I recently was doing a bit of reading about inodes in Unix-type systems. I had a Knoppix boot CD which I loaded up on my Windows XP laptop. When I was browsing the mounted Windows hard drive I ran the command to see if Windows had inodes:
ls -li
To my surprise there were 'numbers' listed before the permissions, like this:
10344 drwxrwxrwx 1 knoppix knoppix 4096 Feb 20 02:38 backup
I am guessing that the 10344 is the inode; however, I read in a few places on the net that Windows did not have inodes. Can anyone clarify what I am seeing here?
The other odd thing about these 'numbers', if they are indeed Windows inodes, is that they don't seem incremental. For instance, a directory created Feb 20 2005 has an inode of 10344; a directory created Nov 2007, 2002 has an inode of 27927. Aren't inodes created incrementally?
Something to do with MFT entries, perhaps? Starting clusters?
Wild guesses…anyone know for sure?
Jamie
My guess is it's random data that's being interpreted as an inode. Again, it's a guess. I've got some material on this at home, I'll check it tonight and see if I can glean anything else.
Thanks for the help, guys. 🙂 I am scratching my head on this one. Gmarshall, are you referring to a book you have that has this information? I'd be interested to know the title.
It's a text from Guidance's advanced forensics class. It's not available unless you go to the class. So you can get one for about $3000. We went through file systems a lot. Mainly NTFS but also Mac, Unix, Linux, etc.
Thanks for the info, Gmarshall. Did it have anything about the possible inodes in Windows?
Can you post the inode records that you're seeing? At least a couple of them. They should be 128 bytes in length. I can find no reference to Windows using inodes. Are your hits within the MFT? Also, if you are booting from a Linux disk then Linux is your OS. Linux does use inodes.
After watching this thread for a while, I decided to look into it for myself.
What I've found so far is this:
Specifically:
An inode is the filesystem's representation of a file, directory, device, etc. In NTFS every inode is represented by an MFT FILE record.
Now, we know that Windows itself does not use the concept of inodes:
(from
The inode, and therefore st_ino, has no meaning in the FAT, HPFS, or NTFS file systems.
But keep in mind, that's from a Windows perspective. So the real question isn't whether or not NTFS uses inodes (b/c we know it doesn't), but how the NTFS driver under Linux populates the inode field.
Still looking…
H. Carvey
"Windows Forensics and Incident Recovery"
So the real question isn't whether or not NTFS uses inodes (b/c we know it doesn't), but how the NTFS driver under Linux populates the inode field.
I think you're right on the money here.
Not a lot of help there…
I did a lot more looking around, specifically on the Linux NTFS site, but didn't find anything specific. However, I did find something useful here:
Specifically:
Each MFT entry is given a number (similar to inode numbers in UNIX).
So, I guess the final answer is…what you're looking at is the MFT entry number.
Hope that helps,
H. Carvey
"Windows Forensics and Incident Recovery"
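To make the conclusion above concrete, here is an added example (not from the thread or any of the posters) that builds a constructed MFT FILE record and reads back the fields a forensic examiner would check: the record number at offset 0x2C, which is the value a Linux NTFS driver exposes as the inode number, plus the sequence number that is bumped each time a freed record is reused (which is why the numbers are not allocated in date order). Offsets follow the NTFS 3.1 on-disk FILE record header; the byte buffer is a constructed sample, not a real disk image.

```python
import struct

# NTFS 3.1 MFT FILE record header: 48 bytes, little-endian.
# Offsets: 0x00 magic, 0x04/0x06 update sequence array, 0x08 LSN, 0x10 sequence no.,
# 0x12 hard-link count, 0x14 first attribute, 0x16 flags, 0x18 used size,
# 0x1C allocated size, 0x20 base record ref, 0x28 next attr id, 0x2A pad, 0x2C record no.
HDR_FMT = "<4sHHQHHHHIIQHHI"
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002
RECORD_SIZE = 1024  # typical MFT record size; records 0-15 are reserved (5 is the root dir)


def build_mft_record(record_number, sequence=1, link_count=1, is_dir=False, in_use=True):
    """Constructed sample FILE record with only a header and an end-of-attributes marker."""
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    hdr = struct.pack(HDR_FMT, b"FILE", 0x30, 3, 0, sequence, link_count, 0x38, flags,
                      0x38 + 8, RECORD_SIZE, 0, 0, 0, record_number)
    usa = b"\x00" * 6                     # update sequence array (USN + 2 fixup words)
    end_marker = b"\xff\xff\xff\xff"      # terminates the attribute list
    body = hdr + usa + b"\x00\x00" + end_marker
    return body + b"\x00" * (RECORD_SIZE - len(body))


def parse_mft_record(buf):
    """Return the header fields relevant to the 'inode' question from a FILE record."""
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record (unused slot or BAAD multi-sector corruption)")
    (_, _usa_off, _usa_len, _lsn, seq, links, _attr_off, flags, _used, _alloc,
     base_ref, _next_id, _pad, rec_no) = struct.unpack_from(HDR_FMT, buf, 0)
    return {
        "record_number": rec_no,            # shown as the inode by ls -li on a Linux NTFS mount
        "sequence": seq,                    # >1 means this slot has been freed and reused before
        "hard_links": links,                # the link-count column in ls -li
        "in_use": bool(flags & FLAG_IN_USE),
        "is_dir": bool(flags & FLAG_DIRECTORY),
        "base_record": base_ref,            # nonzero only for extension records
    }


def split_file_reference(ref):
    """An 8-byte NTFS file reference packs a 48-bit record number and a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


if __name__ == "__main__":
    # Record 10344 from the thread, modelled as a directory whose slot was reused (sequence 7).
    print(parse_mft_record(build_mft_record(10344, sequence=7, is_dir=True)))
```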