NTFS Flashcards
Describe the history of NTFS.
The New Technology File System (NTFS) was developed beginning in the late 1980s and early 1990s. The Microsoft file systems in use at that time, HPFS for OS/2 and FAT12/16, lacked networking capabilities.
Version 1.0 was released in 1993 and was used by NT 3.1. Version 1.1 was released in 1994 with the advent of NT 3.5. Version 1.2 was an update that was available for NT 3.51 and NT 4.0 (mid-1995 and mid-1996).
Windows 2000 and above use either version 3.0, or version 3.1 in Windows XP and, with small changes, in Windows Vista and Windows 7, as their core file system.
What are some features of NTFS?
Alternate data streams, quotas, sparse files, reparse points, volume mount points, directory junctions, hard links, hierarchical storage management, file encryption and compression, and high performance.
What is little endian?
Microprocessors are distinguished by the position where they store the least significant byte within a data type. Intel places the least significant byte at the first position. Data types consisting of more than one byte (e.g. a 32-bit integer) are stored starting with the least significant byte (the “little end”) and ending with the most significant byte.
Describe MBR partitioning.
The partition information is stored in the Master Boot Record (MBR). The MBR stores the boot information at sector 0 and can hold up to four primary partitions, each smaller than or equal to 2 TB under Windows. It contains the MBR Disk Signature, the master boot code and the partition table.
The MBR Disk Signature is located in the MBR and is a 4-byte value. It is written in the MBR at decimal offset 440.
Where does the Windows registry store the MBR signature?
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
What does the mounted devices registry key store about the MBR signature?
It associates disk partitions and drive letters. This 4-byte value is written to the disk. If the disk does not have an MBR Disk Signature, Windows will create one for it.
We can see the value D7 E3 94 6D; however, there are 8 bytes of information that immediately follow it. Those bytes are the byte offset of the beginning of the partition. To ascertain the sector address, read the 8 bytes as little endian, convert them to a decimal value and divide by the sector size in bytes.
What is the other partitioning scheme apart from MBR?
GUID partition table (GPT) disks are similar to MBR disks, except they use primary and backup partition structures to provide redundancy. These structures are located at the beginning and the end of the disk.
Describe the GPT structure.
GPT identifies structures by their logical block address (LBA) rather than by their relative sectors. The GUID partition table (GPT) disk partitioning style supports volumes up to 18 exabytes in size and up to 128 partitions per disk, compared to the master boot record (MBR) disk partitioning style, which supports volumes up to 2 terabytes in size and up to 4 primary partitions per disk (or three primary partitions, one extended partition, and unlimited logical drives).
What is the boot sector?
Bootable partition that stores information about the layout of the volume and the file system structures, as well as the boot code that loads Ntldr.
What is the Master Boot Record?
Contains executable code that the system BIOS loads into memory. The code scans the MBR to find the partition table to determine which partition is the active, or bootable, partition.
What is a cluster?
A cluster (or allocation unit) is the smallest amount of disk space that can be allocated to hold a file. NTFS organizes hard disks based on cluster size, which is determined by the number of sectors (units of storage on a hard disk) that the cluster contains. For example, on a disk that uses 512-byte sectors, a 512-byte cluster contains one sector, whereas a 4-kilobyte (KB) cluster contains eight sectors.
How are clusters organised within an NTFS volume?
Clusters on an NTFS volume are numbered sequentially from the beginning of the partition into logical cluster numbers.
On NTFS volumes, clusters start at sector zero; therefore, every cluster is aligned on the cluster boundary. Contiguous clusters for file storage allow for faster processing of a file.
What are the limitations of cluster sizes?
NTFS uses different cluster sizes depending on the size of the volume; therefore, each file system has a maximum number of clusters it can support. The smaller the cluster size, the more efficiently a disk potentially stores information, because unused space within a cluster cannot be used by other files. The more clusters a file system supports, the larger the volumes you can create and format by using a particular file system.
What are the default NTFS cluster sizes based on volume size?
Volume Size            NTFS Cluster Size
7 MB–512 MB            512 bytes
513 MB–1,024 MB        1 KB
1,025 MB–2 GB          2 KB
2 GB–2 terabytes       4 KB
What are the maximum NTFS volume sizes?
In theory, the maximum NTFS volume size is 2^64 clusters minus 1 cluster. However, the maximum NTFS volume size as implemented in Windows Server 2003 is 2^32 clusters minus 1 cluster. For example, using 64-KB clusters, the maximum NTFS volume size is 256 terabytes minus 64 KB. Using the default cluster size of 4 KB, the maximum NTFS volume size is 16 terabytes minus 4 KB.