Filename Attribute
DOS Attributes (Flags)
Flag |
Description |
01 00 00 00 |
Read Only |
02 00 00 00 |
Hidden |
04 00 00 00 |
System |
10 00 00 00 |
Directory |
20 00 00 00 |
Archive |
40 00 00 00 |
Device |
80 00 00 00 |
Normal |
Flag |
Description |
00 01 00 00 |
Temporary |
00 02 00 00 |
Sparse File |
00 04 00 00 |
Reparse Point |
00 08 00 00 |
Compressed |
00 10 00 00 |
Offline |
00 20 00 00 |
Not Content Indexed |
00 40 00 00 |
Encrypted |
44
File Name Attribut
always resident
Attribut-Typ (Name) |
Length of Attr. |
|
non-resident Flag |
Offset to the data |
|
portion |
||
|
File Name attribute always resident
Record number of the father directory
Times are UTC |
Actual size |
|
Physical size |
File Name attribute always resident
Record number of the father |
Times are UTC |
directory |
|
|
Flags |
Number of characters for the name |
|
File Name Attribut
immer resident
File Name attribute always |
Times are UTC |
resident |
|
Type the name |
|
|
|
File name in |
|
0x00 Posix |
|
Unicode |
0x01 WIN32 |
|
|
|
|
|
0x02 DOS8.3 Name |
|
|
0x03 WIN 32+8.3 Name |
|
|
The pointer to the father directory, ie the directory where the file is stored corresponding to the number in the MFT.
Example: The directory "DIR1" is on the root (file no. 5) and has in the MFT, the number 500, that is, it is the 500th entry. The pointer to the father of "Dir1" contains the number 5 (root) and all files that have are in the directory "DIR1" the number 500 as a reference to the father directory.
MFT
…
498
499
500
501
502
…
Dir1, Pointer to the father = 5 File 1, pointer to the father = 500 File 2, pointer to the father = 500
etc.
Data Attribut (ID 0x80)
The contents of a file as the data itself will be treated in NTFS as an attribute.
If the data type of the attribute is so small that it fits in the MFT record (as in the standard and file name attribute) is the part in the Master File Table.
Header |
Standard Info |
Name: |
Data: In the |
end identifier |
|
03.06.2004, 19.38 |
MFT.txt |
Masterfile |
FF FF FF FF |
||
|
|||||
|
|
|
|
|
MFT record with resident data part
Attribut-Type (Std.) |
length of Attr. |
Attribut-Type (Name) |
|
length of Attr. |
|
|
Attribut-Type (Data) |
|
length of Attr. |
resident Flag |
|
|
||
|
|
|
|
Offset to the data |
portion |
Contents of Boot.ini |
Exercise
Create a text file on your own computer, which contains only a few lines of text and copy it to the virtual disk already generated.
Read Virtual disk and look for the File entry newly created and evaluate the attributes.
Standard attribute name Data. Which attributes are resident?
Data Runs
Attributes that are not resident, i.e. whose data part does not fit in the MFT record, must be stored outside the MFT.
Storage is done in contiguous i.e. consecutive clusters.
Each run is determined by its starting cluster and its length
The Start Cluster of a run is stored as an offset to the starting cluster of the previous runs. The offset of 1 Runs 0.
The length of a data runs depends on the available contiguous clusters and is therefore variable.