata containing allocation pointers and other descriptors.
data layer
each block/cluster is given a logical address where file data can be stored and located
FAT
the original file system.
has two versions: FAT (or FAT 16) and FAT32
the difference between the two is FAT16 root directory is fixed in place after FAT#2. FAT32’s root directory is located in the data area, like FAT16, but not in a defined location.
see page 83
boot sector
reserved area.
identifies the structural details of the FAT file systems
(file system layer)
FAT
allocation table that identifies cluster allocations. Two allocation tables are maintained for redundancy (FAT#1 and FAT#2) (metadata layer)
root directory
contains directory entries for all files and folders (filename and metadata layers)
data area
stores the root directory and file data (data layer)
In FAT16 file systems, the root directory is located directly after FAT #2.
allocation table
the FAT identifies cluster allocations and manages the linked allocation for files
FAT16
16-bit table entries that can allocate 65,536 clusters
FAT32
32-bit table entries that can address 200+ million clusters (4 bits reserved)
linked allocation
the table entry contains the cluster address where the next piece of the file is located.
Each piece of the file is linked along until the end of file (EOF) is reached (FFFF is the EOF marker for FAT16)
see figure 47 on p84
bad clusters in FAT
FAT16 bad cluster 0xFFF7
FAT32 bad cluster 0xFFFFFFF7
directory entry
every file on a FAT volume has a 32-byte directory entry containing information such as file name, starting cluster address, size, file attributes (i.e., RASH: R = read-only, A = archive, S = system, H = hidden), and timestamps
filenames
stored in the directory entry using the 8.3 naming convention, using eight characters for the name of the file and three characters for the file’s extension. File names longer than eight characters are truncated.
ex. THISISMYFILE.txt is truncated to THISIS~1.txt
long file name (LFN)
support for up to 255 characters for path and filename is provided by linking multiple directory entries together
starting cluster
the directory entry contains the STARTING CLUSTER address for the first piece of the file. If the file requires multiple clusters, the FAT is used for the linked allocation metadata
file size
the file size identifies the space required to store the file in the data layer
file attribute
file attribute status is stored in the 12th byte of the directory entry.
time stamps
there are three main timestamps stored in the directory entry: created, accessed, and written/modified.
created
set when a new directory entry is made or time a file was created in its present location
accessed
the FAT file system's access timestamp is only accurate to the day. There is not enough room in the 32-byte directory entry to track an access time.
accessing file properties or opening a file for viewing updates this time.
files that are moved to another volume will have their content accessed and read prior to being updated.
written (modified)
updated when new file content is written.
time is based on content, not directory entry creation.
time remains the same as data is moved and copied.
step 1
create file results in a new directory entry
step 2
locate directory and starting cluster where the file will reside by processing entries until an unallocated directory entry is located. Write filename, size, and create time in new directory entry.
step 3
search the FAT to find an available cluster and set its value to EOF.
step 4
update directory entry with the starting cluster. If the file is larger than the size of the cluster, a second cluster is located in FAT, and EOF is marked there.
step 5
update first cluster with the location of the second cluster.
file deletion
step 1. locate directory entry and process clusters until the file is found.
step 2. change first byte in directory entry to 0xE5 and set all FAT cluster entries to 0. Data is physically still there; only the reference to it is gone.
file copy.
when a file is copied within the same volume or between two volumes, a new directory entry is created requiring new cluster allocation(s). The new file has a new creation time while retaining the original written time.
file move
the original written and creation times are retained when moved within the same volume. If moved to a different volume, a new directory entry is created requiring new cluster allocations. The file has an updated creation time while retaining the original written time.
NTFS
the most common file system offered by Microsoft Windows
Key features of NTFS
compression
encryption
disk quotas are set on a per-volume, per-user basis
file and folder security….permissions!
mounted volumes
reliability using transaction-based logging
Two registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDLG32\LastVisitedPidlMRU
contains the names of recently used executable files and their paths
and….
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDLG32\OpenSavePidlMRU
contains list of all recently opened or saved files organized in sub-keys based on their file extension
Master File Table (MFT)
NTFS uses the MFT to manage filenames and metadata for the NTFS file system; the MFT is considered the heart of the file system.
$MFT
First MFT entry which shows disk location of the MFT (entry 0). There is a backup copy, $MFTMirr (entry 1)
$LogFile
used for transaction-based logging (entry 2)
$Volume
Contains information about the volume (entry 3)
.
Root directory of the file system C:\ (entry 5)
$Bitmap
used to allocate clusters in the volume (entry 6)
allocated (bit value-1)
unallocated (bit value-0)
$Boot
contains location and description of boot sector used when system is started (entry 7)
$BadClus
Used to mark bad clusters (entry 8). When a bad cluster is found, it will be marked with a bit-value of 1. The size of this file is unlimited.
$Secure
used as a security settings file (entry 9)
MFT entry
each MFT entry is subject to a 1KB size constraint.
resident
a resident attribute is stored completely within the MFT entry.
<1K
non-resident
a non-resident attribute’s data is stored outside of the MFT entry
>=1K
Common MFT entry attributes for files and directories
.
$Standard_Information ($SIA)
Resident attribute that provides the most accurate timestamps and file attributes such as archive, hidden, and read-only
$File_Name
Resident attribute that contains a reference to the parent directory. It also contains the file name, size, and inherits the time stamps from the $Standard_Information attribute. ($SIA)
$DATA
Contains file data or a pointer to the location of file data. may be either resident or non-resident
VCN to LCN mapping
Virtual cluster number (VCN) identifies how many clusters are needed. Always starts with 0 and is used to keep the pieces in order.
Logical Cluster number (LCN) identifies the cluster address
Similar to FAT's linked allocation
NTFS Timestamps
Creation Time - Timestamp when file was created, based on MFT entry.
Modified Time - Timestamp when the contents of the $DATA attribute were last modified.
MFT Modified Time - Timestamp when file MFT entry metadata was last modified; also known as change time.
Accessed Time - Timestamp when file was last accessed (accurate to the second).