Appendix F: NTFS Metafiles

| INODE # | NAME | DESCRIPTION |
| --- | --- | --- |
| 0 | $MFT | The NTFS master file table. Contains the metadata on all of the NTFS file system entities. |
| 1 | $MFTMirr | A duplicate copy of the $MFT file's first four records. |
| 2 | $LogFile | Transactional log file used for file system rollback in the event of failure during an atomic operation. |
| 3 | $Volume | Contains the serial number and time of initialization for the partition, as well as the dirty bit. The dirty bit indicates that the file system may be corrupted because Windows did not shut down properly. It is set at startup and reset as the last step during shutdown before powering off. If it is still set at startup, the OS knows that there was an improper shutdown. A set dirty bit triggers a file system integrity check through a scan of the disk and the rolling back of any interrupted transactions. |
| 4 | $AttrDef | A file containing the definitions of any file system attributes. The inclusion of this as a file allows for dynamic attribute creation and future extensibility. |
| 5 | . | The entry for the main (root) directory of the file system. |
| 6 | $Bitmap | A list (map of bits) of unused and used clusters. Marking a cluster "in use" without a reference in the $MFT can allow data hiding. |
| 7 | $Boot | A non-movable file that links to the boot sector of the partition. |
| 8 | $BadClus | A list of bad (unusable) clusters. Marking a cluster bad is another way to hide data, although sector-level copies will ignore this file's content and image bad clusters as well. |
| 9 | $Secure ($Quota on NT) | Contains the security identifiers for the file system in a single metafile. Earlier versions of NTFS (in earlier NT versions) kept this information with each individual file. |
| 10 | $UpCase | A Unicode list of capital letters used for file system sorting. |
| 11 | $Extend | A metadirectory that contains quota information, reparse point information, and a user-readable copy of the $LogFile. |
| 12–23 | Reserved | Reserved for future expandability. |
| 24 and above | Ordinary files and directories | Inodes used by the standard Windows files and directories. |
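
The $Bitmap entry above notes that a cluster marked "in use" without a reference in the $MFT can hide data. The following check for that condition is an added example, not code from the book: it assumes the run lists of every non-resident attribute have already been extracted from the $MFT records, and all function names and sample bytes are hypothetical or constructed.

```python
# Added example, not from the book: flag clusters that $Bitmap marks "in use"
# but that no MFT record's data runs reference. All sample bytes are constructed.

def decode_data_runs(runlist: bytes):
    """Decode an NTFS run list into (start_lcn, length_in_clusters) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:  # 0x00 ends the list
        len_size, off_size = runlist[pos] & 0x0F, runlist[pos] >> 4
        pos += 1
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:  # sparse run: occupies no clusters on disk
            continue
        # The offset is signed and relative to the previous run's start LCN.
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs

def allocated_clusters(bitmap: bytes, total_clusters: int):
    """Clusters marked in use; bit n (LSB first within each byte) is cluster n."""
    limit = min(total_clusters, len(bitmap) * 8)  # skip padding past volume end
    return {n for n in range(limit) if bitmap[n // 8] >> (n % 8) & 1}

def unreferenced_clusters(bitmap, total_clusters, runlists):
    """Allocated clusters that no supplied run list covers, in ascending order."""
    referenced = set()
    for runlist in runlists:
        for start, length in decode_data_runs(runlist):
            referenced.update(range(start, start + length))
    return sorted(allocated_clusters(bitmap, total_clusters) - referenced)

# Constructed 20-cluster volume whose run lists cover clusters 2-7 and 10-12.
SAMPLE_TOTAL_CLUSTERS = 20
SAMPLE_RUNLISTS = [
    bytes.fromhex("21 04 0200 00"),           # 4 clusters at LCN 2
    bytes.fromhex("11 03 0a 01 05 11 02 fc 00"),  # LCN 10 x3, sparse x5, LCN 6 x2
]
# Bits set for clusters 2-7, 10-12, 15, 16, plus padding bits 20-23.
SAMPLE_BITMAP = bytes([0xFC, 0x9C, 0xF1])

if __name__ == "__main__":
    print(unreferenced_clusters(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS, SAMPLE_RUNLISTS))
```

Run lists missed during extraction also produce hits, so the reported clusters are candidates for examination rather than proof of hidden data.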



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
EAN: 2147483647
Year: 2006
Pages: 71
Authors: Chad Steel
