MFT File Reference Number

All MFT entries are given a sequential address starting from zero, zero being the $MFT entry itself. Each MFT entry is addressed using a 6-byte number; a further 2 bytes contain the MFT sequence number, and the two numbers combined are called the file reference number. For example, if we take the entire 8 bytes of a file reference number (6 bytes for the MFT number + 2 bytes for the sequence number), 0x0600000000000100 in little endian, we would need to split the 2 values as follows:

MFT Record number = [0x060000000000]

Sequence Number = [0x0100]

After converting from little endian we can determine that this refers to the MFT record number 6 and has a sequence number of 1.

The sequence number is incremented each time an MFT record is reallocated. Because NTFS attempts to reuse existing MFT records in preference to creating new ones, it is possible for a file to be deleted and its MFT record to be reused for a new file. If this happens, its sequence number would be incremented from 1 (assuming the original file was the first to occupy that MFT record) to 2.
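As an added example (not part of the original post), the following Python sketch splits an 8-byte little-endian file reference into its record and sequence numbers and flags a reference whose sequence number no longer matches the record's current one, which is the reuse case described above. The function names, the `current_sequences` mapping and the sample bytes (the record and sequence bytes from the example, concatenated) are constructed for illustration.

```python
import struct
from typing import NamedTuple


class FileReference(NamedTuple):
    record_number: int    # 6 bytes (low 48 bits of the 64-bit value)
    sequence_number: int  # 2 bytes (high 16 bits of the 64-bit value)


def parse_file_reference(raw: bytes) -> FileReference:
    """Split an 8-byte little-endian file reference into its two fields."""
    if len(raw) != 8:
        raise ValueError("a file reference is exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    return FileReference(value & 0xFFFFFFFFFFFF, value >> 48)


def pack_file_reference(ref: FileReference) -> bytes:
    """Inverse of parse_file_reference, with range checks on both fields."""
    if not 0 <= ref.record_number < 1 << 48:
        raise ValueError("record number does not fit in 6 bytes")
    if not 0 <= ref.sequence_number < 1 << 16:
        raise ValueError("sequence number does not fit in 2 bytes")
    return struct.pack("<Q", (ref.sequence_number << 48) | ref.record_number)


def classify_reference(ref: FileReference, current_sequences: dict) -> str:
    """Compare a reference with the sequence number the record holds now.

    current_sequences maps record number -> current sequence number
    (hypothetical input, e.g. collected from the MFT records themselves).
    """
    current = current_sequences.get(ref.record_number)
    if current is None:
        return "unknown-record"
    if current == ref.sequence_number:
        return "current"
    # The record has been reallocated since this reference was written,
    # so the reference points at a previous occupant of the record.
    return "stale"


if __name__ == "__main__":
    sample = bytes.fromhex("0600000000000100")  # constructed sample bytes
    ref = parse_file_reference(sample)
    print(ref)
    # Constructed state: record 6 has since been reused once.
    print(classify_reference(ref, {6: 2}))
```

A stale result means the reference describes a file that previously occupied the record, not the file stored there now.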
