NTFS (New Technology File System) was designed from the very beginning as an enterprise file system. To reduce data loss from a sudden power cut or system crash, the file system must always guarantee the integrity of its metadata. To protect sensitive data from unauthorized access, the file system needs a comprehensive security model. To protect user data, the file system should provide an inexpensive software-based data redundancy scheme instead of an expensive hardware-based one.

High-level features of NTFS

1. Multiple data streams
2. Unicode-based names
3. General indexing mechanism
4. Dynamic bad-cluster remapping
5. POSIX support
6. File compression
7. File encryption
8. Disk quotas
9. Hard links and soft links
10. Link tracking
11. Log records
12. Fragmentation

NTFS file system terminology

LCN: Logical Cluster Number
VCN: Virtual Cluster Number
BPB: BIOS Parameter Block
FSD: File System Driver
SCB: Stream Control Block
FCB: File Control Block
EFS: Encrypting File System
MFT: Master File Table
MFT Mirror: Master File Table Mirror

Metadata: Data stored on the volume to support file system management. Application programs cannot access it; it only serves the system.
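How several of the terms above relate on disk, as an added example that is not part of the original article: the BPB in the NTFS boot sector stores the LCN of the MFT and of the MFT Mirror, and an LCN multiplied by the cluster size gives a byte offset on the volume. The field offsets follow the standard NTFS boot sector layout; the function names and the sample sector are constructed for illustration.

```python
import struct

SIGNATURE = b"\x55\xaa"  # end-of-sector marker at offset 510

def parse_ntfs_bpb(sector: bytes) -> dict:
    """Read the BPB from an NTFS boot sector and locate the MFT and MFT Mirror."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    " or sector[510:512] != SIGNATURE:
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (rec_raw,) = struct.unpack_from("<b", sector, 0x40)
    # Assumes the plain sectors-per-cluster encoding (values up to 128).
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("corrupt BPB: zero sector or cluster size")
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Positive value: clusters per MFT record. Negative value n: 2**abs(n) bytes.
    record_size = rec_raw * cluster_size if rec_raw > 0 else 1 << -rec_raw
    volume_size = total_sectors * bytes_per_sector
    mft_offset = mft_lcn * cluster_size      # LCN -> byte offset on the volume
    mirr_offset = mirr_lcn * cluster_size
    # A damaged or tampered BPB can point outside the volume; check before seeking.
    if mft_offset >= volume_size or mirr_offset >= volume_size:
        raise ValueError("corrupt BPB: MFT LCN lies outside the volume")
    return {"cluster_size": cluster_size, "mft_record_size": record_size,
            "mft_offset": mft_offset, "mft_mirror_offset": mirr_offset,
            "volume_size": volume_size}

def build_sample_sector(mft_lcn: int = 8533) -> bytes:
    """Constructed boot sector for a roughly 100 MiB volume (not from a real disk)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                             # jump instruction
    s[3:11] = b"NTFS    "                                # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)             # 512 B sectors, 8 per cluster
    struct.pack_into("<QQQ", s, 0x28, 204799, mft_lcn, 2)  # sectors, MFT, MFT Mirror
    struct.pack_into("<b", s, 0x40, -10)                 # 2**10 = 1024-byte records
    s[510:512] = SIGNATURE
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_ntfs_bpb(build_sample_sector()).items():
        print(f"{key}: {value}")
```
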

Drivers of NTFS

The Win32 I/O API is implemented by the I/O manager. The I/O manager sends I/O requests to the NTFS FSD for execution. In doing so, the I/O manager also works together with the cache manager, the memory manager, the log file service, the volume manager and the disk driver.

Applications create and store files through the NTFS FSD. This process includes the following steps. First, Windows 2000/XP checks permissions; only requests from authorized users are allowed to run. Then the I/O manager translates the file handle into a file object pointer. Finally, NTFS locates the file on disk through the file object pointer.

Now let’s analyze how NTFS locates files on disk through the file object pointer. NTFS uses the file object pointer to obtain the stream control block (SCB) of a file attribute. Each SCB represents a single attribute of the file and contains information on how to obtain that attribute. All SCBs of a file point to a common data structure, the File Control Block (FCB). The FCB contains a pointer to the file's record in the master file table (MFT). NTFS gains access to the file through this pointer.