What Is the $MFT ?

-= This information is supplied courtesy of Data Clinic Ltd, http://www.dataclinic.co.uk/ =-

After a format operation, some important system information will be introduced to the hard drive. This system information is called metadata file. They are not accessible by the users. Each filename of these system information starts with a “$”, indicating that it is a hidden and protected file. In NTFS file system, there are 16 metadata files. In this section, we will introduce the first metadata file of $MFT. The other 15 metadata files will be introduced in latter sections.

All the system data and user data are treated as files stored in NTFS partition. $MFT metadata file is the most important system management file, which consists of all the MFT file records of each file (system data and user data) on the partition. The MFT file record is the place where stores the filename, the file creation date and time, file data location, etc. The operating system retrieves the file content and associated file information mainly from the MFT file record. The size of the $MFT will depend on the total number of files stored on the partition. When the $MFT first created during the format operation, the Windows OS will reserve a certain amount of space for this file. The reserved size can be 12.5%, 25%, 37.5% or 50% of the partition. Another reason to reserve the space is to avoid the $MFT getting fragmented.

The first 16 MFT file records in the $MFT are the 16 system information metadata files. The first MFT file record records the file information of the $MFT metadata file itself. Due to its importance of the $MFT, the system creates a copy of the $MFT and stores it in a file of $MFTMirr. But it is not a complete clone of the $MFT, it only holds the first four MFT file records of the $MFT. The second MFT file record reflects the $MFTMirr.

The DBR sector of the NTFS file system is always located at the first sector of the partition. But the location of the $MFT is determined by the operating system. It is also specified by the content at offset 0x30 to 0x37 of the DBR sector. In Fig- ure 3.1, it indicates that the $MFT is located at cluster 0xC00000 (cluster 786,432). The $MFTMirr is indicated by the content at offset 0x38-0x3F. It is 0x84C403A3 (cluster 61,048,004) in Figure 3.1. The first cluster number of the $MFT is a very important parameter which can be used to work out the configuration of a RAID system. It will be introduced in the chapter of RAID in this book.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s