The bootstrapping firmware contained within the ROM BIOS
loads and executes the master boot record. The MBR of a drive usually includes
the drive's partition table, which the PC uses to load and run the boot record
of the partition that is marked with the active flag. This design allows the
BIOS to load any OS without knowing exactly where to start inside its
partition. Because the MBR is read almost immediately when the computer is
started, many computer viruses made in the era before virus scanner software
became widespread operated by changing the code within the MBR.
The Partition
Table:
In computer engineering, hard disk drive partitioning is
the creation of logical divisions on a hard disk that allows one to apply
operating system-specific logical formatting.
The partition table is located in the master boot record
on the disk. The master boot record is the first sector on a disk. The
partition table consists of 64 bytes. There are 4 partition table entries. Each
is 16 bytes in length.
The partition table starts at offset (Hexadecimal) 0x1BE.
Each partition table entry is 16 bytes in length so:
Master Boot Record / Extended Partition Boot Record
(offset)
0x0000 to 0x01BD - First 446 bytes (boot loader code)
0x01BE to 0x01CD - Partition entry 1
0x01CE to 0x01DD - Partition entry 2
0x01DE to 0x01ED - Partition entry 3
0x01EE to 0x01FD - Partition entry 4
0x01FE to 0x01FF - Boot signature (55 AA)
Each partition table entry has the following arrangement:
|====================================================|
| Byte Count | Description of contents |
|====================================================|
| 1 | Boot indicator (0x00 off, 0x80 on) |
|====================================================|
| 3 | Starting head, cylinder and sector |
|====================================================|
| 1 | File system descriptor |
|====================================================|
| 3 | Ending head, cylinder and sector |
|====================================================|
| 4 | Starting sector (offset to disk start |
|====================================================|
| 4 | Number of sectors in partition |
|====================================================|
Sample partition table entry... (please also keep in mind
that all bytes are in little endian):
offset: value explanation
======: ===== ===========
0x01BE: 0x80 bootable flag (0x00 for flag
off, 0x80 for on)
0x01BF: 0x00 0x02 0x00 starting head, cylinder and sector
0x01C2: 0x07 file system descriptor
0x01C3: 0x1A 0x5B 0x8C ending head, cylinder and sector
0x01C6: 0x02 0x00 0x00 0x00 starting sector (relative to start of disk)
0x01CA: 0x00 0x35 0x0C 0x00 number of sectors in partition
Active partition: The Bootable Flag determines the active
partition. Only one partition can normally be active at a time. The active
marker is used during boot: after the BIOS loads the MBR into memory and
executes it, the MBR checks the partition table at its end, and locates the
active partition. Then it proceeds to load the boot sector of that partition
into memory and runs it.
Logical partitions: Logical partitions are a way to
extend the Master Boot Record's limitation of four partitions. One partition
can be designated as an extended partition. This can contain up to 24 logical
partitions, whose details are listed in the extended partition's own partition
table, the Extended Partition Boot Record or EPBR. Modern operating systems
treat these the same as primary partitions.
FAT 16
Introduction
This is the 16-bit version of the FAT file system. The
16-bit part describes the way units are allocated on the drive. The FAT16 file
system uses a 16-bit number to identify each allocation unit (called cluster),
and this gives it a total of 65.536 clusters. The size of each cluster is
defined in the boot sector of the volume (volume = partition). The File System
ID number usually associated with FAT16 volumes are 04h and 06h. The first is
used on volumes with less than 65536 sectors (typical this is on drives less
than 32 Mb in size), and the latter one is used on volumes with more than 65536
sectors. There is also another variant which is used with the LBA address mode,
that variant has a File System ID of 0Eh.
Basic Structure
The FAT16 file system structure contains the following
regions:
FAT16 File System Structure
Region
|
Reserved Region (incl. Boot Sector)
|
File Allocation Table (FAT)
|
Root Directory
|
Data Region
|
The first sector (boot sector) contain information which
is used to calculate the sizes and locations of the other regions. The boot
sector also contain code to boot the operating system installed on the volume.
The data region is split up into logical blocks called clusters. Each of these
clusters has an accompanying entry in the FAT region. The cluster specific
entry can either contain a value of the next cluster which contain data from
the file, or a so called End-of-file value which means that there are no more
clusters which contain data from the file. The root directory and its
sub-directories contain filename, dates, attribute flags and starting cluster
information about the filesystem objects.
Boot Sector
The first sector in the reserved region is the boot
sector. Though this sector is typical 512 bytes in can be longer depending on
the media. The boot sector typical start with a 3 byte jump instruction to
where the bootstrap code is stored, followed by an 8 byte long string set by
the creating operating system. This is followed by the BIOS Parameter Block,
and then by an Extended BIOS Parameter Block. Finally the boot sector contain
boot code and a signature.
Structure of the
FAT16 Boot sector
Part
|
Offset
|
Size
|
Description
|
Code
|
0000h
|
3 bytes
|
Code to jump to the bootstrap code.
|
OS Name
|
0003h
|
8 bytes
|
Oem ID - Name of the formatting OS
|
BIOS Para- meter Block
|
000Bh
|
2 bytes
|
|
000Dh
|
1 bytes
|
||
000Eh
|
2 bytes
|
||
0010h
|
1 bytes
|
||
0011h
|
2 bytes
|
||
0013h
|
2 bytes
|
||
0015h
|
1 bytes
|
||
0016h
|
2 bytes
|
||
0018h
|
2 bytes
|
||
001Ah
|
2 bytes
|
||
001Ch
|
4 bytes
|
||
0020h
|
4 bytes
|
||
Ext. BIOS Para- meter Block
|
0024h
|
1 bytes
|
|
0025h
|
1 bytes
|
||
0026h
|
1 bytes
|
||
0027h
|
4 bytes
|
||
002Bh
|
11 bytes
|
||
0036h
|
8 bytes
|
||
Code
|
003Eh
|
448 bytes
|
|
Sig.
|
01FEh
|
2
|
FAT 32
Introduction
This is the 32-bit version of the FAT file system. The
32-bit part describes the way units are allocated on the drive. The FAT32 file
system uses a 32-bit number to identify each allocation unit (called cluster),
and this gives it a total of 4.294.967.296 clusters. The size of each cluster
is defined in the boot sector of the volume (volume = partition).
Boot Sector Structure
The first sector on the volume is the boot sector. It is
exactly 512 bytes long and have the following structure.
Structure of the FAT32 Boot sector
Part
|
Offset
|
Size
|
Description
|
Code
|
0000h
|
3 bytes
|
JMP 0x80h
|
OS Name
|
0003h
|
8 bytes
|
Oem ID - Name of the formatting OS
|
BIOS Para- meter Block
|
000Bh
|
2 bytes
|
Bytes per Sector on the physical medium - Normally 512 bytes
|
000Dh
|
1 bytes
|
Sectors per Cluster - 1, 2, 4, 8, 16, 32, 64 or 128 sectors
|
|
000Eh
|
2 bytes
|
Reserved sectors in front of the FAT(s) incl. the Boot sector
|
|
0010h
|
1 bytes
|
Number of FAT copies - Normaly 2
|
|
0011h
|
4 bytes
|
Not used in FAT32
|
|
0015h
|
1 bytes
|
Media Descriptor - The same as in FAT16, but FAT32 is only
allowed on harddrives, so the value is F8h
|
|
0016h
|
2 bytes
|
Not used in FAT32
|
|
0018h
|
2 bytes
|
Sectors per Track - The disc geometry used when formatting the
partition.
|
|
001Ah
|
2 bytes
|
Heads - The disc geometry used when formatting the partition.
|
|
001Ch
|
4 bytes
|
The number of sectors on the disk from the start of the
partition to the beginning of the first FAT.
|
|
0020h
|
4 bytes
|
Number of sectors in the partition
|
|
0024h
|
4 bytes
|
Sectors per FAT
|
|
0028h
|
2 bytes
|
||
002Ah
|
2 bytes
|
FAT32 Drive Version (High byte = Major version, Low byte =
Minor version)
|
|
002Ch
|
4 bytes
|
Cluster number for the start of the Root Directory Table
|
|
0030h
|
2 bytes
|
Sector number from the start of the partition, for the File
System Information Sector
|
|
0032h
|
2 bytes
|
Sector number from the start of the partition, for the Backup
Boot Sector
|
|
0034h
|
12 bytes
|
Reserved
|
|
Ext. BIOS Para- meter Block
|
0040h
|
1 bytes
|
Logical Drive Number - Normaly 00h for floppies and 80h for
hard drives.
|
0041h
|
1 bytes
|
||
0042h
|
1 bytes
|
||
0043h
|
4 bytes
|
ID - Random generated serial number
|
|
0047h
|
11 bytes
|
Volume Label - The same as stored in a special file in the
root directory.
|
|
0052h
|
8 bytes
|
System ID - This is the string 'FAT32 '
|
|
Code
|
005Ah
|
420 bytes
|
|
Sig.
|
01FEh
|
2
|
Executable sector signature (AA55h when read into a register)
|
New Technology File System (NTFS)
NTFS also includes security features required for file
servers and high-end personal computers in a corporate environment, and data
access control and ownership privileges important for data integrity.
Multiple Data Streams
NTFS supports multiple data streams, where the stream
name identifies a new data attribute on the file. A handle can be opened to
each data stream. A data stream, then, is a unique set of file attributes.
Streams have separate opportunistic locks, file locks, and sizes, but common
permissions.
This feature enables you to manage data as a single unit.
The following is an example of an alternate stream:
myfile.dat:stream2
A library of files might exist where the files are
defined as alternate streams, as in the following example:
library:file1
:file2
:file3
A file can be associated with more than one application
at a time, such as Microsoft® Word and Microsoft® WordPad. For instance, a file
structure like the following illustrates file association, but not multiple
files:
program:source_file
:doc_file
:object_file
:executable_file
You can use the Win32 advanced programming interface
(API) CreateFile to create an alternate data stream. Or, at the command prompt,
you can type commands such as:
echo text>program:source_file
more <program:source_file
Caution
Because NTFS is not supported on floppy disks, when you
copy an NTFS file to a floppy disk, data streams and other attributes not
supported by FAT are lost without warning.
Reparse Points
Reparse points are new file system objects in the version
of NTFS included with Windows 2000. Reparse points have a definable attribute
containing user-controlled data and are used to extend functionality in the
input/output (I/O) subsystem.
Change Journal
The change journal is used by NTFS to provide a
persistent log of all changes made to files on the volume. For each volume,
NTFS uses the change journal to track information about added, deleted, and
modified files. The change journal is much more efficient than time stamps or
file notifications for determining changes in a given namespace.
The change journal is implemented as a sparse stream in
which only a small active range uses any disk allocation. The active range
initially begins at offset 0 in the stream and moves monotonically forward. The
unique sequence number (USN) of a particular record represents its virtual
offset in the stream. As the active range moves forward through the stream,
earlier records are deallocated and become unavailable. The size of the active
range in a sparse file can be adjusted.
Encryption
File and directory-level encryption is implemented in the
version of NTFS included with Windows 2000 for enhanced security in NTFS
volumes. Windows 2000 uses Encrypting File System (EFS) to store data in
encrypted form, which provides security when the storage media are removed from
a system running Windows 2000.
Sparse File
Support
Sparse files allow programs to create very large files,
but to consume disk space only as needed. A sparse file is a file with an
attribute that causes the I/O subsystem to allocate the file's meaningful
(nonzero) data. All nonzero data is allocated on disk, whereas all
nonmeaningful data (large strings of data composed of zeros) is not. When a
sparse file is read, allocated data is returned as it was stored, and
nonallocated data is returned, by default, as zeros in accordance with the C2
security requirement specification.
NTFS includes full sparse file support for both
compressed and uncompressed files. NTFS handles read operations on sparse files
by returning allocated data and sparse data. It is possible to read a sparse
file as allocated data and a range of data without having to retrieve the
entire data set, although, by default, NTFS returns the entire data set.
You can set a user-controlled file system attribute to
take advantage of the sparse file function in NTFS. With the sparse file
attribute set, the file system can deallocate data from anywhere in the file
and, when an application calls, yield the zero data by range instead of storing
and returning the actual data. File system APIs allow for the file to be copied
or backed as actual bits and sparse stream ranges. The net result is efficient
file system storage and access. Figure shows how data is stored with and
without the sparse file attribute set.
Structure of an
NTFS Volume
Like FAT, NTFS uses clusters as the fundamental unit of
disk allocation. In the Disk Management snap-in, you can specify a cluster size
of up to 4 KB. If you type format at the command prompt to format your NTFS
volume, but do not specify an allocation unit size using the /A:<size>
switch , the values in Table will be used.
Table Default
Cluster Sizes for NTFS
Volume
Size
|
Sectors
Per Custer
|
Default
Cluster Size
|
512 MB or less
|
1
|
512 bytes
|
513 MB–1,024 MB (1 GB)
|
2
|
1,024 bytes (1 KB)
|
1,025 MB–2,048 MB (2 GB)
|
4
|
2,048 bytes (2 KB)
|
Greater than 2,049 MB
|
8
|
4 KB
|
Note
Windows 2000, like Windows NT 3.51 and Windows NT 4.0,
supports file compression. Since file compression is not supported on cluster
sizes above 4 K, the default NTFS cluster size for Windows 2000 never exceeds 4
K.
The Second Extended (EXT2)
Figure: Physical Layout of the EXT2 File system
The Second Extended File system was devised (by Rémy
Card) as an extensible and powerful file system for Linux. It is also the most
successful file system so far in the Linux community and is the basis for all
of the currently shipping Linux distributions.
The EXT2 file system, like a lot of the file systems, is
built on the premise that the data held in files is kept in data blocks. These
data blocks are all of the same length and, although that length can vary
between different EXT2 file systems the block size of a particular EXT2 file
system is set when it is created (using mke2fs ). Every file's size is rounded
up to an integral number of blocks. If the block size is 1024 bytes, then a
file of 1025 bytes will occupy two 1024 byte blocks. Unfortunately this means
that on average you waste half a block per file. Usually in computing you trade
off CPU usage for memory and disk space utilisation. In this case Linux, along
with most operating systems, trades off a relatively inefficient disk usage in
order to reduce the workload on the CPU. Not all of the blocks in the file
system hold data, some must be used to contain the information that describes
the structure of the file system. EXT2 defines the file system topology by describing
each file in the system with an inode data structure. An inode describes which
blocks the data within a file occupies as well as the access rights of the
file, the file's modification times and the type of the file. Every file in the
EXT2 file system is described by a single inode and each inode has a single
unique number identifying it. The inodes for the file system are all kept
together in inode tables. EXT2 directories are simply special files (themselves
described by inodes) which contain pointers to the inodes of their directory
entries.
Figure shows the
layout of the EXT2 file system as occupying a series of blocks in a block
structured device. So far as each file system is concerned, block devices are
just a series of blocks which can be read and written. A file system does not
need to concern itself with where on the physical media a block should be put,
that is the job of the device's driver. Whenever a file system needs to read
information or data from the block device containing it, it requests that its
supporting device driver reads an integral number of blocks. The EXT2 file
system divides the logical partition that it occupies into Block Groups. Each group duplicates information critical
to the integrity of the file system as well as holding real files and
directories as blocks of information and data. This duplication is neccessary
should a disaster occur and the file system need recovering. The subsections
describe in more detail the contents of each Block Group.
Tidak ada komentar:
Posting Komentar