Windows File System Internals (NTFS)

Objective: The NTFS (New Technology File System) is the default file system for modern Windows versions, designed to be secure, scalable, recoverable, and rich in metadata support.

Overview

The NTFS (New Technology File System) is the default file system for modern Windows versions, designed to be secure, scalable, recoverable, and rich in metadata support. Unlike FAT32 or exFAT, NTFS introduces complex data structures, a journaled metadata system, access control lists (ACLs), hard/soft links, and alternate data streams (ADS).

Key NTFS Features

FeatureDescription
Metadata-drivenEvery file and directory is stored as a metadata record in the MFT
JournalingChanges to critical metadata are recorded in the $LogFile before being committed
SecurityFull support for file permissions, ACLs, and encryption (EFS)
ADS (Alternate Data Streams)Allows multiple data streams per file
Compression & EncryptionBuilt-in per-file compression and support for EFS
Hard Links & Reparse PointsAdvanced linking and symbolic path redirection features
Sparse FilesSupport for efficiently handling large files with empty regions

The Master File Table (MFT)

At the heart of NTFS is the MFT (Master File Table). Think of it as the central database of the entire file system. Every file, folder, and metadata structure is stored as an MFT record, including internal system files.

MFT Layout

Each record in the MFT is 1024 bytes and contains:

  • File metadata (timestamps, size, attributes)
  • Pointers to the file’s data blocks (runs)
  • Named streams (e.g., ::$DATA)
  • File name entries (long and short names)

Key System Files in the MFT

Entry NamePurpose
$MFTThe Master File Table itself
$BitmapTracks which clusters are used/free
$LogFileJournals metadata changes
$SecureSecurity descriptors and ACLs
$VolumeVolume info (version, dirty flag)
$AttrDefList of valid attributes
$ExtendHouses extended features (like quotas, EFS, USN Journal)

File Record Attributes

Each NTFS file has a set of attributes that describe both the file and its contents. Attributes are stored either resident (inside the MFT entry) or non-resident (stored in separate clusters).

Common Attributes:

AttributeDescription
STANDARD_INFORMATIONBasic timestamps and permission flags
FILE_NAMELong and short name entries
DATAThe file’s actual data (can be named streams)
OBJECT_IDUnique identifier for tracking
SECURITY_DESCRIPTORNTFS ACLs
ATTRIBUTE_LISTUsed if the record can’t fit in one MFT entry

Resident Data

  • Small files (<700 bytes) are stored directly in the MFT.

Non-Resident Data

  • Larger files are stored elsewhere on disk and referenced via “data runs”.

File Metadata and Timestamps

NTFS tracks multiple timestamps:

  • Created: File creation time
  • Modified: Last content modification
  • MFT Changed: When metadata was last changed
  • Accessed: Last file access time

These are stored in STANDARD_INFORMATION and FILE_NAME attributes. Tools like MFTECmd or FTK Imager extract these for forensic timelines.

Alternate Data Streams (ADS)

NTFS supports multiple unnamed or named data streams in a single file. The main stream is usually :$DATA, but you can add hidden ones.

Example:

echo "secret" > notepad.txt:hidden
type notepad.txt:hidden

Forensics Concern:

  • ADS are often used to hide payloads or staging binaries.
  • dir /R will list streams in Windows.

Directory Structure & Indexing

NTFS directories are files themselves with INDEX_ROOT and INDEX_ALLOCATION attributes.

  • Small directories store entries directly inside the MFT (INDEX_ROOT)
  • Large directories spill over to other clusters (INDEX_ALLOCATION)

This design allows binary search indexing (B-tree like) instead of linear scanning.

Journaling with $LogFile

NTFS is a journaling file system.

  • $LogFile stores redo/undo logs for critical metadata changes.
  • Ensures metadata integrity after a power failure or crash.
  • Does not journal actual file content, only structural data.

This mechanism supports transactional consistency for files.

NTFS Recovery Concepts

NTFS uses a few safety mechanisms:

  1. $LogFile Recovery
    • Replay undo/redo entries post-crash
  2. CHKDSK
    • Scans metadata for inconsistencies
    • Can fix MFT, indexes, bitmap mismatches
  3. Volume Dirty Bit
    • Flag inside $Volume that triggers auto-CHKDSK

USN Journal (Change Journal)

Located in: $Extend\$UsnJrnl

  • Tracks all file-level changes (created, renamed, modified, deleted)
  • Used by tools like antivirus, backup software, and forensic tools
  • Each event is indexed by USN ID and timestamp

Enable / Query USN Journal:

fsutil usn queryjournal C:

NTFS Object IDs & Reparse Points

  • Object IDs: Unique GUIDs for file tracking
  • Reparse Points: Used for symbolic links, junctions, OneDrive placeholders

Types of reparse tags:

  • IO_REPARSE_TAG_SYMLINK – Symbolic link
  • IO_REPARSE_TAG_MOUNT_POINT – Junction
  • IO_REPARSE_TAG_APPEXECLINK – App execution alias

You can create symbolic links using:

mklink file2.txt file1.txt

Common NTFS Attacks and Abuses

Abuse TechniqueDescription
ADS PersistenceHide malicious DLLs or scripts in alternate streams
MFT Record AbuseCreate thousands of MFT entries to trigger slowdowns or detection blind spots
Symbolic Link HijackAbuse reparse points to redirect execution
USN Journal WipeDelete forensic history using low-level tools

Low-Level Tools for NTFS Exploration

ToolPurpose
NTFSInfo (Sysinternals)View cluster sizes, MFT layout
MFTECmd (Eric Zimmerman)Parse MFT and timestamps
FTK ImagerBrowse NTFS structure for forensics
fsutilQuery volume, reparse points, streams
NTFSWalkerInspect MFT and attributes
WinHex / 010 EditorView raw disk sectors and parse binary templates

Summary

  • NTFS is a highly advanced file system that embeds metadata, journaling, and fine-grained security into every file.
  • The MFT is the backbone of the file system, storing every file and folder as a database-like entry.
  • ADS, USN, and Reparse Points introduce both powerful features and potential attack surfaces.
  • NTFS journaling ($LogFile) and recovery structures provide strong integrity guarantees.
5 1 vote
Article Rating
guest
10 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
jilikologin

That’s a great point about building skills, not just relying on luck! It reminds me of resources like jiliok login, which focuses on education within the iGaming space – a smart approach for new players! Really helps with responsible gaming.

0
Reply
ph987comlogin

Interesting analysis! Understanding game mechanics is key, and platforms like ph978 casino are evolving to help with that. Strategic play really elevates the experience, don’t you think? It’s about more than just luck!

0
Reply
apostaganha4

Fala galera do bolão! A apostaganha4 parece ter umas apostas interessantes. Preciso dar uma olhada com mais calma, mas a primeira impressão foi boa. Quem sabe a gente não faz uns gains por lá? Confere aí: apostaganha4

0
Reply
tk88bet

Yo what’s up, heard some good things from the homies about tk88bet. Gonna check them out myself. They said the odds are good and customer service is on point. Fingers crossed I win big! Definitely gonna try tk88bet out!

0
Reply
bk8vietnam

Bk8vietnam is my go-to spot for online betting. Always a smooth experience and great promotions. Check it out here: bk8vietnam

0
Reply
bk8link1

Finding a reliable BK8 link can be a pain. Thankfully, bk8link1.info has got you covered. Easy to find the latest access. Give it a look: bk8link1

0
Reply
iwinfortune

Feeling lucky? Iwinfortune might be your next favorite spot. They have a lot of games and the site is really user-friendly. See for yourself: iwinfortune

0
Reply
jilipark2

Jilipark2 is fun! Fast payouts and great customer service. I had a withdrawal issue but they fixed it really fast. It’s my favorite! jilipark2

0
Reply
123dbet

Gotta say, 123dbet caught my eye. Gave it a whirl, and I’m impressed! Cool interface. Defo worth a look-see! 123dbet

0
Reply
55bmwslot

Okay, 55bmwslot… fingers crossed for some smooth spins and big payouts! Let’s see what those reels can do! Give them a try now 55bmwslot

0
Reply
Post Views: 110