
Lecture # 40: Creation of A File On NTFS

The document discusses the creation of a file on an NTFS volume. It shows the contents of the Master File Table (MFT) entry for the newly created file named "TEST.TXT". It also displays the boot sector contents of the NTFS volume, which contains the Boot Parameter Block (BPB) that provides metadata about the volume.

Uploaded by

api-3812413
Copyright
© Attribution Non-Commercial (BY-NC)

System Programming Course Code: CS609


Lecture # 40

In the following example a file is created and its entry is then located in the MFT. The
following slide shows that the file created is named TEST.TXT.

Creation of a File on NTFS Volume

This slide shows the contents of the file created.

Creation of a File on NTFS Volume

Virtual University of Pakistan 64



The first logical block is read to obtain the contents of the BPB in NTFS. The following
slide shows the contents of the boot block for this volume.

Boot Sector of the Volume

The following slides show various parameters obtained from the BPB.


Sector Per Cluster = 0008
MFT Cluster # = 000c0000h = 786432


For NTFS, the following formula is used to translate a cluster number into a sector
number.

Determining the Sector # from Cluster #

Sector # = Cluster # * Sector Per Cluster

The following slide shows how the sector number for the MFT on this volume was
calculated. The first block of the MFT on this volume is 6291456.

Disassembling the File

MFT Cluster # * 8 = Sector

786432 * 8 = 6291456

6291520
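
The BPB lookup and the cluster-to-sector conversion above, as an added C example that is not part of the original lecture. The field offsets are those of the standard NTFS boot sector; the sample sector is constructed with only those fields filled in, and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* BPB fields are little-endian and unaligned, so read them byte by byte. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

struct ntfs_bpb {
    uint16_t bytes_per_sector;     /* offset 0x0B, 2 bytes */
    uint8_t  sectors_per_cluster;  /* offset 0x0D, 1 byte  */
    uint64_t total_sectors;        /* offset 0x28, 8 bytes */
    uint64_t mft_cluster;          /* offset 0x30, 8 bytes */
};

/* Parse and sanity-check a 512-byte NTFS boot sector; 0 means success. */
int parse_ntfs_bpb(const uint8_t *sec, struct ntfs_bpb *out) {
    uint8_t spc = sec[0x0D];
    if (memcmp(sec + 3, "NTFS    ", 8) != 0) return -1;   /* OEM ID */
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -2;  /* end signature */
    if (spc == 0 || (spc & (spc - 1)) != 0) return -3;    /* not a power of two */
    out->bytes_per_sector = (uint16_t)rd_le(sec + 0x0B, 2);
    out->sectors_per_cluster = spc;
    out->total_sectors = rd_le(sec + 0x28, 8);
    out->mft_cluster = rd_le(sec + 0x30, 8);
    return 0;
}

/* Sector # = Cluster # * Sector Per Cluster. Rejects arithmetic overflow
   and results that fall outside the volume; 0 means success. */
int cluster_to_sector(const struct ntfs_bpb *b, uint64_t cluster, uint64_t *sector) {
    if (cluster > UINT64_MAX / b->sectors_per_cluster) return -1;
    *sector = cluster * b->sectors_per_cluster;
    return *sector < b->total_sectors ? 0 : -2;
}

/* Constructed sample sector: only the fields read above are filled in,
   with 8 sectors per cluster and the MFT at cluster 0x000C0000. */
void make_sample_boot_sector(uint8_t *sec) {
    memset(sec, 0, 512);
    memcpy(sec + 3, "NTFS    ", 8);
    sec[0x0C] = 0x02;                            /* 00 02 -> 512 bytes per sector */
    sec[0x0D] = 0x08;
    memcpy(sec + 0x28, "\x44\xA2\xD7\x01", 4);   /* total sectors (constructed) */
    sec[0x32] = 0x0C;                            /* 00 00 0C 00 -> 0x000C0000 */
    sec[510] = 0x55; sec[511] = 0xAA;
}
```
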


Starting from block number 6291456, the entries were searched for TEST.TXT, and this
file's entry was found at block number 6291520.


The dump of this entry shows that the file name as well as the contents of the file are
stored in the entry itself. Had the file been larger, it would not have been possible to store
its contents in this entry, so other clusters would have been used and their indexes would
have been kept in the entry.
As an exercise, one can try to find the subfolders and the contents of the files stored
in them.
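
Reading resident content out of an MFT entry, as described above, in an added C example that is not part of the original lecture. The header and attribute field offsets follow the standard NTFS record layout; the sample record is constructed and simplified, the function names are hypothetical, and update-sequence fix-ups are not applied.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

#define ATTR_DATA 0x80u         /* $DATA attribute type */
#define ATTR_END  0xFFFFFFFFu   /* end-of-attributes marker */

/* Walk the attributes of one MFT record and return the content of the first
   attribute of the wanted type when it is resident (stored in the record).
   Returns NULL for a malformed record, a missing attribute, or non-resident
   content. Every offset and length is checked against the record size. */
const uint8_t *find_resident(const uint8_t *rec, uint32_t len,
                             uint32_t type, uint32_t *clen) {
    if (len < 0x30 || memcmp(rec, "FILE", 4) != 0) return NULL;
    uint32_t off = rd16(rec + 0x14);          /* offset of first attribute */
    uint32_t used = rd32(rec + 0x18);         /* bytes of the record in use */
    if (used < 0x30 || used > len) return NULL;
    while (off <= used - 8) {
        uint32_t atype = rd32(rec + off), alen = rd32(rec + off + 4);
        if (atype == ATTR_END) return NULL;
        if (alen < 0x18 || alen > used - off) return NULL;
        if (atype == type) {
            if (rec[off + 8] != 0) return NULL;       /* non-resident flag */
            uint32_t n = rd32(rec + off + 0x10);      /* content length */
            uint32_t coff = rd16(rec + off + 0x14);   /* content offset */
            if (coff > alen || n > alen - coff) return NULL;
            *clen = n;
            return rec + off + coff;
        }
        off += alen;
    }
    return NULL;
}

/* Constructed sample (not a disk dump): header, one resident $DATA attribute
   at 0x38 holding a short text, end marker. rec needs at least 128 bytes. */
void make_sample_record(uint8_t *rec) {
    static const char text[] = "hello this is a NTFS test file";
    uint8_t n = sizeof text - 1, a = 0x38, alen = 0x38;
    memset(rec, 0, 128);
    memcpy(rec, "FILE", 4);
    rec[0x14] = a;                       /* first attribute offset */
    rec[0x18] = a + alen + 8;            /* used size: 0x78 */
    rec[a] = ATTR_DATA;  rec[a + 4] = alen;
    rec[a + 0x10] = n;   rec[a + 0x14] = 0x18;
    memcpy(rec + a + 0x18, text, n);
    memset(rec + a + alen, 0xFF, 4);     /* ATTR_END */
}
```
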


The following slides explain how the NTFS volume can be accessed in DOS. Normally it
cannot be accessed if the system has booted in DOS, as the DOS device drivers do not
understand NTFS.

Accessing NTFS volume in DOS

• An NTFS volume cannot be accessed in DOS using DOS-based functions like absread( ) etc.
• DOS device drivers do not understand the NTFS data structures like MFT etc.
• If an NTFS volume is accessed in DOS, it will fire the error of Invalid Media.

How to Access NTFS volume using BIOS Functions

• If the system has booted in DOS then an NTFS volume can be accessed by an Indirect
Method, using BIOS functions.
• This technique makes use of physical addresses.
• Sectors can be accessed by converting their LSN into an LBA address and then using the
LBA address in extended BIOS functions to access the disk sectors.


Translating LSN to LBA

[Diagram labels: Hidden Blocks; Other File System; NTFS Partition; Block; No. of Physical Blocks for other Partition]

LBA = No. of Physical Blocks in other Partition + Hidden Blocks + LSN

• All this information can be retrieved from the Partition Table + Boot Block
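
The LSN-to-LBA translation above, as an added C example that is not part of the original lecture. It assumes a primary partition, whose partition table entry stores the absolute first sector (the other partition's blocks plus the hidden blocks); the extended read is taken to be INT 13h AH=42h with its 16-byte Disk Address Packet, which the lecture does not name. The MBR is constructed and the function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Disk Address Packet for the extended read, INT 13h AH=42h (16 bytes). */
struct dap {
    uint8_t  size, reserved;
    uint16_t sectors;
    uint16_t buf_offset, buf_segment;   /* real-mode buffer address */
    uint64_t lba;
};

/* Read primary partition entry idx (0..3) from the MBR and return its first
   sector and length if its type byte is 0x07 (NTFS/HPFS/exFAT family). */
int ntfs_partition(const uint8_t *mbr, int idx, uint32_t *start, uint32_t *count) {
    if (idx < 0 || idx > 3) return -1;
    if (mbr[510] != 0x55 || mbr[511] != 0xAA) return -2;
    const uint8_t *e = mbr + 0x1BE + 16 * idx;
    if (e[4] != 0x07) return -3;
    *start = rd32(e + 8);     /* blocks before this partition, hidden ones included */
    *count = rd32(e + 12);
    return 0;
}

/* LBA = blocks before the partition + LSN. An LSN range that leaves the
   partition is refused so it cannot address another partition's sectors. */
int lsn_to_dap(uint32_t start, uint32_t count, uint64_t lsn, uint16_t n, struct dap *d) {
    if (n == 0 || lsn >= count || n > count - lsn) return -1;
    memset(d, 0, sizeof *d);
    d->size = 0x10;
    d->sectors = n;
    d->lba = (uint64_t)start + lsn;
    return 0;
}

/* Constructed MBR: entry 0 is another file system (type 0x0B) of 2000000
   blocks after 63 hidden blocks; entry 1 is the NTFS partition after it. */
void make_sample_mbr(uint8_t *mbr) {
    memset(mbr, 0, 512);
    uint8_t *e0 = mbr + 0x1BE, *e1 = e0 + 16;
    e0[4] = 0x0B; memcpy(e0 + 8, "\x3F\x00\x00\x00\x80\x84\x1E\x00", 8);
    e1[4] = 0x07; memcpy(e1 + 8, "\xBF\x84\x1E\x00\x48\xA2\xD7\x01", 8);
    mbr[510] = 0x55; mbr[511] = 0xAA;
}
```
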
