720 likes | 1.25k Vues
NTFS MFT Example. COEN 152 / 252. MFT Table Entry. MFT Table Entry. Magic marker: FILE. MFT Table Entry. Update Sequence Offset: 0x 00 30 Three entries in update sequence. MFT Table Entry. Sequence number is 0x 00 08. MFT Table Entry. Link count is 00 01 (one). MFT Table Entry.
E N D
NTFS MFT Example COEN 152 / 252
MFT Table Entry Magic marker: FILE
MFT Table Entry Update Sequence Offset: 0x 00 30 Three entries in update sequence
MFT Table Entry Sequence number is 0x 00 08
MFT Table Entry Link count is 00 01 (one)
MFT Table Entry First attribute is located at offset 0x 00 38
MFT Table Entry Flags are 0x 01 00 Record in use
MFT Table Entry Used size of MFT entry: 0x 00 00 01 68 = 360
MFT Table Entry Allocated size of MFT entry: 0x 00 00 04 00 = 102410
MFT Table Entry File Reference 0
MFT Table Entry Next attribute ID 0004
MFT Table Entry MFT Record Number 00 02 3C E0
MFT Table Entry Attribute Type: 00 00 00 10 Standard
MFT Table Entry Attribute Length: 00 00 00 60
MFT Table Entry Non-resident flag: resident
MFT Table Entry Length of name: 0
MFT Table Entry Offset to name: 0
MFT Table Entry Flags: 0
MFT Table Entry Attribute Identifier: 0
MFT Table Entry Size of Content: 0x 48 = 72
MFT Table Entry Offset to Content: 0x 18 = 24
MFT Table Entry Standard Information Content: File Creation Time 4029AF606C50C701
MFT Table Entry Standard Information Content: File Alternation Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC
MFT Table Entry Standard Information Content: MFT Change Time 90CE7E856C50C701 2/14/2007, 19:15:42 UTC
MFT Table Entry Standard Information Content: File Read Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC
MFT Table Entry DOS Permissions 00 00 00 20
MFT Table Entry Maximum Number of Versions 00 00 00 00
MFT Table Entry Version Number 00 00 00 00
MFT Table Entry Class ID 00 00 00 00
MFT Table Entry Owner ID 00 00 00 00
MFT Table Entry Security ID 00 00 03 0F
MFT Table Entry Quota Charged 00 00 03 0F
MFT Table Entry Update Sequence Number 00 00 00 02 60 E3 93 E8
MFT Table Entry Attribute Type Identifier 30: $FILENAME
MFT Table Entry Length of Attribute: 0x 70
MFT Table Entry Resident:
MFT Table Entry No Name
MFT Table Entry No Name
MFT Table Entry No Flages
MFT Table Entry Attribute identifier 2
MFT Table Entry Size of Content: 0x 52
MFT Table Entry Offset to Content: 0x 18 This gives us the structure of the attribute
MFT Table Entry File Reference to parent directory: 00 3A 00 00 00 02 B8 E4
MFT Table Entry File creation time: 4029AF606c50C701 2/14/2007 19:14:41 UTC
MFT Table Entry File modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC
MFT Table Entry File access time: 0046B5606c50C701 2/14/2007 19:14:41 UTC
MFT Table Entry MFT modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC
MFT Table Entry Allocated Size of File
MFT Table Entry Real Size of File