File System

$I30 in MFT

YOURIFE 2009. 1. 29. 16:45
It's all a bit confusing but here's my understanding (using Brian Carrier's FSFA book and Google):

The $I30 is a "file" name given to NTFS MFT attributes containing file name indexes for directories. NTFS stores the file name contents of the directory in several places, depending on the number of files in the directory:

- For directories with just a few files, all are stored resident in the MFT entry $INDEX_ROOT
- For directories with many files, the indexes are stored non-resident in the MFT entry $INDEX_ALLOCATION
- The allocation status of these entries is managed by the $BITMAP MFT entry

NTFS uses B-tree structures to store and quickly access the data. In an example I just looked at, the HISTORY.IE5 directory on a computer had many files. So, the $INDEX_ROOT attribute (with a name of $I30) was not large enough to store the B-tree index of file names. Instead, it points to index records stored in the non-resident $INDEX_ALLOCATION. When I view the contents of that file, I see the B-tree index of file names in the directory.

Why “$I30”? The MSDN blog explains:

Filenames are largely alphanumeric, and the first alphanumeric character in the UNICODE table is 0x30 (48 for those who are hexadecimally challenged). “$I30” is a shorthand method for saying “Index that’s alphanumeric”. (http://blogs.msdn.com/ntdebugging/archive/2008/10/31/ntfs-misreporting-free-space-part-2.aspx)

I cannot access the forum link you posted so I'm not sure if I am answering your question or not. I hope this is helpful.

by ahoog
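
The answer above describes index records in the non-resident $INDEX_ALLOCATION holding the B-tree of file names. The following is an added example, not part of the original post: a Python sketch that lists the names in one such INDX record, and goes slightly beyond the post by undoing the per-sector fixup values first. Field offsets follow the commonly documented NTFS on-disk layout; the function names, the sample record and the file names in it are constructed for illustration.

```python
import struct

def parse_index_node(buf, node_off):
    """Walk one B-tree node. node_off = start of the index node header
    (24 in an INDX record, 16 in a resident $INDEX_ROOT)."""
    first, used_end, _alloc, node_flags = struct.unpack_from("<IIII", buf, node_off)
    pos, end, names = node_off + first, min(node_off + used_end, len(buf)), []
    while pos + 16 <= end:
        ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, pos)
        if entry_len < 16 or pos + entry_len > end:
            break                      # corrupt length: stop instead of looping
        if flags & 0x02:               # last entry in the node carries no name
            break
        fn = buf[pos + 16 : pos + 16 + fn_len]   # embedded $FILE_NAME
        if len(fn) >= 66:              # name length at 64, UTF-16LE name at 66
            name = fn[66 : 66 + 2 * fn[64]].decode("utf-16-le", "replace")
            names.append((ref & 0xFFFFFFFFFFFF, ref >> 48, name))
        pos += entry_len
    return bool(node_flags & 0x01), names   # (node has children?, entries)

def parse_indx_record(rec, sector=512):
    """Undo the per-sector fixups of an INDX record, then list its entries."""
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    for i in range(1, usa_cnt):
        tail = i * sector - 2
        if buf[tail : tail + 2] != buf[usa_off : usa_off + 2]:
            raise ValueError("fixup mismatch in sector %d" % i)
        buf[tail : tail + 2] = buf[usa_off + 2 * i : usa_off + 2 * i + 2]
    return parse_index_node(bytes(buf), 24)

def build_sample():
    """Constructed 1024-byte INDX record holding two made-up file names."""
    body = b""
    for ref, seq, name in [(40, 1, "index.dat"), (41, 3, "desktop.ini")]:
        fn = struct.pack("<Q", 5) + bytes(56) + bytes([len(name), 1]) + name.encode("utf-16-le")
        size = (16 + len(fn) + 7) & ~7                    # entries are 8-byte aligned
        body += struct.pack("<QHHI", ref | seq << 48, size, len(fn), 0) + fn.ljust(size - 16, b"\0")
    body += struct.pack("<QHHI", 0, 16, 0, 0x02)          # end-of-node marker
    rec = bytearray(1024)
    struct.pack_into("<4sHHQQIIII", rec, 0, b"INDX", 40, 3, 0, 0, 24, 24 + len(body), 1000, 0)
    rec[48 : 48 + len(body)] = body
    rec[40:42] = b"\x07\x00"                              # update sequence number
    for i in (1, 2):                                      # stash sector tails, stamp USN
        rec[40 + 2 * i : 42 + 2 * i], rec[512 * i - 2 : 512 * i] = rec[512 * i - 2 : 512 * i], rec[40:42]
    return bytes(rec)
```

Each returned tuple is (MFT entry number, sequence number, file name); `parse_index_node` can also be pointed at a resident $INDEX_ROOT attribute body with `node_off=16`.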
