Recently DTI Data Recovery received an interesting question about NTFS data recovery and the values stored in the Master File Table. The question referenced the value following the magic value of ‘FILE’ in the record. Some of the time the data is an asterisk ‘*’ and other time the data is a zero ‘0’. The person asking the question thought that his MFT might be corrupt, in actuality it was not. The following text is an explanation of what the data stores and a possible clarification as to why there are two different values.
The value that is stored at that offset is a two byte offset to the Update Sequence Array. The Update Sequence Array holds values that are used to verify that a group of sectors are valid. In other words it is a kind of ‘CRC’ check if you will. Microsoft uses a method called a ‘Fixup’ to verify that the sectors it is reading are free from corruption. Here is how it works:
The offset to the Update Sequence Array in this particular case is 30h or 42 decimal. If you look 42 bytes from the beginning of the sector you will see a two byte number. This number is also written at byte offset 1FEh or 510 decimal. If the sector is valid then these two numbers should match. If you take a look at the second sector of the MFT record at offset 510 you should see that number again. So the number at offset 42 was taken and written to offset 510 for the first and the second sector of the MFT record.
The question is what happened to the original data that was located at offset 510 in both of those sectors?
When the record is created the data at those two offsets is read into memory. That data is then stored in the next four bytes of the Update Sequence Array. Two bytes for the first sector and two bytes for the second sector. Those bytes replace the ‘Fixup’ number placed at offset 510. In this particular case both of the values are ’00 00’ as shown in the figure. However, there are many times when that data is not a zero and may contain security information, dates, file sizes, and even the cluster mapping.
The following is a sequence of events the operating system uses when reading an MFT record. There may be other steps but these are the ones that must be used in order to do NTFS data recovery and process the ‘Fixup’ verification logic.
1. Read the records two sectors from the MFT.
2. Read the two byte offset of the Update Sequence Array located right after the four byte record magic value
3. Compare the first number in the array to the number at offset 510 in sector 1
4. If the values do not match indicate and error. This is when ‘chkdsk’ could be run
5. Repeat steps 3 and 4 for sector 2
6. Take the next value in the Update Sequence Array and write it at offset 510 in sector 1
7. Repeat step 6 for sector 2
I hope this helps anyone who may have been curious as to how the ‘Fixup’ logic worked for the MFT. I haven’t worked with the Master File Table in awhile so I had to do some research. As an aside, the offset in the questioners MFT is 42 and I believe this indicates an older version of NTFS. Perhaps NT4 or Windows 2000. The offset for XP and beyond is 48. I believe the difference is that Microsoft added a place to store the actual record number in the MFT and the record number uses eight bytes. This is one of the differences between NTFS4 and NTFS5.