NTFS Data Structures (Fixup Values, $MFT File)

Before we look at any specific NTFS data structure, we need to discuss a storage technique that is used for increased reliability. NTFS incorporates fixup values into data structures that are over one sector in length. With fixup values, the last two bytes of each sector in large data structures are replaced with a signature value when the data structure is written to disk. The signature is later used to verify the integrity of the data by verifying that all sectors have the same signature. Note that fixups are used only in data structures and not in sectors that contain file content.

The data structures that use fixups have header fields that identify the current 16-bit signature value and an array that contains the original values. When the data structure is written to disk, the signature value is incremented by one, the last two bytes of each sector are copied to the array, and the signature value is written to the last two bytes of each sector. When reading the data structure, the OS should verify that the last two bytes of each sector are equal to the signature value, and the original values are then replaced from the array.

Fixups are used to detect damaged sectors and corrupt data structures. If only one sector of a multi-sector data structure was written, the fixup will be different from the signature, and the OS will know that the data are corrupt. When we dissect our example file system, we will need to first replace the signature values.

$MFT File

The $MFT file is located in MFT entry 0 and was already discussed in the beginning of this chapter because it is crucial to every file in the file system. It has the standard attributes, and the $DATA attribute is the MFT.

The one unique attribute of $MFT is a $BITMAP attribute, which is used to manage the allocation status of MFT entries. It is organized by bytes, and when a bit is set to 1 the entry is allocated. Otherwise, when the bit is 0 the entry is not allocated.