MasterFile Table - Storage


Thread: MasterFile Table

  1. MasterFile Table

    I am a CS student working on a research project concerning forensic data
    recovery. The project will recover data from both Unix and Windows OS. For
    Unix I have been able to find the methodology of how files are created
    (http://www.cag.lcs.mit.edu/~rinard/osnotes/h13.html). My question concerns
    how files are generated in the NT File System. When I create a file, what
    happens? How is the MFT populated? What happens when I delete a file? How
    does the MFT know the file has been deleted?

    I have been researching this topic for several days and have been able to
    find information about the MFT. What I have not been able to find is how the
    MFT is populated.

    I don't mind doing the research, I have just run out of ideas of where to
    look.
    Please help.

    Thanks
    --
    the goal of all computer programmers should be to make life simpler for
    those using their applications.

  2. Re: MasterFile Table

    On MSDN you can start with:

    http://msdn2.microsoft.com/en-us/library/bb470206.aspx

    or

    Inside Windows Storage (Naik)

    or (my favorite)

    Windows Internals, 4th edition
    It will actually walk through the processes you describe.

    Basically, what happens when a file is created is an entry is added to the
    MFT (or a blank one is re-used). All entries are the same size and the data
    structures are described on MSDN, but basically they describe the block
    layouts of the file, etc. A file that is very small (<800 bytes or so) may
    be embedded in the MFT itself, but on modern systems this doesn't happen
    often (too much metadata embedded in the files).

    Once the MFT entry is created then the file data is written to disk. When
    the write occurs, each block on disk will be zeroed. If the write fails,
    then the MFT update is rolled back out. If a file is extended, and the
    subsequent blocks needed are non-contiguous, additional extents information
    is written to the MFT. A highly fragmented file may exceed the 1k MFT size
    limit due to the number of extents needed, in which case a second MFT entry
    is created.

    When a file is deleted, only the MFT entry is eliminated. The blocks will
    be zeroed when/if accessed later. There are APIs that may allow the
    zeroing to be skipped, but this requires that the user/thread context be
    administrator.

    From a forensic standpoint, things can get pretty tricky - Sparse Files,
    Compressed files, Encrypted Files (EFS), BitLocker (Volume encryption), and
    multi-stream files can complicate things a bit.

    In addition to the above references, you should also check out the Win32
    APIs for file management:
    CreateFile, ReadFile, WriteFile (and the Ex versions of the above as well).
    There are links to additional relevant APIs included in their writeups, but
    more importantly they have a number of flags that will provide some insight
    into the number of permutations that a given file can have on creation &
    access.


    Pat


    "frankjr" wrote in message
    news:65DD7156-2628-41EE-8E21-C8334D1A0F16@microsoft.com...
    >I am a CS student working on a research project concerning forensic data
    > recovery. The project will recover data from both Unix and Windows OS.
    > For
    > Unix I have been able to find the methodology og how files are created
    > (http://www.cag.lcs.mit.edu/~rinard/osnotes/h13.html). My question
    > concerns
    > how files are generated in the NT File System. When I create a file, what
    > happens? How is the MFT populated. What happens when I delete a file?
    > How
    > does the MFT know the file has been deleted.
    >
    > I have been researching this topic for several days and have been able to
    > find information about the MFT. What I have not been able to find is how
    > the
    > MFT is populated.
    >
    > I don't mind doing the research, I have just ran out of ideas of where to
    > look.
    > Please help.
    >
    > Thanks
    > --
    > the goal of all computer programmers should be to make life simpler for
    > those using their applications.
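    Added example (editor's note, not part of Pat's reply or of any Microsoft
    code): a small Python parser for the on-disk structures Pat describes, so
    that the "entry added to the MFT", "small file embedded in the MFT" and
    "extents written to the MFT" steps can be seen in bytes. It reads one
    1 KB FILE record, undoes the update-sequence fixups, decodes a resident
    $DATA attribute (the tiny-file case) and a non-resident run list (the
    fragmented-file case), and reports the in-use flag that a delete clears.
    The two sample records are constructed in the script with a builder,
    not taken from a real volume; the layout offsets are the public NTFS
    record and attribute formats.

```python
import struct

# Public NTFS on-disk constants (FILE record header, attribute header).
RECORD_SIZE, SECTOR_SIZE, CLUSTER_SIZE = 1024, 512, 4096
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02


def apply_fixups(record: bytes) -> bytes:
    """NTFS overwrites the last 2 bytes of every sector with the update sequence
    number (USN) and keeps the real bytes in the update sequence array (USA), so a
    torn write is detectable. Restore the real bytes before reading any field."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or not an MFT record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def decode_data_runs(runs: bytes) -> list:
    """Run list -> [(lcn, clusters)]; lcn is None for a sparse run. Each header
    byte packs length-field size (low nibble) and offset-field size (high nibble);
    the offset is a signed delta from the previous run's starting LCN."""
    extents, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((None, count))
        else:
            lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            extents.append((lcn, count))
    return extents


def parse_record(raw: bytes) -> dict:
    """Parse one FILE record: in-use/directory flags plus every attribute, either
    as resident content (small files live inside the MFT) or as cluster extents."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY), "attributes": []}
    pos = first_attr
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        attr = {"type": atype, "non_resident": bool(rec[pos + 8])}
        if not attr["non_resident"]:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff:pos + coff + clen]
            attr["content"] = content
            if atype == ATTR_FILE_NAME:  # name length at 0x40, UTF-16LE name at 0x42
                attr["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        else:
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            attr["real_size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            attr["extents"] = decode_data_runs(rec[pos + runs_off:pos + alen])
        info["attributes"].append(attr)
        pos += alen
    return info


# --- Constructed sample records (built here, not copied from a real disk) ----
def _pad8(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 8)

def resident_attr(atype: int, content: bytes) -> bytes:
    body = _pad8(content)
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0, 0) + body

def nonresident_attr(atype: int, runs: bytes, real_size: int, clusters: int) -> bytes:
    body = _pad8(runs)
    return (struct.pack("<IIBBHHH", atype, 0x40 + len(body), 1, 0, 0x40, 0, 0)
            + struct.pack("<QQHHIQQQ", 0, clusters - 1, 0x40, 0, 0,
                          clusters * CLUSTER_SIZE, real_size, real_size) + body)

def build_record(number: int, in_use: bool, attrs: list) -> bytes:
    body = b"".join(attrs) + struct.pack("<II", ATTR_END, 0)
    flags = FLAG_IN_USE if in_use else 0
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, flags,
                                0x38 + len(body), RECORD_SIZE, 0, 0, 0, number)
    rec = bytearray((hdr + b"\x00" * 8 + body).ljust(RECORD_SIZE, b"\x00"))
    usn = b"\x07\x00"
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]  # USA keeps the real bytes
    rec[510:512] = usn                                     # sector tails carry the USN
    rec[1022:1024] = usn
    return bytes(rec)

def filename_content(name: str) -> bytes:
    return b"\x00" * 0x40 + bytes([len(name), 1]) + name.encode("utf-16-le")

# A tiny live file whose data sits inside its MFT record (no clusters at all) ...
SMALL_FILE = build_record(64, True, [
    resident_attr(ATTR_FILE_NAME, filename_content("note.txt")),
    resident_attr(ATTR_DATA, b"hello, mft")])
# ... and a deleted, fragmented file: 4 clusters at LCN 4096, then 2 clusters at
# LCN 4080 (negative delta), then a 3-cluster sparse hole. Its name and run list
# survive in the record until NTFS reuses it, which is what makes recovery possible.
DELETED_FILE = build_record(65, False, [
    resident_attr(ATTR_FILE_NAME, filename_content("big.bin")),
    nonresident_attr(ATTR_DATA, bytes.fromhex("21040010" "1102f0" "0103" "00"), 30000, 9)])
```

    To run it against a real volume you would read $MFT in 1 KB chunks and feed
    each chunk to parse_record; records whose in-use flag is clear but whose
    $DATA extents still decode are the deleted files Pat mentions, and the
    fixup check is what tells you a record was torn rather than merely stale.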



  3. Re: MasterFile Table

    Thank you Pat.

    --
    the goal of all computer programmers should be to make life simpler for
    those using their applications.


    "Pat [MSFT]" wrote:

    > On MSDN you can start with:
    >
    > http://msdn2.microsoft.com/en-us/library/bb470206.aspx
    >
    > or
    >
    > Inside Windows Storage (Naik)
    >
    > or (my favorite)
    >
    > Windows Internals, 4th edition
    > It will actually walk through the processes you describe.
    >
    > Basically, what happens when a file is created is an entry is added to the
    > MFT (or a blank one is re-used). All entries are the same size and the data
    > structures are described on MSDN, but basically they describe the block
    > layouts of the file, etc. A file that is very small (<800 bytes or so) may
    > be imbedded in the MFT itself, but on modern systems this doesn't happen
    > often (too much metadata embedded in the files).
    >
    > Once the MFT entry is created then the file data is written to disk. When
    > the write occurs, each block on disk will be zero'd. If the write fails,
    > then the MFT update is rolled back out. If a file is extended, and the
    > subsequent blocks needed are non-contiguous, additional extents information
    > is written to the MFT. A highly fragmented file may exceed the 1k MFT size
    > limit due to the number of extents needed, in which case a second MFT entry
    > is created.
    >
    > When a file is deleted, only the MFT entry is eliminated. The blocks will
    > be zero'd when/if accessed later. There are API's that may allow the
    > zero'ing to be skipped, but this requires that the user/thread context be
    > administrator.
    >
    > From a forensic standpoint, things can get pretty tricky - Sparse Files,
    > Compressed files, Encrypted Files (EFS), BitLocker (Volume encryption), and
    > multi-stream files can complicate things a bit.
    >
    > In addition to the above references, you should also check out the Win32
    > APIs for file management:
    > CreateFile, ReadFile, WriteFile (and the Ex versions of the above as well).
    > There are links to additional relevant APIs included in their writeups, but
    > more importantly they have a number of flags that will provide some insight
    > into the number of permutations that a given file can have on creation &
    > access.
    >
    >
    > Pat
    >
    >
    > "frankjr" wrote in message
    > news:65DD7156-2628-41EE-8E21-C8334D1A0F16@microsoft.com...
    > >I am a CS student working on a research project concerning forensic data
    > > recovery. The project will recover data from both Unix and Windows OS.
    > > For
    > > Unix I have been able to find the methodology og how files are created
    > > (http://www.cag.lcs.mit.edu/~rinard/osnotes/h13.html). My question
    > > concerns
    > > how files are generated in the NT File System. When I create a file, what
    > > happens? How is the MFT populated. What happens when I delete a file?
    > > How
    > > does the MFT know the file has been deleted.
    > >
    > > I have been researching this topic for several days and have been able to
    > > find information about the MFT. What I have not been able to find is how
    > > the
    > > MFT is populated.
    > >
    > > I don't mind doing the research, I have just ran out of ideas of where to
    > > look.
    > > Please help.
    > >
    > > Thanks
    > > --
    > > the goal of all computer programmers should be to make life simpler for
    > > those using their applications.


