Day 6

Question 1

file systems

Answer 1

defines the way data is named, stored, organized, and accessed on a disk volume.
contain 5 layers: physical layer, file system layer, filename layer, metadata layer, data layer,

Question 2

physical layer

Answer 2

physical file media; hard drive, cd/dvd, etc

Question 3

file system layer

Answer 3

file system layout;

Question 4

file name layer

Answer 4

user interface with file system. file names map to file metadata

Question 5

metadata layer

Answer 5

file metadata containing allocation pointers and other descriptors.

Question 6

data layer

Answer 6

each block/cluster is given a logical address where file data can be stored and located

Question 7

FAT

Answer 7

the original file system.
has two versions: FAT (or FAT 16) and FAT32
the difference between the two is FAT16 root directory is fixed in place after FAT#2. FAT32’s root directory is located in the data area, like FAT16, but not in a defined location.
see page 83

Question 8

boot sector

Answer 8

reserved area.
identifies the structural details of the FAT file systems
(file systems layer

Question 9

FAT

Answer 9

allocation table that identifies cluster allocations. Two allocation tables are maintained for redundancy (FAT#1 and FAT#2) (metadata layer)

Question 10

root directory

Answer 10

contains directory entries for all files and folders (filename and metadata layers)

Question 11

data area

Answer 11

stores the root directory and file data (data layer)

FAT16 file systems root directory is located directly after FAT #2.

Question 12

allocation table

Answer 12

the FAT identifies cluster allocations and manages the linked allocation for files

Question 13

FAT16

Answer 13

16-bit table entries that can allocate 65,536 clusters

Question 14

FAT32

Answer 14

32-bit table entries that can address 200+ million clusters (4 bits reserved)

Question 15

linked allocation

Answer 15

the table entry contains the cluster address where the next piece of the file is located.
Each piece of the file is linked along until the end of file (EOF) is reached (FFFF is the EOF marker for FAT16)
see figure 47 on p84

Question 16

bad clusters in FAT

Answer 16

FAT 16 bad cluster 0xFFF7

FAT32 bad cluster 0xFFFFFFF7

Question 17

directory entry

Answer 17

every file on a FAT volume has a 32-byte directory entry containing information such as file name, starting cluster address, size, file attributes (i.e. RASH) and timestamps
R-read only
A-archive
S-system
H-hidden

Question 18

filenames

Answer 18

stored in the directory entry using the 8.3 naming convention, using eight characters for the name of the file and three characters for the file’s extension. File names longer than eight characters are truncated.
ex. THISISMYFILE.txt is truncated to THISIS~1.txt

Question 19

long file name (LFN)

Answer 19

support up to 255 characters for path and filename is provided by linking multiple directory entries together

Question 20

starting cluster

Answer 20

the directory entry contains the STARTING CLUSTER address for the first piece of the file. if the file requires multiple clusters, the FAT is sued for the linked allocation metadata

Question 21

file size

Answer 21

the file size identifies the space required to store the file in the data layer

Question 22

file attribute

Answer 22

file attribute status is stored in the 12th byte of the directory entry.

Question 23

time stamps

Answer 23

there are three main timestamps stored in the directory entry: created, accessed, and written/modified.

Question 24

created

Answer 24

set when a new directory entry is made or time a file was created in its present location

Question 25

accessed

Answer 25

FAT file systems access timestamp is only accurate to the day. there is not enough room in the 32-byte directory entry to track an access time.
accessing file properties or opening a file for viewing updates this time.
files that are moved to another volume will have their content accessed and read prior to being updated.

Question 26

written (modified)

Answer 26

updated when new file content is written.
time is based on content, not directory entry creation.
time remains the same as data is moved and copied.

Question 27

step 1

Answer 27

create file results in a new directory entry

Question 28

step 2

Answer 28

locate directory and starting cluster where the file will reside by processing entries until an unallocated directory entry is located. Write filename, size, and create time in new directory entry.

Question 29

step 3

Answer 29

search the FAT to find an available cluster and set its value to EOF.

Question 30

step 4

Answer 30

update directory entry with the starting cluster. fi the file is larger than the size of the cluster, a second cluster is located in FAT, and OEF is marked there.

Question 31

step 5

Answer 31

update first cluster with the location of the second cluster.

Question 32

file deletion

Answer 32

step1. locate directory entry and process clusters until the file is found.
step 2. change first byte in directory entry to 0xE5 and set all FAT cluster entries to 0. Data is physically still there; only the reference to it is gone.

Question 33

file copy.

Answer 33

when a file is copied within the same volume or between two volumes, a new directory entry is created requiring new cluster allocations (s). The new file has a new creation time while retaining the original written time.

Question 34

file move

Answer 34

the original written and creation time is retained when moved within the same volume. If moved to a different volume, a new directory entry is created requiring new cluster allocations. The file has an updated creation time while retaining the original written time.

Question 35

NTFS

Answer 35

the most common file system offered by Microsoft Windows

Question 36

Key features of NTFS

Answer 36

compression
encryption
disk quotas are set on a per-volu

Question 37

Key features of NFTS

Answer 37

compression
encryption
disk quotas are set on a per-volume, per-user basis
file and folder security….permissions!
mounted volumes
reliability using transaction-based logging

Question 38

Two registry keys

Answer 38

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDLG32\LastVisitedPidlMRU

contains the names of recently used executable files and their paths

Question 39

and….

Answer 39

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDLG32\OpenSavedPidlMRU

contains list of all recently opened or saved files organized in sub-keys based on their file extension

Question 40

Master File Table (MFT)

Answer 40

NTFS uses the MFT to manage filename and metadata for the NTFS file system and is considered the heart of the file system.

Question 41

$MFT

Answer 41

First MFT entry which shows disk location of the MFT (entry 0). There is a backup copy, $MFTMirr (entry 1)

Question 42

$LogFile

Answer 42

used for transaction-based logging (entry 2)

Question 43

$Volume

Answer 43

Contains information about the volume (entry 3)

Question 44

.

Answer 44

Root directory of the file system C:\ (entry 5)

Question 45

$Bitmap

Answer 45

used to allocate clusters in the volume (entry 6)
allocated (bit value-1)
unallocated (bit value-0)

Question 46

$Boot

Answer 46

contains location and description of boot sector used when system is started (entry 7)

Question 47

$BadClus

Answer 47

Used to mark bad clusters (entry 8). When a bad cluster is found, it will be marked with a bit-value of 1. The size of this file is unlimited.

Question 48

$Secure

Answer 48

used as a security settings file (entry 9)

Question 49

MFT entry

Answer 49

each MFT entry is subject to a 1KB size constraint .

Question 50

resident

Answer 50

a resident attribute is stored completely within the MFT entry.
<1K

Question 51

non-resident

Answer 51

a non-resident attribute’s data is stored outside of the MFT entry
>=1K

Question 52

Common mft entry attributes for files and directories

Answer 52

.

Question 53

$Standard Information ($SIA)

Answer 53

Resident attribute that provides the most accurate timestamps and file attributes such as archive, hidden, and read-only

Question 54

$File_Name

Answer 54

Resident attribute that contains a reference to the parent directory. It also contains the file name, size, and inherits the time stamps from the $Standard_Information attribute. ($SIA)

Question 55

$DATA

Answer 55

Contains file data or a pointer to the location of file data. may be either resident or non-resident

Question 56

VCN to LCN mapping

Answer 56

Virtual cluster number (VCN) identifies how many clusters are needed. Always starts with 0 and is used to keep the pieces in order.

Logical Cluster number (LCN) identifies the cluster address

Similar to FATS linked allocation

Question 57

NTFS Timestamps

Answer 57

Creation time - timestamp when file was created, based on MFT entry
Modified Time- Timestamp when the contents of $DATA attribute was last modified.
MFT Modified Time–Timestamp when file MFT entry metadata was last modified; also known as change time.
Accessed Time–Timestamp when file was last accessed. (accurate to the second)