The Windows NTFS File System

Question 1

NTFS File System Features - Data Streams:

Answer 1

Files can consist of multiple attributes. NTFS object attributes, which in turn are represented as streams. The default stream represents normal file contents. Each stream can have different allocation and file sizes and can be locked separately

Question 2

NTFS File System Features - Indexing:

Answer 2

File attributes are indexable and do not require linear searches for attributes

Question 3

NTFS File System Features - Remapping:

Answer 3

When used on a fault-tolerant file system, read failures will result in sectors being marked bad and a new instance being created from another fault-tolerant copy. If no good copy can be allocated, NTFS will mark the sector as bad, but cannot retrieve the data

Question 4

NTFS File System Features - Hard Links:

Answer 4

Supported for files, but not for directories

Question 5

NTFS File System Features - Symbolic Links:

Answer 5

Supported for files and directories, dynamic strings interpreted at run time - implemented as reparse points that can also span volumes and arbitrary non-local file systems. Older version of NTFS supported only junctions

Question 6

NTFS File System Features - Compression and Sparse Files:

Answer 6

NTFS implements entropy encoding compression natively. Sparse files are also supported, i.e. for large files space is not allocated immediately for file areas that are empty when marked explicitly

Question 7

NTFS File System Features - Change Logs:

Answer 7

NTFS can notify applications of changes to selected areas and also explicitly supports change journals

Question 8

NTFS File System Features - Volume Quotas:

Answer 8

Both hard and soft quotas can be tracked on a per-user basis

Question 9

NTFS File System Features - Encryption:

Answer 9

The EFS provides file-level encryption but cannot encrypt files needed during the boot process

Question 10

NTFS File System Features - POSIX Semantics:

Answer 10

Case-sensitive file names and traversal permissions provided in compliance to POSIX 1003.1

Question 11

The Change Journal can track file system events:

Answer 11

• Implemented as a sparse meta-data file
• This tracks information on added, deleted and modified files
• Once a pre-configured maximum size is reached, NTFS will mark disk space for the oldest portions as empty
• The log file is global and shared among applications
• Access is via specific Win32 API calls

Question 12

Unlike FAT, NTFS is proprietary:

Answer 12

• This has made it difficult to develop reliable compatible implementations
• Ability to conduct forensic analysis is also affected

Question 13

The top-level structure for NTFS file systems begins with volumes…

Answer 13

Which may be on a single disk or distributed across multiple disks

Question 14

NTFS represents all data in files, including its own meta-data. These are retained in…

Answer 14

Meta-files, which are not made visible by the NTFS file system driver. This allows the file system to be extended easily with new features

Question 15

The core of the NTFS data structure is the…

Answer 15

Master File Table (MFT) containing an array of file records, each 1KByte in size irrespective of cluster size

Question 16

NTFS Structure - Each volume contains a set of…

Answer 16

Metadata files as well as entries for all user files

Question 17

For most files, a single MFT record is sufficient, but files with many attributes may require additional space. A base file record then stores…

Answer 17

Locations of all other MFT entries

Question 18

On mounting a volume, the NTFS FSD reads the metadata structures and constructs the…

Answer 18

In-memory data structures

Question 19

The volume boot sector provides the…

Answer 19

Physical address of the MFT

Question 20

The MFT is always the first entry, while the second record…

Answer 20

Points to a MFT mirror located elsewhere on disk

Question 21

The MFT mirror does not contain…

Answer 21

All records but only metadata records to help in case of a corrupt MFT

Question 22

The transaction log directory contains the TxF base log file log container files. The number of logs depends on the size of transaction log. Atleast two files always exist…

Answer 22

Kernel Transaction Manager (KTM) log stream and the TxF log stream

Question 23

All files in an NFTS volume are uniquely identified by a 64-bit value:

Answer 23

• This consists of a file and a sequence number
• The file number is the position of the record in the MFT minus one
• The sequence number is incremented on each re-use of a MFT entry

Question 24

Files are considered as structured entities containing attribute/value pairs:

Answer 24

• Actual payload data is considered the Unnamed Data Attribute
• Each attribute is stored as a separate stream of bytes within the file

Question 25

Where possible, NTFS attemps to pack all file attributes in the MFT record:

Answer 25

• Entries within the MFT entry are called resident attributes
• Each attribute begins with an Attribute Header followed by a Attribute Value
• Attrivute headers are always resident, values may not be
• For entries that do not fit into an MFT record, runs or extents are allocated
• Each file may have multiple runs associated with it
• Files with large numbers of attributes may require multiple MFT entries
• Sparse files can simply be encoded by populated runs

Question 26

Creating and Writing a NTFS File Steps:

Answer 26

1) Read volume boot sector to determine MFT location
2) Read first MFT entry, determining MFT layout
3) Allocate MFT entry for file
4) Initialise MFT entry with $Standard_Information, set flag as In Use
5) Given file size, find free clusters in MFT $Bitmap, set corresponding $Bitmap fields to 1 for allocated clusters
6) Write file content to cluster, updating $Data attribute with starting address of cluster run and run lengths
7) Read root directory, traverse index and find matching directory
8) Read $INDEX_R00T for directory
9) Once correct index entry is found, create new index entry and re-sort index tree

Each step is entered in $LogFile as these are taken

Question 27

Although user data is not protected from failures, volume consistency is maintained using a journalling mechanism:

Answer 27

• All volume-altering operations are logged and form transactions
• As a side effect, cache flushing intervals can be extended over non-transactional systems as volume consistency can be ensured

Question 28

Actual log operations are not performed directly by NTFS but by the Log File Service (LFS):

Answer 28

• The LFS received requests from the NTFS driver
• Read, write and flush operations by the LFS run through the Cache Manager
• Actual Volume Operations are performed by the FSD

Question 29

The steps involved in ensuring transactional integrity of volume data are:

Answer 29

1) The NTFS FSD calls he LFS to record a volume-altering transaction
2) NTFS modifies the volume
3) The cache manager at some point requests the LFS to flush the log file
4) After flushing the log file, volume changes are written out

Question 30

The log used by the LFS is circular, cycling through sequence numbers while retaining…

Answer 30

A restart area in a fixed location to ensure that after a system failure, outstanding records can be identified. LFS retains two copies of the restart area

Question 31

The fault detection mechanisms flag inconsistencies between…

Answer 31

Meta-data sets and result in a requirement to run chkdsk

Question 32

Other recovery mechanisms availble in NTFS make use of lower-level features:

Answer 32

• NTFS responts to “bad sector” notifications by re-mapping clusters containing bad sectors
• This typically means splicing a brief run of new clusters into the MFT for an affected file

Question 33

Instead of file-system checks, NTFS also provides self-healing from Kernel 6.0 onwards:

Answer 33

• On detecting corruption flags, a worker thread will try to repair file system damage based on logs
• The spotfix mechanism described earlier deals with problems that cannot be handled online, some repairs will still require off-line volumes

Question 34

NTFS utilises a number of more complex data structures and optimisations, making analysis somewhat more difficult besides not having a fully documented on-disk structure

Answer 34

• Indices (B-Trees) are used to provide sorted data structures
• Data structures are often more dynamic and likely to be re-used and re-allocated
• Relevant information may be retained in the MFT, log files, directory structures, the cluster bitmap and actual attributes
• Retaining short data attributes in the MFT entry makes it easier to recover short files on NTFS volumes

Question 35

On deletion of a file in an NTFS volume, the following steps are executed:

Answer 35

1) MFT is located
2) First MFT entry is read to determine and reconstruct MFT layout
3) Root directory is read, index travered and directory entry found
4) Directory hierarchy is traversed as needed
5) For the target directory, the $Index_Root structure is read to identify the target file
6) Target file name is removed from index and data structure is re-balanced
7) MFT entry is un-allocated, In-Use flag is zeroed
8) Corresponding MFT $Bitmap entries are zeroed