Data Recovery Software :: File systems :: NTFS recovery ::
NTFS Data Structures ($Volume File, $ObjId File)
$Volume File
The $Volume file is in MFT entry 3, and it has two unique attributes. They are described in this section.
Data structure for the $VOLUME_INFORMATION attribute
Windows NT used a major version of 1 and a minor version of 2. Windows 2000 used a major version of 3 and a minor version of 0. Windows XP used a major version of 3 and a minor version of 1. The flags shown in table apply to this data structure.
Flag values for the $VOLUME_INFORMATION flags field
$VOLUME_NAME Attribute
The $VOLUME_NAME attribute has a type identifier of 96 and is supposed to be allocated to only the $Volume file. It contains the name of the volume in UTF-16 Unicode and nothing else.$VOLUME_INFORMATION Attribute
The second attribute that is unique to the $Volume file is the $VOLUME_INFORMATION. This attribute contains the version of the file system. It has the fields given in table.Data structure for the $VOLUME_INFORMATION attribute
| Byte Range | Description | Essential |
| 0-7 | Unused | No |
| 8-8 | Major version | Yes |
| 9-9 | Minor version | Yes |
| 10-11 | Flags | No |
Windows NT used a major version of 1 and a minor version of 2. Windows 2000 used a major version of 3 and a minor version of 0. Windows XP used a major version of 3 and a minor version of 1. The flags shown in table apply to this data structure.
Flag values for the $VOLUME_INFORMATION flags field
| Flag | Description |
| 0x0001 | Dirty |
| 0x0002 | Resize $LogFile (NTFS file system journal) |
| 0x0004 | Upgrade volume next time |
| 0x0008 | Mounted in NT |
| 0x0010 | Deleting change journal |
| 0x0020 | Repair object IDs |
| 0x8000 | Modified by chkdsk |
$ObjId File
The file can be addressed using its object ID instead of its name. This allows a file to be renamed but still be found. The \$Extend\$ObjId file has an index named $O that correlates a file's object ID to its MFT entry. The $ObjId file is not typically located in a reserved MFT entry.
The index will have the typical $INDEX_ROOT and $INDEX_ALLOCATION attributes, and its index entries will have the fields given in table.
Data structure for the $ObjId index entries
The flags field has the standard values of 0x01 when child nodes exist and 0x02 when it is the last entry in the index entry list.
The index will have the typical $INDEX_ROOT and $INDEX_ALLOCATION attributes, and its index entries will have the fields given in table.
Data structure for the $ObjId index entries
| Byte Range | Description | Essential |
| 0-1 | Offset to file information | Yes |
| 2-3 | Size of file information | Yes |
| 4-7 | Unused | No |
| 8-9 | Size of index entry | Yes |
| 10-11 | Size of object ID (16-bytes) | Yes |
| 12-15 | Flags | Yes |
| 16-31 | Object ID | Yes |
| 32-39 | File reference | Yes |
| 40-55 | Birth volume ID | No |
| 56-71 | Birth object ID | No |
| 72-87 | Birth domain ID | No |
The flags field has the standard values of 0x01 when child nodes exist and 0x02 when it is the last entry in the index entry list.
Data recovery content
Articles
Data recovery software for anyone
Recovering digital photos and raw files
The easy way of recovering digital photos
Photo recovery made easy: now with raw support
The importance of photo recovery software
How to recover digital pictures and raw photos: an easy way
Digital photo recovery revisited: when the impossible becomes a reality
A truly universal data recovery tool
Undelete software made simple
Truly universal data recovery
Data recovery made easy with Hetman Uneraser
Hetman Uneraser restore every single bit you lost
Recovering digital photos and raw files
The easy way of recovering digital photos
Photo recovery made easy: now with raw support
The importance of photo recovery software
How to recover digital pictures and raw photos: an easy way
Digital photo recovery revisited: when the impossible becomes a reality
A truly universal data recovery tool
Undelete software made simple
Truly universal data recovery
Data recovery made easy with Hetman Uneraser
Hetman Uneraser restore every single bit you lost