NTFS
NTFS (New Technology File System) is Windows NT's native file system. Based on HPFS, it adds support for journaling, encryption, sparse files, transparent compression and security features such as access control lists. Filenames are encoded in UTF-16 and are case-insensitive, with a length limit of 255 code points; the characters /\:*"?<>| and null (\0) are reserved.
About
NTFS doesn't only add security features to HPFS; it also has a lot more built-in redundancy. In HPFS, for example, wiping out a sector in the wrong place can render the entire volume inaccessible. Support for multiple hard links to a file was also added (before NTFS, the only easy access was through the POSIX subsystem, but Windows 2000 (NT 5) added this to Win32 as well).
NTFS supports an arbitrary number of file forks (much like Mac OS, except Mac OS always has exactly 2 forks for each file).
HPFS decrees that a cluster is always 512 bytes long and a cluster is always one sector. For the sake of performance and compatibility with some (especially Japanese) machines, NTFS allows sectors of different sizes. It also supports clusters of more than one sector, which can benefit performance.
In short, NTFS' most significant changes:
- Better and more security.
- Multiple hard-links to one file.
- An arbitrary number of forks.
- Variable cluster and sector sizes (usually resulting in better performance).
Implementation
Due to its proprietary nature and lack of documentation, NTFS is a difficult file system to implement.
The NTFS-3G project (GPLv2-licensed) provides a FUSE-based read/write implementation of the filesystem for Linux, BSD, macOS and other operating systems. Linux has also supported NTFS natively through the NTFS3 read/write driver since version 5.15.
Structure
The NTFS format is built around "file" tables that allow both pre-defined and custom attributes to be stored and read by the operating system.
The NTFS boot sector is similar to other file systems, like FAT.
| Field | Type |
|---|---|
| JMP | int8_t[3] |
| OEM System | char[8] |
| Bytes Per Sector | uint16_t |
| Sectors Per Cluster | int8_t |
| Reserved Sector Count | uint16_t |
| Table Count | int8_t |
| Root Entry Count | uint16_t |
| Sector Count | uint16_t |
| Media Type | int8_t |
| Sectors Per Table | uint16_t |
| Sectors Per Track | uint16_t |
| Heads | uint16_t |
| Hidden Sector Count | uint32_t |
| Sector Count (32-bit) | uint32_t |
| Reserved | uint32_t |
| Sector Count (64-bit) | uint64_t |
This is followed immediately by an NTFS-specific header.
| Field | Type |
|---|---|
| Master File Table Cluster | uint64_t |
| Master File Table Mirror Cluster | uint64_t |
| Clusters Per Record | int8_t |
| Reserved | int8_t[3] |
| Clusters Per Index Buffer | int8_t |
| Reserved | int8_t[3] |
| Serial Number | uint64_t |
| Checksum | uint32_t |
Using the "Master File Table Cluster" and "Sectors Per Cluster" values, you can find the Master File Table. This table contains entries for every object in the file system, including files, folders, and the tables themselves. The size of each record in the Master File Table can be calculated using the "Clusters Per Record" and "Sectors Per Cluster" fields from the boot sector.
Each record starts with the same header structure.
| Field | Type |
|---|---|
| Record Type | char[4] |
| Update Sequence Offset | uint16_t |
| Update Sequence Length | uint16_t |
| Log File Sequence Number | uint64_t |
| Record Sequence Number | uint16_t |
| Hard Link Count | uint16_t |
| Attributes Offset | uint16_t |
| Flags | uint16_t |
| Bytes In Use | uint32_t |
| Bytes Allocated | uint32_t |
| Parent Record Number | uint64_t |
| Next Attribute Index | uint32_t |
| Reserved | uint32_t |
| Record Number | uint64_t |
The remainder of the file record contains additional tables and data for this record. The "Attributes Offset" field contains the byte offset (from the start of the record) of the beginning of the attribute list for this record.
Attributes have a variable length, but always start with the same sequence.
| Field | Type |
|---|---|
| Attribute Type | uint32_t |
If the "Attribute Type" field contains the value 0xffffffff, this marks the end of the attribute list. Otherwise, the attribute sequence continues with the length of the attribute "record".
| Field | Type |
|---|---|
| Attribute Length | uint32_t |
This length value defines the total length of the attribute record, including the "Attribute Type" and "Attribute Length" fields.
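The attribute walk described above, as an added example (not code from this page or from any NTFS driver): a bounds-checked C routine for records read from an untrusted volume, where a zero or oversized "Attribute Length" must not hang or overrun the parser. It uses the byte offsets that follow from the record header table (Attributes Offset at 20, Bytes In Use at 24); the function name, the sample record and its type values 0x10 and 0x80 are constructed for illustration, and update sequence fixups are assumed to be already applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_END 0xffffffffu
struct ntfs_attr { uint32_t type, offset, length; };
/* Little-endian reads that do not assume alignment. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Stores up to max attributes in out; returns the number found, or -1 if the
 * record is malformed. Assumes update sequence fixups were already applied. */
int ntfs_list_attributes(const uint8_t *rec, size_t size, struct ntfs_attr *out, int max)
{
    if (size < 32) return -1;                  /* header fields read below must exist */
    uint32_t used = rd32(rec + 24);            /* Bytes In Use */
    uint32_t off = rd16(rec + 20);             /* Attributes Offset */
    if (used > size || off < 32 || off > used) return -1;
    for (int n = 0;; n++) {
        if (used - off < 4) return -1;         /* record ended before the end marker */
        uint32_t type = rd32(rec + off);
        if (type == ATTR_END) return n;
        if (used - off < 8) return -1;         /* no room for Attribute Length */
        uint32_t len = rd32(rec + off + 4);
        if (len < 8 || len > used - off) return -1; /* too short never advances; too long overruns */
        if (n < max) out[n] = (struct ntfs_attr){ type, off, len };
        off += len;
    }
}

/* Constructed 1024-byte sample record (not from a real volume). */
static const uint8_t sample[1024] = {
    'F', 'I', 'L', 'E',                        /* Record Type */
    [20] = 56,                                 /* Attributes Offset */
    [24] = 104,                                /* Bytes In Use */
    [56] = 0x10, [60] = 24,                    /* attribute 1: type, length */
    [80] = 0x80, [84] = 16,                    /* attribute 2: type, length */
    [96] = 0xff, 0xff, 0xff, 0xff,             /* end marker */
};

int main(void)
{
    uint8_t rec[sizeof sample];
    struct ntfs_attr a[8];
    memcpy(rec, sample, sizeof rec);
    printf("well-formed: %d attributes\n", ntfs_list_attributes(rec, sizeof rec, a, 8));
    rec[84] = 0;                               /* corrupt the second Attribute Length */
    printf("zero length: %d\n", ntfs_list_attributes(rec, sizeof rec, a, 8));
}
```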
External Links
- Guide to NTFS
- NTFS Documentation, reverse-engineered, originally for the Linux-NTFS project.
- Cheat sheet
- The Linux NTFS project
- NTFS-3G Read/Write Drivers For Linux/FreeBSD/BeOS
- Linux fs/ntfs tree
- Apple Open Source NTFS site
- libfsntfs library documentation