Ntfs mft example
NTFS MFT Example

COEN 152 / 252


MFT Table Entry


MFT Table Entry

Magic marker: FILE


MFT Table Entry

Update Sequence Offset: 0x 00 30

Three entries in update sequence


MFT Table Entry

Sequence number is 0x 00 08


MFT Table Entry

Link count is 00 01

(one)


MFT Table Entry

First attribute is located at offset

0x 00 38


MFT Table Entry

Flags are 0x 01 00

Record in use


MFT Table Entry

Used size of MFT entry:

0x 00 00 01 68 =

360


MFT Table Entry

Allocated size of MFT entry:

0x 00 00 04 00 =

1024 (decimal)


MFT Table Entry

File Reference 0


MFT Table Entry

Next attribute ID 0004


MFT Table Entry

MFT Record Number

00 02 3C E0


MFT Table Entry

Attribute Type:

00 00 00 10

Standard


MFT Table Entry

Attribute Length:

00 00 00 60


MFT Table Entry

Non-resident flag:

resident


MFT Table Entry

Length of name: 0


MFT Table Entry

Offset to name: 0


MFT Table Entry

Flags: 0


MFT Table Entry

Attribute Identifier: 0


MFT Table Entry

Size of Content: 0x 48 = 72


MFT Table Entry

Offset to Content:

0x 18 = 24


MFT Table Entry

Standard Information Content:

File Creation Time

4029AF606C50C701


MFT Table Entry

Standard Information Content:

File Alteration Time

0046B5606C50C701

2/14/2007, 19:14:41 UTC


MFT Table Entry

Standard Information Content:

MFT Change Time

90CE7E856C50C701

2/14/2007, 19:15:42 UTC


MFT Table Entry

Standard Information Content:

File Read Time

0046B5606C50C701

2/14/2007, 19:14:41 UTC


MFT Table Entry

DOS Permissions

00 00 00 20


MFT Table Entry

Maximum Number of Versions

00 00 00 00


MFT Table Entry

Version Number

00 00 00 00


MFT Table Entry

Class ID

00 00 00 00


MFT Table Entry

Owner ID

00 00 00 00


MFT Table Entry

Security ID

00 00 03 0F


MFT Table Entry

Quota Charged

00 00 03 0F


MFT Table Entry

Update Sequence Number

00 00 00 02 60 E3 93 E8


MFT Table Entry

Attribute Type Identifier

30: $FILENAME


MFT Table Entry

Length of Attribute: 0x 70


MFT Table Entry

Resident:


MFT Table Entry

No Name


MFT Table Entry

No Name


MFT Table Entry

No Flags


MFT Table Entry

Attribute identifier 2


MFT Table Entry

Size of Content: 0x 52


MFT Table Entry

Offset to Content: 0x 18

This gives us the structure of the attribute


MFT Table Entry

File Reference to parent directory:

00 3A 00 00 00 02 B8 E4


MFT Table Entry

File creation time:

4029AF606c50C701

2/14/2007 19:14:41 UTC


MFT Table Entry

File modification time:

0046B5606c50C701

2/14/2007 19:14:41 UTC


MFT Table Entry

File access time:

0046B5606c50C701

2/14/2007 19:14:41 UTC


MFT Table Entry

MFT modification time:

0046B5606c50C701

2/14/2007 19:14:41 UTC


MFT Table Entry

Allocated Size of File


MFT Table Entry

Real Size of File


MFT Table Entry

Flags


MFT Table Entry

Security ID


MFT Table Entry

Filename length in Unicode Characters: 8


MFT Table Entry

Filename namespace


MFT Table Entry

File name / extension in unicode: test.txt


MFT Table Entry

Attribute Type: Object_ID


MFT Table Entry

Length of Attribute: 0x28


MFT Table Entry

Length of Attribute: 0x28


MFT Table Entry

B0: Resident

B1-4: No Name

B 5-6: Attribute ID: 3


MFT Table Entry

Size of content: 0x10

Offset to content 0x18

Check: Length of attribute is 0x28


MFT Table Entry

Object ID:


MFT Table Entry

Object ID:


MFT Table Entry

Attribute Type: $DATA


MFT Table Entry

Attribute Length: 0x30


MFT Table Entry

Resident


MFT Table Entry

No name


MFT Table Entry

Size of contents: 0x17


MFT Table Entry

Offset to contents: 0x18


MFT Table Entry

Contents


MFT Table Entry

End of Entry
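The walkthrough above can be reproduced in code. The following Python parser is an added example, not part of the original slides: it decodes the entry header, walks the resident attributes to the end marker, and converts the $STANDARD_INFORMATION timestamps. The function names and the `SAMPLE` record are assumptions made for illustration; `SAMPLE` is built from the field values shown on the slides, with everything the slides do not give zero-filled.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime(raw8):
    """8 on-disk bytes (little-endian 100 ns ticks since 1601-01-01) -> UTC datetime."""
    ticks = struct.unpack("<Q", raw8)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_header(rec):
    """Decode the fixed 48-byte entry header; every integer is little-endian."""
    if len(rec) < 48 or rec[:4] != b"FILE":
        raise ValueError("magic marker FILE not found")
    names = ("usa_offset", "usa_count", "lsn", "sequence", "links", "first_attr",
             "flags", "used", "allocated", "base_ref", "next_attr_id", "record_no")
    return dict(zip(names, struct.unpack_from("<HHQHHHHIIQH2xI", rec, 4)))

def resident_attributes(rec, hdr):
    """Yield (type, attribute id, content) until the 0xFFFFFFFF end marker."""
    off, limit = hdr["first_attr"], min(hdr["used"], len(rec))
    while off + 4 <= limit:
        if rec[off:off + 4] == b"\xff\xff\xff\xff":
            return
        if off + 0x18 > limit:
            raise ValueError(f"truncated attribute header at {off:#x}")
        a_type, a_len, nonres, _nlen, _noff, _flags, a_id, size, c_off = \
            struct.unpack_from("<IIBBHHHIH", rec, off)
        if a_len < 0x18 or off + a_len > limit or (not nonres and c_off + size > a_len):
            raise ValueError(f"attribute at {off:#x} overruns its bounds")
        if not nonres:
            yield a_type, a_id, rec[off + c_off:off + c_off + size]
        off += a_len

def standard_information_times(rec):
    """Return the four timestamps of $STANDARD_INFORMATION (type 0x10), or None."""
    for a_type, _id, content in resident_attributes(rec, parse_header(rec)):
        if a_type == 0x10 and len(content) >= 32:
            labels = ("created", "altered", "mft_changed", "read")
            return {k: filetime(content[8 * i:8 * i + 8]) for i, k in enumerate(labels)}
    return None

# Constructed sample: header fields and timestamps are the values on the slides; the
# LSN, update sequence array and remaining content fields are zero-filled, and the
# other three attributes are omitted, so the end marker follows the first attribute.
TIMES = "4029AF606C50C701 0046B5606C50C701 90CE7E856C50C701 0046B5606C50C701"
SAMPLE = (b"FILE" + struct.pack("<HHQHHHHIIQH2xI", 0x30, 3, 0, 8, 1, 0x38, 1,
                                 0x168, 0x400, 0, 4, 0x23CE0) + bytes(8)
          + struct.pack("<IIBBHHHIHBB", 0x10, 0x60, 0, 0, 0, 0, 0, 0x48, 0x18, 0, 0)
          + bytes.fromhex(TIMES) + struct.pack("<I", 0x20).ljust(40, b"\0")
          + b"\xff" * 4).ljust(0x400, b"\0")
```

A record read from a real volume must have its update sequence fixup applied before parsing; the sketch skips that step because no field in the constructed sample reaches a sector boundary.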

