This is only applicable to a file index ($I30).
INDX: it helps to describe this as "index = key + data".
Given an INDX record, it's difficult to work out what's being indexed (that info is in the index root).
This is a sub-node of the B+ tree that implements an index (e.g. a directory). It is stored in the stream of the index allocation attribute associated with the index it belongs to.
An INDX buffer is at least 2 KB in size, or the cluster size if that is larger (this seems to be a per-index parameter). It falls into 2 parts:
| Offset | Size | Description |
|---|---|---|
| ~ | ~ | Standard Index Header |
| 0x00 | 8 | MFT Reference of the file |
| 0x08 | 2 | Size of this index entry |
| 0x0A | 2 | Offset to the filename |
| 0x0C | 2 | Index Flags |
| 0x0E | 2 | Padding (align to 8 bytes) |
| 0x10 | 8 | MFT File Reference of the parent |
| 0x18 | 8 | File creation time |
| 0x20 | 8 | Last modification time |
| 0x28 | 8 | Last modification time for FILE record |
| 0x30 | 8 | Last access time |
| 0x38 | 8 | Allocated size of file |
| 0x40 | 8 | Real size of file |
| 0x48 | 8 | File Flags |
| 0x50 | 1 | Length of filename (F) |
| 0x51 | 1 | Filename namespace |
| 0x52 | 2F | Filename |
| 2F+0x52 | P | Padding (align to 8 bytes) |
| P+2F+0x52 | 8 | VCN of index buffer with sub-nodes |
N.B. The filename is not null terminated.
Surely the flags can't be 8 bytes long.
Table for the flags.
The VCN of the index buffer only exists when flags & 1.
The last entry has a size of 0x10 (just large enough for the flags (and an MFT reference of zero)).
This is a sequence of index entries similar to the one found in the index root attribute.
The index entry has the following structure:
Index entry flags (16-bit):
| Flag | Value | Description |
|---|---|---|
| INDEX_ENTRY_NODE | cpu_to_le16(1) | This entry contains a sub-node, i.e. a reference to an index block in form of a virtual cluster number (see below). |
| INDEX_ENTRY_END | cpu_to_le16(2) | This signifies the last entry in an index block. The index entry does not represent a file but it can point to a sub-node. |
This is an index entry. A sequence of such entries follows each INDEX_HEADER
structure. Together they make up a complete index. The index follows either
an index root attribute or an index allocation attribute.
NOTE: Before NTFS 3.0 only filename attributes were indexed.
Most fields are not valid (and not present) if the entry is the last one. The last entry does not represent a file and is used only for sub-nodes. The pointer to the sub-node buffer is present only if the entry has sub-nodes.
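The entry layout in the table above and the flag rules (sub-node VCN only when flags & 1, end entry carrying no file fields) can be exercised with a small parser. This is an added example, not code from the original page or the NTFS driver; the function names, the constructed sample bytes, the FILETIME epoch conversion and the 48/16-bit split of the MFT reference are assumptions not stated on the page.

```python
import struct
from datetime import datetime, timedelta, timezone
INDEX_ENTRY_NODE = 0x1  # last 8 bytes of the entry hold a sub-node VCN
INDEX_ENTRY_END = 0x2   # last entry of the block; carries no file fields
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # assumed: 100 ns ticks since 1601

def filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_entry(buf, off=0):
    """Parse one $I30 index entry at buf[off:] using the offsets in the table above."""
    if off + 0x10 > len(buf):
        raise ValueError("truncated entry header")
    ref, size, _name_off, flags = struct.unpack_from("<QHHH", buf, off)
    if size < 0x10 or size % 8 or off + size > len(buf):
        raise ValueError(f"implausible entry size {size:#x}")
    e = {"size": size, "flags": flags, "vcn": None}
    if flags & INDEX_ENTRY_NODE:  # VCN exists only when flags & 1
        if size < 0x18:
            raise ValueError("node flag set but no room for a VCN")
        e["vcn"] = struct.unpack_from("<Q", buf, off + size - 8)[0]
    if flags & INDEX_ENTRY_END:   # nothing else in the entry is valid
        return e
    if size < 0x52:
        raise ValueError("entry too small for a filename key")
    parent, ctime, mtime, _rtime, atime, alloc, real = struct.unpack_from("<7Q", buf, off + 0x10)
    nlen, namespace = struct.unpack_from("<BB", buf, off + 0x50)
    name_end = 0x52 + 2 * nlen    # name is UTF-16, not null terminated
    if name_end > size - (8 if e["vcn"] is not None else 0):
        raise ValueError("filename overruns the entry")
    e.update(mft_record=ref & 0xFFFFFFFFFFFF, mft_seq=ref >> 48,  # assumed 48/16-bit split
             parent_record=parent & 0xFFFFFFFFFFFF, namespace=namespace, allocated=alloc, real=real,
             created=filetime(ctime), modified=filetime(mtime), accessed=filetime(atime),
             name=buf[off + 0x52:off + name_end].decode("utf-16-le", "replace"))
    return e

def walk(buf, off=0):  # yield entries up to and including the INDEX_ENTRY_END one
    while True:
        e = parse_entry(buf, off)
        yield e
        if e["flags"] & INDEX_ENTRY_END:
            return
        off += e["size"]

def sample():  # constructed data: file entry "a.txt", then an end entry with sub-node VCN 7
    t, name = 116444736000000000, "a.txt".encode("utf-16-le")  # t = 1970-01-01 as FILETIME
    first = struct.pack("<QHHHH8QBB", (3 << 48) | 42, 0x60, 0x52, 0, 0,
                        5, t, t, t, t, 4096, 11, 0, 5, 3) + name
    return first.ljust(0x60, b"\0") + struct.pack("<QHHHHQ", 0, 0x18, 0, 3, 0, 7)
```

The size and filename bounds checks matter when carving entries from slack space in an INDX buffer, where stale or partially overwritten entries are common.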