Ntfs mft example
This presentation is the property of its rightful owner.
Sponsored Links
1 / 70

NTFS MFT Example PowerPoint PPT Presentation


  • 60 Views
  • Uploaded on
  • Presentation posted in: General

NTFS MFT Example. COEN 152 / 252. MFT Table Entry. MFT Table Entry. Magic marker: FILE. MFT Table Entry. Update Sequence Offset: 0x 00 30 Three entries in update sequence. MFT Table Entry. Sequence number is 0x 00 08. MFT Table Entry. Link count is 00 01 (one). MFT Table Entry.

Download Presentation

NTFS MFT Example

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Ntfs mft example

NTFS MFT Example

COEN 152 / 252


Mft table entry

MFT Table Entry


Mft table entry1

MFT Table Entry

Magic marker: FILE


Mft table entry2

MFT Table Entry

Update Sequence Offset: 0x 00 30

Three entries in update sequence


Mft table entry3

MFT Table Entry

Sequence number is 0x 00 08


Mft table entry4

MFT Table Entry

Link count is 00 01

(one)


Mft table entry5

MFT Table Entry

First attribute is located at offset

0x 00 38


Mft table entry6

MFT Table Entry

Flags are 0x 01 00

Record in use


Mft table entry7

MFT Table Entry

Used size of MFT entry:

0x 00 00 01 68 =

360


Mft table entry8

MFT Table Entry

Allocated size of MFT entry:

0x 00 00 04 00 =

102410


Mft table entry9

MFT Table Entry

File Reference 0


Mft table entry10

MFT Table Entry

Next attribute ID 0004


Mft table entry11

MFT Table Entry

MFT Record Number

00 02 3C E0


Mft table entry12

MFT Table Entry

Attribute Type:

00 00 00 10

Standard


Mft table entry13

MFT Table Entry

Attribute Length:

00 00 00 60


Mft table entry14

MFT Table Entry

Non-resident flag:

resident


Mft table entry15

MFT Table Entry

Length of name: 0


Mft table entry16

MFT Table Entry

Offset to name: 0


Mft table entry17

MFT Table Entry

Flags: 0


Mft table entry18

MFT Table Entry

Attribute Identifier: 0


Mft table entry19

MFT Table Entry

Size of Content: 0x 48 = 72


Mft table entry20

MFT Table Entry

Offset to Content:

0x 18 = 24


Mft table entry21

MFT Table Entry

Standard Information Content:

File Creation Time

4029AF606C50C701


Mft table entry22

MFT Table Entry

Standard Information Content:

File Alternation Time

0046B5606C50C701

2/14/2007, 19:14:41 UTC


Mft table entry23

MFT Table Entry

Standard Information Content:

MFT Change Time

90CE7E856C50C701

2/14/2007, 19:15:42 UTC


Mft table entry24

MFT Table Entry

Standard Information Content:

File Read Time

0046B5606C50C701

2/14/2007, 19:14:41 UTC


Mft table entry25

MFT Table Entry

DOS Permissions

00 00 00 20


Mft table entry26

MFT Table Entry

Maximum Number of Versions

00 00 00 00


Mft table entry27

MFT Table Entry

Version Number

00 00 00 00


Mft table entry28

MFT Table Entry

Class ID

00 00 00 00


Mft table entry29

MFT Table Entry

Owner ID

00 00 00 00


Mft table entry30

MFT Table Entry

Security ID

00 00 03 0F


Mft table entry31

MFT Table Entry

Quota Charged

00 00 03 0F


Mft table entry32

MFT Table Entry

Update Sequence Number

00 00 00 02 60 E3 93 E8


Mft table entry33

MFT Table Entry

Attribute Type Identifier

30: $FILENAME


Mft table entry34

MFT Table Entry

Length of Attribute: 0x 70


Mft table entry35

MFT Table Entry

Resident:


Mft table entry36

MFT Table Entry

No Name


Mft table entry37

MFT Table Entry

No Name


Mft table entry38

MFT Table Entry

No Flages


Mft table entry39

MFT Table Entry

Attribute identifier 2


Mft table entry40

MFT Table Entry

Size of Content: 0x 52


Mft table entry41

MFT Table Entry

Offset to Content: 0x 18

This gives us the structure of the attribute


Mft table entry42

MFT Table Entry

File Reference to parent directory:

00 3A 00 00 00 02 B8 E4


Mft table entry43

MFT Table Entry

File creation time:

4029AF606c50C701

2/14/2007 19:14:41 UTC


Mft table entry44

MFT Table Entry

File modification time:

0046B5606c50C701

2/14/2007 19:14:41 UTC


Mft table entry45

MFT Table Entry

File access time:

0046B5606c50C701

2/14/2007 19:14:41 UTC


Mft table entry46

MFT Table Entry

MFT modification time:

0046B5606c50C701

2/14/2007 19:14:41 UTC


Mft table entry47

MFT Table Entry

Allocated Size of File


Mft table entry48

MFT Table Entry

Real Size of File


Mft table entry49

MFT Table Entry

Flags


Mft table entry50

MFT Table Entry

Security ID


Mft table entry51

MFT Table Entry

Filename length in Unicode Characters: 8


Mft table entry52

MFT Table Entry

Filename namespace


Mft table entry53

MFT Table Entry

File name / extension in unicode: test.txt


Mft table entry54

MFT Table Entry

Attribute Type: Object_ID


Mft table entry55

MFT Table Entry

Length of Attribute: 0x28


Mft table entry56

MFT Table Entry

Length of Attribute: 0x28


Mft table entry57

MFT Table Entry

B0: Resident

B1-4: No Name

B 5-6: Attribute ID: 3


Mft table entry58

MFT Table Entry

Size of content: 0x10

Offset to content 0x18

Check: Length of attribute is 0x28


Mft table entry59

MFT Table Entry

Object ID:


Mft table entry60

MFT Table Entry

Object ID:


Mft table entry61

MFT Table Entry

Attribute Type: $DATA


Mft table entry62

MFT Table Entry

Attribute Length: 0x30


Mft table entry63

MFT Table Entry

Resident


Mft table entry64

MFT Table Entry

No name


Mft table entry65

MFT Table Entry

Size of contents: 0x17


Mft table entry66

MFT Table Entry

Offset to contents: 0x18


Mft table entry67

MFT Table Entry

Contents


Mft table entry68

MFT Table Entry

End of Entry


  • Login