This blog post explains the New Technology File System (NTFS), the file system that the Windows NT family of operating systems uses for storing and retrieving files on a hard disk.
New Technology File System (NTFS) is one of the latest file systems supported by Windows. It is a high-performance, self-repairing file system that supports several advanced features such as file-level security, compression, and auditing. It also supports large and robust volume storage solutions such as self-recovering disks.
NTFS provides data security because it can encrypt and decrypt data, files, and folders. NTFS uses the 16-bit Unicode character set for naming files and folders, which allows users around the world to manage their files in their native languages. It also provides fault tolerance for the file system: whenever the user modifies or changes files, NTFS records all changes in specific log files, and if the system crashes, NTFS uses these log files to restore the hard disk to a consistent state with minimal data loss. NTFS also introduces the concepts of metadata and the master file table. Metadata contains information about the data stored on the computer. The master file table contains the same information in tabular form, but the capacity of its table to store data is comparatively smaller.
NTFS uses the Unicode data format. NTFS has had several versions:
- v1.0 (found in Windows NT 3.1), v1.1 (Windows NT 3.5), and v1.2 (Windows NT 3.51 and Windows NT 4)
- v3.0, found in Windows 2000
- v3.1, found in Windows XP, Windows Server 2003, Windows Vista, and Windows 7
- These final three versions are sometimes referred to as v4.0, v5.0, and v5.1
Features of NTFS include:
- Uses a B-tree directory scheme to store information about file clusters
- Stores information about a file's clusters and other data within the cluster
- Supports files up to approximately 16 billion bytes in size
- An access control list (ACL) lets the server administrator control access to specific files
- Integrated file compression
- Data security on both removable and fixed disks
NTFS Architecture
When the system formats a volume for the file system, it creates the Master Boot Record (MBR). The MBR contains executable code called the master boot code, together with the partition table for the hard disk. When a new volume is mounted, the MBR runs the executable master boot code, which transfers control to the boot sector on the hard disk; this allows the server to boot the operating system from the file system of that particular volume. The components of the NTFS architecture are as follows:
- Hard disk: It contains one or more partitions
- Master Boot Record: It contains the executable master boot code that the computer's BIOS loads into memory; this code scans the Master Boot Record to locate the partition table and find out which partition is active (bootable)
- Boot sector: It is a bootable partition that stores data about the layout of the volume and the file system structures
- Ntldr: It reads the contents of the Boot.ini file
- Ntfs.sys: It is the file system driver for NTFS
- Kernel mode: It is the processing mode that permits the executable code to have direct access to all the system components
- User mode: It is the processing mode in which an executable program or code runs
NTFS System Files
NTFS has many system files, stored in the root directory of the NTFS volume, that hold file system metadata.
NTFS Partition Boot Sector
In an NTFS volume, the system allocates the first 16 sectors to the boot metadata file and the next 15 sectors to the boot sector's initial program loader (IPL). The first sector, which is the boot sector, contains the bootstrap code, including the file system type and the size and location of the NTFS data. The last sector holds an extra copy of the boot sector to increase file system reliability.
The following layout describes the boot sector of an NTFS volume formatted on Windows 2000. It has three parts:
- Bytes 0x00-0x0A constitute the jump instruction and the OEM ID
- Bytes 0x0B-0x53 are the BIOS parameter block (BPB) and the extended BPB
- The remaining bytes are the bootstrap code and the end-of-sector marker
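To make the three regions concrete, here is an added example (not code from the original post) that builds a constructed NTFS boot sector with assumed sample values and then parses it to recover the cluster size, the MFT location and the MFT record size that a forensic tool needs; the field offsets inside the BPB and extended BPB follow the standard NTFS on-disk layout.

```python
import struct

def build_sample_boot_sector():  # constructed sample: 512 B sectors, 8 sectors/cluster, 1 KB MFT records
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                                 # jump instruction
    s[3:11] = b"NTFS    "                                    # OEM ID
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)             # BPB: bytes/sector, sectors/cluster, reserved sectors
    s[0x15] = 0xF8                                           # media descriptor (fixed disk)
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)         # sectors/track, heads, hidden sectors
    struct.pack_into("<I", s, 0x24, 0x80008000)              # extended BPB: NTFS-specific constant
    struct.pack_into("<QQQ", s, 0x28, 20971519, 786432, 2)   # total sectors, $MFT cluster, $MFTMirr cluster
    s[0x40] = 0xF6                                           # clusters per MFT record: signed -10 -> 2**10 bytes
    s[0x44] = 0x01                                           # clusters per index record
    struct.pack_into("<Q", s, 0x48, 0x1C2B3A4D5E6F7081)      # volume serial number (made-up value)
    s[0x1FE:0x200] = b"\x55\xAA"                             # end-of-sector marker
    return bytes(s)

def parse_ntfs_boot_sector(s):
    """Decode the three regions described above and derive the sizes an examiner needs."""
    if len(s) < 512 or s[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA end-of-sector marker")
    if s[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", s, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", s, 0x28)
    rec = struct.unpack_from("<b", s, 0x40)[0]               # negative value encodes 2**|n| bytes
    cluster = bps * spc
    return {
        "jump": s[0:3].hex(), "oem_id": s[3:11].decode("ascii"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster,
        "volume_size": total * bps,
        "mft_offset": mft_lcn * cluster, "mft_mirror_offset": mirr_lcn * cluster,
        "mft_record_size": 2 ** -rec if rec < 0 else rec * cluster,
        "bootstrap_bytes": len(s[0x54:0x1FE]),               # bootstrap code region before the 0x55AA marker
    }
```

The derived offsets are what an examiner seeds a disk image parser with: the MFT offset tells you where to start reading FILE records, and the record size tells you how far apart they sit.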
Cluster Sizes of NTFS Volume
A cluster is the smallest allocation unit on the hard disk used to hold a file. NTFS uses clusters of different sizes to hold files depending on the size of the NTFS volume, and there is a maximum number of clusters the file system can support. If the cluster size is small, the hard disk stores information more efficiently, because other files cannot use the empty space left within a partially filled cluster. The NTFS file system is an efficient file organization structure because it uses clusters of smaller sizes.
NTFS Master File Table (MFT)
The NTFS file system contains a unique file called the master file table (MFT). Every file on an NTFS volume has at least one entry stored in the MFT.
MFT entries, or the memory spaces that MFT entries describe outside themselves, store information about file attributes such as size, time and date stamps, permissions, and data contents. As files are added to the NTFS volume and entries are added to the MFT, the MFT grows. When the user deletes a file from the NTFS volume, the file system marks its MFT entry as free so that the space can be reused.
The utilities that defragment NTFS volumes on Windows 2000-based systems cannot move MFT entries, and because unnecessary fragmentation of the MFT degrades the performance of the file system, NTFS reserves space so that the MFT stays as contiguous as possible as it grows. The space NTFS reserves for the MFT on each volume is called the MFT zone. Space allocation follows simple rules: volume space outside the MFT zone is allocated first, to files and directories.
NTFS considers the average file size and other variables when deciding whether to allocate the reserved MFT zone or the unreserved disk space as the disk fills to capacity. Volumes with a small number of relatively large files allocate the unreserved space first, whereas volumes with a large number of relatively small files allocate the MFT zone first.
NTFS Master File Table (MFT) (Cont’d)
The MFT is a relational database that holds information about files and their attributes; it defines an NTFS volume and retrieves the information about every file and directory on it. It is the "starting point" and a sort of "table of contents" for the NTFS volume. The MFT maintains a record for every new file or directory created on the NTFS volume, and each record's size is almost equivalent to the cluster size of the NTFS volume.
The MFT stores information about files in the form of "attributes." The rows are file records and the columns are file attributes. The first 16 records are reserved for system files. The figure in the above slide illustrates a small folder in the MFT.
File attributes stored within the MFT record are resident attributes, and those that lie outside the MFT are non-resident attributes. If the data attributes are small, they can be stored within the MFT record without needing additional storage space on the NTFS volume. For larger files, however, the attributes that do not fit in the MFT record must be moved out of it as non-resident attributes and stored externally.
NTFS Attributes
NTFS regards every file as a set of attributes. Every file has unique identifying elements such as its name, security information, and file system metadata. An attribute is an entity that has a name, a property, and functions. The file system identifies every attribute by an attribute type code and an attribute name, which together help define the file. The system stores the attributes of every file and directory in two different ways:
- Resident attributes: Resident attributes are information stored in a small amount of space directly in the MFT record. The MFT stores common file attributes as resident attributes; NTFS requires these attributes to be saved in the MFT for proper operation.
- Non-resident attributes: If there is insufficient space for the attributes, or if the attributes require more space than exists in the MFT record, the system stores them in a different location and places a reference in the MFT that points to that location. Attributes stored outside the MFT are non-resident attributes.
- $STANDARD_INFORMATION: This attribute provides general information about the file, such as CreationTime, LastChangeTime, LastModificationTime, LastAccessTime, etc.
- $ATTRIBUTE_LIST: The attribute list maintains a list of all the file's attribute types. This attribute is present only if at least one of the attributes is non-resident.
- $FILE_NAME: The file name is stored in this attribute. It also contains fields for CreationTime, LastChangeTime, LastModificationTime and LastAccessTime.
- $OBJECT_ID: This attribute holds an ID that the Distributed Link Tracking Service uses.
- $SECURITY_DESCRIPTOR: This attribute holds the security information of the file. In the latest NTFS versions, all security information is stored in one file called $Secure. With this attribute, files that have the same security level need not store that information in every single file.
- $INDEX_ROOT: A directory contains an index that provides information about the files in that directory. If the index has only a few entries, they are stored in the $INDEX_ROOT attribute; if there are many entries, they are stored in the $INDEX_ALLOCATION attribute. The entries in the index form a B-tree.
NTFS Data Stream
A data stream is a sequence of bytes. Data can be added to or modified in existing files, and such additions may be found during investigation of the disk. A data stream may hold meaningless data or valuable evidence, placed there either intentionally or by coincidence; it is an additional attribute of files in NTFS.
A colon (:) must separate the file name from the stream name, because that is how the stream is named in the MFT:
C:\> echo text message > myfile.txt:stream1
To display the content of the data stream, use the following command:
C:\> more < myfile.txt:stream1
An alternate data stream does not appear when the user opens the file in a text editor. The only way to find out whether a data stream is present in a file is to examine the MFT entry for the file.
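As an added example (not code from the original post), the following Python builds a constructed 1 KB MFT record for myfile.txt that carries an unnamed $DATA attribute plus a named stream1 $DATA attribute, then parses it the way an examiner would: it undoes the update-sequence fixups, walks the resident/non-resident attribute headers described in the NTFS Attributes section, and lists the alternate streams that a text editor never shows. The attribute contents and the USN value are assumed sample data; the header layouts are the standard NTFS on-disk format.

```python
import struct

def _attr(atype, content, name=""):  # pack one resident attribute in NTFS on-disk layout
    nm = name.encode("utf-16-le")
    coff = (0x18 + len(nm) + 7) & ~7                             # content is 8-byte aligned after the name
    alen = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, alen, 0, len(name), 0x18, 0, 0, len(content), coff, 0)
    return (hdr + nm).ljust(coff, b"\0") + content.ljust(alen - coff, b"\0")

def build_sample_mft_record():  # constructed 1 KB FILE record for myfile.txt (sample data, not from a disk)
    fn = "myfile.txt".encode("utf-16-le")
    body = (_attr(0x30, bytes(64) + bytes([len(fn) // 2, 1]) + fn)    # $FILE_NAME: name length at 0x40, name at 0x42
            + _attr(0x80, b"text message\r\n")                       # unnamed $DATA: what an editor shows
            + _attr(0x80, b"hidden\r\n", "stream1")                  # named $DATA: the alternate data stream
            + b"\xFF\xFF\xFF\xFF")                                   # end-of-attributes marker
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    # USA offset/count, LSN, sequence no., link count, first attribute offset, flags (in use), used, allocated
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024)
    rec[0x38:0x38 + len(body)] = body
    struct.pack_into("<H", rec, 0x30, 0x4242)                        # update sequence number (USN)
    for i in (1, 2):                                                 # fixups: keep each sector's last word in
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]   # the array, overwrite it on disk with USN
        rec[512 * i - 2:512 * i] = b"\x42\x42"
    return bytes(rec)

def parse_mft_record(raw):  # undo the fixups, then walk the attribute chain
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        if rec[512 * i - 2:512 * i] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off = struct.unpack_from("<H", rec, 0x14)[0]
    info = {"name": None, "streams": []}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, off)
        aname = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)       # valid only for resident attributes
        content = None if nonres else bytes(rec[off + coff:off + coff + clen])  # non-resident: data is in clusters
        if atype == 0x30:
            info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        elif atype == 0x80:
            info["streams"].append((aname, content))
        off += alen
    return info

def alternate_streams(info):
    """Named $DATA attributes are the ADS an editor never shows; only the MFT entry reveals them."""
    return [name for name, _ in info["streams"] if name]
```

On a real image, parse_mft_record would be fed each 1 KB record starting at the MFT offset derived from the boot sector, and any file whose alternate_streams list is non-empty deserves a closer look.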
NTFS Compressed Files
Windows NT/2000 supports compression of files, folders, and NTFS volumes. Any Windows-based application can read and write files compressed on an NTFS volume without decompressing them first: decompression occurs automatically when the system or application reads the file, and compression takes place when it closes or saves the file.
The NTFS compression algorithms support cluster sizes of up to 4 KB. When the cluster size is greater than 4 KB on an NTFS volume, none of the NTFS compression functions are available.
Setting the Compression State of a Volume
- Right-click on the drive that is to be compressed and click Properties
- On the General tab, select the "Compress this drive to save disk space" check box and click Apply
- In the Confirm Attribute Changes dialog box, choose an option and click OK
Questions related to this topic
- What do you mean by NTFS file system?
- How does NTFS file system work?
- In which file system technology file level security is available?
- Why does Windows still use NTFS?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com