NTFS Filesystem - Coggle Diagram
NTFS Filesystem
Directory ($I30)
Attributes
INDEX_ROOT(MFT) - Resident
MFT entry number
INDEX_ALLOCATION(Clusters) - Non-resident
Header (INDX)
Allocated Size of Entries
Size of Entries
Slack space
Allocated Size of Entries - Size of Entries
B-Tree Index Searching
root nodes
INDEX_ROOT
child nodes
INDEX_ALLOCATION
B-Tree Index Rebalancing
Analysis Tools
wisp
MFT (Metadata Catalog)
MFT Entry
Data Types
Sequential entries
Allocated/Unallocated
"File" Entry
$SI
4 timestamps
Flags
Signature
$FN
MACB Timestamps
Flags
Signatures
Namespace Type
MFT Header
Sequence Number (SN)
Hard link
$LogFile Sequence Number
Flags
Fixup Array
Next Available Attribute ID
Signature
Fixup code (Update Sequence Number & Update Sequence Array)
$DATA
Attribute
Resident
Non-resident
Header
Allocated Size
Data Runs
Alternate Data Streams
Attribute
Name Length
Content Length
Name Offset
Content Offset
Zone.Identifier (Evidence of Download)
No Zone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4
Attribute
FILES
DIRECTORIES
Inode (Entry Number)
Analysis Tool
icat
istat
Journaling
$UsnJrnl (High level)
File/Directory Common Pattern
Delete
FileDelete
Rename/Move
RenameOldName -> RenameNewName
Create
FileCreate
ADS Create
StreamChange -> NamedDataExtend
Modified
DataOverwrite | DataExtend | DataTruncation
ADS Storage
$J
$Max
Analysis Tools
MFTECmd
$LogFile (Low-level)
File/Directory Common Pattern
Delete
DeleteIndexEntryAllocation -> DeallocateFileRecordSegment
Rename/Move
DeleteIndexEntryAllocation -> AddIndexEntryAllocation
Create
AddIndexEntryAllocation -> InitializeFileRecordSegment
ADS Create
Create attribute ":ADS"
Modified
Op codes not sufficient
Analysis Tool
Mala