IT 4100 : File Systems and Storage Technologies
NTFS
Preliminary
- New Technology File System
- First introduced in 1993
- Used in Windows XP through windows 10.
About
- Can support hard drives of almost 16 EB
- Individual file size of 256TB
- Supports disk quotas
- Supports Encrypting File System (EFS)
- Can encrypt individual files (different than full-disk encryption)
- Allows file ACL’s (permissions)
NTFS Journaling
- Journaling provides a way for system changes to be written to a log, or a journal, before the changes are actually written. This allows the file system to revert to previous, well-working conditions in the event of a failure because the new changes have yet to be committed.
NTFS
When formatted the disk will consist of the following:
- partition boot sector
- Master file table
- System files
- File Area
NTFS boot sector
- First 16 sectors
- Includes the bootstrap code
- Last sector of the NTFS partition contains a copy of the boot sector.
NTFS Master file table
- There is at least one entry in the MFT for every file on an NTFS file system volume
- All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
NTFS System files
- A system file is one used by the file system to store its metadata and to implement the file system.
- System files are placed on the volume by the Format utility.
NTFS tidbits
- They are capable of supporting alternate data streams (we did this in ethical hacking)
- http://www.ntfs.com/ntfs-multiple.htm
- Could be used for valid data, can also be used to hide stuff.
- When files are deleted from an NTFS file system volume, their MFT entries are marked as free and may be reused. However, disk space that has been allocated for these entries is not reallocated, and the size of the MFT does not decrease. (So you could recover your file)
NTFS EFS
- Encrypts files and folders (transparently)
- You have to turn it on.