Windows File System!

Posted on 07/12/2009 by


The Windows file system starts with the boot sector. It is created each time you format an NTFS volume and is situated in the first sector of the Windows partition. The boot sector holds information about the drive, recorded in the BIOS Parameter Block (commonly called the BPB). The BPB describes the hard disk, such as its size and the layout parameters of the volume. The boot sector also contains code that points to the Master File Table and its backup ($MFT and $MFTMirror). The MFT backup ($MFTMirror) acts as a fault-tolerance mechanism: it holds a mirror copy of the first four records (the first group) of the Master File Table. If any of those records in the MFT are corrupted, NTFS refers to the boot sector for the position of the mirror and uses the mirror copy not only to get the correct information but also to repair the MFT. The boot sector is also the mechanism in charge of passing control from the Master Boot Record to the NT loader program. The boot procedure as a whole goes something like this…

BIOS >> MBR >> Boot Sector >> the NT Loader (NTLDR) >> hardware detection >> Core OS loads (Ntoskrnl.exe) >> Services Start >> Logon.
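To make the boot sector paragraph concrete, here is an added example (not code from the original post) that builds a constructed NTFS boot sector and decodes the BPB fields NTFS uses to locate $MFT and $MFTMirr. The byte offsets are the standard NTFS boot sector layout; the sample values (4 GiB volume, $MFT at cluster 786432, $MFTMirr at cluster 2) are constructed for illustration.

```python
import struct

# Byte offsets inside the NTFS boot sector (standard layout, not taken from the post).
OEM_ID_OFF, BPS_OFF, SPC_OFF = 0x03, 0x0B, 0x0D
TOTAL_SECTORS_OFF, MFT_LCN_OFF, MFTMIRR_LCN_OFF = 0x28, 0x30, 0x38
CLUSTERS_PER_FRS_OFF, SERIAL_OFF, SIGNATURE_OFF = 0x40, 0x48, 0x1FE


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte boot sector for a 4 GiB volume; not a dump of a real disk."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                          # jump to bootstrap code
    sector[OEM_ID_OFF:OEM_ID_OFF + 8] = b"NTFS    "
    struct.pack_into("<H", sector, BPS_OFF, 512)           # bytes per sector
    sector[SPC_OFF] = 8                                    # sectors per cluster -> 4 KiB clusters
    sector[0x15] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<Q", sector, TOTAL_SECTORS_OFF, 8388607)
    struct.pack_into("<Q", sector, MFT_LCN_OFF, 786432)    # $MFT starts at this cluster
    struct.pack_into("<Q", sector, MFTMIRR_LCN_OFF, 2)     # $MFTMirr starts at this cluster
    sector[CLUSTERS_PER_FRS_OFF] = 0xF6                    # signed -10: record size = 2**10 bytes
    struct.pack_into("<Q", sector, SERIAL_OFF, 0x1234567890ABCDEF)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields that locate $MFT and $MFTMirr; raise on a damaged sector."""
    if len(sector) < 512 or sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        raise ValueError("short sector or missing 0x55AA boot signature")
    if sector[OEM_ID_OFF:OEM_ID_OFF + 8] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, = struct.unpack_from("<H", sector, BPS_OFF)
    sectors_per_cluster = sector[SPC_OFF]
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, TOTAL_SECTORS_OFF)
    raw_frs, = struct.unpack_from("<b", sector, CLUSTERS_PER_FRS_OFF)
    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    # Negative value encodes the record size as 2**|value| bytes; otherwise it is a cluster count.
    frs_bytes = 2 ** -raw_frs if raw_frs < 0 else raw_frs * bytes_per_cluster
    serial, = struct.unpack_from("<Q", sector, SERIAL_OFF)
    return {
        "bytes_per_cluster": bytes_per_cluster,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_offset": mft_lcn * bytes_per_cluster,       # where NTFS reads MFT record 0
        "mftmirr_offset": mirr_lcn * bytes_per_cluster,  # fallback copy of the first records
        "file_record_size": frs_bytes,
        "volume_serial": f"{serial:016X}",
    }
```

The mirror offset is what NTFS falls back to when the first MFT records are unreadable, so a forensic tool should parse both copies and compare them.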

The Master File Table

The MFT is the central component of the NTFS file system. Through the MFT, NTFS becomes a tightly controlled collection of records containing information describing the contents of your file system. Every piece of data on your hard disk is described within these records, from the boot sector to a basic text file.
The first sixteen records of the MFT are reserved for metadata files; these files describe the structure of the MFT and essentially make it a self-describing database. The use of metadata files in the MFT should not be surprising, as every database uses some form of metadata to describe its data structure. The metadata files stored within the first sixteen records of the MFT are as follows:


Rec.    | File Name  | Description
0       | $Mft       | The Master File Table
1       | $MftMirror | The Master File Table Mirror
2       | $LogFile   | A log file containing a list of transaction steps for NTFS recoverability.
3       | $Volume    | Information about the volume.
4       | $AttrDef   | Defines attributes (discussed later)
5       | .          | The root folder
6       | $Bitmap    | Cluster bitmap representing the volume.
7       | $Boot      | Boot sector (discussed above)
8       | $BadClus   | Contains bad clusters for a volume
9       | $Secure    | Contains security descriptors for all files within the
10      | $Upcase    | Converts lowercase characters to Unicode uppercase
11      | $Extend    | Used for various optional extensions (unique file IDs, quota information, reparse point information, etc.)
12 - 15 |            | Reserved for future use.

The position of these files is not fixed, except for the boot sector, which must be located in the first sector of the partition. NTFS is a flexible file system; in Windows XP, Microsoft moved the location of the $LogFile and $Bitmap metadata files to improve overall performance. And nearly all of the system files described above can be moved if needed to avoid bad clusters.

Microsoft stores every file or folder on your system as a record within the MFT, beginning at either record seventeen or record twenty-four.

Files and their Attributes

In the MFT, standard records are made up of many fields called file attributes. A file attribute describes some part of the file that is managed within the MFT record. Going into more detail, a descriptive list of attributes is as follows:

File Attributes

Standard Information:  Old-school file attributes: read only, timestamps, link count, etc.
Attribute List:        Almost like another metadata file. It gives the locations of all attribute records that don't fit in the actual MFT record.
File Name:             The name of the file. The long name can be up to 255 Unicode characters, while the short name follows the old-school 8.3 format. Additional names (required to meet the POSIX standard) or hard links are also stored here as file name attributes.
Data:                  This attribute contains the actual data (if it is a small file) or is the base that points to the extents on the disk that contain the data. It is possible to have multiple data attributes per file.
Object ID:             A volume-unique identifier. Used by the distributed link tracking service.
Logged Utility Stream: Similar to a data stream, but operations are logged to the NTFS log file. This is used by EFS.
Reparse Point:         Used for symbolic links (yes, NTFS does have this capability), junction points, volume mount points and Remote Storage Server.
Index Root:            Used to implement folders and other indexes (to be explained below).
Index Allocation:      Used to implement the B-tree structure for large folders or other large indexes (to be explained
Bitmap:                Used to implement the B-tree structure for large folders and other large indexes.
Volume Information:    Used only in the $Volume system file. Contains the volume version.

As mentioned, with small files (no more than 1 KB) the data resides in the MFT record as a resident attribute. In most cases the file is too big to fit in the MFT record. In those cases the data attribute contains the VCN-to-LCN mapping information, which points to the place on the disk where the data resides as a non-resident attribute. Using this map, the MFT points to the physical location of each extent by referring to the Logical Cluster Number (the LCN is simply a sequential numbering of all clusters on the volume) and the length of the extent. Each extent must consist of a contiguous set of clusters on the disk.

NTFS organizes the extents of each file logically by assigning each of the file's clusters a Virtual Cluster Number (VCN).

For example:

File A is too large to fit in the MFT, so NTFS writes the data attribute of file A onto the hard disk starting at LCN 127. The file takes up 5 clusters, but cluster number 130 is bad or occupied, so the file on disk would look like:
|data | data | data | another file | data | data |
A VCN-to-LCN description for this file would map clusters 0, 1, 2, 4, 5 to 127, 128, 129, 131, 132. The MFT would point to LCN 127 as the start of the run, identify it as VCN 0 and record the length of the run. It would then point to LCN 131 continuing the file, identify it as VCN 4 and record the length of that run.
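The File A scenario as runnable code, added here and not part of the original post: a constructed allocator places five clusters from LCN 127 while skipping LCN 130, `runs_from_lcns` collapses the result into the extents a non-resident data attribute records, and `vcn_to_lcn` performs the lookup NTFS does when a program reads a given offset. Since VCNs number a file's clusters consecutively, the second run in this output begins at VCN 3 (LCN 131).

```python
from typing import List, Set, Tuple

Run = Tuple[int, int, int]  # (starting VCN, starting LCN, length in clusters)


def allocate(start_lcn: int, clusters_needed: int, unavailable: Set[int]) -> List[int]:
    """Constructed allocator: walk forward from start_lcn, skipping bad or occupied clusters."""
    lcns: List[int] = []
    lcn = start_lcn
    while len(lcns) < clusters_needed:
        if lcn not in unavailable:
            lcns.append(lcn)
        lcn += 1
    return lcns


def runs_from_lcns(lcns: List[int]) -> List[Run]:
    """Collapse the file's clusters, in VCN order, into extents of adjacent LCNs."""
    runs: List[Run] = []
    for vcn, lcn in enumerate(lcns):
        if runs and runs[-1][1] + runs[-1][2] == lcn:   # LCN continues the current run
            start_vcn, start_lcn, length = runs[-1]
            runs[-1] = (start_vcn, start_lcn, length + 1)
        else:                                           # gap on disk: start a new run
            runs.append((vcn, lcn, 1))
    return runs


def vcn_to_lcn(runs: List[Run], vcn: int) -> int:
    """Translate a position inside the file (VCN) to its cluster on the volume (LCN)."""
    for start_vcn, start_lcn, length in runs:
        if start_vcn <= vcn < start_vcn + length:
            return start_lcn + (vcn - start_vcn)
    raise ValueError(f"VCN {vcn} lies beyond the end of the file")


def file_a_runs() -> List[Run]:
    """The post's scenario: 5 clusters written from LCN 127, with LCN 130 unusable."""
    return runs_from_lcns(allocate(127, 5, {130}))


if __name__ == "__main__":
    runs = file_a_runs()
    print("data runs (VCN, LCN, length):", runs)
    for vcn in range(5):
        print(f"VCN {vcn} -> LCN {vcn_to_lcn(runs, vcn)}")
```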

Possible Attacks on NTFS

Any unauthorized modification of file attributes is an attack on the integrity of the Windows file system. This could include modification of the security descriptors or the timestamps for a certain file. Another exploit within the Windows file system would be the abuse of alternate data streams as a quick way to hide data. The virus Win2k.Stream is an example of this kind of abuse, as is the hide program. Security descriptors could also be bypassed entirely by using another NTFS driver to read the file system. The oft-referred-to ntpasswd utility uses this method to avoid permissions when accessing the SAM file on an NTFS drive.

Is there a need to attack NTFS or the MFT itself? Programs hardly ever touch the file system directly. Any request you issue is passed into the kernel and then to the NT I/O manager. The I/O manager then calls the NTFS file system driver, which in turn accesses the file system. Because of this layering, an attack on the file system becomes pointless.

Enjoy! 🙂