Understanding NTFS Data Blocks, MFT, and File System Areas
Understanding Data Blocks and Their Contents
Data blocks are pointers to the blocks containing the data for an i-node. The first twelve pointers point to the physical blocks containing data described by the i-node, and the last three pointers contain increasing levels of indirection.
Why is Data Fragmentation Less in ext2 Compared to FAT?
ext2 brings together a number of sequential blocks in a group called a block group (BG) and keeps a file's blocks together as much as possible. FAT, however, places the file wherever slots are available, without trying to keep its blocks together.
NTFS and ACLs Explained
- NTFS: New Technology File System.
- ACLs: Access Control Lists.
File System Areas and Their Roles
- Partition Boot Sector: Can occupy several sectors. It contains the layout of the volume and the file system structure, including the location of the MFT and MFT2, and contains the boot code.
- MFT (Master File Table): Contains information on files, directories, and space.
- MTT: A list of all the contents of the NTFS volume organized as a set of rows in a relational database structure.
- System Files: Contains MFT2, a copy of the first three rows of the MFT to ensure access in case of failure, and a bitmap showing which blocks are in use.
- File Area: The area where data in files and directories is stored.
Function and Content of the MFT
The MFT stores information on the files and directories on the volume. It is a table where each entry contains information about a file or directory. The first 16 entries are reserved for special information, describing the MFT itself and the log file. The rest of the first 16 entries contain the attribute definitions, the root directory, the bitmap, and the defective clusters.
Contents of $LogFile, $, $Bitmap, and $MFTMirr
- $LogFile: Contains a list of operation steps used for NTFS recoverability. The size depends on the volume size and can be 4 MB or larger. It is used by Windows NT/2000 to restore the consistency of NTFS after a system failure.
- $: The root folder.
- $Bitmap: A representation of the volume showing which clusters are in use.
- $MFTMirr: Contains a duplicate image of the first four records of the MFT, guaranteeing access in case of failure.
Reasons for Less Data Fragmentation in NTFS Compared to FAT
NTFS allocates file space in consecutive clusters of blocks, unlike FAT’s individual clustering.
Why and Where is an NTFS Boot Sector Duplicated?
The duplicate boot sector is in the logical center of the disk to ensure access to the MFT in case of system failure and to recover the system.
Information Stored in the MFT for Each File
Standard information (properties and dates), the file’s name, security descriptor (access control list), and the data (if it fits in the entry) are stored in the MFT.
How Small and Large Files are Saved on NTFS
Small files that fit within the corresponding entry in the MFT are stored there. Large files have their data stored outside the MFT, with pointers to extents. Each pointer contains the location of a block extent and its length. Because the blocks of an extent are contiguous, reading one doesn’t require knowing what is next. If the file is too large to store all pointers, pointers to other records of the MFT are used.
An extent is a set of contiguous blocks (clusters) containing the file data.
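The extent pointers described above can be decoded by hand when examining an MFT entry during forensic work. The following is an added example, not code from the original page: it assumes the standard NTFS on-disk run-list encoding (a header byte whose low nibble gives the size of the length field and whose high nibble gives the size of a signed offset relative to the previous extent), which the page itself does not describe. The function names and the sample bytes are constructed for illustration.

```python
# Added example: decode an NTFS run list (the extent pointers of a non-resident attribute).

def decode_data_runs(runlist: bytes):
    """Return [(start_lcn, length_in_clusters), ...]; start_lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:   # 0x00 terminates the list
        header = runlist[pos]
        len_size = header & 0x0F      # low nibble: bytes used by the length field
        off_size = header >> 4        # high nibble: bytes used by the offset field
        end = pos + 1 + len_size + off_size
        if len_size == 0 or len_size > 8 or off_size > 8 or end > len(runlist):
            raise ValueError(f"malformed run header 0x{header:02x} at byte {pos}")
        length = int.from_bytes(runlist[pos + 1:pos + 1 + len_size], "little")
        if off_size == 0:
            runs.append((None, length))          # sparse run: no clusters allocated
        else:
            # Offset is signed and relative to the start of the previous extent.
            lcn += int.from_bytes(runlist[pos + 1 + len_size:end], "little", signed=True)
            if lcn < 0:
                raise ValueError(f"run at byte {pos} points before the start of the volume")
            runs.append((lcn, length))
        pos = end
    return runs


def vcn_to_lcn(runs, vcn):
    """Map a cluster index inside the file (VCN) to its cluster on the volume (LCN)."""
    base = 0
    for start, length in runs:
        if vcn < base + length:
            return None if start is None else start + (vcn - base)
        base += length
    raise IndexError(f"VCN {vcn} is past the end of the file")


# Constructed sample: three runs followed by the 0x00 terminator.
SAMPLE_RUNLIST = bytes.fromhex("21183456" "1108f0" "0104" "00")

if __name__ == "__main__":
    for start, length in decode_data_runs(SAMPLE_RUNLIST):
        where = "sparse" if start is None else f"LCN {start}"
        print(f"{length:>3} clusters at {where}")
```

The second run in the sample has a negative offset, so its extent lies before the first one on disk; a decoder that treats offsets as unsigned would follow it to the wrong clusters.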