NTFS MFT Example

COEN 152 / 252



MFT Table Entry

Magic marker: FILE

Update Sequence Offset: 0x 00 30. Three entries in update sequence.

Sequence number is 0x 00 08

Link count is 00 01 (one)

First attribute is located at offset 0x 00 38

Flags are 0x 01 00: Record in use

Used size of MFT entry: 0x 00 00 01 68 = 360

Allocated size of MFT entry: 0x 00 00 04 00 = 1024

File Reference 0

Next attribute ID 0004

MFT Record Number 00 02 3C E0


Attribute Type: 00 00 00 10 (Standard Information)

Attribute Length: 00 00 00 60

Non-resident flag: resident

Length of name: 0

Offset to name: 0

Flags: 0

Attribute Identifier: 0

Size of Content: 0x 48 = 72

Offset to Content: 0x 18 = 24

Standard Information Content:

File Creation Time: 4029AF606C50C701

File Alteration Time: 0046B5606C50C701 (2/14/2007, 19:14:41 UTC)

MFT Change Time: 90CE7E856C50C701 (2/14/2007, 19:15:42 UTC)

File Read Time: 0046B5606C50C701 (2/14/2007, 19:14:41 UTC)

DOS Permissions: 00 00 00 20

Maximum Number of Versions: 00 00 00 00

Version Number: 00 00 00 00

Class ID: 00 00 00 00

Owner ID: 00 00 00 00

Security ID: 00 00 03 0F

Quota Charged: 00 00 03 0F

Update Sequence Number: 00 00 00 02 60 E3 93 E8


Attribute Type Identifier 30: $FILENAME

Length of Attribute: 0x 70

Resident:

No Flags

Attribute identifier 2

Size of Content: 0x 52

Offset to Content: 0x 18. This gives us the structure of the attribute.

File Reference to parent directory: 00 3A 00 00 00 02 B8 E4

File creation time: 4029AF606c50C701 (2/14/2007 19:14:41 UTC)

File modification time: 0046B5606c50C701 (2/14/2007 19:14:41 UTC)

File access time: 0046B5606c50C701 (2/14/2007 19:14:41 UTC)

MFT modification time: 0046B5606c50C701 (2/14/2007 19:14:41 UTC)

Allocated Size of File

Real Size of File

Security ID

Filename length in Unicode Characters: 8

Filename namespace

File name / extension in Unicode: test.txt


Attribute Type: Object_ID

Length of Attribute: 0x28

B0: Resident

B1-4: No Name

B5-6: Attribute ID: 3

Size of content: 0x10

Offset to content: 0x18

Check: Length of attribute is 0x28

Object ID:

Attribute Type: $DATA

Attribute Length: 0x30

Resident

Size of contents: 0x17

Offset to contents: 0x18

Contents

End of Entry
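
As an added example (not part of the original slides), the walk-through above can be reproduced with a short Python parser that reads the 48-byte header, applies the update sequence fixups and steps through the resident attributes. The record is constructed from the slide values; the zero-filled attribute contents, the update sequence value 0x0007, the $DATA attribute ID of 1 and the 512-byte sector size are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

HDR = struct.Struct("<4sHHQHHHHIIQHHI")  # 48-byte FILE record header
ATTR = struct.Struct("<IIBBHHHIH")       # start of a resident attribute header
NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x40: "$OBJECT_ID", 0x80: "$DATA"}

def filetime(raw):
    """Decode 8 little-endian bytes of 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=int.from_bytes(raw, "little") // 10)

def apply_fixups(rec, usa_off, usa_count, sector=512):
    """Put back the last two bytes of each sector from the update sequence array."""
    rec = bytearray(rec)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        if rec[i * sector - 2:i * sector] != usn:
            raise ValueError(f"update sequence mismatch in sector {i}")
        rec[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_entry(rec):
    (magic, usa_off, usa_count, _lsn, seq, links, first, flags,
     used, alloc, _base, next_id, _pad, recno) = HDR.unpack_from(rec)
    if magic != b"FILE" or used > len(rec):
        raise ValueError("not a valid FILE record")
    rec, attrs, off = apply_fixups(rec, usa_off, usa_count), [], first
    while off + 0x18 <= used and rec[off:off + 4] != b"\xff\xff\xff\xff":
        typ, length, nonres, _nl, _no, _fl, aid, csize, coff = ATTR.unpack_from(rec, off)
        if length < 0x18 or off + length > used:
            raise ValueError("attribute length runs past the used size")
        content = rec[off + coff:off + coff + csize] if nonres == 0 else None
        attrs.append((NAMES.get(typ, hex(typ)), aid, length, content))
        off += length
    return {"seq": seq, "links": links, "in_use": bool(flags & 1), "used": used,
            "alloc": alloc, "next_id": next_id, "record": recno, "attrs": attrs}

def build_sample():
    """Constructed record: header values and attribute sizes as read off the slides."""
    si = bytes.fromhex("4029AF606C50C7010046B5606C50C70190CE7E856C50C7010046B5606C50C701")
    body = b""  # $DATA id 1 and the zero-filled contents are assumptions
    for typ, length, aid, content in [(0x10, 0x60, 0, si.ljust(0x48, b"\0")),
            (0x30, 0x70, 2, bytes(0x52)), (0x40, 0x28, 3, bytes(0x10)), (0x80, 0x30, 1, bytes(0x17))]:
        body += (ATTR.pack(typ, length, 0, 0, 0, 0, aid, len(content), 0x18)
                 + b"\0\0" + content).ljust(length, b"\0")
    hdr = HDR.pack(b"FILE", 0x30, 3, 0, 8, 1, 0x38, 1, 0x168, 0x400, 0, 4, 0, 0x23CE0)
    rec = bytearray((hdr + b"\x07\0" + bytes(6) + body + b"\xff" * 4).ljust(0x400, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x07\0"  # on disk the USN overwrites each sector tail
    return bytes(rec)
```

A fixup mismatch is raised rather than ignored because it means the record was torn during a write or its sector tails no longer match the update sequence array.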

