
New Technologies File System (NTFS)

Analysis of the Windows NT File System


By Joachim Metz <joachim.metz@gmail.com>
Summary
NTFS is the primary file system for Microsoft Windows versions that are based on Windows NT.
This document is intended as a working document for the NTFS format, which should allow existing
open source forensic tooling to process this type of file system.
Document information
Author(s): Joachim Metz <joachim.metz@gmail.com>
Abstract: This document contains information about the New Technologies File System (NTFS)
Classification: Public
Keywords: NTFS, New Technologies File System
License
Copyright (c) 2009-2012 Joachim Metz <joachim.metz@gmail.com>.
Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.3 or any later
version published by the Free Software Foundation; with no Invariant Sections,
no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is
included in the section entitled "GNU Free Documentation License".
Version
| Version | Author | Date | Comments |
|---|---|---|---|
| 0.0.1 | J.B. Metz | August 2009, September 2010, October 2010, November 2010, December 2010 | Initial version, based on earlier notes. |
| 0.0.2 | J.B. Metz | March 2011 | Additional information about multi data run MFT. |
| 0.0.3 | J.B. Metz | May 2012 | Additional information. |
Table of Contents
1. Overview
1.1. Versions
1.2. Test version
2. Terminology
2.1. Cluster
2.2. Virtual cluster
2.3. Long and short (file) name
3. The volume
3.1. The metadata files
4. The volume header
4.1. BitLocker Drive Encryption (BDE)
4.2. Volume Shadow Snapshots (VSS)
4.3. The media descriptor
4.4. The boot loader
5. The Master File Table (MFT)
5.1. MFT entry
5.1.1. MFT entry header
5.1.2. MFT entry flags
5.1.3. The file reference
5.2. The fix-up values
5.3. MFT attribute
5.3.1. MFT attribute header
5.3.1.1. MFT attribute data flags
5.3.2. Resident MFT attribute
5.3.3. Non-resident MFT attribute
5.3.4. Attribute name
5.3.5. Data runs
6. The attributes
6.1. The attribute types
6.2. The standard information attribute
6.3. The attribute list attribute
6.3.1. The attribute list entry
6.3.1.1. The attribute list entry header
6.3.1.2. Attribute name
6.4. The file name attribute
6.4.1. Namespace
6.4.2. Long to short name conversion
6.5. The volume version attribute
6.6. The object identifier attribute
6.7. The security descriptor attribute
6.8. The volume name attribute
6.9. The volume information attribute
6.9.1. Volume flags
6.10. The data stream attribute
6.11. The index root attribute
6.12. The index allocation attribute
6.13. The bitmap attribute
6.14. The reparse point attribute
6.15. The (HPFS) extended attribute information
6.16. The (HPFS) extended attribute
6.17. The property set attribute
6.18. The logged utility stream attribute
7. The index
7.1. Common used indexes
7.2. The index root
7.2.1. The index root header
7.2.2. Collation type
7.3. The index entry
7.3.1. The index entry header
7.4. The index node header
7.4.1. The index node flags
7.5. The index value
7.5.1. The index value flags
7.6. The index value data
7.6.1. The directory entry
8. Compression
8.1. Block based storage
8.2. Compression technique
8.2.1. Examples
9. The reparse point
9.1. Reparse point tag
9.1.1. Predefined reparse point tag values
9.1.2. Reparse point tag flags
9.2. Junction or mount point reparse data
9.3. Symbolic link reparse data
9.3.1. Symbolic link flags
10. The allocation bitmap
11. Update (or change) journal
11.1. Update journal metadata
11.2. Update journal entries
11.2.1. Update journal entry
11.2.2. Update reason flags
11.2.3. Update source flags
12. Transactional NTFS (TxF)
12.1. Resource manager repair information
12.1.1. Resource manager repair configuration information
12.2. Transactional NTFS (TxF) metadata directory
12.3. TxF Old Page Stream (TOPS) file
12.3.1. TxF Old Page Stream (TOPS) metadata
12.3.2. TxF Old Page Stream (TOPS) file data
12.4. Transactional NTFS (TxF) Common Log File System (CLFS) files
12.5. Transactional data logged utility stream attribute
13. Windows definitions
13.1. File attribute flags
14. Notes
14.1. $ObjID:$O
14.2. NTFS reserved file names
14.3. File system flags
Appendix A. References
Appendix B. GNU Free Documentation License
1. Overview
NTFS is the primary file system for Microsoft Windows versions that are based on Windows NT.
Relation to OS2 HPFS

| Characteristics | Description |
|---|---|
| Byte order | little-endian |
| Date and time values | FILETIME in UTC |
| Character string | ASCII strings are stored in extended ASCII (with a codepage?). Unicode strings are stored in UTF-16 little-endian without the byte order mark (BOM). |
1.1. Versions
There are multiple versions of NTFS [WIKI].

| NTFS version | Remarks |
|---|---|
| 1.0 | Introduced in Windows NT 3.1 |
| 1.1 | Introduced in Windows NT 3.5 |
| 1.2 | Introduced in Windows NT 3.51 |
| 3.0 | Introduced in Windows 2000 |
| 3.1 | Introduced in Windows XP |

This document mainly focuses on NTFS 3.1 or later.
Note that the versions mentioned above are the versions as used by NTFS. Another common
versioning schema uses the Windows version, e.g. NTFS 5.0 is the version of NTFS used on
Windows XP, which is version 3.1 in the schema mentioned above.
1.2. Test version
The following versions of programs were used to test the information within this document:
- TODO: Windows NT4
- TODO: Windows 2000
- Windows XP SP3
- TODO: Windows 2003
- Windows Vista
- TODO: Windows 2008
- Windows 7
- Windows 8
- NTFS-3G
2. Terminology
2.1. Cluster
NTFS refers to its file system blocks as clusters. Note that these are not the same as the physical
clusters of a harddisk. For clarity these are referred to as cluster blocks. In other sources they are
also referred to as logical clusters, which are numbered globally (or absolute).
Typically the cluster block is 8 sectors (8 x 512 = 4096 bytes) of size.
2.2. Virtual cluster
The term virtual cluster refers to cluster blocks which are numbered locally (or relative).
2.3. Long and short (file) name
In Windows terminology the name of a file (or directory) can either be short or long. The short name
is an equivalent of the filename in the (DOS) 8.3 format. The long name is actually the (full) name of
the file. The term long refers to the aspect that the name is longer than the short variant. Because
most documentation refers to the (full) name as the long name, for clarity's sake so will this document.
3. The volume
Everything on an NTFS volume is a file. There are two types of files:
- files that contain volume and file system metadata (referred to as metadata files);
- files that contain data (referred to as files).
3.1. The metadata files
NTFS uses the Master File Table (MFT) to store information about files and directories. The MFT
entries reference the different volume and file system metadata. There are several predefined
metadata files.
The following metadata files are predefined and use a fixed MFT entry index.

| MFT entry index | Filename | Description |
|---|---|---|
| 0 | $MFT | Master File Table |
| 1 | $MFTMirr | Back up of the Master File Table |
| 2 | $LogFile | Metadata journal |
| 3 | $Volume | Volume information |
| 4 | $AttrDef | File and directory attribute definitions |
| 5 | . | Root directory |
| 6 | $Bitmap | Allocation bitmap |
| 7 | $Boot | Boot code |
| 8 | $BadClus | Bad clusters |
| 9 | $Quota | Quota information. Last used in Windows NT 4 |
| 9 | $Secure | Security and access control information. Introduced in Windows 2000 |
| 10 | $UpCase | Table of uppercase characters used for ensuring case insensitivity in Windows and DOS namespaces. |
| 11 | $Extend | A directory containing extended metadata files |
| 12-15 | | Reserved. Marked as in use but empty |
| 16-23 | | Unused. Marked as unused |
| As of Windows 2000 | | |
| 24 | $Extend\$Quota | Quota information. Was MFT entry 9 in Windows NT |
| 25 | $Extend\$ObjId | Unique file identifiers for distributed link tracking |
| 26 | $Extend\$Reparse | Backreferences to reparse points |
| As of Windows Vista (or server 2003?): Transactional NTFS metadata (See section: 12 Transactional NTFS (TxF)) | | |
| 27 | $Extend\$RmMetadata | Resource manager metadata directory |
| 28 | $Extend\$RmMetadata\$Repair | Resource manager repair information |
| 29 | $Extend\$RmMetadata\$TxfLog | Transactional NTFS (TxF) log metadata directory |
| 30 | $Extend\$RmMetadata\$Txf | Transactional NTFS (TxF) metadata directory |
| 31 | $Extend\$RmMetadata\$TxfLog\$Tops | TxF Old Page Stream (TOPS) file |
| 32 | $Extend\$RmMetadata\$TxfLog\$TxfLog.blf | Transactional NTFS (TxF) base log metadata file |
| Common | | |
| ... | | A file or directory |

The following metadata files are predefined, however the MFT entry index is commonly used but not
fixed.

| MFT entry index | Filename | Description |
|---|---|---|
| | $Extend\$UsnJrnl | Update (or change) journal. See section: 11 Update (or change) journal |
4. The volume header
The volume header is stored at the start of the volume (in the $Boot metadata file) and contains:
- the volume signature
- the BIOS parameter block
- the boot loader
The volume header is 512 bytes of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 3 | | Boot entry point. Often contains: eb52 (jmp 0x52), 90 (nop). This is a jump instruction to the bootcode at offset 84 followed by a no-operation |
| 3 | 4 | "NTFS\x20\x20\x20\x20" | File system signature (Also known as OEM and/or dummy identifier) |
| DOS version 2.0 BIOS parameter block (BPB) | | | |
| 11 | 2 | | Bytes per sector |
| 13 | 1 | | Sectors per cluster block |
| 14 | 2 | 0x00 | Reserved Sectors. Not used by NTFS [POLLARD06] and must be 0 [MSDN] |
| 16 | 1 | 0x00 | Number of File Allocation Tables (FATs). Not used by NTFS [POLLARD06] and must be 0 [MSDN] |
| 17 | 2 | 0 | Root directory entries. Not used by NTFS [POLLARD06] and must be 0 [MSDN] |
| 19 | 2 | | Total number of sectors (16-bit). Used if the total of number of sectors fits in 16-bit? |
| 21 | 1 | | Media descriptor. See section: 4.3 The media descriptor |
| 22 | 2 | 0x00 | Sectors Per File Allocation Table (FAT). Not used by NTFS [POLLARD06] and must be 0 [MSDN] |
| DOS version 3.4 BIOS parameter block (BPB) | | | |
| 24 | 2 | 0x3f | Sectors per track. Not used by NTFS [MSDN] |
| 26 | 2 | 0xff | Number of heads. Not used by NTFS [MSDN] |
| 28 | 4 | 0x3f | Number of hidden sectors. Not used by NTFS [MSDN] |
| 32 | 4 | 0x00 | Total number of sectors (32-bit). Used if the total of number of sectors fits in 32-bit? Not used by NTFS must be 0 [MSDN] |
| NTFS version 8.0 BIOS parameter block (BPB) or extended BPB. Introduced in Windows NT version 3.1 | | | |
| 36 | 1 | 0x80 | Unknown (Disc unit number). Not used by NTFS [MSDN] |
| 37 | 1 | 0x00 | Unknown (Flags). Not used by NTFS [MSDN] |
| 38 | 1 | 0x80 | Unknown (BPB version signature byte). Not used by NTFS [MSDN] |
| 39 | 1 | 0x00 | Unknown (Reserved). Not used by NTFS [MSDN] |
| 40 | 8 | | Total number of sectors (64-bit) |
| 48 | 8 | | Master File Table (MFT) cluster block number |
| 56 | 8 | | Mirror MFT cluster block number |
| 64 | 1 | | MFT entry size. See below. |
| 65 | 3 | | Unknown. Not used by NTFS [MSDN] |
| 68 | 1 | | Index entry size. See below. |
| 69 | 3 | | Unknown. Not used by NTFS [MSDN] |
| 72 | 8 | | NTFS volume serial number. See below. |
| 80 | 4 | 0x00 | Checksum. Not used by NTFS [POLLARD06], [MSDN] |
| 84 | 426 | | Bootcode. What is the exact end of the bootcode and are there no trailing values? |
| 510 | 2 | 0x55 0xaa | Sector signature |
Both the MFT and index entry sizes are defined as following:
- Values 0 to 127 represent sizes of 0 to 127 cluster blocks.
- Values 128 to 255 represent sizes of 2^(256-n) bytes; or 2^(-n) if considered as a signed byte.
- Other values are not considered valid [POLLARD06].
The cluster block size can be determined as following:
    cluster block size = bytes per sector x sectors per cluster block
Values available in Windows are:
- 512
- 1024
- 2048
- 4096
- 8192
- 16K (16384)
- 32K (32768)
- 64K (65536)
The MFT offset can be determined as following:
    MFT offset = volume header offset + ( MFT cluster block number x Cluster block size )
Note that the lower 32-bit part of the NTFS volume serial number is the WINAPI volume serial
number. E.g. compare the output of:
    fsutil fsinfo volumeinfo C:
    fsutil fsinfo ntfsinfo C:
Often the volume will be smaller than the underlying partition. A (nearly identical) backup of the
volume header is stored in last sector of cluster block, that follows the last cluster block of the
volume. Often this is the 512 bytes after the last sector of the volume, but not necessarily. The
backup volume header is not included in the volume size.
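The following is an added example, not part of the original document: a minimal Python parser that applies the volume header layout, the entry size rule and the MFT offset formula above. The function names, dictionary keys and the sample header are assumptions made for illustration; the sample bytes are constructed, not taken from a real volume.

```python
import struct

# Cluster block sizes listed above as available in Windows.
WINDOWS_CLUSTER_BLOCK_SIZES = {512, 1024, 2048, 4096, 8192, 16384, 32768, 65536}


def decode_entry_size(value, cluster_block_size):
    """Decode the MFT or index entry size byte into a size in bytes."""
    if not 0 <= value <= 255:
        raise ValueError("entry size must fit in one byte")
    if value < 128:
        # Values 0 to 127: a number of cluster blocks.
        return value * cluster_block_size
    # Values 128 to 255: 2^(256-n) bytes, i.e. 2^(-n) as a signed byte.
    return 1 << (256 - value)


def parse_volume_header(data, volume_header_offset=0):
    """Parse the volume header fields needed to locate the MFT."""
    if len(data) < 512:
        raise ValueError("the volume header is 512 bytes")
    if data[3:11] != b"NTFS\x20\x20\x20\x20":
        raise ValueError("missing NTFS file system signature")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing sector signature")

    bytes_per_sector, sectors_per_cluster_block = struct.unpack_from("<HB", data, 11)
    total_sectors, mft_cluster, mirror_mft_cluster = struct.unpack_from("<QQQ", data, 40)
    (serial_number,) = struct.unpack_from("<Q", data, 72)

    cluster_block_size = bytes_per_sector * sectors_per_cluster_block
    if cluster_block_size == 0:
        raise ValueError("cluster block size is zero")

    return {
        "cluster_block_size": cluster_block_size,
        "known_cluster_block_size": cluster_block_size in WINDOWS_CLUSTER_BLOCK_SIZES,
        "total_sectors": total_sectors,
        "mft_entry_size": decode_entry_size(data[64], cluster_block_size),
        "index_entry_size": decode_entry_size(data[68], cluster_block_size),
        # MFT offset = volume header offset + (MFT cluster block number x size)
        "mft_offset": volume_header_offset + mft_cluster * cluster_block_size,
        "mirror_mft_offset": volume_header_offset + mirror_mft_cluster * cluster_block_size,
        # Sanity check: the MFT should start inside the volume.
        "mft_inside_volume": mft_cluster * sectors_per_cluster_block < total_sectors,
        # The lower 32 bits are the WINAPI volume serial number.
        "winapi_serial_number": serial_number & 0xFFFFFFFF,
    }


def build_sample_volume_header():
    """Return a constructed 512-byte volume header for demonstration."""
    header = bytearray(512)
    header[0:3] = b"\xeb\x52\x90"                # jmp 0x52; nop
    header[3:11] = b"NTFS\x20\x20\x20\x20"       # file system signature
    struct.pack_into("<HB", header, 11, 512, 8)  # 512 x 8 = 4096 byte cluster blocks
    struct.pack_into("<QQQ", header, 40, 16777215, 786432, 2)
    header[64] = 0xF6                            # 2^(256-246) = 1024 byte MFT entries
    header[68] = 0x01                            # index entries of 1 cluster block
    struct.pack_into("<Q", header, 72, 0x1234ABCD5678EF01)
    header[510:512] = b"\x55\xaa"                # sector signature
    return bytes(header)


if __name__ == "__main__":
    for key, value in parse_volume_header(build_sample_volume_header()).items():
        print(key, value)
```

Pass the byte offset of the partition as `volume_header_offset` when reading from a full disk image rather than from a volume image.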
4.1. BitLocker Drive Encryption (BDE)
BitLocker Drive Encryption (BDE) uses the file system signature: "-FVE-FS-", where FVE is an
abbreviation of Full Volume Encryption.
The data structures of BDE on Windows Vista and 7 differ.
A Windows Vista BDE volume starts with:
    eb 52 90 2d 46 56 45 2d 46 53 2d
A Windows 7 BDE volume starts with:
    eb 58 90 2d 46 56 45 2d 46 53 2d
BDE is largely stand-alone but has some integration with NTFS. For more information about BDE
see [LIBBDE].
4.2. Volume Shadow Snapshots (VSS)
Volume Shadow Snapshots (VSS) uses the GUID 3808876b-c176-4e48-b7ae-04046e6cc752
(stored in little-endian) to identify its data. VSS is largely stand-alone but has some integration
with NTFS.
For more information about VSS see [LIBVSHADOW].
4.3. The media descriptor

| Bit(s) | Identifier | Description |
|---|---|---|
| 0 | | Sides: 0 => single-sided, 1 => double-sided |
| 1 | | Track size: 0 => 9 sectors per track, 1 => 8 sectors per track |
| 2 | | Density: 0 => 80 tracks, 1 => 40 tracks |
| 3 | | Type: 0 => Fixed disc, 1 => Removable disc |
| 4 - 7 | | Always set to 1 |

4.4. The boot loader

| offset | size | value | description |
|---|---|---|---|
| 512 | | | Windows NT (boot) loader NTLDR/BOOTMGR |
5. The Master File Table (MFT)
The MFT consists of an array of MFT entries. The offset of the MFT table can be found in the
volume header and the size of the MFT is defined by the MFT entry of the $MFT metadata file.
Note that the MFT can consist of multiple data ranges, defined by the data runs in the $MFT
metadata file.
5.1. MFT entry
Although the size of an MFT entry is defined in the volume header, it is commonly 1024 bytes of size
and consists of:
- The MFT entry header
- The fix-up values
- An array of MFT attribute values
- Padding, which should contain zero bytes
5.1.1. MFT entry header
The MFT entry header is 48 bytes of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 4 | "FILE" | Signature |
| 4 | 2 | | The fix-up values offset. Contains an offset relative from the start of the MFT entry |
| 6 | 2 | | The number of fix-up values |
| 8 | 8 | | Journal sequence number. $LogFile Sequence Number (LSN) |
| 16 | 2 | | Sequence (value) |
| 18 | 2 | | Reference (link) count |
| 20 | 2 | | Attributes offset. Contains an offset relative from the start of the MFT entry |
| 22 | 2 | | Entry flags. See section: 5.1.2 MFT entry flags |
| 24 | 4 | | Used entry size. Contains the number of bytes of the MFT entry that are in use |
| 28 | 4 | | Total entry size. Contains the number of bytes of the MFT entry. Could this be used to store data larger than 1024 - header continuously ? |
| 32 | 8 | | Base record file reference. See section: 5.1.3 The file reference |
| 40 | 2 | | First available attribute identifier |
| 42 | 2 | | Unknown (wfixupPattern) |
| Version 3.0 or earlier | | | |
| 44 | 4 | | Unknown |
| Version 3.1 or later | | | |
| 44 | 4 | | The index |

The base record file reference indicates if the MFT entry is used to store additional attributes for
another MFT entry, e.g. for attribute list attributes.
5.1.2. MFT entry flags

| Value | Identifier | Description |
|---|---|---|
| 0x0001 | | In use |
| 0x0002 | | Is directory (or has $I30 index) |
| 0x0004 | | Unknown (set for $ObjId, $Quota, $Reparse, $UsnJrnl) |
| 0x0008 | | Unknown (set for $ObjId, $Quota, $Reparse, $Secure) |

5.1.3. The file reference
The file reference is 8 bytes of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 6 | | MFT entry index. Note that the index value in the MFT entry is only 32-bit of size |
| 6 | 2 | | Sequence number |
5.2. The fix-up values
The fix-up values are variable of size and consist of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 2 | | Fix-up placeholder value |
| 2 | 2 x number of fix-up values | | Fix-up (original) value array |

On disk the last 2 bytes in each sector are replaced by the fix-up placeholder value. The original value
is stored in the corresponding fix-up (original) value array entry.
Note that there can be more fix-up values than the amount of sectors in the data.
See [CARRIER05] and/or [RUSSON05] for examples on applying the fix-up values.
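As an added illustration (not code from the original document or from the cited references), the Python sketch below applies the fix-up values to one MFT entry and reports sectors whose last 2 bytes do not match the placeholder, which points at an incomplete multi-sector write or corruption. It assumes 512-byte sectors and that the stored number of fix-up values includes the placeholder itself; the function names and the sample entry are constructed for the example.

```python
import struct


def apply_fixups(entry, sector_size=512):
    """Apply the fix-up values to one MFT entry.

    Returns (fixed_entry, mismatched_sectors). Sectors whose last 2 bytes
    do not hold the placeholder value are left untouched and reported.
    """
    if entry[0:4] != b"FILE":
        raise ValueError("missing FILE signature")
    fixup_offset, fixup_count = struct.unpack_from("<HH", entry, 4)
    sectors = len(entry) // sector_size

    # Assumption: the stored count includes the placeholder value itself,
    # so the (original) value array holds fixup_count - 1 entries.
    originals_count = fixup_count - 1
    fixup_end = fixup_offset + 2 * fixup_count
    # The fix-up values must sit inside the first sector, before its tail.
    if fixup_offset < 8 or fixup_end > sector_size - 2:
        raise ValueError("fix-up values are out of bounds")
    if originals_count < sectors:
        raise ValueError("fewer fix-up values than sectors")

    placeholder = entry[fixup_offset:fixup_offset + 2]
    originals = entry[fixup_offset + 2:fixup_end]

    fixed = bytearray(entry)
    mismatched = []
    # There can be more fix-up values than sectors, so only as many values
    # as there are sectors in the entry are applied.
    for index in range(sectors):
        tail = (index + 1) * sector_size - 2
        if entry[tail:tail + 2] != placeholder:
            mismatched.append(index)
            continue
        fixed[tail:tail + 2] = originals[2 * index:2 * index + 2]
    return bytes(fixed), mismatched


def build_sample_entry(torn=False):
    """Return a constructed 1024-byte MFT entry (header fields only)."""
    entry = bytearray(1024)
    entry[0:4] = b"FILE"
    struct.pack_into("<HH", entry, 4, 48, 3)  # fix-up offset 48, 3 values
    entry[48:50] = b"\x05\x00"                # fix-up placeholder value
    entry[50:54] = b"\xaa\xbb\xcc\xdd"        # original values of sector 0 and 1
    entry[510:512] = b"\x05\x00"              # tail of sector 0 as stored on disk
    # A torn write leaves an older placeholder in the second sector.
    entry[1022:1024] = b"\x04\x00" if torn else b"\x05\x00"
    return bytes(entry)


if __name__ == "__main__":
    fixed, mismatched = apply_fixups(build_sample_entry())
    print(fixed[510:512].hex(), fixed[1022:1024].hex(), mismatched)
    fixed, mismatched = apply_fixups(build_sample_entry(torn=True))
    print(fixed[510:512].hex(), fixed[1022:1024].hex(), mismatched)
```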
5.3. MFT attribute
The MFT attribute consists of:
- the attribute header
- the attribute resident or non-resident data
- the attribute name
- the attribute data runs or data
- alignment padding (8-byte alignment), can contain remnant data
5.3.1. MFT attribute header
The MFT attribute header is 16 bytes of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 4 | | Attribute type. See section: 6.1 The attribute types |
| 4 | 4 | | Size. The size of the attribute including the 8 bytes of the attribute type and size |
| 8 | 1 | | Non-resident flag. Only the lower bit is used, do the other bits have any significance ? |
| 9 | 1 | | Name size. Contains the number of characters without the end-of-string character |
| 10 | 2 | | Name offset. Contains an offset relative from the start of the MFT entry |
| 12 | 2 | | Attribute data flags. See section: 5.3.1.1 MFT attribute data flags |
| 14 | 2 | | Attribute identifier. A unique identifier to distinguish between attributes that contain segmented data. |

5.3.1.1. MFT attribute data flags

| Value | Identifier | Description |
|---|---|---|
| 0x0001 | | Is compressed |
| 0x4000 | | Is encrypted |
| 0x8000 | | Is sparse |
5.3.2. Resident MFT attribute
The resident MFT attribute data is present when the non-resident flag is not set (0). The resident
data is 8 bytes in size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 4 | | Data size |
| 4 | 2 | | Data offset. Contains an offset relative from the start of the MFT entry |
| 6 | 1 | | Indexed flag. Only the lower bit is used, do the other bits have any significance ? |
| 7 | 1 | 0x00 | Padding. Contains an empty byte |

5.3.3. Non-resident MFT attribute
The non-resident MFT attribute data is present when the non-resident flag is set (1). The
non-resident data is 48 bytes in size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 8 | | First Virtual Cluster Number (VCN) of the data |
| 8 | 8 | | Last Virtual Cluster Number (VCN) of the data |
| 16 | 2 | | Data runs offset. Contains an offset relative from the start of the MFT entry |
| 18 | 2 | | Compression unit number of cluster blocks. Contains the compression unit size in number of cluster blocks. This value is used for compressed data in the data runs. |
| 20 | 4 | | Padding. Contains zero-bytes |
| 24 | 8 | | Allocated data size |
| 32 | 8 | | Data size |
| 40 | 8 | | Initialized data size. What does it contain and what is it used for? |

5.3.4. Attribute name
The attribute name is variable of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | ... | | Name. UTF-16 little-endian without the end-of-string character |
5.3.5. Data runs
The data runs are stored in a variable size (data) runlist. This runlist consists of runlist elements.
A runlist element is variable of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0.0 | 4 bits | | Number of cluster blocks value size. Contains the number of bytes used to store the data run size |
| 0.4 | 4 bits | | Cluster block number value size. Contains the number of bytes used to store the data run size |
| 1 | Size value size | | Data run number of cluster blocks. Contains the number of cluster blocks |
| ... | Cluster block number value size | | Data run cluster block number. See below. |

The data run cluster block number is a signed value, where the MSB is the sign bit, e.g. if the data
run cluster block contains "dbc8" it corresponds to the 64-bit value 0xffffffffffffdbc8.
The first data run offset contains the absolute cluster block number, whereas successive data run offsets
are relative to the last data run offset.
Note that the cluster block number byte size is the first nibble when reading the byte stream, but here
it is represented as the upper nibble of the first byte.
The last runlist element is an empty value size tuple; in other words a 0 byte. For compressed or
sparse runs, the offset is 0, and the size of the offset is also 0.
If the offset is 0 but the size contains a value the data run is either compressed or sparse. For every
compression unit block:
- if the size is less than the compression unit size the previous data run is compressed (the size
  signifies the remaining unused data)
- if the size is equal to the compression unit size the data run is sparse
Note that the compression unit blocks must be aligned to the virtual cluster blocks.
According to [RUSSON05] the size of the runlist is rounded up to the next multitude of 4 bytes. The
size of the trailing data can be even larger than 3 and is not always zero-bytes.
See [CARRIER05] and/or [RUSSON05] for examples on reading the runlist.
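The runlist rules above can be exercised with the following added Python example, which is not part of the original document or of the cited references. It decodes a runlist into absolute cluster block numbers, treats elements without a cluster block number as sparse or compressed markers, stops at the terminating 0 byte and ignores trailing remnant data. The function names and the sample runlist are constructed for illustration.

```python
def decode_runlist(data):
    """Decode a runlist into (cluster_block_number, number_of_cluster_blocks).

    The cluster block number is None for an element that stores no cluster
    block number (a sparse or compressed marker run).
    """
    runs = []
    offset = 0
    cluster = 0  # absolute cluster block number of the last data run
    while True:
        if offset >= len(data):
            raise ValueError("runlist has no terminating 0 byte")
        sizes = data[offset]
        offset += 1
        if sizes == 0:
            # Empty value size tuple: end of the runlist. Anything after
            # this byte is padding or remnant data and is ignored.
            return runs
        count_size = sizes & 0x0F  # lower nibble: number of cluster blocks value size
        cluster_size = sizes >> 4  # upper nibble: cluster block number value size
        if count_size == 0 or count_size > 8 or cluster_size > 8:
            raise ValueError("invalid value sizes 0x%02x" % sizes)
        if offset + count_size + cluster_size > len(data):
            raise ValueError("runlist element is truncated")

        count = int.from_bytes(data[offset:offset + count_size], "little")
        offset += count_size
        if cluster_size == 0:
            runs.append((None, count))
            continue

        # Signed value: the first is absolute, later ones are relative to
        # the cluster block number of the last data run.
        relative = int.from_bytes(
            data[offset:offset + cluster_size], "little", signed=True)
        offset += cluster_size
        cluster += relative
        if cluster < 0:
            raise ValueError("data run points before the start of the volume")
        runs.append((cluster, count))


def vcn_to_cluster(runs, vcn):
    """Map a virtual cluster number to a cluster block number (None if sparse)."""
    first_vcn = 0
    for cluster, count in runs:
        if first_vcn <= vcn < first_vcn + count:
            return None if cluster is None else cluster + (vcn - first_vcn)
        first_vcn += count
    raise IndexError("VCN is beyond the end of the runlist")


# Constructed sample runlist (not from a real volume):
#   31 20 00000c   32 cluster blocks at cluster block 0x0c0000 (absolute)
#   22 4001 c8db   320 cluster blocks at relative 0xdbc8 (-9272)
#   01 10          16 cluster blocks without a cluster block number
#   11 08 10       8 cluster blocks at relative +16
#   00             terminator, followed by 3 bytes of remnant data
SAMPLE_RUNLIST = bytes.fromhex("312000000c" "224001c8db" "0110" "110810" "00" "a55a7e")


if __name__ == "__main__":
    for run in decode_runlist(SAMPLE_RUNLIST):
        print(run)
```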
6. The attributes
6.1. The attribute types

| Value | Identifier | Description |
|---|---|---|
| 0x00000000 | | Unused |
| 0x00000010 | $STANDARD_INFORMATION | Standard information |
| 0x00000020 | $ATTRIBUTE_LIST | Attributes list |
| 0x00000030 | $FILE_NAME | The file or directory name |
| 0x00000040 | $VOLUME_VERSION | Volume version. Removed in NTFS version 3.0 |
| 0x00000040 | $OBJECT_ID | Object identifier. Introduced in NTFS version 3.0 |
| 0x00000050 | $SECURITY_DESCRIPTOR | Security descriptor |
| 0x00000060 | $VOLUME_NAME | Volume name |
| 0x00000070 | $VOLUME_INFORMATION | Volume information |
| 0x00000080 | $DATA | Data stream |
| 0x00000090 | $INDEX_ROOT | Index root |
| 0x000000a0 | $INDEX_ALLOCATION | Index allocation |
| 0x000000b0 | $BITMAP | Bitmap |
| 0x000000c0 | $SYMBOLIC_LINK | Symbolic link. Removed in NTFS version 3.0 |
| 0x000000c0 | $REPARSE_POINT | Reparse point. Introduced in NTFS version 3.0 |
| 0x000000d0 | $EA_INFORMATION | (HPFS) extended attribute information |
| 0x000000e0 | $EA | (HPFS) extended attribute |
| 0x000000f0 | $PROPERTY_SET | Property set. Removed in NTFS version 3.0 |
| 0x00000100 | $LOGGED_UTILITY_STREAM | Logged utility stream. Introduced in NTFS version 3.0 |
| 0x00001000 | | First user defined attribute |
| 0xffffffff | | End of attributes marker |
6.2. The standard information attribute
The standard information attribute ($STANDARD_INFORMATION) contains the basic file entry
metadata. It is stored as a resident MFT attribute.
The standard information data is either 48 or 72 bytes of size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 8 | | Creation date and time. Filetime |
| 8 | 8 | | Last modification date and time (Also referred to as last written date and time). Filetime |
| 16 | 8 | | MFT entry last modification date and time. Filetime |
| 24 | 8 | | Last access date and time. Filetime |
| 32 | 4 | | File attribute flags. See section: 13.1 File attribute flags |
| 36 | 4 | | Maximum number of versions. What does it contain and what is it used for? |
| 40 | 4 | | Version number. What does it contain and what is it used for? |
| 44 | 4 | | Class identifier. What does it contain and what is it used for? |
| Introduced in NTFS version 3.0 (Windows 2000) | | | |
| 48 | 4 | | Owner identifier. What does it contain and what is it used for? |
| 52 | 4 | | Security identifier index. Contains the index of the security identifier in the $Secure metadata file |
| 56 | 8 | | Quota charge. What does it contain and what is it used for? |
| 64 | 8 | | Update Sequence Number (USN). What does it contain and what is it used for? |

6.3. The attribute list attribute

The attribute list attribute ($ATTRIBUTE_LIST) is a list of attributes in an MFT entry. The attributes stored in the list are placeholders for other attributes. Some of these attributes could not be stored in the MFT entry due to space limitations. The attribute list attribute can be stored as either a resident (for a small amount of data) or a non-resident MFT attribute.

The attribute list data contains an array of attribute list entries.

6.3.1. The attribute list entry

The attribute list entry consists of:
- the attribute list entry header
- the attribute name
- alignment padding (8-byte alignment), can contain remnant data

6.3.1.1. The attribute list entry header

The attribute list entry header is 26 bytes of size and consists of:

offset | size | value | description
0 | 4 | | Attribute type. See section: 6.1 The attribute types
4 | 2 | | Size. The size of the attribute including the 6 bytes of the attribute type and size
6 | 1 | | Name size. Contains the number of characters without the end-of-string character
7 | 1 | | Name offset. Contains an offset relative from the start of the attribute list entry
8 | 8 | | Data first VCN
16 | 8 | | File reference. The file reference to the MFT entry that contains (part of) the attribute data. See section: 5.1.3 The file reference
24 | 2 | | Attribute identifier. A unique identifier to distinguish between attributes that contain segmented data.

The data first VCN is used when the attribute data is stored in multiple MFT entries. The attribute list contains an attribute list entry for every MFT entry. The corresponding MFT entry will contain an MFT attribute containing the attribute data. See [CARRIER05] pages 365 and 366 for more information.

6.3.1.2. Attribute name

The attribute name is variable of size and consists of:

offset | size | value | description
0 | ... | | Name. UTF-16 little-endian without the end-of-string character

6.4. The file name attribute

The file name attribute ($FILE_NAME) contains the basic file system information, like the parent file entry, MAC times and filename. It is stored as a resident MFT attribute.

The file name data is variable of size and consists of:

offset | size | value | description
0 | 8 | | Parent file reference. See section: 5.1.3 The file reference
8 | 8 | | Creation date and time. Contains a filetime
16 | 8 | | Last modification date and time (also referred to as last written date and time). Contains a filetime
24 | 8 | | MFT entry last modification date and time. Contains a filetime
32 | 8 | | Last access date and time. Contains a filetime
40 | 8 | | Allocated (or reserved) file size. See below.
48 | 8 | | File size. See below.
56 | 4 | | File attribute flags. See section: 13.1 File attribute flags
60 | 4 | | Extended data. See below.
64 | 1 | | Name string size. Contains the number of characters without the end-of-string character
65 | 1 | | Namespace of the name string
66 | ... | | Name string. UTF-16 little-endian without an end-of-string character

The extended data contains:
- the reparse point tag (see section 9.1 Reparse point tag) if the reparse point file attribute flag (FILE_ATTRIBUTE_REPARSE_POINT) is set;
- the extended attribute data size.

The allocated file size and file size values do not always contain accurate values when stored in a MFT attribute, see [CARRIER05] page 363 for more information. [CARRIER05] also states that the file size values are accurate when 'used in a directory index' (stored in an index value), however this seems to be true for most files but not for all. At least the $MFT and $MFTMirror metadata file directory entries on a Windows Vista NTFS volume were found to contain the same value as the corresponding MFT entries, which were not equal to the size of the data stream.

An MFT attribute can contain multiple file name attributes, e.g. for a separate (long) name and short name.

In several cases on a Vista NTFS volume the MFT entry contained both a DOS & Windows and POSIX namespace name. However the directory entry index ($I30) of the parent directory only contained the DOS & Windows name.

In case of a hard link the MFT entry will contain additional file name attributes with the parent file reference of each hard link.

6.4.1. Namespace

Value | Identifier | Description
0 | POSIX | Case sensitive character set that consists of all Unicode characters except for: '\0' (zero character), '/' (forward slash). The ':' (colon) is valid for NTFS but not for Windows.
1 | WINDOWS | A case insensitive sub set of the POSIX character set that consists of all Unicode characters except for: '"' '*' '/' ':' '<' '>' '?' '\' '|'. Note that names cannot end with a '.' (dot) or ' ' (space).
2 | DOS | A case insensitive sub set of the WINDOWS character set that consists of all upper case ASCII characters except for: '"' '*' '+' ',' '/' ':' ';' '<' '=' '>' '?' '\'. Note the name must follow the 8.3 format.
3 | DOS_WINDOWS | Both the DOS and WINDOWS names are identical. Which is the same as the DOS character set, with the exception that lower case is used as well.

6.4.2. Long to short name conversion

Basically the conversion from a long name to short name boils down to the approach mentioned below. Note that it differs from the approach mentioned in [RUSSON05] and [MSSUPPORT], in regard of the third case to make the short name unique.

In the long name:
- ignore Unicode characters beyond the first 8-bit (extended ASCII)
- ignore control characters and spaces (character < 0x20)
- ignore non-allowed characters ('"' '*' '+' ',' '/' ':' ';' '<' '=' '>' '?' '\')
- ignore dots except the last one (extension) and one at the start of the name
- make all letters upper case

Make the name unique:
1. use the characters 1 to 6 add ~1 and if the long name has an extension add the a dot and its first 3 letters
2. if the name already exists try ~2 up to ~9
3. if the name already exists use some 16-bit hexadecimal value for characters 3 to 6 with ~1

[MSDN] Generates the next four letters of the short file name by mathematically manipulating the remaining letters of the long file name.

Note: behavior dependent on fsutil ?

case 1: “Program Files” becomes “PROGRA~1” or “ ~PLAYMOVIE.REG” becomes “~PLAYM~1.REG”
case 2: “Program Data”, in the same directory as “Program Files”, becomes “PROGRA~2”
case 3: “x86_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.0.6000.16386_en-us_f89a7b000542f4”, in a directory with a lot of filenames starting with “x86_microsoft”, becomes “X8FCA6~1.163”

6.5. The volume version attribute

TODO, need a pre NTFS 3.0 volume

6.6. The object identifier attribute

The object identifier attribute ($OBJECT_ID) contains distributed link tracker properties. It is stored as a resident MFT attribute.

The object identifier data is either 16 or 64 bytes of size and consists of:

offset | size | value | description
0 | 16 | | Droid file identifier. Contains a GUID
16 | 16 | | Birth droid volume identifier. Contains a GUID
32 | 16 | | Birth droid file identifier. Contains a GUID
48 | 16 | | Birth droid domain identifier. Contains a GUID

6.7. The security descriptor attribute

The security descriptor attribute ($SECURITY_DESCRIPTOR) TODO. It is stored as a resident MFT attribute.

The security descriptor data is variable of size and consists of:

TODO

6.8. The volume name attribute

The volume name attribute ($VOLUME_NAME) contains the name of the volume. It is stored as a resident MFT attribute.

The volume name data is variable of size and consists of:

offset | size | value | description
0 | ... | | Name string. UTF-16 little-endian without an end-of-string character

The volume name attribute is used in the $Volume metadata file MFT entry.

6.9. The volume information attribute

The volume information attribute ($VOLUME_INFORMATION) contains the name of the volume. It is stored as a resident MFT attribute.

The volume information data is 12 bytes of size and consists of:

offset | size | value | description
0 | 8 | | Unknown (empty value?)
8 | 1 | | Major version number
9 | 1 | | Minor version number
10 | 2 | | Volume flags

The volume information attribute is used in the $Volume metadata file MFT entry.

6.9.1. Volume flags

Value | Identifier | Description
0x0001 | | Is dirty
0x0002 | | Re-size journal (LogFile)
0x0004 | | Upgrade on next mount
0x0008 | | Mounted on Windows NT 4
0x0010 | | Delete USN underway
0x0020 | | Repair object identifiers
0x8000 | | Modified by chkdsk

6.10. The data stream attribute

The data stream attribute ($DATA) contains the file data. It can be stored as either a resident (for a small amount of data) or a non-resident MFT attribute.

6.11. The index root attribute

The index root attribute ($INDEX_ROOT) contains the root of the index tree. It is stored as a resident MFT attribute.

See section: 7 The index and 7.2 The index root.

6.12. The index allocation attribute

The index allocation attribute ($INDEX_ALLOCATION) contains an array of index entries. It is stored as a non-resident MFT attribute.

Note that the index allocation attribute itself does not define which attribute type it contains in the index value data. For this information it needs the corresponding index root attribute.

Also note that multiple index allocation attributes for the same index can be used in the attribute list to define different parts of the index allocation data. The first index allocation attribute will contain the size of the entire index allocation data. Other index allocation attributes should have a size of 0.

See section: 7 The index.

6.13. The bitmap attribute

The bitmap attribute ($BITMAP) contains the allocation bitmap. It can be stored as either a resident (for a small amount of data) or a non-resident MFT attribute.

It is used to maintain information about which entry is used and which is not. Every bit in the bitmap represents an entry. The index is stored byte-wise with the LSB of the byte corresponding to the first allocation element; the allocation element can represent several things, see below.

The allocation element is allocated if the corresponding bit contains 1 or unallocated if 0.

It is known to be used in:
- the MFT (nameless), where an allocation element represents a MFT entry;
- indexes ($I##), where an allocation element represents an index entry.

6.14. The reparse point attribute

The reparse point attribute ($REPARSE_POINT) contains information about a file system-level link. It is stored as a resident MFT attribute.

See section: 9 The reparse point.

6.15. The (HPFS) extended attribute information

TODO, need a NTFS volume with (HPFS) extended attributes

0x00 2 Size of the packed Extended Attributes
0x02 2 Number of Extended Attributes which have NEED_EA set
0x04 4 Size of the unpacked Extended Attributes

6.16. The (HPFS) extended attribute

TODO, need a NTFS volume with (HPFS) extended attributes

0x00 4 Offset to next Extended Attribute
0x04 1 Flags
0x05 1 Name Length (N)
0x06 2 Value Length (V)
0x08 N Name
N+0x08 V Value

Flags:
0x80 Need EA

6.17. The property set attribute

TODO, need a pre NTFS 3.0 volume

6.18. The logged utility stream attribute

attribute type for storing additional data for the files and directories
resident, known to cause problems when non-resident on Windows Vista

Value | Identifier | Description
 | $EFS | Encrypted NTFS (EFS)
 | $TXF_DATA | Transactional NTFS (TxF)

TODO

7. The index

The index structures are used for various purposes one of which are the directory entries.

The root of the index is stored in index root. The index root attribute defines which type of attribute is stored in the index and the root index node.

If the index is too large part of the index is stored in an index allocation attribute with the same attribute name. The index allocation attribute defines a data stream which contains index entries. Each index entry contains an index node.

See [CARRIER05] page 378 for an illustration how the index root and index allocation attribute relate.

An index consists of a tree, where both the branch and index leaf nodes contain the actual data. E.g. in case of a directory entries index, any node that contains index value data make up for the directory entries.

The index value data in a branch node signifies the upper bound of the values in that specific branch. E.g. if directory entries index branch node contains the name 'textfile.txt' all names in that index branch are smaller than 'textfile.txt'. Note the actual sorting order is dependent on the collation type defined in the index root attribute.

The index allocation attribute is accompanied by a bitmap attribute with the corresponding attribute name. The bitmap attribute defines the allocation of virtual cluster blocks within the index allocation attribute data stream.

Note that the index allocation attribute can be present even though it is not used.

7.1. Common used indexes

Indexes commonly used by NTFS are:

Value | Identifier | Description
 | $I30 | Directory entries (used by directories)
 | $SDH | Security descriptors (used by $Secure)
 | $SII | Security identifiers (used by $Secure)
 | $O | Object identifiers (used by $ObjId)
 | $O | Owner identifiers (used by $Quota)
 | $Q | Quotas (used by $Quota)
 | $R | Reparse points (used by $Reparse)

7.2. The index root

The index root consists of:
- index root header
- index node header
- an array of index values

7.2.1. The index root header

The index root header is 16 bytes of size and consists of:

offset | size | value | description
0 | 4 | | Attribute type. Contains the type of the indexed attribute or 0 if none
4 | 4 | | Collation type. What does it contain and what is it used for?
8 | 4 | | Index entry size
12 | 4 | | Index entry number of cluster blocks

Note that [CARRIER05] and [RUSSON05] state that the last 3 bytes are unused (alignment padding). However it is highly probable that the last value is 32-bit of size.

7.2.2. Collation type

Value | Identifier | Description
0x00000000 | COLLATION_BINARY | Binary. The first byte is most significant
0x00000001 | COLLATION_FILENAME | Unicode strings case-insensitive
0x00000002 | COLLATION_UNICODE_STRING | Unicode strings case-sensitive. Upper case letters should come first
0x00000010 | COLLATION_NTOFS_ULONG | Unsigned 32-bit little-endian integer
0x00000011 | COLLATION_NTOFS_SID | NT security identifier (SID)
0x00000012 | COLLATION_NTOFS_SECURITY_HASH | Security hash first, then NT security identifier
0x00000013 | COLLATION_NTOFS_ULONGS | An array of unsigned 32-bit little-endian integer values

7.3. The index entry

The index entry consists of:
- the index entry header
- the index node header
- the fix-up values
- alignment padding (8-byte alignment), contains zero-bytes
- an array of index values

7.3.1. The index entry header

The index entry header is 32 bytes of size and consists of:

offset | size | value | description
0 | 4 | “INDX” | Signature
4 | 2 | | The fix-up values offset. Contains an offset relative from the start of the MFT entry
6 | 2 | | The number of fix-up values
8 | 8 | | Journal sequence number. $LogFile Sequence Number (LSN)
16 | 8 | | Virtual Cluster Number (VCN) of the index entry

7.4. The index node header

The index node header is 16 bytes of size and consists of:

offset | size | value | description
0 | 4 | | Index values offset. The offset is relative from the start of the index node header
4 | 4 | | Index node size. The value includes the size of the index node header. See below.
8 | 4 | | Allocated index node size. The value includes the size of the index node header
12 | 4 | | Index node flags

Note that [RUSSON05] states that the last 3 bytes are unused (alignment padding), while [CARRIER05] states that the last value is 32-bit of size. Seen that the index value flags are a 32-bit value it is highly probable the index node flags are as well.

Note that in an index entry (index allocation attribute) the index node size includes the size of the fix-up values and the alignment padding following it.

Note that the remainder of the index node contains remnant data and/or zero-byte values.

7.4.1. The index node flags

Value | Identifier | Description
0x00000001 | | Has index allocation attribute. Used in an index root attribute to indicate the presence of an index allocation attribute which contains the index values

7.5. The index value

The index value is variable of size and consists of:

offset | size | value | description
0 | 8 | | File reference. See section: 5.1.3 The file reference
8 | 2 | | Index value size
10 | 2 | | Index value data size. Note that the size of the padding is not included in the value data size
12 | 4 | | Index value flags
If index value data size > 0
16 | ... | | Index value data
... | ... | | Alignment padding (8-byte alignment). Can contain remnant data
If index value flag 0x00000001 (Has sub node) is set
... | 8 | | Sub node Virtual Cluster Number (VCN)

The index values are 8 byte aligned.

7.5.1. The index value flags

Value | Identifier | Description
0x00000001 | | Has sub node. If set the index value contains a sub node Virtual Cluster Number (VCN)
0x00000002 | | Is last. If set the index value is the last in the index values array

7.6. The index value data

7.6.1. The directory entry

The MFT attribute name of the directory entry index is: $I30.

The directory entry index value data contains a file name attribute. See section: 6.4 The file name attribute.

Note that both the short and long names of the same file have a separate index value. The short name uses the DOS namespace and the long name the WINDOWS namespace. Index values with a single name use either the POSIX or DOS_WINDOWS namespace.

A hard link to a file in the same directory will also have a separate index value.

The hard link always has namespace POSIX?

8. Compression

The NTFS compression groups 16 cluster blocks together. This group of 16 cluster blocks is either 'compressed' or raw data. The word compressed is quoted because, as you will see below, the group of cluster blocks can also contain uncompressed data. A group of cluster blocks is 'compressed' when its compressed size is smaller than its raw data size.

Within a group of cluster blocks each of the 16 blocks is 'compressed' individually. The maximum uncompressed data size is always the cluster size (in most cases 4096).

The amount and offset of NTFS compressed and raw cluster blocks is maintained in the NTFS Master File Table (MFT). This allows NTFS compression to be combined with sparse cluster blocks.

8.1. Block based storage

NTFS compression stores the 'compressed' data in blocks. Each block has a 2 byte block header.

The block is variable of size and consists of:

offset | size | value | description
0 | 2 | | Block size
2 | (compressed data size) | |

The upper 4 bits of the block size are used as flags.

Bits | Description
0-11 | Compressed data size
12-14 | Unknown flags
15 | Data is compressed

8.2. Compression technique

The NTFS compression technique is based on LZ77 compression.

Every compression block consists of tagged compression groups. A tagged group consists of 8 values (not bytes) preceded by a tag byte.

tag A B C D E F G H

The LSB of the tag byte represents the first value in the group, the MSB the last.
- a tag bit of 0 indicates an uncompressed byte;
- a tag bit of 1 indicates compressed data using a little-endian 16-bit (2-byte) compression tuple (tuple meaning combination of two values).

The compression tuple contains an offset (back reference) and a size value.

Where the size is the actual size minus 3. Use the following calculation to correct the size value in the tuple.

size = size + 3

And the offset is a positive representation of a back reference minus 1. Use the following calculation to correct the offset value in the tuple.

offset = -1 * ( offset + 1 )

The compression tuple uses a dynamic amount of bits to store the offset and size values.

The calculation of the amount of bits used for the offset and size values is as following:
- at the uncompressed data block offset 0, the size is stored in the least significant 12 bits of size and the offset 4 bits
- the larger the uncompressed data block offset, the larger the amount of bits are used for the offset value and the smaller the amount of bits for the size.

The following calculation is used to determine the amount of bits to store the offset and size values.

compression_tuple_size_offset_shift = 12;
compression_tuple_size_mask = 0x0fff;

for( iterator = uncompressed_data_block_offset - 1;
     iterator >= 0x10;
     iterator >>= 1 )
{
    /* bit shift for the offset value */
    compression_tuple_size_offset_shift--;

    /* bit mask for size value */
    compression_tuple_size_mask >>= 1;
}

The tuple is uncompressed by copying the byte at the offset in the uncompressed data to the end of the uncompressed data. This is repeated for the size value of the tuple.

Note that the offset value itself does not change, the offset remains fixed relative to the end of the uncompressed data. However this means that for every increment of the size value the offset refers to another byte in the uncompressed data. Consider the following examples.

8.2.1. Examples

Consider the following tagged compression group:

0x02 0x20 0xfc 0x0f

The tag byte consists of:

0x02 => 00000010b

This means that the 2nd and 3rd values contain a 16-bit compression tuple.

0x0ffc

Because this compression tuple is near the start of the uncompressed data the offset shift is 12 and the size mask is 0x0fff.

offset: 0x0ffc >> 12 => -1 * ( 0 + 1 ) => -1
size: 0x0ffc & 0x0fff => 4092 + 3 => 4095

The algorithm starts with an uncompressed value of 0x20 which represents the space character (ASCII). This value is added to the uncompressed data. Next the algorithm reads the compression tuple and determines the offset and size values. The offset refers to the previous space value in the uncompressed data and adds this to the uncompressed data. And so on. Note that the offset remains referring to the last value in the uncompressed data. In the end we end up with a block of 4096 spaces.

Now consider the following uncompressed data:

#include <ntfs.h>\n
#include <stdio.h>\n

Note that the \n is the string representation of the newline character (ASCII: 0x0a)

This is logically compressed to:

#include <ntfs.h>\n(-18,10)stdio(-17,4)

In the example above the tuples are represented by (offset,size).

The first part of this data stored with tag bytes looks like:

00000000b '#' 'i' 'n' 'c' 'l' 'u' 'd' 'e'
00000000b ' ' '<' 'n' 't' 'f' 's' '.' 'h'
00000100b '>' '\n' 0x07 0x88 's' 't' 'd' 'i' 'o'
00000001b 0x01 0x80

And as a hexdump:

00000000  00 23 69 6e 63 6c 75 64 65 00 20 3c 6e 74 66 73  |.#include. <ntfs|
00000010  2e 68 04 3e 0a 07 88 3c 73 74 64 69 01 01 80     |.h.>...stdio... |

The tag bytes have been made bold and the compression tuples bold and red.

For the first tuple the offset shift is 11 and the size mask is 0x07ff. The tuple consists of:

offset: 0x8807 >> 11 => -1 * ( 17 + 1 ) => -18
size: 0x8807 & 0x07ff => 7 + 3 => 10

This tuple refers to:

(-18,10) => #include <
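
The decompression steps of section 8.2, as an added Python example that is not part of the original document or of the author's tooling: it decodes the tagged compression groups that follow the 2-byte block header and rejects tuples that point before the start of the block or overrun it. The function and constant names are hypothetical, and the second sample stream is constructed for this example with both tuples encoded by the bit-width loop of section 8.2.

```python
"""Decompress the tagged compression groups of one NTFS compression block."""

MAX_BLOCK_SIZE = 4096  # maximum uncompressed size of a block (section 8)

# The first example of section 8.2.1: one space and one tuple.
FIRST_EXAMPLE = bytes([0x02, 0x20, 0xFC, 0x0F])

# Constructed for this example: "#include <ntfs.h>\n#include <stdio.h>\n".
CONSTRUCTED_SAMPLE = (
    b"\x00#include\x00 <ntfs.h\x04>\n\x07\x88stdio\x01\x01\x48")


class CorruptBlockError(ValueError):
    """The compressed data cannot be decoded safely."""


def tuple_layout(uncompressed_offset):
    """Return (offset_shift, size_mask) for a tuple read at this offset."""
    offset_shift = 12
    size_mask = 0x0FFF
    iterator = uncompressed_offset - 1
    while iterator >= 0x10:
        offset_shift -= 1   # one more bit for the offset value
        size_mask >>= 1     # one bit less for the size value
        iterator >>= 1
    return offset_shift, size_mask


def decompress_block_data(data, max_size=MAX_BLOCK_SIZE):
    """Decode the data that follows the 2-byte block header."""
    output = bytearray()
    position = 0
    while position < len(data):
        tag = data[position]
        position += 1
        for bit in range(8):  # LSB describes the first value
            if position >= len(data):
                break
            if not (tag >> bit) & 1:
                # Tag bit 0: an uncompressed byte.
                output.append(data[position])
                position += 1
                if len(output) > max_size:
                    raise CorruptBlockError("block larger than max_size")
                continue
            # Tag bit 1: a little-endian 16-bit compression tuple.
            if position + 2 > len(data):
                raise CorruptBlockError("truncated compression tuple")
            value = int.from_bytes(data[position:position + 2], "little")
            position += 2
            offset_shift, size_mask = tuple_layout(len(output))
            distance = (value >> offset_shift) + 1  # offset = -distance
            size = (value & size_mask) + 3
            if distance > len(output):
                raise CorruptBlockError("back reference before block start")
            if len(output) + size > max_size:
                raise CorruptBlockError("tuple overruns the block")
            # Copy byte by byte: the offset stays fixed relative to the
            # end of the output, so source and destination may overlap.
            for _ in range(size):
                output.append(output[-distance])
    return bytes(output)


if __name__ == "__main__":
    print(len(decompress_block_data(FIRST_EXAMPLE)))
    print(decompress_block_data(CONSTRUCTED_SAMPLE))
```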

9. The reparse point

The reparse point is used to create file system-level links. Reparse point data is stored in the reparse point attribute.

The reparse point data (REPARSE_DATA_BUFFER) is variable of size and consists of:

offset | size | value | description
0 | 4 | | Reparse point tag
4 | 2 | | Reparse data size
6 | 2 | 0 | Reserved
8 | ... | | Reparse data

What about the GUID mentioned in [RUSSON05] in third party reparse points.

[MSDN] ReparseGuid: A 16-byte GUID that uniquely identifies the owner of the reparse point. Reparse point GUIDs are assigned by the implementer of a file system, the file system filter driver, or the minifilter driver. The implementer must generate one GUID to use with their assigned reparse point tag, and must always use this GUID as the ReparseGuid for that tag.

9.1. Reparse point tag

offset | size | value | description
0.0 | 16 bits | | Type
2.0 | 12 bits | | Reserved
3.4 | 4 bits | | Flags

9.1.1. Predefined reparse point tag values

Predefined reparse point tag values according to [MSDN]:

Value | Identifier | Description
0x00000000 | IO_REPARSE_TAG_RESERVED_ZERO | Reserved
0x00000001 | IO_REPARSE_TAG_RESERVED_ONE | Reserved
0x80000005 | IO_REPARSE_TAG_DRIVER_EXTENDER | Used by Home server drive extender
0x80000006 | IO_REPARSE_TAG_HSM2 | Used by Hierarchical Storage Manager Product
0x80000007 | IO_REPARSE_TAG_SIS | Used by single-instance storage (SIS) filter driver
0x8000000a | IO_REPARSE_TAG_DFS | Used by the Distributed File System (DFS)
0x8000000b | IO_REPARSE_TAG_FILTER_MANAGER | Used by filter manager test harness
0x80000012 | IO_REPARSE_TAG_DFSR | Used by the Distributed File System (DFS)
0xa0000003 | IO_REPARSE_TAG_MOUNT_POINT | Junction or mount point
0xa000000c | IO_REPARSE_TAG_SYMLINK | Symbolic link
0xc0000004 | IO_REPARSE_TAG_HSM | Used by Hierarchical Storage Manager Product

9.1.2. Reparse point tag flags

Value | Identifier | Description
0x1 | | Reserved according to [MSDN]
0x2 | | Name surrogate bit. If this bit is set, the file or directory represents another name entity in the system.
0x4 | | Reserved according to [MSDN]. [RUSSON05] Is high-latency media
0x8 | | Is native (Microsoft-bit). Does this flag influence the reparse point GUID?

9.2. Junction or mount point reparse data

The junction or mount point reparse data is variable of size and consists of:

offset | size | value | description
0 | 2 | | Substitute name offset. The offset is relative from the start of the reparse name data
2 | 2 | | Substitute name size. Value in bytes, the size of the end-of-string character is not included
4 | 2 | | Print name offset. The offset is relative from the start of the reparse name data
6 | 2 | | Print name size. Value in bytes, the size of the end-of-string character is not included
Reparse name data
8 | ... | | Substitute name. UTF-16 little-endian with the end-of-string character?
... | ... | | Print name. UTF-16 little-endian with the end-of-string character?

9.3. Symbolic link reparse data

The symbolic link reparse data is variable of size and consists of:

offset | size | value | description
0 | 2 | | Substitute name offset. The offset is relative from the start of the reparse name data
2 | 2 | | Substitute name size. Value in bytes, the size of the end-of-string character is not included
4 | 2 | | Print name offset. The offset is relative from the start of the reparse name data
6 | 2 | | Print name size. Value in bytes, the size of the end-of-string character is not included
8 | 4 | | Symbolic link flags
Reparse name data
12 | ... | | Substitute name. UTF-16 little-endian with the end-of-string character?
... | ... | | Print name. UTF-16 little-endian with the end-of-string character?

9.3.1. Symbolic link flags

Value | Identifier | Description
0x00000001 | SYMLINK_FLAG_RELATIVE | The substitute name is a path name relative to the directory containing the symbolic link.

10. The allocation bitmap

The metadata file $Bitmap contains the allocation bitmap.

Every bit in the allocation bitmap represents a block the size of the cluster block, where the LSB is the first bit in a byte.

11. Update (or change) journal

The metadata file $Extend\$UsnJrnl contains the update (or change) journal. It is a sparse file in which NTFS stores records of changes to files and directories. Applications make use of the journal to respond to file and directory changes as they occur, like e.g. the Windows File Replication Service (FRS) and the Windows (Desktop) Search service.

The update journal consists of:
- the $UsnJrnl:$Max data stream, containing metadata like the maximum size of the journal
- the $UsnJrnl:$J data stream, containing the update (or change) entries

Note that the $UsnJrnl:$J data stream is sparse.

11.1. Update journal metadata

The update journal metadata is 32 bytes of size and consists of:

offset | size | value | description
0 | 8 | | Maximum size
8 | 8 | | Allocation Delta
16 | 8 | | Update (USN) journal identifier. Contains a filetime
24 | 8 | | Unknown (empty)

11.2. Update journal entries

The $UsnJrnl:$J data stream consists of an array of update journal entries.

11.2.1. Update journal entry

The update journal entry (USN_RECORD) is variable of size and consists of:

offset | size | value | description
0 | 4 | | Entry (or record) size
4 | 2 | 0x0002 | Major version
6 | 2 | 0x0000 | Minor version
8 | 8 | | File reference
16 | 8 | | Parent file reference
24 | 8 | | Update sequence number (USN). Contains the file offset of the update journal entry which is used as a unique identifier
32 | 8 | | Update date and time. Contains a filetime
40 | 4 | | Update reason flags. TODO add reference
44 | 4 | | Update source flags. TODO add reference
48 | 4 | | Security identifier index. Contains the index of the security identifier in the $Secure metadata file
52 | 4 | | File attribute flags. See section: 13.1 File attribute flags
56 | 2 | | Name size. Contains the byte size of the name
58 | 2 | | Name offset. The offset is relative from the start of the update journal entry
Common
60 | (name size) | | Name
... | ... | 0x00 | Padding

TODO what about other update journal entry versions?

11.2.2. Update reason flags

Value | Identifier | Description
0x00000001 | USN_REASON_DATA_OVERWRITE | The data in the file or directory is overwritten. The default (unnamed) $DATA attribute was overwritten
0x00000002 | USN_REASON_DATA_EXTEND | The file or directory is extended. The default (unnamed) $DATA attribute was extended
0x00000004 | USN_REASON_DATA_TRUNCATION | The file or directory is truncated. The default (unnamed) $DATA attribute was truncated
0x00000010 | USN_REASON_NAMED_DATA_OVERWRITE | One or more named data streams ($DATA attributes) of file were overwritten
0x00000020 | USN_REASON_NAMED_DATA_EXTEND | One or more named data streams ($DATA attributes) of file were extended
0x00000040 | USN_REASON_NAMED_DATA_TRUNCATION | One or more named data streams ($DATA attributes) of a file were truncated
0x00000100 | USN_REASON_FILE_CREATE | The file or directory was created
0x00000200 | USN_REASON_FILE_DELETE | The file or directory was deleted
0x00000400 | USN_REASON_EA_CHANGE | The extended attributes of the file were changed
0x00000800 | USN_REASON_SECURITY_CHANGE | The access rights (security descriptor) of a file or directory were changed
0x00001000 | USN_REASON_RENAME_OLD_NAME | The name changed. The update journal entry contains the old name
0x00002000 | USN_REASON_RENAME_NEW_NAME | The name changed. The update journal entry contains the new name
0x00004000 | USN_REASON_INDEXABLE_CHANGE | Content indexed status changed; the file attribute: FILE_ATTRIBUTE_NOT_CONTENT_INDEXED was changed
0x00008000 | USN_REASON_BASIC_INFO_CHANGE | Basic file or directory attributes changed. One or more file or directory attributes were changed e.g. read-only, hidden, system, archive, or sparse attribute, or one or more time stamps.
0x00010000 | USN_REASON_HARD_LINK_CHANGE | A hard link was created or deleted
0x00020000 | USN_REASON_COMPRESSION_CHANGE | The file or directory was compressed or decompressed
0x00040000 | USN_REASON_ENCRYPTION_CHANGE | The file or directory was encrypted or decrypted
0x00080000 | USN_REASON_OBJECT_ID_CHANGE | The object identifier of a file or directory was changed
0x00100000 | USN_REASON_REPARSE_POINT_CHANGE | The reparse point that in a file or directory was changed, or a reparse point was added to or deleted from a file or directory.
0x00200000 | USN_REASON_STREAM_CHANGE | A named data stream ($DATA attribute) is added to or removed from a file, or a named stream is renamed
0x00400000 | | Unknown found in TxF update journal entry list
0x00800000 | USN_REASON_CLOSE | The file or directory was closed
0x80000000 | | Unknown found in TxF update journal entry list

11.2.3. Update source flags

Value | Identifier | Description
0x00000001 | USN_SOURCE_DATA_MANAGEMENT | The operation added a private data stream to a file or directory. The modifications did not change the application data.
0x00000002 | USN_SOURCE_AUXILIARY_DATA | The operation was caused by the operating system. Although a write operation is performed on the item, the data was not changed.
0x00000004 | USN_SOURCE_REPLICATION_MANAGEMENT | The operation was caused by file replication
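
An added Python example (not part of the original document) that walks the entries of a $UsnJrnl:$J fragment using the layout of section 11.2.1 and a subset of the reason flags of section 11.2.2, validates the size and name fields before use, and pairs the two entries of a rename. The sample data is constructed, all function names are hypothetical, and stepping over zero areas in 8-byte steps is an assumption.

```python
"""Walk version 2.0 update journal entries in $UsnJrnl:$J data."""
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte part of an entry, in the field order of section 11.2.1.
HEADER = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of the update reason flags listed in section 11.2.2.
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
}


def reason_names(flags):
    """Name the known reason bits; keep any other bits as one hex value."""
    names = [name for bit, name in REASONS.items() if flags & bit]
    unknown = flags & ~sum(REASONS)
    return names + (["0x%08x" % unknown] if unknown else [])


def parse_entries(data):
    """Yield a dict per entry; raise ValueError on an inconsistent entry."""
    offset = 0
    while offset + HEADER.size <= len(data):
        (size, major, _minor, file_ref, parent_ref, usn, filetime, reason,
         source, _sid_index, _attributes, name_size,
         name_offset) = HEADER.unpack_from(data, offset)
        if size == 0:
            # Sparse or padding area reads as zero bytes. Assumption:
            # entries start on 8-byte boundaries, so step by 8 bytes.
            offset += 8
            continue
        if major != 2 or size < HEADER.size or offset + size > len(data):
            raise ValueError("invalid entry header at offset %d" % offset)
        if (name_size % 2 or name_offset < HEADER.size
                or name_offset + name_size > size):
            raise ValueError("name outside entry at offset %d" % offset)
        start = offset + name_offset
        yield {
            "usn": usn,
            "file_reference": file_ref,
            "parent_reference": parent_ref,
            "time": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "reasons": reason_names(reason),
            "source": source,
            "name": data[start:start + name_size].decode("utf-16-le", "replace"),
        }
        offset += (size + 7) & ~7


def rename_pairs(entries):
    """Pair old-name and new-name entries of a rename by file reference."""
    pending, pairs = {}, []
    for entry in entries:
        if "RENAME_OLD_NAME" in entry["reasons"]:
            pending[entry["file_reference"]] = entry["name"]
        elif "RENAME_NEW_NAME" in entry["reasons"]:
            old_name = pending.pop(entry["file_reference"], None)
            pairs.append((old_name, entry["name"]))
    return pairs


def build_entry(usn, name, reason, file_ref, filetime=129803040000000000):
    """Constructed sample entry; the default filetime is 2012-05-01 UTC."""
    raw_name = name.encode("utf-16-le")
    size = (HEADER.size + len(raw_name) + 7) & ~7
    header = HEADER.pack(size, 2, 0, file_ref, 5, usn, filetime, reason,
                         0, 0, 0x20, len(raw_name), HEADER.size)
    return (header + raw_name).ljust(size, b"\x00")


def build_sample():
    """Constructed $J fragment: a zero gap, a create, a rename, a write."""
    data = bytes(16)
    for name, reason in (("notes.txt", 0x00000100),
                         ("notes.txt", 0x00001000),
                         ("notes-old.txt", 0x00002000),
                         ("notes-old.txt", 0x00400003)):
        data += build_entry(len(data), name, reason, file_ref=0x27)
    return data


if __name__ == "__main__":
    for item in parse_entries(build_sample()):
        print(item["usn"], item["time"].isoformat(), item["name"],
              item["reasons"])
    print(rename_pairs(parse_entries(build_sample())))
```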
12. Transactional NTFS (T/F)
.s of 4ista (or !ino!s ser"er /,,3E) Transactional NTFS (T&F) !as ae.
2n T&F the reso$rce manager (>M) %eeps trac% of transactional metaata an log files . The T&F
relate metaata files are store in the metaata irectoryC
O?6te!"KOPmMeta"ata
page 37
12.1. Resource manager repair information
The resource manager repair information metadata file: $Extend\$RmMetadata\$Repair consists of the following data streams:
- the default (unnamed) data stream, purpose unknown
- the $Config data stream, contains the resource manager repair configuration information

12.1.1. Resource manager repair configuration information
The $Repair:$Config data stream contains:
TODO
00000000  01 00 00 00 01 00 00 00  |........|

| offset | size | value | description |
|---|---|---|---|
| 0 | 4 | | Unknown |
| 4 | 4 | | Unknown |
12.2. Transactional NTFS (TxF) metadata directory
The transactional NTFS (TxF) metadata directory: $Extend\$RmMetadata\$Txf is used to isolate files for delete or overwrite operations.
File format? All files seem to start with similar information
12.3. TxF Old Page Stream (TOPS) file
The TxF Old Page Stream (TOPS) file: $Extend\$RmMetadata\$TxfLog\$Tops consists of the following data streams:
- the default (unnamed) data stream, contains metadata about the resource manager, such as its GUID, its CLFS log policy, and the LSN at which recovery should start
- the $T data stream, contains the file data that is partially overwritten by a transaction as opposed to a full overwrite, which would move the file into the Transactional NTFS (TxF) metadata directory

12.3.1. TxF Old Page Stream (TOPS) metadata
The $Tops default (unnamed) data stream contains:
TODO

| offset | size | value | description |
|---|---|---|---|
| 0 | 2 | 0x000a | Unknown |
| 2 | 2 | 0x0064 | Size of TOPS metadata |
| 4 | 4 | 0x0001 | Unknown. Number of resource managers/streams? |
| 8 | 16 | | Resource Manager (RM) identifier. Contains a GUID |
| 24 | 8 | | Unknown (empty) |
| 32 | 8 | | Base (or log start) LSN of TxFLog stream |
| 40 | 8 | | Unknown |
| 48 | 8 | | Last flushed LSN of TxFLog stream |
| 56 | 8 | | Unknown |
| 64 | 8 | | Unknown (empty) |
| 72 | 8 | | Restart LSN? |
| 80 | 20 | | Unknown |
12.3.2. TxF Old Page Stream (TOPS) file data
The $Tops:$T data stream contains the file data that is partially overwritten by a transaction. It consists of multiple pending transaction XML-documents.
Note that the start of each sector contains 0x0001, is this a value indicating the sector is empty? Or are there fix-up values stored somewhere else?
A pending transaction XML-document starts with an UTF-8 byte-order-mark. It roughly contains the following data:
<?xml version='1.0' encoding='utf-8'?>
<PendingTransaction Version="2.0" Identifier="...">
  <Transactions>
    <Transaction TransactionId="...">
      <Install Application="..., Culture=..., Version=..., PublicKeyToken=...,
                            ProcessorArchitecture=..., versionScope=..."
               RefGuid="..."
               RefIdentifier="..."
               RefExtra="..."/>
      ...
    </Transaction>
  </Transactions>
  <ChangeList>
    <Change Family="..., Culture=..., PublicKeyToken=...,
                    ProcessorArchitecture=..., versionScope=..."
            New="..."/>
    ...
  </ChangeList>
  <POQ>
    <BeginTransaction id="..."/>
    <CreateFile path="..."
                fileAttributes="..."/>
    <DeleteFile path="..."/>
    <MoveFile source="..." destination="..."/>
    <HardlinkFile source="..." destination="..."/>
    <SetFileInformation path="..."
                        securityDescriptor="binary base64:..."
                        flags="..."/>
    <CreateKey path="..."/>
    <SetKeyValue path="..."
                 name="..."
                 type="..."
                 encoding="base64"
                 value="..."/>
    <DeleteKeyValue path="..."
                    name="..."/>
    ...
  </POQ>
  <InstallerQueue Length="...">
    <Action Installer="..."
            Mode="..."
            Phase="..."
            Family="..., Culture=..., PublicKeyToken=...,
                    ProcessorArchitecture=..., versionScope=..."
            Old="..."
            New="..."/>
    ...
  </InstallerQueue>
</PendingTransaction>
12.4. Transactional NTFS (TxF) Common Log File System (CLFS) files
TxF uses a Common Log File System (CLFS) log store and the logged utility stream attribute named $TXF_DATA.
See [RUSSINOVICH09], [MSDN] and [LIBFSCLFS] for more information about CLFS.
The base log file (BLF) of the TxF log store is:
$Extend\$RmMetadata\$TxfLog\TxfLog.blf
Commonly the corresponding container files are:
$Extend\$RmMetadata\$TxfLog\TxfLogContainer00000000000000000001
$Extend\$RmMetadata\$TxfLog\TxfLogContainer00000000000000000002
TxF uses a multiplexed log store which contains two streams:
- the KtmLog stream, used for Kernel Transaction Manager (KTM) metadata records
- the TxfLog stream, which contains the TxF log records.
12.5. Transactional data logged utility stream attribute
The transactional data ($TXF_DATA) logged utility stream attribute is 56 bytes in size and consists of:

| offset | size | value | description |
|---|---|---|---|
| 0 | 6 | | Unknown (remnant data) |
| 6 | 8 | | Resource manager root file reference. Contains an NTFS file reference that refers to the MFT |
| 14 | 8 | | USN index? |
| 22 | 8 | | File identifier (TxID). Contains a TxF file identifier |
| 30 | 8 | | Data LSN. Contains a CLFS LSN of file data transaction records |
| 38 | 8 | | Metadata LSN. Contains a CLFS LSN of file system metadata transaction records |
| 46 | 8 | | Directory index LSN. Contains a CLFS LSN of directory index transaction records |
| 54 | 2 | 0x0000, 0x0002 | Flags? |

Note there can be more than 1 per MFT entry
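A parser for the two fixed-size TxF structures tabulated above: the 100-byte metadata at the start of the $Tops default data stream (12.3.1) and the 56-byte $TXF_DATA attribute value (12.5). This is an added example, not code from this document or from the author's libraries; the function names, the GUID byte order (the usual Windows on-disk layout) and the sample bytes are assumptions, and fields the tables mark as unknown are skipped.

```python
import struct
import uuid

# Field layouts from the two tables on this page (little-endian).
TOPS_METADATA = struct.Struct("<HHI16sQQQQQQQ20s")  # 100 bytes, section 12.3.1
TXF_DATA = struct.Struct("<6sQQQQQQH")              # 56 bytes, section 12.5


def split_file_reference(reference):
    """Split a 64-bit NTFS file reference into (MFT entry, sequence number)."""
    # Lower 48 bits: MFT entry number; upper 16 bits: sequence number.
    return reference & 0x0000FFFFFFFFFFFF, reference >> 48


def parse_tops_metadata(data):
    """Parse the metadata at the start of the $Tops default data stream."""
    if len(data) < TOPS_METADATA.size:
        raise ValueError("TOPS metadata needs %d bytes, got %d"
                         % (TOPS_METADATA.size, len(data)))
    (unknown1, size, unknown2, rm_guid, _empty1, base_lsn, _unknown3,
     last_flushed_lsn, _unknown4, _empty2, restart_lsn,
     _unknown5) = TOPS_METADATA.unpack_from(data)
    # 0x000a and 0x0064 are the values the page observed; a different value
    # is reported to the analyst rather than treated as fatal.
    notes = []
    if unknown1 != 0x000A:
        notes.append("first field is 0x%04x, page shows 0x000a" % unknown1)
    if size != TOPS_METADATA.size:
        notes.append("size field is %d, page shows 100" % size)
    return {
        "size": size,
        "unknown_at_4": unknown2,
        # Assumption: GUID stored in the usual Windows on-disk byte order.
        "rm_identifier": str(uuid.UUID(bytes_le=rm_guid)),
        "base_lsn": base_lsn,
        "last_flushed_lsn": last_flushed_lsn,
        "restart_lsn": restart_lsn,
        "notes": notes,
    }


def parse_txf_data(value):
    """Parse one $TXF_DATA logged utility stream attribute value."""
    if len(value) != TXF_DATA.size:
        raise ValueError("$TXF_DATA is %d bytes on this page, got %d"
                         % (TXF_DATA.size, len(value)))
    (remnant, rm_root, usn_index, txf_file_id, data_lsn, metadata_lsn,
     directory_index_lsn, flags) = TXF_DATA.unpack(value)
    return {
        "remnant": remnant,
        "rm_root": split_file_reference(rm_root),
        "usn_index": usn_index,
        "txf_file_id": txf_file_id,
        "data_lsn": data_lsn,
        "metadata_lsn": metadata_lsn,
        "directory_index_lsn": directory_index_lsn,
        "flags": flags,
    }


def parse_all_txf_data(values):
    """An MFT entry can carry more than one $TXF_DATA attribute."""
    return [parse_txf_data(value) for value in values]


# Constructed sample values (not taken from a real volume).
SAMPLE_RM_GUID = "00112233-4455-6677-8899-aabbccddeeff"
SAMPLE_TOPS = TOPS_METADATA.pack(
    0x000A, 0x0064, 1, uuid.UUID(SAMPLE_RM_GUID).bytes_le,
    0, 0x1000, 0, 0x2400, 0, 0, 0x2000, b"\x00" * 20)
SAMPLE_TXF_DATA = TXF_DATA.pack(
    b"\x00" * 6, (5 << 48) | 5, 0, 0x1A2B, 0x1800, 0x1900, 0, 0x0002)

if __name__ == "__main__":
    print(parse_tops_metadata(SAMPLE_TOPS))
    for record in parse_all_txf_data([SAMPLE_TXF_DATA]):
        print(record)
```

The caller supplies the raw bytes: the first 100 bytes of the $Tops default stream and the value of each $TXF_DATA attribute found in an MFT entry.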
13. Windows definitions
13.1. File attribute flags
The file attribute flags consist of the following values:

| Value | Identifier | Description |
|---|---|---|
| 0x00000001 | FILE_ATTRIBUTE_READONLY | Is read-only |
| 0x00000002 | FILE_ATTRIBUTE_HIDDEN | Is hidden |
| 0x00000004 | FILE_ATTRIBUTE_SYSTEM | Is a system file or directory |
| 0x00000008 | | Is a volume label. Not used by NTFS |
| 0x00000010 | FILE_ATTRIBUTE_DIRECTORY | Is a directory. Not used by NTFS |
| 0x00000020 | FILE_ATTRIBUTE_ARCHIVE | Should be archived |
| 0x00000040 | FILE_ATTRIBUTE_DEVICE | Is a device. Not used by NTFS |
| 0x00000080 | FILE_ATTRIBUTE_NORMAL | Is normal. None of the other flags should be set |
| 0x00000100 | FILE_ATTRIBUTE_TEMPORARY | Is temporary |
| 0x00000200 | FILE_ATTRIBUTE_SPARSE_FILE | Is a sparse file |
| 0x00000400 | FILE_ATTRIBUTE_REPARSE_POINT | Is a reparse point or symbolic link |
| 0x00000800 | FILE_ATTRIBUTE_COMPRESSED | Is compressed |
| 0x00001000 | FILE_ATTRIBUTE_OFFLINE | Is offline. The data of the file is stored on an offline storage. |
| 0x00002000 | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | Do not index content. The content of the file or directory should not be indexed by the indexing service. |
| 0x00004000 | FILE_ATTRIBUTE_ENCRYPTED | Is encrypted |
| 0x00010000 | FILE_ATTRIBUTE_VIRTUAL | Is virtual |

The following flags are mainly used in the file name attribute and sparsely in the standard information attribute, it could be that they have a different meaning in both types of attributes or that the standard information flags are not updated. For now the latter is assumed.

| Value | Identifier | Description |
|---|---|---|
| 0x10000000 | | Is directory (or has $I30 index ?) (used instead of 0x00000010 ?) |
| 0x20000000 | | Is index view (copy from corresponding bit in MFT record) |
14. Notes
14.1. $ObjId:$O
00000000  00 00 00 00 13 00 00 00  00 10 00 00 01 00 00 00  |................|
00000010  10 00 00 00 88 00 00 00  88 00 00 00 01 00 00 00  |................|
00000020  20 00 38 00 00 00 00 00  60 00 10 00 01 00 00 00  | .8.....`.......|
OBJECT_ID: 43ecee59-e2b3-11dc-ad7e-001c2582598f of root directory
00000030  59 ee ec 43 b3 e2 dc 11  ad 7e 00 1c 25 82 59 8f  |Y..C.....~..%.Y.|
MFT file reference
OBJECT_ID: e6a67b60-c0b5-4b53-b8fe-94470c83df89 of $Volume
00000040  05 00 00 00 00 00 05 00  60 7b a6 e6 b5 c0 53 4b  |........`{....SK|
00000050  b8 fe 94 47 0c 83 df 89  59 ee ec 43 b3 e2 dc 11  |...G....Y..C....|
00000060  ad 7e 00 1c 25 82 59 8f  00 00 00 00 00 00 00 00  |.~..%.Y.........|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  18 00 00 00 03 00 00 00  |................|
00000090  01 00 00 00 00 00 00 00                           |........|
14.2. NTFS reserved file names

| Filename | Description |
|---|---|
| \$Mft | Master File Table (MFT) - an index of every file |
| \$MftMirr | A backup copy of the first 4 records of the MFT |
| \$LogFile | Transactional logging file |
| \$Volume | Serial number, creation time, dirty flag |
| \$AttrDef | Attribute definitions |
| \$Bitmap | Contains volume's cluster map (in-use vs. free) |
| \$Boot | Boot record of the volume |
| \$BadClus | Lists bad clusters on the volume |
| \$Secure | Security descriptors used by the volume |
| \$UpCase | Table of uppercase characters used for collating |
| \$Extend | A directory |

| Filename | Description |
|---|---|
| \$Extend\$Config | Used for NTFS repair activity |
| \$Extend\$Delete | Delete file name |
| \$Extend\$ObjId | Unique Ids given to every file |
| \$Extend\$Quota | Quota information |
| \$Extend\$Repair | Repair name |
| \$Extend\$Repair.log | Repair log name |
| \$Extend\$Reparse | Reparse point information |
| \$Extend\$RmMetadata | Transactional NTFS resource manager metadata name |
| \$Extend\$Tops | Transactional NTFS Old Page Stream, used to store data that has been overwritten inside a currently active transaction |
| \$Extend\$Txf | Transactional NTFS |
| \$Extend\$TxfLog | Transactional NTFS log |
14.3. File system flags
fsutil fsinfo volumeinfo C:

FILE_CASE_PRESERVED_NAMES
0x00000002
The specified volume supports preserved case of file names when it places a name on disk.

FILE_CASE_SENSITIVE_SEARCH
0x00000001
The specified volume supports case-sensitive file names.

FILE_FILE_COMPRESSION
0x00000010
The specified volume supports file-based compression.

FILE_NAMED_STREAMS
0x00040000
The specified volume supports named streams.

FILE_PERSISTENT_ACLS
0x00000008
The specified volume preserves and enforces access control lists (ACL). For example, the NTFS file system preserves and enforces ACLs, and the FAT file system does not.

FILE_READ_ONLY_VOLUME
0x00080000
The specified volume is read-only.
Windows 2000: This value is not supported.

FILE_SEQUENTIAL_WRITE_ONCE
0x00100000
The specified volume supports a single sequential write.
Windows 2000: This value is not supported.

FILE_SUPPORTS_ENCRYPTION
0x00020000
The specified volume supports the Encrypted File System (EFS). For more information, see File Encryption.

FILE_SUPPORTS_EXTENDED_ATTRIBUTES
0x00800000
The specified volume supports extended attributes. An extended attribute is a piece of application-specific metadata that an application can associate with a file and is not part of the file's data.
Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP/2000: This value is not supported until Windows Server 2008 R2 and Windows 7.

FILE_SUPPORTS_HARD_LINKS
0x00400000
The specified volume supports hard links. For more information, see Hard Links and Junctions.
Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP/2000: This value is not supported until Windows Server 2008 R2 and Windows 7.

FILE_SUPPORTS_OBJECT_IDS
0x00010000
The specified volume supports object identifiers.

FILE_SUPPORTS_OPEN_BY_FILE_ID
0x01000000
The file system supports open by FileID. For more information, see FILE_ID_BOTH_DIR_INFO.
Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP/2000: This value is not supported until Windows Server 2008 R2 and Windows 7.

FILE_SUPPORTS_REPARSE_POINTS
0x00000080
The specified volume supports re-parse points.

FILE_SUPPORTS_SPARSE_FILES
0x00000040
The specified volume supports sparse files.

FILE_SUPPORTS_TRANSACTIONS
0x00200000
The specified volume supports transactions. For more information, see About KTM.
Windows 2000: This value is not supported.

FILE_SUPPORTS_USN_JOURNAL
0x02000000
The specified volume supports update sequence number (USN) journals. For more information, see Change Journal Records.
Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP/2000: This value is not supported until Windows Server 2008 R2 and Windows 7.

FILE_UNICODE_ON_DISK
0x00000004
The specified volume supports Unicode in file names as they appear on disk.

FILE_VOLUME_IS_COMPRESSED
0x00008000
The specified volume is a compressed volume, for example, a DoubleSpace volume.

FILE_VOLUME_QUOTAS
0x00000020
The specified volume supports disk quotas.
Appendix A. References

[SANDERSON02]
Title: NTFS Compression – a forensic view
Author(s): Paul Sanderson
Date: October 2002
URL: http://www.sandersonforensics.co.uk/Files/NTFS%20compression%20white%20paper.pdf

[CARRIER05]
Title: File System Forensic Analysis
Author(s): Brian Carrier
Date: 2005
ISBN-10: 0-321-26817-2

[RUSSON05]
Title: NTFS Documentation
Author(s): Richard Russon, Yuval Fledel
Date: 2005
URL: http://linux-ntfs.org/

[POLLARD06]
Title: All about BIOS parameter blocks
Author(s): Jonathan de Boyne Pollard
URL: http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/bios-parameter-block.html

[MEDEIROS08]
Title: NTFS Forensics - A Programmers View of Raw Filesystem Data Extraction
Author(s): Jason Medeiros
URL: http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf

[RUSSINOVICH09]
Title: Windows Internals 5 - Covering Windows Server 2008 and Windows Vista
Author(s): Mark E. Russinovich and David A. Solomon
Date: June 17, 2009
ISBN-13: 978-0735625303

[LIBBDE]
Title: BitLocker Drive Encryption (BDE) format specification - Analysis of the BitLocker Drive Encryption (BDE) volume format
Date: March 2011
Author(s): Joachim Metz
URL: http://code.google.com/p/libbde/downloads/detail?name=BitLocker%20Drive%20Encryption%20%28BDE%29%20format.pdf

[LIBFSCLFS]
Title: Common Log File System – Analysis of the Windows ARIES log system
Date: November 2010
Author(s): Joachim Metz
URL: http://code.google.com/p/libfslibs/downloads/detail?name=Common%20Log%20File%20System%20%28CLFS%29.pdf

[LIBVSHADOW]
Title: Volume Shadow Snapshot (VSS) - Analysis the Windows NT VSS format
Date: March 2011
Author(s): Joachim Metz
URL: http://code.google.com/p/libvshadow/downloads/detail?name=Volume%20Shadow%20Snapshot%20%28VSS%29%20format.pdf&can=2&q=#makechanges

[LINUXNTFS]
Title: Linux-NTFS Project
URL: http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/index.html

[MSSUPPORT]
Title: Microsoft Support - How Windows Generates 8.3 File Names from Long File Names
URL: http://support.microsoft.com/kb/142982/en-us

[MSDN]
Title: Microsoft Developer Network
URL: http://technet.microsoft.com/en-us/library/cc781134%28WS.10%29.aspx
Subject: Reserved file names
URL: http://msdn.microsoft.com/en-us/library/ff469234%28v=PROT.10%29.aspx
Subject: NTFS attribute types
URL: http://msdn.microsoft.com/en-us/library/ff469236%28PROT.10%29.aspx
Subject: Reparse point
URL: http://msdn.microsoft.com/en-us/library/aa365740%28VS.85%29.aspx
URL: http://msdn.microsoft.com/en-us/library/aa365511%28v=VS.85%29.aspx
URL: http://msdn.microsoft.com/en-us/library/dd541667%28PROT.13%29.aspx
URL: http://msdn.microsoft.com/en-us/library/cc232005%28v=PROT.13%29.aspx
URL: http://msdn.microsoft.com/en-us/library/cc232006%28v=PROT.13%29.aspx
URL: http://msdn.microsoft.com/en-us/library/cc232007%28v=PROT.13%29.aspx
Subject: Update (or change) journal
URL: http://msdn.microsoft.com/en-us/library/aa363798.aspx
URL: http://msdn.microsoft.com/en-us/library/aa363803%28VS.85%29.aspx
URL: http://msdn.microsoft.com/en-us/library/aa365722%28VS.85%29.aspx
Subject: transactional NTFS
URL: http://msdn.microsoft.com/en-us/library/bb968806%28v=VS.85%29.aspx
URL: http://msdn.microsoft.com/en-us/library/bb986748%28VS.85%29.aspx
URL: http://msdn.microsoft.com/en-us/library/bb540368%28VS.85%29.aspx

[WIKI]
URL: http://en.wikipedia.org/wiki/NTFS
URL: http://en.wikipedia.org/wiki/BIOS_parameter_block
URL: http://en.wikipedia.org/wiki/Transactional_NTFS

[WIN32PROG]
Title: The Win32 Programming Tutorials For Fun – Appendix E. NTFS On-Disk Structure
URL: http://www.installsetupconfig.com/win32programming/1996%20AppE_apnilife.pdf
Appendix B. GNU Free Documentation License
Version 1.3, 3 November 2008
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
1. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.
The "publisher" means any person or entity that distributes copies of the Document to the public.
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.
The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
2. VERBATIM COPYING
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
4. MODIFICATIONS
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
7. AGGREGATION WITH INDEPENDENT WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.
10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation
License from time to time. Such new versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document specifies that
a particular numbered version of this License "or any later version" applies to it, you have the option
of following the terms and conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document does not specify a
version number of this License, you may choose any version ever published (not as a draft) by the
Free Software Foundation. If the Document specifies that a proxy can decide which future versions
of this License can be used, that proxy's public statement of acceptance of a version permanently
authorizes you to choose that version for the Document.
11. RELICENSING
"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that
publishes copyrightable works and also provides prominent facilities for anybody to edit those
works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor
Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus
published on the MMC site.
"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by
Creative Commons Corporation, a not-for-profit corporation with a principal place of business in
San Francisco, California, as well as future copyleft versions of that license published by that same
organization.
"Incorporate" means to publish or republish a Document, in whole or in part, as part of another
Document.
An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were
first published under this License somewhere other than this MMC, and subsequently incorporated in
whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus
incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the
same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.